
SECURE ANOMALY BASED EFFICIENT REAL TIME DISTRIBUTED INTRUSION DETECTION SYSTEM (SABER-DIDS).


Abstract

Intrusion detection is the problem of identifying unauthorized use, misuse, and abuse of computer systems by insiders and external penetrators. Advances in the connectivity of computer systems provide greater access to the external world, making it easy for intruders to avoid detection. Intrusion Detection Systems (IDSs) are based on the belief that an intruder's behaviour will be noticeably different from that of a legitimate user (anomaly-based detection). A distributed IDS consists of multiple Intrusion Detection Systems (called agents) spread over a large network, all of which communicate with each other, or with a central server that provides advanced network monitoring, incident analysis, and instant attack data. By having these co-operative agents spread over the network and interacting in a distributed fashion, incident analysts, network operations, and security department personnel are able to get a broader view of what is occurring on their network as a whole. Our system consists of two types of IDS agents: a Network agent and a Host agent. The Network agent is an anomaly-based agent that employs machine learning to learn from the network and recognize unusual behaviour of network metrics (e.g. packet size, hop limit, packet type). New types of attacks are also detected with the help of an entropy calculation method over the parameters packet size, source and destination IP address, and input traffic volume, which helps differentiate attack packets from normal packets. The Network agents also communicate with a server to fetch its training set periodically or whenever it is updated. The Host agent is also an intelligent agent. It looks for unusual behaviour on its own system, i.e. it looks for information such as superuser access, user permission violations, external USB access, and iptables modifications. An alarm system also raises an alarm on illegal commands as well as external USB access.
The Host agents communicate with the network admin as well as a central incident server that stores each ticket (generated whenever unusual behaviour is encountered). A packet forwarding agent also forwards the unusable packets to a honeypot agent, which analyses those packets to gain information about them.
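The abstract describes the Network agent's entropy calculation over packet size, source and destination IP address, and input traffic volume, but gives no formula. The following added example (not code from the patent or its authors) shows one defensible reading of that method: Shannon entropy of each parameter is computed per fixed-size packet window, a baseline mean and standard deviation are learned from windows of normal traffic, and a new window is flagged when any parameter's entropy or the window's total volume deviates by more than a z-score threshold. The 64-byte size bins, the threshold of 3.0 standard deviations, the 200-packet window and all traffic data are constructed assumptions for illustration.

```python
import math
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    size: int  # bytes


def shannon_entropy(values):
    """Shannon entropy (bits) of the empirical distribution of `values`."""
    counts = Counter(values)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def window_features(window):
    """Per-window features named in the abstract: entropy of source IP,
    destination IP and packet size (bucketed into assumed 64-byte bins),
    plus input traffic volume in bytes."""
    return {
        "src_ip": shannon_entropy(p.src_ip for p in window),
        "dst_ip": shannon_entropy(p.dst_ip for p in window),
        "size": shannon_entropy(p.size // 64 for p in window),
        "volume": float(sum(p.size for p in window)),
    }


def build_baseline(training_windows):
    """Mean and standard deviation of each feature over normal-traffic windows.
    This plays the role of the training set the agents fetch from the server."""
    feats = [window_features(w) for w in training_windows]
    baseline = {}
    for key in feats[0]:
        xs = [f[key] for f in feats]
        mean = sum(xs) / len(xs)
        var = sum((x - mean) ** 2 for x in xs) / len(xs)
        baseline[key] = (mean, math.sqrt(var))
    return baseline


def score_window(window, baseline, threshold=3.0):
    """Return (flagged_features, z_scores). A feature is flagged when its
    value lies more than `threshold` standard deviations from the baseline."""
    feats = window_features(window)
    z_scores = {}
    for key, (mean, std) in baseline.items():
        z_scores[key] = (feats[key] - mean) / max(std, 1e-9)  # avoid divide by zero
    flagged = sorted(k for k, z in z_scores.items() if abs(z) > threshold)
    return flagged, z_scores


# --- Constructed sample traffic (assumption, not captured data) ---------------
_rng = random.Random(42)
_SRC_POOL = [f"10.1.{i // 256}.{i % 256}" for i in range(50)]
_DST_POOL = [f"192.168.1.{i}" for i in range(20)]


def make_normal_window(n=200):
    """Diverse sources and destinations, sizes spread between 60 and 1500 bytes."""
    return [Packet(_rng.choice(_SRC_POOL), _rng.choice(_DST_POOL),
                   _rng.randint(60, 1500)) for _ in range(n)]


def make_flood_window(n=200):
    """One source hammering one destination with minimum-size packets:
    every entropy collapses toward zero and volume drops sharply."""
    return [Packet("10.9.9.99", "192.168.1.5", 64) for _ in range(n)]


TRAINING_WINDOWS = [make_normal_window() for _ in range(20)]
BASELINE = build_baseline(TRAINING_WINDOWS)
ATTACK_WINDOW = make_flood_window()


def detect(window):
    """Convenience wrapper: list of features that deviate from BASELINE."""
    return score_window(window, BASELINE)[0]


if __name__ == "__main__":
    for name, w in (("normal", make_normal_window()), ("flood", ATTACK_WINDOW)):
        flagged, z = score_window(w, BASELINE)
        print(name, {k: round(v, 1) for k, v in z.items()}, "flagged:", flagged)
```

Entropy works in both directions: a single-source flood collapses source-IP entropy, while a spoofed-source flood against one host would push source entropy above the baseline yet still collapse destination entropy, so the sign of the z-score is itself useful context for the analyst reading the ticket. In a real deployment the baseline should be rebuilt per network segment and time of day, since legitimate traffic mix shifts would otherwise show up as false positives.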
