Distributed intrusion detection system

Research on distributed intrusion detection systems (DIDS) is a rapidly growing area of interest because centralized intrusion detection systems (IDS) are increasingly unfit for current network conditions. Detecting intrusions in a distributed network, whether they originate outside the network segment or inside it, is a difficult problem. An intrusion detection system must analyze a large volume of data without placing a significant added load on the monitored systems and networks. The deficiencies of centralized intrusion detection systems led to the idea of mobile agents. In an agent-based IDS there is no central station and therefore no central point of failure. Agents can detect malicious activity and take predefined actions against it. Such a system shows superior performance compared to central sniffing IDS techniques and saves network resources compared to other distributed IDSs that activate too many sniffers and cause bottlenecks in the network. This is one of the major motivations for using a distributed model based on a mobile agent platform. This paper presents a survey of distributed intrusion detection systems based on mobile agents, including an overview of several agent-based intrusion detection implementations.


Nowadays, acquiring information from networks is part of everyday life, but a problem has arisen at the same time: attempted attacks and successful intrusions have become frequent. Security has therefore become a key word for most companies worldwide, and the intrusion detection system (IDS) has become a critical topic in network security research.

However, with the growing complexity of the network environment and the appearance of coordinated attacks involving multiple attackers, traditional centralized IDS techniques, which follow a passive information processing paradigm, are increasingly unable to protect the global information infrastructure. Distributed intrusion detection system (DIDS) techniques have therefore started to evolve and have become a very important topic of security research in recent years [2].

Although different organizations describe DIDS differently, the definitions share the common goal of protecting the global information infrastructure. A DIDS can be defined as one that “consists of multiple Intrusion Detection Systems (IDS) over a large network, all of which communicate with each other, or with a central server that facilitates advanced network monitoring, incident analysis, and instant attack data” [1].


For mobile agents to be useful for intrusion detection, many, if not all, hosts and network devices must have a mobile agent (MA) platform installed. An MA platform is general-purpose software that enables organizations to implement many different applications.

2.1 Working of mobile agents.

A mobile agent consists of the program code and the program execution state (the current values of variables, the next instruction to be executed, etc.).

  1. The mobile agent is created on the Home machine, i.e. it initially resides on the computer that creates it, called the Home machine.
  2. The agent is then dispatched to execute on a remote computer, called a mobile agent host (or mobile agent platform).
  3. When a mobile agent is dispatched, its entire code and execution state are transferred to the host. The host provides a suitable execution environment for the mobile agent, i.e. the agent executes on Host machine A and uses resources such as the CPU and memory of the host machine to perform its tasks.
  4. After execution, the agent is cloned to create two copies. One copy is dispatched to Host machine B and the other to Host machine C.
  5. The cloned copies (the migrated mobile agents) execute on their respective hosts. Since the state information is also transferred to the host, the mobile agents can resume executing the code from where they left off on the previous host instead of having to restart execution from the beginning.
  6. After execution, Host machine B and Host machine C send the mobile agents they received back to the Home machine.
  7. The Home machine retracts the agents and analyzes the data they brought back. The agents are then disposed of.
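As an added illustration of the seven steps above (example code written for this page, not from the paper or any MA platform), the simulation below models an agent as a Python object whose methods are its code and whose attributes are its execution state; the host names, the per-host facts and the use of pickling to stand in for network transfer are all constructed.

```python
import copy
import pickle

# Constructed per-host facts for the simulation; these are not from the paper.
HOSTS = {
    "A": {"failed_logins": 3, "listening_ports": [22, 80]},
    "B": {"failed_logins": 41, "listening_ports": [22, 8080]},
    "C": {"failed_logins": 0, "listening_ports": [443]},
}

class MobileAgent:
    """Code (the methods) plus execution state (the instance attributes)."""
    def __init__(self, task):
        self.task = task        # which fact to gather on every host
        self.trail = []         # hosts this agent has executed on, in order
        self.collected = {}     # host -> gathered fact; travels with the agent

    def execute(self, host):
        # Steps 3 and 5: run on the host with the host's own resources.
        self.trail.append(host)
        self.collected[host] = HOSTS[host][self.task]
        return self

def dispatch(agent, host):
    """Step 2: ship code reference + state; the host rebuilds the agent and runs it."""
    wire = pickle.dumps(agent)       # what actually crosses the network
    arrived = pickle.loads(wire)     # resumes with trail and collected intact
    return arrived.execute(host)

def clone(agent, n=2):
    """Step 4: independent copies that each keep the state gathered so far."""
    return [copy.deepcopy(agent) for _ in range(n)]

def home_run(task="failed_logins"):
    """Home machine: create, dispatch, fan out, retract, analyze, dispose."""
    agent = MobileAgent(task)                          # step 1
    agent = dispatch(agent, "A")                       # steps 2-3
    clone_b, clone_c = clone(agent)                    # step 4
    returned = [dispatch(clone_b, "B"), dispatch(clone_c, "C")]  # steps 5-6
    facts = {}
    for r in returned:                                 # step 7: merge and analyze
        facts.update(r.collected)
    trails = [r.trail for r in returned]
    del returned, agent                                # agents disposed
    return {"facts": facts, "trails": trails}
```

The trails show the point of step 5: both clones arrive at B and C already carrying A's result rather than restarting from an empty state.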

2.2 Properties of mobile agents.

Mobile agents possess unique properties such as:

  1. Adaptive learning, i.e. mobile agents can learn from experience and adapt themselves to the environment. They can monitor traffic in a large network and learn about its trouble spots.
  2. Autonomy is the property that allows mobile agents to take decisions on their own. For example, mobile agents are free to choose the next host and when to migrate to it. The decisions taken by mobile agents are transparent to the user and in the user's interest.
  3. Mobility allows mobile agents to move from one host to another in the network [4][5].

2.3 Advantages of mobile agents.

Mobile agent technology can potentially overcome a number of limitations intrinsic to distributed IDSs that employ only static components. A number of advantages of the mobile agent paradigm have been proposed that are relevant for intrusion detection systems.

Overcoming Network Latency: Mobile agents can be dispatched to carry out operations directly at the remote point of interest, allowing them to respond in real time to changes in their environment. In addition to detecting and diagnosing potential network intrusions, mobile agents can provide appropriate response mechanisms. Such actions include gathering attack information sent to or emitted by the target of an attack, shutting down or isolating a system under attack to protect it from further damage, tracing the path of an attack, and shutting down or isolating an attacker's system.

Reducing Network Load: Instead of transferring the data across the network, mobile agents are dispatched to the machine on which the data resides, essentially moving the computation to the data rather than the data to the computation, thus reducing the network load. A side benefit where confidentiality is a concern is the efficiency of moving an encrypted agent and its refined data rather than all of the raw data in encrypted form.

Autonomous and Asynchronous Execution: For large distributed systems, the ability to continue operating when portions of the system are destroyed or become isolated is essential. Mobile agents can exist and function independently of the platform that created them, making them useful as IDS components.

Dynamic Adaptation: The ability of mobile agent systems to sense their environment and react to changes is useful in intrusion detection. Agents may move elsewhere to gain a better position or avoid danger, clone themselves for redundancy and parallelism, or marshal other agents for assistance. Combined with autonomous and asynchronous execution, these characteristics facilitate the building of robust and fault-tolerant systems [6].


1. The stationary (static) agent:

Stationary agents are scattered over many network nodes. These agents are not mobile and are also called static agents (SA). A static agent achieves its goal by executing on a single machine; it cannot move, and it stays and operates where it was created. It provides services to the outside and handles requests for those services.

2. The mobile agent:

A mobile agent is capable of moving from one node to another over the network, which permits the server interfaces managed on different sites to be spread dynamically. The mobile agent is a software entity that functions continuously and autonomously in a particular environment and can carry out activities in a flexible and intelligent manner that is responsive to changes in that environment. A mobile agent is able to learn from its experience, to inhabit an environment together with other agents and processes, and to communicate and cooperate with them while moving from place to place. Thus, mobile agents perform tasks beyond the scope of static agents.

The MA differs from the SA: it does not only stay at the node where it was created but can also migrate from one node to another in a heterogeneous network, i.e. it has mobility. Intercommunication among agents in different networks is thus completed locally, which increases the system's flexibility. There are also two types of MA: the original MA and its clones [2][7].

The structure of the mobile agent platform is shown in figure 3 below.

The mobile agent platform consists of the following components: Information Collection Agent (ICA), Intrusion Detection Agent (IDA), Information Database (IDB), Monitor Agent (MnA) and Communication Service Agent (CSA). The ICA collects real-time data from hosts or networks and continuously updates the information in the IDB. The IDA takes information out of the IDB and applies misuse detection or anomaly detection to analyze the data. If it can confirm that an intrusion has occurred, it responds to it; otherwise it sends the correlative data to the MnA for further analysis, and it also sends messages to other IDAs so that they cooperate in detecting the intrusion.

3.1 Information collection agent

The ICA collects information from the environment it monitors, such as a host or a network; the information includes packets obtained from the network, system audit data, operating system logs, system processes, and so on. That is to say, the IDA can be a host-based or a network-based component. After being selected and filtered, this information is stored in the IDB. The ICA provides the necessary local interfaces and data for the IDA.

3.2 Intrusion detection agent

The IDA is a type of mobile agent that can track an intruder and determine whether the system has been invaded or not. IDAs are distributed across hosts and networks, monitoring the target environment on behalf of the MnA or the user; they can migrate between heterogeneous networks and pick up the relevant information from the IDB to analyze whether an intrusion is occurring. Different types of IDA can be designed for different detection environments. An IDA adopts different detection methods (misuse detection, anomaly detection or a hybrid) to detect intrusions. When an IDA detects that an intrusion has occurred, it sends an alarm to the MnA. If the IDA cannot determine whether an intrusion has occurred, it sends the filtered correlative data back to the MA platform for further analysis. An IDA can also cooperate with other IDAs to detect intrusions.

3.3 Information database

The IDB is used to save the data that ICAs collect from the target objects. These data can be kept for a long time, and the IDA analyzes them to detect intrusions.

3.4 Monitor Agent

The Monitor Agent is a type of management agent used to control and process data. Its main work is to manage the deployment of all kinds of mobile agents, coordinate the relations between agents and further analyze the data. The MnA can communicate with the UI and provides an interface between the manager and the system. Most importantly, the MnA can dynamically distribute the load, including the data of the ICA and IDA, according to the agents' own load and the network load, so the system can make full use of all system resources and improve performance.

3.5 Communication server agent

Communication between agents is very important; if it has problems, the IDS cannot work normally and the whole system may be paralyzed. The CSA is a special communication server agent. It is unique in every MA platform and is used to transmit data flow or control flow; it is the bridge of communication among all agents. For the sake of communication security, the CSA provides authentication for all information and detects any unsafe data. The system adopts an encrypted channel and authentication to ensure that communication is safe.
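The ICA to IDB to IDA to MnA flow described in sections 3.1 to 3.5, as an added example that is not part of the paper: the audit lines, field names, signature list and thresholds are constructed, and the CSA's encrypted channel is left out so that the detection logic stays visible.

```python
from collections import Counter

# Constructed audit lines, as an ICA might read them from a host log (not from the paper).
RAW_EVENTS = (
    ["host=web1 src=10.0.0.5 event=login result=fail user=admin"] * 6
    + ["host=web2 src=10.0.0.9 event=login result=fail user=ops"] * 3
    + ["host=web2 src=10.0.0.9 event=login result=ok user=ops",
       "host=db1 src=10.0.0.7 event=exec cmd=known_bad_tool",
       "host=db1 src=10.0.0.7 event=heartbeat"]
)
MISUSE_SIGNATURES = {"known_bad_tool"}   # constructed signature list for misuse detection

class IDB:
    """Information Database: holds what the ICAs stored for later analysis."""
    def __init__(self):
        self.records = []

class MonitorAgent:
    """MnA: receives confirmed alarms and the correlative data IDAs could not decide on."""
    def __init__(self):
        self.alarms, self.for_review = [], []

def ica_collect(raw_lines, idb):
    """ICA: parse each line, keep only security-relevant events, store them in the IDB."""
    for line in raw_lines:
        rec = dict(field.split("=", 1) for field in line.split())
        if rec.get("event") in ("login", "exec"):
            idb.records.append(rec)
    return len(idb.records)

def ida_analyze(idb, mna, alarm_at=5, suspect_at=3):
    """IDA: misuse detection per record, anomaly detection on failed-login counts."""
    fails = Counter()
    for rec in idb.records:
        if rec["event"] == "exec" and rec.get("cmd") in MISUSE_SIGNATURES:
            mna.alarms.append(("misuse", rec["host"], rec["src"]))   # sure: alarm
        elif rec["event"] == "login" and rec.get("result") == "fail":
            fails[(rec["host"], rec["src"])] += 1
    for (host, src), n in fails.items():
        if n >= alarm_at:                       # sure: alarm the MnA
            mna.alarms.append(("anomaly", host, src))
        elif n >= suspect_at:                   # unsure: hand correlative data to the MnA
            mna.for_review.append({"host": host, "src": src, "failed": n})
    return mna

def run_platform(raw_lines=RAW_EVENTS):
    """ICA -> IDB -> IDA -> MnA, the flow described in section 3."""
    idb, mna = IDB(), MonitorAgent()
    ica_collect(raw_lines, idb)
    return ida_analyze(idb, mna)
```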


A mobile agent hides its location in the network, which makes it difficult for an attacker to locate and attack it. Even if the intruder shuts down some host, the mobile agent can leave a location it considers dangerous. When an agent is damaged, its clone can restore it and rejoin the intrusion detection system. The work process of the mobile agent is:

(1) Clone agents and distribute their locations randomly

Mobile agents are cloned (backup agents) and distributed randomly across the network. Agents and backup agents communicate through a proxy agent to transmit data. Proxy agents are located in the same subnetwork as their backup agents but on different hosts.

(2) Evade an attack and restore an original agent that has been attacked

If the original agent has been damaged, one of its clones is selected to replace it. The method is that each clone of the original agent creates a clone of its own and dispatches it to the appointed platform to check whether that platform can run normally or not. Once one backup agent is selected, it informs its own backup agent that it has replaced the original agent, and the other backup agents tell their own backup agents to destroy themselves and then destroy themselves.

(3) Recover broken communication links

Now the backup agent that replaced the original agent needs to communicate with the other agents to implement intrusion detection. The restored agent probes the existing MA platforms according to its own MA list. When it finds the agents with which it lost contact, it receives information from these agents to restore its own state, and then sends the message required to join the system under the control of the MA platform.

Thus we have studied an architecture that describes the way an agent can recover itself after an attack. The authors implemented MADIDS and compared it with a traditional distributed IDS (TDIDS) in terms of alarm times and false alarm times. The result of the experiment shows that MADIDS performs better than TDIDS in both alarm times and false alarm times.

To collect data from multiple hosts for a global audit of intrusions, multiple agents performing the same task must check in at a host only once; otherwise the result of the analysis will be incorrect. In the next section we describe an algorithm that helps mobile agents traverse multiple hosts for intrusion detection while avoiding hosts that have already been traversed by a mobile agent performing the same task [6][8].
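A model of recovery steps (1) to (3) above as added example code (not the MADIDS implementation): the agent names, the platform health table and the peer_state bookkeeping are assumptions made here to show the election of one healthy backup, the cleanup of the other backups and their own backups, and the state restore when the survivor rejoins.

```python
from dataclasses import dataclass, field

# Constructed health table: which MA platforms can currently run an agent (not from the paper).
PLATFORM_OK = {"h1": False, "h2": False, "h3": True, "h4": True, "h5": True}

@dataclass
class Agent:
    name: str
    platform: str
    alive: bool = True
    backup: "Agent" = None                          # this agent's own clone on another host
    state: dict = field(default_factory=dict)       # detection state the agent holds
    peer_state: dict = field(default_factory=dict)  # copies of peers' state, keyed by name

def probe(platform):
    """Step (2): a throwaway probe clone checks that the appointed platform runs normally."""
    return PLATFORM_OK.get(platform, False)

def replace_original(original, backups):
    """Step (2): when the original is damaged, elect one healthy backup, retire the others."""
    if original.alive:
        return original
    chosen = next((b for b in backups if b.alive and probe(b.platform)), None)
    if chosen is None:
        return None                                 # no backup can run anywhere
    for other in backups:
        if other is chosen:
            continue
        if other.backup is not None:
            other.backup.alive = False              # tells its own backup to destroy first
        other.alive = False                         # then destroys itself
    chosen.name = original.name                     # takes over the original's identity
    if chosen.backup is not None:                   # informs its own backup of the takeover
        chosen.backup.peer_state[chosen.name] = dict(chosen.state)
    return chosen

def rejoin(agent, ma_list):
    """Step (3): probe the MA list, restore state from reachable peers, ask to rejoin."""
    for peer in ma_list:
        if peer.alive and probe(peer.platform) and agent.name in peer.peer_state:
            agent.state.update(peer.peer_state[agent.name])
    return {"join": agent.name, "platform": agent.platform, "state_keys": sorted(agent.state)}

def demo():
    orig = Agent("ida-1", "h1", alive=False, state={"alerts": 7})        # damaged original
    b1 = Agent("ida-1.c1", "h2", backup=Agent("ida-1.c1.b", "h5"))       # platform h2 is down
    b2 = Agent("ida-1.c2", "h3", backup=Agent("ida-1.c2.b", "h4"))
    peer = Agent("ica-9", "h5", peer_state={"ida-1": {"alerts": 7, "last_seen": "h1"}})
    survivor = replace_original(orig, [b1, b2])
    return survivor, b1, rejoin(survivor, [peer, b1])
```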


With the growing need for privacy and security of networks and network resources, we can implement intrusion detection tools that detect intrusions in the network using mobile agents. We have seen different properties of mobile agents and various architectures of distributed intrusion detection systems using mobile agents. Using mobile agents, we can build a robust, attack-resistant distributed intrusion detection system that detects attacks from multiple nodes simultaneously, performs a global audit to detect intrusions, and provides a defensive mechanism at the place of the attack, reducing network load with better efficiency than traditional intrusion detection systems. Since mobile agents traverse different hosts that are trusted to various degrees, and since the state of a mobile agent changes during its journey, the security of the mobile agents themselves must be considered.
