Intrusion Detection Node And Agent Computer Science Essay


This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

An Intrusion Detection Agent (IDA) consists of four components: a Preprocessor, a Signature Processor, an Anomaly Processor and a Post Processor. Their functions are described below.

Figure 4.4: IDA Structure

The Pre-Processor either collects the network traffic of the leaf-level sensors, when the agent acts as a Local Policy Agent (LPA), or receives reports from the lower-layer IDA. The collected sensor traffic data is abstracted into a set of variables called the stimulus vector, which makes the network status understandable to the higher-layer processors of the agent.

The Signature Processor maintains a reference model or database, the Signature Record, of known unauthorized, malicious and high-risk activities, and compares the reports from the preprocessor against these known attack signatures. If a match is found, a misuse intrusion has been detected; otherwise the signature processor passes the relevant data to the next higher layer for further processing.

The Anomaly Processor analyzes the stimulus vector from the preprocessor to detect anomalies in the network traffic. Usually a statistical method or artificial intelligence is used to detect this kind of attack. A profile of normal activity, propagated from the base station, is stored in the database. If the activity reported by the preprocessor deviates from the normal profile in a statistically significant way, or exceeds some particular threshold value, an attack is flagged. Intrusion detection rules are essentially policies that define the standard access mechanisms and permitted uses of sensor nodes; here the database acts as a Policy Information Base (PIB), or policy repository.

The Post Processor prepares and sends reports to the higher-layer agent or the base station. It can also be used to display the agent's status through a user interface.
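The four-stage pipeline described above, as an added example that is not part of the essay or of any implementation it describes. The report fields, the single signature, the packet-rate z-score rule and the authentication-failure threshold are all assumptions made for this example; the sample reports are constructed.

```python
"""Intrusion Detection Agent (IDA) pipeline: Preprocessor -> Signature
Processor -> Anomaly Processor -> Post Processor, run over constructed
sensor reports.  Example code, not the essay author's implementation."""
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed raw reports from leaf-level sensor nodes, one per monitoring
# interval.  Field names are assumptions for this example.
SAMPLE_REPORTS = [
    {"node": "S1", "pkts": 20, "bytes": 2400, "auth_fail": 0, "payload": "temp=21.5"},
    {"node": "S2", "pkts": 22, "bytes": 2600, "auth_fail": 0, "payload": "temp=21.7"},
    {"node": "S3", "pkts": 19, "bytes": 2300, "auth_fail": 1, "payload": "temp=21.4"},
    {"node": "S4", "pkts": 21, "bytes": 2500, "auth_fail": 0, "payload": "temp=21.6"},
    {"node": "S5", "pkts": 20, "bytes": 2400, "auth_fail": 0, "payload": "cmd=REPROGRAM;img=0x1F"},
    {"node": "S6", "pkts": 160, "bytes": 19000, "auth_fail": 0, "payload": "temp=21.5"},
]

# Signature Record: known-bad text patterns (constructed for the example).
SIGNATURE_RECORD = {
    "SIG-001 unauthenticated reprogram command": "cmd=REPROGRAM",
}

@dataclass
class Profile:
    """Normal-activity profile propagated from the base station (the PIB)."""
    pkt_rate_mean: float
    pkt_rate_std: float
    z_threshold: float = 3.0    # "statistically significant" deviation, in sigma
    max_auth_fail: int = 3      # absolute threshold rule

def preprocess(report):
    """Preprocessor: abstract a raw report into a stimulus vector."""
    return {
        "node": report["node"],
        "pkt_rate": report["pkts"],
        "avg_len": report["bytes"] / max(report["pkts"], 1),
        "auth_fail": report["auth_fail"],
        "payload": report["payload"],
    }

def signature_check(vec):
    """Signature Processor: name of the matching signature, or None."""
    for name, pattern in SIGNATURE_RECORD.items():
        if pattern in vec["payload"]:
            return name
    return None

def anomaly_check(vec, profile):
    """Anomaly Processor: describe a deviation from the normal profile, or None."""
    z = (vec["pkt_rate"] - profile.pkt_rate_mean) / (profile.pkt_rate_std or 1.0)
    if abs(z) > profile.z_threshold:
        return f"packet rate {vec['pkt_rate']} deviates by {z:.1f} sigma"
    if vec["auth_fail"] > profile.max_auth_fail:
        return f"{vec['auth_fail']} authentication failures"
    return None

def postprocess(node, kind, detail):
    """Post Processor: the report sent to the higher-layer agent / base station."""
    return {"node": node, "type": kind, "detail": detail}

def build_profile(training_reports):
    """Learn the normal profile from benign training reports (base station side)."""
    rates = [r["pkts"] for r in training_reports]
    return Profile(pkt_rate_mean=mean(rates), pkt_rate_std=pstdev(rates))

def run_ida(reports, profile):
    """Run every report through the four stages and collect the alerts."""
    alerts = []
    for vec in map(preprocess, reports):
        sig = signature_check(vec)
        if sig:   # known misuse: report it, no anomaly analysis needed
            alerts.append(postprocess(vec["node"], "misuse", sig))
            continue
        anomaly = anomaly_check(vec, profile)
        if anomaly:
            alerts.append(postprocess(vec["node"], "anomaly", anomaly))
    return alerts

if __name__ == "__main__":
    profile = build_profile(SAMPLE_REPORTS[:4])   # first four intervals are benign
    for alert in run_ida(SAMPLE_REPORTS, profile):
        print(alert)
```

Note the ordering: the signature stage is cheap and precise, so a known pattern short-circuits the more expensive anomaly stage; only traffic without a signature match is compared against the profile.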

Activating every node as an IDS wastes energy, so the number of nodes running intrusion detection must be minimized. Three strategies for selecting intrusion detection nodes have been proposed. Core defense selects IDS nodes around a centre point of a subset of the network; it assumes that no intruder can break into the central station of any cluster, defends the innermost part first and then retaliates outward. Boundary defense selects nodes along the boundary perimeter of the cluster, defending against intruders breaking into the cluster from outside the network. Distributed defense uses an agent node selection algorithm based on voting; in this model, node selection follows the tree hierarchy.

4.2.4 Intrusion detection model:-

The detection models are as follows:

1. Anomaly detection: - Anomaly detection systems assume that all intrusive activities are necessarily anomalous. Two kinds of error follow from this assumption:

Anomalous activities that are not intrusive are flagged as intrusive (false positives).

Intrusive activities that are not anomalous result in false negatives (events that are intrusive are not flagged as such).

Anomaly detection describes the process of detecting abnormal activities on a network. The major requirements on an anomaly-based intrusion detection model are a low false positive rate (FPR) and a high true positive rate (TPR). The performance parameters behind these requirements are True Positive, True Negative, False Positive and False Negative, defined as follows:

True Positive (TP): This occurs when the IDS raises an alert on traffic that really is malicious. Hence TP is the total amount of detected malicious activity.

True Negative (TN): This occurs when no malicious activity is taking place in the network and the IDS correctly raises no alarm. TN is therefore the total monitored traffic minus TP, FP and FN, not simply the total minus TP.

False Positive (FP): This occurs when the IDS erroneously raises an alarm over legitimate activity in the network. False positives typically arise when the IDS has not been adapted to the normal, non-malicious traffic of the network.

False Negative (FN): This occurs when the IDS fails to detect malicious activity that is taking place in the network.

False Positive Rate (FPR): This is the proportion of instances that were not intrusions but were still alerted on. FPR is obtained from the counts above as:

FPR = FP / (FP + TN)

True Positive Rate (TPR): This rate shows how good the IDS is at detecting intrusions in a network. It is also called the Detection Rate, and is obtained as:

TPR = TP / (TP + FN)

A well-working IDS is expected to have an FPR of less than 1% and a very high TPR.
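The four counts and the two rates computed for a detector that alerts when an anomaly score exceeds a threshold, as an added example (not from the essay). The scored events are constructed, and sweeping the threshold shows the FPR/TPR trade-off behind the "low FPR, high TPR" requirement.

```python
"""Confusion matrix, FPR and TPR for an anomaly detector at a given alert
threshold, over a constructed set of scored events.  Example code, not the
essay author's."""

# Constructed evaluation set: (is_intrusion, anomaly_score in [0, 1]).
EVENTS = [
    (False, 0.05), (False, 0.10), (False, 0.12), (False, 0.20),
    (False, 0.25), (False, 0.30), (False, 0.35), (False, 0.55),
    (True, 0.45), (True, 0.70), (True, 0.85), (True, 0.95),
]

def confusion_matrix(events, threshold):
    """Count TP/FN/FP/TN when the IDS alerts on score > threshold."""
    cm = {"TP": 0, "FN": 0, "FP": 0, "TN": 0}
    for is_intrusion, score in events:
        alerted = score > threshold
        if is_intrusion:
            cm["TP" if alerted else "FN"] += 1
        else:
            cm["FP" if alerted else "TN"] += 1
    # TN is what remains after TP, FP and FN, not simply total - TP.
    assert sum(cm.values()) == len(events)
    return cm

def fpr(cm):
    """Proportion of non-intrusions that were alerted on: FP / (FP + TN)."""
    return cm["FP"] / (cm["FP"] + cm["TN"])

def tpr(cm):
    """Detection rate, proportion of intrusions alerted on: TP / (TP + FN)."""
    return cm["TP"] / (cm["TP"] + cm["FN"])

def sweep(events, thresholds):
    """(threshold, FPR, TPR) per threshold: the detector's operating points."""
    points = []
    for t in thresholds:
        cm = confusion_matrix(events, t)
        points.append((t, fpr(cm), tpr(cm)))
    return points

def meets_requirement(cm, max_fpr=0.01, min_tpr=0.99):
    """The essay's target: FPR below 1% together with a very high TPR."""
    return fpr(cm) <= max_fpr and tpr(cm) >= min_tpr

if __name__ == "__main__":
    for t, f, d in sweep(EVENTS, [0.4, 0.5, 0.6]):
        print(f"threshold={t:.2f}  FPR={f:.3f}  TPR={d:.3f}")
```

Raising the threshold from 0.5 to 0.6 removes the one false positive but also loses a true positive; lowering it to 0.4 catches every intrusion while keeping the false positive. No single threshold on this data meets both targets, which is the usual reason an anomaly detector is tuned per deployment rather than shipped with a fixed threshold.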

Figure 4.5: Anomaly Detection Model

Anomaly detection systems (ADSs) are also computationally expensive because of the overhead of keeping track of, and possibly updating, several system profile metrics. Early work started it all, and today modern anomaly detection systems are not only real-time (as Denning wanted) but can monitor the overall health of the Internet. A statistical baseline is taken of states such as CPU utilization, disk activity, user logins and file activity, and an alert is triggered when a statistically significant deviation from this baseline occurs. The number of events happening within a given time interval is compared to a monitored metric, e.g. someone logging in with an incorrect password too many times.

Statistical approaches:-

Behavior profiles for subjects are generated.

The anomaly detector constantly computes the variance of the present profile from the original one.

They adaptively learn the behavior of users.

They are potentially more sensitive than human observers.

Problems with statistical approaches:- They can gradually be trained by intruders so that eventually intrusive events are considered normal. It is also not known exactly which subset of all possible measures accurately predicts intrusive activity.

Predictive pattern generation:-

This method tries to predict future events based on the events that have already occurred, using rules such as the one below, which states that once events E1 and E2 have occurred in sequence, E3 follows with 80% probability, E4 with 15% and E5 with 5%:

E1 - E2 = (E3 = 80%, E4 = 15%, E5 = 5%)

The problem is that intrusion scenarios that are not described by the rules will not be flagged as intrusive.

Rule-based sequential patterns have several advantages:

They can detect anomalous activities that were difficult to detect with traditional methods.

Systems built using this model are highly adaptive to changes.

It is easier to detect users who try to train the system during its learning period.

Anomalous activities can be detected and reported within seconds of receiving audit events.
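The rule form E1 - E2 = (E3 = p, E4 = q, ...) learned from audit data and then applied to a new session, as an added example that is not from the essay. The training sessions, the event vocabulary, the order-2 context and the 10% probability floor are assumptions made here; the `unknown_is_anomalous` switch exposes the weakness the essay names (a sequence no rule describes is silently not flagged) and the conservative alternative.

```python
"""Predictive pattern generation: learn rules "E1,E2 -> {E3: p, E4: q, ...}"
from audit event sequences, then flag continuations whose predicted
probability is below a floor.  Example code, not the essay author's."""
from collections import Counter, defaultdict

# Constructed training audit trail: one user's normal sessions.
TRAINING = [
    "login read read write logout".split(),
    "login read write logout".split(),
    "login read read read logout".split(),
    "login read write write logout".split(),
    "login read read write logout".split(),
]

def learn_rules(sessions, order=2):
    """Map each context of `order` previous events to next-event probabilities."""
    counts = defaultdict(Counter)
    for s in sessions:
        for i in range(order, len(s)):
            counts[tuple(s[i - order:i])][s[i]] += 1
    rules = {}
    for ctx, c in counts.items():
        total = sum(c.values())
        rules[ctx] = {event: n / total for event, n in c.items()}
    return rules

def score_session(session, rules, order=2, min_prob=0.1, unknown_is_anomalous=True):
    """Return (position, context, event, p) for each event judged anomalous.

    p is None when no rule exists for the context.  With
    unknown_is_anomalous=False such events are not flagged at all, which is
    exactly the blind spot described in the text."""
    findings = []
    for i in range(order, len(session)):
        ctx = tuple(session[i - order:i])
        if ctx not in rules:
            if unknown_is_anomalous:
                findings.append((i, ctx, session[i], None))
            continue
        p = rules[ctx].get(session[i], 0.0)
        if p < min_prob:
            findings.append((i, ctx, session[i], p))
    return findings

if __name__ == "__main__":
    rules = learn_rules(TRAINING)
    for ctx, dist in sorted(rules.items()):
        print(ctx, "->", dist)
    suspicious = "login read read write exec logout".split()
    print(score_session(suspicious, rules))
```

Once an unexpected event such as `exec` appears, every following context is unseen as well, so the conservative mode keeps flagging until the sequence returns to known territory; the non-conservative mode flags only the first deviation and nothing afterwards.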

2. Signature detection: - An updatable database is kept of the patterns of every known attack; when observed activity matches one of these patterns, an alert is triggered. Signatures are byte sequences that may contain a sample of virus code, a combination of keystrokes, or text indicating probes of certain directories. Signatures and alert rules are put together in databases called rule sets.

Signature detection IDS operates on almost the exact opposite principle to anomaly detection. It works from databases or rule sets that contain samples of malicious keystrokes or code representing suspicious behaviors or patterns. The database can, and should, be customized to offset false positives, along with other tuning such as using wildcard (*) characters to catch variants where a script kiddie has changed only a symbol or two in a virus code. Signature detection IDS is popular partly because professional groups and newsletters exist that alert administrators to new behaviors and patterns, and many newsgroups exist where IT administrators discuss IDS.

3. Hybrid Anomaly Detection Model:-

The incoming data is first analyzed and compared with the existing pre-defined signatures in the database for rule matching, and then checked for significant deviations from the normal profile; only then is a response generated. If a false positive occurs, the profile is updated and the process starts again, with the system or network monitored for the changes made. The model assumes that false negative errors do not take place, i.e. every activity that is not known to be benign is treated as suspicious.

Figure 4.6: Hybrid Anomaly Detection Model


4.2.1 IDS mechanism in sensor nodes

Physical layer: -

Jamming is the primary physical layer attack. A jamming attack can be identified from the Received Signal Strength Indicator (RSSI), the average time required to sense an idle channel (carrier sense time) and the packet delivery ratio (PDR). In a wireless medium the received signal strength is related to the distance between nodes. Node tampering and destruction are other physical layer attacks; they can be prevented by placing nodes in a secured place. During the initialization process the cluster node's LPA stores the RSSI values for communication between the cluster node and its leaf-level sensor nodes and between sensor nodes. Later, at monitoring time, the Anomaly Processor in the LPA checks whether a received RSSI value is unexpected; if it is, it notifies the RPA by generating an appropriate alarm.

Figure 4.7: IDS mechanism in wireless sensor networks

Link Layer attacks:-

Link layer attacks include collision, denial of sleep and packet replay. Here S-MAC and Time Division Multiple Access (TDMA) can be used to detect anomalies. TDMA is a digital transmission scheme in which each cluster node assigns different time slots to the sensor nodes in its region; during its slot every sensor node has access to the radio channel without interference. If an attacker sends a packet using the source address of some node A in a slot that is not allocated to A, the LPA's Anomaly Processor can easily detect the intrusion. The S-MAC protocol [18] assigns wakeup and sleep times to the sensor nodes; since the sensors have limited power, S-MAC is implemented for energy conservation. If a packet is received from source A during A's sleep period, the LPA can easily detect the inconsistency.

Network Layer: -

At the network layer, route tracing is used to determine whether a packet really arrived by the expected route. If a packet reaches the destination via a path other than the designated one, the Anomaly Processor can detect a possible intrusion according to predefined rules. The application layer uses three levels of watchdogs, in the base station, the regional node and the cluster node. Sensor nodes are monitored by the watchdog of the cluster node above them, cluster nodes are monitored by the regional node's watchdog, and finally the top-level watchdog in the base station monitors the regional nodes. So if any node is compromised by an attacker, the watchdog at the next higher layer can detect the attack and generate an alarm.
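The physical, link and network layer checks the LPA's Anomaly Processor performs (stored RSSI baseline, TDMA slot ownership, S-MAC sleep schedule, expected route), combined in one added example that is not from the essay. The per-node baselines, slot table, sleep schedule, route table, the 6 dB tolerance and the `path` header field are all constructed assumptions for this example.

```python
"""Local Policy Agent (LPA) consistency checks at the physical, link and
network layers: stored RSSI baseline, TDMA slot ownership, S-MAC sleep
schedule and expected route.  Example code with constructed values, not
the essay author's implementation."""
from dataclasses import dataclass

@dataclass
class Packet:
    src: str        # claimed source node id
    t: float        # arrival time in seconds
    rssi: float     # received signal strength at the cluster node, dBm
    path: tuple     # route recorded in the packet header (assumed field)

# State recorded by the cluster node during initialisation (constructed).
BASELINE_RSSI = {"A": -60.0, "B": -72.0, "C": -65.0}           # dBm per leaf node
RSSI_TOLERANCE = 6.0                                             # allowed deviation, dB
FRAME = 1.0                                                      # TDMA frame length, s
SLOTS = {"A": (0.0, 0.25), "B": (0.25, 0.5), "C": (0.5, 0.75)}   # [start, end) in frame
SLEEP = {"A": (0.5, 1.0), "B": (0.5, 1.0), "C": (0.75, 1.0)}     # S-MAC sleep intervals
EXPECTED_ROUTE = {"A": ("A", "CH"), "B": ("B", "A", "CH"), "C": ("C", "CH")}  # CH = cluster head

def in_interval(phase, interval):
    start, end = interval
    return start <= phase < end

def check_packet(p):
    """Return the rule violations for one packet; an empty list means consistent."""
    if p.src not in BASELINE_RSSI:
        return ["unknown-source"]
    violations = []
    phase = p.t % FRAME
    if abs(p.rssi - BASELINE_RSSI[p.src]) > RSSI_TOLERANCE:
        violations.append("rssi")        # spoofed node, moved node or jamming
    if not in_interval(phase, SLOTS[p.src]):
        violations.append("tdma-slot")   # transmitting outside its assigned slot
    if in_interval(phase, SLEEP[p.src]):
        violations.append("smac-sleep")  # "from" a node that should be asleep
    if p.path != EXPECTED_ROUTE[p.src]:
        violations.append("route")       # arrived via a path other than the designated one
    return violations

def lpa_monitor(packets):
    """Alarms the LPA's Anomaly Processor would forward to the RPA."""
    alarms = []
    for p in packets:
        v = check_packet(p)
        if v:
            alarms.append((p.src, p.t, v))
    return alarms

# Constructed traffic: two benign packets, one spoofed "A", one misrouted "C".
SAMPLE_PACKETS = [
    Packet("A", 0.10, -61.0, ("A", "CH")),
    Packet("B", 1.30, -71.0, ("B", "A", "CH")),
    Packet("A", 0.60, -85.0, ("A", "CH")),
    Packet("C", 2.55, -64.0, ("C", "B", "CH")),
]

if __name__ == "__main__":
    for alarm in lpa_monitor(SAMPLE_PACKETS):
        print(alarm)
```

The third packet trips all three lower-layer rules at once, which is what a replayed or spoofed frame from a node that is asleep typically looks like; the fourth is consistent at the physical and link layers and is caught only by the route check.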

Intrusion Response:

We have applied the idea of the route guard mechanism in our response mechanism, with some modification. Our IDS places each sensor node into one of five classes: Fresh, Member, Unstable, Suspect or Malicious. The Local Policy Agent (LPA), the Regional Policy Agent (RPA) and finally the Base Policy Decision Point (BPDP) take the decisions about a node's class placement. The route guard mechanism uses a path rating algorithm to keep each node within these classes; in our model the policies or rules that assign a node to a class are defined in the base station's BPDP.

When a new node arrives it is classified as Fresh and remains in that state for a preselected period of time, during which the LPA checks whether the node is misbehaving. In this period the node is permitted to forward packets or receive packets from other sensor nodes, but not to send packets it generated itself. After the period its classification changes to Member automatically if no misbehavior is detected; otherwise it changes to Suspect.

In the Member state nodes are allowed to create, send, receive and forward packets, and are monitored by the watchdog at the LPA in the cluster node. If a Member node misbehaves its state changes to Unstable for a short span of time. During the Unstable state the node is permitted to receive and forward packets but not to send its own, and is kept under close observation by the LPA; if it behaves well it is returned to the Member state. An Unstable node is converted to Suspect in two cases: either it has alternated between the Member and Unstable states a particular number of times within a predefined period, or it has been misbehaving for a long time.

The LPA's Post Processor sends a "Danger alert" to the RPA whenever a Suspect node is encountered. The suspect node is completely isolated from the network: it is not allowed to send, receive or forward packets, it is temporarily banned for a short time, and any packets received from it are simply discarded. After a certain period the node is reconnected and monitored closely for an extended period by the Intrusion Detection Agents in all three layers. If the watchdogs report good behavior, the node's status changes to Unstable; if it continues misbehaving it is labelled Malicious. Once declared malicious, a node is permanently banned from the network, and to ensure that it never reconnects its MAC address or other unique ID is added to the Signature Record database of the LPA.
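The five-class response described above as an explicit state machine, driven by one watchdog verdict per observation interval. This is an added example, not the essay's or the route guard mechanism's code; the Fresh period, the flap limit and window, the "misbehaving for a long time" streak, the ban length and the probation length are all numeric assumptions chosen here since the essay gives none.

```python
"""Node classification state machine for the intrusion response:
Fresh -> Member <-> Unstable -> Suspect -> Malicious, driven by per-interval
watchdog verdicts.  Example code with assumed parameters, not the essay's."""
from dataclasses import dataclass, field

FRESH_PERIOD = 5      # intervals a new node stays Fresh (assumed)
FLAP_LIMIT = 3        # Member->Unstable transitions within FLAP_WINDOW => Suspect
FLAP_WINDOW = 20      # intervals (assumed)
UNSTABLE_LIMIT = 4    # consecutive misbehaving intervals => Suspect ("long time")
BAN_PERIOD = 10       # intervals a Suspect node is fully isolated (assumed)
PROBATION = 15        # intervals of close observation after reconnection (assumed)

@dataclass
class NodeRecord:
    state: str = "Fresh"
    entered: int = 0                               # interval at which state was entered
    flaps: list = field(default_factory=list)      # times of Member->Unstable moves
    bad_streak: int = 0                            # consecutive misbehaviours in Unstable

def permissions(state):
    """(may originate own packets, may receive, may forward) for each class."""
    return {
        "Fresh":     (False, True,  True),
        "Member":    (True,  True,  True),
        "Unstable":  (False, True,  True),
        "Suspect":   (False, False, False),   # isolated: its packets are discarded
        "Malicious": (False, False, False),   # permanently banned
    }[state]

def step(rec, now, misbehaved, banned_ids, node_id):
    """Advance one interval given the watchdog verdict; returns the new state."""
    def enter(new):
        rec.state, rec.entered = new, now
    s = rec.state
    if s == "Fresh":
        if misbehaved:
            enter("Suspect")
        elif now - rec.entered >= FRESH_PERIOD:
            enter("Member")
    elif s == "Member":
        if misbehaved:
            rec.flaps = [t for t in rec.flaps if now - t < FLAP_WINDOW] + [now]
            rec.bad_streak = 1
            enter("Suspect" if len(rec.flaps) >= FLAP_LIMIT else "Unstable")
    elif s == "Unstable":
        if misbehaved:
            rec.bad_streak += 1
            if rec.bad_streak >= UNSTABLE_LIMIT:
                enter("Suspect")
        else:
            enter("Member")
    elif s == "Suspect":
        if now - rec.entered < BAN_PERIOD:
            pass                                   # still isolated, nothing to evaluate
        elif misbehaved:                           # misbehaves again under probation
            enter("Malicious")
            banned_ids.add(node_id)                # its ID goes into the Signature Record
        elif now - rec.entered >= BAN_PERIOD + PROBATION:
            enter("Unstable")
            rec.bad_streak = 0
    return rec.state

def simulate(verdicts, node_id="N1"):
    """verdicts: one bool per interval (True = watchdog saw misbehaviour).
    Returns the state after each interval and the set of banned node IDs."""
    rec, banned, trajectory = NodeRecord(), set(), []
    for now, bad in enumerate(verdicts):
        trajectory.append(step(rec, now, bad, banned, node_id))
    return trajectory, banned

if __name__ == "__main__":
    flapping = [False] * 6 + [True, False, True, False, True]
    print(simulate(flapping))
```

The flap rule is what distinguishes this scheme from a plain counter: a node that alternates good and bad behaviour never accumulates a long streak, yet after three Member-to-Unstable moves inside the window it is still demoted to Suspect.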

Figure 4.8: Response of intrusion operation

Survivability is one of the major properties expected of any system. We consider the base station to be failure-free, but regional nodes or cluster nodes may become unreachable through failure or battery exhaustion. In such cases of failure or physical damage to a regional node or cluster node, control of that node's subtree should be taken over by another stable node. So in our proposed architecture, if any regional node fails, its control is shifted dynamically to a neighboring regional node, and control of the cluster nodes and sensor nodes belonging to the failed regional node is shifted automatically to that neighbor. In the same way, if any cluster node fails, control of that cluster is transferred to a neighboring cluster node.

Figure 4.9: Child nodes failure

So in the proposed architecture, if an LPA is unreachable because its cluster node has failed or exhausted its battery, a neighboring LPA takes charge of the leaf-level sensor nodes that were in the area of the faulty cluster node. In the same way, when a regional node fails, the RPA of a neighboring sub-parent node dynamically takes over the functionality of all the cluster-node LPAs and sensor nodes that belonged to the faulty regional node.

Figure 4.10: Sub-parent nodes failure

As mentioned before, cluster nodes and regional nodes have no direct communication between themselves. So how will a cluster node or regional node learn of its neighbor's failure? In the proposed architecture the base station has direct or indirect connections with all its leaf nodes, and a direct connection with each regional node. So if any regional node fails, the base station can identify the problem and dynamically select one of the node's neighbors according to a predefined rule in the BPDP; the BPDP then supplies the policy, rules and signatures of the failed node to the newly selected neighboring regional node. Similarly, if a cluster node fails its neighboring cluster nodes will not be informed of the failure, so the regional node takes the necessary action of selecting a suitable neighboring cluster node; the policy, rules and signatures of the failed cluster node are supplied by the BPDP through the relevant RPA. Thus the RPA's only responsibility is to select an appropriate neighbor for the unreachable LPA; the rest of the work belongs to the BPDP of the base station. As the base station is a much more powerful node with large storage, all signatures, anomaly detection rules and policies are stored primarily, as a backup, in the base station. This backup system increases the reliability of the whole network.

4.3 Intrusion Prevention Systems in wireless sensor network:-

Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices. Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents. Intrusion detection and prevention systems are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators. There are several types of intrusion detection and prevention systems:-

Network based IPS: - monitors the entire network for suspicious traffic by analyzing protocol activity.

Host-based IPS: - an installed software package which monitors a single host for suspicious activity by analyzing events occurring within that host.

A typical wireless intrusion prevention system consists of:-

Wireless sensors: - used to monitor and analyze activity;

Management server - receives information from the sensors and performs analysis;

Database server - used to store event information generated by sensors and management servers;

Console - represents the interface for the users and administrators.

In a wireless intrusion prevention system, a normal sensor cannot monitor all the traffic on a band (which consists of more channels) simultaneously and can monitor only a single channel at a time; to cover multiple channels, it uses a technique called channel scanning, which involves monitoring each channel a few times per second. To reduce or avoid this limitation, there are specialized sensors that use several radio modules and can monitor several channels at the same time.

Intrusion prevention systems detect incidents using mainly three methodologies:- signature-based detection, anomaly-based detection and stateful protocol analysis.

Most systems use multiple detection methodologies, either separately or integrated, for more accurate detection. Signature-based detection involves comparing signatures against observed events in order to identify possible incidents; this method is very effective in the detection of known threats but does not provide good results in detecting previously unknown threats. Anomaly-based detection involves creating 'normal' activity patterns and comparing the observed events against these patterns. An intrusion detection and prevention system has an initial training phase, in which the system learns the normal behavior and creates profiles, which are used as a base for comparison.

A static profile is determined in the training phase and remains unchanged, whereas a dynamic profile is constantly adjusted as additional events are observed. Stateful protocol analysis is the process of comparing predetermined profiles of generally accepted definitions of benign protocol activity for each protocol state against observed events to identify deviations.

4.3.1 Host Based Intrusion Prevention Systems:-

Host Intrusion Prevention Systems (HIPS) are becoming more of a necessity in any environment, home or enterprise. They protect hosts from the network layer all the way up to the application layer, against known and unknown malicious attacks. Even with today's firewalls, Intrusion Detection Systems (IDS) and other network protection we implement, "hosts are still vulnerable to a myriad of attacks through all the different vectors".


A Host Intrusion Prevention System (HIPS) is a combination of a personal firewall, IDS and anti-virus plus additional protective components. By combining several preventive measures, users have multiple layers of protection against various types of attack. The personal firewall, buffer overflow exploit prevention and IPS protect against local and network-based attacks, while anti-virus, VPS and application control defend against application-based attacks. "A HIPS is like an airport security checkpoint: a variety of technologies look for multiple types of threats, including checking bags and people for weapons and chemical residues, and utilizing facial recognition software to identify wanted individuals."

Intrusion prevention systems are network security appliances that monitor network and/or system activities for malicious activity. Their main functions are to identify attacks and focus on malicious activity, attempt to block or stop that activity, log information about it, and report it. An IPS looks for behavior patterns that indicate malware. IPS is considered an extension of IDS because both monitor network traffic or system activities for malicious activity. Examples of the types of malicious behavior addressed by HIPS include the following.

Modification of system resources: - rootkits, Trojan horses and backdoors operate by changing system resources such as libraries, directories and user accounts.

Privilege-escalation exploits: - these attacks attempt to give ordinary users root privileges.

Directory traversal: - a directory traversal vulnerability in a web server allows an attacker to access files outside the range that a server application user would normally need to access.

The main difference from an IDS is that an IPS is placed in-line and is able to actively prevent or block the intrusions it detects. Attacks such as those above result in behaviors that can be analyzed by a HIPS, and the HIPS capability can be tailored to the specific platform. An IPS can take actions such as sending an alarm, dropping the malicious packets, resetting the connection, or blocking the traffic from the offending Internet Protocol address. An intrusion prevention system can also defragment packet streams, correct Cyclic Redundancy Check (CRC) errors, prevent TCP sequencing issues, and clean up unwanted transport and network layer options.

The role of HIPS: - Many industry observers see the enterprise endpoint, including desktop and laptop systems, as the main target for hackers and criminals, more so than network devices. Traditionally, endpoint security has been provided by separate products such as anti-spam tools and personal firewalls; the advantages of the integrated HIPS approach are that the various tools work closely together, threat prevention is more comprehensive, and management is easier.

4.3.2 Network Based Intrusion Prevention Systems:-

NIPS involves the deployment of sensors and monitoring devices throughout the network to capture and analyze traffic. The sensors detect malicious and unauthorized activities in real time and can take action when required. Sensors are deployed at designated network points that enable security managers to monitor network activity as it occurs, regardless of the location of the attack target. Among the techniques used in a NIPS but not commonly found in a firewall is flow data protection. This requires that the application payload in a sequence of packets be reassembled; the IPS device applies its filters to the full content of the flow every time a new packet for the flow arrives. When a flow is determined to be malicious, the latest and all subsequent packets belonging to the suspect flow are dropped. In terms of the general methods used by NIPS devices to identify malicious packets, the following are typical:-

Pattern matching: - scans incoming packets for specific byte sequences (the signature) stored in a database of known attacks.

Stateful matching: - scans for attack signatures in the context of a traffic stream rather than in individual packets.

Protocol anomaly: - looks for deviations from the standards set forth in RFCs.

Traffic anomaly: - watches for unusual traffic activity, such as a flood of UDP packets or a new service appearing on the network.

Statistical anomaly: - develops baselines of normal traffic activity and throughput and alerts on deviations from those baselines.
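Pattern matching per packet against stateful matching over the reassembled flow, as an added example that is not from the essay or any NIPS product. The two signatures, the flow key, the segment layout and the traffic are constructed; out-of-order segments are simply passed, which a real sensor would instead buffer.

```python
"""Per-packet pattern matching vs stateful matching over the reassembled
flow: a signature split across two TCP segments is missed by the former and
caught by the latter, after which the whole flow is dropped.  Example code,
not the essay author's."""
from dataclasses import dataclass

SIGNATURES = [b"/etc/passwd", b"cmd.exe"]     # constructed byte-sequence signatures

@dataclass
class Segment:
    flow: tuple       # (src_ip, src_port, dst_ip, dst_port)
    seq: int          # TCP sequence number of the first payload byte
    payload: bytes

def match_packet(seg):
    """Stateless pattern matching: signatures present in this one payload."""
    return [s for s in SIGNATURES if s in seg.payload]

class FlowTracker:
    """Stateful matching: reassemble in-order payload per flow and re-scan on
    every new segment, keeping only the tail needed to catch a signature
    that straddles a segment boundary."""

    def __init__(self):
        self.buf = {}            # flow -> (next expected seq, retained tail bytes)
        self.blocked = set()     # flows already judged malicious
        self.max_sig = max(len(s) for s in SIGNATURES)

    def feed(self, seg):
        """Return ('pass' | 'drop', matched signatures) for this segment."""
        if seg.flow in self.blocked:
            return "drop", []                # all subsequent packets of the flow are dropped
        next_seq, kept = self.buf.get(seg.flow, (seg.seq, b""))
        if seg.seq != next_seq:
            return "pass", []                # out of order: a real IPS would buffer it
        data = kept + seg.payload
        hits = [s for s in SIGNATURES if s in data]
        tail = data[-(self.max_sig - 1):] if self.max_sig > 1 else b""
        self.buf[seg.flow] = (seg.seq + len(seg.payload), tail)
        if hits:
            self.blocked.add(seg.flow)
            return "drop", hits
        return "pass", []

# Constructed HTTP request whose path-traversal signature crosses a boundary.
FLOW = ("10.0.0.5", 40000, "10.0.0.9", 80)
SEGMENTS = [
    Segment(FLOW, 1000, b"GET /../../etc/pas"),
    Segment(FLOW, 1018, b"swd HTTP/1.0\r\n"),
    Segment(FLOW, 1032, b"Host: target\r\n\r\n"),
]

def compare(segments):
    """(per-packet hits, stateful verdicts) for the same segment sequence."""
    tracker = FlowTracker()
    return [match_packet(s) for s in segments], [tracker.feed(s) for s in segments]

if __name__ == "__main__":
    stateless, stateful = compare(SEGMENTS)
    print("per-packet:", stateless)
    print("per-flow:  ", stateful)
```

Keeping only the last `max_sig - 1` bytes of each flow bounds the memory per flow while still guaranteeing that any signature crossing the boundary is seen whole in the next scan.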

NIPS sensors can be tuned for intrusion prevention analysis. The underlying OS of the platform on which the IPS software runs is stripped of unnecessary network services, and the essential services are secured. The hardware includes the following components:-

Network interface card: - a network-based IPS must be able to connect to any network type, such as Ethernet, Fast Ethernet and Gigabit Ethernet.

Processor: - the IPS requires CPU power to perform intrusion detection analysis and pattern matching.

Memory: - intrusion detection analysis is memory intensive. Memory directly affects the capability of a NIPS to detect attacks efficiently and accurately.