Ids 015 architecture and implementation of ids
- 1. Architecture and Implementation of IDS/IPS Centralized Architecture The first generation of IDSs These host-based IDSs Run on the target system in order to monitor and analyze the operating system and host activities and to detect malicious activities. IDS Architecture Centralized Distributed Agent Based Based on where data source are collected and analyzed
- 2. The next generation of IDSs in which the intrusion monitoring, analysis and detection are moved from the target system to a separate system Most of current IDSs are centralized systems With a centralized architecture, all of the monitoring, detection, and response activities are controlled directly by a central console. Centralized intrusion detection have two major limitations (1) Existing commercial solutions to network intrusions cannot cover all possible attacks on the network accurately (i.e., they drop packets, but generate a huge number of false alarms) and (2) Existing approaches are unable to respond to attacks in a timely manner. As a result, a distributed intelligent agentbased system is proposed to overcome these shortcomings of conventional systems.
- 3. Distributed Architecture The partially distributed (i.e. hierarchical) architecture is proposed so that data collection is implemented locally in each subnet and is then reported to one or more central locations A typical hierarchical IDS architecture, in which a subnet IDS console collects reports from local sensors and then sends reports to the higher level IDS console (e.g., enterprise-level IDS console). This higher level IDS consol might send all reported information to another higher level IDS console that manages the detection and response among a set of cooperating networks Figure 5.3 shows a fully-distributed architecture.
- 4. Agent Based Agent based approach is used for hierarchical IDSs, they are also utilized for implementing fully distributed IDSs where data is collected and analyzed at a number of locations which is directly proportional to the number of monitored components
- 5. Intelligent Agents Instead of applying an individual IDS to defend the network, agents offer a new approach for the implementation of IDSs in which several independent and intelligent processes cooperate in securing the network. Such an agent-based IDS framework has many advantages, consisting of – o The distribution of the computation cost o The reduction in the amount of information sent over the network o The platform independence o The asynchronous operation o The ease of updating Some other benefits using the agent-based approach are efficiency, fault tolerance, extensibility, scalability, and resilience to degradation.
- 6. intelligent agents allows the complex IDS to be implemented in a highly modular manner and provides a possibility for the IDS to do an active defense instead of reporting intrusions passively. In an agent-based system, the individual agents are designed to manage a particular task and work together to fulfill the requirements of the whole system The main drawbacks of agent systems include the overhead of a large number of processes and the lack of viable research in understanding and addressing agents’ potential security problems. Some typical examples regarding the agent-based intrusion detection. o Autonomous Agents for Intrusion Detection (AAFID) o Multi-agents System-based Network Security Management Architecture o Hummingbird o Multi-agent-based IDS o Adaptive Hierarchical Agent-based Intrusion Detection System o Fuzzy Adaptive Survivability Tools (FAST) Autonomous Agents for Intrusion Detection (AAFID) A distributed IDS Developed by the Center for Education and Research in Information Assurance and Security (CERIAS) at the Purdue University The agents in AAFID are organized in a hierarchical fashion for data collection and analysis, and there are four components included in the system architecture, namely- o Agents o Filters o Transceivers o Monitors Filters provide a subscription-based service to agents with two main functions, namely data selection and data abstraction. Each data source has only one filter A transceiver receives findings reported by agents
- 7. Agents do not communicate directly with each other in the AAFID architecture and their operations are monitored by the transceivers on host entities. The transceiver has the ability to start, stop or send configuration commands to agents and can also perform data reduction on the data received from different agents. The transceivers report their results to one or more monitors Monitors have access to network-wide data, they are able to perform higher- level intrusion detection Monitors can also be organized in a hierarchical fashion so that one monitor may in turn report to the other higher level monitor In case an monitor is down or fails to do operations, the transceiver can send its report to more than one monitor, thus providing the redundancy and resistance to the failure of one of the monitors. Multi-agentsSystem-based Network Security ManagementArchitecture(MANSMA) Boudaoud et al. apply Belief- Desire-Intention (BDI) agents for intrusion detection and propose an architecture called MANSMA Consisting of two layers, namely the Manager Layer and the Local Layer. The Manager Layer is used to manage the global security of a large network The Local Layer is to manage the security of a domain. There are three types of agents identified in the Manager Layer, namely- o Security Policy Manager Agent (SPMA) o Extranet Manager Agent (EMA) o Intranet Manager Agent (IMA). The SPMA maintains the global security policy that is determined by a human administrator The EMA takes the control of IMAs and manages the distributed Extranet Each IMA manages the security of a local network and is able to control specified agents The security of a domain is managed in the Local Layer, where three types of Local Agents (LAs) are defined including –
- 8. o Extranet LA o Intranet LA o Internet LA The main functions of LAs contain monitoring specified activities and sending report to the Manager Agents Also define three functions for each agent, namely – o Event Filtering o Interaction o Deliberation Event filtering function filters detected security events according to the event class specified in the detection goal of the agent. The detection goal for each agent determines a set of event classes to be observed. Interaction function allows agents to communicate and exchange their analysis and knowledge Deliberation function determines the agent’s capability to built knowledge and experience and to reason according to its mental attitudes.