Please use this identifier to cite or link to this item: http://localhost:8081/xmlui/handle/123456789/11972
Title: AN AGENT BASED DISTRIBUTED INTRUSION DETECTION SYSTEM
Authors: Sowmya, R.
Keywords: ELECTRONICS AND COMPUTER ENGINEERING;DETECTION SYSTEM;DISTRIBUTED INTRUSION;COMPUTER SYSTEM
Issue Date: 2009
Abstract: An Intrusion Detection System (IDS) is an automated system that aims to detect intrusions or attacks in a computer system. The main goal of an IDS is to detect any unauthorized use, abuse, or misuse of a computer system by both system insiders and external attackers. The commonly used IDS architecture is the Centralized IDS (CIDS), but these systems suffer from a single point of failure, and under heavy load a CIDS may not detect all attacks. This limits their configurability, scalability and efficiency. These difficulties lead to the idea of agent-based IDS. In this work, a novel IDS is proposed which addresses the problems of existing Centralized IDS. The proposed system uses agents along with a Network Intrusion Detection System (NIDS) to efficiently detect and trace back an internal attacker. The proposed system satisfies all necessary requirements, i.e. it should be easily and frequently updated with new attack signatures, it should adapt to changes in network topology, and anomalous events or breaches in security should be detected in real time and reported immediately. To eliminate the single point of failure in the proposed system, NIDS are replicated at the secondary monitor. Existing Distributed Intrusion Detection Systems send the whole system log, thus requiring a larger bandwidth, but in the proposed system agents send only the required results to the monitor station, thus requiring a smaller bandwidth. The system uses the misuse detection model for detecting attacks in the network. The proposed architecture has been developed in Java. The system uses IBM Aglet 2.0.12 to provide a mobile agent environment, the open source database MySQL as the background DB, gcc 4.3.1 for generating attacks, inotify-java, which is a Linux kernel subsystem for file system event notification, and open source jpcap 0.7 at the monitor station for sniffing network
URI: http://hdl.handle.net/123456789/11972
Other Identifiers: M.Tech
Research Supervisor/ Guide: Garg, Kumkum
Type: M.Tech Dissertation
Appears in Collections: MASTERS' THESES (E & C)

Files in This Item:
File: ECDG14456.pdf
Size: 2.61 MB
Format: Adobe PDF

