Intrusion Detection Using Distributed Agents
Ahmed Shaaban Abd El Alim
Abstract
Intrusion-detection systems aim at detecting attacks against computer systems and networks, or in general against information systems. Indeed, it is difficult to provide provably secure information systems and to maintain them in such a secure state during their lifetime and utilization. Therefore, intrusion-detection systems have the task of monitoring the usage of such systems to detect insecure states. They detect attempts and active misuse, either by legitimate users of the information systems or by external parties, to abuse their privileges or exploit security vulnerabilities.

Most intrusion-detection systems currently rely on some type of centralized processing to analyze the data necessary to detect an intruder in real time. A centralized approach can be vulnerable to attack (e.g., Denial of Service). If an intruder can disable or bypass the central detection system, then most, if not all, protection is lost. Additionally, many of these systems depend on analyzing log files and packet traces, which may be modified by the intruder before the IDS can obtain them, making it possible for the intruder to hide his activities.

By studying the attack lifecycle, it is clear that most intrusions follow the same stages or steps to compromise the target system and gain access to its resources. Also, the signature-based techniques used to detect attacks are not enough, because intruders continually change the methods they use to break into systems.

A better approach is applied in this thesis by focusing on the attack behavior, for example adding a new user account on the system or modifying log files; such behavior could be caused by many possible attacks. This way it is possible to detect many attacks regardless of their signature, and even new attacks can be detected.

This thesis tries to address the former problems and other problems related to the common characteristics of any intrusion detection system by introducing a framework called Intrusion Detection System Using Distributed Agents (IDSUDA). The IDSUDA architecture depends on software agent technology to provide a solution for intrusion detection. With the aid of software agent technology it was possible to extend the capabilities of intrusion detection systems. Using distributed agents it was possible to provide both features, network-based and host-based IDS.
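To make the behaviour-based host agent concrete, here is an added example (not code from the thesis or from IDSUDA) of a per-host agent that reports two of the behaviours the abstract names, account creation and log modification, to a central collector without matching any attack signature. The log lines, host name, field names and the collector interface are all constructed for this illustration; the agent keeps a hash of the log lines it has already forwarded so that later rewriting or truncation of that prefix is itself reported as a behaviour.

```python
import hashlib
import re

# Constructed sample auth-log lines (not from the thesis); the second records an account creation.
AUTH_LOG = [
    "Mar 12 10:01:02 host1 sshd[2201]: Accepted password for alice from 10.0.0.5 port 51234 ssh2",
    "Mar 12 10:03:44 host1 useradd[2290]: new user: name=backup2, UID=1005, GID=1005, home=/home/backup2, shell=/bin/bash",
]
NEW_USER_RE = re.compile(r"useradd\[\d+\]: new user: name=([^,\s]+)")

def detect_new_accounts(host, lines):
    """Alert on every account creation, whichever attack (or admin action) caused it."""
    return [(host, "new_user_account", m.group(1))
            for line in lines if (m := NEW_USER_RE.search(line))]

def fingerprint(lines):
    """SHA-256 over already-forwarded lines; the agent keeps this, not the log file on disk."""
    h = hashlib.sha256()
    for line in lines:
        h.update(line.encode("utf-8") + b"\n")
    return h.hexdigest()

class HostAgent:
    """Per-host agent: forwards behaviour alerts (host, behaviour, detail) to a central collector."""
    def __init__(self, host, collector):
        self.host, self.collector = host, collector   # collector: list shared with the coordinator
        self.forwarded, self.fp = 0, fingerprint([])

    def poll(self, current_lines):
        """One monitoring round: verify the forwarded prefix, then scan new lines for behaviours."""
        alerts = []
        prefix = current_lines[:self.forwarded]
        if len(prefix) < self.forwarded or fingerprint(prefix) != self.fp:
            alerts.append((self.host, "log_modification",
                           f"first {self.forwarded} forwarded lines changed or truncated"))
        alerts += detect_new_accounts(self.host, current_lines[self.forwarded:])
        self.forwarded, self.fp = len(current_lines), fingerprint(current_lines)
        self.collector.extend(alerts)
        return alerts

def run_demo():
    """Two rounds: normal growth, then the account-creation line is overwritten to hide it."""
    collector = []
    agent = HostAgent("host1", collector)
    first = agent.poll(AUTH_LOG)
    tampered = [AUTH_LOG[0], AUTH_LOG[0]]   # constructed: second line replaced after forwarding
    second = agent.poll(tampered)
    return first, second, collector
```

The second round shows why the agent's own fingerprint matters: the intruder has removed the evidence from the log, but the change to already-forwarded lines is reported as a behaviour in its own right.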
Other data

| Field | Value |
|---|---|
| Title | Intrusion Detection Using Distributed Agents |
| Other Titles | نظام كشف الاختراق باستخدام الوكلاء الموزعين (Arabic: Intrusion Detection System Using Distributed Agents) |
| Authors | Ahmed Shaaban Abd El Alim |
| Issue Date | 2004 |
Attached Files

| File | Size | Format |
|---|---|---|
| B13819.pdf | 1.04 MB | Adobe PDF |