Functional Behavior of Mobile Agent on Intrusion Detection System

View with Images & Charts.

Functional Behavior of Mobile Agent on Intrusion Detection System

Introduction and Overview

With rapid development of wireless network applications, security became one of the major problems that wireless networks face today. Wireless transmissions are subject to eavesdropping and signal jamming. Physical security of each node is important to maintain integral security of the entire network. Ad hoc wireless networks are totally dependent on collective participation of all nodes in routing of information through the network. These are some of the major problems that wireless networks face today. As the uses of such networks grow, users will demand secure yet efficient low-latency communications.

Intrusion detection is one of key techniques behind protecting a network against intruders. An Intrusion Detection System tries to detect and alert on attempted intrusions into a system or network, where an intrusion is considered to be any unauthorized or unwanted activity on that system or network. Extensive research has been done in this field and efficient IDS systems have been designed for wired networks. All of those systems usually monitor user, system and network-level activities continuously and normally have a centralized decision making entity. But most of the techniques will not produce expected results when applied to wireless networks, due to some inherent properties of wireless networks, as mentioned further.

In this paper, we concentrate our discussion on ad hoc wireless networks. Such a network is a collection of mobile nodes that establish a communication protocol dynamically. The nodes may join the network at any time and communicate with entire network via neighboring nodes. Each member of such a network is responsible for accurate routing of information. Due to arbitrary physical configuration of an ad hoc network, there is no central decision-making mechanism of any kind – rather, the network employs distributed mechanisms of coordination and management. What really makes a difference between fixed wired and mobile wireless networks is the fact that mobile nodes have a very limited bandwidth and battery power. Network packet monitoring is performed at gateways in a fixed network, but a concept of a gateway in a wireless network is very vague, depending on the type of network and routing algorithms used. Efficient host based monitoring requires large amounts of CPU processing power, and hence is energy consuming.

Our proposed IDS system takes into account the above considerations to provide a lightweight, low-overhead mechanism based on mobile security agent concept. An agent is a small intelligent active object that traverses the network to be executed on certain hosts. Agents are dynamically updateable, lightweight, have limited functionality and can be viewed as components of flexible, dynamically-configurable IDS. These qualities make them a choice for security framework in bandwidth and computation-sensitive wireless ad hoc networks.


Definition of Network

A network is a set of devices (often referred to as nodes) connected by communication links. A node can be a computer, printer, or any other device capable of sending and/or receiving data generated by other nodes on the network [1].

Purpose of network

Computer networks can be used for several purposes:

  • Facilitating communications.Using a network, people can communicate efficiently and easily via email, instant messaging, chat rooms, telephone, video telephone calls, and video conferencing.
  • Sharing hardware. In a networked environment, each computer on a network may access and use hardware resources on the network, such as printing a document on a shared network printer.
  • Sharing files, data, and information. In a network environment, authorized user may access data and information stored on other computers on the network. The capability of providing access to data and information on shared storage devices is an important feature of many networks.
  • Sharing software. Users connected to a network may run application programs on remote computers.

Network classification

The following list presents categories used for classifying networks.

  • LAN – Local Area Network
  • WLAN – Wireless Local Area Network
  • WAN – Wide Area Network
  • MAN – Metropolitan Area Network
  • SAN – Storage Area Network, System Area Network, Server Area Network, or sometimes Small Area Network
  • CAN – Campus Area Network, Controller Area Network, or sometimes Cluster Area Network
  • PAN – Personal Area Network
  • DAN – Desk Area Network

LAN and WAN were the original categories of area networks, while the others have gradually emerged over many years of technology evolution [3].

Now we are going to discuss shortly each of the above categories –

LAN – Local Area Network

A LAN connects network devices over a relatively short distance. A networked office building, school, or home usually contains a single LAN, though sometimes one building will contain a few small LANs (perhaps one per room), and occasionally a LAN will span a group of nearby buildings. In addition to operating in a limited space, LANs are also typically owned, controlled, and managed by a single person or organization.

WLAN – Wireless Local Area Network

Wireless Local Area Networkisa LAN based on WiFi wireless network technology.

WAN – Wide Area Network

As the term implies, a WAN spans a large physical distance. The Internet is the largest WAN, spanning the Earth.

A WAN is a geographically-dispersed collection of LANs. A network device called a router connects LANs to a WAN. In IP networking, the router maintains both a LAN address and a WAN address.

A WAN differs from a LAN in several important ways. Most WANs (like the Internet) are not owned by any one organization but rather exist under collective or distributed ownership and management. WANs tend to use technology like ATM (Asynchronous transfer mode), Frame Relay and X.25 for connectivity over the longer distances.

MAN – Metropolitan Area Network

Metropolitan Area Networka network spanning a physical area larger than a LAN but smaller than a WAN, such as a city. A MAN is typically owned and operated by a single entity such as a government body or large corporation.

SAN – Storage Area Network

Storage area network connects servers to data storage devices through a technology like Fiber Channel.

SAN – System Area Network

System area network links high-performance computers with high-speed connections in a cluster configuration. Also known as Cluster Area Network.

CAN – Campus Area Network

Campus area network is a network spanning multiple LANs but smaller than a MAN, such as on a university or local business campus.

PAN – Personal Area Network

A personal area network (PAN) is a computer network used for communication among computer and different information technological devices close to one person. Some examples of devices that are used in a PAN are personal computers, printers, fax machines, telephones, PDAs (Personal digital assistant), scanners, and even video game consoles. A PAN may include wired and wireless devices. The reach of a PAN typically extends to 10 meters [4]. A wired PAN is usually constructed with USB and Firewire connections while technologies such as Bluetooth and infrared communication typically form a wireless PAN.

DAN – Desk Area Network

DAN (Desk Area Network) is an interconnection of computer devices around the ATM (Asynchronous Transfer Mode). This exchange of information between various peripherals and CPU is based on the transfer of ATM (Asynchronous Transfer Mode) cells mainly. DAN (Desk Area Network) enables the network to share resources over the network [5].

Network Elements

There are four basic elements of networks. They are

  • Rules
  • Medium
  • Messages
  • Devices

Fig 1.1: Elements of network

The diagram shows elements of a typical network, including devices, media, and services, tied together by rules, that work together to send messages. We use the word messages as a term that encompasses web pages, e-mail, instant messages, telephone calls, and other forms of communication enabled by the Internet.

Network Criteria

A network must be able to meet a certain number of criteria. The most important of these are

  • Fault Tolerance
  • Scalability
  • Quality of Service (QoS)
  • Security

Now we are going to discuss shortly each of the above criteria

Fault Tolerance

A fault tolerant network is one that limits the impact of a hardware or software failure and can recover quickly when such a failure occurs. These networks depend on redundant links, or paths, between the source and destination of a message. If one link or path fails, processes ensure that messages can be instantly routed over a different link transparent to the users on either end. Both the physical infrastructures and the logical processes that direct the messages through the network are designed to accommodate this redundancy.


A scalable network can expand quickly to support new users and applications without impacting the performance of the service being delivered to existing users. The ability of the network to support these new interconnections depends on a hierarchical layered design for the underlying physical infrastructure and logical architecture.

Quality of Service (QoS)

The Internet is currently providing an acceptable level of fault tolerance and scalability for its users. But new applications available to users over inter-networks create higher expectations for the quality of the delivered services. Voice and live video transmissions require a level of consistent quality and uninterrupted delivery that was not necessary for traditional computer applications. Quality of these services is measured against the quality of experiencing the same audio or video presentation in person.


The security and privacy expectations that result from the use of inter-networks to exchange confidential and business critical information exceed what the current architecture can deliver. Rapid expansion in communication areas that were not served by traditional data networks is increasing the need to embed security into the network architecture. As a result, much effort is being devoted to this area of research and development. In the meantime, many tools and procedures are being implemented to combat inherent security flaws in the network architecture.

Providing network security

Securing a network infrastructure includes the physical securing of devices that provide network connectivity and preventing unauthorized access to the management software that resides on them.

Security measures taken in a network should:

  • Prevent unauthorized disclosure or theft of information
  • Prevent unauthorized modification of information
  • Prevent Denial of Service

Means to achieve these goals include:

  • Ensuring confidentiality
  • Maintaining communication integrity
  • Ensuring availability

Now we are going to discuss each of the above goal shortly

Ensuring Confidentiality

Data privacy is maintained by allowing only the intended and authorized recipients – individuals, processes, or devices – to read the data.

Having a strong system for user authentication, enforcing passwords that are difficult to guess, and requiring users to change them frequently helps restrict access to communications and to data stored on network attached devices. Where appropriate, encrypting content ensures confidentiality and minimizes unauthorized disclosure or theft of information.

Maintaining Communication Integrity

Data integrity means having the assurance that the information has not been altered in transmission, from origin to destination. Data integrity can be compromised when information has been corrupted – willfully or accidentally – before the intended recipient receives it.

Source integrity is the assurance that the identity of the sender has been validated. Source integrity is compromised when a user or device fakes its identity and supplies incorrect information to a recipient.

The use of digital signatures, hashing algorithms and check sum mechanisms are ways to provide source and data integrity across a network to prevent unauthorized modification of information.

Ensuring Availability

Ensuring confidentiality and integrity are irrelevant if network resources become over burdened or not available at all. Availability means having the assurance of timely and reliable access to data services for authorized users.

Wireless Network

Definition of Wireless network

Wireless network is a network set up by using radio signal frequency to communicate among computers and other network devices. Sometimes it’s also referred to as WiFi network or WLAN [6]. Wireless network refers to any type of computer network that is wireless, and is commonly associated with a telecommunications network whose interconnections between nodes are implemented without the use of wires. Wireless telecommunications networks are generally implemented with some type of remote information transmission system that uses electromagnetic waves, such as radio waves, for the carrier and this implementation usually takes place at the physical level or “layer” of the network.

Types of wireless connections

Wireless PAN

Wireless Personal Area Networks (WPANs) interconnect devices within a relatively small area, generally within reach of a person. For example, Bluetooth provides a WPAN for interconnecting a headset to a laptop.

Wireless LAN

A wireless local area network (WLAN) links two or more devices using a wireless distribution method and usually providing a connection through an access point to the wider internet. This gives users the mobility to move around within a local coverage area and still be connected to the network.

? Wi-Fi: Wi-Fi is increasingly used as a synonym for 802.11 WLANs, although it is technically a certification of interoperability between 802.11 devices.

? Fixed Wireless Data: This implements point to point links between computers or networks at two locations, often using dedicated microwave or laser beams over line of sight paths.

Wireless MAN

Wireless Metropolitan area networks are a type of wireless network that connects several Wireless LANs.

  • WiMAX is the term used to refer to wireless MANs and is covered in IEEE 802.16d/802.16e.

Wireless WAN

Wireless wide area networks are wireless networks that typically cover large outdoor areas.

These networks can be used to connect branch offices of business or as a public internet access system. They are usually deployed on the 2.4 GHz band. A typical system contains base station gateways, access points and wireless bridging relays [7]. Figure 2.1 shows the wireless classification.

Fig 2.1: Types of wireless network

Wireless Operating Mode

The IEEE 802.11 standards specify two operating modes: infrastructure mode and ad hoc mode.

Infrastructure mode is used to connect computers with wireless network adapters, also known as wireless clients, to an existing wired network with the help from wireless router or access point.

Ad hoc mode is used to connect wireless clients directly together, without the need for a wireless router or access point. An ad hoc network consists of up to 9 wireless clients, which send their data directly to each other.

Wireless Ad Hoc Network (WAHN) and Security Issues

Wireless Ad hoc network

Wireless Ad hoc networks are a new paradigm of wireless communication for mobile hosts(which we call nodes). In a wireless ad hoc network, there is no fixed infrastructure such as base stations or mobile switching centers. Mobile nodes within each other’s radio range communicate directly via wireless links, while those that are far apart rely on other nodes to relay messages as routers. Node mobility in an ad hoc network causes frequent changes of network topology. Figure 3.1 shows an example:

Initially, nodes A and D have adirect link between them. When D moves out of A’sradio range, the link is broken. However, the network is still connected, because Acan reach D through C, E, and F. Topology changes in ad hoc networks Nodes A, B, C, D, E and F constitute an ad hoc network. The circle represents the radio range of node A. The network initially has the topology in (a). When node D moves out of the radio range of A, the network topology changes to that in (b).

Problems related to wireless networks

Structural and behavioral differences between wired and wireless mobile networks make existing Intrusion Detection System (IDS) designs inapplicable to the wireless networks. Network monitoring in wireless ad hoc networks is performed at every network node. This approach is inefficient due to network bandwidth consumption and increased computations resources that are highly limited in a wireless network. Applying functionality-based network IDS models also has limitations.

  • Anomaly detection model is built on along-term monitoring and classifying of what is a normal system behavior. Ad hoc wireless networks are very dynamic in structure, giving rise to apparently random communication patterns, thus making it challenging to build a reliable behavioral model.
  • Misuse detection requires maintenance of an extensive database of attack signatures, which in the case of ad hoc network would have to be replicated among all the hosts.

To avoid problems outlined above, the approach is to build a modular IDS system, based on intelligent mobile agents. The main advantages of having a modular approach are

  • Increased fault tolerance
  • Communications cost reduction
  • Improved performance of the entire network and
  • Scalability [10].

Types of attack

Attacks in Mobile Ad hoc networks can be categorized as follows.

  • Unfair use of the transmission channel (ATTACK1).
  • Anomalies in Packet Forwarding (ATTACK2).

Unfair use of the transmission channel (ATTACK1)

A node can prevent other nodes in its neighborhood from getting fair share of the transmission channel. This misbehavior can be considered as Denial of Service (DoS) attacks against the competing neighbors in a contention-based network since the competing neighbors are deprived of their fair share of the transmission channel. Some of the possible methods for unfair use of the transmission channel are as follows:

Ignoring the MAC protocol

Protocols like 802.11 uses RTS (Request to send) and CTS (Clear to send) to notify the immediate neighbors of how long the transmission channel will be reserved for the successful transmission. Such methods minimizes collisions among competing neighbors and try to ensure that all the competing neighbors can get some share of the common channel. But a misbehaving node can generate RTS/CTS at an unacceptable rate by ignoring the back off mechanism. Hence the competing neighbors cannot get an adequate share of the transmission channel. This imposes a long delay at the output queues and they finally time out and get removed.

If the indicated duration (Ti) is less than the actual duration (Ta) taken for successful transmissions, the transmission channel will remain occupied for an additional period, Ta – Ti.

The competing neighbors may not be aware of this additional hidden period. Therefore, neighbors trying to access the channel within the hidden period are likely to face unexpected collisions, increase their back off intervals and hence may not get their share of the channel.

Jamming the transmission channel with garbage

Garbage can consist of packets of unknown formats, violating the proper sequence of a transaction (e.g. sending a data packet without exchanging RTS and CTS) or simply random bits used as static noise by misbehaving nodes. Garbage data may result in too many collisions, may consume a significant part of the available Channel capacity or both. Consequently, legitimate neighbors may not be able to access the channel properly when needed.

Ignoring the bandwidth reservation scheme

Nodes in a multi-hop wireless network reserves a slot for transmission channel before initiating a flow. If there is not enough bandwidth, new flows should not be admitted so that existing flows are not choked. A misbehaving node may not abide by this rule and try to push out packets when there is not enough bandwidth left. As a result legitimate nodes may not get fair share of the transmission channel.

Malicious flooding

Deliver unusually large amount of data of control packets to the whole network or some target nodes.

Network Partition

A connected network is partitioned into k (k >= 2) sub networks where nodes in different sub networks cannot communicate even through a route between them actually does exist.

Sleep Derivation

A node is forced to exhaust its battery power.

Anomalies in packet forwarding (ATTACK2)

Anomalies in packet forwarding take the following forms:

Types Description
Drop Packets This type of attack can be classified into two types: (a) Black hole attack and (b) Gray hole attack.

Black hole: A misbehaving node drops all types of packets (both data and control packets).

Gray hole attack: An attacker selectively drops data packets

Delay Packet Transmissions A node can give preference to transmitting its own or friends’ packets by delaying others’ packets. As a result, some flows may be not being able to meet their end-to-end delay and jitter requirements
Wormhole A tunnel is created between two nodes that can be utilized to secretly transmit packets.
Packet Dropping A node drops data packets that are supposed to forward.
Routing Loop A loop is introduced in a route path
Denial of Service A node is prevented from receiving and sending data packets to its destinations.
Fabricated Route Messages Route messages with malicious contents are injected into the network.
False Source Route. An incorrect route is advertised into the network, setting the route length to be 1 regardless where the destination is.
Maximum Sequence Modify the sequence field in control messages to the maximum allowed value.
Cache Poisoning Information stored in routing tables is either modified, deleted or injected with false information
Selfishness A node is not serving as a relay to other nodes.
Rushing This can be used to improve fabricated route messages.
Spoofing Inject data or control packets with modified source addresses [11].

Table 3.1: Anomalies in packet forwarding

Vulnerabilities in WAHNS

There are six major attributes and/or vulnerabilities can be recognized. The six attributes are:

Lack of infrastructure: This is based on the peer-to-peer architecture they form once deployed. Inconsequence, traditional centralized security solution architectures including centralized IDS do not apply, and the need for distributed IDSs becomes evident.

Shared wireless medium: Since no physical access is required for a node to join, it is impossible to define a clear line of defense or boundaries for the system. This makes it impossible to place a single security solution on a well-defined infrastructure.

Cooperative nature between the nodes: Since all nodes are required to cooperate in supporting the WAHN operations, As a result, a compromised node may badly affect the whole network.

Easy physical accessibility: Nodes with low physical protection can be easily captured and tampered. Consequently, a compromised node may use the standard security means available to every node to protect its attack.

Dynamic network topology: This attribute is more common in the case of MANET than in WSN. As nodes frequently join and leave the network, it becomes extremely difficult for other nodes to tell whether the large number of route requests is due to the high mobility or to a denial of service attack.

Operational constraints: Both WSN and MANET share this attribute, but WSN nodes experience more constraints. In either case, the limitation of memory, bandwidth, computation, processing, and power capabilities highly affect the design of WAHNs [12].

Building a system to establish security in WAHNs

Each security solution encompasses all three components of prevention, detection, and reaction. However, an attacker succeeds in infiltrating the security system and causes them to misbehave. Node misbehavior can result in degradation of network performance.

Hence, the system should be monitored for any anomalies and take necessary actions if an anomaly is detected. A system performing these tasks is known as an intrusion detection system (IDS). Ideal IDS should be able to set thresholds for its detection schemes dynamically so that misbehaving nodes cannot easily work around the detection scheme.

An attacker may find certain loopholes in the current IDS and tries to attack. Hence these types of flaws in the basic operations must be recognized and raise the security level. The attacker identity must be reported by the IDS. Each monitor node should invoke the security mechanisms whenever necessary and possible [13].

Choosing a Wireless Intrusion Detection System

Now that we have an idea of what can be detected and what to do during an incident, we need to decide which WIDS to implement and how. Here we’ll discuss the architecture of a wireless IDS along with a general overview of Commercial WIDS systems vs. Open Source WIDS systems. A wireless IDS can be deployed in one of two ways

  • Decentralized
  • Centralized

In a decentralized environment each WIDS operates independently, logging, and alerting on its own. In addition this also means each WIDS has to be administered independently. In a large network this can quickly become overwhelming and inefficient, and therefore is not recommend for networks with more than one or two access points.

The idea behind a centralized WIDS is that sensors are deployed that relate information back to one central point. This one point would send alerts and log events as well as serve as a single point of administration for all sensors. Another advantage to a centralized approach is that sensors can collaborate with one another in order to detect a wider range of events with more accuracy. In this approach there are also three main ways in which sensors can be deployed.

  • The first is by using existing access points (AP).
  • The second option is to deploy “dumb” sensors. These devices simply relay all information to the central server and rely on the server to detect all events. While inexpensive, all information is sent back to a central point causing an impact in the performance of the wired network and creating a single point of failure at the server.
  • The third option is the use of intelligent sensors. These devices actively monitor and analyze wireless traffic, identify attack patterns and rouge devices as well as look for deviations from the norm. They then report these events back to the central server and allow an administrator to invoke countermeasures [14].

Intrusion Detection System

Definition of Intrusion Detection System

Intrusion detection can be defined as the automated detection and subsequent generation of an alarm to alert the security apparatus at a location if intrusions have taken place or are taking place. An IDS is a defense system that detects hostile activities in a network and then tries to possibly prevent such activities that may compromise system security. IDSs achieve detection by continuously monitoring the network for unusual activity. The prevention part may involve issuing alerts as well as taking direct preventive measures such as blocking a suspected connection.

In other words, intrusion detection is a process of identifying and responding to malicious activity targeted at computing and networking resources. In addition, IDS tools are capable of distinguishing between insider attacks originating from inside the network and external ones. Unlike firewalls which are the first line of defense, IDSs come into the picture only after an intrusion has occurred and a node or network has been compromised.

The primary assumptions of intrusion detection are: user and program activities are observable, for example via system auditing mechanisms; and more importantly, normal and intrusion activities have distinct behavior. Intrusion detection therefore involves capturing audit data and reasoning about the evidence in the data to determine whether the system is under attack [15].

An IDS is characterized by the following features [16]:

I. It runs continually with mini-mal supervision and intervention from the end user

II. Is able to operate in a hostile computing environment while exhibiting a high degree of fault-tolerance

III. Can be con-figured to adapt to changes in the system and to user behavior over time

IV. Imposes a minimal overhead on the system

V. Is able to perform data fusion and correlate information from multiple sources.

IDS classification

Traditionally, IDS systems were divided into two classes –


Host-based IDS

Network based systems (NIDS) listen on the network, and capture and examine individual packets flowing through a network. In contrast to firewalls, NIDS can analyze the entire packet, not just the header. They are able to look at the payload within a packet, to see which particular host application is being accessed, and to raise alerts when attacker tries to exploit a bug in such code. NIDS are host independent and can run as “blackbox” monitors to cover entire network. In practice, active scanning slows down the network considerably and can effectively analyze a limited bandwidth networks.

Host-based intrusion detection systems are concerned with what is happening on each individual host. They are able to detect actions such as repeated failed access attempts or changes to critical system files, and normally operate by accessing log files or monitoring real time system usage. To ensure effective operation, host IDS clients have to be installed on every host on the network, tailored to specific host configuration. Host based IDS do not depend on network bandwidth, and are used for smaller networks, where each host dedicates processing power towards the task of system monitoring. It slows down the hosts that have IDS clients installed.

IDS systems are functionally divided into two categories –

Anomaly detection systems

Misuse detection systems.

Anomaly detection system detects intrusion detections in a very accurate and consistent way and has low level of false alarms if a system under surveillance follows static behavioral patterns. This class of IDS systems is well suited to detect unknown or previously not encountered attacks.

Misuse detection systems monitor networks/hosts for known attack patterns. This class of IDS systems is useful in networks with highly dynamic behavioral patterns, and is a choice of many commercial IDS products. Both categories of IDS can be used on host-based and network-based IDS systems.

History of IDS

The concept of creating an intrusion detection system was first proposed in 1980 by James Anderson [ANDE80]. However, the field did not take off until 1987 when Dorothy Denning published an intrusion detection model [DENN87]. In 1988, at least three IDS prototypes were created [BAUE88] [SEBR88] [SMAH88]. In the following years, an ever-increasing number of research prototypes were explored. The US government, realizing that its computer systems were insecure, provided significant funding for research in IDSs. Hundreds of millions of dollars have probably been spent on IDS research within the last ten years.

Existing IDSs

There are several IDSs existed in recent world, which can be defined as

Stand-Alone IDS

With stand-alone IDS, the architecture is normally based upon running each node separately in order to locate the intrusions if perpetrated. Hence every decision is based and focused upon all the information that is collected at each and every node as all the nodes are independent and work individually as per its name itself “standalone”. Beside being totally isolated, the nodes on the same network do not know anything about the different nodes or the same network as no data is exchanged hence no alert information is passed on. Even though restricted by its limitations, more adaptable in situation when each node can run an IDS on their own or have IDS installed it is much more preferred for a flat network architecture which will unfortunately not suitable for wireless mobile network.

Cooperative and Distributed IDS

Zhang & Lee (2003) mentioned that wireless mobile networks have to adapt a cooperative and distributed intrusion detection system architecture. This is achieved by the IDS agent running on top of the nodes. Yet the IDS agent can however be complex but when analyzed closely, the IDS agent can be broken into six different modules. So in the cooperative and distributed network mentioned by Zhang & Lee (2003), every single node has a crucial role to play, each node has the responsibility for detecting any signs of intrusion and is responsible for contributing individually or entirely onto the network.

Zone Based IDS

In a proposal by Sun, B. et al., (2003), an anomaly-based two-level non-overlapping Zone-Based Intrusion Detection System (ZBIDS) can be used by separating the network into non-overlapping, zones. Referring to Figure 4.1, the nodes can be classified into 2 different groups:

  • Intra zone would be independent nodes by a shown in Figure 4.1 with nodes F, E, I, and J.
  • Inter zone node would be the nodes that have a physical connection to a different node in a different zone area. Example would be node H, B, C and K as illustrated in Figure 4.1.

Manager – Based IDS In Manager – Based IDS nodes that construct the network are divided into two types: Regular Node and Manager. One Manager and N Regular Nodes (RNs) (N ? 0) compose a smaller sub-network that is called zone. RN functions as sensor whose task is collecting and/or creating intrusion data locally, while Manager, besides as sensor, functions as the head of each zone to perform the intrusion detection in its zone based on the data collected by Regular Nodes and itself. Since ad hoc network doesn’t have any fixed infrastructure, it is difficult to aggregate all intrusion data occurred in the network to one place without cooperation of all nodes. Here all Managers should cooperate to provide the network with more complete data for an accurate and efficient detection [20].

Fig 4.2: Manager – Based IDS

SVM – Based IDS

A Support Vector Machine (SVM) based intrusion detection system is which suitable for real-time intrusion detection in wireless ad hoc networks.

The proposed intrusion detection system comprises of 4 components:

1. Local Data Collection Module(DCM)

2. SVM-based Intrusion Detection Module (SVMDM)

3. Local Response Module (LRM) and

4. Global Response Module (GRM).

Fig 4.3: SVM – Based IDS

The DCM gathers streams of audit data from various network sources and passes it to the SVMDM. The SVMDM analyzes the gathered local data traces using SVM classification algorithm, and identifies misbehaving nodes in the network. In the SVMDM, two types of SVM based detection methods are present, which depends on whether the attack data are available or not. One-class SVM classifier [22] based intrusion detection (1-SVMDM) is used whenever no attack data are available, while conventional two-class SVM based intrusion detection (2-SVMDM) is applied in the situation when attack data are available. In practice, the 1- SVMDM can be used in the early stage of intrusion detection to find possible network intrusive behaviors. After collecting some attack instances, 2-SVMDM can be used. The LRM is responsible for sending out the local detection results based on locally collected data set. The GRM collects the local detection results from the LRM, and makes a global response. Whenever any misbehaving node is detected, the GRM sends out alarm messages to the whole network to isolate the misbehaving node.

Agent – Based IDS

A mobile agent implementation is chosen, to support such features of the IDS system as mobility of sensors, intelligent routing of intrusion data throughout the network and lightweight implementation [10].

IDS Requirements

At least one past effort has identified desirable characteristics for an IDS. Regardless on what mechanisms an IDS is based, it must do the following:

??Run continuously without human supervision,

??Be fault tolerant and survivable,

??Resist subversion,

??Impose minimal overhead,

??Observe deviations from normal behavior,

??Be easily tailored to a specific network,

??Adapt to changes over time, and

??Be difficult to fool.

Functional Requirements

As the network-computing environment increases in complexity, so do the functional requirements of IDSs. Common functional requirements of an IDS being deployed in current or near-term operational computing environments include the following:

??The IDS must continuously monitor and report intrusions.

??The IDS must supply enough information to repair the system, determine the extent of damage, and establish responsibility for the intrusion.

??The IDS should be modular and configurable as each host and network segment will require their own tests and these tests will need to be continuously upgraded and eventually replaced with new tests.

??Since the IDS is assigned the critical role of monitoring the security state of the network, the IDS itself is a primary target of attack. The IDS must be able to operate in a hostile computing environment and exhibit a high degree of fault-tolerance and allow for graceful degradation.

??The IDS should be adaptive to network topology and configuration changes as computing elements are dynamically added and removed from the network.

??Anomaly detection systems should have a very low false alarm rate. Given the projected increase in network connectivity and traffic, simply decreasing the percentage of overall false alarms may not be sufficient as their absolute number may continue to rise.

??The IDS should be able to learn from past experiences and improve its detection

capabilities over time. Self-tuning IDS will be able to learning from false alarms

with the guidance of system administrators and eventually on its own.

??The IDS should be able to be easily and frequently updated with attack signatures as new security advisories and security patches become available and new vulnerabilities and attacks are discovered.

??Decision support tools will be necessary to help system administrators respond to various attacks. The IDS will be required not only to detect anomalous events, but also to take automated corrective action.

??The IDS should be able to perform data fusion and be able to process information from multiple and distributed data sources such as firewalls, routers, and switches. As real-time detection demands push networked-based solutions to re-programmable hardware devices that can download new capabilities, the IDS will need to be able to communicate with the hardware-based devices.

??Data reduction tools will be necessary to help the IDS process the information gathered from data fusion techniques. Data mining tools will be helpful in running

statistical analysis tools on archived data in support of anomaly detection techniques.

??The IDS should be capable of providing an automated response to suspicious activity. Rapid changes in network conditions and limited network administration expertise make it difficult for system administrators to diagnose problems and take corrective action to minimize the damage that intruders can cause.

??The ability to detect and react to distributed and coordinated attacks will become necessary. Coordinated attacks against a network will be able to marshal greater forces and launch many more and varied attacks against a single target. These attacks can be permutations of known attacks, be rapidly evolving, and be launched at little cost to the attackers.

??Distributing the computational load and the diagnostic capabilities to agents scattered throughout the network adds a level of fault-tolerance, but it is often necessary for the system administrator to have control over the IDS from a central location.

??The IDS should be able to work with other Commercial Off-the-Shelf (COTS) security tools, as no vendor toolset is likely to excel in or to provide complete coverage of the detection, diagnosis, and response responsibilities. The IDS framework should be able to integrate various data reduction, forensic, host-based, and network-based security tools. Interoperability and conformance to standards will further increase the value of the IDS.

??IDS data often requires additional analysis to assess any damage to the network after an intrusion has been detected.

??The IDS itself must also be designed with security in mind. For example, the IDS must be able to authenticate the administrator, audit administrator actions, mutually authenticate IDS devices, protect the IDS data, and not create additional vulnerabilities.

Performance Requirements

An IDS that is functionally correct, but that detects attacks too slowly is of little use. Here enumerate several performance requirements for IDSs. The IDS performance requirements include:

??To the extent possible, anomalous events or breaches in security should be detected in real-time and reported immediately to minimize the damage to the network and the loss or corruption of confidential information.

??The IDS must not place undue burden or interfere with the normal operations for which the systems were bought and deployed to begin with. This requirement makes it necessary for the agents to be cognizant of the consumption of network resources for which they are competing. There is a tradeoff between additional levels of security monitoring and the performance penalty to be paid by other applications.

??The IDS must be scalable. As new computing devices are added to the network, the IDS must be able to handle the additional computational and communication load

Mobile Agent

Definition of Mobile Agent

Mobile agents are a special type of agents defined as “processes capable of roaming through large networks such as the ad-hoc wireless network, interacting with machines, collecting information and returning after executing the tasks adjusted by the user”.

There are several features of mobile agent. They are –

  • Mobile agents are programs with persistent identity, which move around a network on their own volition and can communicate with their environment and with other agents.
  • These systems use specialized servers to interpret the agent’s behavior and communicate with other servers.
  • Mobile agents may execute on any machine in a network without the necessity of having the agent code pre-installed on every machine the agent could visit.
  • Mobile agents offer several potential advantages when used in ID systems that may overcome limitations that exist in IDS that only employ static, centralized components.
  • The non-monolithic systems based on autonomous mobile agents offer several advantages over monolithic systems [23], such as:

-Easy configuration,

-Extension capacity,

-Efficiency and


So we can say that, Mobile Agents can be defined as autonomous executing programs that can halt themselves, migrate to another host, in a heterogeneous environment, and continue execution without being affected by the status of the originating node. On the hosts they move to, mobile agents interact with stationary service agents, collect information and execute to accomplish their tasks [24, 25].

A software mobile agent can carry out activities from one node to another in a flexible and smart way as a response to new changes in the network [26]. Using this feature; mobile agents can communicate and cooperate with each other. The obvious advantage of using mobile agents is when they present a single general framework in which many distributed applications can be implemented easily, efficiently and robustly [25].

Advantages of Mobile Agent

A number of advantages of using mobile code and mobile agent computing paradigms have been proposed. These advantages include:

  • Overcoming network latency,
  • Reducing network load,
  • Executing asynchronously and autonomously,
  • Adapting dynamically,
  • Structure and Composition,
  • Operating in heterogeneous environments, and
  • Having robust and fault-tolerant behavior.
  • Scalability

This section examines these claims and evaluates their applicability to the design of IDS.

Overcoming Network Latency

Mobile agents are useful for applications that need to respond in real time to changes in their environment, because they can be dispatched from a central controller to carry out operations directly at the remote point of interest. In addition to detecting and diagnosing potential network intrusions, an IDS needs to provide an appropriate response in order to protect and defend the network from malicious behavior. While a central controller can send messages to the nodes within the network and issue instructions on how to respond to a particular condition or perceived threat, the approach is problematic. For example, the central controller may have to respond to a number of events throughout the network in addition to handling its normal processing load and become a bottleneck or a single point of failure. If connections to this central server are slow or unreliable, the network communications are susceptible to unacceptable delays. Mobile agents, since they are distributed throughout the network, may take advantage of alternate routes around any problem communication links. It will always be faster to send a message to a network node to execute predetermined, resident code, rather than send a mobile agent to the node. However, such architecture requires that all response and reconfiguration actions be predefined, replicated and distributed throughout the network. The response mechanism then constitutes, in effect, a large distributed database, raising serious administration problems concerning configuration management, consistency and transaction control. Innovative responses, by definition, must be transmitted at least once to each affected node, either by conventional network means, a series of messages, or by a mobile agent. Of these choices, the mobile agent technique offers the fastest response.

Reducing Network Load

One of the most pressing problems facing current IDSs is the processing of the enormous amounts of data generated by the network traffic monitoring tools and host-based audit logs. IDSs typically process most of this data locally. Even though the data is usually abstracted before being sent out on the network, the amount of data can still place a considerable communication load on the network. Mobile agents offer an opportunity to reduce the network load by eliminating the need for this data transfer.

Mobile agents are well suited for ad hoc, flexible, search and analysis problems involving multiple distributed resources that require specialized tasks that are not supported by the data server. A mobile agent-based search and data analysis approach can help decrease network traffic resulting from the transfer of large amounts of data across a network for local processing. Instead of transferring the data across the network, mobile agents can be dispatched to the machine on which the data resides, essentially moving the computation to the data, instead of moving the data to the computation, thus reducing the network load for such a scenario. Clearly, transferring an agent that is smaller in size than the data to be transferred reduces the network load.

Asynchronous Execution and Autonomy

IDS architectures that are coordinated by a central host require reliable communication paths to the network sensors and intermediate processing nodes. The critical role played by this central controller makes it a likely target of attack. Mobile agent frameworks allow IDSs to continue operation in the event of the failure of a central controller or communication link. Unlike message passing routines or Remote Procedure Call (RPC), once the mobile agent is launched from a home platform it can continue to operate autonomously even if the host platform from where it was launched is no longer available or connected to the network. The coordination of IDS sensors and filters can be protected from the loss of network connections since the mobile agents do not require control by another process. A mobile agent’s inability to communicate with central controller would not prevent it from carrying out its assigned tasks.

Structure and Composition

MAs allow for a natural way to structure and design an IDS. For example, rather than a monolithic static system, an IDS can be divided into data producer and data analyzer components and represented as agents. The data producer provides an interface to the networks it sniffs or audit trails it filters. Multiple analyzers, each responsible for detecting a single attack or a small set of attacks, interact with the producer to look for attacks. Under such a framework, MAs from multiple vendors can be used to create an IDS. If a company has the best detector for attack X and another company has the best detector for attack Y, then we can use MAs from both vendors to detect X and Y.

Adapting Dynamically

MAs provide a versatile and adaptive computing paradigm as they can be retracted, dispatched, cloned, or put to sleep as network and host conditions change. For example, as better MAs detectors for an attack are developed they can be sent out on the network to replace the older version, or if an MA is producing too many false positives it can be recalled or gracefully terminated.

MAs also have the ability to sense their execution environment and autonomously react to changes. For example, if the computational load of the host platform is too high and the host’s performance doesn’t meet the agent’s service expectations, the agent and its data can move to another machine that can better satisfy its computational needs. MAs can distribute themselves among the hosts in the network in such a way as to maintain the optimal configuration for solving a particular problem.

Operating in Heterogeneous Environments

Large enterprise networks are typically comprised of many different computing platforms and computing devices. One of the greatest benefits of MAs is the implementation of interoperability at the application layer. Interoperability at the computer or transport layer requires significant changes to the host’s environment. Interoperability at the presentation layer limits flexibility in updating the system for new attacks. Conversely, while MA frameworks must be installed on each host, MAs themselves are independently configurable. Since mobile agents are generally computer and transport-layer independent, and dependent only on their execution environment, they offer an attractive approach for heterogeneous system integration.

The ability of MAs to operate in heterogeneous environments also provides an opportunity for the easy integration of network-based and host-based tools operating on various platforms.

Robust and Fault-tolerant Behavior

The ability of mobile agents to react dynamically to unfavorable situations and events makes it easier to build robust distributed systems. For example, if a host is being shut down, all agents executing on that machine are warned, whenever possible, and given time to dispatch and continue their operation while preserving their execution state on another host in the network. Their support for disconnected operation and distributed design paradigms eliminate single point of failure problems and allow mobile agents to offer fault-tolerant characteristics.


The computational load on centralized IDSs increases as more processing nodes are added to the networks they monitor. As networking technology continues to improve, increased bandwidth and network traffic will place greater demands on these centralized architectures. Distributed MA IDS architectures are one of several options that allow computational load and diagnostic responsibilities to be distributed throughout a network.

As the number of computing elements in the network increases, agents can be cloned and dispatched to new machines in the network.

Disadvantages of Mobile Agent

The obvious disadvantage of using MAs is the concern that they will introduce vulnerabilities into the network. However, this is not the only disadvantage to implementing Mobile Agent Intrusion Detection System (MAIDS). MA solutions may not perform fast enough to meet the IDS’s needs.


The security concerns related to mobile code are one of the main obstacles to the widespread use of this technology. The MA computing paradigm presents a number of security threats that are not addressed by conventional security techniques. Standard security techniques must be modified or new techniques invented to address these threats.

The security threats can be classified into four broad categories:

  • Agent-to-agent
  • Agent-to-platform
  • Platform-to-agent
  • Other-to-agent platform

Agent-to-agent category represents the set of threats in which agents exploit security weaknesses of other agents or launch attacks against other agents.

Agent-to-platform category represents the set of threats in which agents exploit security weaknesses of or launch attacks against an agent platform.

Platform-to-agent category represents the set of threats in which platforms compromise the security of agents.

Other-to-agent platform category represents the set of threats in which external entities, including agents and agent platforms, threaten the security of an agent platform.


One of the most challenging problems facing IDSs is improving the speed with which they can identify malicious activity. Not only must IDSs detect attacks quickly, but they must also process system events in real time. This task is becoming ever more difficult as network bandwidth increases. Mobile agent software will generally hinder rather than help an IDS’s ability to rapidly process events and detect attacks.

Code Size

IDSs are complex pieces of software. Agents that perform IDS services may thus be required to contain a large amount of code. If these agents are supposed to do operating system specific tasks on multiple operating systems then this code base may get extremely large. The size of MA code may limit the functionality of MAIDS because it will take a long time to transfer an agent between hosts. In addition, such a transfer will require greater computing and network resources.

Lack of Priori Knowledge

Large enterprise networks are comprised of several different hardware platforms, running several different operating systems, each having different configurations and running different applications. It is not trivial for the mobile agents to have a priori knowledge about how a system is configured, how data is arranged.

Limited Exposure

An agent’s envisioned autonomous behavior, involving collaboration with other agents at various network locations, creates a dynamic environment that requires new design methodologies and modeling tools to properly formulate and construct agent-based systems. The lack of mature agent design methodologies and modeling tools makes this task difficult.

Coding and Deployment Difficulties

MAs’ inherent capabilities, such as moving and cloning, add more complexity to the design and development process. Given this added complexity, MAIDS will be even more prone to faults than their non-MA counterparts. Further hampering near term MAIDS deployment is a lack of MA design, development, and management tools, needed before any large-scale deployment of agent-based applications becomes feasible.

Studying Mobile Agents Suitability for WAHNS

In order for the nodes in WAHNs to collaborate in the IDS overall functionality, they need to either exchange audit data or exchange software that work on these data.

The followings are the main mobile agents features that demonstrate straight relevance to the special challenging requirements found in WAHNs:

Reducing network load: Through migrating the code and not the data, mobile agents can limit the amount of traffic traveling between the nodes.

Conserving bandwidth: Mobile agents limit intermediate messages between the nodes, and hence, reasonably reduce the amount of bandwidth needed.

Improving load balancing in the network: Load balancing problem clearly appears in a distributed computing system, where tasks are being unequally allocated to the different network elements. Load balancing greatly helps with the computation and processing constraints of WAHN nodes.

Reducing the total tasks completion time: This will help avoiding the time-consuming transmission of intermediate results between tasks . This is very useful to deal with WAHN nodes’ battery constraints.

Overcome network latency: Moving the executing code to the system where computation and output is to be produced will help to reduce the network latency. Again this helps with battery constraints in WAHNs.

Advance mobile computing: Handling the nodes’ join-and-leave issues. This is achieved by the ability of a mobile agent to continue its task even if one of its links goes off due to a leaving node.

Enabling dynamic deployment and adoption of the executing program on other processing nodes: Thisadds more efficiency to the whole system as the sameprograms might be called multiple times.

Having robust and fault-tolerant behavior: As the same code may get executed on different nodes. Fault tolerance is one of the main features required for WAHNs IDS due to the frequent joining and leaving of nodes in the network.

Working on a heterogeneous network: Mobile agent systems allow agents to be language and operating system-independent which can be recognized as a portability advantage. It can be also utilized for IDS interoperability.

Light-weight: Light-weight mobile agents only carry the primary features they need, and hence, they accomplish their tasks with minimal code. Once they reach their destination, they get updated and upgraded as needed [32]. This brings a design tradeoff issue. While light-weight mobile agents reduce network traffic and conserve bandwidth, they also demand more powerful nodes to support their updates and upgrades processes.

In particular, mobile agents operating on different nodes might have similar and different tasks assigned to them, and their collaborative work makes the final intrusion detection picture in the network Scalability, interoperability, fault tolerance, and conservative use of system resources can all be accomplished with the use of mobile agents.

Agent-based ad hoc network IDS

This section introduces a multi-sensor intrusion detection system employing cooperative intrusion detection. A mobile agent implementation is chosen, to support such features of the IDS system as

  • Mobility of sensors,
  • Intelligent routing of intrusion data throughout the network and
  • Lightweight implementation.

There are three types IDSs that use mobile agent. They are

    1. Distributed Intrusion Detection Using Mobile Agents
    2. Local Intrusion Detection System (LIDS)
    3. Intrusion Detection Architecture based on a Static Stationary Database

Each of the above IDS will be discussed in the next chapter.


At first glance, mobile agent technology offers much to the field of intrusion detection. The idea of mobile and autonomous components intuitively seems useful in intrusion detection and