The Multi-Agents Immune System for Network Intrusions Detection (MAISID)
Noria Benyettou, A. Benyettou, V. Rodin, Souad Yahia Berrouiguet
Abstract: Network intrusion detection systems are designed to protect computer networks by observing frames and notifying the operators when a possible attack has happened. But with the development of networks and of information exchange, networks have become increasingly vulnerable to new forms of threats. It is therefore necessary to improve the performance of intrusion detection systems. Inspired by the behavior of the biological immune system and the performance of multi-agent systems, we present in this article a new model (MAISID), an immune multi-agent system for intrusion detection. MAISID is a system that analyzes frames through the collaboration of a group of immune agents. These agents are distributed over the network to carry out simultaneous processing; they adapt automatically to the evolution of the environment and can communicate and coordinate in order to ensure good detection of intrusions in a distributed network. In this approach, the MAISID model is installed on each host of the network and sub-network for extensive monitoring and simultaneous analysis of the frames.

Key words: Intrusion Detection System, Artificial Immune System, Multi-Agents System, Network Security.

street, elm’naouar, Oran Algéria.

DIDS [15], NADIR [9], ADAM [4]). These models are based on attacks already indexed in a knowledge base. However, as networks widen they generate many false alarms and have become less and less reliable against new forms of attack. To overcome the difficulties met by these models, new research works are interested in multi-agent systems and immunology principles, such as MAAIS [9], NIDIMA [14], DAMIDAIS [11], IMASNID [7], etc. These systems succeed in decreasing the false alarm rate thanks to the processes employed, namely the communication process between the agents and the process of distinguishing between self and not-self.

384 BENYETTOU et al., Orient. J. Comp. Sci. & Technol., Vol. 6(4), 383-390 (2013)
That is why we present in this document a new model, a Multi-Agents System (MAS) inspired by an immune algorithm for Intrusion Detection (MAISID). Our choice is justified by the distributed and open character of networks. Given the failure of the existing methods to detect new attacks, we integrate the artificial immune system mechanism into our agents. Artificial immune systems are inspired by the coordination principles and the parallel functioning of the biological immune system (life cycle, immunizing, immature tolerance, mature and memory lymphocytes).

Related Works

The idea of using artificial immune systems for intrusion detection in distributed networks appeared recently; the first work was developed by Hofmeyr and Forrest in 1999 [1]. Another architecture, the Immune Multi-agent Active Defense Model for Network Intrusion (IMMAD), was proposed by Sunjun in 2006 [16]. This model is built for monitoring multilayer networks with a set of agents that communicate and cooperate at different levels. One more interesting architecture, called Network Intrusion Detection Model Based on Immune Multi-Agent (NIDIMA) [14], was proposed by Nian Liu in 2009. This model ensures the security of distributed networks against intrusions. There are many other models, but we present those close to our architecture (SMAIDI). Let us recall that our aim is to increase immunity and to decrease the false alarm rate.

Intrusion Detection System characteristics

To neutralize illegal intrusion attempts in real time, an intrusion detection system must run constantly on the host or in the network. The major drawbacks of the existing IDS [6] are:
1. Their difficulty in adapting to changes in the network architecture, and especially in integrating these modifications into the detection methods.
2. Their high rate of false positives (false alerts).

The intrusion detection system is effective if it has the following characteristics [12]:
1.
Distribution: to ensure monitoring at the various nodes of the network, the analysis task must be distributed.
2. Autonomy: for a fast analysis, distributed entities must be autonomous at the host level.
3. Delegation: each autonomous entity must be able to carry out its new tasks dynamically.
4. Communication and cooperation: the complexity of coordinated attacks requires a correlation of several analyses carried out at network nodes.
5. Reactivity: the major goal of intrusion detection is to react quickly to an intrusion.
6. Adaptability: an intrusion detection system must be open to all network architecture changes.

Biological immune system

Biological immune cells (IB) have membrane receptors, which allow them to specifically recognize an epitope of an antigen. The immune system is mainly founded on three elements: the gene database, negative selection and clonal selection. The gene database makes it possible to generate antibodies. Negative selection makes it possible to remove inappropriate antibodies, and clonal selection makes it possible to keep the best antibodies and make memory cells of them. These three processes are independent; they are not subject to any central body that manages them. The recognition of an antigen by an IB cell depends on the affinity between the antibodies and this antigen. IB cells are differentiated from one another by their competence. This immunocompetence depends on the synthesis of a membrane receptor. IB cells which recognize an antigen will proliferate by being cloned, according to the clonal selection principle [10].

Following this immunocompetence we distinguish two cases:
1. IB cells with a weak affinity will be transferred, or destroyed by negative selection.
2. IB cells which have the capacity to recognize antigens become mature cells.
At the end of their maturation, IB cells will undergo somatic mutations which promote their genetic variation, and then become memory cells.

Immune components description

In this section, the principal immune components used in our architecture are defined.

Antigens

They are considered in different approaches [7, 11] as bit strings extracted from IP packets, including IP address, port number and protocol type. Set $U = \{0,1\}^L$ ($L > 0$) and $Ag \subset U$; the set $U$ can be divided into self and notself. Self indicates normal network behavior; notself, on the other hand, indicates abnormal network behavior [16].

Antibodies

They correspond to bit strings of the same length as antigens; antibodies are constantly in search of antigens in order to match them and also to increase their lifespan. Set $AB = \{ab \mid ab = \langle b, t, ag \rangle,\ b, ag \in U \wedge t \in N\}$, where 'b' is the antibody bit string of length L, 'ag' is the antigen detected by the antibody and 't' is the number of antigens matched by the antibody [2]. There exist three states for antibodies: immature, mature and memory. Antibodies are able to detect an intrusion; in our architecture they are represented by D-agents.

Immature stage

Corresponds to the first stage of our cell. In this stage, the immature antibodies (Imb) are randomly generated by the generator detector. The immature immunocytes set is Imb={<b,t,ag>Match /bU, t< ̧, ag=Ø } and Match={<x,y>/x,yU, f match (x,y) = 1}, which will evolve into Imb through self-tolerance. If an antibody is not matched with notself for step evolution, then it will die after a certain period of time.

Mature stage

Corresponds to the second stage of our cell. In this stage the mature antibodies (Mab) have failed to match with notself during activation and evolution; the mature immunocytes set is Mab={<b,t,ag>Match/ bU, ̧<t< ̧’, ag ‘“Ø} and Match={<x,y>/x,y U, f match (x,y) = 1}. In our work, if a Mab is not matched with notself after a certain period of time then it will die.
Let us note that dead is formulated by Abdead ={<b,t,ag >Match / b,ag U, t }

Memory Stage

Corresponds to the final stage of our cell. In this stage the memory antibodies (Meb) are the result of the activation and evolution of the mature antibodies. The memory immunocytes set is Meb={<b,t,ag>Match/bU,t> ̧’,ag=(ag1, ....agn)} and Match={<x,y>/x,y U, f match (x,y) = 1}. They have a significant lifespan as long as they succeed in matching with not-self.

Affinity characterizes the correlation between Antigens and Antibodies is to determinate the. According to Hamming Distance (HD) this major element is evaluated. The calculation formula is evaluated according to Hamming Distance (HD).

Fig. 1: immune system life cycle

Let us consider $x_i$ ($i = 1 \ldots L$) a bit string of length L and $y_i$ ($i = 1 \ldots L$) another bit string of the same length L. $x_i$ represents an antigen and $y_i$ represents an antibody. is the affinity matching threshold value and HD(x,y) is the sum of the differing bits in the two strings. The affinity function is calculated as follows and DH(x,y)= withif xi yi, else

Artificial Multi-Agents Immune System

An artificial immune system (AIS) is a set of algorithms inspired by the principles and functions of the biological immune system. It exploits the characteristics of the natural immune system, as regards learning and memorizing, in order to solve complex problems in the artificial intelligence field. The biological immune system is a robust and powerful process, known for its distributed, simultaneous processing of operations and for being adaptive within the limits of its function [17].

Biological and multi-agent systems have common characteristics. Biological cells are modeled by agents; each agent is equipped with a set of receptors on its surface and has an internal behavior. Agents are subject to the rules of the environment and also to the influence of other agents [18].
This is why it seems natural to model an intrusion detection system by a MAS based on biological immune system principles. Let us note that the Detector agents (D-agents) are constantly in competition to defend their existence; they increase their life cycle and change state (immature, mature and memory)
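
The antigen encoding, Hamming-distance matching, self-tolerance and mature-to-memory promotion described above can be sketched as follows. This is an added example, not code from the paper. The 56-bit field layout, the threshold values EPSILON and MEMORY_AT, the rule that a match means a Hamming distance of at most EPSILON, and the sample addresses are all assumptions made for illustration.

```python
import ipaddress
import random
from dataclasses import dataclass, field

L = 56          # antigen bits: 32 source IP + 16 destination port + 8 protocol
EPSILON = 24    # assumed affinity threshold: match when HD(x, y) <= EPSILON
MEMORY_AT = 3   # assumed match count that promotes a mature detector to memory

def antigen(src_ip, dst_port, proto):
    """Pack the packet fields into one L-bit integer (the antigen)."""
    return (int(ipaddress.IPv4Address(src_ip)) << 24) | (dst_port << 8) | proto

def hd(x, y):
    """Hamming distance: number of bit positions in which x and y differ."""
    return bin(x ^ y).count("1")

def f_match(x, y):
    return 1 if hd(x, y) <= EPSILON else 0

@dataclass
class Detector:                      # antibody <b, t, ag> held by a D-agent
    b: int                           # detector bit string
    t: int = 0                       # number of antigens matched so far
    ag: list = field(default_factory=list)   # antigens it has detected
    state: str = "mature"            # it has already survived self-tolerance

    def present(self, x):
        if not f_match(x, self.b):
            return False
        self.t += 1
        self.ag.append(x)
        if self.t >= MEMORY_AT:
            self.state = "memory"
        return True

def negative_selection(self_set, n, seed=0):
    """Draw random immature detectors; those matching any self antigen die."""
    rng, mature = random.Random(seed), []
    while len(mature) < n:
        b = rng.getrandbits(L)
        if not any(f_match(s, b) for s in self_set):
            mature.append(Detector(b))
    return mature

def detect(detectors, x):
    # Present x to every detector; True means at least one raised an alarm.
    return any([d.present(x) for d in detectors])

# Constructed sample traffic (not from the paper): normal flows form the self set.
SELF = [antigen("10.0.0.5", 443, 6), antigen("10.0.0.6", 443, 6),
        antigen("10.0.0.7", 80, 6), antigen("10.0.0.5", 53, 17)]
```

Detectors that survive negative_selection never fire on the antigens in SELF, but with a threshold this loose they can still fire on benign traffic that was absent from the self set, which is the false-alarm problem the model aims to reduce.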