Pikoulas J, Buchanan WJ and Triantafyllopoulos K,
"An Intelligent Intrusion Detection Environment
using Software Agents", Thirteenth International
Conference "Software & Systems Engineering
and their Applications", Paris, December 2000.
Security is one of the major issues in any
network and on the Internet. It encapsulates many
different areas, such as protecting individual users
against intruders, protecting corporate systems
against damage, and protecting data from intrusion.
It is obviously impossible to make a network totally
secure, as there are so many areas which must be
protected. This thesis includes an evaluation of
current techniques for detecting internal misuse of
computer systems, and proposes a new way of dealing
with this problem.
The thesis argues that it is impossible to fully
protect a computer network from intrusion, and shows
how different methods are applied at differing levels
of the OSI model. Most systems are now protected
at the network and transport layers, with systems
such as firewalls and secure sockets, but a key
weakness exists in the session layer, which is responsible
for user logon and the associated password. It
is thus key for any highly secure system to be able
to continually monitor a user, even after they have
successfully logged into the system, as once an
intruder has successfully logged into a system,
they can use this as a stepping-stone to gain full
access (often right up to the system administrator
level). This kind of intrusion highlights another weakness
of current intrusion detection systems, in that
they are mainly focused on detecting external intrusion,
whereas a great deal of research identifies that
one of the main problems is from internal intruders,
that is, from staff within an organisation. Fraudulent
activities can often be identified by changes in
user behaviour. While this type of behaviour monitoring
might not be suited to most networks, it could be
applied in highly secure installations, such as in
government and military organisations.
Computer networks are now among the most rapidly
changing and vulnerable systems, and their security
is now a major issue. A dynamic approach that is
simple and has the capacity to deal with and adapt
to abrupt changes will provide an effective modelling
toolkit. Analysts must be able to understand how
it works and be able to apply it without the aid
of an expert. Such models do exist in the statistical
world, and it is the purpose of this thesis to introduce
them and to explain their basic notions and structure.
One weakness identified is the centralisation
and complex implementation of intrusion detection,
and the research proposes an agent-based approach
to monitor the behaviour of each user. It also
observes that many intrusion detection systems cannot
cope with new types of intrusion. It thus applies
Bayesian statistics to evaluate the user's behaviour
and predict the future behaviour of the user. The
model developed is a unique application of Bayesian
statistics, and the results show that it can predict
future behaviour better than existing ARIMA models.
The thesis argues that the accuracy of long-term
forecasting is questionable, especially in systems
that have a rapid and often unexpected evolution
and behaviour. Many of the existing models for prediction
use long-term forecasting, which may not be the
optimal type for intrusion detection systems.
The experiments conducted have varied the number
of users and also the time interval used for monitoring
user behaviour. These results have been compared
with ARIMA, and an increased accuracy has been observed.
It is also shown that the new model can better predict
changes of user behaviour, which is a key factor
in intrusion detection.
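The short-term Bayesian monitoring of per-interval user behaviour described in the two paragraphs above, as an added illustration that is not the thesis's own model or code. It assumes a Gamma-Poisson conjugate model for a single user's activity count per monitoring interval, a forgetting factor so that recent intervals dominate the one-step-ahead forecast (the thesis does not state its model, so this is a stand-in), and a constructed count series in which interval 8 contains a sudden burst.

```python
import math

def nb_pmf(k, r, p):
    """Negative binomial pmf P[X = k] for shape r and success probability p.
    This is the posterior-predictive of a Poisson count whose rate has a
    Gamma(r, beta) prior, with p = beta / (beta + 1)."""
    return math.exp(math.lgamma(k + r) - math.lgamma(r) - math.lgamma(k + 1)
                    + r * math.log(p) + k * math.log1p(-p))

def tail_probs(x, alpha, beta):
    """Return (P[X <= x], P[X >= x]) for the predictive count distribution."""
    p = beta / (beta + 1.0)
    lower = sum(nb_pmf(k, alpha, p) for k in range(x + 1))
    upper = max(0.0, 1.0 - lower + nb_pmf(x, alpha, p))
    return min(1.0, lower), upper

def monitor(counts, alpha=1.0, beta=1.0, discount=0.9, threshold=0.01, warmup=3):
    """One-step-ahead Bayesian monitoring of a user's per-interval activity counts.

    The activity rate has a Gamma(alpha, beta) prior. Before each interval the
    prior is discounted (alpha and beta scaled by `discount`): the mean is kept
    but the uncertainty widens, so recent intervals dominate the forecast. This
    forgetting heuristic is an assumption of this example, not the thesis's model.
    A count is flagged when it lies in either predictive tail below `threshold`.
    Returns a list of (interval, count, predicted_mean, flagged)."""
    results = []
    for t, x in enumerate(counts):
        alpha *= discount
        beta *= discount
        predicted_mean = alpha / beta
        lower, upper = tail_probs(x, alpha, beta)
        # no alerts while the user's profile is still being learned
        flagged = t >= warmup and (lower < threshold or upper < threshold)
        results.append((t, x, predicted_mean, flagged))
        # conjugate update: posterior is Gamma(alpha + x, beta + 1)
        alpha += x
        beta += 1.0
    return results

def flagged_intervals(counts, **kwargs):
    return [t for t, _, _, flagged in monitor(counts, **kwargs) if flagged]

# Constructed sample (not data from the thesis): commands issued per monitoring
# interval by one user; the burst in interval 8 stands in for a change of behaviour.
SAMPLE_COUNTS = [10, 12, 9, 11, 10, 12, 11, 10, 48, 11]

if __name__ == "__main__":
    for t, x, mean, flagged in monitor(SAMPLE_COUNTS):
        print(f"interval {t}: observed {x:3d}, predicted {mean:5.1f}, "
              f"{'ALERT' if flagged else 'ok'}")
```

Lowering `discount` makes the forecast forget faster, which is the short-term trade-off the thesis discusses: quicker adaptation to a genuine change of habits, but a wider predictive interval and so less sensitivity to small deviations.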
The thesis concludes with recommendations for future
work, including how the statistical model could
be improved. This includes research into changing
the specification of the design vector for the Bayesian model.
Another interesting area is the integration of standard
agent communication agents, which will make the
security agents more social in their approach and
be able to gather information from other agents.