DISTRIBUTED INTRUSION DETECTION SYSTEM USING COOPERATIVE AGENT BASED ON ANT COLONY CLUSTERING
Main Author: | Nur Kholish AR, Muhammad |
---|---|
Format: | Dissertations |
Language: | Indonesia |
Online Access: | https://digilib.itb.ac.id/gdl/view/29301 |
Institution: | Institut Teknologi Bandung |
id | id-itb.:29301 |
---|---|
institution | Institut Teknologi Bandung |
building | Institut Teknologi Bandung Library |
continent | Asia |
country | Indonesia |
content_provider | Institut Teknologi Bandung |
collection | Digital ITB |
language | Indonesia |

description |
The development of intrusion detection systems (IDS) deals with computational and architectural issues. Cluster-based detection uses its knowledge base in the form of a cluster center. Its detection performance against existing attacks, as well as against new types of attacks, is still not as good as that of classification-based detection such as artificial neural networks (ANN). Hierarchical clustering requires large computing resources, and IDS development also has to cope with high-dimensional data. Partitional K-means is capable of processing large data sets but requires initial cluster initialisation (the number of clusters must be fixed in advance).

Ant colony clustering (ACC) is inspired by the brood care and cemetery organisation behaviour of ant colonies; as a hierarchical-partitional method it does not require the number of clusters to be set in advance, as in the Lumer-Faieta (LF) ACC model. A number of artificial ants continuously explore a 2D (toroidal) search space without supervision, perform simple work, and gather similar objects to find clusters. The cluster center serves as a knowledge base for detecting attacks such as DoS (denial of service). ACC still faces constraints: detection rates and false alarm levels that are not yet ideal, and large traffic volumes that generate computational load.

In terms of architecture, distributed and coordinated attacks such as DDoS (distributed DoS) in botnet environments are still difficult to address: they require large amounts of information to be disseminated, detection collaboration between components makes information synchronisation difficult, the large volume of distributed information loads the network, and a centralised hierarchical architecture allows an attacker to bypass the communication and command path to the central component.

High-dimensional data constraints are addressed through feature extraction and selection based on PCA (principal component analysis) for dimensionality reduction on NSL-KDD (DoS attacks) and on the botnet CTU13-ISCX attack data (DDoS attacks). The 32 numerical features of NSL-KDD are transformed into 11 new features of smaller dimension (a 65.63% reduction). The 71 numerical features of CTU13-ISCX are transformed into 11 new features (an 84.51% reduction). A subset with 11 features is used in the development of ACC for detection purposes.

The ACC model LF-DBSCAN is used to determine the cluster center as the detection knowledge base. Experiments were run 10 times on a 100x100 grid with 1,198 (NSL-KDD) and 1,445 (CTU13-ISCX) objects, followed by cluster extraction using DBSCAN, yielding cluster centers for attacks (DoS/DDoS) and for normal activity. The subset with 11 new features gives the maximum Rand index, Jaccard coefficient, and Fowlkes-Mallows index, as well as the minimum Davies-Bouldin index.

ACC performance is not reduced when detecting new types of DoS attacks. Values such as TPR, TNR, ACU, PRE, REC, and FM show no significant difference between three attack scenarios: a simple scenario using one type of attack on a single protocol, a general scenario with several types of attack on several protocols, and a scenario containing a new type of DoS attack that was not included during the cluster center extraction process. ACC performance on DoS detection exceeds K-means clustering on the combination of the three attack scenarios, with a ROC curve closer to the ideal shape and a larger area under the curve. There is a significant difference in DDoS detection performance between LF-DBSCAN and K-means: TPR, TNR, ACU, PRE, REC, and FM are higher than for K-means, while FPR and FNR are lower. Its ROC curve is closer to the ideal shape and its area under the curve is larger than that of K-means.

ACC-based IDSs are able to cooperate without a centralised component in building a shared cluster center as a knowledge base for DoS/DDoS attack detection, using randomized gossip. Ten learning agents cooperate with each other and demonstrate the convergence of feature values toward a new cluster center that serves as a shared knowledge base for detection. Randomized gossip supports an ACC-based distributed IDS architecture without centralised, hierarchical components, closing the vulnerability loopholes such components introduce. Cluster centers obtained from randomized gossip can be used for attack detection and increase TPR, TNR, ACU, PRE, and FM on DoS detection by up to 57% and on DDoS detection by 25%, and decrease FPR and FNR on DoS detection by 73% and on DDoS detection by up to 41%, compared with no randomized gossip and with K-means clustering.

This study proposes the development of an ACC-based distributed IDS architecture through the collaboration of several agents to recognise types of DoS attacks and DDoS attacks on botnet networks. |
format | Dissertations |
author | Nur Kholish AR, Muhammad |
url | https://digilib.itb.ac.id/gdl/view/29301 |