
[IEEE 2009 WRI World Congress on Software Engineering - Xiamen, China (2009.05.19-2009.05.21)] 2009 WRI World Congress on Software Engineering - A Mobile Agent and Snort Based Distributed


A Mobile Agent and Snort Based Distributed Intrusion Detection System

Xiao-Ling Ye, Ying-Chao Zhang, Chao-Long Zhang, Chao Chen, Xin-Yi Huang
Nanjing University of Information Science and Technology, Nanjing 210044, China
[email protected]

Abstract

As computer networks and the number of their nodes keep growing, the traditional mobile agent based distributed intrusion detection system can cause severe network congestion and time delay, because the data of all nodes converges on the central node, which then has to process a mass of data. In this article we propose a mobile agent and Snort based distributed intrusion detection system (MASDIDS for short). It performs data collection, analysis and response on the supervisory node, and the result is analyzed by a mobile agent. Therefore the central server only has to record the intrusion behavior and manage the components, because most of the computation is distributed to the supervisory nodes. Excessive traffic at the system's processing center no longer occurs, so the real-time performance of the system is improved.

1. Structure and Function of MASDIDS

1.1. Topology of MASDIDS

The topology of MASDIDS is illustrated in graph 1. There is a central server CS; CS manages all the supervisory nodes (Host) and handles all agent transactions of the whole system.

1.2. Function and Structure of MASDIDS

Most real intrusions are not isolated attacks but compound attacks made up of many scattered behaviors or a series of attacks. [3] These scattered attacks usually happen at several nodes and span a certain period of time. We should not detect them in isolation but analyze and process them in a unified way, so that the compound attack can be detected correctly. Therefore, we must combine the host-based and network-based detection results with the results of every node; only then can the compound attack be detected. The function structure of MASDIDS takes the detection of compound attacks into account and provides corresponding solutions. [1][5]

Graph 1. Topology of MASDIDS.

The system collects and processes network packets using Snort. Besides Snort, there are 5 other agents: Data Collection Agent (DCA), Data Analysis Agent (DAA), Search Agent (SA), State Detect Agent (SDA) and Center Manage Agent (CMA). Every agent is an individual entity, and together they constitute the MASDIDS system.

DCA is a static agent. There is a DCA and a Snort on every supervisory node. DCA collects, analyzes and processes the log and audit data on the supervisory node, while Snort collects and analyzes the network data; DCA then combines the host-based and network-based detection results. The result is saved in the MySQL database of this node. DCA also controls Snort: it can start and stop Snort, update its rule base, and so on.

[Graph 1 labels: Firewall, Internet, Router, Switch, CS, Host1 ... Hostn]

World Congress on Software Engineering, 978-0-7695-3570-8/09 $25.00 © 2009 IEEE, DOI 10.1109/WCSE.2009.310


The analysis result of DCA is not only the basis for further analysis by DAA but also the basic building block of MASDIDS.

DAA is a mobile agent. There is more than one DAA in the system. DAA makes further analysis based on the results produced by DCA. Every DAA takes charge of the analysis for several supervisory nodes. The DAAs also need to cooperate among themselves to ensure the efficiency of the analysis.

SA is a best-effort mobile agent. If an intrusion behavior is detected, CMA generates an SA to trace its path and source, which helps to collect evidence and update the rule base. The SA may not be efficient, because many intrusions generally pass through an intermediary node, and the intruders can also eliminate their evidence. As a result, SA can only be a best-effort agent.

SDA is mainly used to detect the state of DCA and DAA, and at the same time it provides location-based services for DAA. In the system, DCA and DAA must send a log-in message to SDA when they start and a log-out message when they terminate, and when a DAA needs to change its location it must also send a location message to SDA. There is only one active SDA in the system. When a DCA needs a certain DAA to carry out an analysis mission, SDA can show the DCA the locations of all DAAs that are in a normal state, in order to make sure that communication is unimpeded and the system is stable.

CMA takes charge of all the agents and Snort instances in the system. It must make sure that all of them are normal and available. It also manages and updates the system rule base. CMA makes statistical analysis of the intrusion behaviors across the whole system, and displays all the statistical information about intrusions to the user in a GUI.

2. Snort

The capture and detection of network packets in MASDIDS depends mainly on Snort. Therefore the efficiency of Snort's detection algorithm plays an important role in system performance. [5]

2.1. Detection process of Snort

Snort is a standard application built on the Libpcap library. It uses Libpcap to capture network packets and trigger Snort's detection process.

When Snort starts, it first initializes, then reads every rules file and analyzes it with the corresponding grammar rules to generate a syntax tree. When it analyzes a packet, it enters the sub-tree for matching according to the packet's protocol. Among the rules that make up the rule syntax tree, the relationship is a logical OR: a match of one rule does not affect the others. Among the elements of a rule, such as the source IP, destination IP, source port and destination port, the relationship is a logical AND: the rule is triggered only if all of its elements match. The generation of the rule syntax tree is illustrated in graph 2.

Graph 2. Process graph of syntax tree of Snort rules.

The rule matching process matches the packet captured from the network against the syntax tree of rules. If a match succeeds, an attack is considered detected and a certain response can be made. If nothing matches, the packet is a normal packet. The detection process is illustrated in graph 3.

Graph 3. Workflow diagram of Snort.

[Graph 3 flowchart labels: Initialize; Read Rule File, Analyze Rule Base; Generate Rule Syntax Tree; Open Libpcap Base; Capture Network Packet; Analyze Network Packet; Match Rule Syntax Tree? No: Normal; Yes: An Intrusion is Detected, Make Certain Response]

[Graph 2 labels: Main Chain: Head of the Chain, Rule Head1 and Rule Head2, each with Source IP, Destination IP, Source Port, Destination Port; Sub Chain: Rule Option 11, Rule Option 12, Rule Option 21, Rule Option 22]

2.2. Optimized detection algorithm of Snort

Once the syntax tree is constructed, Snort begins to match the captured packets against the syntax tree of rules. Therefore an optimized Snort matching algorithm can help Snort save matching time and reduce network delay.

First of all, let's take the two rules below as an example:

(1) alert tcp any any -> any 7070 (msg: "IDS411/dos-realaudio"; flags: AP; content: "|fff4 fffd 06|"; reference: arachNIDS,IDS411;)

(2) alert tcp any any -> any 21 (msg: "IDS287/ftp-wuftp260-venglin-linux"; flags: AP; content: "|31c031db 31c9b046 cd80 31c031db|"; reference: arachNIDS,IDS411;)

In Snort rules, every rule element corresponds to a matching sub-function. While Snort matches rules, it uses a one-by-one in-depth matching method and must call the matching sub-functions of all the rule elements in every rule, most of which are called several times. If both rules have the option "reference" with the same parameter, the first matching result cannot be used directly by the second; the second must call its matching sub-function with the parameter again, so the matching is not efficient.

Second, from real-time monitoring of the network we find that attacks have many points in common within a certain period of time. Most network attacks mainly target certain system loopholes and ports, found by scanning. For example, one such attack remotely controls the computer through the input-method loophole on port 3389. It had been a main network intrusion method before Microsoft's patch was published. After the patch was published, this kind of intrusion declined and other network intrusions took its place. However, the rules in the Snort rule base are arranged according to their original state; they are not adjusted for the intrusions that occur in a given time period.

Finally, all the elements of a rule form a logical AND statement. The rule evaluates to true only when every element matches. Therefore, when we match a packet against a rule, once one rule element fails to match we do not have to match the remaining options of that rule, because the rule needs no response. However, the rule options in Snort are arranged according to their original state: their arrangement is not adjusted when the matching rates of some rule options are low.

Taking these problems of the Snort matching algorithm together, we amend the algorithm as follows:

Establish a sorting method based on the matching sub-functions. When matching several rules, first call the sub-function to process the parameters of the same kind of rule element across the different rules. If the parameters of rule elements of the same kind are the same, the result can be used directly, and the same function need not be called again and again, which saves the time spent calling functions.

Add an index parameter to every rule in the rule base. Once a rule is matched, its index value is increased by one, and at the same time the index is sorted dynamically: a rule with a large index value is moved to the front of the rule base and one with a small index value to the back.

Add an index parameter to the rule options within the same rule. When a rule option is matched, its index value is increased by one, and at the same time the index is sorted: an option with a large index value is moved to the front of the rule and one with a small value to the back.

The reprogrammed and rebuilt rule tree is illustrated in graphs 4 and 5. We divide the Snort syntax tree into two parts. One is the rule head linker. The parameters in the linker are IP addresses and port numbers. The sub-function processes the parameters column by column; if the parameters are the same, the result can be used directly, which saves the time of calling the function. Every index linked to a rule head is the index value of the whole rule. If the rule is matched, this value is increased by one and the index is sorted dynamically at the same time, that is, it is compared with the index value of the former rule; if the value is larger than the former, the rule changes order with the former rule, and then continues to compare its index value with the new former rule. It does not stop until the value is smaller. The other part is the rule option linker. The sub-function processes the parameters column by column, which saves the time of calling the function. Every index linked to a parameter chain is its rule option index value. If the rule option of any rule on the chain is matched successfully, this index value is increased by one, and at the same time the index is sorted dynamically, that is, the index value is compared with the latter rule option; if the value is larger than the latter, the option changes order with the latter rule option, and then continues to compare with the new latter rule option. It continues until its value is not larger than the latter.
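As an added example (not the paper's code and not Snort's own), the following Python sketch models the scheme of sections 2.1 and 2.2 on the two rules quoted above: rules are OR'ed, the elements of a rule are AND'ed with short-circuit, each element kind has one matching sub-function whose result is cached per packet so a second rule with the same parameter reuses it, and hit counters move often-firing rules to the front of the chain and, following the graph 5 description, often-true options to the back of their rule. The packet dictionaries, the STATS counter and the two bubble functions are assumptions of this sketch.

```python
FIELDS = ("proto", "src", "sport", "dst", "dport")
STATS = {"evaluated": 0, "reused": 0}   # sub-function calls vs per-packet cache hits
# The two rules quoted in the paper (its "aert" typo corrected to "alert").
RULES_TEXT = [
    'alert tcp any any -> any 7070 (msg:"IDS411/dos-realaudio"; flags:AP; '
    'content:"|fff4 fffd 06|"; reference:arachNIDS,IDS411;)',
    'alert tcp any any -> any 21 (msg:"IDS287/ftp-wuftp260-venglin-linux"; '
    'flags:AP; content:"|31c031db 31c9b046 cd80 31c031db|"; reference:arachNIDS,IDS411;)',
]

class Rule:
    def __init__(self, text):              # head (proto, IPs, ports) + ordered options
        head, body = text.split("(", 1)
        _action, proto, src, sport, _arrow, dst, dport = head.split()
        self.head = dict(zip(FIELDS, (proto, src, sport, dst, dport)))
        self.options = [tuple(s.strip().strip('"') for s in item.split(":", 1))
                        for item in body.rsplit(")", 1)[0].split(";") if ":" in item]
        self.index = 0                                     # whole-rule hits (graph 4)
        self.opt_index = {n: 0 for n, _ in self.options}   # per-option hits (graph 5)

def match_element(kind, param, pkt, cache):
    """One matching sub-function per element kind; the result is cached per packet
    by (kind, param), so another rule with the same parameter does not re-call it."""
    key = (kind, param)
    if key in cache:
        STATS["reused"] += 1
        return cache[key]
    STATS["evaluated"] += 1
    ok = True                              # msg, reference: metadata, always satisfied
    if kind in FIELDS:
        ok = param == "any" or str(pkt[kind]) == param
    elif kind == "flags":
        ok = set(param) <= set(pkt["flags"])
    elif kind == "content":
        ok = bytes.fromhex(param.strip("|").replace(" ", "")) in pkt["payload"]
    cache[key] = ok
    return ok

def bubble_rule_forward(rules, i):         # rule i fired: swap with the former rule
    while i > 0 and rules[i].index > rules[i - 1].index:   # while its index is larger
        rules[i], rules[i - 1] = rules[i - 1], rules[i]
        i -= 1

def bubble_option_backward(rule, name):
    """Option matched: swap with the latter option while its index is larger, so
    rarely-true options stay in front and fail the AND early."""
    opts, i = rule.options, [n for n, _ in rule.options].index(name)
    while i + 1 < len(opts) and rule.opt_index[name] > rule.opt_index[opts[i + 1][0]]:
        opts[i], opts[i + 1] = opts[i + 1], opts[i]
        i += 1

def detect(rules, pkt):
    """Rules OR'ed, elements AND'ed: msg of the first fully matching rule, else None."""
    cache = {}
    for i, rule in enumerate(rules):
        if not all(match_element(k, v, pkt, cache) for k, v in rule.head.items()):
            continue                       # head failed: try the next rule
        matched = []
        for name, value in rule.options:
            if not match_element(name, value, pkt, cache):
                break                      # short-circuit: remaining options skipped
            rule.opt_index[name] += 1
            matched.append(name)
        for name in reversed(matched):     # reorder after the scan, last hit first
            bubble_option_backward(rule, name)
        if len(matched) == len(rule.options):
            rule.index += 1
            bubble_rule_forward(rules, i)
            return dict(rule.options)["msg"]
    return None
```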

Graph 4. Improved graph of rule head linker.

[Graph 4 labels: Rule Head Linker: Rule Head1, Rule Head2, Rule Head3 with Index1, Index2, Index3; Parameter Chain of Sub-function1: Parameter11, Parameter21, Parameter31; Parameter Chain of Sub-function2: Parameter12, Parameter22, Parameter32]

Graph 5. Improved graph of rule option linker.

3. Workflow of MASDIDS

The working process of the MASDIDS system is elaborated below:

Data collection. DCA collects the log and audit data on the supervisory node and then analyzes and processes them. Snort collects, detects and processes the packets captured from the network. DCA comprehensively analyzes and processes its own result together with the result detected by Snort. When an intrusion behavior is detected, SDA connects a DAA to do further analysis.

If there is no idle DAA in the system, SDA reports to CMA, and CMA creates a DAA according to the system's demand, gives it certain routing information and intelligence, and then sends it to the supervisory node to do further analysis.

When a DAA reaches a certain supervisory node, it does further detection. During the analysis it can move to other supervisory nodes in the system to collect more information, and cooperate with other DAAs and share analysis results to detect a compound attack.

When an intrusion behavior is detected and certain response measures have been carried out, DAA reports the behavior to CMA and requests CMA to dispatch a search agent SA to trace the origin of the intrusion behavior.

CMA dispatches SA to trace the intrusion behavior. It analyzes the tracing result, then logs the most complete information detected (such as the scope, method, time and source of this attack) into the record, and raises the corresponding alarm.

4. Accomplishment and test of MASDIDS

4.1. Detection experiment

We constructed a network topology to test and verify the MASDIDS model. The central server runs Windows XP, IP address 192.168.2.16, CPU 1.8 GHz, memory 512 MB, NIC 10/100 Mbps. The supervisory node runs Windows XP, IP address 192.168.2.18, CPU 1.8 GHz, memory 256 MB, NIC 10/100 Mbps. The intrusion host runs Red Hat Linux 9.0, IP address 192.168.2.111, CPU 1.8 GHz, memory 256 MB, NIC 10/100 Mbps.

The central server and the supervisory nodes in the system have the Aglet runtime environment Tahiti installed. The supervisory nodes also have the runtime environment for Snort, apache + php + mysql + adodb + jpgraph + winpcap + acid + snortrules, installed and correctly configured, and the latest version of Snort, Snort 2.8.1, is installed as well. Snort's alarm information is saved in MySQL, and Snort displays the intrusion detection information through ACID. Aglet is a mobile agent technology developed by IBM Japan purely in Java. The company also developed a useful interface, Aglet Workbench, for people to develop and run mobile agent systems. Until now, Aglet has been the most successful and all-around system.

The test code consists of Centeraglet.java and Hostaglet.java. Centeraglet.java is an Aglet for the central server. When it is created it automatically provides the user operating interface and the network supervisory interface, and it also collects the MySQL alarm log from the host via Hostaglet and displays it in the window.

Hostaglet.java is an Aglet sent to the supervisory node. Its main function is to respond to Snort's alarms. In our design, Hostaglet checks Snort's alarm log every minute. If the alarm log has changed, Hostaglet sends the new content of Snort's alarm log to Centeraglet.

When we need to add a host node to MASDIDS, we click the "add" button in the supervisory domain and see the interface shown in graph 6. In this interface, we can add a supervisory node and send an Aglet to the ATP location the user specifies. In this program there is only Hostaglet. The host of supervisory node 192.168.2.18 has the Aglet runtime installed beforehand, and Snort is correctly installed and configured on the host 192.168.2.18. Then run the Snort supervisory program.

Graph 6. To add supervisory node in MASDIDS.

[Graph 5 labels: Rule Option Linker: Rule Option1, Rule Option2, Rule Option3 with Index1, Index 2, Index 3; Parameter Chain of Sub-function1: Parameter11, Parameter21, Parameter 31; Parameter Chain of Sub-function2: Parameter 12, Parameter 22, Parameter 32]

On the MASDIDS interface, if we choose a certain supervisory node and click "configure", we enter the supervision configuration interface. An intrusion host, IP address 192.168.2.111, runs hping2 and starts attacking 192.168.2.18. In the Snort remote supervision interface, the attack is generally detected within 3 seconds. The detected result is saved in MySQL, as illustrated in graph 7. The alarm information displayed by MASDIDS is illustrated in graph 8. From the pictures we can see that the Hostaglet of the supervisory node sends the alarm information in MySQL to the central server, which displays it.

Graph 7. The attack detected by the supervisory interface.

Graph 8. Detected alarm information of MASDIDS.

5. Conclusion

From the experiment above we conclude that the MASDIDS system model, which uses mobile agents to control a professional network intrusion detection system, is feasible. Because Snort is integrated, the system is professional in network-based intrusion detection and has good real-time detection. In this model, adding a new Aglet to the system only requires programming an Aglet with the new features, so new functions can be realized.

6. Acknowledgments

This work is supported in part by the Nature Science of Higher Education (Grant No. 06KJD520122), "The Six Top Talents" of Jiangsu Province (Grant No. 06-A-027), the Nature Science of NUIST (Grant No. 20070084), and the Jiangsu Province Philosophy and Social Sciences (Grant No. 08EYB018).

7. References

[1] Christopher Krugel, Thomas Toth, Engin Kirda. SPARTA, a mobile agent based intrusion detection system. Network Security 2001, Leuven, Belgium, 2001.

[2] S. H. Qing, J. C. Jiang, H. T. Ma. Research on Intrusion Detection Techniques: A Survey [J]. Journal on Communications, 2004, 25(7): 19-29.

[3] James P. Anderson. Information Security in a Multi-User Computer Environment. Advances in Computers, 1972, 12: 1-36.

[4] Mark Slagell. The design and implementation of MAIDS (mobile agent intrusion detection system). Iowa State University, Tech. Rep. TR01-07, 2001.

[5] http://www.snort.org
