Agent Based Campus Internal Network Intrusion Detection Model

Abstract

The aim of the research is the modeling and implementation of an intrusion detection system (IDS) with focus on internally generated intrusions on a multi-Disciplinary campus network using Ahmadu Bello University (ABU) Zaria as a case study. A.B.U Zaria campus network is a complex network covering three campuses, 12 faculties and over a hundred Departments and as such there are varied types of users with diverse application requirements. Traffic data for a period of 24 months (January 2011 to December 2012) comprising of local to local and local to remote were used in developing the knowledge base of the IDS. The overhead of each packet derived from properties and composition of each packet is determined and used to form the behavior base of the IDS. The overhead determined is compared to a threshold called the safe score. This is the maximum allowable overhead for an Ethernet frame and has a value of 0.45. The developed model hybridizes the knowledge –based and behavior- based detection techniques and is implemented as an agent based application (using autonomous and adaptic agents or workers) in a program written in C-sharp(C#). If any packet has an overhead greater than the safe score, it is logged for further analysis. In the validation stage, the model processed 3,422,000 packets and 2328 packets were logged. Using Wireshark for the analysis of the logged packets, 298 packets (13% of the logged packets) were determined not to be malicious but of applications and or protocols not in the original knowledge-base and as such the knowledge base was updated. The IDS model developed is capable of updating its knowledge base, can sniff traffic directly on the network and utilizes less than 15.5% of ROM and CPU capacity at peak traffic period. It also showed about 50% improvement in the number of unknown applications and protocols identified by Netflow analyzer upon implementation.