Hybrid multi-agent framework for detection of stealthy probes

Cited by: 6
Authors
Mukkamala, Srinivas [1]
Sung, Andrew H.
Abraham, Ajith
Affiliations
[1] New Mexico Inst Min & Technol, Inst Complex Addit Syst Anal, Socorro, NM 87801 USA
[2] New Mexico Inst Min & Technol, Dept Comp Sci, Socorro, NM 87801 USA
[3] Oklahoma State Univ, Dept Comp Sci, Stillwater, OK 74078 USA
Funding
U.S. National Science Foundation;
Keywords
intrusion detection systems; stealthy probes; controller;
DOI
10.1016/j.asoc.2005.12.002
Chinese Library Classification number
TP18 [Artificial intelligence theory];
Discipline classification codes
081104; 0812; 0835; 1405;
Abstract
Probing tools are widely used to discover system information. Once the information is known, attackers can launch computer attacks against the vulnerable services running on the system. Even though current computer systems are protected against known attacks by implementing a number of access restriction policies, protection against novel attacks still remains an elusive goal for researchers. Attackers defeat current protection and detection mechanisms by exploiting unknown weaknesses and bugs in system and application software. Stealthy and low-profile probes that include only a few carefully crafted packets over an extended period of time are used to delude firewalls and intrusion detection systems (IDS). Building effective IDSs, unfortunately, has remained an elusive goal owing to the great technical challenges involved, and applied AI techniques are increasingly being utilized in attempts to overcome the difficulties. This paper presents a computational intelligent agents-based approach to detect computer probes at the originating host. We also investigate and compare the performance of different classifiers used for detecting probes, with respect to the data collected on a real network that includes a variety of simulated probe attacks and the normal activity. Through a variety of experiments and analysis, it is found that with appropriately chosen network features computer probes can be detected in real time or near real time at the originating host. Using the detection information, an effective response mechanism can be implemented at the boundary controllers. (c) 2006 Elsevier B.V. All rights reserved.
Pages: 631-641
Number of pages: 11