Artificial Neural Network for Mobile IDS Solution

F. A. Barika (1), K. Hadjar (2), N. El Kadhi (3)
1: Higher Institute of Management, LI3, Tunis, Tunisia
2: Ahlia University Bahrain, ITMS Dept. Chairman
3: Ahlia University Bahrain, ECCE Dept. Chairman, and LERIA EPITECH France

Abstract— The aim of this paper is to suggest an Artificial Neural Network architecture for decision making within intrusion detection systems. Taking as starting point the IMA_IDS solution [57], which presents a global agent architecture for an enhanced network-based intrusion detection solution, we suggest the use of an ANN as the major decision algorithm to be included in the detection agents. Our goal is to increase efficiency by reducing false positives and increasing the detection capabilities when only partial information on the network status is available.

Keywords: Artificial Neural Network, Distributed intrusion detection system, anomaly detection, Signature based IDS.

1. Introduction
Security threats to computer networks have increased significantly. Among all security issues, intrusion is the most critical and widespread. An intrusion can be defined as any action that a user is not legally allowed to take towards an information system, or that compromises or causes harm to a network. Intrusion detection, which appeared in 1980 [1], is the process of detecting and tracing inappropriate, incorrect or anomalous activity targeted at computing and networking resources. An abstract intrusion detection model was proposed in 1987 by Denning [2]. An Intrusion Detection System (IDS) is commonly a software that automates the intrusion detection process and detects possible intrusions. IDS are usually divided into two groups according to the analyzed events:
• Host Based IDS (HIDS): perform their analysis on information collected at a single host by the audit trails. HIDS are designed for monitoring a single computer system, looking very specifically at what is happening on that machine via the log files and/or the internal auditing systems.
• Network Based IDS (NIDS): rely on information obtained by monitoring the stream of data exchanged between computers. NIDS are used to detect intrusions across an entire network. These systems must be placed in the network such that they can see all passing traffic.
The HIDS works above the network layer, making it unable to detect some kinds of attacks [11], while NIDS infer their decision from low-level network packets traveling among hosts. Detecting unknown intrusions in network traffic can be very complicated, whereas on a host there are more things to look at, such as processes, network accesses, system calls made, etc. Moreover, there is a tradeoff between NIDS and HIDS regarding attack resistance and visibility. Visibility makes evasion more difficult by increasing the range of analyzable events and decreasing the risk of having an incorrect view of the system state. On one hand, HIDS provide good visibility [10]. However, increasing the visibility of the target system to the IDS frequently comes at the cost of weaker isolation between the IDS and the attacker, and increases the risk of a direct attack on the IDS. On the other hand, NIDS offer higher attack resistance at the cost of visibility.
The usual approach for an IDS is to set up sensors to collect the data, then to pass it to an analyzer component which analyzes the data and issues alerts. This centralized approach, used in the best-known products such as Snort [4], has several flaws:
• In case of a failure of a sensor there is no handover.
• This type of IDS is very sensitive to Denial of Service attacks [5].
• Many IDS have hierarchical structures. This gives the attackers the opportunity to harm the IDS by cutting off a control branch or even taking out the root command.
• Unstable reaction to distributed attacks.
• Sensor capacity relies on the computer hardware, which makes the capacity hard to extend.
• The security of each sensor has to be granted separately; there is no global security to ensure that each sensor is not corrupted and is authorized on the network.
• All the sniffers need to be updated separately.
• Human expertise is needed during the whole working time.
• When an IDS is faced with a huge number of events in the network, it slows down the system or drops the network packets that it does not have time to process.
To eliminate such defects, many approaches have been applied to the detection process, such as neural networks [7], genetic algorithms [8] and the agent approach [9]. Developing an IDS implies taking into account the contemporary distributed computing environment and the distributed nature of attacks. For these reasons the agent approach seems to be more suitable. We advocate the idea that a mobile agent framework enhances the performance of IDS and even offers them new capabilities. Moreover, agent systems are used in various applications such as workflow, scheduling and optimization [13]. An agent is defined as a distinct software process which can reason independently, can react to change induced upon it by other agents and its environment, and is able to cooperate with other agents [12]. Agents are autonomous: they can act independently from other agents and perform different tasks. They are also robust and fault-tolerant to changing environments. Agents can be mobile, migrating from one agent place to another in order to perform the work locally. In an agent-based IDS there is no central station, therefore no central point of failure. Overcoming the deficiency of the centralized structure is the major reason for using agents in the intrusion detection field. The usefulness of agents also includes the reduction of the network load, overcoming network latency and support for disconnected operations [14].
IDS can be classified into two categories according to the approach used in analyzing network events: those based on the anomaly approach and those based on the misuse approach.
• Anomaly approach: it relies on models of the "normal" behavior of a computer system [2]. Behavior profiles may be focused on the users, the applications or the network. In this approach, to detect abnormal activity patterns, the predefined profile patterns are compared with the actual ones in use. The detected patterns are considered as intrusions.
• Misuse approach: it relies on a set of attack descriptions, also called attack signatures [15]. These descriptions are matched against the stream of audit data, attempting to verify that the defined signature is occurring.
Both anomaly and misuse approaches present advantages and disadvantages. An IDS based on the misuse approach can detect only those attacks that have been defined. The anomaly approach enables us to detect attacks that are unknown in advance; this advantage causes a large number of false positives (false alarms), which occur when an IDS alerts on an event that is not an intrusion [3]. Commercial IDS products such as NetRanger [44] and RealSecure [45] work on the misuse approach.
In this paper, based on the MA_IDS global structure, we suggest using an Artificial Neural Network (ANN) as the decisional process implemented by the detection (analyser) agent. Such a decision process will enhance the detection process because of:
• Learning step: because of the ANN structure and working process, we will be able to customize the solution from one environment to another just by customizing the learning sets. In fact the learning step offers the opportunity to move from a static attack description (usually provided through signatures) to a more general description that could include environment specificities and particularities.
• Unexpected configurations: ANNs are known to be able to 'react' to unexpected situations. In fact, if we consider a signature description, if one event is not detected the global detection process is compromised. With an ANN it only partially affects the final decision, by decreasing the detection rate or the ANN output value. Notice that the ANN output is in general not a binary decision but a kind of fuzzy value (rate) of correctness. To illustrate this aspect, let us consider a signature described by A, B, C ⇒ D, meaning that attack D is occurring if events A, B and C have been observed. With a classical detection approach, if event C for example is not captured by the collector agents, the intrusion will not be detected. With an ANN the output would be something like "D is true with a rate of 0.75", for example.
Our paper is organized as follows: in section 2, we present anomaly detection research. In section 3, we recall the agent architecture approach. Section 4 details the ANN architecture and components, and finally section 5 concludes the paper.

2. Anomaly Detection Research
Since Anderson's paper, various anomaly detection approaches have been implemented by establishing statistical models for user [26], program [27] or network behavior [28]. More recently, the authors of [29] used statistical clustering techniques to learn normal behavior patterns in network data. The delivered system was able to detect most network probes and DoS attacks in the MIT Lincoln Labs data. In 2002, Eskin and others [30] proposed unsupervised anomaly detection algorithms working with unlabeled data, based on the assumption that the number of normal instances is significantly larger than the number of anomalies and that anomalies appear as outliers in the data. In the same year a new approach called specification-based anomaly detection was proposed [31]. Its purpose was to combine the primary benefits of anomaly detection and specification-based detection, namely good detection of new attacks and low false alarm rates.

Puttini et al. presented a new anomaly IDS design using a parametric mixture model for behavior modeling and Bayesian-based detection [32]. The proposed algorithms for the detection and update phases are feasible in real time with no special hardware requirement, but the parametric Gaussian model that was used for evaluation has some limitations. A model based on the vector quantization technique was proposed in [34]. This model is suitable for security monitoring in the grid computing environment. Experimental results based on this model have shown very promising performance in terms of high detection rate and low false alarm rate. For the same purpose, Gao et al. demonstrate that, with the addition of labelled examples, the anomaly detection algorithm can be guided to develop better models of the normal and abnormal behavior of the data [35]. In 2005, Kim et al. proposed fusions of genetic algorithms and support vector machines for efficient optimization of both the features and the parameters of detection models [33]. Their method provides an optimal anomaly detection model which is capable of minimizing the number of features and maximizing the detection rates. A statistical approach to anomaly detection in interdomain routing was proposed in [36]. A time-series segmentation algorithm is used to detect instabilities triggered by events like router misconfigurations, infrastructure failures and worm attacks. The performance of the proposed algorithm was evaluated using real Internet trace data, with a false alarm rate as low as 0.0083 alarms per hour. But this algorithm incurs an average detection delay of approximately 50 minutes. Durgin and Zhang investigate profile-based anomaly detection techniques that can be used to address the problem of recognizing and evaluating threats against networks which are complex and heterogeneous [42]. They identify and evaluate promising techniques for data mining and machine learning. They build a prototype anomaly detection tool that demonstrates how the techniques might be integrated into an operational intrusion detection framework. But they have not tested datasets that contain real intrusions, nor used the tool to identify abnormal behaviors that pose a threat to network security. In 2007, Salem, Vaton and Gravey provided a new framework for efficient detection and identification of network anomalies over high-speed links [37]. They apply the CUSUM algorithm and prove the capacity of early detection even for low-intensity DoS/DDoS (distributed DoS) attacks. This framework results in a large amount of sketch information exchanged between the different monitoring nodes in the different layers. The authors also propose, as future work, to distribute the proposed approach hierarchically. More recent work focuses on the choice of the features used to describe normal or intrusive traffic patterns. Tran, Ma and Sharma propose an automated feature weighting method based on a fuzzy subspace approach to vector quantization modelling, which can assign a weight to each feature when network models are trained [38]. Their method increases the detection rate and reduces the false alarm rate.

2.1 Discussion
Anomaly-based systems have the advantage of being able to detect previously unknown attacks, but they suffer from the difficulty of building a solid model of acceptable behavior and from the high number of alarms caused by unusual but authorized activities. Statistical analysis is not able to detect attack scenarios which may occur over an extended period of time. For example, an exploit using a missing command in a session can only be identified when the session is completed, and will necessitate keeping track of state and context [20]. This could affect the time performance of the IDS, which corresponds to the total time that the IDS needs to detect an intrusion. This time needs to be as short as possible in order to allow the security analyst sufficient time to react to an attack before much damage has been done, as well as to stop an attacker from modifying audit information or altering the IDS itself [21]. IDS designers must find ways to speed up their attack analysis techniques when monitoring a fully saturated network, with fewer false positives. Statistical algorithms are not scalable and fast enough to keep up with the requirements of today's gigabit networks. They are not fast enough because statistical processing tends to be computationally expensive, since several metrics are often maintained and need to be updated against every system activity. Scalability is an issue since these systems depend on the network traffic behavior, and today's networks have diverse and different requirements at times. Besides, one of the major problems with statistical methods is that not all abrupt changes in the network are anomalies, whereas these methods declare any abrupt change an anomaly. It is also difficult to determine the right threshold above which an anomaly is to be considered intrusive. In statistical algorithms, a larger sample or threshold increases the chance of false negatives, while smaller values increase the chance of false positives. Basically, these traditional methods select key statistics about network traffic as features for a model trained to recognize normal activity. Unfortunately, statistics such as packet arrival times and connection arrival times have much variation. Too much statistical variation makes models inaccurate, and events classified as anomalies may not always be malicious [18]. Moreover, statistical analysis has the disadvantage that its statistical measures capturing user behavior can be trained gradually to a point where intrusive behavior is considered normal.

3. IMA IDS Architecture
As mentioned in the introduction, we suggest adding an artificial neural network as the decision algorithm on top of an already existing agent-based intrusion detection system. The solution was introduced by Barika et al. [58], then implemented and enhanced with different detection approaches in [58], [57]. Let us briefly recall the agent IDS architecture. The distributed structure of our system consists of four levels, as shown in figure 1: the lower level, the pretreatment level, the kernel and the upper level. We have four cooperative, communicating and collaborative entities that are able to move from one station to another: the Sniffer agent, the Filter agent, the Analyzer agent and the Decision agent. Each category of agent is assigned respectively to one of the levels cited above.

Fig. 1 MAFIDS architecture

3.1 The Sniffer Agent
This kind of agent is cloned and distributed throughout the network. It patrols the network, collects all the events occurring on the host to which it is attached and stores the collected data in a sniffing file. The Sniffer agent can duplicate itself in order to lighten the network load. At the lower level, we are interested in collecting all the events occurring across the network in real time. Sniffers are what is commonly called sensors [43].

3.2 The Filter Agent
Detecting intrusions in a distributed system turns out to be difficult. An IDS must analyze a huge volume of events, and the task becomes harder when the events must be collected from distributed sources around the network. Intrusions can occur at every level of the distributed system, and each level may require monitoring. So, to determine whether an intrusion is taking place, we have to aggregate and merge the events collected from various sources, which is among the tasks allocated to the Filter agent.
This agent performs its tasks in the context of the collected-events pretreatment phase, which precedes the analysis phase. The Filter agent plays the twofold role of preparing the data to be analyzed and of establishing a baseline of normal network behavior during the training period. In its first role, the Filter agent accesses the sniffing file written by the Sniffer agent and processes these raw events through the following tasks:
• distinguish the various fields of the raw collected events, such as the destination address and the protocol,
• sort the events by the category of packet (TCP, IP, ...) concerned by a specific kind of intrusion.

3.3 The Analyzer Agent
This kind of agent processes and analyzes the events captured by the Sniffer agent and pre-processed by the Filter agents. Our proposal starts introducing its upgrade at this level. Because of the use of the ANN, this agent now acts as a classifier and pattern-builder agent. We consider that attacks are divided into a set of groups according either to the concerned protocol (TCP, UDP), to the observed events and event properties (IP values, port values, ...) or to the exploited vulnerability. This agent in fact prepares the inputs for the decisional ANN by correctly formatting the collected elements and describing the input/output pattern according to our ANN representation.

3.4 The Decision Agent
The administrator, depending on his needs and requirements, can customize this agent via the training step. In fact, in [46], Thom defines morphology in detail. We retain the principal aspects. To highlight the analogy with our intrusion detection system, we show that every keyword cited in the definition has a specific counterpart:
• a natural phenomenon: a network event,
• a case B: a segment of the network,
• a point x: a network event collected in a temporal unit,
• a regular point: a normal event, according to our definition of normal behavior and its models,
• an open set in B × T: the set of permitted behaviors, considered normal relative to time.

4. ANN Architecture for Intrusion Detection Decision Making
4.1 Introduction
Artificial Neural Networks have proved their ability to correctly handle many difficult problems [59]. Many successes have been achieved with ANNs in voice recognition, pattern recognition [60], handwriting recognition, etc. In our model, the agent gathers all the required data coming from the other agents and presents them to the ANN. The training phase consists of supervised training, where we present to the ANN a pair of input and desired output, consisting respectively of event parameters and an attack.

4.2 The topology of the ANN
In our model, we choose to rely on a Multilayer Perceptron (MLP) ANN connected in a feed-forward way. Figure 2 illustrates the topology of the artificial neural network used inside the IDS model. The size of the input layer depends on the collected events sent by the collectors. In figure 2 we limit (as an example) the input layer to 20 neurons. In a practical implementation this size will be fixed by the network administrator according to the attack category concerned. In fact, it is commonly known that, for example, TCP/IP attack signatures use no more than 10 or 15 events, and so on. As is known from regular ANN use [58], there is no deterministic way to decide the number of neurons in the hidden layers. After multiple tests, we found that having 3 hidden layers with respectively 5, 10 and 15 neurons seems to be the best configuration for the intrusion decision-making process. Finally the output layer, which represents the set of attacks that can be detected, is composed of as many neurons as the studied attacks. In order to simplify the representation, we just consider here having 20 neurons, each one representing an attack.
Let us now detail the hidden layer structure. As mentioned before, the hidden layers contain respectively 5, 10 and 15 neurons. The first hidden layer may contain more than 5 neurons; in fact this layer is meant to include a kind of attack classification in the attack decision-making process. One neuron inside this layer represents one attack class. For example we can consider that any spoofing attack belongs to the category C1 in figure 2, represented by the first neuron of the first hidden layer. Notice that any attack signature of this class may include one or more events represented by the following entries: IP AdRSour, IP AdrDest, NA, MaSour, MADE, CodeSize. Since the ANN is a feed-forward one, we mention here just the significant entries, those that should have a weight higher than 0 after the training step.

Fig. 2 ANN for intrusion detection topology

4.3 ANN Intrusion Detection Global Description

Our first prototype has been designed using the Artificial Neural Nets Simulator JavaNNS [60]. In order to build the training set, we take as inputs the Snort attack descriptions gathered by the collector agent and convert them into the input format of JavaNNS; for the desired output, the administrator specifies for every collected event the desired output, which in our case is the possible attack. In the training phase, the ANN learns all the features of the training set by adjusting its weights. Once this phase is achieved, we have a trained ANN and can run a real test on it by giving it all the collected events; its output, according to the acquired knowledge, is the estimated attack, once we have fixed a threshold for every neuron dealing with an attack. For example, to build the training set elements, we take as inputs the Snort attack descriptions such as those shown in table 1.

     | Source Port         | Destination Port                                                                              | Packet Data Payload
TCP  | 20432, 12754, 15104 | 27665, 12754, 7070, 8080, 135, 139, 3372, 6004, 6789, 6790, 80, 179, 515, 646, 21513, 3128, 9191, 443, 3101, 25 | FF F4 FF FD 06, FF FF FF FF FF FF, 00 03 00 00 00, 05 00 00 03 10 00 00 00, 00 00 00 00, 01 06 00 00 00, FF FF FF, 00 00, 3A, 13, 0A, 00

Table 1 Common attribute values in TCP packets
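To make the decision step concrete, here is an added example in Python (not the authors' code and not JavaNNS): a pure-Python feed-forward MLP with the 20-5-10-15-20 topology of section 4.2, trained by backpropagation on a constructed set of Snort-like events encoded from the Table 1 attributes as described in section 4.3, then queried with a complete signature and with the same signature missing one event, the A, B, C ⇒ D case of the introduction. The 20-event vocabulary, the training events, the attack numbering, the weight initialisation and the learning rate are assumptions made for this illustration.

```python
import math
import random

# Constructed vocabulary for the 20-neuron input layer of the paper's example, one
# neuron per event. Port numbers and byte patterns are Table 1 values; grouping them
# into these 20 events is an assumption made for this illustration.
FEATURES = [
    ("proto", "tcp"), ("proto", "udp"), ("proto", "icmp"),
    ("sport", 20432), ("sport", 12754), ("sport", 15104),
    ("dport", 27665), ("dport", 12754), ("dport", 7070), ("dport", 8080), ("dport", 135),
    ("dport", 139), ("dport", 80), ("dport", 443), ("dport", 25),
    ("payload", "ff f4 ff fd 06"), ("payload", "ff ff ff ff ff ff"),
    ("payload", "00 03 00 00 00"), ("payload", "05 00 00 03 10 00 00 00"), ("payload", "3a"),
]
LAYERS = [20, 5, 10, 15, 20]  # section 4.2 topology: input, 3 hidden layers, one output per attack


def encode_event(proto, sport, dport, payload):
    """Binary input pattern: 1.0 where a Table 1 attribute matches the collected event."""
    fields = {"proto": proto, "sport": sport, "dport": dport}
    vec = []
    for kind, value in FEATURES:
        if kind == "payload":  # byte pattern searched anywhere in the packet data
            vec.append(1.0 if bytes.fromhex(value) in payload else 0.0)
        else:
            vec.append(1.0 if fields[kind] == value else 0.0)
    return vec


def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


class MLP:
    def __init__(self, sizes, seed=7):
        rng = random.Random(seed)
        # weights[l][j][i] connects neuron i of layer l to neuron j of layer l + 1
        self.weights = [[[rng.uniform(-1.0, 1.0) for _ in range(n_in)] for _ in range(n_out)]
                        for n_in, n_out in zip(sizes[:-1], sizes[1:])]
        self.biases = [[0.0] * n_out for n_out in sizes[1:]]

    def forward(self, x):
        """Return the activations of every layer, input first, output last."""
        acts = [list(x)]
        for w, b in zip(self.weights, self.biases):
            acts.append([sigmoid(sum(wi * ai for wi, ai in zip(row, acts[-1])) + bj)
                         for row, bj in zip(w, b)])
        return acts

    def train(self, samples, epochs, lr=0.5):
        """Stochastic gradient descent on squared error; returns the last epoch's mean loss."""
        loss = 0.0
        for _ in range(epochs):
            loss = 0.0
            for x, target in samples:
                acts = self.forward(x)
                out = acts[-1]
                loss += sum((t - o) ** 2 for t, o in zip(target, out)) / len(out)
                delta = [(o - t) * o * (1.0 - o) for o, t in zip(out, target)]  # dE/dnet at output
                for l in range(len(self.weights) - 1, -1, -1):
                    prev, w = acts[l], self.weights[l]
                    # error of the layer below, computed with the weights before they change
                    back = [sum(w[j][i] * delta[j] for j in range(len(delta))) * a * (1.0 - a)
                            for i, a in enumerate(prev)] if l > 0 else None
                    for j, dj in enumerate(delta):
                        self.biases[l][j] -= lr * dj
                        for i, a in enumerate(prev):
                            w[j][i] -= lr * dj * a
                    if back is not None:
                        delta = back
        return loss / len(samples)


# Constructed training events (protocol, source port, destination port, payload) with the
# output neuron the administrator assigns as desired output; None marks normal traffic.
TRAINING_EVENTS = [
    (("tcp", 40000, 27665, bytes.fromhex("ff f4 ff fd 06")), 0),
    (("tcp", 12754, 80, bytes.fromhex("ff ff ff ff ff ff")), 1),
    (("udp", 40000, 7070, bytes.fromhex("05 00 00 03 10 00 00 00")), 2),
    (("tcp", 40000, 135, bytes.fromhex("00 03 00 00 00")), 3),
    (("tcp", 40000, 443, b"\x16\x03\x01"), None),
    (("tcp", 40000, 25, b"EHLO mail.example"), None),
]


def build_training_set():
    samples = []
    for (proto, sport, dport, payload), attack in TRAINING_EVENTS:
        target = [1.0 if i == attack else 0.0 for i in range(LAYERS[-1])]
        samples.append((encode_event(proto, sport, dport, payload), target))
    return samples


def decide(net, event, threshold=0.5):
    """Decision step: every output neuron at or above its threshold reports its attack."""
    out = net.forward(encode_event(*event))[-1]
    return {index: round(score, 3) for index, score in enumerate(out) if score >= threshold}


def train_and_compare(epochs=2000):
    """Train, then rate attack 0 on its complete signature and with the payload event missing."""
    net = MLP(LAYERS)
    samples = build_training_set()
    loss_before = net.train(samples, epochs=1)
    loss_after = net.train(samples, epochs=epochs)
    complete = net.forward(encode_event("tcp", 40000, 27665, bytes.fromhex("ff f4 ff fd 06")))[-1]
    partial = net.forward(encode_event("tcp", 40000, 27665, b""))[-1]  # event C not captured
    return net, loss_before, loss_after, complete[0], partial[0]
```

The partial-signature rate is a graded output between 0 and 1 rather than the all-or-nothing verdict of a signature match; how close it lands to the complete-signature rate depends on the training set, which is the point the paper makes about customizing the learning sets.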

5. Conclusion
In this paper we briefly recalled intrusion detection systems' principles and drawbacks. Then we introduced the distributed intrusion detection system that we are suggesting, based on the previous MAFIDS architecture [57]. Based on the mentioned limitations and drawbacks in the decision step, we argued for the use of Artificial Neural Networks as an alternative solution. We presented the detailed architecture of our ANN and also argued for the use of the multilayer perceptron paradigm. Then we presented our ANN topology, which has been designed using JavaNNS [60]. We are now working on transcribing Snort signatures into a binary representation that could be taken as input for our ANN. The idea is to generate a huge test set including Snort events as inputs and the corresponding signatures as possible outputs.

References
[1] J. P. Anderson, Computer security threat monitoring and surveillance, James P. Anderson Company, Fort Washington, Pennsylvania, 1980.
[2] D. E. Denning, An intrusion detection model, IEEE Transactions on Software Engineering, SE-13:222–232, 1987.
[3] G. Vigna, S. Eckmann and R. Kemmerer, Attack Languages, in Proc. of the IEEE Information Survivability Workshop, IEEE Computer Society Press, Boston, MA, USA, 2000, pp. 163–166.
[4] SNORT, http://www.snort.org/.
[5] S. Specht and R. Lee, Distributed Denial of Service: Taxonomies of Attacks, Tools, and Countermeasures, in Proceedings of the 17th International Conference on Parallel and Distributed Computing Systems, September 2004, pp. 543–550.
[6] N. Kussul, A. Shelestov, A. Sidorenko, V. Pasechnik, S. Skakun, Y. Veremeyenko and N. Levchenko, Multi-Agent Security System based on Neural Network Model of User's Behavior, International Journal Information Theories & Applications, Vol. 10, 2003, pp. 184–188.
[7] L. Vokorokos, A. Balaz and M. Chovanec, Intrusion Detection System using self organizing map, Acta Electrotechnica et Informatica, No. 1, Vol. 6, 2006, ISSN 1335-8243, Faculty of Electrical Engineering and Informatics, Technical University of Kosice.
[8] W. Li, Using Genetic Algorithm for network intrusion detection, in Proc. United States Department of Energy Cyber Security Group Training Conference, Kansas City, Kansas, May 24–27, 2004.
[9] K. Deeter, K. Singh, S. Wilson, L. Filipozzi and S. Vuong, APHIDS: A Mobile Agent-Based Programmable Hybrid Intrusion Detection System, in Mobility Aware Technologies and Applications, LNCS vol. 3284, Springer, Heidelberg, 2004, pp. 244–253.
[10] R. Ando, Y. Kadobayashi and Y. Shinoda, Asynchronous Pseudo Physical Memory Snapshot and Forensics on Paravirtualized VMM Using Split Kernel Module, in ICISC 2007, The 10th International Conference on Information Security and Cryptology, Seoul, Korea, Nov. 29–30, 2007.
[11] M. J. Ranum, Experiences Benchmarking Intrusion Detection Systems, NFR Security, December 2001.
[12] V. Honavar, L. Miller and J. S. K. Wong, Distributed knowledge networks, in Proceedings, IEEE Information Technology Conference, Syracuse, NY, USA, September 1998, pp. 87–90.
[13] K. Ghedira, MASC : une approche Multi-Agents de problèmes de Satisfaction de Contraintes, 1993.
[14] D. B. Lange and M. Oshima, Seven Good Reasons for Mobile Agents, Communications of the ACM, 42(3):88, March 1999.
[15] S. Kumar and E. Spafford, A Software Architecture to Support Misuse Intrusion Detection, Department of Computer Sciences, Purdue University, March 1995.
[16] J. T. Bordogna, D. E. Brown and J. H. Conklin, Design and Implementation of an Automated Anomaly Detection System for Crime, in Systems and Information Engineering Design Symposium, SIEDS 2007, 27 April 2007.
[17] P. Lingxi, L. Tao, L. Xiaojie, C. Yuefeng, L. Caiming and L. Sunjun, An Immune System-Inspired Paradigm for Anomaly Detection, Journal of Computational and Theoretical Nanoscience, Volume 4, Numbers 7–8, November/December 2007, pp. 1394–1398.
[18] K. Das, Protocol Anomaly Detection for Network-based Intrusion Detection, SANS Institute, 2002.
[19] A. Lazarevic, V. Kumar and J. Srivastava, Intrusion Detection: A Survey, book chapter in Managing Cyber Threats, ISSN 0924-6703, 2006.
[20] F. Gong, Deciphering Detection Techniques: Part II, Anomaly-Based Intrusion Detection, White Paper, McAfee Network Security Technologies Group, March 2003.
[21] V. Kumar, J. Srivastava and A. Lazarevic, Managing Cyber Threats: Issues, Approaches and Challenges, Springer, New York, 2005.
[22] A. Lazarevic, A. Ozgur, L. Ertoz, J. Srivastava and V. Kumar, A comparative study of anomaly detection schemes in network intrusion detection, in Proceedings of the Third SIAM International Conference on Data Mining, 2003.
[23] L. Mariani and F. Pastore, Automated Identification of Failure Causes in System Logs, in Proceedings of the International Symposium on Software Reliability Engineering (ISSRE), IEEE Computer Society, 2008.
[24] S. Hawkins, H. He, G. Williams and R. Baxter, Outlier detection using replicator neural networks, in Proc. of the Fifth Int. Conf. on Data Warehousing and Knowledge Discovery (DaWaK02), 2002.
[25] B. Scholkopf, R. Williamson, A. Smola, J. Shawe-Taylor and J. Platt, Support vector method for novelty detection, in Advances in Neural Information Processing Systems (NIPS), vol. 13, 2000.
[26] H. S. Javitz and A. Valdes, The NIDES Statistical Component: Description and Justification, Technical Report, Computer Science Laboratory, SRI International, Menlo Park, CA, March 1994.
[27] S. Forrest, S. A. Hofmeyr, A. Somayaji and T. A. Longstaff, A Sense of Self for Unix Processes, in Proceedings of the 1996 IEEE Symposium on Security and Privacy, IEEE Computer Society Press, Los Alamitos, CA, 1996, pp. 120–128.
[28] W. Lee, S. J. Stolfo and K. Mok, Data mining in work flow environments: Experiences in intrusion detection, in Proceedings of the 1999 Conference on Knowledge Discovery and Data Mining (KDD-99), 1999.
[29] C. Taylor and J. Alves-Foss, NATE: Network Analysis of Anomalous Traffic Events, A Low Cost Approach, in New Security Paradigms Workshop, 2001.
[30] E. Eskin, A. Arnold, M. Prerau, L. Portnoy and S. Stolfo, A Geometric Framework for Unsupervised Anomaly Detection: Detecting Intrusions in Unlabeled Data, in D. Barbara and S. Jajodia (editors), Applications of Data Mining in Computer Security, Kluwer, 2002.
[31] R. Sekar, A. Gupta, J. Frullo, T. Shanbhag, A. Tiwari, H. Yang and S. Zhou, Specification Based Anomaly Detection: a New Approach for Detecting Network Intrusions, in Proceedings of the ACM Computer and Communications Security Conference, 2002.
[32] R. S. Puttini, Z. Marrakchi and L. Me, A Bayesian Classification Model for Real-Time Intrusion Detection, AIP Conference Proceedings, ISSN 0094-243X, Issue 659, 2003, pp. 150–162.
[33] D. Kim, H.-N. Nguyen, S.-Y. Ohn and J. Park, Fusions of GA and SVM for Anomaly Detection in Intrusion Detection System, in Advances in Neural Networks: Second International Symposium on Neural Networks (ISNN 2005), China, May 2005.
[34] H.-W. Sun, K.-Y. Lam, S.-L. Chung, M. Gu and J.-G. Sun, Grid and Cooperative Computing, Third International Conference, Wuhan, China, October 21–24, 2004.
[35] J. Gao, H. Cheng and P.-N. Tan, A Novel Framework for Incorporating Labeled Examples into Anomaly Detection, in Proceedings of SDM'06: SIAM Int'l Conf. on Data Mining, Bethesda, MD, April 2006.
[36] S. Deshpande, M. Thottan, T. Ho and B. Sikdar, A Statistical Approach to Anomaly Detection in Interdomain Routing, in Proceedings of IEEE BROADNETS, San Jose, CA, 2006.
[37] O. Salem, S. Vaton and A. Gravey, A novel approach for anomaly detection over high-speed networks, EC2ND: European Conference on Computer Network Defense, Heraklion, Greece, October 2007.
[38] D. Tran, W. Ma and D. Sharma, Automated Feature Weighting for Network Anomaly Detection, IJCSNS International Journal of Computer Science and Network Security, Vol. 8, No. 2, pp. 173–178, 2008.
[39] V. A. Siris and F. Papagalou, Application of anomaly detection algorithms for detecting SYN flooding attacks, in Proceedings of the IEEE Global Communications Conference (GLOBECOM), Dallas, TX, November 2004, pp. 2050–2054.
[40] H. Wang, D. Zhang and K. G. Shin, Change-point monitoring for the detection of DoS attacks, IEEE Transactions on Dependable and Secure Computing, vol. 1, no. 4, pp. 193–208, October 2004.
[41] S. Shanbhag and T. Wolf, Massively parallel anomaly detection in online network measurement, in Proceedings of the Seventeenth IEEE International Conference on Computer Communications and Networks (ICCCN), St. Thomas, USVI, August 2008.
[42] N. A. Durgin and P. C. Zhang, Profile-based Adaptive Anomaly Detection for Network Security, Sandia National Laboratories Technical Report SAND2005-7293, November 2005.
[43] A. Cardon, A distributed multiagent system for the self-evaluation of dialogs, in Proceedings of the Joint JSAI 2001 Workshop on New Frontiers in Artificial Intelligence, Springer-Verlag, 2001, pp. 43–50.
[44] CISCO, http://www.cisco.com. Accessed March 2008.
[45] RealSecure, http://www.iss.net. Accessed March 2008.
[46] R. Thom, Stabilité structurelle et morphogenèse, InterEditions, Paris, 1972.
[47] M. Zalewski, Strange attractors and TCP/IP sequence number analysis, 2002, available at http://lcamtuf.coredump.cx/newtcp/. Accessed 20 July 2008.
[48] M. Minsky, The Emotion Machine, Simon and Schuster, New York, ISBN 0-7432-7663-9, 2006.
[49] P. Baquiast and A. Cardon, Entre science et intuition, la conscience artificielle, 2003.
[50] J. C. Campagne and A. Cardon, Artificial emotions for robots using massive multi-agent systems, Social Intelligence Design International Conference, 2003.
[51] A. Cardon and J. C. Campagne, A self-adapting system generating emotion, SID 2005: Social Intelligence Design Workshop, 2005.
[52] F. Barika, N. El Kadhi and K. Ghedira, Intelligent and Mobile Agent for Intrusion Detection System, ICICT 03, Egypt, November 2003.
[53] J. Timofte, Intrusion Detection using Open Source Tools, Informatica Economica Journal, ISSN 1453-1305, pp. 75–79, 2008.
[54] D. Spinellis and D. Gritzalis, Panoptis: intrusion detection using a domain-specific language, Journal of Computer Security, v. 10, n. 1–2, pp. 159–176, 2002.
[55] G. Androulidakis, V. Chatzigiannakis, M. Grammatikou and F. Stamatelopoulos, Network Flow-Based Anomaly Detection of DDoS Attacks, in Proceedings of the Trans-European Research and Education Networking Association (TERENA) 2004, Rhodes, Greece, June 2004.
[56] HPING, http://www.hping.org. Accessed November 2007.
[57] N. El Kadhi and R. Lips, Using Correlation Engine and Mobile Agents for Intrusion Detection System, The 12th WSEAS Conference on Communication, Heraklion, Greece, 2008.
[58] N. El Kadhi, F. Barika and K. Ghedira, Intelligent and Mobile Agent for Intrusion Detection System IMA-IDS, ICICT Conference, Cairo, September 2003.
[59] P. D. Wasserman, Neural Computing: Theory and Practice, Van Nostrand Reinhold, 1989.
[60] JavaNNS, http://www-ra.informatik.uni-tuebingen.de/software/JavaNNS/welcome_e.html.