

www.elsevier.com/locate/comcom

Computer Communications 30 (2007) 2649–2660

An agent based and biological inspired real-time intrusion detection and security model for computer network operations ☆

Azzedine Boukerche a,*, Renato B. Machado b, Kathia R.L. Jucá b, João Bosco M. Sobral b, Mirela S.M.A. Notare c

a Paradise Research Laboratory, University of Ottawa, ON, Canada

b Federal University of Santa Catarina, Brazil

c Barddal University, Brazil

Available online 25 March 2007

Abstract

There is a strong correlation between the human immune system and a computer network security system. The human immune system protects the human body from pathogenic elements in the same way that a computer security system protects the computer from malicious users. This paper presents a novel intrusion detection model based on artificial immune and mobile agent paradigms for network intrusion detection. The construction of the model is based on registries' signature analysis using both Syslog-ng and Logcheck Unix tools. The tasks of monitoring, distributing intrusion detection workload, storing relevant information, and ensuring data persistence and reactivity have been carried out by the mobile agents, which represent the leukocytes of an artificial immune system. Our real-time based intrusion detection and communication model is host-based and adopts the anomaly detection paradigm. We present our intrusion detection model, discuss its implementation, and report on its performance evaluation using real data provided by an Internet Service Provider and a data processing corporation.

© 2007 Published by Elsevier B.V.

Keywords: Artificial immune system; Mobile agent; Computer networks; Intrusion detection model

1. Introduction

With the rapidly changing telecommunications industry and the increasing popularity of computer based applications, a great deal of research has been conducted on the application of biologically inspired techniques and agent based systems to computer communication systems [5,11]. The motivation of this work is to investigate how biologically inspired techniques coupled with a mobile agent technology can be used efficiently to design future generations of intrusion detection systems for computer communication networks.

0140-3664/$ - see front matter © 2007 Published by Elsevier B.V.

doi:10.1016/j.comcom.2007.03.008

☆ This work was partially supported by NSERC, Canada Research Chair Program, Ontario Distinguished Researcher Award, and Early Research Career Award.

* Corresponding author. E-mail address: [email protected] (A. Boukerche).

In this paper, we propose an intrusion detection model for computer communication and network operations that is based upon host-based human immune system and mobile agent paradigms. In order to improve the accuracy of intrusion detection without decreasing the overall performance of a computer network and the functioning of each computer, we propose to distribute the intrusion detection tasks among a number of computer hosts. We have extended our earlier work [11], and developed an artificial human immune system in which B-Cells were implemented within the Mobile Agent Facilities (MAF) as mobile agents and as part of the Common Intrusion Detection Framework (CIDF). In our design, the IDS system generates three groups of data according to the type of the network intrusion detection: attacks, security violations, and security events. These events are analyzed, distributed, and stored using the computational and agent based architecture model. Our proposed IDS system is based upon the anomaly detection paradigm while it continuously monitors activity registries. It has both passive and active post-detection behaviors. AIS [11] modules of our IDS system are installed on the different hosts of a computer network, thereby allowing the implementation of a distributed detection scheme. We also define a set of agents, which we refer to as an agency, to monitor event files originating from the Logcheck file. This work is an outgrowth of our previous work where an efficient IDS based solely upon an artificial human immune system was presented [11].

The remainder of this paper is organized as follows: Section 2 reviews related work. Section 3 introduces the basic background and terminology used in this paper. Section 4 presents our intrusion detection and communications model. Section 5 reports on the results we have obtained in order to evaluate our proposed IDS system. Section 6 concludes the paper.

2. Previous and related work

Earlier studies have proven that there is a strong correlation between the human immune system and a computer network security system [1,14,20]. The human immune system protects the human body from pathogenic elements in the same way that a computer security system protects a computer against attacks by malicious intruders. The immune system consists of a complex network of cells that is responsible for the defense of the human body against attacks from external intruders including bacteria, viruses, and parasites. To accomplish this task, the immune system must be able to distinguish its own molecules and human body cells (identified as self-cells) from foreign molecules (identified as nonself cells). The security policy used by the human immune system is specified mainly by a natural selection phenomenon, whereas the security policy for a computer network takes into account the networking technology, its configuration, and the weaknesses of its policies [20,12].

On the other hand, mobile agent technology, in which agents are dependent only on their execution environment, allows us to combine the desirable characteristics of the system when possible, thereby reducing system integration efforts. Agents, as we shall see later, can be designed as an integral component of an intrusion detection system. They have task-oriented functions and can be updated dynamically.

Intrusion detection is widely known as one of the most important techniques for protecting networks against malicious users and alerting users about unwanted intrusions. Several IDS systems for computer networks have been developed [6,7,9,17,3,11]. They are classified into two categories: network-based and host-based IDS. Network-based ID systems operate on network data flows while host-based ID systems operate on a host to detect unwanted and anomalous activities. While earlier ID systems have used either biologically inspired techniques or mobile agent technology, very little work has been done to combine both the artificial human immune system and mobile agent technology to design efficient intrusion detection systems for computer network operations. Earlier studies on intrusion detection systems include ASAX (Advanced Security Audit Trail Analysis on Unix) [16]; IDA (Intrusion Detection Agents) [2], which is composed of autonomous mobile agents that collect information on unwanted intrusions; and STAT (State Transition Analysis Technique), which uses both artificial intelligence (AI) and expert system technologies [21]. Earlier IDS based upon mobile agents technologies have appeared in [4,10].

Several intrusion detection techniques have been developed in the past and can be divided into the following two categories:

(i) Anomaly detection. This class of techniques assumes that all intrusion activities are necessarily anomalous. This is only possible if we can identify a set of activities that characterizes the normal operations of a system. In this approach, detection occurs by recognizing the changes that have taken place during the operation of the computer network. In a system based on anomaly intrusion detection, the users' activities are monitored and registered during the operation of the computer system [2].

(ii) Misuse detection. This technique is based on the traces left by an attack made against the system while exploiting a system's weaknesses. The intrusion characteristics are collected and scenarios are defined based on the results. The limitation of this technique is that only well-known weaknesses will be observed. Thus, misuse detection is not useful for the detection of future unexpected intrusions and anomalies.

3. Background

Before we proceed further, we wish to present the basic background related to the human immune system, as well as the terminology used in this paper.

3.1. Human immune system

The immune system [1,20,11] is a complex network of organs and cells that is responsible for an organism's defense against alien particles. One of the main features of the immune system is its ability to distinguish between self and nonself molecules. Every cell of the organism possesses molecules in its structure that are identified as self molecules. The molecules that mark cells as self particles are contained in the chromosome sections known as the Major Histocompatibility Complex (MHC). The molecules that constitute alien organisms are characterized as nonself molecules. The organs that compose the immune system are present throughout the entire human body. These organs are referred to as lymphoid organs because they are concerned with the growth, development, and deployment of lymphocytes [20]. B-cells and T-cells are the two major classes of lymphocytes. When an organism is exposed to a disease, B-cells and T-cells are activated. Once the disease has been overcome, some of these cells are able to retain a "memory" of the disease. Thus, when the organism faces the same antigen in another circumstance, the immune system will recognize and destroy it quickly. However, the human immune system has a passive natural immunity, as human beings are protected in the first months of life by antibodies received from their mothers. The IgG antibody, which moves through placenta, makes them immune to any microbes to which the mother is immune. In addition, children receive IgA antibodies from their mothers' breast-milk [20].

The human immune system is capable of detecting and eliminating pathogens, i.e., nonself elements, as quickly as possible. Therefore, it works according to a principle that allows lymphocytes to learn and adapt themselves to specific foreign protein structures, and to "remember" these structures when necessary. These principles are implemented by B-cells. Furthermore, to ensure that at least some of lymphocytes will be able to react to the pathogenic elements, the human body relies on dynamic protection via a continual renewal of diverse lymphocyte receptors.

3.2. Computer network security and the human immune system

Both immune and computer systems share common security concerns. They both aim to protect their respective systems against attacks and intrusions that violate the established security policy. Security policies used by the immune system are specified mainly by natural selection phenomena, and only a few of those aspects are important and known for their computational requirements that meet the security level required [11,12]. These include:

(a) Disposability. This quality allows the human body to continue working even under pathogen's attack;

(b) Correction. This policy identifies the manner of preventing the immune system from attacking its own human cells;

(c) Integrity. This quality provides a guarantee that the genetic codes present in the cells will not be damaged or changed by any pathogens;

(d) Accountability. This feature provides the means adopted by the immune system to identify, find and destroy pathological agents.

Security policies define a set of rules that should be satisfied in order to defend a computer network system against malicious intruders. They serve to detect the violation of rules, or an unauthorized intrusion. They are also able to recognize actions that may result in a violation [2,3]. Preventing all of the possible broken security levels and their violations is practically impossible. However, it is possible to identify violations when they occur in order to be able to take appropriate action to repair potential damage to the security of the computer network.

3.3. Mobile agents

Agents are computational entities that act by delegating tasks to other entities. They are autonomous and can be either reactive or proactive. They are also able to learn when necessary. When an agent moves from one entity to another over a network in order to execute its task, it is known as a mobile agent. Mobile agents constitute an alternative to conventional client-server architecture, combining local interaction with the mobility of code within mobile agents versus the transparency of localization and remote interaction [2].

4. Our proposed intrusion detection system (IDS) model

In this section, we present the main components of our communication and computational model for designing efficient network intrusion detection systems. The proposed model is based upon a combination of mobile agent paradigms and a biologically inspired technique based on the human immune system paradigm. In our model, a sequential analysis of logs registries is used for system auditing and an anomaly detection scheme is used for monitoring purposes. The main features of our IDS model are as follows:

(a) The anomaly detection model. This model makes use of the logs audit tool (Logcheck). It will automatically monitor the targeted system's logs. The anomaly detection model will help classify events as either normal or anomalous activities based on the response obtained from monitoring the services requested.

(b) Distributed agent-based and host-based architecture. In our design, the intrusion detection host-based system is identified by analyzing server activity registries (logs). Since these services may be distributed across the network, the intrusion detection and logs file's analysis must be distributed as well. In our implementation, we choose to use the Syslog-ng tool and the mobile agents approach to distribute the logs registries across the network.

(c) The response generation component. The main idea behind this component is the enhancement of the responses of our IDS model, when an attack occurs. In our design, we have considered two types of responses that will be processed based upon an attempt or an actual network attack and the services that are being monitored. The first passive response is issued from a secure machine and consists of sending an e-mail to alert the network administrator about the presence of intrusive elements. The second active response, which is carried out by a mobile agent, disables the compromised service.

In Fig. 1, we illustrate the main components of our proposed IDS model which includes not only FTP, DNS, HTTP, POP3 and SMTP services, but also the servers that run the logs generation tool (Syslog-ng) that are responsible for acquiring register activities for different servers and services and identifying their corresponding event generation function. The Logcheck tool allows the analysis of the events and the acknowledgment of an intrusion or violation. The last component of our model represents the agents that are responsible for guaranteeing the security and integrity of the logs, data persistence, and the responses to the events that have been generated by the network. In order to meet the standards of the CIDF (Common Intrusion Detection Framework) (i.e., event generation, analysis, storage, responses to generated events), we made use of the logs sequential analysis, network administrators' experiences, and responses to the generation of events, just to mention a few [11].

Fig. 1. Computational and IDS model.

In what follows, we shall discuss the mobile agent architecture component, which is an integral part of our IDS systems. The files resulting from the processing of both Syslog-ng and Logcheck [13,19], as well as the mobile agent system, represent an essential interface to our IDS system design.

4.1. The mobile agents model

The implementation of our mobile agent infrastructure is based on a platform that offers the mechanisms and functionalities necessary to the creation and execution of agents in a distributed environment. Several platforms have already been developed in order to implement mobile agents [2]. In our design, we settle on Grasshopper™, which was developed by IKV Technologies AG [8], because of its security advantages and its Java-2 flexibility compared to previous mobile agent platforms.

In Fig. 2, we illustrate the main components of our agent model, which serves as a platform to monitor the files that are generated by the Logcheck tool [13] and distribute audit registrations to a reliable set of servers. We also provide a mechanism to identify the appropriate actions that must be taken according to the nature of the network attacks and their corresponding events, while also ensuring our agent model's mobility, reliability, and adaptability.

Fig. 2. Main components of the Agent model.

In our design, the main agent class components are defined as follows:

1. The monitoring agents class. These agents are meant to continuously monitor the events generated by the Logcheck tool [13]. In our design, we have defined three different agent instances, where each instance is responsible for one of the following generated files: attack, event, and security violation. These agents also act within a predefined interval in order to verify whether the auditing file has been modified. The generated monitoring agents ensure the delivery agent instance, the data logs, the itinerary to be followed, and the administrators' e-mails. We refer to this process as "cloning the agent process", which represents the creation of new agents with similar characteristics as well as certain additional properties. This process corresponds to the somatic hypermutation of the B-cells (i.e., the cellular division process of the B-cells).

2. The delivery agents class. These agents receive data logs, itineraries and administrators' e-mails. In a normal situation, the delivery agents are ready to go until the first agency of the itinerary which is considered a security scenario. In the first agency, the delivery agency decodes the data logs in order to verify the event type, the affected services, and addresses. The delivery agents will send an email to the system administrator if the event type is interpreted either as a network attack or a network attack attempt. This is done based on previous Logcheck classifications [13]. The delivery agent creates a new agent that is responsible for reacting to these threats. This new agent will be provided with all information that has already been obtained from the auditing data log file. Independently, the delivery agent stores the information decoded from the auditing data logs within the first agency's database. It travels throughout the entire system based on the itinerary it has been given and stores the logs in the database in each place it visits. Upon arrival at the last agency of the itinerary, the agent is removed. The delivery agent's operation defines the work of the reacting agent and how the logs are stored locally in case the agent does not move until the next itinerary agency.

3. The reacting agents class. Similar to the delivery agents, a passive reaction is initiated by sending an email to the administrator and a proactive strategy is defined through mobile agents that implement the characteristics of the reaction. An applied reaction is defined for each of the five monitored services (i.e., DNS, FTP, HTTP, POP3 and SMTP). A reaction procedure is defined as stopping the service being attacked, thereby allowing future administrators' intervention to deal with the security problem. Note that the life of the reacting agent begins with its creation by the delivery agent when an event is interpreted as an attack. Its first activity consists in verifying and identifying which services are suffering from the attack. Thus, if the service is one of the monitored services and has an accessible server, the agent will pursue its path until it reaches the attacked server or station in order to stop the service. Later, the reacting agent will be removed from the system.

4. The persistence agents class. In order to deal with network instability and to guarantee data distribution and data persistence, we must define the persistent agents class. These agents will verify whether there are new data in the local server within a predefined time interval. If there are new data, they will be stored in a local database, since the delivery agent did not move towards its destination agency.

5. The channel of communication SSL (Secure Sockets Layer) [18]. This channel allows agent mobility and communication among the agents while ensuring reliability and fulfilling the integrity requirements of our model.

6. The Database Manager System. This is where each agency (e.g., source and destination) manages the database.
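The agent hand-offs described in items 2 to 4 can be traced with a small simulation. This is an added example, not the paper's Grasshopper implementation: the `Host` and `Report` types, the host names, the administrator address, and the rule that an agent stops at the first unreachable agency are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# The five services the paper lists as monitored.
MONITORED_SERVICES = {"DNS", "FTP", "HTTP", "POP3", "SMTP"}
ADMIN = "admin@example.org"  # constructed address

@dataclass
class Host:
    """A node: an agency on the itinerary or a monitored server (hypothetical type)."""
    name: str
    reachable: bool = True
    database: list = field(default_factory=list)  # stand-in for the agency's DBMS
    running: set = field(default_factory=set)     # services currently up

@dataclass
class Report:
    emails: list = field(default_factory=list)     # passive responses sent
    stopped: list = field(default_factory=list)    # (server, service) pairs disabled
    stored_at: list = field(default_factory=list)  # hosts whose database got the record

def reacting_agent(event, servers, report):
    """Active response: stop the attacked service if it is monitored and reachable."""
    server = servers.get(event["host"])
    if event["service"] not in MONITORED_SERVICES:
        return
    if server is None or not server.reachable:
        return
    if event["service"] in server.running:
        server.running.discard(event["service"])
        report.stopped.append((server.name, event["service"]))

def persistence_agent(origin, event, report):
    """Keep the record in the local database when the delivery agent could not leave."""
    origin.database.append(event)
    report.stored_at.append(origin.name)

def delivery_agent(event, origin, itinerary, servers, admin=ADMIN):
    """Carry one classified event along the itinerary and trigger the responses."""
    report = Report()
    if not itinerary or not itinerary[0].reachable:
        persistence_agent(origin, event, report)
        return report
    # At the first agency the record is decoded and attacks trigger both responses.
    if event["category"] == "attack":
        subject = f"{event['service']} attack on {event['host']}"
        report.emails.append((admin, subject))
        reacting_agent(event, servers, report)
    # Store the record at every agency visited (assumption: stop at the first
    # unreachable one, leaving the copies already stored in place).
    for agency in itinerary:
        if not agency.reachable:
            break
        agency.database.append(event)
        report.stored_at.append(agency.name)
    return report

def run_scenarios():
    """Three constructed cases: FTP attack, attack on an unmonitored service, outage."""
    ftp1 = Host("ftp1", running={"FTP", "SSH"})
    servers = {"ftp1": ftp1}
    sec1, sec2 = Host("sec1"), Host("sec2")
    attack = {"category": "attack", "service": "FTP", "host": "ftp1"}
    other = {"category": "attack", "service": "SSH", "host": "ftp1"}
    violation = {"category": "violation", "service": "FTP", "host": "ftp1"}
    a = delivery_agent(attack, ftp1, [sec1, sec2], servers)
    c = delivery_agent(other, ftp1, [sec1, sec2], servers)
    sec1.reachable = False  # network instability: first agency is down
    b = delivery_agent(violation, ftp1, [sec1, sec2], servers)
    return a, c, b, ftp1

if __name__ == "__main__":
    for rep in run_scenarios()[:3]:
        print(rep)
```
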

4.2. The artificial immune system model

In this section, we will present our artificial human immune system model while highlighting the one-to-one correspondence between human immune concepts and our security and computational model. As we can see in Fig. 3, the skin and mucous membranes and chemical barriers of the immune system can be mapped respectively to the firewall and network services of a computer network system. The innate immune system consists of access control, file permissions, file systems security policies, and activity registration components in a computer network system. Acquiring an immune based system consists of monitoring activities, updating patches, and including mobile agent components within the computer network system.

Fig. 3. Mapping between the computer security and immune system.

4.2.1. The anatomy of the artificial immune system

The innate immune system consists of a combination of both computer and network security procedures. The acquired immune system is implemented by processes that migrate among computers that can be accomplished through mobile agents as described earlier. Each computer corresponds to one of the organs of an organism and each process corresponds to a cell. Some computers can be considered as the thymus for the network in that they select and spread the lymphocyte cells. If the lymphocytes use the process of negative detection, then a centralized server is not necessary to coordinate an answer for a security break. Indeed, lymphocytes can take the necessary action by replying and/or circulating to look for similar problems within the network. However, when an anomaly detection approach is used, an operative process has either been altered or is suffering from an attack. Thus, the lymphocyte process should act by either suspending, terminating, or restarting the operative process. In this approach, the self components can be defined as a set of normal system registrations while nonself components correspond to the registrations observed in an intrusion situation. This approach allows anomalies that are found in a computer network to be eliminated quickly by network components.

4.2.2. Model of the artificial immune system

The artificial immune system uses some of the characteristics of the innate immune system to help responsible cells achieve their tasks within the acquired immune system. The immune system consists of a set of immune cells with computer processes to implement and define a network security scheme. These processes will help detect and elaborate the appropriate immune system answers in addition to the creation of an immune system memory. In our model, each computer host is considered to be an organ processing a cell, thereby allowing the different monitored services to be distributed among different servers [1,20,11]. Thus, all of the servers and services will be exposed to the pathogens, i.e., attacks and security violation events. The initial configuration of the services is part of our innate immune system, while system updates, additional configurations, and security patches act as immune reinforcements (vaccines) and therefore characterize the IgA class of antibodies.

Note that when assisting different users and network connections, the organism should be in contact with both self and nonself antigens that must be recognized by the immune cells. Thus, our system logs and the monitored services by these antigens have been taken into consideration. In the following subsections, we will describe the main activities and properties of the artificial immune system that we used in our system model.

(a) Detection of anomalies. During the use of services, our logs registration system acts as phagocyte cells and macrophages (specialized cells that act as the representatives of antigens that circulate throughout the entire human body by processing and digesting pathogens). As far as logs generation is concerned, it is necessary to configure and define the Syslog-ng filters, which act as MHC class II molecules. These filters select which logs will be moderated so that the line of resulting logs is equal to the compound MHC/peptides, that is, a combination of the MHC gene with antigen components. These MHC/peptides, or logs, are exposed to the phagocyte when the Syslog-ng generates a file with the resulting logs, which are exposed to other analysis tools (i.e., B-cells and T-cells). This process, which is an integral part of the immune system, represents part of the anomaly detection procedure.

(b) Activation of the acquired immune system. After the exposition of the different antigens, the acquired immune system activation phase begins. The first stage consists of T-cells coming into contact with the pathogens through the compound resulting in the MHC/peptides (Syslog-ng logs) that is presented by the macrophages. This phase makes use of a special type of T-cell, known as the T-Helper, which possesses different receivers that allow the identification of the pathogen agent. Identification is achieved through the auditing of the Logcheck file, which is responsible for the main property of the human immune system, i.e., the capacity to distinguish between self and nonself cells. Consequently, the Logcheck file is able to distinguish between attack attempts and malicious actions against a server (or certain services). Logcheck filters activity registrations within a host, generating reports of activities meant to acquire portions of codes that are considered dangerous or suspect. The T-Helper cell (i.e., Logcheck) differentiates the self-event activities from the nonself-event activities based on the following four files:

• Logcheck.hacking. This file is composed of keywords that characterize the T-cell receivers that are capable of recognizing linked antigens in chains of class I MHC. In our computational and security model, these words characterize an intrusive activity (i.e., attacks) to a server(s).

• Logcheck.violations. This file contains keywords that characterize the T-cell receivers that are capable of recognizing antigens associated with molecules of class II MHC. In this case, actions are basically framed to characterize security policy violations.

• Logcheck.ignore. This file contains keywords that characterize T-cell receivers that detect the presence of micro-organisms that are not viewed as policy security violations.

• Logcheck.violations.ignore. This file is composed of keywords that characterize T-cell receivers that detect actions that do not need to be moderated (e.g., antigen self cells), because they would result in a false immunological answer.

The results of the Logcheck analysis are stored in three different files in order to determine security events, security violations, and attacks, respectively. The updating of these files symbolizes the lymphokines (chemical signs) that stimulate the action of other immune cells, e.g., B-cells, which are responsible for the construction of immune answers through the creation of antibodies.
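The four-file keyword triage described above can be sketched as follows. This is an added example, not the Logcheck script or the authors' code: the keyword lists, the program-to-service mapping, the sample log lines, and the rule that each line lands in only its most severe category are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed stand-ins for the four Logcheck keyword files (not the paper's lists).
HACKING = [r"vrfy root", r"expn root", r"attackalert"]
VIOLATIONS = [r"refused", r"failure", r"unapproved", r"denied"]
VIOLATIONS_IGNORE = [r"stat=Deferred"]
IGNORE = [r"stat=Sent", r"session opened for user"]

# Assumed mapping from syslog program name to the five monitored services.
SERVICE_OF = {"named": "DNS", "ftpd": "FTP", "httpd": "HTTP",
              "ipop3d": "POP3", "sendmail": "SMTP"}

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"(?P<prog>[\w./-]+)(?:\[\d+\])?:\s(?P<msg>.*)$")

# Constructed sample input in classic syslog format.
SAMPLE_LOG = [
    "Mar 25 10:01:02 ftp1 ftpd[311]: FTP LOGIN REFUSED FROM 192.0.2.10, root",
    "Mar 25 10:01:09 mail1 sendmail[877]: IDENT:probe@192.0.2.44: VRFY root [rejected]",
    "Mar 25 10:02:11 mail1 sendmail[880]: h2PA2Bq1: to=<a@example.org>, stat=Sent",
    "Mar 25 10:02:30 mail1 sendmail[881]: h2PA2Cq2: connection refused by mx.example.net, stat=Deferred",
    "Mar 25 10:03:00 dns1 named[120]: unapproved AXFR from [192.0.2.77].1042 for example.org",
    "Mar 25 10:03:40 www1 httpd[900]: caught SIGTERM, shutting down",
    "Mar 25 10:04:00 pop1 ipop3d[55]: Login failure user=bob host=[192.0.2.10]",
    "-- MARK --",
]

def _hit(patterns, text, flags=0):
    """True if any keyword pattern occurs in the message."""
    return any(re.search(p, text, flags) for p in patterns)

def classify(msg):
    """Return 'attack', 'violation', 'event', or None for an ignored (self) line."""
    if _hit(HACKING, msg, re.I):
        return "attack"
    # A violation keyword counts only if no violations.ignore keyword cancels it.
    if _hit(VIOLATIONS, msg, re.I) and not _hit(VIOLATIONS_IGNORE, msg):
        return "violation"
    if _hit(IGNORE, msg):
        return None
    # Anything not explicitly ignored is reported as a security event.
    return "event"

def triage(lines):
    """Split raw syslog lines into the three result groups, plus unparsed lines."""
    report = defaultdict(list)
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            report["unparsed"].append(line)
            continue
        category = classify(m["msg"])
        if category:
            report[category].append({
                "host": m["host"],
                "service": SERVICE_OF.get(m["prog"], "other"),
                "message": m["msg"],
            })
    return dict(report)

if __name__ == "__main__":
    for category, records in triage(SAMPLE_LOG).items():
        print(category, len(records))
```

The deferred-mail line shows why the fourth file matters: it contains the violation keyword "refused" but is demoted to a plain event because a violations.ignore pattern also matches.
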

(c) B-cells activation – mobile agents. In our security model, B-cells are implemented through agents with different responsibilities. Monitoring agents periodically verify the occurrence of new Logcheck events, which characterize different B-cell receivers, and thereby recognize antigen parts. When activated, B-cells (monitoring agents) produce many copies of themselves (i.e., clones that are produced through cellular division). A computational process is also implemented for the monitoring agents when these come into contact with antigens (i.e., log violation). The cells are themselves cloned in the delivery mobile agents (i.e., mutation in which the monitoring agent begins to use its mobile capability). The mutation process will still generate other B-cells, which are known as memory cells, in order to store information concerning the antigen in order to return the fastest answer for future exposition to the same antigen. In our model, these memory cells are implemented by the MySQL database, where all of the related attack information, events and security violations are stored.

In order to start the MySQL process, the database needs to be present in several machines. Mobile agents (i.e., plasma cells) should be responsible for taking this information to all areas of the human body (i.e., the computer network system).

(d) Immune system’s answers. To improve the efficiency of our model, we have defined certain reactivity patterns, which may be expanded and diversified in the future. As outlined in Figs. 1 and 2, in our delivery mobile agent model, which classifies an event as an attack attempt, three defense approaches (antibodies) have been designed:

• In the first approach, which we refer to as an active answer, the delivery mobile agent (i.e., plasma cell) creates a number of instances of mobile reactive agents (i.e., antibodies), which will move to the server that is being attacked so that the service that provides the connection can be terminated without damaging the network and the operation of its services.

• In the second mechanism, which we refer to as a passive answer, the mobile agents starting from a security computer send e-mails about the security events. This process can be viewed as different antibodies belonging to the immunoglobulin IgM. In the human immune system, these antibodies remain in the blood flow and are effective in combating bacteria. This approach can be associated with a specialized reaction taken by a network security specialist.

• A third reaction form, which we classify as a passive reaction, generates administrative reports in which the network administrator determines what information must be recovered from the database (i.e., immunological memory), which contains all information concerning the nonself events. This mechanism is similar to the immunoglobulin IgD, that is present inside the B-cells, which in turn regulate cell activation. This objective can be reached through the administrator’s analysis, which can detect corrections to be made within the defined security policies.

5. Experimental results

In this section, we present the different classes of experiments we have carried out to evaluate the performance of our model using two realistic environments, a data processing company and an Internet Service Provider. In the course of our experiments, we chose to use system tools for detection and log analysis (Syslog-ng [19] and Logcheck [13]). This is mainly due to the flexibility of these programs, which are meant to ensure that the requirements of our model and system design are met. The Grasshopper mobile agents represent an essential framework in the implementation of our architecture.

The first set of experiments was designed to evaluate the performance variation of our agent-based model using two different well-known communication models, i.e., socket and socket-SSL. In our experiments, we have considered the variation of agent size, including the total time of transmission in the network using different bandwidths, i.e., Ethernet 10 Mbps, Ethernet 100 Mbps and Ethernet 1000 Mbps. For each network scenario, we have varied the sizes of the agent’s segment from 0 KB to 2000 KB. The experiments that we carried out consist of registering the agents’ transmission time between two computers using the Cartesian product between agent size and network speed.

Let us now turn to our results.

Fig. 4. Agent performance in a channel without SSL.

• Agent performance with the socket communication model: In Fig. 4, we portray agent transmission performance varying agent sizes and network speeds using a socket without SSL as a communication model. As one can see, our results indicate that agent performance is not entirely linear, as Ethernet 100 Mbps and 1000 Mbps networks indicate similar performance for agent transmission, while 10 Mbps exhibits similar behavior in the initial segments and then deteriorates significantly. In order to prove these observations, we have chosen to apply the Kruskal–Wallis statistic method with Dunn’s post-test for the groups of results obtained within the interval [0 KB, 2000 KB] when using several transmission values (10 Mbps, 100 Mbps and 1000 Mbps) with a 95% confidence interval. Our results indicate that:

(i) Significant differences were obtained with p-value < 0.001 comparing groups of sizes inside a network of the same speed, where p-value indicates whether the groups are different statistically within a given trusted interval.

(ii) For data segments of the same size on 10 Mbps and 100 Mbps networks, agent segment sizes of 0 KB, 200 KB and 400 KB did not present any significant performance difference (p-value > 0.05). However, significant differences were observed for the other size values (p-value < 0.001).

(iii) In data segments of the same size on 10 Mbps and 1000 Mbps networks, agent segment sizes of 0 KB and 200 KB did not present any significant performance difference (p-value > 0.05). Agents with a segment size of 400 KB, on the other hand, exhibited a significant difference (p-value < 0.01). For all the other data segment sizes, the performance difference was highly significant (p-value < 0.001).

(iv) With data segments of the same size on 100 Mbps and 1000 Mbps networks, all of the groups exhibited similar performance, and the differences were not significant (p-value > 0.05).

Fig. 5. Agent performance in a channel with SSL.

Fig. 7. Agent performance in 1000 Mbps Network.

• Agent performance with the socket-SSL communication model: In Fig. 5, we illustrate the agent transmission performance with varying sizes and network speeds using sockets with SSL as a communication model. The graph presents performance that is similar among 100 Mbps and 1000 Mbps networks for all agents’ data segment sizes. The 10 Mbps network presents similar initial performance to the other two networks, but later does not perform well when compared to the other networks. Using an approach similar to that used in our previous experiments, the Kruskal–Wallis statistic test [15] was used with Dunn’s post-test for the range groups [0–2000 KB] comparing 10 Mbps, 100 Mbps and 1000 Mbps network transmission rates with a confidence interval of 95%. The experimental results we have obtained can be summarized as follows:

(1) All group size comparisons within networks of the same speed exhibit significant differences (p-value < 0.001).

(2) Our results with data segments of the same size on 10 Mbps and 100 Mbps networks, where agent sizes varied from 0 KB, 200 KB, to 400 KB, indicated that there was no significant performance difference (p-value > 0.05). However, significant differences were identified (p-value < 0.001) for the remaining sizes.

(3) Data segments of the same size on the 10 Mbps and 1000 Mbps networks, with agent sizes of 0 KB and 200 KB, did not present any significant performance difference (p-value > 0.05). However, agents with data segments of 400 KB showed a significant performance difference (p-value < 0.01). A highly significant performance difference (p-value < 0.001) was observed for all of the other agent segment sizes.

(4) With data segments of the same size on 100 Mbps and 1000 Mbps networks, similar performance was observed with no significant differences, where the p-value was above 0.05.

Figs. 6 and 7 portray the results we have obtained and facilitate the interpretation of the time transmission variation based upon the communication model used. They illustrate the differences in transmission times and the agent performance differences between the two communication models in each network that was used in our experiments.

Fig. 6. Agent performance in a 100 Mbps Network.

To better understand the similarities and differences obtained in the curves in the graphs, the Kruskal–Wallis statistic method [15] was again applied with Dunn’s post-test for the range groups [0 KB, 2000 KB] comparing the two communication methods (socket and socket-SSL) with a 95% confidence interval. Our results indicate that:

(i) For 10 Mbps networks, the groups (200 KB, 0 KB), (400 KB, 0 KB), (400 KB, 200 KB), (600 KB, 200 KB), (600 KB, 400 KB), (800 KB, 400 KB), (800 KB, 600 KB), (1000 KB, 600 KB), (1000 KB, 800 KB), (1200 KB, 800 KB), (1200 KB, 1000 KB), (1400 KB, 1000 KB), (1400 KB, 1200 KB), (1600 KB, 1200 KB), (1800 KB, 1400 KB), (2000 KB, 1400 KB) and (2000 KB, 1600 KB) did not exhibit any significant performance differences, with a p-value above 0.05, where the (X, Y) pair Group refers to X as the size of the segment of data using the socket method and Y as the size of the segment of data using the socket-SSL method.

(ii) In a 100 Mbps network, the groups (400 KB, 0 KB), (600 KB, 200 KB), (800 KB, 400 KB), (1000 KB, 600 KB), (1200 KB, 800 KB), (1400 KB, 1000 KB), (1600 KB, 1200 KB), (1800 KB, 1200 KB) and (2000 KB, 1400 KB) did not present a significant performance difference amongst themselves, where the p-value was higher than 0.05, and the (X, Y) pair Group refers to X as the size of the segment of data using the socket method and Y as the size of the segment of data using the socket-SSL method.

(iii) For 1000 Mbps networks, the groups (400, 0), (600, 0), (600, 200), (800, 400), (1000, 600), (1200, 800), (1400, 1000), (1600, 1200), (1800, 1200) and (2000, 1400) did not present significant differences, where the p-value > 0.05 and the (X, Y) pair Group refers to X as the size of the segment of data using the socket method and Y as the size of the segment of data using the socket-SSL method.

In our next set of experiments, we investigated the performance of our human immune model using both a data processing company and an Internet Service Provider (ISP). These two distinct environments have different security policies, user profiles, and services, just to mention a few differences, and might prove to be very useful in our experimental studies.

Let us now turn to the results of our next set of experiments.

• Normal and anomalous events. In our experiments, we make use of both software tools (Syslog-ng and Logcheck) in order to classify the type of the events as either normal or anomalous. Tables 1 and 2 display the normal events, anomalous events, total of reported events, and percentage of anomalies we have obtained using our intrusion detection model for both the ISP and the data processing company on a monthly basis. The total number of reported events represents the total number of activities that are collected by Syslog-ng. Anomalous events were filtered using the Logcheck tool, while normal events were registered by the Syslog-ng tool and were classified as normal by the Logcheck tool. The percentage of anomalies represents the impact of the activities that are classified as anomalous with respect to the total number of reported events.

As we can see from Tables 1 and 2, the environment is very vulnerable to malicious events and intruders when we use the ISP data. The percentage of anomalous events observed in the system varies from 4.63 to 74.64 with an average percentage of 8.60. We also notice that in the months of May and June, a smaller percentage of anomalies was obtained compared to other months. With the data processing company, the percentage of anomalies obtained was more uniform throughout the entire monitoring period when compared to the ISP results. These percentages vary from 46.39 to 55.65, with an average percentage of 53.17.

Table 1. Normal and anomalous events – ISP

| Month | Normal events | Anomalous events | Total Nbr of events | % Anomaly |
|---|---|---|---|---|
| March | 36,427 | 107,226 | 143,653 | 74.64 |
| April | 472,413 | 289,776 | 762,189 | 38.02 |
| May | 26,448,702 | 1,282,590 | 27,731,292 | 4.63 |
| June | 27,535,313 | 3,444,785 | 30,980,098 | 11.12 |
| Total | 54,492,855 | 5,124,377 | 59,617,232 | 8.60 |

Table 2. Normal and anomalous events – Data Processing Co.

| Month | Normal events | Anomalous events | Total Nbr events | % Anomaly |
|---|---|---|---|---|
| December | 5,097,642 | 4,411,987 | 9,509,629 | 46.39 |
| January | 6,358,250 | 7,719,349 | 14,077,599 | 54.83 |
| February | 7,226,472 | 8,248,814 | 15,475,286 | 53.30 |
| March | 6,587,265 | 8,265,999 | 14,853,264 | 55.65 |
| Total | 25,269,629 | 28,646,149 | 53,915,778 | 53.13 |

• False positive events. Recall that the events classified as false positives are not considered as intrusions, but rather as anomalous events. In our intrusion detection model, the users’ registries belong to the activity set that is defined as security events by the Logcheck tool. Thus, a classification of false positives is highly correlated to an adequate configuration of the Logcheck wordlist that identifies these security events. Tables 3 and 4 display the monthly number of events that have been classified as false positives, as well as the total number of anomalous events, the total number of reported events, and the percentage of false positives among the anomalous events for both the ISP and the data processing company test cases.

According to the data we have presented, the index of false positive events varies from 60.90% to 85.76% when we use the ISP test case with an average percentage of approximately 80.82% during the monitored period. However, when using the data processing company environment, the index of false positive events was quite high, varying from 92.58% to 97.74% with a total index of 94.67%. Note that a significant percentage of false positive events that are related to anomalous events implies that a smaller index of true anomalous events can be observed. Consequently, in our design the Logcheck wordlist was configured to increase the number of false positives, thereby minimizing the amount of false negatives.

• True positive events. True positive events represent malicious intruder events and/or anomalous registries where registration activities are identified as attacks and security violations by the Logcheck tool. In Tables 5 and 6, we display the monthly number of events that are classified as true positive events, the total number of anomalous events, the total number of reported events, and the percentage of true positive events among the anomalous events for both the ISP and the data processing company.

Table 3. False positives – ISP

| Month | False positives | Anomalous events | Total Nbr events | % False positives |
|---|---|---|---|---|
| March | 77,111 | 107,226 | 143,653 | 71.91 |
| April | 176,476 | 289,776 | 762,189 | 60.90 |
| May | 933,418 | 1,282,590 | 27,731,292 | 72.78 |
| June | 2,954,366 | 3,444,785 | 30,980,098 | 85.76 |
| Total | 4,141,371 | 5,124,377 | 59,617,232 | 80.82 |

Table 4. False positives – Data Processing Co.

| Month | False positives | Anomalous events | Total Nbr events | % False positives |
|---|---|---|---|---|
| December | 4,283,284 | 4,411,987 | 9,509,629 | 97.08 |
| January | 7,545,212 | 7,719,349 | 14,077,599 | 97.74 |
| February | 7,636,807 | 8,248,814 | 15,475,286 | 92.58 |
| March | 7,653,811 | 8,265,999 | 14,853,264 | 92.59 |
| Total | 27,119,114 | 28,646,149 | 53,915,778 | 94.67 |

Table 5. True positive events – ISP

| Month | True positives | Anomalous events | Total Nbr events | % True positives |
|---|---|---|---|---|
| March | 30,115 | 107,226 | 143,653 | 28.09 |
| April | 113,300 | 289,776 | 762,189 | 39.10 |
| May | 349,172 | 1,282,590 | 27,731,292 | 27.22 |
| June | 490,419 | 3,444,785 | 30,980,098 | 14.24 |
| Total | 983,006 | 5,124,377 | 59,617,232 | 19.18 |

Table 6. True positive events – Data Processing Co.

| Month | True positives | Anomalous events | Total Nbr events | % True positives |
|---|---|---|---|---|
| December | 128,703 | 4,411,987 | 9,509,629 | 2.92 |
| January | 174,137 | 7,719,349 | 14,077,599 | 2.26 |
| February | 612,007 | 8,248,814 | 15,475,286 | 7.42 |
| March | 612,188 | 8,265,999 | 14,853,264 | 7.41 |
| Total | 1,527,035 | 28,646,149 | 53,915,778 | 5.33 |

The results obtained for the true positive events mirror the results obtained for the false positive events. As we can see, the percentage index of false positive events is higher when we use the data processing company test case compared to the ISP one, while the percentage of true positive events in the ISP case is higher (19.18%) than the results obtained from the data processing company test case (5.33%). These results reflect the security policies and the profile of each environment, the ISP being more exposed to external attack attempts than the data processing company.

• True negative events. This category of events is defined by our intrusion detection system as consisting of neither anomalous nor intruder events. Tables 7 and 8 display the results we have obtained for the monthly number of events that are classified as true negative events, the total number of anomalous events, the total number of reported events, and the percentage of true negative events among the total number of reported events. The true negative events correspond to the self events and represent normal situations. Our results indicate a variation of true negative events from 25.36% to 95.37% when we use the ISP test case, with an average of 91.40%. When we use the data processing company test case, we observe that the percentage of true negative events exhibits uniform distribution behavior during the monitored period with a true negative events percentage variation of 44.35% to 53.61% and a percentage average of 46.87%.

Table 7. True negative events – ISP

| Month | True negatives | Anomalous events | Total Nbr events | % True negatives |
|---|---|---|---|---|
| March | 36,427 | 107,226 | 143,653 | 25.36 |
| April | 472,413 | 289,776 | 762,189 | 61.98 |
| May | 26,448,702 | 1,282,590 | 27,731,292 | 95.37 |
| June | 27,535,313 | 3,444,785 | 30,980,098 | 88.88 |
| Total | 54,492,855 | 5,124,377 | 59,617,232 | 91.40 |

Table 8. True negative events – Data Processing Co.

| Month | True negatives | Anomalous events | Total Nbr events | % True negatives |
|---|---|---|---|---|
| December | 5,097,642 | 4,411,987 | 9,509,629 | 53.61 |
| January | 6,358,250 | 7,719,349 | 14,077,599 | 45.17 |
| February | 7,226,472 | 8,248,814 | 15,475,286 | 46.70 |
| March | 6,587,265 | 8,265,999 | 14,853,264 | 44.35 |
| Total | 25,269,629 | 28,646,149 | 53,915,778 | 46.87 |

• False negative events. The classification method used in this case is dependent on the security policies adopted in the environment, users’ rights, and user profiles. Therefore, the intrusion detection process depends on the quality of the Logcheck wordlist initially provided during the configuration process. The results obtained mirror those we obtained for the true negative events.

6. Conclusion

In this paper, we have developed an intrusion detection model based on the human immune system paradigm, and shown how biologically inspired techniques coupled with mobile agent technologies can improve the security of complex computer communication networks, as well as how these techniques can be used efficiently to design future generations of intrusion detection systems for computer communication networks. Our real-time based intrusion detection and communication model is host-based and adopts the anomaly detection paradigm. We have discussed its implementation and reported on its performance evaluation using an extensive set of experiments.

References

[1] S.A. Hofmeyr, S. Forrest, Immunity by design: an artificial immune system, Proceedings of the Genetic and Evolutionary Computation Conference (1999) 1289–1296.

[2] M. Asaka, S. Okazawa, A. Taguchi, S. Goto, A method of tracing intruders by use of mobile agents, in: INET’99, 1999.

[3] J. Beale, J.C. Foster, Snort 2.0 Intrusion Detection, Syngress, 2003.

[4] D. Dasgupta, H. Brian, Mobile security agents for network traffic analysis. 2 (2001) 32–340.

[5] A. Boukerche, K.R.L. Juca, J.B.M. Sobral, M.S.M.A. Notare, An Artificial Immune Based Intrusion Detection Model for Computer and Telecommunication Systems, Parallel Computing 30 (5) (2004) 629–646.

[6] R. Lippmann et al., Evaluating intrusion detection system: the 1998 DARPA off-line intrusion detection evaluation, Proceedings of DARPA Information Survivability Conference on Exposition II 2 (1999) 12–26.

[7] X. Guan, Y. Yang, J. You, Pom-a mobile agent security model against malicious hosts, 4th Conference on High Performance Computing 2 (2000) 1165–1166.

[8] IKV++ Technologies AG. www.ikv.de.

[9] J. Haines, L. Rossey, R. Lippmann, R. Cunningham, Extending the DARPA off-line intrusion detection evaluations, Proceedings of DARPA Information Survivability Conference Exposition II 1 (2001) 35–45.

[10] G. Helmer, J. Wong, V. Honavar, L. Miller, Lightweight agents for intrusion detection. Technical Report, 2000.

[11] A. Boukerche, K.R.L. Juca, J.B.M. Sobral, M.S.M.A. Notare, Biological inspired based intrusion detection models for mobile telecommunication systems, in: IEEE Proceedings of the Int’l Parallel and Distributed Processing Symposium and Workshops, 2005.

[12] J. Kim, P. Bentley, Evaluating negative selection in an artificial immune system for network intrusion detection, in: Proceedings of the Genetic and Evolutionary Computation Conference, pp. 1330–1337, 2001.

[13] Central loghost mini how to. http://www.campin.net/newlog-check.html#newlogcheck/, May 2004.

[14] R.B. Machado, A. Boukerche, J.B.M. Sobral, K.R.L. Juca, M.S.M.A. Notare, A hybrid artificial immune and mobile agent intrusion detection based model for computer network operations. International Parallel and Distributed Processing Symposium, 2005.

[15] D.C. Montgomery, Design and Analysis of Experiments, fifth ed., John Wiley & Sons, Inc., New York, NY, 2001.

[16] A. Mounji, B. Le Charlier, Continuous assessment of a unix configuration integrating intrusion detection and configuration analysis, 1997.

[17] D.G. Schwartz, S. Stoecklin, E. Yilmaz, A case-based approach to network intrusion detection. Fifth International Conference on Information Fusion, pp. 1084–1089, July 2002.

[18] SSL 3.0 specification. http://www.netscape.com, 2004.

[19] syslog-ng reference manual. http://www.balabit.com/products/syslog_ng/reference/book1.html, 2004, 1102.

[20] J.I. Timmis, Artificial immune systems: a novel data analysis technique inspired by the immune network theory, PhD Thesis, University of Wales – September 2001.

[21] G. Vigna, S. Eckmann, R. Kemmerer, The stat tool suite, 2000.

Azzedine Boukerche is a Full Professor and holds a Canada Research Chair position at the University of Ottawa. He is the Founding Director of PARADISE Research Laboratory at Ottawa. Prior to this, he held a Faculty position at the University of North Texas, USA, and he was working as a Senior Scientist at the Simulation Sciences Division, Metron Corporation located in San Diego. He was also employed as a Faculty at the School of Computer Science McGill University, and taught at Polytechnic of Montreal. He spent a year at the JPL/NASA-California Institute of Technology where he contributed to a project centered about the specification and verification of the software used to control interplanetary spacecraft operated by JPL/NASA Laboratory.

His current research interests include wireless security, wireless ad hoc and sensor networks, wireless networks, mobile and pervasive computing, wireless multimedia, QoS service provisioning, performance evaluation and modeling of large-scale distributed systems, distributed computing, large-scale distributed interactive simulation, and parallel discrete event simulation. Dr. Boukerche has published several research papers in these areas. He was the recipient of the Best Research Paper Award at IEEE/ACM PADS’97 and ACM MobiWac 2006, and the recipient of the 3rd National Award for Telecommunication Software 1999 for his work on a distributed security system on mobile phone operations, and has been nominated for the best paper award at the IEEE/ACM PADS’99, ACM MSWiM 2001.

Dr. A. Boukerche is a holder of an Ontario Early Research Excellence Award (previously known as Premier of Ontario Research Excellence Award), Ontario Distinguished Researcher Award, and Glinski Research Excellence Award. He is a Co-Founder of QShine Int’l Conference, on Quality of Service for Wireless/Wired Heterogeneous Networks (QShine 2004), served as a General Chair for the 8th ACM/IEEE Symposium on modeling, analysis and simulation of wireless and mobile systems, and the 9th ACM/IEEE Symposium on distributed simulation and real time application, a Program Chair for ACM Workshop on QoS and Security for Wireless and Mobile networks, ACM/IFIPS Europar 2002 Conference, IEEE/SCS Annual Simulation Symposium ANNS 2002, ACM WWW’02, IEEE MWCN 2002, IEEE/ACM MASCOTS 2002, IEEE Wireless Local Networks WLN 03-04; IEEE WMAN 04-05, ACM MSWiM 98-99, and TPC member of numerous IEEE and ACM sponsored conferences. He served as a Guest Editor for the Journal of Parallel and Distributed Computing (JPDC) (Special Issue for Routing for mobile Ad hoc, Special Issue for wireless communication and mobile computing, Special Issue for mobile ad hoc networking and computing), and ACM/Kluwer Wireless Networks and ACM/Kluwer Mobile Networks Applications, and the Journal of Wireless Communication and Mobile Computing.

He serves as Vice General Chair for the 3rd IEEE Distributed Computing for Sensor Networks (DCOSS) Conference 2007, and as Program Co-Chair for Globecom 2007 and 2008 Symposium on Wireless Ad Hoc and Sensor Networks. Dr. A. Boukerche serves as an Associate Editor for IEEE Transactions on Parallel and Distributed Systems, IEEE Wireless Communication Magazine, ACM/Kluwer Wireless Networks, Wiley Int’l Journal of Wireless Communication and Mobile Computing, the Journal of Parallel and Distributed Computing, and the SCS Transactions on simulation. He also serves as a Steering Committee Chair for the ACM Modeling, Analysis and Simulation for Wireless and Mobile Systems Symposium, the ACM Workshop on Performance Evaluation of Wireless Ad Hoc, Sensor, and Ubiquitous Networks and the IEEE Distributed Simulation and Real-Time Applications Symposium (DS-RT).

Renato B. Machado is a M.Sc. Student at the Federal University of Santa Catarina. His research areas of interest are Security for Wireless Ad hoc and Sensor Networks.

Kathia R.L. Juca received her M.Sc. degree from the Federal University of Santa Catarina, and is pursuing her Ph.D. Degree at UFSC. Her research areas of interest are Security for Wireless Ad hoc and Sensor Networks and Distributed Systems.

Joao Bosco M. Sobral is a Professor at the Federal University of Santa Catarina. He has been the General Chair of I2TS 2006 and 2007, and served in several Int’l conferences. His research areas of expertise are Distributed Systems, Mobile and Distributed Computing and Network Security.

Mirela S.M. Annoni Notare is a Faculty member and Professor at Barddal University, Brazil. She is also the Program Coordinator of the Bacharelado/Curso em Sistemas de Informacao at Barddal University, Brazil. She received her M.Sc. and Ph.D. degrees from the Federal University of Santa Catarina (UFSC) in 1995 and 2000, respectively, and a B.Sc. Degree from Passo Fundo University in 1989, all in Computer Science. Her main research interests focus on the proposition of security management solutions for wireless telecommunication networks. Dr. Mirela Notare has published widely in these areas. She has been the Guest editor of the Journal of Parallel and Distributed Computing, Wiley Int’l Wireless Communication and Mobile Computing. She also served as Program Chair for the ACM International Workshop on Quality of Service and Security for Mobile Networks, and the IEEE P2MNet 2006 and 2007 Workshop (held jointly with IEEE LCN Conference).

She has also received several awards and citations, such as National Award for Telecommunication Software, INRIA and TV Globo. She has been a committee member in several scientific conferences, including ACM MSWiM, IEEE/ACM/SCS ANNSS and IEEE/ACM MASCOTS. She is the Founder and President of STS Co. and a Senior Member of IEEE, SBrT and SBC societies.