A multi-agent based system for intrusion detection - IEEE Xplore

The majority of threats on Transmission Control Protocol/Internet Protocol (TCP/IP) networks come from a small number of security flaws. According to a study by Northcutt et al., system administrators report that they have not corrected these flaws because they do not know which ones are the most dangerous. One critical networking security application is the intrusion detection system (IDS). Intrusion detection can be defined as identifying individuals who are using a computer system without authorization and those who have legitimate access to the system but are abusing their privileges. An intrusion detection system should be fast enough to catch different types of intruders before harm is done. The IDS is a computer program that attempts to perform intrusion detection with one or both of two approaches: a rule-based approach and an anomaly-based approach. A rule-based IDS searches for attack signatures in the network traffic; an anomaly-based IDS searches for abnormal behavior in the network traffic. Intrusion detection systems can also be classified as host-based or network-based. Host-based IDSs base their decisions on information obtained from a single host, whereas network-based IDSs obtain data by monitoring the traffic of the entire connected network, according to Balasubramaniyan et al. As a result, the IDS has become a cornerstone in the arsenal of security mechanisms: with an IDS, system administrators do not have to decide which security flaws are the most dangerous, because the IDS monitors the network traffic and decides for them. This article describes a framework for intrusion detection using agent-based technology. Agents are ideally qualified for this task because of their reactivity, interactivity, autonomy and intelligence. The system discussed is implemented in a TCP/IP LAN (Local Area Network) environment. It represents a step towards a complete multi-agent based system for networking security.

A multi-agent based system for intrusion detection

Islam M. Hegazy, Taha Al-Arif, Zaki T. Fayed and Hossam M. Faheem

0278-6648/03/$17.00 © 2003 IEEE

Agents

The agent is a program module that functions continuously in a particular environment. It is able to carry out activities in a flexible and intelligent manner that is responsive to changes in the environment. An agent is able to learn from its experiences. The agent is autonomous: it takes actions based on its built-in knowledge and its past experiences. Agents can be classified into four categories: 1) simple reflex agents, 2) agents that keep track of the world, 3) goal-based agents and 4) utility-based agents. Simple reflex agents perceive the input from their environment and interpret it into a state that matches their rules. Agents that keep track of the world maintain an internal state of past inputs, because their actions need to occur in correlation with the past states and the new state. Goal-based agents need to know some information about their goals, because the percepts (impressions of the object obtained using the senses) do not provide enough information to determine the action to be taken. Sometimes knowing the goals is not sufficient for the agents to take the right action, especially when there are conflicting goals. As a result, utility-based agents map the percept states into numbers that determine how closely the goals were achieved. A multi-agent system is a system that consists of multiple agents that can interact together to learn or to exchange experiences. To be flexible, the agents should achieve reactivity, proactiveness and social ability. Reactivity means the agent can perceive its environment and respond, in a timely fashion, to changes that occur in order to satisfy its design objectives. Proactiveness means that the agent is able to exhibit goal-directed behavior by taking the initiative in order to satisfy its design objectives. Social ability means that the agent can interact with other agents in order to satisfy its design objectives. The IDS consists of several agents working together. Since the attacks change every day, the signatures also change. Thus, the agents must be able to learn the new signatures or detect the abnormal traffic resulting from the new attacks.

IEEE POTENTIALS
OCTOBER/NOVEMBER 2003

For this article, three kinds of attacks were modeled: the Denial of Service (DoS) attack, the ping sweep attack and the secure coded document theft. A DoS attack targets a service so that it is not available for use by legitimate users. Ping sweep is a pre-attack methodology that finds the online hosts to attack later on. The secure coded document theft is when an unauthorized person reads a "secure" document. Building the IDS using agent technology has several advantages. First, agents can be added to or removed from the system without altering other system components, because they run independently. Second, agents can be reconfigured or upgraded to newer versions without disturbing the rest of the system (as long as their external interface remains the same). Lastly, an agent may be a member of a group of agents that perform different simple functions; since they can exchange information, they can derive more complex results than any one of them could obtain on its own, according to Balasubramaniyan et al.

Multi-agent system framework

The proposed intrusion detection system has four main modules (Fig. 1): the sniffing module, the analysis module, the decision module and the reporting module. The sniffing module is responsible for gathering packets from the network. The analysis module is responsible for analyzing the packets. The decision module is responsible for taking actions relevant to the severity of the detected attack. The reporting module generates reports and logs.

Fig. 1 System modules: the sniffing module (sniffer agent); the analysis module (denial of service, ping sweep and secure code analysis agents); the decision module (denial of service, ping sweep and secure code decision agents); the reporting module (logging agent and alert generator agent).

The sniffing agent can be implemented as a simple reflex agent; that is, it listens to the network line and gives out the TCP/IP packets only. The analysis agent can be implemented as an agent that keeps track of the environment, because some analysis will require looking at past packets. The decision agent can be implemented as a goal-based agent or a utility-based agent, because it has to know the goals of the system to make the appropriate decisions. The alert agent can be implemented as a simple reflex agent, because it does not need to know anything about the past or the goals: it just gives out reports or logs. Table 1 describes the type of each agent, its input and its output.

Agent structure

Although object-oriented programming techniques have been utilized for several artificial intelligence (AI) applications, agent-based technology is ideally qualified to replace them for several reasons. Among them:
• Objects decide for themselves whether or not to execute an action; agents decide whether or not to execute an action upon request from another agent.
• Agents have flexible behavior, while the standard object model has nothing to say about such types of behavior.
• A multi-agent system is multithreaded, where each agent has at least one thread of control; the standard object model has a single thread of control in the system.

The sniffing agent is the first agent to work in the system. As shown in Fig. 2, it connects to the network and begins to read the packets moving around. It has a buffer to hold the packet information required by the other agents. The sniffing agent reads a packet; if there is free space in the buffer, the agent adds the packet to the buffer. If the analysis agent requests new data, the sniffing agent sends the data in the buffer. The sniffing agent continues to work until the user stops the system.

Fig. 2 Sniffing agent flowchart: connect to the network line; while the buffer is not full, read a packet and add it to the buffer if its protocol is TCP or ICMP; when data is requested by the analysis agents, send the buffer and inform the analysis agent of new data.

The analysis agent, as shown in Fig. 3, requests the buffer from the sniffing agent. It builds a list of suspicious packets: it searches through the buffer for signatures of attacks and, if there is a known signature, puts the packet into the list. When it finishes searching the buffer, it waits until the complementary decision agent requests the list of suspect packets.

Fig. 3 Analysis agent flowchart: request data from the sniffer agent; once new data has arrived, search each packet for a signature and add the packet to the suspect list if an attack exists; when the buffer is empty and the decision agent requests data, send the packets and the suspect list to the decision agent and inform it of new data.

The decision agent starts working by requesting the data and the list of suspect packets from its complementary analysis agent (Fig. 4). The decision agent then calculates the severity of the attack and takes the necessary action according to the level of severity. The agent also makes a list of the decisions taken. A severe attack causes the agent to disconnect the attacker and to send an alert to the system administrator; otherwise, the agent may only send an alert to the system administrator. Decisions and alerts are then forwarded to the alert generator agent. The decision agent forwards the list of suspect packets as well as the data when requested by the logging agent.

Fig. 4 Decision agent flowchart: request data from the analysis agent; once data has arrived, calculate the severity; if the attack is severe, take the appropriate action; when the reporting agents request data, send the decision and the packets to them.

The logging agent, as shown in Fig. 5, opens the log file and requests the buffer and the list of suspect packets from the decision agents. The logging agent then writes the buffer into the log file, indicating the suspicious packets. If the decision agent has no suspect packets, the logging agent writes the packet information into the log file without any alert message. The logging agent terminates when the user stops the system; consequently, it closes the log file.

Fig. 5 Logging agent flowchart: open the log file; when new data arrives, receive it from the decision agents and write the packets, indicating the suspicious ones together with the decision taken.

When the alert generator receives the decisions' list, it sends an alert to the system administrator. This alert can be a message on the screen, a message to a centralized machine or an alert file. The alert generator terminates when the user stops the system (Fig. 6).

System operation

The sniffing module, with its agent, perceives the network traffic passing through the host and gives out the TCP/IP and Internet Control Message Protocol (ICMP) packets. The free packet capture library, winpcap, is utilized. The DoS analysis agent searches for DoS signatures in the packets: for example, the land attack, where the source address and the destination address are the same, or the Xmas tree attack, where the control bits are all set. The ping sweep analysis agent searches for the ping sweep attack signature, where one source address floods many destination addresses with certain packets to discover the online hosts to attack. The secure code analysis agent searches for a secret code in the data portion of the packets, to see whether or not the source address is authorized to read the document. The analysis agents perceive the TCP/IP packet fields, analyze them and give out their analysis. Corresponding decision agents perceive the results of the analysis agents and then start their operations. According to the analysis received from the analysis agents, the decision agents decide which actions to take: that is, whether to disconnect a host or just issue an alert message. The logging agent perceives the TCP/IP fields extracted from the packets and writes them into a log file. The alert generator agent perceives the type of attack and the action taken by the decision agents and writes them into an alert file.
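The signatures the three analysis agents look for, worked through as an added Python example that is not the paper's code: the land and Xmas tree checks are stateless, while the ping sweep check keeps a per-source set of probed destinations, which is why the paper types that agent as one that keeps track of the world. The packets, the secret marker, the authorised-reader list and the sweep threshold are all constructed values assumed for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

ALL_FLAGS = {"URG", "ACK", "PSH", "RST", "SYN", "FIN"}  # all six TCP control bits
SWEEP_THRESHOLD = 5                # assumed tuning value: distinct targets per source
SECRET_CODE = b"SECRET-DOC-0001"   # constructed marker, not a value from the paper
AUTHORISED_READERS = {"10.0.0.5"}  # constructed list of hosts allowed to read it

@dataclass
class Packet:                        # only the fields the sniffing agent hands on
    proto: str                       # "TCP" or "ICMP"
    src: str
    dst: str
    flags: frozenset = frozenset()   # TCP control bits that are set
    icmp_type: int = 0               # 8 = ICMP echo request
    payload: bytes = b""

def dos_signatures(pkt):             # DoS agent: stateless, per-packet checks
    checks = {"land": pkt.src == pkt.dst,                                  # source == destination
              "xmas-tree": pkt.proto == "TCP" and pkt.flags == ALL_FLAGS}  # every control bit set
    return [name for name, hit in checks.items() if hit]

class PingSweepAnalyzer:
    """Ping sweep agent keeps track of the world: one source probing many hosts."""
    def __init__(self):
        self.targets = defaultdict(set)   # source -> distinct echo-request targets
    def observe(self, pkt):
        if pkt.proto != "ICMP" or pkt.icmp_type != 8:
            return False
        self.targets[pkt.src].add(pkt.dst)
        return len(self.targets[pkt.src]) >= SWEEP_THRESHOLD

def secure_code_violation(pkt):
    """Secure code agent: marker in the data portion from an unauthorised reader."""
    return SECRET_CODE in pkt.payload and pkt.src not in AUTHORISED_READERS

def analyse(buffer):
    """Run the analysis agents over the sniffer's buffer; return the suspect list."""
    sweep, suspects = PingSweepAnalyzer(), []
    for i, pkt in enumerate(buffer):
        reasons = dos_signatures(pkt)
        if sweep.observe(pkt):
            reasons.append("ping-sweep")
        if secure_code_violation(pkt):
            reasons.append("secure-code-theft")
        if reasons:
            suspects.append((i, reasons))   # (buffer index, why) for the decision agents
    return suspects

def sample_buffer():                 # constructed traffic standing in for the sniffer's buffer
    pkts = [Packet("TCP", "10.0.0.9", "10.0.0.3", frozenset(ALL_FLAGS)),      # Xmas tree
            Packet("TCP", "10.0.0.3", "10.0.0.3", frozenset({"SYN"})),        # land
            Packet("TCP", "10.0.0.7", "10.0.0.3", frozenset({"ACK"}), payload=b"GET " + SECRET_CODE)]
    return pkts + [Packet("ICMP", "10.0.0.9", f"10.0.0.{n}", icmp_type=8) for n in range(20, 26)]
```

Calling analyse(sample_buffer()) returns [(0, ['xmas-tree']), (1, ['land']), (2, ['secure-code-theft']), (7, ['ping-sweep']), (8, ['ping-sweep'])]; the sweep entries begin at the fifth distinct destination probed by 10.0.0.9, so the earlier echo requests from that source pass through unflagged, as they would with any threshold-based signature.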

Simulation

A simulation of an intrusion detection system that can detect DoS, ping sweep and secure document theft is presented now. Suppose that computer A attacks computer C with the Xmas tree attack and that the multi-agent-based IDS installed on computer B is monitoring the network. The following scenario (Xmas tree attack) will take place (Fig. 7):
1. Computer A attacks computer C with the Xmas tree attack.
2. Computer C receives the defective packets.
3. The IDS running on computer B sniffs the packets on the network and analyzes them. In analyzing all the incoming packets, the multi-agent system discovers that computer C is being attacked with the Xmas tree attack.
4. The IDS initiates an alert and sends a reset packet to the attacker (computer A) to disconnect it from the network.
5. Computer A receives the reset packet and is disconnected so that its attack cannot continue.

Fig. 7 Simulation of an attack: computer A (an insider) sends Xmas tree packets to computer C (steps 1 and 2); computer B, running the IDS, observes them (step 3) and sends reset packets (step 4).

Of course, the detection of the attack is a real-time process, such that the attacker is instantly terminated and an alert is generated on the console of machine B. It is highly recommended that the IDS machine be fully dedicated to the intrusion detection mission. High processing speed (P-IV with 2GHz or higher), large memory (1GB) and a sufficient amount of available disk storage are also highly recommended.

Fig. 6 Alert generator agent flowchart: when new data arrives, receive it from the decision agents and send an alert to the system administrator about the suspicious packets.

Concluding remarks

Agent-oriented techniques are being increasingly used in a range of networking security applications. However, if they are to be part of an intrusion detection system design, it is vital to clarify why they are more suitable than other approaches such as object-oriented programming. This article has sought to justify why agent-oriented approaches are appropriate for developing complex software systems such as an IDS. The internal structure of each agent in the system has been addressed, and a simplified simulation process has been introduced. The framework presented here should be considered a step forward towards a complete multi-agent-based system for networking security.

Table 1 Agents' descriptions

Agent name                  Type                                Percepts                  Output
Sniffing agent              Simple reflex agent                 Network traffic           The TCP packets
Secure code analysis agent  Keeping track of the world agent    The TCP packets           The secure code analysis
DoS analysis agent          Keeping track of the world agent    The TCP packets           The DoS analysis
Ping sweep analysis agent   Keeping track of the world agent    The TCP packets           The ping sweep analysis
Secure code decision agent  Goal-based agent                    The secure code analysis  The secure code decision
DoS decision agent          Goal-based agent                    The DoS analysis          The DoS decision
Ping sweep decision agent   Goal-based agent                    The ping sweep analysis   The ping sweep decision
Logging agent               Simple reflex agent                 The TCP packets           Log file
Alert generator agent       Simple reflex agent                 Decisions                 Alert file

Read more about it

• Gerhard Weiss (2000), Multiagent Systems: A Modern Approach to Distributed Artificial Intelligence. The MIT Press, Cambridge.
• Guy G. Helmer, Johnny S. K. Wong, Vasant Honavar, Les Miller (1998), "Intelligent agents for intrusion detection," In: The IEEE Information Technology Conference, Syracuse, NY, pp. 121-124.
• Jai Sunder Balasubramaniyan, Jose Omar Garcia-Fernandez, David Isacoff, Eugene Spafford, Diego Zamboni (1998), "An architecture for intrusion detection using autonomous agents," In: 14th IEEE Computer Security Applications Conference, Scottsdale, Arizona.
• Marc Dacier (1999), "Intrusion detection vs. detection of errors caused by intentionally malicious faults," In: 29th Annual International Symposium on Fault-Tolerant Computing, Madison, Wisconsin.
• Sami Saydjari (1999), "The detection of novel unseen attacks," In: 29th Annual International Symposium on Fault-Tolerant Computing, Madison, Wisconsin.
• Stephen Northcutt, Judy Novak, Donald McLachlan (2001), Network Intrusion Detection. New Riders, USA.
• Stephen Northcutt, Mark Cooper, Matt Fearnow, Karen Frederic (2001), Intrusion Signatures and Analysis. New Riders, USA.
• Stuart Russell, Peter Norvig (1995), Artificial Intelligence: A Modern Approach. Prentice Hall, New Jersey.
• Teresa F. Lunt (2000), "Foundations of intrusion detection," In: 13th IEEE Computer Security Foundations Workshop, Cambridge.

About the authors

Islam M. Hegazy, Taha Al-Arif, Zaki T. Fayed and Hossam M. Faheem are with the Computer Science Department, Faculty of Computer and Information Sciences, Ain Shams University.

Note: This article in its original format was published in the Conference Proceedings of ISDA03, which was sponsored by the IEEE.