The majority of threats on Transmission Control Protocol/Internet Protocol (TCP/IP) networks come from a small number of security flaws. According to a study by Northcutt et al., system administrators report that they have not corrected these flaws because they do not know which ones are the most dangerous. One critical networking security application is the intrusion detection system (IDS). Intrusion detection can be defined as identifying individuals who are using a computer system without authorization, as well as those who have legitimate access to the system but are abusing their privileges. An intrusion detection system should be fast enough to catch different types of intruders before harm is done. The IDS is a computer program that attempts to perform intrusion detection with two approaches, a rule-based approach and/or an anomaly-based approach. The rule-based IDS searches for attack signatures in the network traffic. The anomaly-based IDS searches for abnormal behavior in the network traffic. Intrusion detection systems can be classified as host-based or network-based. Host-based IDSs base their decisions on information obtained from a single host, whereas network-based IDSs obtain data by monitoring the traffic of information in the entire connected network, according to Balasubramaniyan et al. As a result, the IDS has become a cornerstone in the arsenal of security mechanisms. This is because, with an IDS, system administrators do not have to decide which security flaws are the most dangerous: the IDS monitors the network traffic and decides which are the most dangerous flaws for them. This article describes a framework for intrusion detection using agent-based technology. Agents are ideally qualified due to their reactivity, interactivity, autonomy and intelligence. The system discussed is implemented in a TCP/IP LAN (Local Area Network) environment. It represents a step towards a complete multi-agent based system for networking security.
A multi-agent based system for intrusion detection
Islam M. Hegazy, Taha Al-Arif, Zaki T. Fayed and Hossam M. Faheem
0278-6648/03/$17.00 © 2003 IEEE

Agents

The agent is a program module that functions continuously in a particular environment. It is able to carry out activities in a flexible and intelligent manner that is responsive to changes in the environment. An agent is able to learn from its experiences. The agent is autonomous: it takes actions based on its built-in knowledge and its past experiences. Agents can be classified into four categories: 1) simple reflex agents, 2) agents that keep track of the world, 3) goal-based agents and 4) utility-based agents. Simple reflex agents perceive the input from their environment and interpret it as a state that matches their rules. Agents that keep track of the world maintain an internal state of past inputs, because their actions must be correlated with the past states as well as the new state. Goal-based agents need to know some information about their goals, because the percepts (impressions of objects obtained through the senses) do not provide enough information to determine the action to be taken. Sometimes knowing the goals is not sufficient for the agents to take the right action, especially when there are conflicting goals. As a result, utility-based agents map the percept states into numbers that determine how closely the goals were achieved. A multi-agent system is a system that consists of multiple agents that can interact to learn or to exchange experiences. To be flexible, the agents should achieve reactivity, pro-activeness and social ability. Reactivity means the agent can perceive its environment and respond, in a timely fashion, to changes that occur in order to satisfy its design objectives. Pro-activeness means that the agent is able to exhibit goal-directed behavior by taking the initiative in order to satisfy its design objectives. Social ability means that the agent can interact with other agents in order to satisfy its design objectives. The IDS consists of several agents working together. Since the attacks change every day, the signatures also change.
Thus, the agents must be able to learn the new signatures or detect the abnormal traffic resulting from the new attacks.
IEEE POTENTIALS
For this article, three kinds of attacks were modeled: the Denial of Service (DoS) attack, the ping sweep attack and secure coded document theft. A DoS attack targets a service so that it is not available to legitimate users. Ping sweep is a pre-attack methodology that finds the online hosts to attack later on. Secure coded document theft is when an unauthorized person reads a "secure" document. Building the IDS using agent technology has several advantages. First, agents can be added to or removed from the system without altering other system components, because they run independently. Second, agents can be reconfigured or upgraded to newer versions without disturbing the rest of the system (as long as their external interface remains the same). Lastly, an agent may be a member of a group of agents that perform different simple functions; since they can exchange information, they can derive more complex results than any one of them could obtain on its own, according to Balasubramaniyan et al.
As a simple reflex agent, the sniffing agent listens to the network line and gives out the TCP/IP packets only. The analysis agent can be implemented as an agent that keeps track of the world, because some analysis requires looking at past packets. The decision agent can be implemented as a goal-based or utility-based agent, because it has to know the goals of the system to make the appropriate decisions. The alert agent can be implemented as a simple reflex agent, because it does not need to know anything about the past or the goals: it just gives out reports or logs. Table 1 describes the type of each agent, its input and its output.
The sniffing agent reads a packet and, if there is free space in the buffer, adds it to the buffer. If the analysis agent requests new data, the sniffing agent sends the data in the buffer. The sniffing agent continues to work until the user stops the system. The analysis agent, as shown in Fig. 3, requests the buffer from the sniffing agent. The analysis agent builds a list of suspicious packets: it searches through the buffer for attack signatures, and if it finds a known signature it puts the packet into the list. When it finishes searching the buffer, it waits until its complementary decision agent requests the list of suspect packets.
Agent structure

Although object-oriented programming techniques have been utilized for several artificial intelligence (AI) applications, agent-based technology is ideally qualified to replace them for several reasons. Among them:
• Objects decide for themselves whether or not to execute an action; agents decide whether or not to execute an action upon request from another agent.
Fig. 1 System modules: Sniffing Module (Sniffer Agent); Analysis Module (Denial of service analysis agent, Ping sweep analysis agent, Secure code analysis agent); Decision Module (Denial of service decision agent, Ping sweep decision agent, Secure code decision agent); Reporting Module (Logging Agent, Alert Generator Agent).

Fig. 2 Sniffing agent flowchart (first part): Start; connect to the network line; while the buffer is not full, read a packet; if the packet protocol is TCP or ICMP, add the packet to the buffer; check whether data is requested by the analysis agents.
Multi-agent system framework

The proposed intrusion detection system has four main modules (Fig. 1): the sniffing module, the analysis module, the decision module and the reporting module. The sniffing module is responsible for gathering packets from the network. The analysis module is responsible for analyzing the packets. The decision module is responsible for taking actions appropriate to the severity of the detected attack. The reporting module generates reports and logs. The sniffing agent can be implemented as a simple reflex agent.
OCTOBER/NOVEMBER 2003
• Agents have flexible behavior, while the standard object model has nothing to say about such types of behavior.
• A multi-agent system is multithreaded, where each agent has at least one thread of control; the standard object model has a single thread of control in the system.

The sniffing agent is the first agent to work in the system. As shown in Fig. 2, it connects to the network and begins to read the packets moving around. It has a buffer to hold the packet information required by the other agents.
Fig. 2 Sniffing agent flowchart (final steps): send buffer; inform analysis agent of new data.
The decision agent starts working by requesting the data and the list of suspect packets from its complementary analysis agent (Fig. 4). The decision agent then calculates the severity of the attack and takes the necessary action according to the level of severity.
When the user stops the system, the logging agent terminates and closes the log file. When the alert generator receives the decisions list, it sends an alert to the system administrator. This alert can be a message on the screen, a message to a centralized machine or an alert file. The alert generator terminates when the user stops the system (Fig. 6).
Fig. 3 Analysis agent flowchart (first part): Start; request data from sniffer agent; wait until data has arrived; if the data is new, search for signatures; if an attack exists, add the packet to the suspect list; repeat until the buffer is empty; wait until the decision agent requests data.

System operation
The sniffing module, with its agent, perceives the network traffic passing through the host and gives out the TCP/IP and Internet Control Message Protocol (ICMP) packets. The free packet capture library, WinPcap, is utilized. The DoS analysis agent searches for DoS signatures in the packets: for example, the land attack, where the source address and the destination address are the same, or the Xmas tree attack, where the control bits are all set. The ping sweep analysis agent searches for the ping sweep attack signature.
Fig. 3 Analysis agent flowchart (final steps): send packets and suspect list to decision agent; inform decision agent of new data.

Fig. 4 Decision agent flowchart (first part): Start; request data from analysis agent; wait until data has arrived; calculate severity.
The decision agent also makes a list of the decisions taken. A severe attack causes the agent to disconnect the attacker and send an alert to the system administrator; otherwise, the agent may only send an alert to the system administrator. Decisions and alerts are then forwarded to the alert generator agent. The decision agent forwards the list of suspect packets as well as the data when requested by the logging agent. The logging agent, as shown in Fig. 5, opens the log file and requests the buffer and list of suspect packets from the decision agents. The logging agent then writes the buffer into the log file, indicating the suspicious packets. If the decision agent has no suspect packets, the logging agent writes the packet information into the log file without any alert message. The logging agent terminates when the user stops the system.
Fig. 4 Decision agent flowchart (continued): if the attack is severe, take the appropriate action; when the reporting agents request data, send decision and packets to reporting agents.

Fig. 5 Logging agent flowchart: Start; open log file; receive data from decision agents; write packets and indicate the suspicious ones with the decision taken.
The ping sweep signature is one source address flooding many destination addresses with certain packets to discover the online hosts to attack. The secure code analysis agent searches for a secret code in the data portion of the packets, to see whether the source address is authorized to read the document. The analysis agents perceive the TCP/IP packet fields, analyze them and give out their analysis. Corresponding decision agents perceive the results of the analysis agents and then start their operations. According to the analysis received from the analysis agents, the decision agents decide which actions to take; that is, they decide whether to disconnect a host or just issue an alert message. The logging agent perceives the TCP/IP fields extracted from the packets and writes them into a log file. The alert generator agent perceives the type of attack and the action taken by the decision agents, and writes them into an alert file.
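As an added example (not the authors' code), the analysis, decision and logging agents described above run over a constructed packet buffer: the three signatures named in the text (land, Xmas tree with all control bits set, one source pinging many destinations) are checked, then the decision agent maps each hit to an action. The sweep threshold, the severity map and the packet summary fields are assumptions of this example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Packet summary as the sniffing agent would hand it to the analysis agents.
# Only the fields the page's signatures need are kept; a real deployment would
# fill them from captured frames (the page captures with WinPcap).
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "TCP" or "ICMP": the sniffing agent forwards only these
    tcp_flags: int = 0  # six TCP control bits as a mask: URG ACK PSH RST SYN FIN

XMAS_FLAGS = 0b111111   # all control bits set: the page's Xmas tree signature
SWEEP_THRESHOLD = 5     # assumed: distinct ICMP destinations from one source
# Assumed severity map: the page only says severe attacks are disconnected and
# the rest alerted, and disconnects the Xmas tree attacker in its simulation.
SEVERITY = {"land": "severe", "xmas": "severe", "ping_sweep": "minor"}

def analyze(buffer):
    """Analysis agents: scan the buffer and return (packet, signature) pairs."""
    suspects = []
    icmp_targets = defaultdict(set)  # past-packet state (keeps track of the world)
    for p in buffer:
        if p.src == p.dst:                                   # land attack
            suspects.append((p, "land"))
        if p.proto == "TCP" and p.tcp_flags == XMAS_FLAGS:   # Xmas tree
            suspects.append((p, "xmas"))
        if p.proto == "ICMP":                                # ping sweep
            icmp_targets[p.src].add(p.dst)
            if len(icmp_targets[p.src]) == SWEEP_THRESHOLD:  # report once per source
                suspects.append((p, "ping_sweep"))
    return suspects

def decide(suspects):
    """Decision agent: (attacker, signature, action) per suspect packet."""
    return [(p.src, sig, "disconnect_and_alert" if SEVERITY[sig] == "severe" else "alert")
            for p, sig in suspects]

def log_lines(buffer, suspects):
    """Logging agent: one line per packet, suspicious ones marked with their signatures."""
    marks = {}
    for p, sig in suspects:
        marks.setdefault(p, []).append(sig)
    return [f"{p.proto} {p.src} -> {p.dst}" + (f"  SUSPECT: {','.join(marks[p])}" if p in marks else "")
            for p in buffer]

# Constructed sample buffer (not captured traffic): a land packet, an Xmas tree
# packet, a benign SYN and one host pinging five different destinations.
SAMPLE_BUFFER = [
    Packet("10.0.0.7", "10.0.0.7", "TCP", 0b000010),
    Packet("10.0.0.5", "10.0.0.9", "TCP", XMAS_FLAGS),
    Packet("10.0.0.8", "10.0.0.9", "TCP", 0b000010),
] + [Packet("10.0.0.3", f"10.0.0.{n}", "ICMP") for n in range(10, 15)]
```

Calling `decide(analyze(SAMPLE_BUFFER))` yields the two disconnect decisions and one alert-only decision; `log_lines` gives the logging agent's view of the same buffer.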
Simulation

A simulation of an intrusion detection system that can detect DoS, ping sweep and secure document theft is presented now. Suppose that computer A attacks computer C with the Xmas tree attack and that the multi-agent based IDS installed on computer B is monitoring the network. The following scenario (Xmas tree attack) will take place:
1. Computer A attacks computer C with the Xmas tree attack.
2. Computer C receives the defective packets.
3. The IDS running on computer B sniffs the packets on the network and analyzes them. The multi-agent system, in analyzing all the incoming packets, discovers that computer C is being attacked with the Xmas tree attack.
4. The IDS initiates an alert and sends a reset packet to the attacker (computer A) to disconnect it from the network.
5. Computer A receives the reset packet and is disconnected so that its attack cannot continue.

Fig. 7 Simulation of an attack (computer A, an insider, sends Xmas Tree packets to computer C; computer B, running the IDS, responds with Reset packets; steps numbered 1 to 4 as in the scenario above).

Of course, the detection of the attack is a real-time process, such that the attacker is instantly terminated and an alert is generated on the console of machine B. It is highly recommended that the IDS machine be fully dedicated to the intrusion detection mission. High processing speed (P-IV with 2 GHz or higher), large memory (1 GB) and a sufficient amount of available disk storage are also highly recommended.

Fig. 6 Alert Generator agent flowchart: Start; wait until data is new; receive data from decision agents; send alert to system administrator about suspicious packets.

Concluding remarks
Agent-oriented techniques are being increasingly used in a range of networking security applications. However, if they are to be part of an intrusion detection system design, it is vital to clarify why they are more suitable than other approaches such as object-oriented programming. This article has sought to justify why agent-oriented approaches are appropriate for developing complex software systems such as an IDS. The internal structure of each agent in the system has been addressed, and a simplified simulation process has been introduced. The framework presented here should be considered a step forward towards a complete multi-agent based system for networking security.
Read more about it
• Gerhard Weiss (2000), Multiagent Systems: A Modern Approach to Distributed Artificial Intelligence. The MIT Press, Cambridge.
• Guy G. Helmer, Johnny S. K. Wong, Vasant Honavar, Les Miller (1998), "Intelligent agents for intrusion detection," In: The IEEE Information Technology Conference, Syracuse, NY, pp. 121-124.
• Jai Sunder Balasubramaniyan, Jose Omar Garcia-Fernandez, David Isacoff, Eugene Spafford, Diego Zamboni (1998), "An architecture for intrusion detection using autonomous agents," In: 14th IEEE Computer Security Applications Conference, Scottsdale, Arizona.
• Marc Dacier (1999), "Intrusion detection vs. detection of errors caused by intentionally malicious faults," In: 29th Annual International Symposium on Fault-Tolerant Computing, Madison, Wisconsin.
• Sami Saydjari (1999), "The detection of novel unseen attacks," In: 29th Annual International Symposium on Fault-Tolerant Computing, Madison, Wisconsin.
• Stephen Northcutt, Judy Novak, Donald McLachlan (2001), Network Intrusion Detection. New Riders, USA.
• Stephen Northcutt, Mark Cooper, Matt Fearnow, Karen Frederick (2001), Intrusion Signatures and Analysis. New Riders, USA.
• Stuart Russell, Peter Norvig (1995), Artificial Intelligence: A Modern Approach. Prentice Hall, New Jersey.
• Teresa F. Lunt (2000), "Foundations of intrusion detection," In: 13th IEEE Computer Security Foundations Workshop, Cambridge.

Table 1 Agents' Descriptions

Agent name                 | Type                             | Percepts                  | Output
---------------------------|----------------------------------|---------------------------|---------------------------
Sniffing agent             | Simple reflex agent              | Network traffic           | The TCP packets
Secure code analysis agent | Keeping track of the world agent | The TCP packets           | The secure code analysis
DoS analysis agent         | Keeping track of the world agent | The TCP packets           | The DoS analysis
Ping sweep analysis agent  | Keeping track of the world agent | The TCP packets           | The ping sweep analysis
Secure code decision agent | Goal based agent                 | The secure code analysis  | The secure code decision
DoS decision agent         | Goal based agent                 | The DoS analysis          | The DoS decision
Ping sweep decision agent  | Goal based agent                 | The ping sweep analysis   | The ping sweep decision
Logging agent              | Simple reflex agent              | The TCP packets           | Log file
Alert generator agent      | Simple reflex agent              | Decisions                 | Alert file

About the authors
Islam M. Hegazy, Taha Al-Arif, Zaki T. Fayed and Hossam M. Faheem are with the Computer Science Department, Faculty of Computer and Information Sciences, Ain Shams University. Note: This article in its original format was published in the Conference Proceedings of ISDA03, which was sponsored by the IEEE.