A design of softbots for intelligent, reactive intrusion detection systems

ISLAM M. HEGAZY, HOSSAM M. FAHEEM, TAHA AL-ARIF
Computer Science Department, Faculty of Computer and Information Sciences, Ain Shams University
Abbassia 11566, Cairo, EGYPT

Abstract: Intelligent softbots are now used in several fields of computer science and artificial intelligence. Because new attacks arise in the cyber world every day, new intrusion detection systems have to be built to cope with them. These intrusion detection systems should be reactive. Since intelligent agents are characterized by reactivity, they can be used to build intrusion detection systems. In this paper we describe a model for an intrusion detection system built with intelligent agents.

Key-Words: Agents, Intrusion detection, Security.

1 Introduction

Intelligent agents are a new paradigm for software development. An agent is a software application placed in a certain environment that is capable of autonomous action in that environment in order to meet its design objectives. Autonomy means that the agent should be able to act without the direct intervention of humans or other agents [1].

With the vast growth of organizations' information needs, a robust security system has to be applied to the organizations' computers to protect sensitive information. Threats to the information are attributed not only to outsiders but to insiders as well. A recent Computer Security Institute/Federal Bureau of Investigation Computer Crime and Security survey indicates that as much as 82% of losses were attributable to insider threats [2]. External network attacks can be categorized into IP spoofing attacks, packet sniffing, sequence number prediction attacks and trust-access attacks. Categories of internal attacks include password attacks, session hijacking attacks, shared library attacks, and technological vulnerability attacks [3].

Computer network security can be categorized as follows [3]:
• Security enhancement software: replaces an operating system's built-in security software.
• Authentication and encryption software: encrypts and decrypts computer files.
• Security monitoring software: monitors different operations of a computer network and outputs the results to system administrators.
• Network monitoring software: monitors users' behavior or monitors incoming and outgoing traffic.
• Firewall software and hardware: runs at the Internet/intranet entrance to a computer network, and checks the contents of all incoming network traffic at the network and transport layers of the OSI model.

Intrusion detection falls into the fourth category, network monitoring software. Intrusion detection can be defined as the problem of identifying individuals who are using a computer system without authorization and those who have legitimate access to the system but are abusing their privileges [4]. Three techniques for illegal behavior detection are commonly used [5]: anomaly detection, rule-based detection, and hybrid detection, a combination of anomaly detection and rule-based detection. Anomaly intrusion detection uses statistical methods to search for abnormal user behavior, while rule-based intrusion detection searches the network traffic for attack signatures [6,7].

Intrusion detection systems (IDSs) can be classified into network-based IDSs and host-based IDSs. Network-based IDSs gather their information from the network traffic they are monitoring. Host-based IDSs gather their information from the log files of the hosts they reside on [8]. A special case of host-based IDSs is the application-based IDS. Application-based IDSs analyze the events transpiring at a specific application [9]. In this paper a modified denial of service (DoS) agent will be introduced, and a logging agent, an application-based agent, and an update agent will be suggested. The following sections describe the function and the proposed architecture of each of them. This paper is organized as follows: section 2 explains the modified DoS agent, section 3 explains the logging agent, section 4 explains the application-based agent, section 5 explains the update agent, and section 6 states the conclusion.

2 Denial of Service agent

The DoS attack is a type of attack in which certain services are attacked to deny them to legitimate users [6, 7]. DoS attacks constitute one of the major threats that make computer systems useless. Traditional techniques for implementing DoS modules are now obsolete since new attacks arise every day. DoS modules should have some intelligence to cope with upcoming attacks. We chose to implement the DoS module using intelligent agents. Fig. 1 depicts the traditional DoS module and the DoS agent.

[Fig. 1 Traditional DoS module and DoS agent. Labels recovered from the figure: traditional module: packet, set of rules, output; DoS agent: packet, set of rules, list of signatures, output, add signature (new & repeated).]

The DoS agent has to take into account the signatures of new attacks, automatically detect the signatures of repetitive attacks that are not listed in the signatures database, and add them. Table 1 shows the function of the DoS agent.

Table 1 DoS analysis agent algorithm
ALGORITHM DoS analysis agent
INPUT: Buffer of packets, Buffer of signatures
OUTPUT: Buffer of packets and buffer of suspected packets
STEP 1 For i = 1 to number of packets in buffer
    Check packet i for traditional attacks
    If packet i is not suspected
        Check packet i for listed signatures
        If packet i is not suspected
            Check packet i for misconfigurations
            If packet i is misconfigured
                Watch this misconfiguration signature
                If misconfiguration is repeated from the same source
                    Add misconfiguration signature to the signatures buffer
End for
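The following is an added, runnable model of the Table 1 algorithm; it is not code from the paper or its authors. The packet structure, the "traditional attack" checks (SYN and FIN set together, source equal to destination), the "misconfiguration" check (a TCP segment with no flags), the signature representation and the repeat threshold of 2 are all assumptions made for the illustration. What it shows beyond the table is the learning step: a misconfiguration seen twice from the same source becomes a listed signature, so a later packet from a different source is caught by the signature check rather than the misconfiguration check.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    # Constructed, simplified packet: no real parsing is done.
    src: str
    dst: str
    proto: str
    flags: frozenset = frozenset()
    payload: bytes = b""


class DoSAgent:
    """Model of Table 1: traditional attacks, then listed signatures,
    then misconfigurations; repeated misconfigurations are learned."""

    def __init__(self, signatures, repeat_threshold=2):
        # Buffer of signatures: a payload byte pattern, or a
        # ("flags", proto, flag-set) descriptor. Both forms are assumptions.
        self.signatures = list(signatures)
        self.repeat_threshold = repeat_threshold
        self.watch = defaultdict(int)  # (source, descriptor) -> times seen

    @staticmethod
    def traditional_attack(pkt):
        # Assumed "traditional" checks.
        if pkt.proto == "tcp" and {"SYN", "FIN"} <= pkt.flags:
            return "syn-fin flags"
        if pkt.src == pkt.dst:
            return "source equals destination"
        return ""

    def listed_signature(self, pkt):
        for sig in self.signatures:
            if isinstance(sig, bytes):
                if sig in pkt.payload:
                    return f"payload signature {sig!r}"
            else:
                _, proto, flags = sig
                if pkt.proto == proto and pkt.flags == flags:
                    return f"flag signature {proto}/{sorted(flags)}"
        return ""

    @staticmethod
    def misconfiguration(pkt):
        # Assumed misconfiguration: a TCP segment with no flags set at all.
        if pkt.proto == "tcp" and not pkt.flags:
            return ("flags", pkt.proto, pkt.flags)
        return None

    def analyze(self, buffer):
        """Return (buffer, suspected); suspected is a list of (packet, reason)."""
        suspected = []
        for pkt in buffer:
            reason = self.traditional_attack(pkt)
            if not reason:
                reason = self.listed_signature(pkt)
            if not reason:
                descriptor = self.misconfiguration(pkt)
                if descriptor is not None:
                    reason = "misconfiguration"
                    # Watch it; a repeat from the same source becomes a signature.
                    key = (pkt.src, descriptor)
                    self.watch[key] += 1
                    if (self.watch[key] >= self.repeat_threshold
                            and descriptor not in self.signatures):
                        self.signatures.append(descriptor)
            if reason:
                suspected.append((pkt, reason))
        return buffer, suspected


# Constructed sample buffer (not captured traffic).
SAMPLE_BUFFER = [
    Packet("10.0.0.2", "10.0.0.1", "tcp", frozenset({"SYN"})),
    Packet("10.0.0.3", "10.0.0.1", "tcp", frozenset({"SYN", "FIN"})),
    Packet("10.0.0.4", "10.0.0.1", "tcp", frozenset({"PSH", "ACK"}),
           b"...ATTACK-SIG-1..."),
    Packet("10.0.0.5", "10.0.0.1", "tcp", frozenset()),
    Packet("10.0.0.5", "10.0.0.1", "tcp", frozenset()),
    Packet("10.0.0.9", "10.0.0.1", "tcp", frozenset()),
]


def run_sample():
    """Run the agent over the sample; return (suspected sources/reasons, signatures)."""
    agent = DoSAgent(signatures=[b"ATTACK-SIG-1"])
    _, suspected = agent.analyze(SAMPLE_BUFFER)
    return [(p.src, reason) for p, reason in suspected], agent.signatures


if __name__ == "__main__":
    for src, reason in run_sample()[0]:
        print(src, reason)
```

The order of checks matters for the learned signatures: because the signature check runs before the misconfiguration check, the last packet (from 10.0.0.9) is reported as a signature match, and the watch counter is not incremented for it.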

3 Logging agent

The logging agent writes out the log file of the IDS. It receives two buffers, a buffer of packets and a buffer of suspected packets. It assigns a code to every packet indicating whether or not it is suspected, the type of attack, and the attack severity. Table 2 explains the logging agent function.

Table 2 Logging agent algorithm
ALGORITHM Logging agent
INPUT: Buffer of packets, Buffer of suspected packets
OUTPUT: File of attack codes
STEP 1 For i = 1 to number of packets in buffer
    Code packet i
    Write code of packet i in the file
    If packet i is suspected
        Write its severity
End for

4 Application log agent

The application log agent reads the log file written by the logging agent. This agent searches the log file for attack codes, decodes them and writes the explanation of each attack in an attack description file. This agent acts as a simple application-based IDS in that it is specific to this system and performs a simple mapping function. Table 3 explains the application log agent function.

Table 3 Application log agent algorithm
ALGORITHM Application log agent
INPUT: Symbolic log file
OUTPUT: Attack description file
STEP 1 While not end of log file
    Read symbol
    Decode symbol
    If it is an attack symbol
        Write attack description and its severity in the description file
End while
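The following is an added example, not code from the paper, covering both the logging agent of Table 2 and the application log agent of Table 3 as one pipeline. The symbol table (N, T, S, M with their descriptions and severities), the log line layout and the use of in-memory lists in place of files are assumptions. Beyond the two tables, it shows the decoder handling a corrupted or unknown symbol explicitly, so a truncated or tampered log does not silently hide an attack.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src dst")

# Constructed symbol table (an assumption, not the paper's own codes):
# symbol -> (attack description, severity 0..3); severity 0 means no attack.
SYMBOLS = {
    "N": ("no attack", 0),
    "T": ("traditional DoS attack", 3),
    "S": ("listed attack signature matched", 3),
    "M": ("misconfiguration under watch", 1),
}


def logging_agent(buffer, suspected):
    """Table 2: one symbolic log line per packet; severity only when suspected.

    `suspected` maps a packet's index in `buffer` to its attack symbol."""
    lines = []
    for i, pkt in enumerate(buffer):
        symbol = suspected.get(i, "N")          # code the packet
        _, severity = SYMBOLS[symbol]
        line = f"{i} {pkt.src}>{pkt.dst} {symbol}"
        if symbol != "N":
            line += f" sev={severity}"          # write severity if suspected
        lines.append(line)
    return lines


def application_log_agent(log_lines):
    """Table 3: read each symbol, decode it, describe only attack symbols.

    Unreadable lines and unknown symbols are reported rather than skipped."""
    descriptions = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            descriptions.append(f"unreadable log line: {line!r}")
            continue
        idx, flow, symbol = fields[:3]
        if symbol not in SYMBOLS:
            descriptions.append(f"packet {idx}: unknown symbol {symbol!r}")
            continue
        description, severity = SYMBOLS[symbol]
        if severity == 0:
            continue                            # not an attack symbol
        descriptions.append(
            f"packet {idx} ({flow}): {description}, severity {severity}")
    return descriptions


# Constructed sample input (not captured traffic).
SAMPLE_BUFFER = [
    Packet("10.0.0.2", "10.0.0.1"),
    Packet("10.0.0.3", "10.0.0.1"),
    Packet("10.0.0.4", "10.0.0.1"),
    Packet("10.0.0.5", "10.0.0.1"),
]
SAMPLE_SUSPECTED = {1: "T", 3: "M"}


def run_sample():
    """Return (symbolic log lines, attack descriptions) for the sample."""
    log_lines = logging_agent(SAMPLE_BUFFER, SAMPLE_SUSPECTED)
    return log_lines, application_log_agent(log_lines)


if __name__ == "__main__":
    logs, descs = run_sample()
    print("\n".join(logs))
    print("\n".join(descs))
```

Using severity 0 as the "not an attack" test keeps the decoder independent of the symbol letters, so adding a new attack symbol only requires extending SYMBOLS.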

5 Update agent

The update agent is responsible for updating the signatures database. Every certain period of time the update agent connects to a certain server and downloads the new signatures database file. This database helps the analysis modules to recognize the newly listed attacks.

6 Experiments and Results

We ran the system under heavy network load and observed the detection time and action time of the system after different intervals of time. Table 4 shows the results of the experiment.

Table 4 Results of the experiments (times in seconds)
                Detection time   Action time   Risk time
Experiment 1    0.172            0.00245       0.174
Experiment 2    0.189            0.00262       0.192
Experiment 3    0.180            0.00271       0.183
Experiment 4    0.180            0.00223       0.182
Experiment 5    0.190            0.00256       0.192
Average         0.182            0.00252       0.185

Experiment 1 is the average of experiments run on the system for half a minute. Experiment 2 is the average of experiments run on the system for one minute. Experiment 3 is the average of experiments run on the system for a minute and a half. Experiment 4 is the average of experiments run on the system for two minutes, and finally experiment 5 is the average of experiments run on the system for two minutes and a half. All times are calculated in seconds. From the above table we can conclude that the system can detect an intrusion in about 0.182 seconds and takes an action in about 2.52 msec, with a risk time of 0.185 seconds.

7 Conclusions

IDSs are very complicated applications that require a lot of resources and much time. They should operate as close to real time as possible. Using intelligent agents simplifies the building of the IDS because each agent is responsible for a specific part of the system. Using intelligent agents also gives the system the ability to learn new signatures. It is also a step toward a decentralized IDS in which agents can be distributed over several machines.

References:
1. Amar Ramadan-Cherif, Samir Benarif, and Nicole Levy, An Adaptive Platform Based Multi-Agents for Architecting Dependability, in proceedings of the third international conference on Intelligent Systems Design and Applications, Oklahoma, USA, 10–13 August 2003.
2. Paul E. Proctor, The Practical Intrusion Detection Handbook, Prentice Hall, New Jersey, 2001.
3. J. Pikoulas, W.J. Buchanan, M. Mannion, K. Triantafyllopoulos, An Agent-based Bayesian Forecasting Model for Enhanced Network Security, in proceedings of the eighth annual IEEE International Conference and Workshop on the Engineering of Computer Based Systems, Los Alamitos, CA, USA, 2001.
4. Jai Sunder Balasubramaniyan, Jose Omar Garcia-Fernandez, David Isacoff, Eugene Spafford, Diego Zamboni, An architecture for intrusion detection using autonomous agents, in proceedings of the 14th IEEE Computer Security Applications Conference, Scottsdale, Arizona, 1998.
5. J. Pikoulas, W. Buchanan, and M. Mannion, An Intelligent Agent Security Intrusion System, in proceedings of the ninth annual IEEE International Conference and Workshop on the Engineering of Computer Based Systems, 2002.
6. Stephen Northcutt, Judy Novak, Donald McLachlan, Network Intrusion Detection, New Riders, USA, 2001.
7. Stephen Northcutt, Mark Cooper, Matt Fearnow, Karen Frederic, Intrusion Signatures and Analysis, New Riders, USA, 2001.
8. Eugene Spafford and Diego Zamboni, Data Collection Mechanisms for Intrusion Detection Systems, CERIAS tech report, 2000.
9. Rebecca Bace and Peter Mell, Intrusion Detection Systems, NIST special publication on intrusion detection systems, http://csrc.nist.gov/publications/nistpubs/800-31/sp800-31.pdf, November 2001.
10. Islam M. Hegazy, Taha Al-Arif, Zaki T. Fayed, and Hossam M. Faheem, A Framework for Multiagent-based System for Intrusion Detection, in proceedings of the third international conference on Intelligent Systems Design and Applications, Oklahoma, USA, 10–13 August 2003.