ABHIJIT PATHAK. Roadmap: Introduction, System Overview, System Architecture, Detailed Design

Posted on 18-Dec-2015

Page 1: ABHIJIT PATHAK

Page 2: Roadmap

• Introduction
• System Overview
• System Architecture
• Detailed Design
• Fault Tolerance
• Results
• Future Work

Page 3: Introduction

• Inherent security threats in networking
• What is a file integrity checker?
• Concept of mobile agents
• File integrity checker with mobile agents

Page 4: System Overview

• Ajanta Mobile Agent Platform
• FileProc Agent and FileMon Agent
• Two-phase operation of the system
  • Initialization phase
  • Monitoring phase
• User interface

Page 5: System Architecture

• Ajanta architecture overview
• File Integrity Checker architecture

Page 6: File Integrity Checker Architecture

[Figure: Host A (the launching host) runs the Launcher, an Agent Server, the FP agent, FM agents and the Database; Host B and Host C each run an Agent Server visited by FM agents]

FM – File Monitor Agent
FP – File Processor Agent

Page 7: Design Alternatives

• Agent carrying file signatures
• Agent carrying file names
• Implementation decision factors
  • Avoid carrying signatures
  • Lightweight agents

Page 8: Important Features

• Usability and flexibility
• Creation of multiple agent pairs
• Monitoring with various frequencies
• Catering to different monitoring attributes

Page 9: Monitoring Options

• Host-based settings
  • Recursive monitoring of directories
  • Non-recursive monitoring of directories
  • Exclusion of files/directories
• File/directory-based settings
  • Specifying various attributes

Page 10: Configuration File

host:newton.cs.umn.edu
/home/grad09/apathak/proj -a
!/usr/lib/link_audit/64
/usr/include -ab
=/dev -ai

Page 11: Configuration Flags

-a: Ignore changes in last access time
-m: Ignore changes in last modification time
-c: Ignore changes in file creation time
-i: Ignore change in i-node information
-u: Ignore change in user id of file owner
-g: Ignore change in group id of file owner
-s: Ignore change in file size
-b: Ignore change in allocated disk blocks for file
-p: Ignore change in access permissions
-h: Ignore change in the file contents hash value

Page 12: Launcher

• Extension of Agent Server
• Parsing the configuration file and generating itinerary
• Creation and launch of agents
• User interface thread
• Three launching modes
  • Initialization and monitoring
  • Initialize only
  • Monitor only
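
As an added illustration (not Ajanta's or the project's own code) of how the Launcher could turn the configuration file on pages 10 and 11 into an itinerary: path entries are grouped under the host: line that precedes them and each flag letter is mapped to the attribute it tells the monitor to ignore. The meaning of the ! and = prefixes (exclusion and non-recursive monitoring, matching the monitoring options on page 9) is an assumption, and SAMPLE is constructed from the slide.

```python
from typing import NamedTuple
# Flag letters from the "Configuration Flags" slide and the attribute each tells the monitor to ignore.
FLAG_ATTRS = {"a": "atime", "m": "mtime", "c": "ctime", "i": "inode", "u": "uid",
              "g": "gid", "s": "size", "b": "blocks", "p": "mode", "h": "hash"}

class Entry(NamedTuple):
    path: str
    mode: str            # "recursive", "non-recursive" or "exclude"
    ignore: frozenset    # attribute names the monitor should not report on

def parse_entry(line: str) -> Entry:
    # Assumed prefix meaning: "!" excludes the path, "=" is non-recursive, a bare path is recursive.
    path, *flags = line.split()
    if path.startswith("!"):
        mode, path = "exclude", path[1:]
    elif path.startswith("="):
        mode, path = "non-recursive", path[1:]
    else:
        mode = "recursive"
    ignore = set()
    for flag in flags:
        if not flag.startswith("-") or not all(ch in FLAG_ATTRS for ch in flag[1:]):
            raise ValueError(f"unknown flag {flag!r} for {path}")
        ignore.update(FLAG_ATTRS[ch] for ch in flag[1:])
    return Entry(path, mode, frozenset(ignore))

def parse_config(text: str) -> dict:
    # Entries are grouped under the "host:" line that precedes them; the hosts form the itinerary.
    itinerary, host = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("host:"):
            host = line[5:].strip()
            itinerary.setdefault(host, [])
        elif host is None:
            raise ValueError("path entry before any host: line")
        else:
            itinerary[host].append(parse_entry(line))
    return itinerary

# Constructed sample with the entries shown on the configuration-file slide.
SAMPLE = """host:newton.cs.umn.edu
/home/grad09/apathak/proj -a
!/usr/lib/link_audit/64
/usr/include -ab
=/dev -ai
"""
```

Each host in the returned itinerary carries the entries an FM agent would need on that host, with no signatures on board, which is the lightweight-agent decision from page 7.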

Page 13: Database Design

• Signature tables
  • File attributes with hostnames
  • Directory-file name mapping tables
• Event table
  • File Added event
  • File Deleted event
  • File Changed event
• Report Generator tool
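
As an added illustration (not the project's own code) of the signature and event tables above, and of the detection scenarios listed in the results (for example a binary replaced by a file of the same name and size): a snapshot of per-file attributes is taken during the initialization phase, and the monitoring pass diffs a later snapshot against it into File Added, File Deleted and File Changed events, honouring an ignore set such as the one the -a flag produces. SHA-256 as the contents hash and the temporary-directory scenario in demo() are assumptions.

```python
import hashlib, os, tempfile
from pathlib import Path

# Signature attributes; names match the configuration flags -a -m -c -i -u -g -s -b -p -h.
ATTRS = ("atime", "mtime", "ctime", "inode", "uid", "gid", "size", "blocks", "mode", "hash")

def signature(path: str) -> dict:
    # One row of the signature table. SHA-256 for the contents hash is an assumption.
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"atime": st.st_atime_ns, "mtime": st.st_mtime_ns, "ctime": st.st_ctime_ns,
            "inode": st.st_ino, "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size,
            "blocks": getattr(st, "st_blocks", 0), "mode": st.st_mode, "hash": digest}

def snapshot(root: str) -> dict:
    # Initialization phase: signatures of every regular file under root, recursively.
    sigs = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            if os.path.isfile(p) and not os.path.islink(p):
                sigs[p] = signature(p)
    return sigs

def events(baseline: dict, current: dict, ignore=frozenset()) -> list:
    # Monitoring phase: diff two snapshots into event-table rows (event, path, changed attributes).
    out = []
    for path in sorted(baseline.keys() - current.keys()):
        out.append(("deleted", path, ()))
    for path in sorted(current.keys() - baseline.keys()):
        out.append(("added", path, ()))
    for path in sorted(baseline.keys() & current.keys()):
        changed = tuple(a for a in ATTRS if a not in ignore and baseline[path][a] != current[path][a])
        if changed:
            out.append(("changed", path, changed))
    return out

def demo(ignore=frozenset({"atime"})) -> list:
    # Constructed scenario: same-size content replacement, a deleted file and an added file.
    root = Path(tempfile.mkdtemp())
    (root / "a.bin").write_bytes(b"abc")
    (root / "gone.txt").write_bytes(b"x")
    before = snapshot(str(root))
    (root / "a.bin").write_bytes(b"abd")      # same name and size, different contents
    (root / "gone.txt").unlink()
    (root / "new.txt").write_bytes(b"new")
    return [(e, os.path.relpath(p, root), c) for e, p, c in events(before, snapshot(str(root)), ignore)]
```

The same-size replacement is only caught because the contents hash is part of the signature, which is why the -h flag should be used with care.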

Page 14: Fault Tolerance

• Failure of Agent Server
  • Additional intelligence in agents
• Failure of agents
  • User-configurable timeout mechanism

Page 15: Results

• The system is deployed on 15 hosts
• Average statistics per host
  • Number of files: 8830
  • File size (in bytes): 20757
  • Bytes sent per file: 175
  • Agent residency time: approx. 8 minutes
• Type of files being monitored
  • System binaries
  • System libraries
  • System header files

Page 16: Results

• The following scenarios were detected successfully
  • Changing contents of log files by removing or adding single and/or multiple lines
  • Changing owner information of a file
  • Moving files to and from various directories
  • Replacing a binary file with another file with the same name and size

Page 17: Results

• Removing an entire directory recursively with all files in it
• Changing a file deep in the directory hierarchy in recursive monitoring mode
• Changing access times of files by opening them without modification

Page 18: Future Work

• Sensing the load on hosts before launching agents
• Customizing the report generating tool
• Integration of Launcher and Report Generation UI
• Porting the system to various platforms including Windows NT

Page 19: Thank You