Jeremy Kackley, James Jacobs, Paulus Wahjudi and Jean Gourd
Post on 02-Jan-2016
What are mobile agents? Code that migrates from machine to machine.
How are they used? Examples:
Searching: visiting several resources that contain data, sorting the data, and combining it into a payload.
Computation: work is done remotely, at the resource rather than at the originating host.
Communication: agents can also be used to deliver data.
Advantages: reactive/adaptive, reliability, autonomy, efficiency.
Disadvantages: nontraditional, lack of standards, complexity, security.
Trustworthiness has two sides.
Agent trustworthiness (can the host trust the visiting code?): sandboxing is a fairly good solution.
Agency trustworthiness (can the agent trust the host it runs on?): encryption keeps the 'payload' secure, but this is difficult, and it is the focus of this work.
MAIDS: a system for monitoring network data for the purpose of detecting compromised resources. Four threat levels, organized by severity:
Level 1, Observation: situation normal. The Central Authority Node (CAN) monitors the network passively via Probe agent dispatches.
Level 2, Investigation: anomalous data has been observed by the passive monitoring system. The anomalous nodes are actively monitored by dispatching a team of Commander and Detective agents.
Level 3, Confirmation: active monitoring has also detected anomalies. Attempt to confirm the state of the nodes in question; this takes the form of a Secret agent.
Level 4, Resolution: the system has detected a compromise. Attempt to resolve it: alert a human; "log" the activity but permit it; block the activity; shut down the node (DDoS, out-of-band signal, ...).
MAIDS relies upon anomaly detection. What if a node is entirely passive?
Pollination is a scheme to detect passive, 'mole-like' attackers.
Inspired by bees: bees visit flowers to get nectar. Incidentally, they gain pollen, and they also deposit pollen. The pollen on a bee provides a roadmap of where it has been.
Agent pollination: agents visit nodes in the course of their activities. Agents gain pollen, and agents leave pollen behind. The amount of pollen represents the time spent at nodes; the sequence of pollen represents a roadmap of where the agent has been.
Implications:
Incorrect or missing sequences are new anomalies and represent 'issues' that require investigation.
The amount of pollen can represent the types of data an agent is interested in, when cross-referenced with the types of data stored at the various nodes.
A node with practically no pollen might indicate a node that has no resources and is sniffing passing agents.
Standard inference models can be utilized to generate even more anomalous triggers for MAIDS.
Implementation: manipulate the Open Systems Interconnection (OSI) transport layer, either by appending additional packets containing pollen information to the sequence of packets representing the agent, or by manipulating the packets themselves via packet tagging.
Pollination does not need to be active everywhere; one can pollinate only 'sensitive' nodes and thus track only 'important' data.
The degree of pollination can vary with the threat level, as can the consequences for agents with suspicious pollen patterns.
Pollination patterns can be periodically changed to make them more difficult to spoof.
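The following simulation is an added example, not the authors' code, of how a pollen trail could be deposited and checked. Each pollinating node appends a 'grain' (node id, dwell time, keyed tag chained to the previous grain) to the visiting agent's trail; the CAN then checks the returned trail against the agent's expected itinerary and flags forged grains, nodes that left no pollen (the passive-mole case), and out-of-order sequences. The per-epoch key derivation is one assumed way of realising 'periodically changed pollination patterns'; node names A/B/C, dwell times, the HMAC-SHA256 chain and the threshold in low_pollen_nodes are all constructed for the example.

```python
"""Agent pollination as a tamper-evident trail (added example, not the authors' code).

A node appends a grain {node, dwell_ms, tag}; tag = HMAC(epoch_key, node|dwell|prev_tag),
so the sequence of grains is a keyed roadmap of where the agent has been.  The key is
derived per epoch, which is one assumed way to rotate the pollination pattern.
"""
import hashlib
import hmac
from collections import defaultdict

MASTER_KEY = b"example-master-key"  # constructed; shared by the CAN and pollinating nodes


def epoch_key(master, epoch):
    """Derive the pollination key for one epoch (the rotating pattern)."""
    return hmac.new(master, f"epoch:{epoch}".encode(), hashlib.sha256).digest()


def grain_tag(key, node, dwell_ms, prev_tag):
    """Tag binding this grain to its node, its dwell time and the preceding grain."""
    msg = f"{node}|{dwell_ms}|{prev_tag}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def deposit_pollen(trail, node, dwell_ms, epoch, master=MASTER_KEY):
    """Node side: append one grain to the visiting agent's trail."""
    prev = trail[-1]["tag"] if trail else ""
    tag = grain_tag(epoch_key(master, epoch), node, dwell_ms, prev)
    trail.append({"node": node, "dwell_ms": dwell_ms, "tag": tag})
    return trail


def verify_trail(trail, itinerary, epoch, master=MASTER_KEY):
    """CAN side: compare a returned trail with the agent's expected itinerary.

    Returns a list of anomaly strings; an empty list means the trail is clean.
    """
    key = epoch_key(master, epoch)
    anomalies = []
    prev = ""
    for g in trail:  # recompute every tag under the current epoch key
        if g["tag"] != grain_tag(key, g["node"], g["dwell_ms"], prev):
            anomalies.append(f"forged or stale pollen at {g['node']}")
        prev = g["tag"]
    visited = [g["node"] for g in trail]
    for node in itinerary:
        if node not in visited:
            # on the route but left no pollen: candidate passive / sniffing node
            anomalies.append(f"missing pollen from {node}")
    for node in visited:
        if node not in itinerary:
            anomalies.append(f"unexpected pollen from {node}")
    if [n for n in visited if n in itinerary] != [n for n in itinerary if n in visited]:
        anomalies.append("pollen sequence out of order")
    return anomalies


def low_pollen_nodes(trails, known_nodes, threshold_ms=1):
    """Nodes that deposited practically no pollen across all trails the CAN has seen."""
    totals = defaultdict(int)
    for trail in trails:
        for g in trail:
            totals[g["node"]] += g["dwell_ms"]
    return sorted(n for n in known_nodes if totals[n] < threshold_ms)


def scenarios():
    """Constructed trails for four cases; returns {case: anomalies}."""
    route, epoch = ["A", "B", "C"], 7

    clean = []
    for node, dwell in [("A", 120), ("B", 45), ("C", 300)]:
        deposit_pollen(clean, node, dwell, epoch)

    passive = []  # B is a passive mole and deposits nothing
    deposit_pollen(passive, "A", 120, epoch)
    deposit_pollen(passive, "C", 300, epoch)

    stale = []  # B replays pollen computed under the previous epoch's key
    deposit_pollen(stale, "A", 120, epoch)
    deposit_pollen(stale, "B", 45, epoch - 1)
    deposit_pollen(stale, "C", 300, epoch)

    reordered = []  # chain is internally consistent, but the route was not followed
    for node, dwell in [("C", 300), ("B", 45), ("A", 120)]:
        deposit_pollen(reordered, node, dwell, epoch)

    return {
        "clean": verify_trail(clean, route, epoch),
        "passive": verify_trail(passive, route, epoch),
        "stale": verify_trail(stale, route, epoch),
        "reordered": verify_trail(reordered, route, epoch),
        "low_pollen": low_pollen_nodes([passive], route),
    }
```

Calling scenarios() shows the four outcomes side by side: the clean trail yields no anomalies, the passive node B shows up only as "missing pollen from B", the replayed grain fails tag verification under the current epoch key, and the reordered route is caught by the itinerary comparison even though its chain is self-consistent. Chaining each tag to its predecessor means a grain dropped from the middle of a trail also breaks the tag of the grain that followed it, so a mole cannot silently excise its own visit.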
Level 1 in operation: situation normal. Probes are distributed; they record communication and do not move. Agents visit the network with normal agent behavior and, during this process, pick up data from the probes. The Central Authority Node compares the data from the probes as it arrives naturally and mines it for anomalies.
Level 2: anomalies detected. This could be nothing, e.g. 'lag'. Deploy a set of agents: Detective agents, which actively monitor the suspect nodes, and a Commander agent, which takes the information from the Detective agents and analyzes it for anomalies.
Level 3: anomalies still detected. Deploy a "Secret Agent", designed to appear externally as a regular agent. It executes a predetermined series of actions and reports the observed results, if possible. The Detective agents observe the 'actual' results, and the Commander agent analyzes both. The outcome is either that the agency is exonerated or that the threat level is elevated.
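The escalation through Levels 1 to 3 described above, as an added example that is not part of the original deck: passive probe counts are compared with a per-node baseline, the Commander only escalates when a majority of Detective samples stay anomalous (so transient 'lag' is exonerated), and the Secret Agent's predetermined actions are confirmed by comparing what the node reported with what the Detectives actually observed. The baseline, the 2x anomaly ratio, the store/fetch canary actions and the four node scenarios are all constructed assumptions.

```python
"""MAIDS threat-level escalation for one suspected node (added example, not the authors' code).

Level 1: CAN compares passive probe counts with a baseline.
Level 2: Commander aggregates Detective samples; a transient spike is exonerated.
Level 3: Secret Agent runs predetermined actions; Detectives observe the real outcome.
Level 4: reached only when expected, reported and observed results disagree.
"""

LEVELS = {1: "Observation", 2: "Investigation", 3: "Confirmation", 4: "Resolution"}
ANOMALY_RATIO = 2.0  # assumption: traffic outside [baseline/2, 2*baseline] is anomalous


def probe_anomalous(count, baseline, ratio=ANOMALY_RATIO):
    """Level 1: the CAN compares a probe's message count with the node's baseline."""
    return count > ratio * baseline or count < baseline / ratio


def commander_anomalous(samples, baseline, ratio=ANOMALY_RATIO):
    """Level 2: the Commander escalates only if a majority of Detective samples
    remain anomalous, so a one-off spike ('lag') is not treated as a compromise."""
    flagged = sum(probe_anomalous(s, baseline, ratio) for s in samples)
    return 2 * flagged > len(samples)


def secret_agent_disagrees(expected, reported, observed):
    """Level 3: expected = outcome the predetermined actions should produce,
    reported = what the node told the Secret Agent,
    observed = what the Detectives actually saw on the wire."""
    return not (expected == reported == observed)


def assess_node(probe_count, baseline, detective_samples, canary):
    """Walk one node through the levels; returns (final_level, verdict, path)."""
    path = [LEVELS[1]]
    if not probe_anomalous(probe_count, baseline):
        return 1, "normal", path
    path.append(LEVELS[2])
    if not commander_anomalous(detective_samples, baseline):
        return 2, "exonerated", path
    path.append(LEVELS[3])
    if not secret_agent_disagrees(*canary):
        return 3, "exonerated", path
    path.append(LEVELS[4])
    return 4, "compromised", path  # hand off to a Level 4 resolution


def scenarios():
    """Constructed probe data, Detective samples and canary outcomes for four nodes."""
    baseline = 100
    actions = ["store k=v", "fetch k -> v"]  # constructed predetermined actions
    honest_canary = (actions, actions, actions)
    # the mole reports the expected results, but the Detectives also saw an exfiltrated copy
    mole_canary = (actions, actions, actions + ["copy of k sent to unknown peer"])
    return {
        "quiet": assess_node(100, baseline, [99, 101, 100], honest_canary),
        "lag": assess_node(310, baseline, [105, 98, 120], honest_canary),
        "busy": assess_node(310, baseline, [300, 290, 310], honest_canary),
        "mole": assess_node(310, baseline, [300, 290, 310], mole_canary),
    }
```

The "busy" and "mole" nodes look identical to the probes and to the Detectives; only the Secret Agent's canary separates a legitimately busy agency from a compromised one, which is why the deck places confirmation before any Level 4 action.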
Level 4 assumes a compromise has occurred; this situation must be resolved. Possible avenues of resolution: human intervention; redirecting the node's output to a 'vault' for later analysis while attempting to fool the agency into thinking it is still actually part of the network; blockading the output of the node, protecting the network and the agents by preventing access to or from the suspected node; and an automated attack on the node. The appropriate response depends upon the network.
Human intervention: simply ask for human aid. This can be thought of as raising an alert; no automated action is taken by the system. This step is implied in all other possible resolutions.
Vault: "saves" the output of the node for later analysis. Limited action is taken against the node. Attempts to obscure the fact that the compromise has been detected until a human decides what action to take.
Blockade: this response takes active steps to protect the network by preventing communication with the affected node. This could itself be detrimental to the network, leading to bottlenecks or failure.
Offensive action: if the data is of an especially sensitive nature, it might be desirable to attempt to remove the affected device from the network by offensive means. Again, this could damage the network.