Jeremy Kackley, James Jacobs, Paulus Wahjudi and Jean Gourd

Post on 02-Jan-2016


Page 1: Jeremy Kackley, James Jacobs, Paulus Wahjudi and Jean Gourd

Page 2

What are they? Code that migrates from machine to machine.

How are they utilized? Examples:

Searching: visiting several resources that contain data, sorting the data, and combining it into a payload.

Computation done remotely.

Communication: can also be used to deliver data.

Page 3

Advantages: Reactive/Adaptive, Reliability, Autonomous, Efficient.

Disadvantages: Nontraditional, Lack of Standards, Complexity, Security.

Page 4

Trustworthiness

Agent trustworthiness: Sandbox. Fairly good solution.

Agency trustworthiness: Encryption. Keep 'payload' secure. Difficult; focus of this work.

Page 5

System for monitoring network data for the purpose of detecting compromised resources. Four threat levels organized by severity:

Level 1: Observation. Situation normal. The CAN (Central Authority Node) monitors the network passively via Probe agent dispatches.

Level 2: Investigation. Anomalous data observed by the passive monitoring system. Actively monitor the anomalous nodes by dispatching a team of Commander and Detective agents.

Level 3: Confirmation. Active monitoring has also detected anomalies. Attempt to confirm the state of the nodes in question. Takes the form of a Secret agent.

Level 4: Resolution. System has detected compromise. Attempt to resolve: Alert Human; "Log" activity but permit; Block activity; Shut down node (DDOS, out of band signal…).

Page 6

Page 7

MAIDS relies upon anomaly detection; what if a node is entirely passive?

Pollination is a scheme to detect passive, 'mole-like' attackers.

Inspired by bees: Bees visit flowers to get nectar. Incidentally, they gain pollen. They also deposit pollen. Pollen on the bees provides a roadmap of where they've been.

Page 8

Agent Pollination: Agents visit nodes in the course of their activities. Agents gain pollen. Agents leave pollen behind. The amount of pollen represents the time spent at nodes. The sequence of pollen represents a road-map of where the agent has been.

Implications:

Incorrect or missing sequences are new anomalies and represent 'issues' that require investigation.

Amount of pollen can represent the types of data an agent is interested in when cross-referenced with the types of data stored at various nodes.

Nodes with practically no pollen might indicate a node that has no resources and is sniffing passing agents.

Standard inference models can be utilized to generate even more anomalous triggers for MAIDS.
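The trail checks listed under Implications, written out as an added Python example that is not part of the original slides: node names, dwell windows and sample trails are constructed, and "amount of pollen" is modelled as an integer per visited node.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# A pollen trail is the ordered list of (node, pollen amount) grains an agent
# carries back to the Central Authority Node; the amount stands for time spent.
Trail = List[Tuple[str, int]]

# Constructed sample data for this example (not from the original slides).
ROUTE = ["A", "B", "C"]                           # itinerary the agent declared
BOUNDS = {"A": (2, 6), "B": (1, 4), "C": (3, 8)}  # normal dwell window per node

@dataclass
class Finding:
    kind: str    # missing_node | unexpected_node | route_order | pollen_amount
    detail: str

def check_trail(route: List[str], trail: Trail,
                bounds: Dict[str, Tuple[int, int]]) -> List[Finding]:
    """Compare one agent's pollen trail with its declared route.

    An omitted hop, a detour, a reordered visit or an abnormal amount of
    pollen at a node is an anomaly for MAIDS to investigate.
    """
    findings: List[Finding] = []
    visited = [node for node, _ in trail]
    if visited != route:
        for node in route:
            if node not in visited:
                findings.append(Finding("missing_node", f"{node} absent from trail"))
        for node in visited:
            if node not in route:
                findings.append(Finding("unexpected_node", f"{node} not on route"))
        if set(visited) == set(route):
            findings.append(Finding("route_order", "same nodes, different order"))
    for node, amount in trail:
        lo, hi = bounds.get(node, (0, 10**9))   # unknown node: no dwell window
        if not lo <= amount <= hi:
            findings.append(Finding("pollen_amount", f"{node}: {amount} outside {lo}-{hi}"))
    return findings

def silent_nodes(routes: List[List[str]], trails: List[Trail]) -> List[str]:
    """Nodes that agents are routed through but that deposit no pollen at all:
    the 'no resources, just sniffing passing agents' case from the slide."""
    deposited: Dict[str, int] = {n: 0 for r in routes for n in r}
    for trail in trails:
        for node, amount in trail:
            deposited[node] = deposited.get(node, 0) + amount
    return sorted(n for n, total in deposited.items() if total == 0)
```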

Page 9

Page 10

Manipulate the Open System Interconnection (OSI) transport layer by either appending additional packets containing pollen information to the sequence representing the agent, or manipulating the packets themselves via packet tagging.

Pollination does not need to be active everywhere; it can pollinate only 'sensitive' nodes and thus track 'important' data.

The degree of pollination can vary depending on threat level, as can the consequences to agents with suspicious pollen patterns.

Pollination patterns can be periodically changed to make them more difficult to spoof.

Page 11

Page 12

Page 13

Situation normal.

Probes distributed: record communication; do not move.

Agents visit the network: normal agent behavior; during this process they pick up data from the probes.

Central Authority Node: compares data from the probes as it arrives naturally; mines for anomalies.

Page 14

Anomalies detected. Could be nothing ('lag'). Deploy a set of agents:

Detective agents: actively monitor.

Commander agent: takes information from the detective agents and analyzes it for anomalies.

Page 15

Anomalies still detected. Deploy a "Secret Agent": designed to appear externally as a regular agent. Executes a predetermined series of actions and reports the observed results, if possible.

Detective agents observe the 'actual' results.

Commander agent analyzes the results: either the agency is exonerated or the threat level is elevated.
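The Commander's Level 3 decision from the scenario above, as an added Python example that is not part of the original slides. It assumes the Secret Agent's scripted actions yield a known expected result list, and that a missing report (the "if possible" case) is treated as inconclusive rather than as confirmed compromise; both are this example's assumptions.

```python
from enum import IntEnum
from typing import Optional, Sequence, Tuple

class Level(IntEnum):
    """The four MAIDS threat levels from the slides."""
    OBSERVATION = 1
    INVESTIGATION = 2
    CONFIRMATION = 3
    RESOLUTION = 4

def first_divergence(a: Sequence[str], b: Sequence[str]) -> Optional[int]:
    """Index of the first step where two result sequences differ, else None."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))

def confirm(expected: Sequence[str], reported: Optional[Sequence[str]],
            observed: Sequence[str]) -> Tuple[Level, str]:
    """Commander's Level 3 decision.

    expected: results the predetermined action series must produce (assumed known)
    reported: what the Secret Agent itself sent back (None if it could not report)
    observed: what the Detective agents saw the suspect node actually do
    Returns the next threat level and the reason for the transition.
    """
    step = first_divergence(observed, expected)
    if step is not None:
        return Level.RESOLUTION, f"node deviated from the scripted actions at step {step}"
    if reported is None:
        # Assumption: no report is inconclusive; stay at Level 3 and repeat.
        return Level.CONFIRMATION, "actions ran correctly but no report arrived; repeat"
    step = first_divergence(reported, expected)
    if step is not None:
        return Level.RESOLUTION, f"actions ran correctly but the report differs at step {step}"
    return Level.OBSERVATION, "agency exonerated; return to passive monitoring"
```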

Page 16

Level 4 assumes compromise has occurred. This situation must be resolved. Possible avenues of resolution:

Human Intervention.

Redirect output to a 'vault' for later analysis: attempt to fool the agency into thinking it is still actually part of the network.

Blockade output of the node: protect the network, and agents, by preventing access to or from the suspected node.

Automated attack on the node.

The appropriate response depends upon the network.

Page 17

Simply ask for human aid.

This can be thought of as raising an alert.

No automated action taken by the system.

This step is implied in all other possible resolutions.

Page 18

“Saves” the output of the node for later analysis.

Limited action against node is taken.

Attempts to obscure the fact that the compromise is detected until a human decides what action to take.

Page 19

This response takes active steps to protect the network by preventing communication with the affected node.

This could itself be detrimental to the network, leading to bottlenecks or failure.

Page 20

If the data is of an especially sensitive nature, it might be desirable to attempt to remove the affected device from the network by offensive means. Again, this could damage the network.