Mobile Agents for Intrusion Detection, Jaromy Ward

Post on 20-Dec-2015


Mobile Agents for Intrusion Detection

Jaromy Ward

Mobile Agents?

What is a mobile agent?
– Autonomous
– Moves on its own to another machine
– Platform / Agent
– Duplicative
– Adaptable

Traditional IDS

Hierarchical
– Intrusion detection at end nodes
– Aggregate nodes take data from end nodes
– Command and control at top of hierarchy
– IDS reports possible intrusions to a human

The user must then make a decision
– Is this a real threat?
– What action should be taken?

Problems with Traditional IDS

Lack of Efficiency
High Number of False Positives
Burdensome Maintenance
Limited Flexibility
Vulnerable to Direct Attack
Vulnerable to Deception
Limited Response Capability
No Generic Building Methodology

Problems with Traditional IDS

Lack of Efficiency
– Amount of data
– Host-based IDS
    – Slows down performance of the system
– Network-based IDS
    – Cannot process all network traffic

High Number of False Positives
– IDSs still raise too many false alarms that an intrusion has taken place.
– Also, some attacks still go unnoticed.

Problems with Traditional IDS

Burdensome Maintenance
– Maintaining an IDS requires knowledge of rule sets, which differ from system to system.

Limited Flexibility
– IDSs are written for a specific environment
– Not easily ported to different systems
– An upgrade requires shutting down the IDS

Problems with Traditional IDS

Vulnerable to Attack
– Levels of compromise
    – Root level: worst case
    – Aggregation level: next worst case
    – End node level: not too bad
– Lack of redundancy
– Lack of mobility
– Lack of dynamic recovery

Problems with Traditional IDS

Vulnerable to Deception
– Network-based IDSs use a generic network protocol stack for analysis
– An attacker could use this to deceive the IDS into treating a packet as good when in fact it is not

Limited Response Capability
– Delay of response
    – Human response time
    – Distance between end node and controller

Advantages of Mobile Agents

Reduce Network Load
Overcoming Network Latency
Autonomous Execution
Platform Independence
Dynamic Adaptation
Static Adaptation
Scalability
Fault Tolerance
Redundancy

Advantages

Reduce Network Load
– Computation moved closer to affected nodes
– Reduction in data to be moved

Overcoming Network Latency
– More immediate response times
– Closer to end nodes

Autonomous Execution
– Communication with other MAs
– Cloning of MAs
– No need for a central authority to take action

Advantages

Platform Independence
– Run on any operating system
– Only need to write code to run on the platform, not the OS

Dynamic Adaptation
– Reactions based on previous intrusions
– Learn to avoid or move towards areas
– Cloning for added protection

Advantages

Static Adaptation
– Upgrades only require introducing a new agent
– Old mobile agents removed later

Scalability
– Introduction of more mobile agents

Fault Tolerance
– Moves encrypted through the network with the data it may need

Advantages

Redundancy
– Central point of failure removed
– Harder to locate MAs as they are always moving
– Keep in contact with other MAs
    – Determine state of network
    – Help another MA, produce a clone

Disadvantages of MAs

Security
– Need for PKI
– Platforms need to ensure an MA is not harmful
    – Signed by a trusted authority
    – Encrypted with public key

Code Size
– IDS is complicated
– Minimize agent size
    – Function
    – Platform provides OS-dependent operations
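The admission check behind "signed by a trusted authority", written here as an added Go example (not code from the slides or from NIST): the platform keeps the public keys of the authorities it trusts and verifies an Ed25519 signature over the digest of the agent's code before executing it. The AgentBundle format, the authority name "ids-authority" and the agent code strings are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// AgentBundle is a hypothetical wire form of an arriving mobile agent: its code, the name
// of the signing authority, and that authority's signature over SHA-256(code).
type AgentBundle struct {
	Code, Signature []byte
	Authority       string
}
// Platform holds the public keys of the authorities it trusts (the PKI side of the check).
type Platform struct{ Trusted map[string]ed25519.PublicKey }
var ErrUntrusted = errors.New("agent signed by an authority this platform does not trust")
var ErrTampered = errors.New("agent signature does not match its code")
// Admit is the check a platform runs before executing an agent: the bundle must name a
// trusted authority and carry that authority's valid signature over the code digest, so
// code altered in transit or by a compromised earlier platform is never executed.
func (p *Platform) Admit(b AgentBundle) error {
	pub, ok := p.Trusted[b.Authority]
	if !ok {
		return ErrUntrusted
	}
	digest := sha256.Sum256(b.Code)
	if !ed25519.Verify(pub, digest[:], b.Signature) {
		return ErrTampered
	}
	return nil
}

// SignAgent is the trusted authority's side: it signs the digest of the agent's code.
func SignAgent(priv ed25519.PrivateKey, authority string, code []byte) AgentBundle {
	digest := sha256.Sum256(code)
	return AgentBundle{Code: code, Authority: authority, Signature: ed25519.Sign(priv, digest[:])}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	platform := &Platform{Trusted: map[string]ed25519.PublicKey{"ids-authority": pub}}
	agent := SignAgent(priv, "ids-authority", []byte("count failed logins in auth.log")) // constructed code
	fmt.Println("genuine agent:", platform.Admit(agent))                                 // nil
	agent.Code = append(agent.Code, "; extra code added in transit"...)                 // constructed modification
	fmt.Println("modified agent:", platform.Admit(agent))                                // ErrTampered
}
```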

Disadvantages

Performance
– Language used
    – Interpretive
    – Script
– New Java VM developed to help save state information of MAs.

Intrusion Responses

Dynamically modify or shutdown Target
Automated Tracing of Attackers
Automated Evidence Gathering
Operations on an Attacker’s Host
Isolating the Attacker/Target
Operations on Attacker and Target Subnet

Intrusion Responses

Dynamically modify or shutdown Target
– Shut down compromised target
– Gather more information from target

Automated Tracing of Attackers
– Follow trail of intruder

Automated Evidence Gathering
– Mobile agents move to area of attack
– Determine what collection is necessary

Intrusion Responses

Operations on an Attacker’s Host
– Limit operations of attacker

Isolating the Attacker/Target
– Prevent network traffic from attacker/target

Operations on Attacker and Target Subnet
– Deploy multiple agents to flood systems

Implementations

Mobile agents deployed in hierarchy
Composed of three types of agents
– Data Collectors
    – Collect specific data
    – Minor processing of data
– Detection Agents
    – Detect intrusions
    – Trace intrusions
– Manager Agents
    – Oversee data collectors and detection agents
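The three-tier hierarchy above, as an added Go example that is not part of the original slides: a data collector counts failed logins locally (the "minor processing" that also reduces the data shipped over the network), a detection agent applies a threshold on its host, and a manager agent oversees both tiers across hosts. The log lines, host names, addresses and the threshold of 2 are constructed sample data.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample input: auth-log lines as a data collector sees them on each host.
var SampleLogs = map[string][]string{
	"hostA": {"Failed password for root from 10.0.0.5", "Failed password for root from 10.0.0.5",
		"Accepted password for alice from 10.0.0.9", "Failed password for admin from 10.0.0.5"},
	"hostB": {"Accepted password for bob from 10.0.0.7", "Failed password for root from 10.0.0.5"},
}
// Collect is the data-collector tier: it extracts one specific datum (failed logins) and
// does the minor processing (a count per source) on the host, so only counts travel upward.
func Collect(lines []string) map[string]int {
	failed := map[string]int{}
	for _, l := range lines {
		if strings.HasPrefix(l, "Failed password") {
			failed[l[strings.LastIndex(l, " ")+1:]]++ // text after the last space is the source
		}
	}
	return failed
}
// Detect is the detection-agent tier: it flags sources with too many failed logins on this host.
func Detect(failed map[string]int, threshold int) []string {
	var hits []string
	for src, n := range failed {
		if n >= threshold {
			hits = append(hits, src)
		}
	}
	return hits
}
// Manage is the manager-agent tier: it oversees collectors and detectors on every host and
// correlates sources seen on several hosts, the candidates a tracing agent would follow next.
func Manage(logs map[string][]string, threshold int) (alerts map[string][]string, spread map[string]int) {
	alerts, spread = map[string][]string{}, map[string]int{}
	for host, lines := range logs {
		failed := Collect(lines)
		if hits := Detect(failed, threshold); len(hits) > 0 {
			alerts[host] = hits
		}
		for src := range failed {
			spread[src]++
		}
	}
	return alerts, spread
}
func main() { fmt.Println(Manage(SampleLogs, 2)) } // map[hostA:[10.0.0.5]] map[10.0.0.5:2]
```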

Conclusion

Still under development
Shows great promise
Wireless networks could use mobile agent protection.
For more information visit http://csrc.nist.gov/mobilesecurity/

References

Wayne Jansen, “Intrusion Detection with Mobile Agents”, National Institute of Standards and Technology, October 2001
T. Karygiannis, “Network Security Testing Using Mobile Agents”, National Institute of Standards and Technology, June 2002
Peter Mell, Mark McLarnon, “Mobile Agent Attack Resistant Distributed Hierarchical Intrusion Detection Systems”, National Institute of Standards and Technology, November 1999
Gene Bradshaw, Mark Greaves, Heather Holmback, T. Karygiannis, Wayne Jansen, Barry Silverman, Niranjan Suri, Alex Wong, “Agents for the Masses?”, IEEE Journal pp. 53-63, March/April 1999
Asaka, S. Okazawa, A. Taguchi, and S. Goto, “A Method of Tracing Intruders by Use of Mobile Agents”, Proceedings of the Ninth Annual Internet Society Conference INET'99, San Jose, California, June 1999
W. Jansen, P. Mell, T. Karygiannis, D. Marks, “Mobile Agents in Intrusion Detection and Response”, National Institute of Standards, February 2000
Jai Balasubramaniyan, Jose Omar Garcia-Fernandez, David Isacoff, E. H. Spafford, and Diego Zamboni, “An Architecture for Intrusion Detection using Autonomous Agents”, Department of Computer Sciences, Purdue University, Coast TR 98-05, 1998
David Kotz, Robert Gray, “Mobile Agents and the Future of the Internet”, Department of Computer Science, Dartmouth College, New Hampshire, December 2002
Christopher Krugel, Thomas Toth, “Applying Mobile Agent Technology to Intrusion Detection”, Technical University Vienna, Vienna, Austria, April 2001
W. Jansen, P. Mell, T. Karygiannis, D. Marks, “Applying Mobile Agents in Intrusion Detection and Response”, NIST Interim Report 6416, National Institute of Standards, October 1999