Mobile Agents for Intrusion Detection

1
Mobile Agents for Intrusion Detection

• Jaromy Ward

2
Mobile Agents?

• What is a mobile agent?
• Autonomous
• Move on own to another machine
• Platform / Agent
• Duplicative
• Adaptable

3
(No Transcript)
4
Traditional IDS

• Hierarchical
• Intrusion detection at end nodes
• Aggregate nodes take data from end nodes
• Command and control at top of hierarchy
• IDS reports possible intrusions to human
• The user must than make a decision
• is this a real threat
• What action should be taken

5
Problems with Traditional IDS

• Lack of Efficiency
• High number of False Positives
• Burdensome Maintenance
• Limited Flexibility
• Vulnerable to Direct Attack
• Vulnerable to Deception
• Limited Response Capability
• No Generic Building Methodology

6
Problems with Traditional IDS

• Lack of Efficiency
• Amount of data
• Host-base IDS
• Slow down performance of system
• Network-base IDS
• Cannot process all network traffic
• High Number of False s
• IDSs still have too many false alarms that an
  intrusion has taken place.
• Also some attacks still go unnoticed.

7
Problems with Traditional IDS

• Burdensome Maintenance
• The maintenance of IDS requires knowledge of rule
  sets, which are different from system to system.
• Limited Flexibility
• IDSs are written for a specific environments
• Not easily ported to different systems
• Upgrade Requires shutting down IDS

8
Problems with Traditional IDS

• Vulnerable to Attack
• Levels of compromise
• Root level worst case
• Aggregation level next worse case
• End node level not too bad
• Lack of redundancy
• Lack of mobility
• Lack of dynamic recovery

9
Problems with Traditional IDS

• Vulnerable to Deception
• Network based use generic network protocol stack
  for analysis
• Attacker could use this to decieve the IDS that
  the packet is good when in fact it is not
• Limited Response Capability
• Delay of Response
• Human response time
• Distance from end node and controller

10
Advantages of Mobile Agents

• Reduce Network Load
• Overcoming Network Latency
• Autonomous Execution
• Platform Independence
• Dynamic Adaptation
• Static Adaptation
• Scalability
• Fault Tolerance
• Redundancy

11
Advantages

• Reduce Network Load
• Computation moved closer to affected nodes
• Reduction in data to be moved
• Overcoming Network Latency
• More immediate response times
• Closer to end nodes
• Autonomous Execution
• Communication with other MAs
• Cloning of MAs
• No need for central authority to take action

12
Advantages

• Platform Independence
• Run on any operating system
• Only need to write code to run on platform not OS
• Dynamic Adaptation
• Reactions based on previous intrusions
• Learn to avoid or move towards areas
• Cloning for added protection

13
Advantages

• Static Adaptation
• Upgrades only require introducing new agent
• Old Mobile agents removed later
• Scalability
• Introduction of more mobile agents
• Fault Tolerance
• Moves encrypted in the network with data it may
  need

14
Advantages

• Redundancy
• Central point of failure removed
• Harder to locate MA as they are always moving
• Keep in contact with other MAs
• Determine state of network
• Help other MA, produce clone

15
Disadvantages of MAs

• Security
• Need for PKI
• Platforms need to ensure MA is not harmful
• Signed by trusted authority
• Encrypted with public key
• Code Size
• IDS is complicated
• Minimize agent size
• Function
• Platform provide OS dependent operations

16
Disadvantages

• Performance
• Language used
• Interpretive
• Script
• New Java VM developed to help save state
  information of MA.

17
Intrusion Responses

• Dynamically modify or shutdown Target
• Automated Tracing of Attackers
• Automated Evidence Gathering
• Operations on an Attackers Host
• Isolating the Attacker/Target
• Operations on Attacker and Target Subnet

18
Intrusion Responses

• Dynamically modify or shutdown Target
• Shutdown compromised target
• Gather more information from target
• Automated Tracing of Attackers
• Follow trail of intruder
• Automated Evidence Gathering
• Mobil agents move to area of attack
• Determine what collection is necessary

19
Intrusion Responses

• Operations on an Attackers Host
• Limit operations of Attacker
• Isolating the Attacker/Target
• Prevent network traffic from attacker/target
• Operations on Attacker and Target Subnet
• Deploy multiple agents to flood systems

20
Implementations

• Mobile agents deployed in Hierarchy
• Composed of three types of Agents
• Data Collectors
• Collect specific data
• Minor processing of data
• Detection Agents
• Detect intrusions
• Trace intrusions
• Manager Agents
• Oversee Data collectors and Detection agents

21
Conclusion

• Still under development
• Show great promise
• Wireless networks could use Mobile agent
  protection.
• For more information visit http//csrc.nist.gov/mo
  bilesecurity/

22
References

• Wayne Jansen, Intrusion Detection with Mobile
  Agents , National Institute of Standards and
  Technology, October 2001
• T. Karygiannis, Network Security Testing Using
  Mobile Agents, National Institute of Standard
  and Technology, June 2002
• Peter Mell, Mark McLarnon, Mobile Agent Attack
  Resistant Distributed Hierarchical Intrusion
  Detection Systems, National Institute of
  Standards and Technology, November 1999
• Gene Bradshaw, Mark Greaves, Heather Holmback, T.
  Karygiannis, Wayne Jansen, Barry Silverman,
  Niranjan Suri, Alex Wong, Agents for the
  Masses?, IEEE Journal pp. 53- 63, March/April
  1999
• Asaka, S.Okazawa, A.Taguchi, and S.Goto, A
  Method of Tracing Intruders by Use of Mobile
  Agents, Proceedings of the Ninth Annual Internet
  Society Conference INET'99, San Jose, California,
  June 1999
• W. Jansen, P. Mell, T. Karygiannis, D. Marks,
  Mobile Agents in Intrusion Detection and
  Response, National Institute of Standards,
  February 2000
• Jai Balasubramaniyan, Jose Omar Garcia-Fernandez,
  David Isacoff, E. H. Spafford, and Diego Zamboni,
  An Architecture for Intrusion Detection using
  Autonomous Agents, Department of Computer
  Sciences, Purdue University, Coast TR 98-05, 1998
• David Kotz, Robert Gray, Mobile Agents and the
  Future of the Internet, Department of Computer
  Science, Dartmouth College, New Hampshire,
  December 2002
• Christopher Krugel, Thomas Toth, Applying
  Mobile Agent Technology to Intrusion Detection,
  Technical University Vienna, Vienna, Austria
  April 2001
• W. Jansen, P. Mell, T. Karygiannis, D. Marks,
  Applying Mobile Agents in Intrusion Detection
  and Response, NIST Interim Report 6416,
  National Institute of Standards, October 1999