Mobile Agents for Intrusion Detection
Jaromy Ward

Mobile Agents?
What is a mobile agent?
– Autonomous
– Move on own to another machine
– Platform / Agent
– Duplicative
– Adaptable
Traditional IDS
Hierarchical
– Intrusion detection at end nodes
– Aggregate nodes take data from end nodes
– Command and control at top of hierarchy
– IDS reports possible intrusions to human
The user must then make a decision
– Is this a real threat?
– What action should be taken?
Problems with Traditional IDS
Lack of Efficiency
High Number of False Positives
Burdensome Maintenance
Limited Flexibility
Vulnerable to Direct Attack
Vulnerable to Deception
Limited Response Capability
No Generic Building Methodology
Problems with Traditional IDS
Lack of Efficiency
– Amount of data
– Host-based IDS
  – Slows down performance of the system
– Network-based IDS
  – Cannot process all network traffic
High Number of False Positives
– IDSs still raise too many false alarms that an intrusion has taken place.
– Also, some attacks still go unnoticed.
Problems with Traditional IDS
Burdensome Maintenance
– The maintenance of an IDS requires knowledge of rule sets, which differ from system to system.
Limited Flexibility
– IDSs are written for specific environments
– Not easily ported to different systems
– Upgrade requires shutting down the IDS
Problems with Traditional IDS
Vulnerable to Attack
– Levels of compromise
  – Root level – worst case
  – Aggregation level – next worst case
  – End node level – not too bad
– Lack of redundancy
– Lack of mobility
– Lack of dynamic recovery
Problems with Traditional IDS
Vulnerable to Deception
– Network-based IDSs use a generic network protocol stack for analysis
– An attacker could use this to deceive the IDS into treating a packet as good when in fact it is not
Limited Response Capability
– Delay of response
  – Human response time
  – Distance between end node and controller
Advantages of Mobile Agents
Reduce Network Load
Overcoming Network Latency
Autonomous Execution
Platform Independence
Dynamic Adaptation
Static Adaptation
Scalability
Fault Tolerance
Redundancy
Advantages
Reduce Network Load
– Computation moved closer to affected nodes
– Reduction in data to be moved
Overcoming Network Latency
– More immediate response times
– Closer to end nodes
Autonomous Execution
– Communication with other MAs
– Cloning of MAs
– No need for central authority to take action
Advantages
Platform Independence
– Run on any operating system
– Only need to write code to run on the agent platform, not on the OS
Dynamic Adaptation
– Reactions based on previous intrusions
– Learn to avoid or move towards areas
– Cloning for added protection
Advantages
Static Adaptation
– Upgrades only require introducing a new agent
– Old mobile agents removed later
Scalability
– Introduction of more mobile agents
Fault Tolerance
– Moves encrypted in the network with the data it may need
Advantages
Redundancy
– Central point of failure removed
– Harder to locate MAs as they are always moving
– Keep in contact with other MAs
  – Determine state of network
  – Help other MA, produce clone
Disadvantages of MAs
Security
– Need for PKI
– Platforms need to ensure MA is not harmful
  – Signed by trusted authority
  – Encrypted with public key
Code Size
– IDS is complicated
– Minimize agent size
  – Function
  – Platform provides OS-dependent operations
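The "signed by trusted authority" check from the Security bullet above, as an added example that is not code from the original slides or from the NIST work they summarise: a platform keeps a trust store of authority public keys and admits an arriving agent only if its code verifies under one of them. AgentPackage, SignAgent and AdmitAgent are hypothetical names, and Ed25519 is assumed as the PKI signature scheme.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// AgentPackage is a hypothetical wire format for an agent arriving at a
// platform: its code plus the identity of the authority that signed it.
type AgentPackage struct {
	Name   string
	Code   []byte
	Signer string // authority name, looked up in the platform's trust store
	Sig    []byte // Ed25519 signature over signingInput(Name, Code)
}

// signingInput binds the agent name to its code so a signature cannot be
// replayed on a different agent that happens to carry the same code.
func signingInput(name string, code []byte) []byte {
	return append([]byte(name+"\x00"), code...)
}

// SignAgent is the trusted authority's step before an agent is released.
func SignAgent(priv ed25519.PrivateKey, signer, name string, code []byte) AgentPackage {
	return AgentPackage{Name: name, Code: code, Signer: signer,
		Sig: ed25519.Sign(priv, signingInput(name, code))}
}

// AdmitAgent is the platform-side check: the agent may run only if it carries
// a valid signature from an authority present in the trust store.
func AdmitAgent(trusted map[string]ed25519.PublicKey, pkg AgentPackage) error {
	pub, ok := trusted[pkg.Signer]
	if !ok {
		return fmt.Errorf("agent %q: unknown signer %q", pkg.Name, pkg.Signer)
	}
	if !ed25519.Verify(pub, signingInput(pkg.Name, pkg.Code), pkg.Sig) {
		return fmt.Errorf("agent %q: signature does not match its code", pkg.Name)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	trusted := map[string]ed25519.PublicKey{"ids-authority": pub}
	pkg := SignAgent(priv, "ids-authority", "collector", []byte("collect failed logins"))
	fmt.Println("genuine agent:", AdmitAgent(trusted, pkg))
	pkg.Code = []byte("modified in transit") // tampering breaks the signature
	fmt.Println("tampered agent:", AdmitAgent(trusted, pkg))
}
```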
Disadvantages
Performance
– Language used
  – Interpretive
  – Script
– New Java VM developed to help save state information of MA.
Intrusion Responses
Dynamically modify or shutdown Target
Automated Tracing of Attackers
Automated Evidence Gathering
Operations on an Attacker’s Host
Isolating the Attacker/Target
Operations on Attacker and Target Subnet
Intrusion Responses
Dynamically modify or shutdown Target
– Shut down compromised target
– Gather more information from target
Automated Tracing of Attackers
– Follow trail of intruder
Automated Evidence Gathering
– Mobile agents move to area of attack
– Determine what collection is necessary
Intrusion Responses
Operations on an Attacker’s Host
– Limit operations of attacker
Isolating the Attacker/Target
– Prevent network traffic from attacker/target
Operations on Attacker and Target Subnet
– Deploy multiple agents to flood systems
Implementations
Mobile agents deployed in hierarchy
Composed of three types of agents
– Data Collectors
  – Collect specific data
  – Minor processing of data
– Detection Agents
  – Detect intrusions
  – Trace intrusions
– Manager Agents
  – Oversee data collectors and detection agents
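The three-tier hierarchy above, as an added example that is not code from the original slides or from any of the implementations they refer to: a collector keeps only failed logins and reduces them to a per-source count (the "reduction in data to be moved" from the Advantages slide), a detector turns counts that reach a threshold into alerts, and a manager oversees one collector and one detector per host. The log lines, the hostnames and the Collect/Detect/Manage names are constructed for the example.

```go
package main

import "strings"

// Constructed sample auth-log lines, one slice per monitored host.
var sampleLogs = map[string][]string{
	"web1": {
		"Failed password for root from 198.51.100.7 port 4222",
		"Accepted password for alice from 192.0.2.10 port 5000",
		"Failed password for admin from 198.51.100.7 port 4223",
	},
	"db1": {"Failed password for root from 203.0.113.9 port 6001"},
}

// Alert is what a detection agent reports up to its manager agent.
type Alert struct {
	Host, Src string
	Failures  int
}

// Collect is the data collector agent: it keeps only failed logins and does
// minor processing (a count per source) so it ships a summary, not raw lines.
func Collect(lines []string) map[string]int {
	counts := map[string]int{}
	for _, l := range lines {
		if f := strings.Fields(l); len(f) >= 6 && f[0] == "Failed" {
			counts[f[5]]++ // f[5] is the token after "from" in this format
		}
	}
	return counts
}

// Detect is the detection agent: a source at or above the threshold on one host is flagged.
func Detect(host string, counts map[string]int, threshold int) []Alert {
	alerts := []Alert{}
	for src, n := range counts {
		if n >= threshold {
			alerts = append(alerts, Alert{host, src, n})
		}
	}
	return alerts
}

// Manage is the manager agent: it runs a collector and a detector per host and aggregates alerts.
func Manage(logs map[string][]string, threshold int) []Alert {
	all := []Alert{}
	for host, lines := range logs {
		all = append(all, Detect(host, Collect(lines), threshold)...)
	}
	return all
}
```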
Conclusion
Still under development
Show great promise
Wireless networks could use mobile agent protection.
For more information visit http://csrc.nist.gov/mobilesecurity/