23-06-2012, 01:13 PM
A METHOD OF TRACING INTRUDERS BY USE OF MOBILE AGENTS
A METHOD OF TRACING INTRUDERS BY USE OF MOBILE AGENTS.pdf (Size: 212.43 KB / Downloads: 27)
INTRODUCTION
Computer break-ins are mainly divided into two types: break-ins from outside the local area network (LAN) and those from inside the LAN. However, it is rare in either case that intruders directly attack the target host from their own hosts. The reason for this is logical: intruders desire to conceal their origin. Intruders tend to attack the less-protected hosts first, gradually approaching hosts armed with stronger protection, ultimately working up to and reaching their target hosts. Commonly, administrators not only on the target hosts but also on the intermediate hosts do not notice the intrusion. Furthermore, the administrators cannot trace the origin of an intrusion after the network connection has closed, even if the intrusion has been detected.
Structure of IDA
In many conventional network intrusion detection systems, each target system transfers its system log to an intrusion-detection server, and the server analyzes the entire log in search of intrusions. Methods of this kind fall under the client/server paradigm. In a large-scale network deploying an intrusion detection system, network traffic will be extremely high, since the volume of the system logs that are routinely transferred is very large, though most of it has no information related to intrusions. Therefore, this type of intrusion detection system on a large-scale network does not fulfill its function efficiently. To solve this problem, we adopted a mobile-agent paradigm in developing IDA. Mobile agents autonomously migrate to target systems to collect only information related to intrusions, eliminating the need to
Action of IDA
Here we outline how IDA works after a sensor detects an MLSI on a target system. IDA accumulates the data required by intrusion-route tracing (i.e., about network connections, the various processes running on the system, etc.) on each target system in advance.
Each sensor on the target system seeks an MLSI from the system log.
Purpose of the Bulletin Board and the Message Board
In IDA, the manager dispatches a tracing agent to a target system and, because of the mobile agent's autonomy, subsequently has no concern with the migration of the tracing agent. Many tracing agents may therefore trace the same intrusion, since the manager does not centrally control their respective migration. To avoid this overlapping, tracing agents exchange information with each other regarding their respective pursuits. Tracing agents employ the message board on a target system for this exchange of information.
The Message Board
As explained above, tracing agents employ the message board on the target system in order not to overlap their respective trace routes. A tracing agent begins to trace from the point in a target system where an MLSI is first detected. If a user who leaves the MLSI leaves another MLSI on his or her way to the target, another tracing agent will be dispatched. For example, suppose user X remotely logs onto target systems A, B, C, and D in this order: A - B - C - D.
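The tracing and message-board coordination described above, as an added example that is not the IDA project's or the paper's own code. It assumes (hypothetically) that each target host stores the origin of the remote login that reached it, which is the connection data IDA accumulates in advance, and a message board that tracing agents can read from and post notes to.

```python
# Added illustration of the IDA tracing/message-board scheme; not IDA's code.
# Assumptions (hypothetical): each host records the origin of the remote
# login that reached it and keeps a message board (a plain list of notes).

def build_hosts(login_chain):
    """login_chain: constructed sample of (from_host, to_host) remote logins."""
    hosts = {}
    for src, dst in login_chain:
        hosts.setdefault(src, {"origin": None, "board": []})
        hosts.setdefault(dst, {"origin": None, "board": []})
        hosts[dst]["origin"] = src      # D was reached from C, C from B, ...
    return hosts


def trace_intrusion(hosts, start, agent_id):
    """Walk back from the host where an MLSI was detected toward the origin.

    At each hop the agent reads the message board first. A note left by a
    different agent means this part of the route is already being traced,
    so the agent stops instead of duplicating the trace. Otherwise it posts
    its own note and migrates to the host the login came from.
    """
    route, host = [], start
    while host is not None:
        others = [n["agent"] for n in hosts[host]["board"] if n["agent"] != agent_id]
        if others:
            return {"agent": agent_id, "route": route,
                    "stopped_at": host, "merged_with": others[0]}
        hosts[host]["board"].append(
            {"agent": agent_id, "came_from": route[-1] if route else None})
        route.append(host)
        host = hosts[host]["origin"]
    return {"agent": agent_id, "route": route, "stopped_at": None, "merged_with": None}


def run_demo():
    # Constructed scenario from the text: user X logs on A -> B -> C -> D and
    # leaves an MLSI on D and another on C, so two tracing agents are dispatched.
    hosts = build_hosts([("A", "B"), ("B", "C"), ("C", "D")])
    first = trace_intrusion(hosts, "D", "agent-1")   # walks back to origin A
    second = trace_intrusion(hosts, "C", "agent-2")  # finds agent-1's note at C
    return first, second


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

The second agent stops at C as soon as it reads the first agent's note, so only one agent follows the shared part of the route back to A.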