SPARTA : A MOBILE AGENT BASED INTRUSION DETECTION SYSTEM

Introduction

Intrusion Detection Systems (IDS) are software or hardware products that automate the analysis of traffic on a network or a host. They are complementary security tools in computer networks and can be deployed at different points depending on the application. The IDS must be parameterized according to its location: for example, an IDS located in a Demilitarized Zone (DMZ) must be tuned more loosely than one located inside the internal network, in order to reduce false alarms or to avoid system overload, at the cost of letting some intrusions pass without generating an alarm. Likewise, the IDS will see different kinds of attacks depending on whether it is located in the DMZ or in the intranet zone. Because of the increasing rate of attacks, Intrusion Detection Systems have become a complementary and mandatory security tool for any organization; in addition, they are useful to support forensic analysis procedures that complement the use of the IDS.

IDA's architecture

The IDA (Intrusion Detection Agent system) architecture uses a sensor agent that resides at a node and searches the system's log for an MLSI (Mark Left by a Suspected Intruder). When it finds one, it notifies the Manager, which dispatches a tracing agent to the host where the MLSI was detected. The tracing agent activates an information-gathering agent, which independently collects information related to the MLSI on the target system. The information-gathering agent returns to the Manager with its results and logs them on a bulletin board. The bulletin board integrates the information collected about the intrusion from the several agents involved. The bulletin board and the message board are thus a shared area that can be accessed by both tracing agents and information-gathering agents.

MAIDS architecture

The MAIDS (Mobile Agents Intrusion Detection System) architecture is a distributed IDS made up of a Manager, an Assistant Monitor Agent, a Response Monitor Agent and a Host Monitoring Agent. There is a Monitor Agent (MA) in each host. If an agent detects an intrusion, it reports directly to the Manager. A host Monitor Agent can also request assistance from the Manager. When the Manager receives such a request, it sends an Assistant MA to patrol the network and gather information, in order to determine whether suspicious activities observed on different hosts can be combined into a distributed intrusion. Finally, the Manager analyzes the gathered information and, if it detects a plausible distributed intrusion, dispatches a Response MA. The Manager is a central point of correlation; if an attacker locates it, the whole system is put in a dangerous situation. The mobile agents (the Assistant MA and the Response MA) are encrypted with a symmetric-key algorithm using a one-time session key, and this session key is in turn encrypted with a public-key algorithm, which makes the MAIDS runtime environment slow. The MAIDS architecture is as shown in the accompanying figure.

Literature Review of Previous Work

Historically, intrusion detection technology dates back to 1980 and became a well-established research area after the introduction of the model and prototypes presented in previous work. These systems were centralized: a single machine monitors the data flow at a strategic point in the network and collects and analyzes data from the log files. Once an attacker destabilizes this host, he or she is able to gain considerable access to the whole network.
This limitation is the main vulnerability of currently implemented IDSs. Distributed IDSs were introduced to overcome this susceptibility, and mobile agents are considered to play a prominent role in the implementation of such technologies. Another approach proposes an architecture for a distributed intrusion detection system based on multiple independent entities, the Autonomous Agents for Intrusion Detection (AAFID) framework. The proposed system allows data to be collected from multiple sources, thus combining traditional host-based and network-based IDSs. Several problems face this framework, including scalability, performance, security, and the user interface.

Related Work

The idea of correlating events that occur at different places in a network, and of formalizing patterns to describe such correlations, is not new. The Complex Event Processor developed at Stanford University is capable of correlating causally and temporally related events. It is based on a theory of partially ordered multistep events and is used for intrusion detection and network management. Patterns are described using the Rapid Pattern Language. The difference between our approach and their work is that we use mobile agents to perform the pattern detection in a distributed fashion without any central server, whereas they collect data from different client sites and process it at a server.

Conclusion

Relating distributed events and deducing knowledge from different hosts is especially important in the fields of network management and intrusion detection. We present a solution in which mobile agents perform the task of correlating data in a fully decentralized manner. Designing a distributed system always includes the goal of creating a scalable solution. In order to prevent a tremendous increase in network traffic, the expressiveness of our pattern description language had to be slightly restricted. This allows an efficient detection algorithm and a fault-tolerant, scalable system design.
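The following simulation is an added example, not code from SPARTA, IDA or MAIDS. It ties together the IDA flow described earlier (a sensor agent finds an MLSI, a tracing agent is dispatched, an information-gathering agent collects related events, and a bulletin board integrates the findings) with the decentralized multi-host correlation the conclusion refers to: the tracing agent carries its own trail from host to host instead of shipping every log line to a central server. The host names, the one-line-per-event log format and the chosen MLSI (repeated failed logins followed by a success from the same source) are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample logs, one list per host. Format "<ts> <event> key=value ..." is an assumption.
HOST_LOGS = {
    "web01": [
        "100 login_failed user=root src=10.0.0.9",
        "101 login_failed user=root src=10.0.0.9",
        "102 login_failed user=root src=10.0.0.9",
        "103 login_ok user=root src=10.0.0.9",
        "110 outbound dst=db01 port=22",
    ],
    "db01": [
        "112 login_ok user=root src=web01",
        "115 file_read path=/etc/shadow user=root",
    ],
    "mail01": ["90 login_ok user=alice src=10.0.0.4"],
}

LINE_RE = re.compile(r"^(\d+) (\w+)\s*(.*)$")


@dataclass
class Event:
    ts: int
    host: str
    kind: str
    attrs: dict


def parse_log(host, lines):
    """Turn raw log lines into Event objects; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, kind, rest = m.groups()
        attrs = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        events.append(Event(int(ts), host, kind, attrs))
    return sorted(events, key=lambda e: e.ts)


def sensor_scan(host, events, threshold=3):
    """Sensor agent: an MLSI is >= threshold failed logins for one (src, user), then a success."""
    failures, marks = {}, []
    for e in events:
        key = (e.attrs.get("src"), e.attrs.get("user"))
        if e.kind == "login_failed":
            failures[key] = failures.get(key, 0) + 1
        elif e.kind == "login_ok":
            if failures.get(key, 0) >= threshold:
                marks.append({"host": host, "ts": e.ts, "src": key[0], "user": key[1]})
            failures[key] = 0
    return marks


def gather(host, events, since, from_host):
    """Information-gathering agent: on `host`, find the login that came from `from_host`
    after `since` and return everything that user did afterwards on this host."""
    login = next((e for e in events if e.ts >= since and e.kind == "login_ok"
                  and e.attrs.get("src") == from_host), None)
    if login is None:
        return []
    user = login.attrs.get("user")
    return [e for e in events if e.ts >= login.ts and e.attrs.get("user") == user]


class BulletinBoard:
    """Shared area where agents post findings; integrate() merges them into one report."""
    def __init__(self):
        self.posts = []

    def post(self, agent, host, finding):
        self.posts.append({"agent": agent, "host": host, **finding})

    def integrate(self):
        hosts = list(dict.fromkeys(p["host"] for p in self.posts))
        kinds = sorted({p["what"] for p in self.posts})
        return {"hosts": hosts, "kinds": kinds, "steps": len(self.posts)}


def trace(mlsi, logs, board, agent="tracer"):
    """Tracing agent: starts at the MLSI host, follows outbound connections made after the mark,
    activates gathering on each reached host and posts what it finds. State (the trail) travels
    with the agent; no central server sees the raw logs."""
    host, since = mlsi["host"], mlsi["ts"]
    trail, visited = [host], {host}
    board.post(agent, host, {"ts": since, "what": "mlsi", "src": mlsi["src"]})
    while True:
        hop = next((e for e in logs[host] if e.ts >= since and e.kind == "outbound"
                    and e.attrs.get("dst") in logs and e.attrs["dst"] not in visited), None)
        if hop is None:
            break
        nxt = hop.attrs["dst"]
        found = gather(nxt, logs[nxt], hop.ts, host)
        if not found:            # connection without a matching login: trail ends here
            break
        for e in found:
            board.post(agent, nxt, {"ts": e.ts, "what": e.kind, **e.attrs})
        visited.add(nxt)
        trail.append(nxt)
        host, since = nxt, hop.ts
    return trail


def run(host_logs=HOST_LOGS):
    """Run sensors on every host, trace each MLSI, and integrate the board."""
    logs = {h: parse_log(h, lines) for h, lines in host_logs.items()}
    board = BulletinBoard()
    trails = [trace(m, logs, board) for h, ev in logs.items() for m in sensor_scan(h, ev)]
    return trails, board.integrate()


if __name__ == "__main__":
    print(run())
```

With the constructed logs, the sensor on web01 raises one MLSI (three failures then a success from 10.0.0.9), the tracing agent follows the outbound connection to db01, gathers the root login and the subsequent read of /etc/shadow there, and the board integrates the three posts into a single report spanning both hosts; mail01 produces no mark. Restricting what the gathering agent returns (only the events of the user who arrived from the previous hop) is the kind of expressiveness trade-off the conclusion mentions: it keeps the agent's payload small at the cost of missing activity that does not fit the pattern.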