1 / 22

Mobile Agents for Intrusion Detection

Mobile Agents for Intrusion Detection. Jaromy Ward. Mobile Agents?. What is a mobile agent? Autonomous Move on own to another machine Platform / Agent Duplicative Adaptable. Traditional IDS. Hierarchical Intrusion detection at end nodes Aggregate nodes take data from end nodes

lilah
Download Presentation

Mobile Agents for Intrusion Detection

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Mobile Agents for Intrusion Detection Jaromy Ward

  2. Mobile Agents? • What is a mobile agent? • Autonomous • Move on own to another machine • Platform / Agent • Duplicative • Adaptable

  3. Traditional IDS • Hierarchical • Intrusion detection at end nodes • Aggregate nodes take data from end nodes • Command and control at top of hierarchy • IDS reports possible intrusions to human • The user must than make a decision • is this a real threat • What action should be taken

  4. Problems with Traditional IDS • Lack of Efficiency • High number of False Positives • Burdensome Maintenance • Limited Flexibility • Vulnerable to Direct Attack • Vulnerable to Deception • Limited Response Capability • No Generic Building Methodology

  5. Problems with Traditional IDS • Lack of Efficiency • Amount of data • Host-base IDS • Slow down performance of system • Network-base IDS • Cannot process all network traffic • High Number of False +’s • IDS’s still have too many false alarms that an intrusion has taken place. • Also some attacks still go unnoticed.

  6. Problems with Traditional IDS • Burdensome Maintenance • The maintenance of IDS requires knowledge of rule sets, which are different from system to system. • Limited Flexibility • IDS’s are written for a specific environments • Not easily ported to different systems • Upgrade Requires shutting down IDS

  7. Problems with Traditional IDS • Vulnerable to Attack • Levels of compromise • Root level – worst case • Aggregation level – next worse case • End node level – not too bad • Lack of redundancy • Lack of mobility • Lack of dynamic recovery

  8. Problems with Traditional IDS • Vulnerable to Deception • Network based use generic network protocol stack for analysis • Attacker could use this to decieve the IDS that the packet is good when in fact it is not • Limited Response Capability • Delay of Response • Human response time • Distance from end node and controller

  9. Advantages of Mobile Agents • Reduce Network Load • Overcoming Network Latency • Autonomous Execution • Platform Independence • Dynamic Adaptation • Static Adaptation • Scalability • Fault Tolerance • Redundancy

  10. Advantages • Reduce Network Load • Computation moved closer to affected nodes • Reduction in data to be moved • Overcoming Network Latency • More immediate response times • Closer to end nodes • Autonomous Execution • Communication with other MA’s • Cloning of MA’s • No need for central authority to take action

  11. Advantages • Platform Independence • Run on any operating system • Only need to write code to run on platform not OS • Dynamic Adaptation • Reactions based on previous intrusions • Learn to avoid or move towards areas • Cloning for added protection

  12. Advantages • Static Adaptation • Upgrades only require introducing new agent • Old Mobile agents removed later • Scalability • Introduction of more mobile agents • Fault Tolerance • Moves encrypted in the network with data it may need

  13. Advantages • Redundancy • Central point of failure removed • Harder to locate MA as they are always moving • Keep in contact with other MA’s • Determine state of network • Help other MA, produce clone

  14. Disadvantages of MA’s • Security • Need for PKI • Platforms need to ensure MA is not harmful • Signed by trusted authority • Encrypted with public key • Code Size • IDS is complicated • Minimize agent size • Function • Platform provide OS dependent operations

  15. Disadvantages • Performance • Language used • Interpretive • Script • New Java VM developed to help save state information of MA.

  16. Intrusion Responses • Dynamically modify or shutdown Target • Automated Tracing of Attackers • Automated Evidence Gathering • Operations on an Attacker’s Host • Isolating the Attacker/Target • Operations on Attacker and Target Subnet

  17. Intrusion Responses • Dynamically modify or shutdown Target • Shutdown compromised target • Gather more information from target • Automated Tracing of Attackers • Follow trail of intruder • Automated Evidence Gathering • Mobil agents move to area of attack • Determine what collection is necessary

  18. Intrusion Responses • Operations on an Attacker’s Host • Limit operations of Attacker • Isolating the Attacker/Target • Prevent network traffic from attacker/target • Operations on Attacker and Target Subnet • Deploy multiple agents to flood systems

  19. Implementations • Mobile agents deployed in Hierarchy • Composed of three types of Agents • Data Collectors • Collect specific data • Minor processing of data • Detection Agents • Detect intrusions • Trace intrusions • Manager Agents • Oversee Data collectors and Detection agents

  20. Conclusion • Still under development • Show great promise • Wireless networks could use Mobile agent protection. • For more information visit http://csrc.nist.gov/mobilesecurity/

  21. References • Wayne Jansen, “Intrusion Detection with Mobile Agents” , National Institute of Standards and Technology, October 2001 • T. Karygiannis, “Network Security Testing Using Mobile Agents”, National Institute of Standard and Technology, June 2002 • Peter Mell, Mark McLarnon, “Mobile Agent Attack Resistant Distributed Hierarchical Intrusion Detection Systems”, National Institute of Standards and Technology, November 1999 • Gene Bradshaw, Mark Greaves, Heather Holmback, T. Karygiannis, Wayne Jansen, Barry Silverman, Niranjan Suri, Alex Wong, “Agents for the Masses?”, IEEE Journal pp. 53- 63, March/April 1999 • Asaka, S.Okazawa, A.Taguchi, and S.Goto, ”A Method of Tracing Intruders by Use of Mobile Agents”, Proceedings of the Ninth Annual Internet Society Conference INET'99, San Jose, California, June 1999 • W. Jansen, P. Mell, T. Karygiannis, D. Marks, “Mobile Agents in Intrusion Detection and Response”, National Institute of Standards, February 2000 • Jai Balasubramaniyan, Jose Omar Garcia-Fernandez, David Isacoff, E. H. Spafford, and Diego Zamboni, “An Architecture for Intrusion Detection using Autonomous Agents”, Department of Computer Sciences, Purdue University, Coast TR 98-05, 1998 • David Kotz, Robert Gray, “Mobile Agents and the Future of the Internet”, Department of Computer Science, Dartmouth College, New Hampshire, December 2002 • Christopher Krugel, Thomas Toth, “Applying Mobile Agent Technology to Intrusion Detection”, Technical University Vienna, Vienna, Austria April 2001 • W. Jansen, P. Mell, T. Karygiannis, D. Marks, “Applying Mobile Agents in Intrusion Detection and Response”, NIST Interim Report – 6416, National Institute of Standards, October 1999

More Related