RESPONSE MECHANISMS IN IDS BASED ON INTELLIGENT AGENTS full report
07-06-2010, 07:12 PM
RESPONSE MECHANISMS IN IDS BASED ON INTELLIGENT AGENTS
Dr. Ashok Patel (1), Dr. V. R. Rathod (2), Prof. Bhushan H. Trivedi (3), Mr. Harshal A. Arolkar (4)
(1) Director & Head, Computer Department, HNGU, Patan, India
(2) Professor & Head, Department of CS, India
(3) Professor, GLSIC Technology, Ahmedabad, India, E-mail:
(4) Asst. Professor, GLS IC Technology, Ahmedabad, India
Intrusion Detection Systems (IDS) are facing stiff competition from IPS today. It is important today to also provide response mechanisms in IDS. We have tried to study some IDS based on mobile agent technology. We have also tried to see how the response component is gaining weight in the overall architecture of IDS design, and how the response is generated from an intrusion. We have looked at a total of four such IDS and compared them on 7 criteria. Our conclusion shows that IDS are becoming more responsive and that response mechanisms are becoming standardized.
Gartner analyst Richard Stiennon, in a 2002 research note, stated that IDS has failed to provide an additional layer of security. He also recommended introducing IPS in place of IDS. There are other comments as well. Marty Roesch, inventor of Snort, says, "IDS and IPS are separate technologies, IPS is access control and IDS is to tell you how insecure your network is". One more vendor says "User wants to just stop attacks". Other vendors, including Cisco, have also shown interest in providing active response rather than passive detection. We have tried to find out how IDS based on intelligent agents react to this wave. We have studied a few current IDS based on intelligent agents and compared them on the basis of response and adaptability. Adaptability is also an important aid to response, since it makes the IDS more resistant to similar types of attacks.
We have studied the following intelligent-agent-based IDSes, which have shown the way to respond in an IDS environment. We discuss them in order of importance and complexity for providing response.
1. Intrusion Detection Agent System (IDA)
2. Mobile Agent Based Attack Resistant Distributed Hierarchical Intrusion Detection Systems (MAARTDHIDS)
3. AAIRS: Methodology for Using Intelligent Agents to Provide Automated Intrusion Response
4. ADEPTS: Adaptive Intrusion Tolerance System
2. INTRUSION DETECTION AGENT SYSTEM (IDA)
The IDA system is being developed at the Information Technology Agency in Japan. Intrusion detection is the prime objective of this system. It also responds to the attack, in a very primitive way: it tries to track down the attacker's machine if it is part of the network; otherwise it tracks the entry point. Quite opposite to earlier systems, this system does not try to catch all intrusions, but most of them, with more efficiency. The authors claim that they were able to trace intruders in 12 out of 13 simulations. The efficiency is achieved by tracing intruders only after noticing an MLSI. An MLSI (Mark Left by Suspected Intruder) is a change in a critical system file or an event such as the start of a root shell (using the su command on a Linux or Unix machine). The authors found that most intrusion patterns contain either modification of a system file or the start of a root shell. The system tries to gather more information as soon as it notices an MLSI.
Three types of mobile agents are used in this system: manager, tracing agent and information gathering agent. IDS sensors are not mobile. IDS sensors gather information about intrusions from system logs. If they detect an MLSI, i.e. if they find an unauthorized root shell starting up or changes made to /etc/passwd, /etc/shadow, /etc/hosts.equiv and similar files, they inform the manager. The manager then dispatches a tracing agent to the target host. The tracing agent activates an information gathering agent upon arrival. The information gathering agent, independent of the parent tracing agent, returns to the manager after collecting additional information. Upon arrival, the tracing agent also employs a message board. The message board lets other agents arriving at the same host know that this particular tracing agent is tracing a specified MLSI, so an agent can notice that another agent is already tracing the MLSI it is trying to trace.
The tracing agent uses the user id and process id related to the MLSI to trace the originator. If the tracing agent reaches the point from where the attack was initiated, or finds the entry point of the attacker, it need not go any further; it returns to the manager with a report. It is also possible to find that some other agent is already investigating: when a tracing agent reaches a host whose message board contains information about a tracing agent that is investigating the route of the same attack, it returns to the manager.
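The sensor side of what this section describes, as an added example that is not IDA's own code: it baselines the critical files named above with SHA-256, reports a change as a file MLSI, and pulls the uid and pid a tracing agent would need out of constructed su log lines. The log format, the file list under a temporary root and the event dictionaries are assumptions.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Files whose modification the IDA sensor treats as an MLSI (from the text above),
# resolved relative to a root directory so the demo can run on a throwaway tree.
CRITICAL_FILES = ["etc/passwd", "etc/shadow", "etc/hosts.equiv"]

# Constructed sample auth-log lines (hypothetical format, not IDA's own):
# "<time> su[<pid>]: session opened for user <target> by <user>(uid=<uid>)"
SAMPLE_AUTH_LOG = """\
10:01:02 su[4120]: session opened for user root by alice(uid=1001)
10:01:40 su[4133]: session opened for user postgres by bob(uid=1002)
10:02:15 su[4150]: session opened for user root by root(uid=0)
"""
LOG_RE = re.compile(r"su\[(\d+)\]: session opened for user (\S+) by ([^\s(]+)\(uid=(\d+)\)")


def baseline(root: Path) -> dict:
    """Record the SHA-256 of each critical file; a missing file is recorded as None."""
    digests = {}
    for rel in CRITICAL_FILES:
        p = root / rel
        digests[rel] = hashlib.sha256(p.read_bytes()).hexdigest() if p.exists() else None
    return digests


def file_mlsi(root: Path, known: dict) -> list:
    """MLSI events for critical files whose digest differs from the baseline."""
    current = baseline(root)
    return [{"kind": "file-modified", "file": rel}
            for rel, digest in current.items() if digest != known.get(rel)]


def root_shell_mlsi(log_text: str) -> list:
    """MLSI events for root shells opened by a non-root user.
    The uid and pid are exactly what the tracing agent uses to follow the originator."""
    events = []
    for m in LOG_RE.finditer(log_text):
        pid, target, user, uid = m.groups()
        if target == "root" and uid != "0":
            events.append({"kind": "root-shell", "pid": int(pid), "user": user, "uid": int(uid)})
    return events


def demo() -> list:
    """Build a throwaway filesystem, take a baseline, alter /etc/passwd, collect all MLSIs."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc/passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc/shadow").write_text("root:*:19000::::::\n")
        known = baseline(root)
        # Simulated change after the baseline: one extra line appended to /etc/passwd.
        (root / "etc/passwd").write_text("root:x:0:0::/root:/bin/sh\nguest:x:1500:1500::/:/bin/sh\n")
        return file_mlsi(root, known) + root_shell_mlsi(SAMPLE_AUTH_LOG)
```

In a real sensor the events would be what the sensor sends to the manager, which then dispatches the tracing agent to the host they came from.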
3. AAIRS: METHODOLOGY FOR USING INTELLIGENT AGENTS TO PROVIDE AUTOMATED INTRUSION RESPONSE
This system employs a large number of agents and has a very elaborate mechanism to respond to intrusion. IDS sensors give their output to Interface Agents. An Interface Agent keeps track of the credibility of that IDS's reports by looking at the to-date intrusion reports and false positives from the same IDS. It generates and maintains an Attack Confidence Metric based on its observations. Interface Agents pass the intrusion information and the attack confidence metric to the Master Analysis Agent. The Master Analysis Agent classifies whether the attack is a new attack or the continuation of an existing attack. For a new attack it creates an Analysis Agent that can handle that attack; otherwise it passes the information to the Analysis Agent already handling the same attack. When the system determines an attack, it passes the information to the Response Taxonomy Agent, whose job is to determine the class of the attack. An important job of the Analysis Agent is to determine the response goal. Examples of response goals are masking the attack from the users, catching the attacker, sustaining a specific service, maximizing data integrity, etc. To accomplish the response goal, plan steps are designed. Examples of plan steps are gathering evidence, preserving evidence, identifying compromised files, notifying the admin, counter-attacking the attacking system, etc. After the plan steps are decided, tactics are decided. For example, the "gather evidence" plan step may enable additional logging, logging on a remote machine, logging on remote media, process accounting, tracing the connection, etc. The Analysis Agent considers a few things before deciding on an action plan. It looks at the response goal and how supportive each proposed plan is of the goal. It also looks at the attack confidence metric and passes it to the Master Analysis Agent to decide the severity of the tactic. Once a few plans have been filtered out by all this, the Policy Specification Agent comes into the picture.
It looks at each plan to see whether the response falls within the security policy decided by the admin. Once all this is determined, the Analysis Agent checks whether there is an existing response plan. If there is, the Analysis Agent re-evaluates it to see whether it is successful; if so, the Analysis Agent continues to execute it, and if not, the Analysis Agent adapts by changing the plan steps. If there is no existing plan, a new plan has to be developed. In this case the Analysis Agent connects to the Response Taxonomy Agent to get all viable plans for this type of attack. The Policy Agent filters out plans that do not fit the policy, and the remaining plans are given to the Tactics Agent to implement. The system can decide to respond at three different times: while the attack is on, when the attack is likely to begin, or when the attack is over. It can also determine whether the attack is carried out by automated scripts or by a human, and even the level of the attacker, i.e. expert or novice. It also considers the degree of suspicion in the IDS input. The system can also determine the seriousness of the attack by considering the target host. For example, if the target host is a normal user's machine the response may not be severe, but if it is the DNS server the response may be very severe. When all plans are exhausted and the target host is feared to be compromised, the system can even shut down the target host.
The response can be carried out immediately with the use of the response toolkit. Whenever the Tactics Agent wants to execute a tactic, it does so using components of the response toolkit. The admin can take control of the system at any time. The admin can also provide feedback, from which the system adapts by learning the success or failure of a particular response against a particular attack.
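An added example, not AAIRS' own code, that wires together the Interface Agent's Attack Confidence Metric, the Master Analysis Agent's new-versus-continuation decision and the Policy Specification Agent's filtering of tactics. The smoothed confidence formula, the correlation window, the confidence threshold and the deny-list policy are assumptions; the tactic names are the examples given in the text.

```python
from dataclasses import dataclass, field


@dataclass
class InterfaceAgent:
    """Sits between one IDS sensor and the rest of AAIRS; tracks that sensor's credibility."""
    sensor: str
    reports: int = 0           # to-date intrusion reports from this IDS
    false_positives: int = 0   # those later confirmed as false positives

    def record(self, confirmed_false_positive: bool) -> None:
        self.reports += 1
        if confirmed_false_positive:
            self.false_positives += 1

    def attack_confidence(self) -> float:
        """Attack Confidence Metric as an assumed Laplace-smoothed true-positive rate
        (the text names the metric but gives no formula)."""
        return (self.reports - self.false_positives + 1) / (self.reports + 2)


@dataclass
class MasterAnalysisAgent:
    """Classifies each alert as a new attack or the continuation of one already handled."""
    window: int = 600                                  # seconds; assumed correlation window
    open_attacks: dict = field(default_factory=dict)   # (src, dst, class) -> last-seen time

    def classify(self, alert: dict) -> str:
        key = (alert["src"], alert["dst"], alert["class"])
        last = self.open_attacks.get(key)
        self.open_attacks[key] = alert["ts"]
        if last is not None and alert["ts"] - last <= self.window:
            return "continuation"   # hand to the Analysis Agent already on this attack
        return "new"                # a fresh Analysis Agent would be created


# Tactics per response goal, taken from the examples in the text above.
TACTICS = {
    "gather-evidence": ["enable-additional-logging", "log-on-remote-machine",
                        "log-on-remote-media", "enable-process-accounting", "trace-connection"],
    "catch-attacker": ["trace-connection", "counter-attack"],
    "maximize-data-integrity": ["identify-compromised-files", "preserve-evidence"],
}
# Constructed admin policy: tactics the Policy Specification Agent never allows.
POLICY_DENY = {"counter-attack"}


def policy_filter(tactics: list, deny: set = POLICY_DENY) -> list:
    """Policy Specification Agent: drop tactics outside the admin's security policy."""
    return [t for t in tactics if t not in deny]


def select_tactics(goal: str, confidence: float, min_confidence: float = 0.5) -> list:
    """Analysis Agent step (assumed rule): a doubtful report only notifies the admin;
    a credible one gets the goal's tactics minus whatever policy forbids."""
    if confidence < min_confidence:
        return ["notify-admin"]
    return policy_filter(TACTICS[goal])


def handle_alert(interface: InterfaceAgent, master: MasterAnalysisAgent,
                 alert: dict, goal: str) -> dict:
    """Run one alert through the three agents and report what each decided."""
    confidence = interface.attack_confidence()
    return {"attack": master.classify(alert), "confidence": round(confidence, 3),
            "tactics": select_tactics(goal, confidence)}
```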
4. MOBILE AGENT BASED ATTACK RESISTANT DISTRIBUTED HIERARCHICAL INTRUSION DETECTION SYSTEMS
This system provides attack resistance through its very architecture. Conventional IDS, being hierarchical, have the disadvantage of being rigid in nature: if a node is attacked and compromised, all its descendants are cut off.
Here the middle-tier components of the IDS are implemented as mobile agents. Their movement in the network is random, and effectively pinpointing them is difficult. They can stay away from networks or hosts likely to be compromised, which lets them evade attackers. Being mobile, it is easier for the IDS components to hide themselves in the network and evade attackers, and they can also be rejuvenated if killed. The IDS component agents can create clones known as backup agents; when an attacker kills a component, a backup agent takes over its responsibility. All agents are digitally signed, avoiding the problem of rogue agents. It is important to note that only the middle-tier components, i.e. the data aggregation and processing components, are mobile. Leaves, i.e. data collection agents, are static, and servers are also static. Unlike other systems, this system has no centralized mobile agent directory, which makes the attacker's job that much more difficult. Agents have to keep a list of all other agents with whom they have to communicate. Agents periodically ask the platform on which they are running for a list of other platforms. From that list they choose a platform at random and migrate to it. Every agent is paired with a buddy, and an agent notifies only its buddy about its movement. When an attacker kills an agent, the buddy of that agent takes note of it. All traffic is encrypted, so an attacker can only kill an agent, not eavesdrop on it.
To survive any one of the above possibilities, an agent does the following.
It moves to another random platform. This helps in the second case, where the attacker knows about its existence on a specific mobile platform. It avoids all LANs that have recently communicated with the target mobile agent. (This is possible thanks to a Dangerous LAN List, i.e. the list of networks the agent recently visited, which all mobile platforms periodically publish to other agents.) Obviously it should also avoid the LAN hosting the target mobile agent.
As mentioned earlier, agents can clone themselves into backup agents. Backup agents constantly talk to the original agent. An attacker could follow the communication between backup and original and kill both agent and backup simultaneously. To avoid that problem, backup agents generate dumb proxy agents; whenever a backup agent talks to the original agent, it talks via a proxy. Backup agents may use multiple proxies. When an agent dies, all backup agents go through a voting process at a pre-decided place; there are voting agents for this job. Some of the backup agents may also have been killed, so only a few backup agents participate in the voting process; one of them becomes the winner and replaces the original agent, and the other backup agents die. The winner then tries to find the buddy of the original agent by probing all mobile agent platforms one after another, and then sends a request to rejoin at the specified place in the IDS hierarchy.
The implementation is done using Aglets, and the authors are planning to provide an API-based interface to the system.
5. ADEPTS: ADAPTIVE INTRUSION TOLERANCE SYSTEM
This system is developed with special interest in response. It has a much more systematic way to detect and respond to intrusions in a distributed environment than any other system we have studied above. It can handle multiple concurrent alerts, uncertainty in detection and failure of response. The response mechanism here aggregates the severity of a response, its effectiveness and the possibility of escalation to determine the appropriate set of responses. It can find out what an attacker has done so far, determine from that what he is planning to do, and prevent that adaptively.
One interesting aspect of the system is the I-DAG (Intrusion Directed Acyclic Graph). Looking at the present situation, the system can determine its own status and relate it to the corresponding node in the I-DAG. Thus it can determine what the attacker must have compromised to reach here and what he can do next.
The IRS here is designed to behave proactively, to prevent an attacker from moving up the DAG. Each node in the I-DAG has a Cause Service Set and an Effect Service Set. The former contains all services that must be compromised in order to achieve the goal; the latter includes all services that are taken to be compromised once the goal is achieved. To express these relations, the I-DAG uses AND and OR edges and intermediate nodes. When a combination of AND and OR arcs is required, it is expressed by having one branch with all AND arcs and another with OR arcs, joined by intermediate nodes.
The system that detects the intrusion was designed earlier and is named CIDS. This system gives input to ADEPTS. The input comprises two things: the type of attack and a confidence value, a real number between 0 and 1. The system can accept multiple alerts at the same point in time; a separate I-DAG will be initiated for each such alert. If there is a node in the I-DAG corresponding to the intrusion, the confidence is assigned to that node. The Compromised Confidence Index (CCI) of a node is the probability that the node is compromised. It is decided by the confidence of the node and the CCI of the immediate children of the node. The CCI algorithm runs when a new alert enters the system. It traverses the I-DAG bottom up, starting at the nodes for which alarms have been raised and going up to the roots. When the CCI of a node is greater than a pre-defined threshold value, the system deduces that the node is compromised. After the algorithm has traversed to the top and calculated the CCI for each node on the path, it starts traversing downwards, labeling each node it visits. There are four possible labels. Strong Candidates (SC) are nodes with CCI above the threshold. Weak Candidates (WC) are nodes with CCI less than or equal to the threshold but on an AND path to an SC node. Very Weak Candidates (VWC) have CCI less than or equal to the threshold but are on an OR path to an SC node. Non Candidates (NC) are nodes that are none of the above. Some of these nodes are then placed in the response set. The nodes in the response set are what the Response Index calculation algorithm uses to decide the response; it spawns a thread for each node that needs to be processed.
The response index (RI) is a real number; the higher the RI, the better the response for the given attack. The RI is calculated considering the node class, the disruptiveness index (DI) and the effectiveness index (EI). All these indexes are real numbers between 0 and 1.
When an attack goal is achieved and a response is initiated, the node in the I-DAG corresponding to that goal and the response action taken are pushed onto the Sensitivity Queue (SensQ). It is kept so that when a new attack is seen, we can check whether it was made possible by a failed response; in that case the EI value of the response is reduced. If no new attack corresponding to failure of the response is found within 30 hours, the response is considered successful and its EI value is incremented. To prevent a response from being fired while the same response has already been fired, a table is kept, known as the Activation Lookup Table.
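A worked run of the CCI, labeling, RI and SensQ steps above over a constructed toy I-DAG, as an added example rather than ADEPTS' own code. The CCI combination rule, the threshold, the node-class weights, the RI formula, the SC/WC response set and the EI step size are all assumptions, since the text gives the procedure but not the formulas.

```python
from dataclasses import dataclass, field

THRESHOLD = 0.6                                                 # assumed CCI threshold
CLASS_WEIGHT = {"SC": 1.0, "WC": 0.6, "VWC": 0.3, "NC": 0.0}   # assumed node-class weights


@dataclass
class Node:
    name: str
    kind: str = "leaf"        # "AND" / "OR": how the children's compromise combines
    children: list = field(default_factory=list)
    confidence: float = 0.0   # CIDS alert confidence assigned to this node (0..1)
    cci: float = 0.0          # Compromised Confidence Index
    label: str = "NC"


def build_idag() -> dict:
    """Constructed toy I-DAG (not ADEPTS' own): reaching customer data needs the
    database AND an app-tier foothold; the app tier falls via ftp OR the web server."""
    ftp, web, db = Node("ftp-server"), Node("web-server"), Node("db-server")
    app = Node("app-tier", "OR", [ftp, web])
    root = Node("customer-data", "AND", [app, db])
    return {n.name: n for n in (ftp, web, db, app, root)}


def compute_cci(n: Node) -> float:
    """Bottom-up pass; assumed rule: CCI = max(own confidence, min over AND / max over OR children)."""
    agg = 0.0
    if n.children:
        child = [compute_cci(c) for c in n.children]
        agg = min(child) if n.kind == "AND" else max(child)
    n.cci = max(n.confidence, agg)
    return n.cci


def label(n: Node, parent_sc: bool = False, parent_kind: str = "") -> None:
    """Top-down pass assigning SC / WC / VWC / NC as described in the text."""
    if n.cci > THRESHOLD:
        n.label = "SC"
    elif parent_sc and parent_kind == "AND":
        n.label = "WC"
    elif parent_sc and parent_kind == "OR":
        n.label = "VWC"
    else:
        n.label = "NC"
    for c in n.children:
        label(c, n.label == "SC", n.kind)


# Constructed candidate responses per node: (disruptiveness index DI, effectiveness index EI).
RESPONSES = {
    "web-server": {"restart-web-service": (0.3, 0.5), "block-source-ip": (0.2, 0.8),
                   "disconnect-host": (0.9, 0.95)},
    "app-tier": {"enable-verbose-logging": (0.05, 0.4)},
}


def response_index(lbl: str, di: float, ei: float) -> float:
    """Assumed RI formula: favours strong candidates and effective, low-disruption responses."""
    return CLASS_WEIGHT[lbl] * ei * (1.0 - di)


def analyse(nodes: dict, alerts: dict, root: str = "customer-data") -> dict:
    """Assign alert confidences, run both passes, pick the highest-RI response per SC/WC node."""
    for name, conf in alerts.items():
        nodes[name].confidence = conf
    compute_cci(nodes[root])
    label(nodes[root])
    chosen = {}
    for name, n in nodes.items():
        if n.label in ("SC", "WC") and name in RESPONSES:   # assumed response set
            best = max(RESPONSES[name].items(), key=lambda kv: response_index(n.label, *kv[1]))
            chosen[name] = best[0]
    return chosen


def update_effectiveness(node: str, response: str, failed: bool, step: float = 0.1) -> float:
    """SensQ feedback: a response blamed for a later attack loses EI, otherwise it gains EI."""
    di, ei = RESPONSES[node][response]
    ei = max(0.0, ei - step) if failed else min(1.0, ei + step)
    RESPONSES[node][response] = (di, ei)
    return round(ei, 6)
```

With alerts on web-server (0.8) and db-server (0.5) the root stays below the threshold, so the response is aimed at the app tier and the web server rather than at the not-yet-reached goal.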
All four systems considered above show how IDS based on mobile agents have evolved over time to include response. We have tried to compare them based on the discussion above. The comparison is given in Table 1 at the end.
We have drawn a few conclusions from our study:
1. Most of the IDS have response as a secondary activity.
2. The number and type of responses that can be generated are increasing. From only one possible response in IDA, there are more than 100 responses possible in
3. From only tracing the intruder in IDA to anticipating what the intruder would do next and preparing for it in ADEPTS.
4. All models consider parallel attacks and have provision for response. ADEPTS can also interlink different attacks and anticipate the next type of attack.
5. Being based on mobile agents, all the models fit in a distributed infrastructure.
6. Of the models that we have studied, only ADEPTS considers the case where the response has failed.
7. The intrusion detection process is becoming standardized. The Response Taxonomy Agent specified in AAIRS signifies that it is possible to have an intrusion classified as a specific type.
8. Almost all models use some form of AI to check the faith in intrusion alarms and responses.
9. The third model uses an important mechanism of using a response toolkit and making it independent from the OS. The fourth model is also based on a mechanism which can have actual responses separated from the mainstream intrusion detection and response decision process. Thus models today have more thrust on independence and interoperability.
REFERENCES
1. Andrew Conry-Murray, "Emerging technologies: Intrusion Detection vs. Prevention", Network Magazine, pp. 52-55, May 2003.
2. M. Asaka, S. Okazawa, A. Taguchi, and S. Goto, "A method of tracing intruders by use of mobile agents", in 9th Annual Conference of the Internet Society.
3. Peter Mell and Mark McLarnon, "Mobile agent attack resistant distributed hierarchical intrusion detection systems", in Proceedings of the Second International Workshop on Recent Advances in Intrusion Detection (RAID99), Purdue, IN, USA, September 1999.
4. D. Ragsdale, C. A. Carver, J. Humphries, and U. Pooch, "Adaptation techniques for intrusion detection and intrusion response system", in Proceedings of the IEEE International Conference on Systems, Man, and Cybernetics, Nashville, Tennessee, pp. 2344-2349, October 8-11, 2000.
5. Curtis Carver Jr., John M. D. Hill, and John R. Surdu, "A Methodology for Using Intelligent Agents to provide Automated Intrusion Response", in Proceedings of the IEEE Systems, Man, and Cybernetics Information Assurance and Security Workshop, West Point, NY, June 6-7.
6. Bingrui Foo, Yu-Sung Wu, Yu-Chun Mao, Saurabh Bagchi, and Eugene Spafford, "ADEPTS: Adaptive Intrusion Response using Attack Graphs in an E-Commerce Environment", in International Conference on Dependable Systems and Networks (DSN), Yokohama, Japan, June 28 - July 1, 2005.
Prof. Bhushan Trivedi
Educational Background: pursuing PhD, MCA. Experience: Nearly 19 yrs in academics, currently Professor at GLSICT for the last 7 yrs. Areas of Interest: AI, Networking, Inter-Networking, Sensor Networks, Network Security. Currently serving as Vice Chairman, CSI Ahmedabad Chapter.
Dr. Ashok Patel
Educational Background: PhD, PG DCA.
Experience: Nearly 20 yrs academic experience, currently Director and Head of the Computer Department at Hemchandracharya North Gujarat University. Has guided 8 PhD students so far; at present 4 students are pursuing their PhD under his guidance. Areas of Interest: E-Governance, Networking. Currently serving as Regional Student Branch Counselor, Region III, CSI.
Mr. Harshal Arolkar
Educational Background: pursuing PhD, MCA. Experience: 7 yrs in academics, currently working as Assistant Professor at GLSICT. Areas of Interest: Networking, Sensor Networks, Sensor Network Applications. Currently serving as Hon. Secretary, CSI
Dr. V. R. Rathod
Educational Background: PhD, M.Sc (Statistics). Experience: Nearly 30 yrs total experience in industry as well as academics, currently Professor and Head of the Department of Computer Science at Bhavnagar University. Has guided 4 PhD students so far; at present 5 students are pursuing their PhD under his guidance. Areas of Interest: Computer applications in rural areas and for the physically disabled, Networking, E-Security.
Table 1: Comparison of the four systems (IDA, MAARTDHIDS, AAIRS, ADEPTS) on 7 criteria

Response mechanism
- IDA: When an MLSI is found, an agent traces the connection to reach the origin.
- MAARTDHIDS: Resurrection of compromised or killed agents, and use of redundancy at various places.
- AAIRS: Based on the analysis agent's input, a specific response from the response toolkit is executed by the tactics agent.
- ADEPTS: Depending on the node in the I-DAG from which the response is decided to be initiated, the response with the highest value of RI is executed.

Agents used
- IDA: Manager and sensors as static agents; Tracing and Information Gathering as mobile agents.
- MAARTDHIDS: Only the middle tier of the IDS is implemented as mobile agents. It uses agents representing components, their backup agents and their proxy agents.
- AAIRS: Analysis and Response Taxonomy agents to identify the type of attack, a master analysis agent to co-ordinate, a policy specification agent to implement policy and a tactics agent for response.
- ADEPTS: The entire job seems to be done by a single agent.

Attacks which can be handled
- IDA: One which issues the su command or changes a system file.
- MAARTDHIDS: Any attack which either kills agents or tries to trace them. This architecture handles attacks against the agents themselves.
- AAIRS: Any attack which can be specified by the user. It is possible to differentiate between an ongoing attack and a new attack, and also the type of attacker, i.e. human or automated.
- ADEPTS: Any lower-level to higher-level attack. Any attack that is possible in sequence with other attacks can also be proactively handled, whether the attack is a new one or an ongoing one, or two different attacks have the same goal. Capable of handling concurrent attacks as well, using multiple threads.

Which type of response is possible
- IDA: Only tracing the place from where the intrusion commenced is possible.
- MAARTDHIDS: Evade attackers and also resurrect killed agents. This architecture is attack resistant.
- AAIRS: Execute responses that are already designed for specific attacks. Newer responses using building blocks from the response toolkit.
- ADEPTS: Respond in the way the user (proactive and after-attack) wants and has designed actions for. Check if the response failed to prevent an attack. Multiple responses can be provided for a single attack from different nodes.

Adaptation capability
- IDA: Almost none.
- MAARTDHIDS: Depending on the user input, more backup agents can be generated.
- AAIRS: Only responses which can be constructed using the given building blocks are possible.
- ADEPTS: Large response sets can be provided. The system can adapt to different types of attacks, different ways of carrying out the same attack, and can even adapt to check the effectiveness of a given response for a given attack.

Intrusion detection
- IDA: It is done by IDA and the response is just subsidiary.
- MAARTDHIDS: Intrusion detection and response are done by the same agents.
- AAIRS: Intrusion detection is done by a hierarchical IDS system.
- ADEPTS: The Co-operative Intrusion Detection System (CIDS) is the parent IDS. This IDS provides input to the system.

Uncertainty is handled
- IDA: No.
- MAARTDHIDS: No.
- AAIRS: Confidence metric and admin's
- ADEPTS: Confidence in the alarm itself is used to find