Using correlation engine and mobile agents for intrusion detection

Réginald Lips, lips [email protected]

Nabil El-Kadhi, el-kad [email protected]

LERIA, European Institute of Technology, 24, rue Pasteur, 94270 Le Kremlin-Bicêtre, FRANCE

Abstract

The IMAIDS project (Intelligent Mobile Agent for Intrusion Detection System) is carried out by five 5th year students, Réginald Lips, Nicolas Carlier, Damien Molot, Jean-Marie Peschoux and Alexandre Luciani, from Epitech (European Institute of Technology; http://www.epitech.net/), within the framework of their end of studies project. The purpose of this document is to present a part of our research project: using an expert system as a correlation engine, together with mobile agents, for intrusion detection. This paper has been co-written by Réginald Lips, project leader of IMAIDS, Nabil El-Kadhi, director of the LERIA, and Davide Del Vecchio, senior security consultant for Telecom Italia. First, we recall the goal and the general context of the IMAIDS project, its objectives and the research topics addressed. Then we describe in more detail the implementation and the theoretical basics of the expert system used to build a functional correlation engine applied to a mobile agent platform for intrusion detection.

Keywords: expert system, mobile agent, security, IDS.

1 General context

1.1 The IMAIDS project

IMAIDS, or Intelligent Mobile Agent for Intrusion Detection System, is a research laboratory project applied to industry. The main goal of this project is to develop a finished intelligent tool prototype for intrusion detection. The global approach of the project has been described in a first publication [1]. IMAIDS is an Intrusion Detection System (IDS [2]). Basically, an IDS aims first to collect information in a computer network, such as network flow or system logs, second to recognise an attack depending on a detection method, and to notify the network administrator when an attack occurred. The best-known IDS ([2], [3]) use two methods for detection. The first, based on signatures [4], makes it possible to react to known attacks in a reliable way but is inefficient against unindexed attacks. The second [5] is based on host behaviour analysis in the network. This method is more aggressive against unknown attacks but less efficient because of false positives [6]. Moreover, these IDS are based on a monolithic architecture [7], which induces centralized data processing and substantially reduces performance and fault-tolerance, considerable disadvantages. The first main idea of the IMAIDS project is to get a completely decentralized system. That is why IMAIDS is based on a mobile agent platform. In addition, this decentralized system gives a new dimension to the detection because we can get a global vision of the network. In this way, we developed a decentralized expert system in order to make relations between events on the network.

1.2 Basic principles

IMAIDS is based on a mobile agent platform [8] for intrusion detection. This specific platform is composed of a set of agents able to move on the network, communicate and reason according to an attack recognition logic. As we mentioned previously, IDS are based on rules, known as static rules (signatures), to detect an intrusion [9]. Our project extended this technique by introducing the concept of partial signatures [10]. These new dynamic rules bring similarity recognition to the system and make it possible to discover polymorphic attacks or attacks based on the same vulnerabilities. IMAIDS uses a multi-agent platform for the deployment in order to acquire all the advantages of a distributed architecture. It adapts to heterogeneous networks and is suitable for several operating systems. It is written in the Java language, which has been chosen for its compatibility with many systems and especially for the availability of existing multi-agent platforms which respect the MAS (Multi-Agent Systems) standardization described by the FIPA (Foundation for Intelligent Physical Agents). Finally, IMAIDS integrates three important concepts. The first is information collection, which can be dynamic on the network. The second is partial signature computation, a decisional engine that raises alarms based on the information collected by each agent. The third is an organisational engine able to deploy and manage the agents on the platform.

2 IMAIDS architecture

2.1 Technical description

IMAIDS is presented as a multi-agent architecture. The processing itself cannot be summarized as the execution of a single program on a single host, but as the execution of all mobile agents, which are able to move on a wide network. An agent can move to another host, be duplicated, communicate with other agents, or sleep. Whereas the stability of a traditional program depends on a single host, this kind of platform can completely decentralize processing over several hosts. Several Java frameworks are available to build an agent platform. JADE [8] or Aglets [11] provide a complete agent platform and respect standards like FIPA (Foundation for Intelligent Physical Agents). IMAIDS is based on JADE, which allows great integration flexibility and provides useful features. The IMAIDS mobile agent platform is composed of four types of agent. The agent organization is summarized in Figure 1.

Figure 1: Agent organization

2.2 The collector agent

The first step of intrusion detection is collecting information. IMAIDS is a network based IDS, so the aim of the collector agent is to collect network flow. It patrols the network and finds a host where it can listen. The goal is not to catch all the traffic but to recover interesting information. The collector agent performs a first filtering process based on basic filtering rules and drops all useless information. Each collector agent, when deployed, is able to integrate several filters such as protocol, IP, port and so on. Filters can also be used to distribute the collection. Figure 2 is a simple example of a filtering rule:

* * * * * 22 SSH-1.99-OpenSSH_4.6

Figure 2: Filtering rule example

When useful information is caught, the collector agent raises an event to the correlator agent. This event contains several pieces of information such as an ID, a timestamp and details about the sender host. We will see in more detail, in the correlation engine section, the importance and the purpose of an event.
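As an added illustration (not IMAIDS code), the following collector-side matcher reads a rule in the whitespace-separated form of Figure 2 and emits event records carrying the attributes listed in section 3.2. The column order (protocol, source MAC, destination MAC, source IP, destination IP, port, payload banner) is an assumption, since the paper does not spell it out.

```python
from dataclasses import dataclass

# Assumed column order of a filtering rule (not stated in the paper).
FIELDS = ("proto", "mac_src", "mac_dst", "ip_src", "ip_dst", "port", "payload")

@dataclass
class FilterRule:
    rule_id: str      # becomes the event ID sent to the correlator
    patterns: tuple   # one entry per field; "*" matches anything

def parse_rule(rule_id, text):
    """Parse one whitespace-separated rule line such as Figure 2."""
    parts = text.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} columns, got {len(parts)}")
    return FilterRule(rule_id, tuple(parts))

def matches(rule, packet):
    for name, pat in zip(FIELDS, rule.patterns):
        if pat == "*":
            continue
        value = str(packet.get(name, ""))
        # the payload column is a substring match (a banner inside the packet
        # data); every other column must match exactly
        ok = pat in value if name == "payload" else pat == value
        if not ok:
            return False
    return True

def raise_events(rules, packet):
    """Return the event records a collector would send to the correlator."""
    return [{"id": r.rule_id, "ip_src": packet["ip_src"], "ip_dst": packet["ip_dst"],
             "mac_src": packet["mac_src"], "mac_dst": packet["mac_dst"],
             "timestamp": packet["ts"]} for r in rules if matches(r, packet)]

RULE_B = parse_rule("B", "* * * * * 22 SSH-1.99-OpenSSH_4.6")   # Figure 2

# Constructed sample packet: an SSH server banner leaving 10.0.0.5:22
PKT = {"proto": "tcp", "mac_src": "00:11:22:33:44:55", "mac_dst": "66:77:88:99:aa:bb",
       "ip_src": "10.0.0.5", "ip_dst": "10.0.0.9", "port": 22,
       "payload": "SSH-1.99-OpenSSH_4.6\r\n", "ts": 1700000000}
```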

2.3 The correlator agent

The correlator agent is the main analyzing instance in the platform. It receives collectors' events and makes relations between them. The correlator agent uses a set of correlation rules to classify and deduce events from collected information. Keep in mind that collected events come from multiple distinct collector agents, so the deduction and detection analysis gets a global vision of the network. The final idea is to deduce that an attack occurred when received events satisfy a set of crucial properties, even if there is a possible lack of information. These properties, described by the correlation rules, make it possible to specialize correlator agents and thus distribute the computation. If a final deduction is found, we consider that an attack occurred with a certain truth coefficient. This final information is forwarded to the corresponding analyzer agent, which will take the decision to raise an alert to the network administrator.

2.4 The analyzer agent

The analyzer agent receives final deductions from correlator agents and performs some computation on the transmitted truth coefficient to decide if the attack occurred and if the administrator should be made aware. This agent also has a set of rules to define its behavior. Figure 3 gives an example of an analyzer rule.

Attack on Web server Apache version 2.2.4 0.75 60000

Figure 3: Analyzer rule example

2.5 The manager agent

The manager agent is the organisational engine. It controls the agent integration process in the platform. The manager is able to deploy the agents on sensitive hosts/networks in a precise way. It creates the different agents and sets their roles by distributing the filtering rules, correlation rules and analyzer rules.

3 The correlation engine

3.1 An expert system applied to intrusion detection

The main idea of the IMAIDS project is to detect intrusions in a wide network by analyzing different crucial events on different hosts. The final goal is to deduce anomalies from facts. As we saw, the IMAIDS architecture makes it possible to get a global vision of the targeted network. The correlator agent brings back events from collectors and analyzes them. The correlator agent is specialized in making relations between the collected events. This is an expert system applied to intrusion detection [12]: it uses logical rules to define an attack or an unwanted behavior.

3.2 Network events

As a signature based IDS, we started by working on how to describe an attack for the best detection: what facts characterize an attack? A connection on host A port 80, connection attempts on servers B, C, D, a connection to vulnerable software, and so on. In our approach, we chose to split attacks into minimalist events to be able to factorize them easily. An event is generated from a collector's filtering rule and transmitted to the correlator agent. An event is composed of an ID, corresponding to the filtering rule ID, and several useful pieces of information such as: source IP, destination IP, source MAC, destination MAC and a timestamp. These attributes are sent to the correlator agent in order to ensure the matching rule computation.

3.3 Correlation rules

The correlation rules deduce events from collected ones. They describe three relations between events:

• OR: if event A OR event B has been seen on the network or deduced, then we consider that C occurred.

  $A \oplus B \Rightarrow C$

• AND: if event D AND event E have been seen on the network or deduced, then we consider that F occurred.

  $D E \Rightarrow F$

• AND with comparison attributes: if event G AND event H have been seen on the network (or deduced) with the same MAC address and the same IP address, then we consider that I occurred.

  $\begin{cases} G H \Rightarrow I \\ G.mac\_src = H.mac\_src \\ G.ip\_src = H.ip\_src \end{cases}$

On the other hand, there are two types of rule computation. First, the forward engine, which makes a regular deduction: if event A AND event B exist, then we consider that C occurred.

  $A B \Rightarrow C$

Second, the backward engine, which is the opposite: if event C exists, then we consider that event A AND event B occurred.

  $A B \Leftarrow C$

An important point in rule computation is the truth coefficient of an event. In fact, we additionally used a kind of fuzzy logic [10] within the rule computation. Each event has a truth coefficient between 0 and 1 inclusive. If an event is seen by a probe, then its truth coefficient is 1: there is no doubt. But if an event is deduced, its truth coefficient is the weighted mean of the truth coefficients of the events composing the rule. As noted in our BNF, Figure 4, we can define a weight for an event in a rule. This weight is used to calculate the truth coefficient.

3.4 Critical events

The correlation engine generates events from collectors' observations, but when have we finished the computation and detected an attack? Actually, the analyzer agent is the final step of attack recognition. Its rules determine which final events are considered as attacks, and with what truth coefficient. The analyzer agent sends a notification to correlator agents to register its critical events. If a correlator agent receives or deduces one of these critical events, then it sends it to the analyzer agent with the corresponding truth coefficient. The analyzer agent takes the decision to alert the system administrator if the truth coefficient is high enough.

Figure 4: BNF of correlation rules. The right-hand sides of the productions did not survive extraction; what remains is the list of non-terminals and the terminal alternatives.

Non-terminals: Rule, Sub_Rule, R_Event, Event, Info, Coordinate, Relation_prop, Coordination_prop, CP_Date, CP_Double, CP_Integer, CP_String, Oper_Date, Info_Double, Info_Integer, Info_String, Info_Date, Bin_Op, Relation, Operand, Negation, Weight

Surviving terminal alternatives: Event_ID+; [ Value ]; Truth_coef; Port_src | Port_dst | Event_ID; IP_src | IP_dst | Mac_src | Mac_dst; Date_expired | Date_collected; AND | OR | XOR; < | > | <= | >= | == | !=; + | - | * | / | %; ^; double

3.5 Experimental case

To illustrate IMAIDS capabilities, we wanted to resolve a frequent problem with well-known IDS: an attack on vulnerable software generates an alert even if this software is not running. This is a false positive. We put IMAIDS in this situation and, to prevent this false positive, we defined two filtering rules. The first is able to detect the attack as a classical signature based IDS would (Rule A). The second is able to detect if the vulnerable software is running (Rule B). For example, most servers give their version signature in the default configuration when they are requested; Figure 2 will detect OpenSSH v4.6 running. These rules are sent to collectors. When a collector agent matches Rule A or B, it raises an event A or B to the correlator agent. On the other hand, a correlation rule is set with the following properties:

  $\begin{cases} A B \Rightarrow C \\ A.ip\_dst = B.ip\_src \\ A.port\_dst = B.port\_src \end{cases}$

It means that if an event A and an event B are collected with:

• Destination IP of event A = Source IP of event B

• Destination port of event A = Source port of event B

then we can deduce event C (which could be considered as an attack, but not yet, not at the correlation stage). Finally, in the analyzer agent, we define that event C is a critical event (an attack) and the administrator must be alerted (see the example in Figure 3). As a result, the system takes the decision to raise an alert to the administrator only if the targeted attack occurred on the vulnerable software. In this case, IMAIDS substantially reduces false positives just by making a correlation between an attack and the version of the targeted software.
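The following forward-chaining correlator is an added example, not IMAIDS code, written from the description in sections 3.3 to 3.5: AND/OR rules with comparison attributes, truth coefficients computed as the weighted mean of the operands, and the analyzer threshold of the experimental case. Event and rule field names, weights and the sample addresses are constructed for the example.

```python
from dataclasses import dataclass, field
from itertools import product

@dataclass
class Event:
    id: str
    attrs: dict = field(default_factory=dict)  # ip_src, ip_dst, port_dst, ...
    truth: float = 1.0                         # 1.0 when seen by a probe

@dataclass
class Rule:
    result: str
    operands: list          # [(event_id, weight), ...]
    relation: str = "AND"   # "AND" or "OR"
    constraints: tuple = () # ((lhs_id, lhs_attr), (rhs_id, rhs_attr)) pairs

def apply_rule(rule, known):
    """Forward engine: deduce rule.result from the known events, if possible."""
    if rule.relation == "OR":   # any operand instance alone deduces the result
        return [Event(rule.result, dict(ev.attrs), ev.truth)
                for ev_id, _ in rule.operands for ev in known.get(ev_id, [])]
    ids = [ev_id for ev_id, _ in rule.operands]
    weights = [w for _, w in rule.operands]
    deduced = []
    # AND: try every combination of one instance per operand
    for combo in product(*(known.get(i, []) for i in ids)):
        chosen = dict(zip(ids, combo))
        if not all(chosen[l].attrs.get(la) == chosen[r].attrs.get(ra)
                   for (l, la), (r, ra) in rule.constraints):
            continue   # comparison attributes do not match
        # truth coefficient of a deduced event = weighted mean of its operands
        truth = sum(w * chosen[i].truth for i, w in zip(ids, weights)) / sum(weights)
        # merge operand attributes; the first operand's values take priority
        attrs = {k: v for ev in reversed(combo) for k, v in ev.attrs.items()}
        deduced.append(Event(rule.result, attrs, truth))
    return deduced

def correlate(events, rules):
    """Apply the rules until no new event type can be deduced (fixpoint)."""
    known = {}
    for ev in events:
        known.setdefault(ev.id, []).append(ev)
    changed = True
    while changed:
        changed = False
        for rule in rules:
            if rule.result not in known and (new := apply_rule(rule, known)):
                known[rule.result] = new
                changed = True
    return known

# Correlation rule of the experimental case: A and B with matching IP/port give C
RULES = [Rule("C", [("A", 1.0), ("B", 1.0)], "AND",
              constraints=((("A", "ip_dst"), ("B", "ip_src")),
                           (("A", "port_dst"), ("B", "port_src"))))]
CRITICAL = {"C": 0.75}   # analyzer: critical event and truth threshold (cf. Figure 3)

def alerts(events, rules=RULES, critical=CRITICAL):
    """Analyzer step: critical events whose truth coefficient reaches the threshold."""
    known = correlate(events, rules)
    return [(ev.id, ev.truth) for cid, thr in critical.items()
            for ev in known.get(cid, []) if ev.truth >= thr]

# Constructed sample: attack A aimed at 10.0.0.5:22 and banner B seen from 10.0.0.5:22
SAMPLE = [Event("A", {"ip_src": "10.0.0.9", "ip_dst": "10.0.0.5", "port_dst": 22}),
          Event("B", {"ip_src": "10.0.0.5", "port_src": 22})]
```

With the sample events `alerts(SAMPLE)` returns `[("C", 1.0)]`; changing B's source port to 80 leaves the comparison constraint unsatisfied and no alert is raised.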

Conclusion

IMAIDS integrates two emerging technologies, a multi-agent platform and attack recognition based on partial signatures, to make an effective and intelligent intrusion detection system. IMAIDS keeps watch over a set of computers, reducing network resources and false positives, without interfering with other hosts. IMAIDS has been tested in a research lab environment. The obtained results encourage us to deploy it, after enriching the knowledge database, on a large experimental network. A set of points will be integrated and improved. Basically, we have to develop a kind of learning engine that will validate some specific rules. This engine will also carry over to the filtering rules, which will drastically limit false positives. Additional information is available on:

• https://pfe.epitech.net/projects/imaids/

• http://leria.epitech.net/

References

[1] Réginald Lips, Nabil El-Kadhi. Intelligent Mobile Agent for Intrusion Detection System. Worldcomp - SAM'07, 2007.

[2] Kerry J. Cox, Christopher Gerg. Managing Security with Snort & IDS Tools. O'Reilly, 2004.

[3] The Prelude Hybrid IDS project. http://www.prelude-ids.org/

[4] What You Need to Know About Intrusion Detection Systems. http://www.windowsecurity.com/articles/What_You_Need_to_Know_About_Intrusion_Detection_Systems.html

[5] The Evolution of Intrusion Detection Systems. http://www.securityfocus.com/infocus/1514

[6] William Yurcik. Controlling Intrusion Detection Systems by Generating False Positives. http://www.projects.ncassr.org/sift/papers/-lcn02.pdf

[7] Mark Crosbie, Gene Spafford. Defending a Computer System using Autonomous Agents. http://ftp.cerias.purdue.edu/pub/papers/mark-crosbie/mcrosbie-spaf-NISC.pdf. Purdue University, March 11, 1994.

[8] Fabio Luigi Bellifemine, Giovanni Caire, Dominic Greenwood. Developing Multi-agent Systems With Jade. John Wiley & Sons, 2007.

[9] Stephen Northcutt, Judy Novak. Network Intrusion Detection: An Analyst's Handbook. New Riders Publishing, September 22, 2000.

[10] Jerry M. Mendel. Uncertain Rule-Based Fuzzy Logic Systems. Prentice Hall, December 2000.

[11] Danny Lange, Oshima Mitsuru, Mitsuru Oshima. Programming and Deploying Java Mobile Agents With Aglets. Addison-Wesley Professional, 1998.

[12] Nabil El-Kadhi, Romain Dequit, Fayal Daira. Using Correlation Detection for IMA-IDS Architecture. http://leria.epitech.net/site/main.php?action_view=submenu&option=tree&id_tree=89, July 2004.
