A cooperative agent-based model for active security systems

https://doi.org/10.1016/j.jnca.2004.02.002

Abstract

This paper presents a multi-agent model for implementing active security concepts. In this model, a group of agents carry out their tasks cooperatively in order to achieve an ultimate security goal. A low-level module of the proposed model reads the values of relevant data items from current network events and passes them to a relational database. Comparing these measurements against predefined values in an intruder signature database may point to a particular attack.

The proposed model consists of two parts. (1) A multiagent Intrusion Detection System (MIDS) for detecting attacks. (2) An Active Security Mechanism (ASM) for taking an active, network-wide response against attackers. The proposed approach provides a customizable host environment built from various systems software components to allow an optimal match between the intrusion circumstances and the underlying security architecture. Thus, different frameworks can support alternative responses of existing security services. In addition, the ASM can respond rapidly to attacks by making sensible use of shared attack intelligence. System agents on different hosts communicate with each other using an agent communication language through a message router.

Introduction

One fundamental problem with passive protection schemes is their computational complexity (Han and Cho, 2003). Because they passively monitor and compare the network traffic, they need to record all the concurrent incoming and outgoing connections even when there is no intrusion to trace. That is, for a host with m concurrent incoming connections and n concurrent outgoing connections, the passive network-based correlation approach would take O(m×n) comparisons, in addition to the O(m+n) scanning and recording of concurrent connections.

On the other hand, active security is concerned with performing one or more security functions when a host in a communication network is subjected to an attack (Anagnostakis et al., 2001, Anagnostakis et al., 2002, Dietrich, 2002). Such security functions include appropriate actions against attackers. Ideally, an active intrusion response (IR) to a network-based intrusion should be able to:

  • Disable detected intrusions in real time.

  • Abort the detected intruder's ability to attack other targets.

  • Help to apprehend intruders in real time.

  • Help to recover as many compromised network nodes as possible.

  • Repel future intrusions that are similar to the detected ones.

The paper is organized as follows:

Section 2 presents the related work and Section 3 introduces the model of a cooperative, agent-based security system. Section 4 describes the design of a multiagent intrusion detection system. Section 5 describes the proposed system capabilities and the corresponding active security mechanism and Section 6 describes the frameworking concepts. Section 7 illustrates the experimental environment and system implementation as well as its response for some attacks.

Section snippets

Related work

There are different approaches for defending against network-based intrusions. Such approaches can be categorized as intrusion detection and/or prevention. In particular, intrusion prevention utilizes authentication, encryption and/or firewalls to protect systems from being attacked and compromised (Eichert et al., 2002, Phaltankar, 2000). While it is useful to prevent networked systems from being attacked from the outside network, there is virtually no defense against insider attacks. There are evidences,

The cooperative model

The proposed model, as such, exploits technologies and techniques already in existence. It provides a suitable infrastructure that can perform rapid response to attacks by sharing attack intelligence.

MIDS agents

MIDS consists of three agents: NEA, SA and VSA. These agents are mainly database access agents written in Java. A database access agent contains two methods: (1) queryDatabase and (2) reportResults. On the database server, the queryDatabase method performs SQL queries using standard Java Database Connectivity (JDBC) calls and places the results of that query into its “Results” member variable. A standard JDBC–ODBC bridge is established between ODBC at the database engine and JDBC SQL at the
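As an added illustration (not the paper's code), the query-and-report pattern of a database access agent described above and in the abstract, written in Python with the standard sqlite3 module in place of the JDBC–ODBC stack; the table layout, data-item names, thresholds and sample events are constructed assumptions.

```python
import sqlite3

# Constructed schema and samples (assumptions, not from the paper): measurements
# read from recent network events, and per-item thresholds from a signature DB.
SCHEMA = """
CREATE TABLE events     (host TEXT, item TEXT, value INTEGER, ts INTEGER);
CREATE TABLE signatures (sig_id TEXT, item TEXT, threshold INTEGER, attack TEXT);
"""
EVENTS = [
    ("host-a", "syn_per_sec",       950, 100),
    ("host-a", "failed_logins",       3, 101),
    ("host-b", "failed_logins",      42, 102),
    ("host-b", "icmp_echo_per_sec",  12, 103),
]
SIGNATURES = [
    ("SIG-001", "syn_per_sec",       500, "SYN flood"),
    ("SIG-002", "failed_logins",      20, "password guessing"),
    ("SIG-003", "icmp_echo_per_sec", 200, "ping flood"),
]

def open_db():
    """In-memory relational store loaded with the constructed samples."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO events VALUES (?,?,?,?)", EVENTS)
    conn.executemany("INSERT INTO signatures VALUES (?,?,?,?)", SIGNATURES)
    return conn

class DatabaseAccessAgent:
    """Two methods, as in MIDS: query the database, then report what it found."""
    def __init__(self, conn):
        self.conn = conn
        self.results = []   # plays the role of the agent's "Results" member

    def query_database(self):
        # A measurement that reaches a signature's threshold for the same data
        # item points to that signature's attack; the comparison runs in SQL.
        self.results = self.conn.execute(
            "SELECT e.host, s.sig_id, s.attack, e.value "
            "FROM events e JOIN signatures s ON e.item = s.item "
            "WHERE e.value >= s.threshold ORDER BY e.ts"
        ).fetchall()
        return self.results

    def report_results(self):
        # One line per suspected intrusion, ready to hand to the ASM agents.
        return [f"{host}: {attack} ({sig}, value={val})"
                for host, sig, attack, val in self.results]
```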

ASM agents

The ASM is used for exchanging intruder information between hosts and taking appropriate active response against attackers. ASM can take rapid responses against attackers by proper sharing of attack intelligence. Agents may communicate with each other on different hosts using an agent communication language through a message router. It contains two agents: (1) Intruder Message Applet Agent (IMAA) and (2) Active Network Response Agent (ANRA), Fig. 3.

In the model, KQML has been used as an agent

Frameworking

The proposed system provides a customizable environment that can be built up from software products in order to optimize the match between the intrusion circumstances and the underlying security architecture. Thus, different configurations can support various responses of existing software security services. The classes at the top of the framework are mostly abstract. These classes form the basis for a hierarchy of successively more specialized classes that can represent security

Implementation

Fig. 5 illustrates the experimental set-up of the proposed system. It is based on the TCP/IP protocol. A firewall divides the network into two parts: one is trusted, behind the firewall, and the other is untrusted. The same host is used as FTP server and router to provide a store-and-forward communication paradigm as well as KQML message processing. An IMAA can connect/disconnect/reconnect to this router and retrieve buffered messages. Also, an IMAA can send the host intruder log to the FTP server and can receive
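The KQML exchange through a store-and-forward router, as described for the ASM agents and for the experimental set-up above, as an added example that is not the paper's implementation: a message builder, a strict parser that rejects malformed traffic at the router, and per-receiver buffering so that a disconnected IMAA/ANRA receives its messages on reconnect. Agent names, the ontology name and the message content are constructed assumptions.

```python
import re, shlex
from collections import defaultdict

def _quote(value):
    # Bare words stay bare; anything with spaces, quotes or parens is double-quoted.
    if re.fullmatch(r'[^\s"()]+', value):
        return value
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def build_kqml(performative, **params):
    """Serialise (performative :key value ...); Python names use '_' for '-'."""
    fields = [performative] + [f":{k.replace('_', '-')} {_quote(v)}"
                               for k, v in params.items()]
    return "(" + " ".join(fields) + ")"

def parse_kqml(text):
    """Parse one KQML message into a dict, rejecting malformed input."""
    text = text.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("not a KQML message")
    tokens = shlex.split(text[1:-1])      # honours the double-quoted :content
    if not tokens or tokens[0].startswith(":"):
        raise ValueError("missing performative")
    rest = tokens[1:]
    if len(rest) % 2 or any(not k.startswith(":") for k in rest[::2]):
        raise ValueError("malformed parameter list")
    msg = {"performative": tokens[0]}
    msg.update((k[1:], v) for k, v in zip(rest[::2], rest[1::2]))
    return msg

class MessageRouter:
    """Store-and-forward router: a message waits until its receiver is connected."""
    def __init__(self):
        self.queues = defaultdict(list)   # constructed: one FIFO per receiver
        self.online = set()
    def connect(self, agent):
        self.online.add(agent)
    def disconnect(self, agent):
        self.online.discard(agent)
    def send(self, text):
        msg = parse_kqml(text)            # malformed traffic is refused here
        if "receiver" not in msg:
            raise ValueError("no :receiver")
        self.queues[msg["receiver"]].append(text)

    def retrieve(self, agent):
        """Hand a connected agent its buffered messages, parsed, oldest first."""
        if agent not in self.online:
            return []
        buffered, self.queues[agent] = self.queues[agent], []
        return [parse_kqml(t) for t in buffered]
```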

Conclusion

A cooperative multi-agent intrusion detection model has been developed to provide active security responses against intruders. The model, as such, depends upon activating the underlying network and customizing the operational environment in order to allow effective actions against the attacker.

The cooperative agent-based model includes:

  • A subset of auxiliary agents that can detect vulnerabilities, capture critical network events and identify intruders on the basis of their signatures.

  • An active

M. Zaki is the professor and chair, Computer and System Engineering Department, Faculty of Engineering, Al-Azhar University at Cairo. He received his B.Sc. and M.Sc. degrees in electrical engineering from Cairo University in 1968 and 1973 respectively. He received his Ph. D. degrees in computer engineering from Warsaw Technical University, Poland in 1977. His fields of interest include artificial intelligence, soft computing, and distributed systems.

References (16)

  • Han S, et al. Detecting intrusion with rule-based integration of multiple models. Comput Security (2003).
  • Anagnostakis KG, et al. Practical network applications on a lightweight active management environment (2001).
  • Anagnostakis KG, et al. Efficient packet monitoring for network management (2002).
  • Campbell RH, Liu Z, Mickunas MD, Naldurg P, Yi S. Seraphim: An Active Security Architecture for Active Networks. Dept....
  • Campbell RH, et al. An agent-based architecture for supporting application aware security (1997).
  • CSI/FBI. Annual Report CSI/FBI Computer Crime and Security Survey. From Computer Security Institute; 2001,...
  • Dietrich S. Active network defense: some concepts and techniques. USENIX ;login: magazine (2002).
  • Eichert S, et al. Commercially Viable Active Networking. ACM Oper Syst Rev (2002).

Tarek S. Sobh received his B.Sc. degree in computer engineering from Military Technical College, Cairo in 1987. He received his M.Sc. and Ph.D. degrees from Computer and System Engineering Department, Faculty of Engineering, Al-Azhar University, Cairo, Egypt. He has designed and developed several package for business applications and security systems. His research of interest includes network management and security, knowledge discovery, and software engineering.
