A cooperative agent-based model for active security systems
Introduction
One fundamental problem with passive protection schemes is their computational complexity (Han and Cho, 2003). Because they passively monitor and compare network traffic, they must record all concurrent incoming and outgoing connections even when there is no intrusion to trace. That is, for a host with m concurrent incoming connections and n concurrent outgoing connections, the passive network-based correlation approach requires O(m×n) comparisons, in addition to the O(m+n) scanning and recording of the concurrent connections themselves.
On the other hand, active security is concerned with performing one or more security functions when a host in a communication network is subjected to an attack (Anagnostakis et al., 2001, Anagnostakis et al., 2002, Dietrich, 2002). Such security functions include appropriate actions against attackers. Ideally, an active intrusion response (IR) to a network-based intrusion should be able to:
- Disable detected intrusions in real time.
- Abort a detected intruder's ability to attack other targets.
- Help to apprehend intruders in real time.
- Help to recover as many compromised network nodes as possible.
- Repel future intrusions that are similar to the detected ones.
The paper is organized as follows:
Section 2 presents the related work and Section 3 introduces the model of a cooperative, agent-based security system. Section 4 describes the design of a multiagent intrusion detection system. Section 5 describes the proposed system capabilities and the corresponding active security mechanism and Section 6 describes the frameworking concepts. Section 7 illustrates the experimental environment and system implementation as well as its response for some attacks.
Related work
There are different approaches for defending against network-based intrusions. Such approaches can be categorized as intrusion detection and/or intrusion prevention. In particular, intrusion prevention uses authentication, encryption and/or firewalls to protect systems from being attacked and compromised (Eichert et al., 2002, Phaltankar, 2000). While this is useful for preventing networked systems from being attacked from outside the network, it offers virtually no defense against insider attacks. There is evidence,
The cooperative model
The proposed model, as such, exploits technologies and techniques already in existence. It provides a suitable infrastructure that can perform rapid response to attacks by sharing attack intelligence.
MIDS agents
MIDS consists of three agents: NEA, SA and VSA. These agents are mainly database access agents written in Java. A database access agent contains two methods: (1) queryDatabase and (2) reportResults. On the database server, the queryDatabase method performs SQL queries using standard Java Database Connectivity (JDBC) calls and places the results of that query into its “Results” member variable. A standard JDBC–ODBC bridge is established between ODBC at the database engine and JDBC SQL at the
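The two-method database access agent described above, written out as an added example (this is not the authors' code; the JDBC URL, credentials, and the intruder_log table with its columns are placeholders). The query is parameterised with a PreparedStatement so that values taken from captured traffic, such as a source address, never become part of the SQL text:

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.ResultSetMetaData;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Illustrative database access agent with the two methods named in the paper
 * (queryDatabase / reportResults). Added example, not the paper's code.
 */
public class DatabaseAccessAgent {
    // Assumed placeholder. The JDBC-ODBC bridge used in the paper (jdbc:odbc:...)
    // was removed from the JDK in Java 8; a vendor JDBC driver is used today.
    private final String jdbcUrl;
    private final String user;
    private final String password;

    /** The "Results" member: one map per row, column label -> value. */
    private final List<Map<String, Object>> results = new ArrayList<>();

    public DatabaseAccessAgent(String jdbcUrl, String user, String password) {
        this.jdbcUrl = jdbcUrl;
        this.user = user;
        this.password = password;
    }

    /**
     * Run a parameterised SELECT and store the rows in Results.
     * Returns the number of rows fetched.
     */
    public int queryDatabase(String sql, Object... params) throws SQLException {
        results.clear();
        try (Connection conn = DriverManager.getConnection(jdbcUrl, user, password);
             PreparedStatement ps = conn.prepareStatement(sql)) {
            for (int i = 0; i < params.length; i++) {
                ps.setObject(i + 1, params[i]);   // bound, never concatenated into sql
            }
            try (ResultSet rs = ps.executeQuery()) {
                ResultSetMetaData md = rs.getMetaData();
                int cols = md.getColumnCount();
                while (rs.next()) {
                    Map<String, Object> row = new LinkedHashMap<>();
                    for (int c = 1; c <= cols; c++) {
                        row.put(md.getColumnLabel(c), rs.getObject(c));
                    }
                    results.add(row);
                }
            }
        }
        return results.size();
    }

    /** Render the stored Results as text for the requesting agent. */
    public String reportResults() {
        StringBuilder sb = new StringBuilder();
        for (Map<String, Object> row : results) {
            sb.append(row).append(System.lineSeparator());
        }
        return sb.toString();
    }

    public static void main(String[] args) throws SQLException {
        // Connection details are assumed placeholders.
        DatabaseAccessAgent agent = new DatabaseAccessAgent(
                "jdbc:PLACEHOLDER_URL", "agent", "PLACEHOLDER_PASSWORD");
        // Table and column names are constructed for illustration; 192.0.2.10 is
        // a documentation (TEST-NET-1) address used as sample input.
        String srcAddr = args.length > 0 ? args[0] : "192.0.2.10";
        int n = agent.queryDatabase(
                "SELECT src_addr, signature, seen_at FROM intruder_log WHERE src_addr = ?",
                srcAddr);
        System.out.println(n + " row(s) matched");
        System.out.print(agent.reportResults());
    }
}
```

Results are cleared at the start of every query so a stale row from an earlier lookup can never be reported as a current match; try-with-resources closes the connection, statement and result set even when the driver throws.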
ASM agents
The ASM is used for exchanging intruder information between hosts and for taking appropriate active responses against attackers. It can respond rapidly to attackers by properly sharing attack intelligence. Agents on different hosts communicate with each other using an agent communication language through a message router. The ASM contains two agents: (1) the Intruder Message Applet Agent (IMAA) and (2) the Active Network Response Agent (ANRA) (Fig. 3).
In the model, KQML has been used as an agent
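The IMAA-to-ANRA exchange over KQML, as an added example that is not part of the paper: an encoder/decoder for the KQML s-expression envelope plus a constructed alert and reply. The :language, :ontology and :content values, the reply-with identifier and the content vocabulary (intruder, src, signature, response) are all assumed here; KQML itself leaves the content language open.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Minimal KQML message encoder/decoder for the IMAA -> ANRA exchange.
 * Added example, not the paper's implementation.
 */
public final class KqmlMessage {
    public final String performative;
    public final Map<String, String> params = new LinkedHashMap<>();

    public KqmlMessage(String performative) {
        this.performative = performative;
    }

    public KqmlMessage with(String key, String value) {
        params.put(key, value);
        return this;
    }

    /** Encode as a KQML s-expression: (tell :sender IMAA :receiver ANRA ...). */
    @Override
    public String toString() {
        StringBuilder sb = new StringBuilder("(").append(performative);
        for (Map.Entry<String, String> e : params.entrySet()) {
            sb.append(" :").append(e.getKey()).append(' ').append(e.getValue());
        }
        return sb.append(')').toString();
    }

    /**
     * Decode one message. A parenthesised value (typically :content) is kept whole
     * so the receiver parses the content language separately. Malformed input is
     * rejected outright rather than partially accepted.
     */
    public static KqmlMessage parse(String text) {
        List<String> tokens = tokenize(text.trim());
        int n = tokens.size();
        if (n < 3 || !tokens.get(0).equals("(") || !tokens.get(n - 1).equals(")")
                || (n - 3) % 2 != 0) {
            throw new IllegalArgumentException("malformed KQML message: " + text);
        }
        KqmlMessage msg = new KqmlMessage(tokens.get(1));
        for (int i = 2; i < n - 1; i += 2) {
            String key = tokens.get(i);
            if (!key.startsWith(":")) {
                throw new IllegalArgumentException("expected keyword, got: " + key);
            }
            msg.params.put(key.substring(1), tokens.get(i + 1));
        }
        return msg;
    }

    /** Split on whitespace at the top level; a nested (...) group is one token. */
    private static List<String> tokenize(String s) {
        List<String> out = new ArrayList<>();
        int i = 0, n = s.length();
        while (i < n) {
            char c = s.charAt(i);
            if (Character.isWhitespace(c)) {
                i++;
            } else if (c == '(' && out.isEmpty()) {          // opening paren of the envelope
                out.add("(");
                i++;
            } else if (c == ')') {                             // only legal as the final char
                if (i != n - 1) throw new IllegalArgumentException("unexpected ')' at " + i);
                out.add(")");
                i++;
            } else if (c == '(') {                             // nested group: scan to its match
                int depth = 0, start = i;
                do {
                    if (s.charAt(i) == '(') depth++;
                    else if (s.charAt(i) == ')') depth--;
                    i++;
                } while (depth > 0 && i < n);
                if (depth != 0) throw new IllegalArgumentException("unbalanced parentheses");
                out.add(s.substring(start, i));
            } else {                                           // plain atom
                int start = i;
                while (i < n && !Character.isWhitespace(s.charAt(i)) && s.charAt(i) != ')') i++;
                out.add(s.substring(start, i));
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample: IMAA reports an intruder it has logged (192.0.2.10 is a
        // documentation address; vocabulary and ids are assumed).
        KqmlMessage alert = new KqmlMessage("tell")
                .with("sender", "IMAA").with("receiver", "ANRA")
                .with("language", "KIF").with("ontology", "intrusion")
                .with("reply-with", "alert-1")
                .with("content", "(intruder (src 192.0.2.10) (signature portscan))");
        String wire = alert.toString();
        System.out.println("IMAA -> router: " + wire);

        // The router forwards the text unchanged; ANRA decodes it and reports its response.
        KqmlMessage received = KqmlMessage.parse(wire);
        KqmlMessage reply = new KqmlMessage("reply")
                .with("sender", received.params.get("receiver"))
                .with("receiver", received.params.get("sender"))
                .with("in-reply-to", received.params.get("reply-with"))
                .with("content", "(response blocked " + received.params.get("content") + ")");
        System.out.println("ANRA -> router: " + reply);
    }
}
```

Keeping the :content field opaque at the envelope layer means a malformed or hostile content expression can fail in the content parser without corrupting the routing fields; the envelope parser rejects unbalanced or trailing parentheses instead of guessing.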
Frameworking
The proposed system provides a customizable environment that can be built up from software products in order to optimize the match between the intrusion circumstances and the underlying security architecture. Thus, different configurations can support various responses by existing software security services. The classes at the top of the framework are mostly abstract. These classes form the basis for a hierarchy of successively more specialized classes that can represent security
Implementation
Fig. 5 illustrates the experimental set-up of the proposed system. It is based on the TCP/IP protocol. A firewall divides the network into two parts: a trusted part behind the firewall and an untrusted part. The same host is used as FTP server and router, providing a store-and-forward communication paradigm as well as KQML message processing. An IMAA can connect to, disconnect from and reconnect to this router and retrieve buffered messages. An IMAA can also send the host intruder log to the FTP server and can receive
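The store-and-forward behaviour described for the router, as an added example (not the paper's implementation): per-agent mailboxes hold messages while an IMAA is disconnected and hand them over, oldest first, when it reconnects and polls. The agent name and the sample message are constructed; the per-mailbox bound is an assumption added so that an agent that never reconnects cannot exhaust the router's memory.

```java
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Deque;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
 * Store-and-forward message router with connect/disconnect/reconnect semantics.
 * Added example, not the paper's code; messages are opaque text here.
 */
public class StoreAndForwardRouter {
    private final Map<String, Deque<String>> mailboxes = new HashMap<>();
    private final Map<String, Boolean> connected = new HashMap<>();
    private final int maxQueued;   // assumed bound per mailbox (not in the paper)

    public StoreAndForwardRouter(int maxQueued) {
        this.maxQueued = maxQueued;
    }

    public void connect(String agent) {
        connected.put(agent, true);
        mailboxes.computeIfAbsent(agent, k -> new ArrayDeque<>());
    }

    public void disconnect(String agent) {
        connected.put(agent, false);
    }

    /** Accept a message for receiver; it is buffered until that agent next polls. */
    public boolean route(String receiver, String message) {
        Deque<String> box = mailboxes.computeIfAbsent(receiver, k -> new ArrayDeque<>());
        if (box.size() >= maxQueued) {
            return false;   // caller logs the drop; the router does not grow without bound
        }
        box.addLast(message);
        return true;
    }

    /** Deliver everything buffered for a connected agent, oldest first; nothing while offline. */
    public List<String> retrieve(String agent) {
        List<String> out = new ArrayList<>();
        if (!Boolean.TRUE.equals(connected.get(agent))) {
            return out;
        }
        Deque<String> box = mailboxes.getOrDefault(agent, new ArrayDeque<>());
        while (!box.isEmpty()) {
            out.add(box.pollFirst());
        }
        return out;
    }

    public static void main(String[] args) {
        StoreAndForwardRouter router = new StoreAndForwardRouter(1000);
        router.connect("IMAA-hostA");
        router.disconnect("IMAA-hostA");   // the agent's host goes offline
        // Constructed message; 192.0.2.10 is a documentation address.
        router.route("IMAA-hostA",
                "(tell :sender ANRA :receiver IMAA-hostA :content (intruder 192.0.2.10))");
        System.out.println("while offline: " + router.retrieve("IMAA-hostA"));   // nothing delivered
        router.connect("IMAA-hostA");      // reconnect, then drain the buffer
        System.out.println("after reconnect: " + router.retrieve("IMAA-hostA"));
    }
}
```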
Conclusion
A cooperative multi-agent intrusion detection model has been developed to provide active security responses against intruders. The model depends upon activating the underlying network and customizing the operational environment in order to allow effective actions against the attacker.
The cooperative agent-based model includes:
- A subset of auxiliary agents that can detect vulnerabilities, capture critical network events and identify intruders on the basis of their signatures.
- An active
M. Zaki is the professor and chair, Computer and System Engineering Department, Faculty of Engineering, Al-Azhar University at Cairo. He received his B.Sc. and M.Sc. degrees in electrical engineering from Cairo University in 1968 and 1973 respectively. He received his Ph. D. degrees in computer engineering from Warsaw Technical University, Poland in 1977. His fields of interest include artificial intelligence, soft computing, and distributed systems.
References (16)
- et al. Detecting intrusion with rule-based integration of multiple models. Comput Security (2003).
- et al. Practical network applications on a lightweight active management environment (2001).
- et al. Efficient packet monitoring for network management (2002).
- Campbell RH, Liu Z, Mickunas MD, Naldurg P, Yi S. Seraphim: An Active Security Architecture for Active Networks. Dept....
- et al. An agent-based architecture for supporting application aware security (1997).
- CSI/FBI. Annual Report CSI/FBI Computer Crime and Security Survey. From Computer Security Institute; 2001,...
- Active network defense: some concepts and techniques. USENIX ;login: magazine (2002).
- et al. Commercially Viable Active Networking. ACM Oper Syst Rev (2002).
Cited by (10)
- Vehicle active security based on driver modeling. 2015, Proceedings of the 2015 27th Chinese Control and Decision Conference, CCDC 2015.
- Unison: Towards a middleware architecture for autonomous cyber defence. 2015, Proceedings - 2015 24th Australasian Software Engineering Conference, ASWEC 2015.
- Modeling mental attributions of defense decision of networks security based on AML. 2013, Information Technology Journal.
- An intelligent agent-based framework for information security management. 2012, Advances in Intelligent and Soft Computing.
- Research in intrusion detection system based on mobile agent. 2011, Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics).
- Dynamically negotiated security service for multicast application in the active network. 2006, IEE Proceedings: Communications.
Tarek S. Sobh received his B.Sc. degree in computer engineering from the Military Technical College, Cairo in 1987. He received his M.Sc. and Ph.D. degrees from the Computer and System Engineering Department, Faculty of Engineering, Al-Azhar University, Cairo, Egypt. He has designed and developed several packages for business applications and security systems. His research interests include network management and security, knowledge discovery, and software engineering.