Architecture of Intrusion Detection Using Intelligent Agents

Architecture of Intrusion Detection using Intelligent Agents

Alex Roque School of Computer Science Florida International University Miami, FL 33199 [email protected]

Abstract 1.1 Intrusion Detection: Fundamentals

Intrusion detection, a topic that has evolved In order to comprehend the intricate heavily due to the rising concern for abstraction of an intrusion detection system, information technology security, has we must first understand the basic definition endured numerous architecture abstractions. of one. Intrusion Detection (ID) is defined All of these architecture abstractions have as “the problem of identifying individuals strengths and weaknesses with regards to who are using a computer system without various factors like efficiency, security, authorization (i.e., ‘crackers’) and those who integrity, durability, and cost-effectiveness, have legitimate access to the system but are to name a few. In this paper, we will abusing their privileges (i.e., the ‘insider attempt to describe the architecture of threat’)”[1]. For our purpose, we will use intrusion detection that minimizes the the word “intrusion” to mean both an weaknesses of this model. Our architecture external and internal threat. will heavily build upon the Autonomous It is also important to formally define an Agents For Intrusion Detection (AAFID) attempt as “any set of actions that attempt to architecture, which has already been compromise the integrity, confidentiality, or implemented in the Center for Education availability of a resource” [2]. These and Research in Information Assurance and definitions can let us clearly define the Security (CERIAS) center in Purdue system. University. We will, however, design a The models of intrusion detection are [1]: different functionality for our agents, making them rather intelligent. Such Misuse detection model: The intrusion will intelligent agents will seek to use tools that be detected by observing specific patterns in the field of artificial intelligence provides in the system that are used by known attacks order to maximize their probability of (also known as signatures). detecting intrusions. Anomaly detection model: Using a 1. Intrusion Detection statistical model, the system can observe deviations from known signatures (described in [3] ), and present these activities as We start our discussion by explaining presumed attacks [2]. intrusion detection and why it has become an important need in the information An Intrusion Detection System (IDS) is technology field. We will examine several defined as “a computer program that basic definitions that are of fundamental attempts to perform ID by either misuse or importance to the development of an anomaly detection, or a combination of intrusion detection system.

1 techniques” [2]. An IDS is then further What is even more astonishing is that categorized as a host-based or network- reports from F.B.I. and C.I.A. claim that based [1]. Host-based systems base their 80% of intrusion problems are caused analyzation on data retrieved at a single internally, that is from users that already host, while network-based monitor the entire belong to the system [5]. Even government network to which the host is connected [1] . institutions themselves, such as the CIA, Note that an IDS aims at preventing have hacked into the computer of European network intrusion by warning administrators officials as part of espionage plots [5]. These of malevolent and unusual activities, not by plots carry the purpose of stealing political actually mounting an offensive on such and economic secrets to leverage political activities. Examples of network attacks are power [5]. The increase in attacks has made either external or internal attacks, such as: IP it apparent that the resources spent on spoofing and packet sniffing (external), and implementing an IDS is worth it. password attacks and session hi-jacking (internal) [5]. Current mechanisms that have 1.3 Types of ID systems been used for illegal behavior detection in security programs have been listed as: As previously explained, an IDS may be statistical anomaly detection, rule-based categorized as a host-based or network- detection, and hybrid detection (a based, and each model has its advantages. A combination of rule-based and statistical network-based model has the benefits of anomaly) [5]. Not surprisingly, these evidence collection and real-time warnings mechanisms have also been used in current [7]. Host-based models can detect both ID systems. external and internal misuse. This is of particular interest because security breaches 1.2 Why an ID is needed? are more likely to come from an internal user [7]. Intrusion detection grew out of the need to However, regardless of its implementation, keep financial audits on the users who an IDS seeks to have certain desired accessed the then costly computing time of characteristics [1]: mainframes [7]. This gave birth to network monitoring in the 1990s, which established a  The system must run continuously way for administrators to maintain tight with minimal supervision. control over their networks [7].  The system must be fault tolerant, The large impact and growth of the meaning it must be able to recover Internet, coupled with the importance of from crashes to a previous safe and information technology in today’s functional state. commerce, has created the increasingly  The system must be self-conscious of important need to main the integrity of data. any activities that attempt to attack Statistics show that the number of people and modify itself. This condition is online in January 1993 was 1,313,000 known as resisting subversion. compared to 73,398,092, the number of  Since the IDS aims at being people online in January 2000 [5]. The beneficial to the network it protects, Computer Security Institute (CSI) reported it must run with minimal overhead to that IT professionals experienced $256 the network. million in losses due to network attacks in 2001, up 28% from 1999 [6].

2  An IDS must be configurable to the  Monolithic architectures contain a security policies administered by its “central analyzer” which represents a operator. single point of failure if  The IDS must be able to adapt to compromised by an attacker. non-intrusive changing conditions of  If all processing takes place on a the network (e.g. system upgrades, single host, scalability is jeopardized, and changing of resources by user). as a limit is placed on the size of the  Since speed is of extreme importance network that can be monitored. in the event of an attack, the IDS  Reconfiguration or upgrading may must be efficiently scalable to present a problem, as restarting the monitor large number of hosts while host may leave the network still providing information in a vulnerable to attack. timely manner.  The integrity of network data used  Graceful degradation of service must for analysis can be compromised. be provided. In other words, if some C.E.R.I.A.S. has shown that components of the IDS fail, other “performing collection of network components should not be affected. data in a host other than the one to  The IDS must allow dynamic which the data is destined can configuration, so that if a group of provide the attacker the possibility of hosts is being monitored, it becomes performing Insertion and Evasion unpractical to restart all if an update attacks”. Such attacks use must be made to a host. mismatched assumptions in the protocol stacks of different hosts to Another desired characteristic of an IDS create or hid attacks [8]. architecture is the ability to implement it in a  C.E.R.I.A.S. also lists systems of distributed format [1]. In an ideal case monolithic architecture to lack a where an IDS accurately protects the graceful degradation of service (a integrity of the system, a likely target for an desirable characteristic, as previously attack will be the IDS itself. Therefore, an mentioned) [9]. IDS must not only enforce tight security in itself, but it must not implement a Due to these limitations, the ID field has centralized architecture. A centralized seen a migration towards designing structure will allow an attacker to bring distributed systems in the past few years [9]. down an IDS by attacking a single point, which is undesired. 2. Intelligent Agents

1.4 ID Systems Limitations An agent is defined as “anything that can be viewed as perceiving its environment Existing ID systems have certain limitations through sensors and acting upon that that impede some desirable processes of an environment through effectors.” [10]. ID system. Most systems are monolithic in Furthermore, an ideal rational agent is an architecture, although they perform agent that, “For each possible sequence, an distributed operations [2]. The limitations, ideal rational agent should do whatever however, arise out of this monolithic action is expected to maximize its implementation [2]. They consist of [2]: performance measure, on the basis of the evidence provided by the percept sequence

3 and whatever built-in knowledge the agent  It will have to detect known has” [10]. From this definition, we intrusions in a timely manner. understand how the agent reaches its  It will have to learn to detect new, decision, which is either perceptual evidence unknown intrusions and remember or built-in knowledge. It is important to them for future reference. understand that agents play the key role in finding an intrusion. These agents must not Thus, the role of the intelligent agent in an only be intelligent enough to discover intrusion detection system will be very common intrusions, but must also be able to similar to the general behavior of the human adapt and learn new attacks. It is for this immune system. Once it learns about a reason that we will use agents capable of particular viral strain, it will use that intelligent data analysis as our preferred knowledge to defend against it in the future. agents. Once detection has been made, the intelligent agent must communicate and 2.1 What is an Intelligent Agent? notify other system components. In order to quickly mitigate the damage of the attack, In our discussion, we will define an the agents must first notify the system intelligent agent as an agent that uses administrator, in detailed form, that an artificially intelligent methods in order to intrusion is taking place. Then, the agent accomplish its purpose. Our definition will must quickly communicate to other agent(s) also take advantage of several definitions the new intrusion behavior it has learned. already defined in the field on IDS. Our Therefore, an important role of an agent definition will include autonomous intelligent agent is that it must be able to agents, which are “a software agent that communicate its knowledge, so that other performs a certain security monitoring agents may benefit from it. IBM refers to function at a host” [2]. We will also include this when it describes an agent meeting itinerant agents, which have been defined by point as : “an abstraction which supports the IBM as “programs which are dispatched interaction of agents with each other and from a source computer and which roam server based resources” [11]. We will among a set of networked servers until they assume in our architecture that an are able to accomplish their task” [11]. abstraction that allows intelligent agents to In this case, intelligent agents will roam pass information securely from one to the network, and we will design their task to another, or broadcast from one to many either never expire, or to be relieved by exists. After an intrusion has been another agent. Also, it is important that our attempted, the agent must immediately and intelligent agent carries the capability of efficiently continue to perform its security learning in order to become adaptive to new monitoring. intrusive attacks while being able to detect patterns in previously known attacks. 2.3 Intelligent Agent Implementation

2.2 Role of an Intelligent Agent Our next concern is the implementation of the intelligent agent (although we shall only In order to maximize the role of an concern ourselves now with the design of intelligent agent, one must first understand the agent, and not its domain). A good the detection process. The agents’ detection design scheme has been implemented in strategy will be two fold: C.E.R.I.A.S. for autonomous agents, for

4 which they argue the following to be . An intrusion that presents similar necessary [2]: characteristics to a known one.  Agents should be independent . An intrusion that is completely running entities, so they can be different from all others that are added, removed or re-configured known. without restarting the IDS.  Agents can be tested on a simple Our intelligent agents will therefore go testing environment before through a three fold process when detecting introducing them to a more complex an intrusion. It will first try use a rule based domain. system [5] to see if the intrusion matches one  Agents may be part of a group of of its rules. If not, it will use a statistical agents that can communicate and anomaly algorithm [5] to detect if it has any derive complex results as a group. similarities to any known patterns stored in  If the agents are organized in a the rule-based system. Lastly, if the mutually independent set and an intrusion is still not recognized, it will agent stops working, it should not “learn” the patterns of this new intrusion [4], cause the entire system to cease and convert it to a rule for future knowledge. working. Immediately, it will seek to communicate  Organizing agents in a hierarchical with other agents and pass its knowledge of structure with multiple layers will the newly detected intrusion. reduce the data transferred from level A rule-based system contains a set of rules to level, thus making the system that describe malevolent and illegal user scalable. behavior patterns [5]. The rules are formed  Since agents are implemented as a from the analysis of previous attacks. The separate process (controlled by the only disadvantage of this system is that it O.S.), each agent can be cannot detect and learn new attacks for implemented in the programming which patterns are not described in the rule- language that is best suited for. based system. Modern rule-based systems rely on expert systems to identify attacks Intelligent agents must, therefore, adhere to [4], which permit the access to an extensive these beneficial characteristics. However, amount of human experience in intrusion. there still exists the question of how to These systems utilize the knowledge stored detect an intrusion. As mentioned earlier, in their expert system to identify intrusions intrusions fall into one of two categories: the that match defined patterns of attack [4]. intrusion is either known (the agent The second attempt to recognize the recognizes the pattern), or it is new (agent intrusion will be the statistical anomaly does not recognize the pattern) and has algorithm [5]. This algorithm analyzes never been done before in the network. audit-log data to detect abnormal behavior in Furthermore, if an intrusion falls into the the system from an expected profile. This unknown category it can either be very profile is created from how an organization similar to a known intrusion, or it can be expects a certain user to behave and access completely different. Thus, at any point system resources. during the monitoring we can be sure that if Thus, once a profile of the user’s expected an intrusion occurs, it will be: behavior is created, audit logs typically . A known or recognized intrusion. compare the user’s current patterns to his/her expected patterns. If the current

5 patterns differ immensely from profiled ones  If no intrusion patterns match the (determining the degree of difference that ones in the expert system, it should causes the alarm is up to the administrator), try a statistical anomaly algorithm then it might become a potential intrusion for the user, and test for similarity to [5]. The drawback to this method is that it known signatures. only works if a user profile exists, which  If there is still no success in the more than likely restricts the intrusions to detection (and there exists an internal intrusions. intrusive action), it should “learn” Likewise, we can use the statistical this instrusion via neural nets. anomaly method to create profiles for “intrusions” rather than users [5]. For Although the incorporation of neural nets example, if an activity is very similar to a takes care of any disadvantages with an related attack, we can warn the system expert system, there are several issues with administrator that such an action might neural nets that may present problems. result in a malevolent act. The system There are two major reasons why neural administrator will be able to set the network implementations are difficult for an statistical variables that tell the system what intrusion system [4]. Neural nets are degree of tolerance it should perform with dependent on training time, and in order for this method. This method has been an instrusion to be detected, the neural established in Kumar and Spafford’s network must have training in the attack. security enhancement software [5,cited from For example, the training of neural nets for 12]. intrusion detection purposes will require a Lastly, our intelligent agent must be able large amount of attack sequences and to “learn” new intrusion patterns. The most signatures. Such sequences will require a useful format is to use neural networks to large amount of time to obtain [4]. Also, develop an adaptive atmosphere. Neural qualitative data that accurately represents a nets have been discussed as the method of new attack may not be available [4]. choice to train agents to learn new intrusive Second, neural networks also have an patterns [4]. Referring to neural nets and inability to show the basis for their intrusion, Cannady properly stated this successful decisions. This problem has scenario: “The constantly changing nature of plagued neural net implementations in the network attacks requires a flexible defensive past, and is often know as the “black box” system that is capable of analyzing the theory [4]. Cannady states: “Unlike expert enormous amount of network traffic ina systems which have hard-coded rules for the manner which is less structure than rule analysis of events, neural networks adapt based systems. A neural network-based their analysis of data in response to the misuse detection system could potentially training which is conducted on the network” address many of the problems that are found [4]. Furthermore, Cannady adds: “The in rule-based systems” [4]. connection weights and transfer functions of the various network nodes are usually frozen 2.4 Design Issues after the network has achieved an acceptable The intelligent agents will, therefore, perfom level of success in the identification of intrusion detection by: events. While the network analysis is  First, comparing the patterns with a achieving a sufficient probability of success, rule-based expert system. the basis for this level of accuracy is not often known” [4].

6 A challenge is therefore presented, Transceivers then report their results to one because although the actual agent will be or more monitors [2], which oversee the now be skilled at detection for a particular operation of transceivers. Since monitors attack, it will have difficulties are in charge of per-host entities, they can communicating to other agents what attack oversee a wider view of the network, and as pattern symbolizes this intrusion [4]. such, can detect intrusions on several hosts However, by designing an intelligent agent [2]. A monitor will not only perform a that stores learned signatures in a rule-based higher level of data correlation, but it may architecture, transcievers can be used to be organized in a hierachical fashion [2]. communicate newly learned patterns to the The monitor will be responsible for other agents. providing intrusion information and receiving commands from the user interface. 3. System Architecture Application programmatic interfaces (API) will be used to communicate between An architecture proposed by C.E.R.I.A.S. components [2]. called Autnomous Agents For Intrusion Detection (AAFID) [2], uses autonomous 3.2 Components agents to perform intrusion detection. We shall build on this architecture by adding We shall provide an in-depth description of intelligent agents, which will allow our IDS the architecture components in order to to be able to detect and learn new intrusions. understand the design. Agents are the most essential part of the 3.1 Overview system. Since we have already described their internal design, we will focus on A simple diagram which follows an AAFID describing their interaction with the external architecture is displayed in Figure 1 [2]. environment. First, it is important to realize This basic configuration shows the three that the agent does not have the authority to essential components: agents, transceivers, directly generate an alarm [2]. The results and monitors [2]. In this hierachical design, gathered by the agents are sent to each level will minimize the overhead by transceivers and then monitors, which do performing data reduction per level. posses the authority to generate alarms [2]. Although the components above are based To provide inter-agent communication, on the AAFID architecture, we shall add to agents must communicate to a transceiver, their model by adding intelligent agents. which in term will route the messages to Our defined intelligent agent will make it another agent [2]. Several interesting possible to learn and detect new attacks. possibilities are mentioned as part of the Following the distributed architecture AAFID system which we will implement provided by the AAFID system, we will [2]: allow each host to have a number of agents  Using genetic programming which will be responsible for the monitoring techniques, agents may evolve. of that host [2]. Per host, the agents will  In order to detect long term attacks, report their activities to a transceiver, which agents must employ a mechanism oversee the operations of their agents in that which remembers a state. host. Transceivers will have the ability to  Agents will be allowed to migrate, start, stop, and configure the agents [2]. using iterant agents (or mobile agents) architecture [11].

7 dddLegend

Transceivers Hosts

Monitors Agents

Control Flow Data Flow

E User Interface

Figure 1: This figure reprents the basic design and interaction between AAFID components [2].

Language implementation for all agents will depend on different factors (operating environment, speed, ease of use) and thus will be left to the developers choice.

8 Transceivers will be responsible for two importance to build a comprehensive API in functions: control and data processing [2]. the monitor that allows the user to gather During its control responsibility, any results desired. We will not give such transceivers will: an implementation, as it will be left up to the  Start and stop agents, which will be developer. encapsulated as an order from monitors or another agent.. 3.3 Inter-component communication  Be responsible for keeping track of all agents active on the host. A crucial part of our system is to provide  Repond to different requests by secure and accurate communication between monitors. all components. Any security compromise in the communication of the system can During its data processing responsibility, potentially become malevolent and bring the transceivers will [2]: IDS down. Specifically, since our  Receive reports generated by its intelligent agents have the ability to agents. communicate information, it is important  Process the data (analyze, minimize) that the information passed be accurate. If being brought by the agents. an intelligent agent is somehow  Route the appropriate results to the compromised, erroneous data can cause the monitors. system to be open for an attack. Further, monitors are seen as the highest Additionally, the following are desirable level entity in the AAFID architecture [2]. characteristics [2]: Monitors are the ones that have interaction  Different mechanisms should be with the user, and may detect an attack that used for different communication is unforeseen by transceivers [2]. Monitors needs. are different from transceivers in the sense  Mechanisms should not add a large that they can control entities running in overhead or latency to the network separate hosts, whereas transceivers only they protect. control local agents. Monitors, like  Communications must be reliable to transceivers, have a data processing and arrive at their destination. control role [2]. In the data processing role,  Security and confidentiality should monitors receive data correlated by be supported by a message transceivers that contain the results collected mechanism. by agent groups per host [2]. In their control Topics in secure communication and role, monitors can control transceivers and security in autonomous agents have been agents, and may communicate with other discussed in the AAFID architecture [2, monitors [2]. Also, monitors allow for an cited from 13,14]. API which allows user interaction, which allows the results to be retrieved from 4. Implementation monitors or other lower level components [2]. Although implementation details are left up In the AAFID architecture, C.E.R.I.A.S to a development team, we will look at quotes: “The most complex and feature-full examples of the AAFID architecture IDS can be useless if it does not have good developed in Purdue University which serve mechanisms to allow users to interact with as a proof-of-concept [2]. Although the and control it” [2]. Therefore, it is of major implementations do not take advantage of

9 the intelligent agents defined, such agent and security for inter-component implementations are feasible due to communication. advancements in the artificial intelligence This implementation allows for the current field. testing of new abstractions, and the exploring of new communication 4.1 Real World Examples mechanisms [2].

The first prototype created was built using a 4.2 Design Issues combination of low-level languages and scripting languages; languages used The development of these prototypes have included Perl, Tcl/Tk, and C [2]. Since allow developers at C.E.R.I.A.S. to these languages are very system native and experience some design issues [2]. It is of unportable, the system did not allow for a paramount importance to understand these flexible configuration. Much of the work issues, so they can be resolved in future done in this system was hard-coded, and it systems. used UDP as the communication protocol The main issues gathered from the second (which is unrealiable) [2]. Agents were prototype have been categorized as : developed according to th AAFID communications of components, impact of architecture, but they did not implement the an IDS on the performance of its network, intelligent features discussed earlier [2]. data processing and reduction, and user Besides serving as a proof-of-concept, this interface design [2]. The communications of implementation helped by giving experience components have been categorized as intra- in writing agents, and identifying other host and inter-host communication [2]. design issues, such as the importance of a Their design must provide not only a secure GUI for the monitor [2]. and reliable transfer, but must maintain a The second prototype was written mostly small (if any) overhead on the system. Since in Perl, increasing its portability to different most of the information analyzed will operating systems [2]. Drawing from require a context switch from kernel space to experiences in the first prototype, the second user space, this change will create an prototype allows testing of the architecture, undesirable overhead, which needs to be ease of use, and configurability [2]. The addressed. Network traffic will also major contribution of this implementation increase due to all the data processing, as are [2]: agents will have to process and forward data  Perl implementation allows for to transceivers, which will do the same for portability. monitors. Lastly, the system will suffer  A complete infrastructure greatly if there is not a coherent user implementation that allows interface which allows the administrator to development of new abstractions. retrieve any data he/she needs.  An API definition for agent development was created. 5. Conclusion  A clear separation of abstractions and communications was An IDS has grown to be an important established. defense in an information technology firm.  Communication details were Advances in the fields of security, established, including encapsulation networking, and artificial intelligence have contributed largely to an IDS which will be

10 ready to tackle modern and spontanous Proceedings of the 13th International attacks. The architecture described, coupled Conference of Software and Systems with the intelligent agents defined, provides Engineering and their Applications, the design needed to handle such attacks. Volume 4 (ICSSA 2000), School of Computing, Napier University References Scotland, U.K, December 2000. [1] Biswanath Mukherjee, Todd L. [6] Ramyn J. Hontacyn. Herberlein, and Karl N. Levitt. “ Emerging Technology: Deploying an “Network intrusion detection.” Effective Intrusion Detection System”, IEEE Network, Network Magazine, 8(3):26-41, http://www.networkmagazine.com/article/N May/June 1994 MG20000830S0003 [2] Jai Sundar Balasubramaniyan, Jose [7] Andrew Conry-Murray. Omar Garcia-Fernandez, David Isacoff, “Intrusion Detection”, Eugene Spafford, Diego Zamboni. Network Magazine, “ An Architecture for Intrusion Detection http://www.networkmagazine.com/article/N using Autonomous Agents.” MG20001130S0007 CERIAS Technical Report 98/05, Purdue University, [8] Thomas H. Ptacek and Timothy N. West Lafayette, IN, Newsham. June 11,1998, “ Insertion,evasion, and denial of service: http://www.cerias.purdue.edu/homes/aafid/ Eluding network intrusion detection.” Technical report, Secure Networks, Inc., [3] Dorothy E. Denning. January 1998. “An Intrusion-Detection Model.” IEEE Transactions on Software [9] Eugene H. Spafford, Diego Zamboni. Engineering, “ Intrusion detection using autonomous 13(2):222-232, agents.” February 1987. Computer Networks, 34(4):547-570, [4] James Cannady. C.E.R.I.A.S. , “ Artificial Neural Networks for Misuse Purdue University, Detection.” West Lafayette, IN, School of Computer and Information October 2000. Sciences, Nova Southeastern University, http://www.cerias.purdue.edu/homes/aafid/ Fort Lauderdale, FL 33314, October 5, 1998. [email protected] [10] Stuart Russell, Peter Norvig. “ Artificial Intelligence: A Modern [5] John Pikoulas, William Buchanan, Approach.” Kostas Triantafyllopoulos. “An Intelligent Prentice Hall, Intrusion Detection Environment using ISBN 0-13-103805-2 Software Agents”,

11 Pages 45-61 June, 2001

[11] David Chess, Benjamin N. Grosof, Colin G. Harrison, David W. Levine, Colin J. Parris. “Iterant Agents for Mobile Computing.” IBM publication, Octtober 1995. http://www.research.ibm.com/iagent/paps/rc 20010_abstract.html

[12] Sandeep Kumar, Gene Spafford. “ A Pattern Matching model for Misuse Intrusion Detection”, Proceedings of the the 17th National Computer Security Conference, October 1994

[13] IEEE Journal on Selected Areas in Communications, Special issue on Secure Communications. May 1989

[14] William M. Farmer, Joshu D. Guttman, and Vipin Swarup. “ Security for mobile agents:Issues and requirements”, In Proceedings of the 19th National Information Systems Security Conference, volume 2, pages 591-597, National Insitute of Standards and Technology, October 1996.