Distributed Agents

I am a final-year postgraduate engineering student at IIT Kharagpur. I have over 10 years' experience in the Telecom / IT industry and am currently on a sabbatical from my organization. My final-year project is based on software agents in distributed systems, and this blog is my attempt to chronicle the progress of my project.

Wednesday, September 13, 2006

Advantages of mobile agents

Why use mobile agents for intrusion detection? Some reasons which I could dig up are given below. They have been gathered primarily from:

W. Jansen, P. Mell, T. Karygiannis and D. Marks, "Mobile Agents in Intrusion Detection and Response", National Institute of Standards and Technology, Gaithersburg, MD 20815.

· Overcoming Network Latency: Mobile agents can be dispatched to carry out operations directly at the remote point of interest, allowing them to respond in real time to changes in their environment. In addition to detecting and diagnosing potential network intrusions, mobile agents can provide appropriate response mechanisms. Such actions include gathering attack information sent to or emitted by the target of an attack, shutting down or isolating a system under attack to protect it from further damage, tracing the path of an attack, and shutting down or isolating an attacker's system if the attack is launched from an internal host.

· Reducing Network Load: Instead of transferring the data across the network, mobile agents can be dispatched to the machine on which the data resides, essentially moving the computation to the data instead of moving the data to the computation, thus reducing the network load. A side benefit, where confidentiality is a concern, is the efficiency of moving an encrypted agent and its refined data rather than all of the raw data in encrypted form.

· Autonomous and Asynchronous Execution: For large distributed systems, the ability of the system to continue to operate when portions of it are destroyed or become isolated is essential. Mobile agents can exist and function independently of the creating platform, making them useful as IDS components.

· Dynamic Adaptation: The ability for mobile agent systems to sense their environment and react to changes is useful in intrusion detection. Agents may move elsewhere to gain better position or avoid danger, clone themselves for redundancy and parallelism, or marshal other agents for assistance. When combined with autonomous and asynchronous execution, these characteristics facilitate the building of robust and fault-tolerant systems.

· Platform Independence: Agent systems provide an abstract computing environment for agents, independent of the computer hardware and software on which they execute. These characteristics make it a suitable broad-based environment for network management applications in general and intrusion detection in particular, allowing relatively unfettered movement of agents within a domain. This is especially beneficial to response mechanisms, since when an intrusion is detected, remedies can be applied at or initiated from nearly any place in the network.

· Protocol Encapsulation: In conventional systems, the host owns the interface between communicating entities, so any change to it has to be synchronised across all parties for continued interoperation. Mobile agents can carry the protocol with them, so moving an agent to another host brings about an upgrade of the interface on that host.

Friday, September 08, 2006

Some more agent based IDS models

The Java Agents for Meta-Learning (JAM) project at Columbia University applies meta-learning to distributed data mining using intelligent agents. The design has two key components: local agents that learn how to detect fraud and provide intrusion detection services within a single corporate information system, and a secure, integrated meta-learning system that combines the collective knowledge acquired by the individual local agents. Data mining, like neural networks and other single-point learning applications, does not by itself engender knowledge sharing among agents. The meta-learning approach attempts to overcome this limitation by integrating a number of separately learned classifiers embodied as remote agents.

A project at Iowa State University involves an IDS based upon intelligent agent technology, in a manner somewhat similar to JAM. Mobility is used to allow various types of intelligent agents that employ classifier algorithms to travel among collection points, referred to as data cleaners, and uncover suspicious activities. The architecture is hierarchical, with a data warehouse at the root, data cleaners at the leaves, and classifier agents in between. A classifier agent specialises in a specific category of intrusion and is capable of collaborating with agents of another category to determine the severity level of an activity deemed suspicious. Moving the computational analysis to each collection point avoids the costly movement of information to an aggregation unit. The resulting arrangement is also less likely to be vulnerable to attack, since static aggregation units are avoided.


The Intrusion Detection Agent (IDA) system at the Information-technology Promotion Agency (IPA) in Japan relies on mobile agents to trace intruders among the various hosts involved in an intrusion. IDA works by focusing on specific events that may relate to intrusions, referred to as "Marks Left by Suspected Intruder" (MLSI). If an MLSI is found, IDA gathers information related to the MLSI, analyses the information, and decides whether or not an intrusion has occurred. The system follows a hierarchical structure, with a central manager at the root and a variety of agents at the leaves. A sensor agent statically resides at a node in search of an MLSI and, upon discovery, notifies the manager, which dispatches a tracing agent to the host. The tracing agent initiates an information-gathering agent to collect related information at the host and continues on to any site identified as a suspected point of origination. The information-gathering agent returns to the manager with its results and logs them on a bulletin board, used for integrating the information collected about the intrusion from the various agents involved. The tracing agent eventually returns to the manager when it exhausts all routes or ends up at the final point of origination. Possible duplication caused by multiple sensors detecting the same intrusion is resolved through a message board at each monitored host. The developers indicate that the resulting system is an efficient and effective way of detecting intrusions.
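To make the control flow of the IDA scheme concrete, here is a small Python simulation of it. This is an added example, not code from the IDA/IPA project (which is not publicly available to me): the MLSI is taken to be a login that arrived from another monitored host, the per-host login records are constructed for the demonstration, the message board is modelled as a per-host set of MLSIs already reported, and the visited-set loop check is my own addition so that a tracing agent following a cycle of hosts still "exhausts all routes" and returns.

```python
"""Simulation of IDA-style intrusion tracing (added example, not IDA's code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Record = Tuple[str, str]        # (user, host or address the login came from)

# Constructed per-host login records. A login that arrived from another
# monitored host is the MLSI ("Mark Left by Suspected Intruder") used here.
HOSTS: Dict[str, List[Record]] = {
    "web01":   [("alice", "db01"), ("bob", "build01")],
    "db01":    [("alice", "jump01")],
    "jump01":  [("alice", "203.0.113.7")],   # external origin (documentation range)
    "build01": [("bob", "web01")],           # forms a loop with web01
}
MONITORED: Set[str] = set(HOSTS)


def gather(host: str, user: str) -> Optional[Record]:
    """Information-gathering agent: the login record for `user` on `host`."""
    return next((r for r in HOSTS[host] if r[0] == user), None)


@dataclass
class Manager:
    """Central manager: dispatches tracing agents and keeps the bulletin board."""
    bulletin: List[Tuple[str, Optional[Record]]] = field(default_factory=list)
    boards: Dict[str, Set[Record]] = field(default_factory=dict)   # per-host message boards
    traces_dispatched: int = 0

    def sensor_report(self, host: str, mlsi: Record) -> Optional[dict]:
        """A sensor agent on `host` found an MLSI. A second report of the same
        MLSI on the same host (two sensors, same intrusion) is dropped."""
        board = self.boards.setdefault(host, set())
        if mlsi in board:
            return None
        board.add(mlsi)
        self.traces_dispatched += 1
        return self.trace(host, mlsi)

    def trace(self, host: str, mlsi: Record) -> dict:
        """Tracing agent: hop from host to host following the login chain until
        it leaves the monitored set (origin found) or no route remains."""
        user = mlsi[0]
        path: List[str] = []
        visited: Set[str] = set()
        current = host
        while current in MONITORED and current not in visited:
            visited.add(current)
            path.append(current)
            record = gather(current, user)
            self.bulletin.append((current, record))   # results logged centrally
            if record is None:                         # no further route from here
                return {"path": path, "origin": None}
            current = record[1]
        origin = None if current in MONITORED else current   # loop => no origin
        return {"path": path, "origin": origin}


if __name__ == "__main__":
    m = Manager()
    print(m.sensor_report("web01", ("alice", "db01")))     # traced to 203.0.113.7
    print(m.sensor_report("web01", ("alice", "db01")))     # None: duplicate suppressed
    print(m.sensor_report("build01", ("bob", "web01")))    # loop, origin None
```

The first trace hops web01, db01, jump01 and stops at the external address; the repeated sensor report is suppressed by the host's message board; the bob trace walks build01 to web01 and back, finds no new route and returns without an origin, which is the "exhausts all routes" case.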

Monday, September 04, 2006

Existing IDS models based on mobile agents

Before designing the system, it is imperative to carry out a literature survey of existing implementations. The following papers appear to be interesting. They provide a good overview of the several uses of a mobile agent in a security context. I am right now concentrating on looking at implementations. The idea is to study various architectures of a distributed security solution before designing my own.


Sobirey, Michael, and Birk Richter, "The Intrusion Detection System AID", Brandenburg University of Technology at Cottbus.

A client-server architecture that consists of agents residing on network hosts and a central monitoring station. Information is collected by the agents and sent to the central monitor for processing and analysis. It currently has 100 rules implemented and can detect ten attack scenarios. The prototype monitor is capable of handling eight agents. This system currently runs only on Unix-based systems.

Zamboni, Diego, Jai Sundar Balasubramaniyan, Jose Omar Garcia-Fernandez, David Isacoff, and Eugene Spafford, “An Architecture for Intrusion Detection Using Autonomous Agents”, COAST Technical Report 98/05, COAST Laboratory, Purdue University, June 1998.


AAFID is designed as a hierarchy of components, with agents at the lowest level of the tree performing the most basic functions. Agents can be added, started, or stopped, depending on the needs of the system. AAFID agents detect basic events and report to a transceiver, which performs some basic analysis on the data and sends commands to the agents. A transceiver may transmit data to a transceiver on another host. If any interesting activity takes place, it is reported up the hierarchy to a monitor. The monitor analyses the data of many transceivers to detect intrusions in the network. A monitor may report information to a higher-level monitor. The AAFID monitors still constitute a central point of failure in the system. AAFID has been developed into two prototypes: AAFID, which had many hard-coded variables and used UDP for inter-host communication, and AAFID2, which was developed completely in Perl and is more robust. Both run only on Unix-based systems.

Neumann, Peter G., and Phillip A. Porras, "Experience with EMERALD to Date", Proceedings of the 1st USENIX Workshop on Intrusion Detection and Network Monitoring, Santa Clara, CA, April 1999.

EMERALD is designed to monitor large distributed networks with analysis and response units called monitors. Monitors are deployed sparingly throughout a domain to analyse network services. The information from these monitors is passed to other monitors that perform domain-wide correlation, obtaining a higher-level view of the network. These in turn report to enterprise-level monitors that analyse the entire network. EMERALD is a rule-based system. The target operating system has not been stated, but it is being designed as a multi-platform system. EMERALD provides a distributed architecture with no central controller or director; since the monitors are placed sparingly throughout the network, they could miss events happening on an unmonitored section.

These are some papers which I have reviewed so far.

JADE


As the project will be Java based and will involve extensive inter-agent communication, it is better to use an existing agent framework: a Java-based distributed application written from scratch would involve significant complexity in inter-agent communication. There are several open source agent frameworks which provide a standardised inter-agent communication format. After careful consideration of the various open source software agent platforms available, I have shortlisted JADE.

JADE (Java Agent DEvelopment Framework) is a software framework fully implemented in the Java language. It simplifies the implementation of multi-agent systems through a middleware that complies with the FIPA specifications and through a set of graphical tools that support the debugging and deployment phases. The agent platform can be distributed across machines (which need not even share the same OS), and the configuration can be controlled via a remote GUI. The configuration can even be changed at run time by moving agents from one machine to another as and when required. The minimum system requirement is Java 1.4 (the run-time environment or the JDK).

The other advantages are the various security plug-ins available for JADE and an incredibly active online forum.

So long till the next post.

Aim of this blog


The main purpose of this blog is to chronicle the various steps which I take towards completing my final project. The scope of my project is given below.

  • Implement a distributed firewall based on mobile software agents on a test bed consisting of Windows and Linux platforms
  • The security policy will be centrally defined and dynamically configured from a centralised GUI. The enforcement of the security policy is carried out by mobile software agents at individual hosts (micro-firewall agents).
  • The security policy will be adaptive and will dynamically respond to emerging network threats. This will involve a central correlator agent

Implementation methodology

As the test bed involves multiple platforms over which similar instances of a single software agent will execute, Java is the logical platform. Each instance of the agent will function as a separate thread. But as each agent (micro-firewall) will execute system calls pertaining to specific network services on different operating systems, a certain amount of per-platform customisation is unavoidable.

The distributed application will be based on mobile software agents (micro-firewalls) whose individual parameters will be varied as per messages exchanged between them and the central interface for specifying the security policy.
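The following Python simulation shows the message flow the scope and methodology above describe: a central policy pushed to per-host micro-firewall agents, each agent enforcing it with first-match semantics, and a central correlator agent that adapts the policy when alerts from several hosts point at the same source. It is an added example and not the project's code (the project itself is to be written in Java on JADE); the rule format, the alert format, the "three distinct host/port targets" threshold, the host names and the sample traffic are all assumptions made for the demonstration. Real enforcement would hand the decision to the host's packet filter; here the decision is simply returned.

```python
"""Distributed micro-firewall simulation (added example, not the project's code)."""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

Alert = Tuple[str, str, int]    # (reporting host, source address, destination port)


@dataclass(frozen=True)
class Rule:
    """One line of the central security policy (format assumed here)."""
    action: str            # "allow" or "deny"
    src: str               # source network in CIDR notation
    dport: Optional[int]   # destination port, None = any port

    def matches(self, src_ip: str, dport: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and (self.dport is None or self.dport == dport))


@dataclass
class MicroFirewall:
    """Per-host enforcement agent holding the policy received from the GUI."""
    host: str
    rules: List[Rule] = field(default_factory=list)
    alerts: List[Alert] = field(default_factory=list)

    def load_policy(self, rules: List[Rule]) -> None:
        self.rules = list(rules)            # policy message from the central GUI

    def filter(self, src_ip: str, dport: int) -> str:
        """First matching rule wins; anything unmatched is denied and reported."""
        for rule in self.rules:
            if rule.matches(src_ip, dport):
                if rule.action == "deny":
                    self.alerts.append((self.host, src_ip, dport))
                return rule.action
        self.alerts.append((self.host, src_ip, dport))
        return "deny"


@dataclass
class Correlator:
    """Central correlator: once a source has been denied on `threshold`
    distinct host/port targets, push a block rule to every agent."""
    agents: Dict[str, MicroFirewall]
    threshold: int = 3
    seen: Dict[str, Set[Tuple[str, int]]] = field(default_factory=lambda: defaultdict(set))
    blocked: Set[str] = field(default_factory=set)

    def collect(self) -> Set[str]:
        for agent in self.agents.values():
            while agent.alerts:
                host, src_ip, dport = agent.alerts.pop(0)
                self.seen[src_ip].add((host, dport))
                if len(self.seen[src_ip]) >= self.threshold and src_ip not in self.blocked:
                    self.push_block(src_ip)
        return set(self.blocked)

    def push_block(self, src_ip: str) -> None:
        self.blocked.add(src_ip)
        block = Rule("deny", f"{src_ip}/32", None)
        for agent in self.agents.values():
            agent.rules.insert(0, block)       # prepended so it wins under first-match


BASE_POLICY = [
    Rule("allow", "10.0.0.0/8", 22),     # SSH only from the internal range
    Rule("allow", "0.0.0.0/0", 80),      # HTTP from anywhere; everything else denied
]


def run_scenario() -> Dict[str, object]:
    """Constructed traffic: 198.51.100.9 (documentation range) probes three
    hosts, is blocked everywhere, and so loses the HTTP access it had before."""
    agents = {h: MicroFirewall(h) for h in ("web01", "web02", "db01")}
    for agent in agents.values():
        agent.load_policy(BASE_POLICY)
    corr = Correlator(agents)

    before = agents["web01"].filter("198.51.100.9", 80)      # allowed by base policy
    probes = [agents["web01"].filter("198.51.100.9", 22),
              agents["web02"].filter("198.51.100.9", 22),
              agents["db01"].filter("198.51.100.9", 3306)]
    blocked = corr.collect()                                  # threshold reached
    after = agents["web01"].filter("198.51.100.9", 80)       # now denied on every host
    internal = agents["db01"].filter("10.1.2.3", 22)         # internal SSH unaffected
    return {"before": before, "probes": probes, "blocked": blocked,
            "after": after, "internal": internal}


if __name__ == "__main__":
    print(run_scenario())
```

The point to notice is the last two decisions: the pushed block rule overrides the static allow for port 80 because it is prepended, while traffic matching the unchanged internal rule is untouched. The correlator counts distinct host/port targets rather than raw alert volume so that a single noisy host cannot trip the threshold on its own.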

More on the next post