A Method of Tracing Intruders by Use of Mobile Agents PowerPoint PPT Presentation


1
A Method of Tracing Intruders by Use of Mobile Agents
  • Midori Asaka, Shunji Okazawa
  • Atsushi Taguchi, Shigeki Goto
  • INET 99

2
Outline
  • Introduction
  • IDA (Intrusion Detection Agent system)
  • Components
  • Action
  • Implementation Evaluation
  • Conclusion

3
Introduction
  • Motivation
    - Employing both misuse-detection and anomaly-detection
      techniques is often inefficient.
    - The volume of system logs routinely transferred to an
      intrusion-detection server is very large.
  • IDA (Intrusion Detection Agent system)
    - MLSI (Marks Left by Suspected Intruder): events that may
      relate to intrusions
    - Adopts a mobile-agent paradigm: no need to transfer system
      logs to the server

4
Components of IDA
  • Manager
    - One per network segment
    - Analyzes the information gathered by information-gathering
      agents
    - Decides whether an intrusion occurred
  • Sensor
    - One per target system
    - Monitors the system logs in search of MLSIs
    - If a sensor finds an MLSI, it reports it to the manager.
  • Tracing agent
    - Traces the path of an intrusion
    - When an MLSI is reported to a manager, the manager launches
      a tracing agent to the target system.

5
Components of IDA (Contd)
  • Information-gathering agent
    - Activated by a tracing agent
    - Gathers information related to the MLSI and reports it to
      the manager
  • Bulletin board
    - Exists on the manager machine
    - Used for recording the information gathered from target
      systems by information-gathering agents
  • Message board
    - Exists on each target system
    - Used to prevent the traces of several tracing agents from
      overlapping

6
Action of IDA
  • If a sensor detects an MLSI in the system log, it reports
    the MLSI to the manager.
  • The manager dispatches a tracing agent to the target system.
  • The tracing agent activates an information-gathering agent
    on that system.
  • The tracing agent investigates the point of origin of the
    MLSI (which system on the route it came from).
  • After collecting information, the information-gathering
    agent returns to the manager and enters the information on
    the bulletin board.
  • The tracing agent moves to the next target system on the
    tracing route and activates a new information-gathering
    agent there, repeating until it arrives at the origin of the
    route.
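
The component interaction of slides 4 to 6 (sensor report, tracing agent hopping back along the route, one information-gathering agent per hop, bulletin board on the manager, message board on each target) as an added example in Python. This is illustration code written for this transcript, not code from the presentation or from the IDA implementation. The host names, the session chain in SESSION_SOURCE, the per-host facts in HOST_FACTS and the "claim once" policy of the message board are all assumptions made for the example.

```python
from itertools import count

# Constructed network state (assumption, not data from the paper).  For each
# host, the remote host whose session was used to reach it; None marks the
# console login that begins the intrusion route.
SESSION_SOURCE = {"hostC": "hostB", "hostB": "hostA", "hostA": None}

# What an information-gathering agent would find on each host (constructed).
HOST_FACTS = {
    "hostC": {"login": "www from hostB", "note": "root shell spawned by uid 80"},
    "hostB": {"login": "guest from hostA", "note": "no MLSI in local log"},
    "hostA": {"login": "mallory on console", "note": "no MLSI in local log"},
}


class BulletinBoard:
    """Lives on the manager machine; holds everything gathering agents bring back."""

    def __init__(self):
        self.entries = []  # (trace_id, host, facts), in arrival order

    def post(self, trace_id, host, facts):
        self.entries.append((trace_id, host, facts))

    def route(self, trace_id):
        """Hosts recorded for one trace, in the order they were visited."""
        return [h for t, h, _ in self.entries if t == trace_id]


class MessageBoard:
    """One per target system.  A tracing agent writes its id here before working
    on the host; a later agent that finds the host already claimed stops, so two
    traces of overlapping routes do not repeat the same hops (this also breaks
    cycles in SESSION_SOURCE).  Claim-once is an assumption of this example."""

    def __init__(self):
        self.claimed_by = None

    def claim(self, trace_id):
        if self.claimed_by is not None:
            return False
        self.claimed_by = trace_id
        return True


class InformationGatheringAgent:
    """Activated by a tracing agent on one host; collects facts tied to the MLSI
    and carries them back to the manager's bulletin board."""

    def __init__(self, trace_id, host):
        self.trace_id, self.host = trace_id, host

    def gather(self):
        return dict(HOST_FACTS.get(self.host, {}))

    def return_to(self, manager):
        manager.bulletin.post(self.trace_id, self.host, self.gather())


class TracingAgent:
    """Moves from the host that reported the MLSI back along the session chain."""

    def __init__(self, trace_id, manager):
        self.trace_id, self.manager = trace_id, manager

    def run(self, start_host):
        host, visited = start_host, []
        while host is not None:
            if not self.manager.message_board(host).claim(self.trace_id):
                break  # another trace already covered this host and the rest of the route
            visited.append(host)
            InformationGatheringAgent(self.trace_id, host).return_to(self.manager)
            host = SESSION_SOURCE.get(host)  # next hop toward the origin
        return visited


class Manager:
    """One per network segment: receives sensor reports, dispatches tracing agents."""

    def __init__(self, hosts):
        self.bulletin = BulletinBoard()
        self._boards = {h: MessageBoard() for h in hosts}
        self._ids = count(1)
        self.reports = []  # (trace_id, host, event) as reported by sensors

    def message_board(self, host):
        return self._boards.setdefault(host, MessageBoard())

    def report_mlsi(self, host, event):
        """Entry point a sensor calls when it finds an MLSI in the local log."""
        trace_id = next(self._ids)
        self.reports.append((trace_id, host, event))
        route = TracingAgent(trace_id, self).run(host)
        return trace_id, route

    def origin(self, trace_id):
        route = self.bulletin.route(trace_id)
        return route[-1] if route else None


if __name__ == "__main__":
    m = Manager(SESSION_SOURCE)
    tid, route = m.report_mlsi("hostC", "root shell started by uid 80")
    print("trace", tid, "route", route, "origin", m.origin(tid))
    for t, h, facts in m.bulletin.entries:
        print(" ", t, h, facts)
    tid2, route2 = m.report_mlsi("hostB", "/etc/passwd modified")
    print("trace", tid2, "route", route2, "(hostB already claimed by trace", tid, ")")
```

The second report shows the message board's purpose: the MLSI on hostB lies on a route trace 1 already walked, so trace 2 stops at once instead of gathering the same hostB and hostA information again.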

7
Implementation
  • Only local-attack detection and intrusion-route tracing
    within a LAN are considered.
  • Definition of MLSIs
    - Most local attacks involve starting an unauthorized root
      shell and modifying critical files related to system
      security.
    - MLSIs: start-up of a root shell; modification of critical
      files such as /etc/passwd, /etc/shadow, /etc/hosts.equiv,
      and /.rhosts
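
A sensor-side check for the two MLSIs defined on this slide, as an added example in Python that is not the paper's own sensor code. It scans log lines in a key=value format invented for this example (not a real audit format), flags any shell started with effective uid 0 and any write to one of the listed critical files, and normalizes the path so that `/etc/./passwd` is still recognized. The SHELLS list and the SAMPLE_LOG lines are constructed assumptions.

```python
import posixpath
import re
from dataclasses import dataclass

# Files whose modification the slide lists as an MLSI.
CRITICAL_FILES = {"/etc/passwd", "/etc/shadow", "/etc/hosts.equiv", "/.rhosts"}
# Programs treated as shells (assumption; extend for the target platform).
SHELLS = {"/bin/sh", "/bin/bash", "/bin/csh", "/bin/ksh", "/bin/zsh"}

# Constructed log format used only by this example:
#   <timestamp> <host> exec uid=<n> euid=<n> cmd=<path>
#   <timestamp> <host> open uid=<n> path=<file> mode=<r|w>
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<op>exec|open)\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Mlsi:
    """One mark left by a suspected intruder, as the sensor would report it."""
    ts: str
    host: str
    kind: str    # "root_shell" or "critical_file_modified"
    detail: str


def parse(line):
    """Split one log line into (timestamp, host, operation, fields) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m["ts"], m["host"], m["op"], dict(KV_RE.findall(m["rest"]))


def find_mlsis(lines):
    """Return the MLSIs found in an iterable of log lines, in log order."""
    found = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue  # unknown line shape: not an MLSI, but not an error either
        ts, host, op, f = parsed
        if op == "exec" and f.get("euid") == "0" and f.get("cmd") in SHELLS:
            # Any shell running as root counts; uid != euid is the classic escalation.
            found.append(Mlsi(ts, host, "root_shell", f"uid={f.get('uid')} cmd={f['cmd']}"))
        elif op == "open" and f.get("mode") == "w":
            # Normalize "." and ".." so a dressed-up path still matches the list.
            path = posixpath.normpath(f.get("path", ""))
            if path in CRITICAL_FILES:
                found.append(Mlsi(ts, host, "critical_file_modified",
                                  f"uid={f.get('uid')} path={path}"))
    return found


# Constructed sample log: two MLSIs, three benign lines, one malformed line.
SAMPLE_LOG = [
    "2023-03-01T09:12:03 web1 exec uid=80 euid=0 cmd=/bin/sh",
    "2023-03-01T09:12:04 web1 open uid=0 path=/etc/./passwd mode=w",
    "2023-03-01T09:12:05 web1 open uid=80 path=/etc/passwd mode=r",
    "2023-03-01T09:12:06 web1 exec uid=1001 euid=1001 cmd=/bin/bash",
    "this line is not in the expected format",
    "2023-03-01T09:12:07 web1 open uid=0 path=/var/log/messages mode=w",
]

if __name__ == "__main__":
    for mark in find_mlsis(SAMPLE_LOG):
        print(mark)  # in IDA terms: each of these would be reported to the manager
```

Symbolic links are not resolved here (normpath is purely lexical), so on a real system the sensor should compare the path the kernel actually opened, not the string the process passed.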

8
Evaluation
  • Since many Internet intrusions are carried out with cracking
    tools distributed on the Internet, the authors simulated
    attacks against IDA using these tools.
  • Classification of the tools used
  • IDA detected 92.3% of all local attacks.

9
Evaluation (Contd)
  • Mobile-agent performance
    - Measured the time from when a sensor detects an MLSI to
      when the tracing agent returns to the manager, for each
      number of target systems contained in the intrusion route.

10
Conclusion
  • IDA does not gather information from the entire network,
    only information related to the MLSI.
  • Even when IDA fails to detect an intrusion directly on one
    target, it may ultimately detect it indirectly from the
    information gathered from other targets on the same
    intrusion route.