Mobile Agents for Intrusion Detection - PowerPoint PPT Presentation

About This Presentation
Title:

Mobile Agents for Intrusion Detection

Description:

High number of False Positives. Burdensome Maintenance. Limited Flexibility ... High Number of False Positives. IDSs still have too many false alarms that an ...

Slides: 23
Provided by: sped9
Learn more at: http://www.cs.sjsu.edu

Transcript and Presenter's Notes

Title: Mobile Agents for Intrusion Detection


1
Mobile Agents for Intrusion Detection
  • Jaromy Ward

2
Mobile Agents?
  • What is a mobile agent?
    • Autonomous
    • Moves on its own to another machine
    • Platform / Agent
    • Duplicative
    • Adaptable

4
Traditional IDS
  • Hierarchical
    • Intrusion detection at end nodes
    • Aggregate nodes take data from end nodes
    • Command and control at top of hierarchy
  • IDS reports possible intrusions to a human
    • The user must then make a decision
      • Is this a real threat?
      • What action should be taken?

5
Problems with Traditional IDS
  • Lack of Efficiency
  • High number of False Positives
  • Burdensome Maintenance
  • Limited Flexibility
  • Vulnerable to Direct Attack
  • Vulnerable to Deception
  • Limited Response Capability
  • No Generic Building Methodology

6
Problems with Traditional IDS
  • Lack of Efficiency
    • Amount of data
    • Host-based IDS
      • Slows down performance of the system
    • Network-based IDS
      • Cannot process all network traffic
  • High Number of False Positives
    • IDSs still have too many false alarms that an intrusion has taken place.
    • Also some attacks still go unnoticed.

7
Problems with Traditional IDS
  • Burdensome Maintenance
    • The maintenance of an IDS requires knowledge of rule sets, which differ from system to system.
  • Limited Flexibility
    • IDSs are written for specific environments
    • Not easily ported to different systems
    • Upgrades require shutting down the IDS

8
Problems with Traditional IDS
  • Vulnerable to Attack
    • Levels of compromise
      • Root level: worst case
      • Aggregation level: next worst case
      • End node level: not too bad
    • Lack of redundancy
    • Lack of mobility
    • Lack of dynamic recovery

9
Problems with Traditional IDS
  • Vulnerable to Deception
    • Network-based IDSs use a generic network protocol stack for analysis
    • An attacker could use this to deceive the IDS into treating a packet as good when in fact it is not
  • Limited Response Capability
    • Delay of response
      • Human response time
      • Distance between end node and controller

10
Advantages of Mobile Agents
  • Reduce Network Load
  • Overcoming Network Latency
  • Autonomous Execution
  • Platform Independence
  • Dynamic Adaptation
  • Static Adaptation
  • Scalability
  • Fault Tolerance
  • Redundancy

11
Advantages
  • Reduce Network Load
    • Computation moved closer to affected nodes
    • Reduction in data to be moved
  • Overcoming Network Latency
    • More immediate response times
    • Closer to end nodes
  • Autonomous Execution
    • Communication with other MAs
    • Cloning of MAs
    • No need for a central authority to take action

12
Advantages
  • Platform Independence
    • Run on any operating system
    • Only need to write code to run on the platform, not the OS
  • Dynamic Adaptation
    • Reactions based on previous intrusions
    • Learn to avoid or move towards areas
    • Cloning for added protection

13
Advantages
  • Static Adaptation
    • Upgrades only require introducing a new agent
    • Old mobile agents removed later
  • Scalability
    • Introduction of more mobile agents
  • Fault Tolerance
    • Moves encrypted through the network with the data it may need

14
Advantages
  • Redundancy
    • Central point of failure removed
    • Harder to locate MAs as they are always moving
    • Keep in contact with other MAs
      • Determine state of network
      • Help other MAs, produce clones

15
Disadvantages of MAs
  • Security
    • Need for PKI
    • Platforms need to ensure the MA is not harmful
      • Signed by trusted authority
      • Encrypted with public key
  • Code Size
    • IDS is complicated
    • Minimize agent size
  • Function
    • Platform provides OS-dependent operations
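The "signed by trusted authority" check above, as an added example in Go that is not part of the presentation: a hypothetical agent platform admits an agent only if the authority's Ed25519 signature over the agent's manifest (name, version, SHA-256 of the code) verifies under the authority key the platform already trusts. The AgentPackage layout, the manifest encoding and the sample agent code are assumptions made here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// AgentPackage is a hypothetical mobile-agent bundle: the agent code plus the trusted
// authority's signature over its manifest (name, version and SHA-256 of the code).
type AgentPackage struct {
	Name      string
	Version   uint32
	Code      []byte
	Signature []byte
}

// manifest builds the canonical bytes the authority signs; hashing the code binds the
// signature to exactly that code, however large the agent is.
func manifest(name string, version uint32, code []byte) []byte {
	h := sha256.Sum256(code)
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	m := append([]byte(name), 0) // NUL keeps the name/version boundary unambiguous
	return append(append(m, v[:]...), h[:]...)
}

// Sign is the trusted authority's step before an agent is released into the network.
func Sign(priv ed25519.PrivateKey, name string, version uint32, code []byte) AgentPackage {
	sig := ed25519.Sign(priv, manifest(name, version, code))
	return AgentPackage{Name: name, Version: version, Code: code, Signature: sig}
}

// Admit is the platform-side check: the agent may run only if its manifest verifies
// under the authority key the platform already trusts, so any change after signing fails.
func Admit(authority ed25519.PublicKey, a AgentPackage) bool {
	return ed25519.Verify(authority, manifest(a.Name, a.Version, a.Code), a.Signature)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	agent := Sign(priv, "collector", 1, []byte("collect(auth.log)")) // constructed agent code
	fmt.Println("genuine agent admitted:", Admit(pub, agent))
	tampered := agent
	tampered.Code = []byte("collect(auth.log); extra()") // altered after signing
	fmt.Println("tampered agent admitted:", Admit(pub, tampered))
}
```

The same check refuses a package whose version field was changed, and a package signed by any key the platform does not trust.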

16
Disadvantages
  • Performance
    • Language used
      • Interpretive
      • Script
    • New Java VM developed to help save state information of the MA.

17
Intrusion Responses
  • Dynamically modify or shutdown Target
  • Automated Tracing of Attackers
  • Automated Evidence Gathering
  • Operations on an Attacker's Host
  • Isolating the Attacker/Target
  • Operations on Attacker and Target Subnet

18
Intrusion Responses
  • Dynamically modify or shut down Target
    • Shut down compromised target
    • Gather more information from target
  • Automated Tracing of Attackers
    • Follow trail of intruder
  • Automated Evidence Gathering
    • Mobile agents move to area of attack
    • Determine what collection is necessary

19
Intrusion Responses
  • Operations on an Attacker's Host
    • Limit operations of attacker
  • Isolating the Attacker/Target
    • Prevent network traffic from attacker/target
  • Operations on Attacker and Target Subnet
    • Deploy multiple agents to flood systems

20
Implementations
  • Mobile agents deployed in a hierarchy
  • Composed of three types of agents
    • Data Collectors
      • Collect specific data
      • Minor processing of data
    • Detection Agents
      • Detect intrusions
      • Trace intrusions
    • Manager Agents
      • Oversee data collectors and detection agents
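The three-agent hierarchy above, as an added example in Go that is not part of the presentation: a Data Collector runs its minor processing at the end node and carries back only per-source failed-login counts (the "reduce network load" advantage from slide 11), a Detection Agent turns counts that reach a threshold into traces, and a Manager Agent dispatches both and gathers the result. The Host type, the log-line format and the log lines themselves are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

type Host struct{ Name string; Log []string } // hypothetical end node; log lines are constructed

// Collect plays the Data Collector: it runs at the end node, does the minor processing
// there (counting failed logins per source) and carries back only those counts.
func Collect(h Host) map[string]int {
	failures := map[string]int{}
	for _, line := range h.Log {
		f := strings.Fields(line) // expected form: "<time> sshd <FAILED|ACCEPTED> <source>"
		if len(f) >= 4 && f[1] == "sshd" && f[2] == "FAILED" {
			failures[f[3]]++
		}
	}
	return failures
}

// Detect plays the Detection Agent: each source reaching the threshold on a host
// becomes a "host<-source" trace to follow.
func Detect(host string, failures map[string]int, threshold int) []string {
	var hits []string
	for src, n := range failures {
		if n >= threshold {
			hits = append(hits, host+"<-"+src)
		}
	}
	return hits
}

// Manage plays the Manager Agent: dispatch a collector to each host, hand the counts
// to a detection agent and gather the traces for the top of the hierarchy.
func Manage(hosts []Host, threshold int) []string {
	var traces []string
	for _, h := range hosts {
		traces = append(traces, Detect(h.Name, Collect(h), threshold)...)
	}
	return traces
}

func main() {
	db1 := Host{"db1", []string{"10:01 sshd FAILED 198.51.100.7", "10:02 sshd FAILED 198.51.100.7",
		"10:03 sshd FAILED 198.51.100.7", "10:05 sshd ACCEPTED 203.0.113.9"}}
	web1 := Host{"web1", []string{"10:04 sshd FAILED 198.51.100.7"}}
	fmt.Println(Manage([]Host{db1, web1}, 3)) // prints [db1<-198.51.100.7]
}
```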

21
Conclusion
  • Still under development
  • Shows great promise
  • Wireless networks could use mobile agent protection.
  • For more information visit http://csrc.nist.gov/mobilesecurity/

22
References
  • Wayne Jansen, Intrusion Detection with Mobile Agents, National Institute of Standards and Technology, October 2001
  • T. Karygiannis, Network Security Testing Using Mobile Agents, National Institute of Standards and Technology, June 2002
  • Peter Mell, Mark McLarnon, Mobile Agent Attack Resistant Distributed Hierarchical Intrusion Detection Systems, National Institute of Standards and Technology, November 1999
  • Gene Bradshaw, Mark Greaves, Heather Holmback, T. Karygiannis, Wayne Jansen, Barry Silverman, Niranjan Suri, Alex Wong, Agents for the Masses?, IEEE Journal, pp. 53-63, March/April 1999
  • Asaka, S. Okazawa, A. Taguchi, and S. Goto, A Method of Tracing Intruders by Use of Mobile Agents, Proceedings of the Ninth Annual Internet Society Conference INET'99, San Jose, California, June 1999
  • W. Jansen, P. Mell, T. Karygiannis, D. Marks, Mobile Agents in Intrusion Detection and Response, National Institute of Standards and Technology, February 2000
  • Jai Balasubramaniyan, Jose Omar Garcia-Fernandez, David Isacoff, E. H. Spafford, and Diego Zamboni, An Architecture for Intrusion Detection using Autonomous Agents, Department of Computer Sciences, Purdue University, COAST TR 98-05, 1998
  • David Kotz, Robert Gray, Mobile Agents and the Future of the Internet, Department of Computer Science, Dartmouth College, New Hampshire, December 2002
  • Christopher Kruegel, Thomas Toth, Applying Mobile Agent Technology to Intrusion Detection, Technical University Vienna, Vienna, Austria, April 2001
  • W. Jansen, P. Mell, T. Karygiannis, D. Marks, Applying Mobile Agents in Intrusion Detection and Response, NIST Interim Report 6416, National Institute of Standards and Technology, October 1999