An Agent Based Intrusion Detection, Response and Blocking using signature method in Active Networks

(Synopsis)

Abstract

As attackers use automated methods to inflict widespread damage on vulnerable systems connected to the network, it has become painfully clear that traditional manual methods of protection do not suffice. This paper discusses an intrusion prevention approach, with intrusion detection and response based on active networks, that helps to provide rapid response to vulnerability advisories.

An intrusion detection and intrusion blocking mechanism can provide interim protection against a limited and changing set of high-likelihood or high-priority threats. It is expected that this mechanism would be easily and adaptively configured and deployed to keep pace with the ever-evolving threats on the network. Intrusion detection and response are based on an agent system, and digital signatures are used to provide security.

Active networks are an exciting development in networking services in which the infrastructure provides customizable network services to packets. The custom network services can be deployed by the user inside the packets themselves. In this paper we propose the use of agent based intrusion detection and response. Agents are integrated with the collaborative IDS in order to provide them with a wider array of information to use in their response activities.
1. Introduction

Patches for system vulnerabilities are usually available long before a significant number of intrusions have occurred. This provides a “window of opportunity” during which administrators could patch or reconfigure their systems to be immune to such intrusions. While patching or reconfiguring systems is the most reliable solution, it is not always possible to do so in a timely manner. Current trends indicate that this window of opportunity is shrinking rapidly.

An active network is one in which infrastructure nodes and end-hosts serve as platforms for the execution of task-specific programs. These programs may be deployed once as upgrades to the core infrastructure or may travel the network along with protocol data, executing on a hop-by-hop basis. Active networks allow the rapid creation, deployment, and reconfiguration of networking services. They can tailor the shared network infrastructure to suit particular security needs. We have used active networks to provide an extensible intrusion prevention solution that can harness the existing routing infrastructure. We believe that leveraging the resources of routers, already topologically positioned along potential attack paths, can give the power and flexibility to provide quick and efficient attack prevention. Active networks allow flexible installation of intrusion prevention capabilities anywhere in the network at any time.

Why Active Networks

The active networks model [4] [5] is a fertile foundation for developing a good intrusion prevention solution. The active networks concept was first proposed by Tennenhouse and Wetherall [6] (a similar concept was proposed by Zander and Forchheimer [7]). They suggested that the ability to create dynamic services atop a flexible, generic infrastructure would rapidly increase the pace of innovation in networking and distributed systems. Active code, transported in conjunction with the data upon which it operates, can carry out distributed computation by migrating from node to node, thus leveraging the vast computational resources of the network. The dynamism envisioned by active network researchers is appealing for a variety of networked applications. This work is part of a DARPA research project whose objectives include serving as a test case to assess whether DARPA-funded active network ideas and technology can add significant value to conventional TCP/IP networks, particularly in the automated intrusion detection and response (IDR) problem domain.
Security Architecture

SANTS is an active network execution environment (EE) that provides authentication and authorization services based on digital certificates [8]. It provides security enhancements to the ANTS EE [6] and was intended to support short-lived, high-level applications. In the SANTS model, a program arrives in one or more packets. The SANTS EE verifies the integrity of the packets containing the application and its parameters, then executes the application synchronously. The program can perform computations and clone and migrate itself to other active nodes. SANTS maintains packet integrity on a hop-by-hop and end-to-end basis. SANTS provides strong end-to-end authentication to enable per-method authorization enforcement, and also provides key and certificate management services. An application can request that SANTS add one or more certificates to its packets. When a packet arrives at a node, SANTS verifies the signatures and constructs a security context from the verified certificates. Per-method authorization decisions are made on the basis of this security context with respect to the policy stored in a local file.
Intrusion Detection

Two methods are suggested for the protection of active packets: fault tolerance techniques and encryption. Encryption refers to the situation where active packets do not consist of clear-text code and data. Encryption is usually used for code and data in transit. However, the programs may even be executed in a non-clear-text form, which leads to the concept of cryptography. The fault tolerance techniques are replication, persistence, and redirection. Replication means that packets replicate at each node. Persistence means that packets are temporarily stored against node failure, so that even if a node crashes, the copy persists in storage. Redirection means that packets may seek alternative routes in case their default route fails. Replication and persistence are unacceptable for the vast majority of network packets because they consume memory and bandwidth; only very important active packets, such as packets installing a new version of a routing protocol in all nodes, should be allowed to do this. Redirection and encryption have broader applications in packet protection because they basically consume only CPU cycles.

A combination of fault tolerance techniques and encryption may give very good results in the problem of protecting active packets. However, because these techniques are still in their infancy, there is much to be done before definite results are reached.

Combining all of the above, when a packet containing executable code arrives at a node, the system must:

• Accept the authenticity of the credentials of the packet,
• Identify the sending network element,
• Identify the sending user,
• Authorize access to appropriate resources based on these identifications and credentials,
• Allow execution based on the authorizations and security policy,
• Monitor and control access to system resources throughout the execution,
• If needed, encrypt the packet to protect its code and data in transit,
• Establish the connection to access the data,
• Send a signal to block the connection.

If the packet is not identified properly, then it may be allowed to execute the code in a restricted environment or it may not be allowed to execute the code at all [9].
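The following is an added example, not SANTS code, that walks the per-node checks listed above in the shape the Security Architecture section describes: each credential on the packet is verified, only the verified ones form the security context that identifies the sending element and user, a local policy decides per method, and resource use is metered during execution. An HMAC keyed per issuer stands in for certificate signatures so the example runs offline with the standard library; the issuers, policy entries, method names and budget are constructed for the example.

```python
"""Added example, not SANTS code: the per-node checks listed above, modelled
on the SANTS description (verify credentials, build a security context from
the verified ones, authorize per method against a local policy, meter
resources during execution). HMAC over a per-issuer key stands in for the
certificate signatures so the example runs offline with the standard
library; the issuers, policy and methods are constructed for the example."""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed trust store: issuer name -> verification key (stand-in for CA certs).
ISSUER_KEYS = {
    "router-ca": b"constructed-router-ca-key",
    "user-ca": b"constructed-user-ca-key",
}

# Constructed contents of the local policy file: method -> who may invoke it.
POLICY = {
    "read_counters": {"element": {"edge-router-7"}, "user": {"alice", "netops"}},
    "install_filter": {"element": {"edge-router-7"}, "user": {"netops"}},
}


@dataclass
class Credential:
    issuer: str   # trust anchor that vouches for this credential
    kind: str     # "element" (sending network element) or "user" (sending user)
    subject: str  # identity being asserted
    mac: str      # hex HMAC-SHA256 over (issuer, kind, subject)


def _message(issuer, kind, subject):
    return json.dumps([issuer, kind, subject]).encode()


def sign_credential(issuer, kind, subject):
    """Issue a credential (what a certificate authority would do)."""
    mac = hmac.new(ISSUER_KEYS[issuer], _message(issuer, kind, subject), hashlib.sha256)
    return Credential(issuer, kind, subject, mac.hexdigest())


def verify_credential(cred):
    """Step 1: accept only credentials whose signature checks out."""
    key = ISSUER_KEYS.get(cred.issuer)
    if key is None:
        return False
    expected = hmac.new(key, _message(cred.issuer, cred.kind, cred.subject), hashlib.sha256)
    return hmac.compare_digest(expected.hexdigest(), cred.mac)


def build_security_context(credentials):
    """Steps 2-3: identify sending element and user from verified credentials only."""
    ctx = {"element": None, "user": None}
    for cred in credentials:
        if cred.kind in ctx and verify_credential(cred):
            ctx[cred.kind] = cred.subject
    return ctx


def authorize(method, credentials):
    """Steps 4-5: 'execute', 'restricted' (improperly identified packet runs
    sandboxed) or 'deny' (identified, but policy forbids the method)."""
    ctx = build_security_context(credentials)
    if ctx["element"] is None or ctx["user"] is None:
        return "restricted"
    rule = POLICY.get(method)
    if rule and ctx["element"] in rule["element"] and ctx["user"] in rule["user"]:
        return "execute"
    return "deny"


def run_under_budget(operations, budget):
    """Step 6: meter resource use throughout execution and stop at the budget.
    operations is a list of (name, cost) pairs; returns (completed, status)."""
    used, completed = 0, []
    for name, cost in operations:
        if used + cost > budget:
            return completed, "budget_exceeded"
        used += cost
        completed.append(name)
    return completed, "completed"


if __name__ == "__main__":
    creds = [sign_credential("router-ca", "element", "edge-router-7"),
             sign_credential("user-ca", "user", "alice")]
    print(authorize("read_counters", creds))   # execute
    print(authorize("install_filter", creds))  # deny
    forged = Credential("user-ca", "user", "netops", creds[1].mac)
    print(authorize("install_filter", [creds[0], forged]))  # restricted
```

The design point to notice is that a forged or unknown-issuer credential does not cause an error; it simply never enters the security context, so the packet falls through to the restricted path the page describes rather than gaining any identity it could not prove.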
Intrusion Blocking

The administrator then sends an intrusion blocker directly to the routers connected to vulnerable customer systems. The blocker looks for traffic that matches the attack signature directed at the vulnerable systems. By executing the blocker only on routers where it is necessary, and only to prevent specific threats to known vulnerable systems, the overall performance impact is reduced. When an attack is attempted, the blocker drops the offending traffic and no longer allows communication on that connection. This focus allows the blocker to be lightweight, while still allowing valid traffic.

The second intrusion blocker implementation uses the Active Signal Protocol (ASP) Execution Environment, a Java-based EE, also part of the Active Networks program. ASP was chosen because it offers more control over low-level network functions. The new blocker implementation uses adaptive migration, a technique to migrate the blocker based on dynamic network conditions, and also operates on the high-end Intel IXP 1200 network processor. The IXP represents next-generation high-speed network processing systems that could be used for programmable routers.

The second blocker adaptively migrates based on resource constraints. It can determine when the router where it is executing is under greater network or processing load. Under greater loads, it might not be able to monitor for potentially malicious traffic and still forward unmonitored traffic. When the blocker identifies a potential overload condition, it attempts to migrate to more powerful neighboring routers, such as an IXP 1200. Another example of adaptive migration would allow protection of a network whose router’s security policy does not allow the blocker. When a blocker fails to migrate to such a router, it could run on neighboring routers instead. The AN-IDR project is concluding by measuring the performance of the Mobile Intrusion Blocker on the ASP platform. This performance testing is intended to determine if the ASP EE is a viable platform and whether the intrusion blocker can perform sufficiently for real-world deployment.
Agent Based System

This section describes a preliminary agent based model we are developing for use in managing network defenses in an active manner. It combines an agent-based strategy for investigation and response with an updated version of the HUMMER collaborative intrusion detection system described in detail in [15] [16]. The original HUMMER system provides for gathering and distributing data across enterprise boundaries, allows for multiple “observation points” of intrusions, and can be used to manage intrusion response for both individual and aggregate sites.

Combined with this framework, we provide for multiple instances of specific-use intrusion detection agents. These agents are sent to network nodes, and may be used to monitor or seek out a specific network or host-based event, or sequences of such events.

We have developed simple instances of both tool and investigation agents, and are working towards a model of defensive agents. Agents are integrated with the collaborative IDS in order to provide them with a wider array of information to use in their response activities. This provides for adaptive defense, while still permitting agents to remain small, and without losing the advantages of a traditional, stationary IDS.

In combination with the agent system above, we are investigating a method for intelligently determining where network attacks are occurring, based on techniques outlined in [17]. These techniques will be used to aid investigation by permitting us to predict where to look for intrusions in progress. We divide the agents we dispatch into three categories: “tool agents”, “investigation agents”, and “defensive agents”.

Our tool agents are primarily used to manage data-gathering tools, and they are present primarily to allow roving investigators to perform independently of HUMMER (although not, of course, of the agent environment Tahiti). These agents examine log files or look at system features, and they have the advantages of being lightweight and of being activated only when needed for a specific purpose.

Investigation agents are in a sense the “brains” of the Magpie system. These agents control investigations of incidents of misuse; they may dispatch tool or defensive agents, or communicate with the HUMMER system to obtain data. The investigation agents can move between systems, which makes them harder for an attacker to eliminate (future implementations will allow for redundancy of investigation agents).

Defensive agents will be used to provide for system defenses. In the long term, defensive agents will be able to directly manage a host’s (or network’s) defensive posture. At present, our prototype is intended to be far more limited, and we will allow our defensive agents to work only by influencing HUMMER’s perceived level of threat, which HUMMER uses to modify network defenses.
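As an added example of the three agent roles just described (not code from the HUMMER or Magpie projects), the block below chains a tool agent that reads one host's log, an investigation agent that dispatches tool agents and correlates their findings across hosts, and a defensive agent that, as the page says the prototype does, acts only by raising the collaborative IDS's perceived threat level and signalling the blocker. The log lines, log format, detection threshold and threat scale are constructed for the example.

```python
"""Added example, not code from the HUMMER/Magpie project: a minimal tool ->
investigation -> defensive agent chain following the description above. Tool
agents pull records from one host each; the investigation agent correlates them
across hosts (the collaborative IDS's multiple observation points); the defensive
agent, as the page says the prototype does, acts only by raising the perceived
threat level and signalling the blocker. Log lines, the log format, the threshold
and the threat scale are constructed for the example."""
import re
from collections import Counter

# Constructed authentication log excerpts as collected on two monitored hosts.
HOST_LOGS = {
    "host-a": [
        "sshd: Failed password for root from 198.51.100.7 port 4021",
        "sshd: Failed password for root from 198.51.100.7 port 4022",
        "sshd: Failed password for admin from 198.51.100.7 port 4023",
        "sshd: Accepted publickey for deploy from 192.0.2.10 port 5100",
    ],
    "host-b": [
        "sshd: Failed password for root from 198.51.100.7 port 6001",
        "sshd: Failed password for guest from 203.0.113.44 port 6002",
        "sshd: Accepted publickey for deploy from 192.0.2.10 port 5101",
    ],
}

FAILED_LOGIN = re.compile(r"Failed password for \S+ from (\S+)")


def tool_agent(host):
    """Tool agent: lightweight, run only when asked; returns (host, source) for
    each failed login found in that host's log."""
    hits = []
    for line in HOST_LOGS[host]:
        m = FAILED_LOGIN.search(line)
        if m:
            hits.append((host, m.group(1)))
    return hits


def investigation_agent(hosts, threshold=3):
    """Investigation agent: dispatches tool agents and applies the detection
    policy (at least `threshold` failures from one source across all hosts)."""
    failures = Counter()
    seen_on = {}
    for host in hosts:
        for h, src in tool_agent(host):
            failures[src] += 1
            seen_on.setdefault(src, set()).add(h)
    return [{"source": src, "failures": n, "hosts": sorted(seen_on[src])}
            for src, n in sorted(failures.items()) if n >= threshold]


class DefensiveAgent:
    """Defensive agent: does not touch host defenses directly; it raises the
    collaborative IDS's perceived threat level and signals the blocker."""

    def __init__(self):
        self.threat_level = 0      # constructed scale 0 (calm) to 3 (active attack)
        self.block_signals = []    # sources the blocker is asked to cut off

    def respond(self, findings):
        for f in findings:
            # A source seen on several hosts is a spreading attack: raise more.
            step = 2 if len(f["hosts"]) > 1 else 1
            self.threat_level = min(3, self.threat_level + step)
            self.block_signals.append(f["source"])
        return self.threat_level


if __name__ == "__main__":
    findings = investigation_agent(["host-a", "host-b"])
    agent = DefensiveAgent()
    print(findings, agent.respond(findings), agent.block_signals)
```

Note that neither host alone crosses the threshold for the second source, and host-b alone does not cross it for the first; the detection only appears once the investigation agent combines the observation points, which is the advantage the collaborative IDS is meant to provide.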
Proposed System

In our proposed system, the management station provides a signature to the client. The client accesses data through its digital signature. The digital signature and credential information about the client are stored in a file on the server. The management station initiates the operation. The agent based system is used to collect information and to perform intrusion detection and response. Three types of agents are used in this system:

• Tool agent: collects relevant information and credential information.
• Investigation agent: detects the intrusion based on the detection policy.
• Defensive agent: sends a signal to the blocker when an intrusion is detected; otherwise it makes the connection to access the data.

The intrusion blocker detects a specific threat by inspecting only traffic for the vulnerable service. If it determines that an attack is being attempted, it blocks the attack and stops future traffic on the connection while allowing subsequent connections. The blocker recognizes the attack signature, drops the attack packet and sets the connection state to drop any remaining traffic. An alert is sent to the management station, which enables the administrator to see that an attack was attempted. SANTS is an active networks EE that provides authentication and authorization services based on digital certificates. SANTS provides strong end-to-end authentication to enable per-method authorization enforcement, and also provides key and certificate management services. The management station initiates the agent based system. When the system detects an intrusion, information about it is sent to the management station; when the intrusion is blocked, that information is also reported to the management station.
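The blocker behaviour described in the Intrusion Blocking section and again in the Proposed System above, as an added example that is not the AN-IDR blocker's code: it inspects only traffic for the vulnerable service on known vulnerable hosts, drops a packet whose payload matches the attack signature, sets connection state so the rest of that connection is dropped, leaves later connections alone, and alerts the management station. The adaptive migration decision from the Intrusion Blocking section (overloaded router, more capable neighbour, neighbour policy that may refuse the blocker) is modelled by choose_migration_target(). The packet layout, addresses, signature bytes, load thresholds and alert callback are all constructed for the example.

```python
"""Added example, not the AN-IDR blocker's code: a signature-scoped intrusion
blocker following the Intrusion Blocking and Proposed System sections. It
inspects only traffic for the vulnerable service on known vulnerable hosts,
drops a packet whose payload matches the attack signature, sets connection
state so the rest of that connection is dropped, leaves later connections
alone and alerts the management station. choose_migration_target() models the
adaptive migration decision (overload, neighbour capability, neighbour policy).
Packet layout, addresses, signature bytes, thresholds and the alert callback
are all constructed for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


class IntrusionBlocker:
    def __init__(self, vulnerable_hosts, service_port, signature, alert_sink):
        self.vulnerable_hosts = set(vulnerable_hosts)
        self.service_port = service_port
        self.signature = signature      # byte pattern taken from the advisory
        self.alert_sink = alert_sink    # callback towards the management station
        self.blocked = set()            # connection state: 4-tuples to drop

    def handle(self, pkt):
        """Per-packet verdict: 'forward' or 'drop'."""
        conn = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if conn in self.blocked:
            return "drop"               # remaining traffic on a blocked connection
        # Keep the blocker lightweight: look only at the vulnerable service.
        if pkt.dst not in self.vulnerable_hosts or pkt.dport != self.service_port:
            return "forward"
        if self.signature in pkt.payload:
            self.blocked.add(conn)
            self.alert_sink({"event": "attack_blocked", "src": pkt.src,
                             "dst": pkt.dst, "dport": pkt.dport})
            return "drop"
        return "forward"


def choose_migration_target(local_load, neighbors, overload=0.8):
    """Adaptive migration: stay put (None) unless the local router is
    overloaded; then move to the most capable neighbour that is itself not
    overloaded and whose security policy admits the blocker."""
    if local_load < overload:
        return None
    candidates = [n for n in neighbors
                  if n["allows_blocker"] and n["load"] < overload]
    if not candidates:
        return None                     # nowhere to go: keep running here
    return max(candidates, key=lambda n: n["capacity"])["name"]


def demo():
    """Constructed traffic: one connection attacks, then continues; a second
    connection from the same source is clean; a third targets a host that is
    not on the vulnerable list and is therefore outside the blocker's scope."""
    alerts = []
    blocker = IntrusionBlocker(["10.0.0.5"], 8080, b"EXPLOIT-MARKER", alerts.append)
    stream = [
        Packet("203.0.113.9", 40000, "10.0.0.5", 8080, b"GET /index.html"),
        Packet("203.0.113.9", 40000, "10.0.0.5", 8080, b"POST /cgi EXPLOIT-MARKER"),
        Packet("203.0.113.9", 40000, "10.0.0.5", 8080, b"GET /after-attack"),
        Packet("203.0.113.9", 40001, "10.0.0.5", 8080, b"GET /index.html"),
        Packet("203.0.113.9", 40002, "10.0.0.6", 8080, b"EXPLOIT-MARKER"),
    ]
    verdicts = [blocker.handle(p) for p in stream]
    return verdicts, alerts


if __name__ == "__main__":
    print(demo())
```

The last packet in demo() shows the cost of the narrow scope the page chooses: a host not on the vulnerable list is not inspected at all, so the list of vulnerable systems the administrator gives the blocker must be kept current for the protection to hold.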
