An Agent-Based Distributed Framework for Intrusion Detection Using Mobile Shared Memory

MOHAMMAD ALLAHBAKHSH, HAMID REZA MOTAHARI NEZHAD

Computer Department, Faculty of Engineering University of Zabol

Jahad Square , Zabol IRAN

Abstract: - Increasing reliance of society and companies on networked information systems has prompted interest in making these systems secure and dependable, so that they continue to perform their functions even in the presence of vulnerabilities that are open to malicious attack. To enable vulnerable systems to survive attacks, it is necessary to detect attacks and isolate the failures resulting from them before they damage the system. In this field of study the most important problems are:
• detecting in-progress attacks before they cause damage, instead of detecting attacks after they have succeeded,
• minimizing damage by isolating attacked components in real time, and
• tracing the origin of attacks.
We address the detection problem by real-time event monitoring and comparison against events known to be unacceptable. The presented framework is composed of several parts, each of which has a defined duty and is implemented using a specific method and technology. Using this framework, the security policy can be specified independently of the algorithm used to detect each type of intrusion. The framework is light-weight, dependable, fault tolerant and simple to implement, and it is built on intelligent agents and a new type of shared memory called mobile shared memory. These attributes differentiate the presented framework from other work.

Key-Words: - Mobile shared memory, Large-scale networks, Distributed systems, Management, Monitoring

Proceedings of the 6th WSEAS International Conference on Applied Informatics and Communications, Elounda, Greece, August 18-20, 2006 (pp214-219)

1 Introduction

The presented framework is composed of several parts, and every part uses a specific technology, such as intelligent agents or shared memory, to perform its functions. So we first take a glance at these concepts.

1.1 Overview of Agents

There is no standard definition of an agent to refer to, but we can say: a software agent is a program that performs some tasks for its user. In other words, an agent is a program with a special set of characteristics. Agents can be autonomous, interactive, adaptive, mobile, intelligent, etc.

1.2 Overview of Mobile Shared Memory (MSM)

One of the most important ways to transport data among the nodes of a distributed system is a shared memory. A shared memory is a specially structured memory to which all or some of the nodes have access and whose contents they can read and manipulate. The data stored on a node can be divided into two categories: exclusive and public data. Exclusive data must be protected against unauthorized access by another node or program. Public data can be used by other nodes according to a defined policy, and it is this data that is stored in a shared memory.

Shared memory is implemented in two ways: centralized or distributed. Distributed shared memory is a good solution to the limitations of a central memory: every node or group of nodes has access to one or more segments of the distributed memory. This mechanism is very powerful but also very complex. It is very difficult to manage this type of memory, especially to keep its data fresh and up-to-date throughout the life of the system; its implementation is difficult and needs a tightly coupled network.

Another approach, which we present here, is a shared memory that moves between nodes and gathers data in a defined manner. We call this type of shared memory "mobile shared memory (MSM)". It can be considered as a data structure that moves between nodes by way of programs called stubs. When a stub receives the structure it can read or update particular parts of it, according to the privileges defined for it. After performing the needed operations (read, update, ...) the MSM is passed to the next node in the network, as specified by the policy we define for data circulation. By this method we can propagate data through the network and also gather needed data from it. In this paper this type of shared memory is used for data transport between nodes.

2 Intrusion Detection

2.1 Overview

An intrusion is an attempt to break into or misuse a computer system or network. The security policy defines what is permitted and what is denied on a system; from the security policy, misuse can be defined. Intrusions can originate inside or outside a computer system. An inside intrusion happens when authorized users attempt to gain additional privileges they are not authorized for, or misuse the privileges given to them. An outside intrusion arises when attackers access the system from outside, e.g. from the Internet. Intrusion detection is the process of examining network traffic and activity for intrusions and raising alerts on the events so identified. Intrusion Detection Systems (IDS) are hardware or software that automate the process of monitoring and analyzing the events occurring in a computer system or network in order to detect violations of the security policy and raise an alarm to notify the responsible authority.
2.2 The Role of Intrusion Detection Systems

Intrusion detection allows its users to monitor their systems in order to detect dangers coming from network connections and the Internet. It is widely accepted that IDSs form a crucial component of every organization's security infrastructure. Some benefits of IDSs include:
• preventing problematic behaviour by increasing the probability that attackers are discovered during an attempted intrusion;
• detecting security violations or breaches of the organization's security policy that might otherwise go undetected by the other security measures in place;
• handling preambles to attack, such as network probes or "doorknob rattling" tactics;
• acting as quality control for security design and administration;
• documenting information about existing threats and providing statistical data that improve diagnosis and recovery, and so enable corrective action.

2.3 The Architecture of Intrusion Detection Systems

Figure 1: Common Intrusion Detection Framework

The DARPA Common Intrusion Detection Framework (CIDF) [3,5] defines a set of components that together make up an intrusion detection system (Figure 1): a monitoring system, event generators, a storage mechanism, an analysis engine and event countermeasures. Monitor components (sensors) are the sources of data for detection: keyboard input, command logs, application logs, network activity, host-based security logs, etc. The event component (E-box) collects data from the sensors and stores it in the storage component (S-box), either permanently for later reference or temporarily for processing. The analysis engine (A-box) runs the algorithms that find violations; these can be anomaly-based or signature-based intrusion detection algorithms. The analysis engine works from configuration data and reference data. The configuration data gives security staff the means to control the IDS: how and where to collect data, and how to respond to intrusions. The reference data stores known intrusion signatures and profiles of normal behaviour. The final component is the response component (R-box), which handles the output of the IDS either actively or passively. An active response is an automated reaction to a violation; a passive response consists of sending a notification to the appropriate staff. Since a passive response relies on human intervention, it cannot react at machine speed when an attack is automated, whereas an active response provides countermeasures that react to violations autonomously.

From a control point of view, IDSs are classified as centralized, semi-distributed or distributed [3,5]. The control architecture indicates how the elements of the IDS are controlled and how its input and output are managed. In a centralized approach, all monitoring (sensors), detection and response is controlled directly from a central location. In a semi-distributed approach, monitoring and detection are controlled from a local node, with hierarchical reporting to one or more central locations. In a distributed approach, monitoring and detection are performed by autonomous agents [4], and response decisions are made at the point of analysis.

3 MSM Framework

The architecture we propose relies on the concepts of MSM and intelligent agents. It is a framework composed of the several parts shown in figure 2.
The Data Collecting Segment (DCS), the main distributed part of the framework, contains the parts of the system that explore, sniff and inspect the nodes, and the data stored on or communicated by each node, in order to gather the data needed to detect attacks and other intrusions. These parts are in fact intelligent agents that run on each node and gather information by processing logs, sniffing traffic, monitoring ports, etc. For this reason, on each node we want to monitor we must install one application called the stub and some intelligent agents. These programs do the following:
• the agents are responsible for gathering information on the node, as described above;
• the stub is responsible for passing data through the network to the next node or to the DSS, for checking that the agents are alive, and for other fault-tolerance facilities.
We can also put some critical algorithms in the implementation of the intelligent agents so that they detect intrusions in time and prevent intruders from damaging the system.

Figure-2: the parts of the proposed framework (DCS, DSS and CMS)

In the DCS the important parts are the nodes that we should monitor. As said above, one stub and some agents are installed on every node (see figure 3). When a stub receives the MSM it makes the necessary changes to its contents, or reads the data it needs from it, and then passes the MSM on to the next node. But which is the next node? To specify the next node, and for the sake of flexibility, a module named 'find_next_node' is implemented in the stub of each node and helps the node find its next neighbour in the network. In the simplest case we arrange the nodes in a ring and this module selects the next node in ring order as the next neighbour of the current node. Alternatively, the module can select the next neighbour according to the state of the node, the state of the system, the data gathered on this node, the data received from previous nodes and other relevant parameters.

To keep the gathered data for the purpose of detecting intrusions, and sometimes to have a log of the system's operation, we must store it in a database. Moreover, the data must be fresh, because our decisions are made upon it, so we should pass gathered data to the server as soon as possible. If every node sent its data immediately and directly to the server, we would generate heavy traffic on the network and degrade system performance. The other choice is to pass the data to the server only after a complete round, which reduces the freshness of the data and the accuracy of our decisions. Now what can we do?


Suppose we have N nodes that are at risk and should be monitored. We recommend that after passing K nodes (K ≤ N) the MSM be passed to the DSS to store its data, and that an empty MSM then be passed to the next node (the next neighbour of the Kth node) to continue the operation. K is selected according to network characteristics such as bandwidth, number of nodes, network traffic, etc., so the value of K varies from system to system.

Figure-3: Structure of a node (the agents Agent1 ... Agentm and the stub Stubi, attached to the network connection)

Another function of the stub is to establish connections between the agents on one node and the agents on another node, so that they can exchange data and monitor the system more effectively. To establish a connection the stub checks the liveness and reachability of the other node and, in case of any problem, notifies the CMS so that the necessary operations can be performed to solve the problem. So from this point of view the system is fault-tolerant and has acceptable performance.

The structure of the MSM transferred between nodes depends on the parameters that should be monitored and the data that should be collected about each node in the DSS. We have defined a general structure for it, which can change according to the needs of the system. The structure is presented in figure 4. In this structure:
• Sender and Receiver are the addresses of the sender and receiver of the MSM. The type and size of the addresses depend on the protocol the network is built on (e.g. IP).
• Type specifies the type of MSM and can be 0 or 1. An MSM with type=0 is a regular MSM and carries data between nodes; with type=1 it is a configuration management message and carries no data, only configuration information. This field can be one bit in size.
• Data contains the data that should be passed. The size and structure of this field depend on the type of message and the characteristics of the system.
• CRC is a field for error control in the data transfer between nodes.
This structure is passed through the network and is the basic part of the system responsible for data delivery.

Fields of the MSM, in order: Sender | Receiver | Type | Data (continued as needed) | CRC

Figure-4: Structure of MSM

Another responsibility of the stub is to check that the agents on the node are running. If an agent dies, the stub detects it immediately and recovers from the error by starting another instance of the agent or by notifying the other agents to do extra work to compensate for the defect. A large number of fault-tolerance responsibilities can be defined for the stub for the sake of system reliability, availability and accuracy.

3.1 Data Storage Segment (DSS)

This part is responsible for data storage: all gathered data is stored in it. It can be centralized or distributed. The main parts of this segment are a DBMS and some programs that control connections to the DBMS, data manipulation and other necessary operations (see figure 5). One of the most important programs running in this segment acts as an interface between the stubs and the DBMS: it controls and monitors every operation that needs access to the data and guarantees that unauthorized access to the data is prevented. We call this program the DBI (Database Interface). The privileges each stub has are defined in the system, are DBMS-independent and depend on the system status. So we need the DBI, and the capability of the system is strongly tied to the capability of the DBI; much attention must be paid to designing a good DBI. The other very important element of this segment is the DBMS: selecting a powerful and reliable DBMS will increase the performance of the system.
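The following is an added example, not code from the paper, that puts the MSM frame of figure 4 and the K-node circulation of section 3 into working form. Its assumptions are: IPv4 addresses in the Sender and Receiver fields, a one-byte Type field (the paper allows one bit; a byte keeps the frame byte-aligned), a 16-bit Data length, a CRC-32 over header and data, a JSON object in Data that maps each node address to that node's record, and a stub whose only write privilege is its own slot. The ring, the DSS address and the gathered records are constructed for the example.

```python
"""Mobile shared memory (MSM) frame and K-node circulation (added example)."""
import ipaddress
import json
import struct
import zlib

HEADER = "!4s4sBH"            # sender, receiver, type, data length (assumed layout)
HEADER_LEN = struct.calcsize(HEADER)
TYPE_DATA, TYPE_CONFIG = 0, 1


def encode_msm(sender, receiver, mtype, data):
    """Serialize one MSM as header | data | CRC-32."""
    body = struct.pack(HEADER,
                       ipaddress.IPv4Address(sender).packed,
                       ipaddress.IPv4Address(receiver).packed,
                       mtype, len(data)) + data
    return body + struct.pack("!I", zlib.crc32(body) & 0xFFFFFFFF)


def decode_msm(frame):
    """Parse and CRC-check a frame; raise ValueError on any damage."""
    if len(frame) < HEADER_LEN + 4:
        raise ValueError("frame too short")
    body, (crc,) = frame[:-4], struct.unpack("!I", frame[-4:])
    if zlib.crc32(body) & 0xFFFFFFFF != crc:
        raise ValueError("CRC mismatch")
    sender, receiver, mtype, length = struct.unpack(HEADER, body[:HEADER_LEN])
    data = body[HEADER_LEN:]
    if len(data) != length or mtype not in (TYPE_DATA, TYPE_CONFIG):
        raise ValueError("bad length or type")
    return (str(ipaddress.IPv4Address(sender)),
            str(ipaddress.IPv4Address(receiver)), mtype, data)


def find_next_node(ring, current):
    """Simplest find_next_node: the successor in ring order."""
    return ring[(ring.index(current) + 1) % len(ring)]


def stub_update(contents, node, record):
    """A stub may write only its own slot; other slots pass through unchanged."""
    updated = dict(contents)
    updated[node] = record
    return updated


def circulate(ring, k, dss, gather, hops=None):
    """Pass the MSM around the ring. Every k hops the MSM is flushed to the
    DSS and an empty MSM continues from the next node. Returns the batches
    the DSS received."""
    hops = len(ring) if hops is None else hops
    batches = []
    current = ring[0]
    frame = encode_msm(dss, current, TYPE_DATA, b"{}")   # empty MSM from the DSS
    for hop in range(1, hops + 1):
        _, receiver, mtype, data = decode_msm(frame)      # the stub verifies the CRC
        if receiver != current or mtype != TYPE_DATA:
            raise ValueError("MSM delivered to the wrong stub")
        contents = stub_update(json.loads(data), current, gather(current))
        nxt = find_next_node(ring, current)
        if hop % k == 0:
            flushed = encode_msm(current, dss, TYPE_DATA, json.dumps(contents).encode())
            batches.append(json.loads(decode_msm(flushed)[3]))   # DSS stores the batch
            frame = encode_msm(dss, nxt, TYPE_DATA, b"{}")
        else:
            frame = encode_msm(current, nxt, TYPE_DATA, json.dumps(contents).encode())
        current = nxt
    return batches


def corruption_detected(frame, offset):
    """Flip one bit of a frame and report whether the receiver rejects it."""
    damaged = bytearray(frame)
    damaged[offset] ^= 0x01
    try:
        decode_msm(bytes(damaged))
    except ValueError:
        return True
    return False


# Constructed sample ring and records, not real measurements.
RING = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.5"]
DSS = "10.0.0.100"
SAMPLE = {n: {"failed_logins": i, "open_ports": [22, 80]} for i, n in enumerate(RING)}

if __name__ == "__main__":
    for batch in circulate(RING, k=2, dss=DSS, gather=SAMPLE.__getitem__):
        print(sorted(batch))
    frame = encode_msm(RING[0], RING[1], TYPE_DATA, b'{"x": 1}')
    print("corruption detected:", corruption_detected(frame, HEADER_LEN))
```

With five nodes and K=2 the DSS receives two batches of two nodes each during one round, and the fifth node's record waits for the next flush; raising K trades traffic for freshness exactly as the text describes. One caveat the CRC field does not cover: a CRC detects transmission errors only. Any stub holding the frame can rewrite another node's slot and recompute the CRC, so the per-slot write privileges above are enforced by the stubs' good behaviour, not by the frame; if a node may be compromised, each slot needs a per-node MAC or signature in addition to the CRC.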

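As an added example of the DBI described in section 3.1 (not code from the paper), the following puts a DBMS-independent privilege table in front of the database and checks every request against it before any SQL runs. It assumes an in-memory SQLite database standing in for the real DBMS, principals named stub-<node address> for stubs and cms-monitor / cms-control for the CMS units, and the rule that a stub may only record observations about its own node; the privilege table and requests are constructed for the example.

```python
"""Database Interface (DBI) with privilege checks in front of the DBMS (added example)."""
import sqlite3

# DBMS-independent privilege table (constructed): principal -> table -> allowed ops.
PRIVILEGES = {
    "stub-10.0.0.1": {"observations": {"insert"}},
    "stub-10.0.0.2": {"observations": {"insert"}},
    "cms-monitor":   {"observations": {"select"}},
    "cms-control":   {"observations": {"select"}, "config": {"select", "update"}},
}


class DBI:
    def __init__(self, privileges):
        self.priv = privileges
        self.audit = []                              # (principal, table, op, verdict)
        self.conn = sqlite3.connect(":memory:")      # stands in for the real DBMS
        self.conn.executescript("""
            CREATE TABLE observations (node TEXT, ts INTEGER, key TEXT, value TEXT);
            CREATE TABLE config (name TEXT PRIMARY KEY, value TEXT);
            INSERT INTO config VALUES ('k', '2');
        """)

    def _authorize(self, principal, table, op):
        """Deny by default: only ops listed for this principal and table pass."""
        allowed = op in self.priv.get(principal, {}).get(table, set())
        self.audit.append((principal, table, op, "allow" if allowed else "deny"))
        if not allowed:
            raise PermissionError(f"{principal}: {op} on {table} denied")

    def insert_observation(self, principal, node, ts, key, value):
        self._authorize(principal, "observations", "insert")
        if principal != f"stub-{node}":              # a stub reports only on itself
            self.audit.append((principal, "observations", "insert", "deny-foreign-node"))
            raise PermissionError(f"{principal} may not report on {node}")
        # Parameterized statement: node/key/value are bound, never spliced into SQL.
        self.conn.execute("INSERT INTO observations VALUES (?, ?, ?, ?)",
                          (node, ts, key, value))
        self.conn.commit()

    def select_observations(self, principal, node):
        self._authorize(principal, "observations", "select")
        cur = self.conn.execute(
            "SELECT ts, key, value FROM observations WHERE node = ? ORDER BY ts", (node,))
        return cur.fetchall()

    def update_config(self, principal, name, value):
        self._authorize(principal, "config", "update")
        self.conn.execute("UPDATE config SET value = ? WHERE name = ?", (value, name))
        self.conn.commit()
        return self.conn.execute("SELECT value FROM config WHERE name = ?", (name,)).fetchone()[0]


def attempt(fn, *args):
    """Run a DBI call and report ('ok', result) or ('denied', reason)."""
    try:
        return "ok", fn(*args)
    except PermissionError as exc:
        return "denied", str(exc)


def demo():
    """Exercise the DBI with constructed stub and CMS requests."""
    dbi = DBI(PRIVILEGES)
    results = {
        "own_node":  attempt(dbi.insert_observation, "stub-10.0.0.1", "10.0.0.1", 1, "failed_logins", "4"),
        "foreign":   attempt(dbi.insert_observation, "stub-10.0.0.1", "10.0.0.2", 2, "failed_logins", "0"),
        "stub_read": attempt(dbi.select_observations, "stub-10.0.0.1", "10.0.0.1"),
        "cms_read":  attempt(dbi.select_observations, "cms-monitor", "10.0.0.1"),
        # a hostile node string is only a bound value, so it matches no rows
        "injected":  attempt(dbi.select_observations, "cms-monitor", "x' OR '1'='1"),
        "cms_cfg":   attempt(dbi.update_config, "cms-control", "k", "3"),
        "mu_cfg":    attempt(dbi.update_config, "cms-monitor", "k", "9"),
    }
    return results, dbi.audit


if __name__ == "__main__":
    results, audit = demo()
    for name, outcome in results.items():
        print(f"{name:10s} {outcome}")
    print(len(audit), "audit records")
```

Two points carry over to a real DBI: the privilege table is consulted before the DBMS sees the statement, so the stubs' rights can change with system status without touching database grants, and every statement is parameterized, so the data a stub hands in (which an intruder on that node may control) cannot alter the query.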

Figure-5: Structure of DSS (the stubs connect to the DBI, which fronts the DBMS)

3.2 Control/Monitor Segment (CMS)

This segment consists of two sub-segments.

3.2.1 Monitor Unit (MU): This unit performs the monitoring actions on the system. It interprets the raw data gathered from the system and stored in the database of the DSS, and extracts the needed or important information from it. If it determines that the system or one of its components is in, or is about to enter, a special state (some states are defined in the system as special states; when the system enters one of them it means the system is at risk or in a state that deserves more attention), it notifies the control unit to perform the operations the new state of the system requires.

3.2.2 Control Unit (CU): This unit controls the configuration of the system (hardware and software), the behaviour of the system components, the overall behaviour of the system, users' access to system resources, and every management action performed in the system. The CU does this by changing system parameters, changing the system status, starting programs or services, stopping services or programs, etc. All of these operations are done to guarantee that effective, reliable and powerful control is applied to the system.

The CMS is the main component managing the system, but the most important topic in the CMS, which deserves the most attention, is the cooperation of the CU and the MU. Even if the CU and MU are very powerful and well defined, if a good relation between them is not defined we cannot obtain the real performance of the system and are not able to monitor and control it in an acceptable way (see figure 6).

Figure-6: CMS architecture (the user interface sits above the MU and CU, which work on the data in the DSS)

In addition, another part of the fault-tolerance facilities of the system is defined and implemented in this segment. We cannot state explicitly which facilities should be implemented here, but if we want to make the system fault-tolerant (especially tolerant of software faults) the CMS is a very good place to do so, because the configuration and the behaviour of the system are controlled and defined in this segment. As figure 6 shows, the other part of the CMS is the user interface (UI). The UI is also very important, and should be designed and implemented in a standard, simple but effective and powerful form, so that all facilities and benefits of the system are accessible in a simple way. The user interface can be text-based or graphical; we strongly recommend a graphical interface because it can show more information than a text-mode one. The UI communicates with the CU and MU and, according to user requests, displays the specified data as charts, tables, etc. Here we also have an access control mechanism for resources: each user has his own rights and so has access to a specific set of facilities and data. It is necessary to implement a mechanism that performs these controls and protects the system from unauthorized access.
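The cooperation of the MU and CU in section 3.2 is the A-box/R-box pair of the CIDF model in section 2.3: the MU derives special states from stored data and reference data, and the CU responds actively or passively as the configuration data dictates. The following is an added example, not code from the paper, of that loop. It assumes DSS rows of the form (node, key, value), a per-node profile of normal open ports and expected agent count as reference data, a failed-login threshold and an active/passive switch as configuration data, and invented special-state names; the rows are constructed.

```python
"""Monitor Unit / Control Unit cooperation over stored observations (added example)."""
from collections import defaultdict

# Reference data (profiles of normal behaviour), constructed for the example.
PROFILE = {
    "10.0.0.1": {"ports": {22, 80}, "agents": 3},
    "10.0.0.2": {"ports": {22}, "agents": 2},
}
# Configuration data set by security staff.
CONFIG = {"failed_login_threshold": 5, "active_response": True}


def rows_by_node(rows):
    """S-box view: fold flat (node, key, value) rows into one dict per node."""
    state = defaultdict(dict)
    for node, key, value in rows:
        state[node][key] = value
    return state


def monitor(rows, profile=PROFILE, config=CONFIG):
    """MU: derive special states from raw data plus reference data.
    Returns (node, state, detail) triples in node order."""
    states = []
    for node, obs in sorted(rows_by_node(rows).items()):
        ref = profile.get(node)
        if ref is None:                              # no profile: nothing to compare against
            states.append((node, "unknown-node", {}))
            continue
        if obs.get("failed_logins", 0) >= config["failed_login_threshold"]:
            states.append((node, "brute-force", {"count": obs["failed_logins"]}))
        extra = set(obs.get("open_ports", [])) - ref["ports"]
        if extra:                                    # anomaly against the port profile
            states.append((node, "unexpected-port", {"ports": sorted(extra)}))
        if obs.get("agents_alive", ref["agents"]) < ref["agents"]:
            states.append((node, "agent-down", {"alive": obs["agents_alive"]}))
    return states


def control(states, config=CONFIG):
    """CU: map each special state to an action. In passive mode, or for a
    state with no automated countermeasure, staff are notified instead."""
    active = {
        "brute-force": "isolate-node",
        "unexpected-port": "isolate-node",
        "agent-down": "restart-agents",
    }
    actions = []
    for node, state, detail in states:
        if config["active_response"] and state in active:
            actions.append((node, active[state], detail))
        else:
            actions.append((node, "notify-staff", {"state": state, **detail}))
    return actions


# Constructed DSS rows, in the shape the DBI would return them.
SAMPLE_ROWS = [
    ("10.0.0.1", "failed_logins", 7),
    ("10.0.0.1", "open_ports", [22, 80]),
    ("10.0.0.1", "agents_alive", 3),
    ("10.0.0.2", "failed_logins", 1),
    ("10.0.0.2", "open_ports", [22, 4444]),
    ("10.0.0.2", "agents_alive", 1),
    ("10.0.0.9", "failed_logins", 0),
]


def run(rows=SAMPLE_ROWS, config=CONFIG):
    """One MU pass followed by the CU's decisions."""
    states = monitor(rows, config=config)
    return states, control(states, config=config)


if __name__ == "__main__":
    for state, action in zip(*run()):
        print(state, "->", action[1])
```

Running it on the constructed rows yields a brute-force state on the first node, an unexpected port and a dead agent on the second, and an unknown node with no profile; in active mode the CU isolates the first two nodes and restarts the agents, while the unknown node can only be reported to staff. Flipping active_response to False turns every action into a notification, which is the passive mode the CIDF discussion warns cannot keep up with an automated attack.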

4 Conclusions

In this paper we have proposed a new framework for intrusion detection. It relies on intelligent agents and a new concept called mobile shared memory. As shown above, this method has characteristics such as reliability, dependability, predictability and fault tolerance that are necessary for an intrusion detection framework. Simplicity and platform independence are further factors that distinguish it from other frameworks. Instead of mobile agents, this framework uses static agents that pass a mobile shared memory to each other. This reduces the overhead of the system and puts less traffic on the network, because only data is passed instead of the code and data of a mobile agent.

The framework also has some limitations. Normally the number of nodes in a network that should be monitored is small, and the system is suitable for that case, but when the number of nodes grows some problems may arise: the freshness of the data may decrease, and with it the accuracy of the system, and it becomes difficult to give an optimal algorithm for finding the next node or to specify an optimal value for K. We are working on these limitations and the solutions obtained will be presented in future work. We have also done some work on developing an intrusion detection system using this method, which will be presented in forthcoming papers.

References:

[1] M. Allahbakhsh, "Agent Based Management of Distributed Systems", elecit2004, Mashhad, Iran.

[2] M. Naghibzadeh, M. Allahbakhsh, "The RDM Protocol for Dependable Message-Passing in Distributed Real-Time Systems", IST2003, Isfahan, Iran.

[3] S. Staniford-Chen, "Common Intrusion Detection Framework", http://www.isi.edu/gost/cidf/

[4] A. Sahi, C. Morin, "Towards distributed and dynamic network management".

[5] Xiaoning Wang, Fernando C. Colon Osorio, "A survey of Intrusion Detection System vulnerabilities and the attack approaches", Technical Reports in the Department of Computer Science, Worcester Polytechnic Institute, USA, June 2003.

[6] S. Franklin, A. Graesser, "Is it an Agent, or just a Program?: A Taxonomy for Autonomous Agents", Proceedings of the Third International Workshop on Agent Theories, Architectures, and Languages, Springer-Verlag, 1996.

[7] Mahmoud Naghibzadeh, "Round Data Mailer Message", 2002 IEEE International Conference on Systems, Man and Cybernetics, Oct. 6-9, 2002, Hammamet, Tunisia.

[8] J.-P. Martin-Flatin, S. Znaty, J.-P. Hubaux, "A Survey of Distributed Enterprise Network and Systems Management Paradigms", Journal of Network and Systems Management, 7(1):9-26, 1999.

[9] K. Meyer, M. Erlinger, J. Betser, C. Sunshine, "Decentralizing Control and Intelligence in Network Management", in Proceedings of the 4th International Symposium on Integrated Network Management, Santa Barbara, CA, May 1995.

[10] Thomas H. Ptacek, Timothy N. Newsham, "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection", January 1998.
