A Multi-Agent Architecture for Intrusion Detection
6th Int. Conf. on Knowledge-Based Intelligent Information & Engineering Systems (KES 2002), Podere d'Ombriano, Crema, Italy. Amparo Alonso Betanzos, Bertha Guijarro Berdiñas, Juan A. Suárez Romero. A Multi-Agent Architecture for Intrusion Detection. Laboratory for Research and Development in Artificial Intelligence, Department of Computer Science, Faculty of Informatics, University of A Coruña, Spain.
Thank you for your attendance!
Editor's notes
Thank you very much. I'm going to present here the design lines of a multi-agent architecture for intrusion detection.
Firstly, what is intrusion detection? It is the task performed in order to discover individuals who either use a system without authorization or misuse a system. So an intrusion detection system should include the following desired features. First, it should be fault tolerant, in the sense that if some elements fail the system should continue to function more or less correctly. Second, it should resist the attacks performed by an intruder. And last, it should be adaptable and configurable. One of the best choices to accomplish these features is the use of agents.
The first system that used agents in order to detect intrusions was AAFID (Autonomous Agents for Intrusion Detection), developed by Purdue University. We can see in this slide its architecture. In each machine we have several agents that collect information, either directly from the machine or from a filter. Each agent sends its collected information to a transceiver, which consolidates this information and sends it to a monitor. The monitors perform the intrusion detection, and they can be structured hierarchically. Finally, the top-level monitor sends its results to the user interface, through which the user interacts with the system. The main drawback of AAFID is its rigid architecture.
First, the information flows in a rigid manner: agents send their information to a transceiver, this transceiver to a monitor, this monitor to other monitors, and so on, until the results reach the user interface.
So there are nodes in the architecture that are more critical than others. For example, if this monitor fails, all the elements beyond this monitor also fail, because the information flow is broken.
In order to avoid these problems, we propose the design lines of a more flexible architecture that is mainly based on AAFID. It uses agents too, and it includes the functionality of AAFID's agents. It also extends AAFID by including new types of agents that perform different tasks and, what is important, by using dynamic relationships, so that the agents, in principle, can relate to any other agent: they choose their partners in order to accomplish their goals. But this implies the need for more knowledge to be included in our system.
The knowledge in our proposal is of two types. First we have the domain knowledge, the knowledge that the agents use in order to do their tasks. Each agent would use a different type of domain knowledge depending on its goals. Though in AAFID agents could use domain knowledge, actually only monitors use it; in our proposal all agents would use domain knowledge. Second we have the social knowledge. In our proposal the agents collaborate among themselves through dynamic relationships. To establish these relationships they need to know which agents to communicate with and how to set up the relations: this knowledge is the social knowledge. This communication is performed using an Agent Communication Language.
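The dynamic relationships and social knowledge just described, as an added Python sketch that is not the authors' code: a directory models the social knowledge (which agents exist and what information each provides), and a detection agent binds to any live information agent and rebinds when its partner fails, so the loss of one node does not break the information flow as it does in the rigid chain. The agent names, the event format and the failed-login rule are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample events in the standard format the information agents emit.
AUTH_EVENTS = [
    {"src": "10.0.0.5", "user": "root", "result": "fail"},
    {"src": "10.0.0.5", "user": "root", "result": "fail"},
    {"src": "10.0.0.9", "user": "alice", "result": "ok"},
]
@dataclass
class InformationAgent:
    name: str
    kind: str            # what it provides, e.g. "auth-log" (assumed kind)
    events: list
    alive: bool = True
    def collect(self):
        if not self.alive:
            raise ConnectionError(f"{self.name} is down")
        return list(self.events)
@dataclass
class Directory:         # social knowledge: which agents exist and what each provides
    agents: list = field(default_factory=list)
    def providers(self, kind):
        return [a for a in self.agents if a.kind == kind and a.alive]
@dataclass
class DetectionAgent:
    directory: Directory
    partner: Optional[InformationAgent] = None
    def _bind(self, kind):
        live = self.directory.providers(kind)
        if not live:
            raise RuntimeError(f"no live provider of {kind}")
        self.partner = live[0]   # dynamic relationship: any live partner will do
    def failed_logins(self, kind="auth-log", threshold=2):
        # Domain knowledge (assumed rule): flag sources with >= threshold failed logins.
        if self.partner is None or not self.partner.alive:
            self._bind(kind)     # rebind instead of letting the flow break
        counts = {}
        for ev in self.partner.collect():
            if ev["result"] == "fail":
                counts[ev["src"]] = counts.get(ev["src"], 0) + 1
        return {src: n for src, n in counts.items() if n >= threshold}
def demo(primary_fails):
    # Two information agents supply the same kind of data; detection keeps
    # working when the first one fails because the detector rebinds.
    a = InformationAgent("info-host1", "auth-log", AUTH_EVENTS)
    b = InformationAgent("info-host2", "auth-log", AUTH_EVENTS)
    det = DetectionAgent(Directory([a, b]))
    first = det.failed_logins()
    a.alive = not primary_fails
    second = det.failed_logins()
    return det.partner.name, first, second
```

In an AAFID-style fixed chain the second call would simply return nothing once its only upstream node is down; here `demo(True)` reports the same finding through the second partner.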
We can see here our proposed architecture, in which there is no predetermined flow of information. As we said, there are some agents that we can also find in AAFID, and other types of agents that are new. Let's see each type of them.
First we have the information agents, which are also present in AAFID.
The information agents provide information to our system from several sources (logs, connections, and so on) and in a standard format. So the information agents isolate the protected hardware and software from our system, making portability easier. Due to the different tasks in our system, there are different needs for information. Thus information agents would form dynamic groups in order to satisfy these different needs. For instance, we could have two information agents that provide two different types of information; a third agent could provide a higher level of information by summing up the information supplied by the other two agents. This is similar to transceivers and agents in AAFID.
Next we have prevention agents,
which preclude or severely handicap the likelihood of a particular intrusion's success. This kind of agent doesn't exist in AAFID. Today, prevention is the most deployed aspect of security in organizations: there are firewalls, cryptography, and so on. So our idea is to integrate these readily available elements in our architecture. This is done by encapsulating them in prevention agents.
We also have detection agents, which correspond to the monitors in AAFID.
These agents try to find attempted intrusions or successful intrusions. Our proposal is to have a population of detection agents using different detection techniques. As we can notice in the background, the detection agents can establish groups among themselves. These groups have two distinct goals. Firstly, they can make a hierarchical structure so that they monitor different levels of the protected system. For instance, we could have a network formed by several machines. Each machine could have one or more detection agents that are in charge of finding intrusions related to that machine. Now a group could be formed in which a top-level agent would try to find intrusions related to the whole network. This kind of goal is the same as in AAFID. Second, they could form a group in order to obtain a more complex detection technique by combining two or more simpler techniques.
Another type of agent is the response agent, which is not present in AAFID.
They deal with the detected intrusions. As for the detection agents, our proposal is to have a population of agents that implement several response policies.
Another new type of agent is the evidence-search agent.
The evidence-search agents collect evidence regarding an intrusion for use in a court. Of course, to collect this evidence it is necessary to know what kind of evidence is valid and in what manner the agent needs to obtain it. Here there are two problems. First, legal problems, such as the privacy of the obtained data and the different legislation in different countries. The second problem is the conflict with response agents. When a detection agent finds an intrusion, evidence-search agents try to collect more and more evidence related to this intrusion. But at the same time, response agents try to cut off the intrusion, which implies that perhaps the evidence-search agents don't get a sufficient amount of evidence. This problem is a typical one in which the collaboration of the two types of agents is needed.
We also propose the use of interface agents.
In AAFID there is a user interface, but in our proposal there are several agents that act as the interface between the system and the users. Here we must understand users as humans or as other systems. For example, a user could be a more complex system in which our intrusion detection system should be integrated in order to manage it. So the interface agents act as representatives of the users, and the system sees the users as agents. Thus the interface agents could integrate learning algorithms to learn from the users in order to anticipate their needs, and even to incorporate new knowledge from the users into the system.
Finally we have special agents,
which perform several tasks like the maintenance of the system, or provide several services to other agents.
As conclusions we can say that intrusion detection is a challenging research field that attracts more and more attention from the security community. We have seen AAFID, the first intrusion detection system that employs agents. Its main drawback is the rigidity of its architecture, due mainly to the rigid communication flow. In order to solve this problem, we have presented here the design lines of a new architecture based on AAFID which incorporates seven classes of agents. These agents are highly autonomous and they collaborate among themselves in a dynamic manner using both domain knowledge and social knowledge. At present we are working on the implementation of the detection agents.