
Proceedings of National Conference on Challenges & Opportunities in Information Technology (COIT-2007) RIMT-IET, Mandi Gobindgarh. March 23, 2007.

Distributed Intrusion Detection using Aglet Mobile Agent Technology


Manmeet Singh (1), S. S. Sodhi (2)
(1) Student, M. Tech (IT), USIT, GGSIP University, Delhi, manmeetg22@hotmail.com
(2) Lecturer, School of Information Technology, GGSIP University, Delhi, sartajsodhi@yahoo.com

Abstract

Network applications can now be found everywhere because of the widespread proliferation of Internet connections. This has made computer networks more vulnerable to intrusion than ever before, so network security has become critical, and an Intrusion Detection System (IDS) should be adopted. An IDS based on Mobile Agents uses a set of software entities, called Mobile Agents (MAs), that can move from one node of a network to another. Such a distributed IDS consists of multiple mobile agents that cooperate over a large network and communicate with each other, or with a central server, to provide advanced network monitoring, incident analysis and prompt attack data. As a whole this reduces network bandwidth usage, by moving the analysis computation to the location of the intrusion data, and supports heterogeneous platforms, which gives far more flexibility in building an IDS than the traditional centralised approach. In this regard, a model of an MA-based IDS built on the Aglet framework is suggested.

Keywords: Intrusion detection, Mobile Agent, Aglet

1. INTRODUCTION

Computer networks connected to the Internet are always exposed to many kinds of cyber crime. An Internet user with malicious intent can access, modify or delete sensitive information held on other computers, or make some computer services unavailable to other users. The infrastructure of current computer networks is so large and complex that it is almost impossible to secure such networks completely. Among all security issues, intrusion is the most critical and widespread. An intrusion can be defined as an attempt to compromise, or otherwise cause harm to, a network; intrusion detection is the act of detecting unauthorized and malicious access to one or more computers. In addition to identifying attacks, an IDS can be used to identify security vulnerabilities and weaknesses, enforce security policies and support further system auditing through the logs and alerts produced by its output component. An IDS is therefore needed to detect and respond effectively whenever the confidentiality, integrity or availability of computer resources is under attack [1].

Most current IDSs use centralized Intrusion Detection (ID) models made of individual host and network monitors together with a centralized controller component [2]. The individual monitors send intrusion data to the centralized controller, which analyzes the information it receives from each monitor. Some of the issues with these centralized ID models are:
- Adding new hosts increases the load on the centralized controller significantly, so the IDS does not scale.
- Communication with the central component can overload parts of the network.
- Some of these IDSs contain platform-specific components.

An IDS implemented with mobile agents is one of the new paradigms for intrusion detection. MAs are software agents with the capability to move from one host to another. Mobile agents offer unique features that can improve the way an IDS is designed, developed and deployed in a network. In this paper we first present the basics of mobile agents and their development frameworks. Secondly, we list the advantages of an MA-based IDS. In the third section we present related work in the domain of mobile-agent-based IDS. Finally, we give the architecture of our model of an MA-based IDS. All components of our model use the Java-based Aglet platform, making it platform independent and operable in heterogeneous environments.

2. MOBILE AGENTS AND THEIR DEVELOPMENT FRAMEWORKS

A software agent can be treated as a Mobile Agent if it is able to migrate from one computer to another. Even if the host machine that launched the agent is removed from the network, the agent can still work; mobile agents are thus powerful programs that can act even in the absence of the machine that initiated them. After completing their assigned tasks, the mobile agents return to the home machine to report the result, or simply terminate.


Useful characteristics of mobile agents are [3]:
Autonomy: agents are independently running entities; ideally they operate without human control.
Mobility: agents are able to suspend processing on one platform and move to another, where they resume execution.
Rationality: agents embody the capacity to analyze and solve a problem in a rational manner.
Reactivity: agents perceive their environment and adapt their behavior dynamically, as soon as possible, to new environment parameters.
Inferential capability: agents are able to share a body of knowledge in order to achieve a specific goal.
Pro-activeness: agents can decide to adapt their behavior to their environment.
Social ability: agents are able to meet and interact with other agents. Interaction and collaboration between agents is achieved through an agent communication language (ACL) and may depend on an ontology.

The well-known mobile agent development frameworks are [15]:
Aglets          IBM Tokyo Research Lab
Voyager         ObjectSpace (Recursion Software)
Concordia       Mitsubishi
Jumping Beans   Ad Astra Engineering
Messengers      University of Geneva
Obliq           DEC Research (Compaq)
Odyssey         General Magic
Tacoma          University of Tromsø / Cornell University
Ara             University of Kaiserslautern
D'Agents        Dartmouth University

3. MOBILE AGENT BASED IDS

The main aim of employing mobile agents is to overcome some of the problems encountered by current IDSs. The most important requirement [11] is that an IDS should run continuously with minimal human interaction. It must also withstand crashes, whether intentional or accidental, and constantly monitor for malicious modification of itself. One of the most desired features of an IDS is that it put little overhead on the machine it runs on. Finally, it should be adaptable to changes in the system. Considering that networks grow day by day, the IDS must scale to monitor very large networks without compromising timely results. Other desirable characteristics include the capability to keep monitoring the network even when some machines of the IDS fail, provision for runtime configuration, end-to-end encryption and high-speed communication. IDSs that do not employ mobile agents, however, have the following drawbacks:

Central Controller: Most IDSs use a central controller in which all control rests. This central controller is a single point of failure: an intruder who discovers it by some means can try to crash it.
Custom Made: Some IDSs are developed to overcome a particular present situation and might not scale well to large networks. Some process the entire data at a single point, which limits the size of the network that can be monitored.
Reconfiguration Problems: Some IDSs do not allow the system to be reconfigured at run time. Where it is possible, it involves the tedious task of editing a configuration file, which requires special knowledge, and sometimes the IDS has to be restarted for the changes to take effect.
High False Positive Rate: The rate of false alarms in current IDSs is high, because they detect attacks based on the information from a single host or a single application.

Hence the deficiencies of centralized intrusion detection systems lead to the idea of an MA-based IDS. In an agent-based IDS there is no central station and therefore no central point of failure; in addition, since agents behave independently, there is no hierarchy between them. A centralized ID approach is not scalable, because under heavy network load the system suffers from the limited capacity of the central analyzer, and reconfiguration of sensors is usually difficult. Agents are autonomous software that can act independently of other agents and perform different tasks. In order to use mobile agents, every host in the network must have an agent platform installed on which the agents execute.

3.1 Advantages of using Mobile Agents in Intrusion Detection

Several advantages of mobile agents are listed in the literature [2][4][5]. Some of them are:

Delay caused by networks: When a hierarchical IDS is used, the response to an attack is slow, because the central controller has to send the information about the attack, and the response to be taken, to the affected host through the network. This does not always result in an immediate response, as the time taken for the information to reach the destination host may be too long; a traditional hierarchical IDS may therefore fail to detect attacks on time. If mobile agents are used, they can respond faster, as they are dispatched directly from the central controller to the target host.
Minimizing network traffic: Traditional IDSs employ different data collection mechanisms at the host and network level, and the collected data is later used to track intrusions. The collected data is generally very large, and to detect an intrusion the data from different hosts must be collected and processed by the central controller. This increases the network traffic and creates an overhead on the network. By employing mobile agents the load on the network can be reduced, as the agents employ efficient search mechanisms at the data source, thereby reducing the need to ship data between hosts.
Persistency: As mobile agents operate autonomously and asynchronously, they are not affected if the machine that launched them fails. This is an added advantage of employing mobile agents in an IDS: in a centralized system, when the central controller fails the entire IDS is considered down, as there is no communication among the other hosts.
Structure and Platform Independence: Mobile agents give an IDS a flexible structure. For example, one agent can be designated to collect data in the network, another to detect and report anomalies, and the rest to take appropriate action. Mobile agents from different vendors can be combined to build an IDS, and it is possible to write our own mobile code fitted to the existing environment.
Dynamic Nature: Mobile agents can be moved around the network, which makes it possible to reconfigure the system at runtime. Mobile agents can be cloned, dispatched or put to sleep when the network configuration has to be changed, and they can sense their execution environment and adapt dynamically to the situation.
Heterogeneous Environment: Mobile agents are interoperable across multiple platforms because of the virtual-machine interpreter installed on each host. Mobile agents are generally computer- and transport-layer-independent and depend only on the execution environment, so they can be used on several different platforms without compatibility problems.
Robust in Nature: Even if one of the agents fails, the other agents in the IDS can take over the tasks of the failed agent and continue the detection.
This robust behavior makes mobile agents all the more applicable in large environments, where several agents and their interaction are needed for proper monitoring of the network.
Scalability: With a distributed mobile-agent IDS, however large the network grows it can be handled easily: agents can clone and distribute themselves to new machines as they are added to the network.

3.2 Drawbacks of using mobile agents

1. The main problem with mobile agents is security. Mobile agents require administrative rights, since they initiate a response when an intrusion is identified, and if a mobile agent is granted all permissions on the host it operates on, an intruder can easily introduce a virus through it. These security problems are the main hindrance to the wider growth of mobile-agent technology. Some preliminary measures can alleviate them, such as limiting access to important resources and applying cryptographic methods to the exchange of information.

2. Another potential problem arises when a mobile agent carries private data of a user, such as credit card details; some hosts might try to extract that private information from the agents.
3. Given the rate at which network attacks are increasing, an IDS is obliged to detect attacks immediately and report them at once. Accomplishing this with mobile agents reduces the performance of the entire network.
4. A further disadvantage arises when the code size of the IDS is large: whenever the mobile agent moves round the network the entire code has to be moved with it, which slows the network.

4. RELATED WORK

Much research has been conducted on applying mobile agents to intrusion detection systems. Most of it describes the drawbacks of traditional intrusion detection systems (those that do not employ agent technology) and highlights the advantages obtained with mobile agents. Some of these intrusion detection systems are:

The Cooperating Security Managers (CSM) [6] is a distributed IDS with a decentralized architecture consisting of security managers installed on every monitored host, which coordinate with other managers to detect distributed attacks. On a large network every attack requires coordination among a large number of managers, so scalability can be an issue.

The Autonomous Agents For Intrusion Detection (AAFID) project [14] proposes a hierarchical architecture for building IDSs. At the lowest level are agents that perform data collection and analysis; agents, transceivers and monitors are the major components of the IDS. Each host has agents performing the monitoring activity and reporting any abnormality to a transceiver. Transceivers control these agents and report their results to monitors, which then perform high-level correlation across several hosts and thus over the entire network. The paper also discusses the importance of the communication mechanism among the network entities, making sure that the network is not overloaded. The AAFID architecture collects data from several sources and allows IDSs to be built that are more capable of detecting intrusions than centralized systems.

The work described in [7] uses four components: a Manager, an Assist MA, a Response MA and a Host Monitoring Agent. Every monitored host in the network is installed with a host monitoring agent to implement intrusion detection. The Manager dispatches mobile agents and analyzes the gathered data. It maintains an access list for each suspicious access; when the agent surveying that suspicious access returns, the gathered information is added to its access list. If the suspicion level of the access exceeds the threshold, the access is treated as an intrusion and the corresponding actions are executed; otherwise, once the list has been idle for too long, it is removed. The mobile agents in [7] are of two types, patrolling and fixed; the patrolling agents are similar to our roaming agents, which collect intrusion-related data from the monitored hosts. This model uses the Gypsy platform [12] for development of the IDS.

One of the most recent works, DIDMA [8], also has four components: Static Agent (SA), MA Dispatcher (MAD), Mobile Agent (MA) and Alerting Agent. DIDMA is very similar to the approach of [7] in that it uses two types of agent, static and mobile, with the only difference that the MA of DIDMA does not just collect intrusion-related data from monitored hosts but also aggregates and correlates it with the data received from previous hosts. The MA therefore performs the functions of both manager and patrolling agent, and so reduces the load on the central component through decentralized data analysis. The mobile agents of DIDMA use the Voyager platform [13], which offers secure sockets for encrypted transmission of agents and Java sandbox-type security, and runs on a secure platform.

5. OUR MODEL ARCHITECTURE

Here we present a model that is very similar to those discussed in [7][8], as it also has a roaming agent that moves from host to host to collect data. In contrast to those models, ours does not use a stationary or static agent; instead the roaming agent moves to predefined hosts to collect the data. The supervisor also acts as an evaluator: it decides whether suspicious activity has been detected at a particular host and raises an alert with the help of the action agent. Figure 1 shows the architecture of our model of the IDS.

Figure 1: Our model architecture

Supervisor Agent: This assigns tasks to the other agents and dispatches the roaming agents, deciding which roaming agent is to be dispatched. All roaming agents coordinate with the supervisor. As an evaluator, this agent determines whether an intrusion has occurred with the help of inference rules.
Roaming Agent: The roaming agent sits on a host or moves from host to host, collects the suspicious activities and coordinates with the supervisor. It is composed of three parts: code, itinerary and results. It moves along a predetermined itinerary established by the supervisor; on reaching a host, the Aglet platform begins executing its code, and the agent carries the result onward.
Action Agent: The main purpose of this agent is to notify the administrator when an intrusion has occurred. It receives the alert generated by the supervisor.

5.1 How it works

Monitoring and detection start with user interaction with the supervisor. The supervisor agent sends out a roaming agent, which starts collecting data on the machine to be monitored. The roaming agent also tries to detect deviation from normal behaviour; if any deviation is noticed, the information is sent to the supervisor agent, which determines the type of anomaly using inference rules. Once suspicious activity is confirmed, a report is sent to the action agent, which raises an alert.

The following sample code defines the itinerary of an Aglet on creation. In our test setup a single machine runs Tahiti servers on different ports. (The imports, field declarations and enclosing class are added here so that the paper's fragment compiles; MyTask, which implements com.ibm.agletx.util.Task, is not shown in the paper.)

    import com.ibm.aglet.Aglet;
    import com.ibm.aglet.AgletProxy;
    import com.ibm.agletx.util.SlaveItinerary;

    public class RoamingAgent extends Aglet {
        private AgletProxy parent;          // proxy of the supervisor aglet that created us
        private SlaveItinerary slaveTrip;   // itinerary fixed by the supervisor before dispatch

        public void onCreation(Object ini) {
            parent = (AgletProxy) ini;
            // MyTask.execute() runs at each stop and records what the agent finds there
            slaveTrip = new SlaveItinerary(this, "", new MyTask());
            slaveTrip.addPlan("atp://host1:9000");
            slaveTrip.addPlan("atp://host2:9000");
            slaveTrip.addPlan("atp://host3:9000");
            slaveTrip.startTrip();          // dispatch to the first address; the itinerary moves the agent on
        }
    }

5.2 Development framework

Many agent frameworks are available, as given in [15], offering development and mobility facilities to agents. We decided to use the Aglet Software Development Kit [4][9] in our work. The ASDK environment was developed by IBM to provide mobility facilities to agent programs. It is written in Java and includes primitives to create, move, communicate with and dispose of programs. A mobile agent in ASDK is known as an Aglet (a contraction of agent + applet). An aglet migrates from one machine to another with the help of a server module, known as the Aglets server or Tahiti server (shown in Figure 2).

Figure 2: Tahiti Server Interface

Hence an Aglet is:
- Mobile code in Java
- Globally uniquely named
- Accessible to other aglets via a proxy
- Resident within an execution context
- Able to migrate across the network, carrying its state
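The workflow of 5.1, simulated end to end in Python as an added example (this is not code from the paper or from the Aglets toolkit): a roaming agent follows a supervisor-fixed itinerary over three constructed hosts, keeps only the connection records that deviate from each host's baseline, carries them onward, and the supervisor applies a port-scan inference rule with a suspicion list and expiry in the style of [7] before the action agent records the notification. The HMAC seal on the agent's serialized state, the host names, the sample records, the shared key and the threshold are all assumptions made for the example; the seal only shows how a platform can refuse an agent altered in transit, not how to protect the agent from a hostile platform.

```python
"""Roaming agent / supervisor / action agent, simulated in one process.

Added example; not from the paper or the Aglets toolkit.  Hosts, log records,
the key and the thresholds below are constructed for the demonstration.
"""
import hashlib
import hmac
import json
from collections import defaultdict

SHARED_KEY = b"supervisor-host-shared-key"  # assumption: provisioned on every agent platform
WINDOW = 30          # seconds an entry in the supervisor's suspicion list stays fresh
SCAN_THRESHOLD = 5   # distinct ports probed by one source, across all hosts, within WINDOW

# Constructed per-host connection records (src_ip, dst_port, time) and each host's
# baseline of ports it normally serves.  The scan by 10.0.0.9 touches only one to
# three unexpected ports per host, so no single host can see it; the supervisor can.
HOST_LOGS = {
    "host1": [("10.0.0.9", 22, 100), ("10.0.0.9", 80, 101), ("10.0.0.5", 443, 105)],
    "host2": [("10.0.0.9", 23, 102), ("10.0.0.9", 25, 103), ("10.0.0.5", 443, 110)],
    "host3": [("10.0.0.9", 110, 104), ("10.0.0.9", 143, 106), ("10.0.0.9", 3306, 107)],
}
BASELINE_PORTS = {"host1": [80, 443], "host2": [443], "host3": [22]}


def seal(state):
    """Serialize the agent's itinerary and results and attach an HMAC tag.

    JSON is used instead of object serialization so that restoring the state at
    the next host cannot execute code.  The tag lets a platform refuse an agent
    whose carried state was altered in transit; it does not protect against a
    platform that holds the key, which is the open problem the paper's conclusion names."""
    body = json.dumps(state, sort_keys=True).encode()
    return body, hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()


def unseal(body, tag):
    """Verify the tag before restoring the agent; raise rather than run a tampered agent."""
    expected = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("agent state altered in transit; refusing to restore it")
    return json.loads(body)


def roaming_task(host, state):
    """The roaming agent's code, run on arrival: keep only records that deviate
    from the host's baseline, so only the deviations travel on with the agent."""
    for src, port, t in HOST_LOGS.get(host, []):
        if port not in BASELINE_PORTS.get(host, []):
            state["results"].append([host, src, port, t])
    return state


class Supervisor:
    def __init__(self):
        self.suspects = defaultdict(list)  # suspicion list as in [7]: src -> [(host, port, time)]

    def dispatch(self, itinerary):
        return seal({"itinerary": list(itinerary), "results": []})

    def evaluate(self, results, now):
        """Inference rule: one source probing SCAN_THRESHOLD or more distinct ports,
        counted over every host visited, within WINDOW seconds, is a port scan.
        Entries that have gone stale are dropped, as in [7]."""
        for host, src, port, t in results:
            self.suspects[src].append((host, port, t))
        alerts = []
        for src in list(self.suspects):
            fresh = [e for e in self.suspects[src] if now - e[2] <= WINDOW]
            if not fresh:
                del self.suspects[src]
                continue
            self.suspects[src] = fresh
            ports = sorted({p for _, p, _ in fresh})
            if len(ports) >= SCAN_THRESHOLD:
                alerts.append({"src": src, "ports": ports,
                               "hosts": sorted({h for h, _, _ in fresh})})
        return alerts


class ActionAgent:
    def __init__(self):
        self.notifications = []

    def notify(self, alert):
        self.notifications.append("ALERT: port scan from %s on ports %s seen across %s"
                                  % (alert["src"], alert["ports"], alert["hosts"]))


def patrol(itinerary, now, tamper_at=None):
    """One trip of the roaming agent.  Each platform verifies the seal, runs the
    agent's task and re-seals it for the next hop.  If tamper_at names a host, the
    state is altered on the wire after leaving that host, so the next platform
    (or the supervisor, for the last host) rejects the agent."""
    supervisor, action = Supervisor(), ActionAgent()
    body, tag = supervisor.dispatch(itinerary)
    for host in itinerary:
        state = roaming_task(host, unseal(body, tag))
        body, tag = seal(state)
        if host == tamper_at:
            body = body.replace(b'"10.0.0.9"', b'"10.0.0.1"', 1)  # rewrite the scanner's address
    final_state = unseal(body, tag)  # the agent returns home; the supervisor checks it too
    alerts = supervisor.evaluate(final_state["results"], now)
    for alert in alerts:
        action.notify(alert)
    return alerts, action.notifications


if __name__ == "__main__":
    for line in patrol(["host1", "host2", "host3"], now=120)[1]:
        print(line)
```

Run over the three constructed hosts, the trip yields a single alert for 10.0.0.9, since the scan spans six unexpected ports across the three hosts; visiting any host alone yields none, which is the single-host blind spot described under High False Positive Rate, and the same evidence evaluated 400 seconds later yields none because the suspicion-list entries have expired.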

To travel from one machine to another, an aglet contacts the Aglets server of the target machine on a predetermined TCP port and identifies itself. Once authorized, it serializes its state and code to a stream and sends the stream to the target machine. After the transfer, the travelling aglet releases its resources on the source machine and is restored by the Aglets server at the other end by deserializing the stream. The contact, the identification, the stream transfer and the switch of control are all governed by the ATP protocol (Aglet Transfer Protocol). The ASDK model defines four mobility primitives: creation, dispatching, retraction and disposal, each related to a method defined on the Aglet object. The Aglet class defines the executable module of an ASDK program and is similar to the Applet class. Aglets reside in a context defined inside a host; a host can have several contexts, and aglets move from one context to another. As Aglet objects are serialized to be moved, they can make use of any class, as long as those classes are also serializable. To allow communication between aglets independently of their location, ASDK defines the Proxy object. When an aglet calls the create primitive to create a new aglet (the child), a proxy object is also created and returned to the original aglet (the parent). Through this proxy the parent aglet can communicate with and control its child, wherever it is placed. Communication can be synchronous or asynchronous.

5.3 Implementation

This project is at the development stage; at the time of writing only the ASDK evaluation and some base programs have been implemented, with excellent results. In the near future we expect to develop a prototype that detects attacks such as port scanning. We are working with ASDK 1.0.3 and JDK 1.1.6 and will afterwards move to the newer versions of these packages, ASDK 1.2 with JDK 1.2. JDK 1.2 introduces a number of improvements over JDK 1.1 and attempts to integrate all aspects of security into a manageable whole.

6. CONCLUSION & FUTURE WORK

We have presented a distributed IDS using Aglet mobile agents which overcomes some of the disadvantages of a centralized IDS. Our model employs a roaming agent as data collector and a supervisor that responds to attacks based on the data gathered by the roaming agent. It exploits the benefits of mobile agents such as reduced network bandwidth, increased flexibility and the ability to operate in heterogeneous environments. One major point we have not discussed is the security of the mobile agents themselves, which is one of the important issues that must be addressed if the system is to be deployed in a real environment: a mobile agent can cause damage to a host, and a host can do harm to a mobile agent. In the near future the objectives of our work are:
1) to evaluate the new version of Aglets that supports security features, once this project is developed, together with the security of agents in the IDS;
2) to make our system more effective in attack response;
3) to develop evaluator agents that use a fuzzy mechanism for decision making.

ACKNOWLEDGEMENT

I express my sincere thanks to Mr Rinkaj Goyal, Lecturer, USIT, GGSIPU, Delhi, for his valuable guidance. I also extend my gratitude to Prof Nupur Prakash, Dean, and Prof Navin Rajpal, Course Coordinator, USIT, GGSIPU, Delhi, for their kind support.

REFERENCES

1. Biswanath Mukherjee, L. Todd Heberlein and Karl N. Levitt, Network Intrusion Detection, IEEE Network, 8(3):26-41, May/June 1994.
2. W. Jansen, P. Mell, T. Karygiannis and D. Marks, Mobile Agents in Intrusion Detection and Response, NIST Interim Report (IR) 6416, National Institute of Standards and Technology, USA, October 1999.
3. Palmquist, Intelligent Agents in Computer and Network Management, course paper, University of Texas, 1998. http://www.gslis.utexas.edu/~palmquis/courses/project98/agents/webpage.html
4. Danny Lange and Mitsuru Oshima, Programming and Deploying Java Mobile Agents with Aglets, Addison-Wesley, 1998.
5. Jonathan Smith, A Survey of Process Migration Mechanisms, Operating Systems Review, 22(3):28-40, ACM Special Interest Group on Operating Systems, July 1988.
6. G. White, E. Fisch and U. Pooch, Cooperating Security Managers: A Peer-Based Intrusion Detection System, IEEE Network, 10(1):20-23, 1996.
7. Shao-Chun Zhong, Qing-Feng Song, Xiao-Chun Cheng and Yan Zhang, A Safe Mobile Agent System for Distributed Intrusion Detection, Proc. of the International Conference on Machine Learning and Cybernetics, Vol. 4, pp. 2009-2014, November 2003.
8. Pradeep Kannadiga and Mohammad Zulkernine, A Distributed Intrusion Detection System Using Mobile Agents, Proc. of the Sixth International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing and First ACIS International Workshop on Self-Assembling Wireless Networks, IEEE, 2005.
9. M. Oshima and G. Karjoth, Aglets Specification Version 1.0 (Draft), IBM, April 1998. http://www.research.ibm.com/trl/aglets/spec11.htm
10. IBM Aglets Software Development Kit (1998), home page. http://www.trl.ibm.co.jp/aglets/
11. Mark Crosbie and E. H. Spafford, Active Defense of a Computer System Using Autonomous Agents, Department of Computer Sciences, Purdue University, CSD-TR-95-008, 1995.
12. Gypsy mobile agent platform. http://www.infosys.tuwien.ac.at/Gypsy
13. ObjectSpace, Voyager Overview. http://www.objectspace.com/products/vgroverview.html
14. J. Balasubramaniyan, J. O. G. Fernandez, D. Isacoff, E. H. Spafford and D. Zamboni, An Architecture for Intrusion Detection Using Autonomous Agents, Technical Report TR 98-05, Purdue University, USA, 1998.
15. Mobile Agent Development Frameworks. www.csse.monash.edu.au/~jpage/madevframeworks.pdf
