Computer Security Based on Biological Systems
Dieter Hutter and Raúl Monroy
Abstract
The evolution of computing and communication capabilities has come with an evolution in security requirements. Computer intrusion detection is one aspect of computer security and an active area of
research. Existing Intrusion Detection Systems (IDSs) are not sufficient,
both because of their structure and because of their lack of scalability.
Like an immune system, an IDS should be distributed, made out of a
number of components, each of which is in constant movement, carrying
out a specific task. Having undergone natural evolution, immune systems are
both highly reliable and robust. This research aims at the development
of a methodology to build robust, efficient, effective and highly adaptable
intrusion detection systems. It rests upon the conjecture that a procedure
inspired by an immune system is the key to achieving computer intrusion detection using a multi-mobile-agent system.
1 Introduction
The evolution of computing and communication capabilities has been accompanied by an evolution in security requirements and increasing demands on
security mechanisms. In early computing systems, physical controls were an
effective means of protecting data and software from unauthorized access because these systems were physically isolated. Multiuser programming and the
connection of computers to networks created a need for mechanisms to control
the sharing of data and programs amongst a community of users. The move
to distributed systems exacerbated these problems, providing remote access not
only for users, but also for attackers from anywhere in the world.
Computer intrusion detection is a key aspect of computer security and still
an active area of research. Intrusion detection is concerned with the problem
of identifying computer processes that are using a computer system without
authorization. Existing Intrusion Detection Systems (IDSs) are still insufficient.
This is both because they cannot handle the current level of sophistication in
computer attacks, and because they are not scalable, both in throughput and
performance.
The advent of the programming paradigm of mobile agents, which allows
programs to migrate between hosting computers during execution, gives rise
to the development of new intrusion detection systems. To approach intrusion
detection successfully, new IDSs ought to be distributed and made out of simple,
mobile components, each of which is responsible for achieving a simple, specific
aim. Mobility and specialization suggest an analogy between intrusion detection
and immune systems of life forms.
Having undergone natural evolution, immune systems are both highly reliable and
robust. They are effective, efficient, highly parallel, distributed systems. Although each member carries out but a small part of a task, an immune system
is able to achieve complex goals by means of the coordinated action of its individuals. A similar behavior is found in some communities of insects, e.g. an
anthill. Immune systems provide a virtually inviolable protection system with
an outstanding performance.
The proposed project aims at the development of a methodology to build
robust, efficient, effective and highly adaptable intrusion detection systems as
a (mobile) multi-agent system. This research rests upon the conjecture that
techniques inspired by an immune system, or the behavior of a community of
insects, provide the key to achieving computer intrusion detection. Our hypothesis is
that we can abstract out the behavior of each member of any such system
in order to build a mobile, multi-agent based mechanism whereby a significant
level of security can be provided.
1.1 Expected Contributions
In particular we are interested in the following objectives:
1. to provide a methodology to design intrusion detection systems inspired
by immune systems or social insects in biology and based on (mobile)
multi-agent systems;
2. to provide general methods for anomaly detection and for distinguishing
the self from the non-self in particular; and
3. to provide a model in which a collection of mobile, dynamic agents cooperate with one another in order to achieve computer security.
2 Intrusion Detection System
Intrusion Detection Systems (IDSs) are primarily concerned with providing confidentiality, integrity and availability of information. They involve a variety of
protection mechanisms aimed at detecting an ongoing attack before it turns
into an intrusion, yielding undesirable consequences [16]. IDSs all face the problem of judging the state of a system so as to distinguish normal activity from
malicious activity. They should be scalable, robust, lightweight and should have a
low rate, ideally zero, of false alarms.
IDSs are usually based on two detection models, one for misuse and the
other for anomaly. Misuse models monitor weak points in the operating system;
anomaly models detect changes in the usual behavior of a system. To approach
intrusion detection, IDSs search for known, dangerous patterns in both computer execution traces and network traffic. These patterns aim to characterize
threatening behavior, traffic analysis, statistical-anomaly detection, state-based
detection, etc. [1].
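The two detection models described above can be contrasted on system-call traces. The following Python code is an added example, not code from the proposal: the signature table, the traces, the window length and the threshold are constructed for illustration, and the anomaly model uses a sliding-window profile of normal traces as one simple way to separate self from non-self.

```python
# Added example: misuse vs. anomaly detection on constructed system-call traces.
# All signatures, traces, window length and threshold are illustrative assumptions.

# Misuse model input: known-bad call subsequences (constructed).
MISUSE_SIGNATURES = {
    ("open", "chmod", "execve"): "permission change followed by exec",
}

# Anomaly model input: traces recorded during ordinary activity (constructed).
NORMAL_TRACES = [
    ["open", "read", "read", "close"],
    ["open", "read", "write", "close"],
    ["open", "write", "write", "close"],
]

KNOWN_BAD = ["open", "chmod", "execve", "close"]      # matches a signature
NOVEL = ["open", "read", "socket", "write", "close"]  # no signature exists
BENIGN = ["open", "read", "write", "close"]           # seen during training
VARIANT = ["open", "read", "read", "write", "close"]  # harmless but unseen

def windows(trace, k):
    """Return every length-k sliding window of a trace as a tuple."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]

def build_profile(normal_traces, k=3):
    """Learn 'self': the set of windows observed in normal activity."""
    profile = set()
    for trace in normal_traces:
        profile.update(windows(trace, k))
    return profile

def misuse_alerts(trace):
    """Misuse model: labels of all known-bad patterns present in the trace."""
    return [label for sig, label in MISUSE_SIGNATURES.items()
            if sig in windows(trace, len(sig))]

def anomaly_score(trace, profile, k=3):
    """Anomaly model: fraction of the trace's windows that are non-self."""
    ws = windows(trace, k)
    if not ws:
        return 0.0  # trace shorter than one window: nothing to judge
    return sum(w not in profile for w in ws) / len(ws)

def classify(trace, profile, k=3, threshold=0.5):
    """Combine both models; alert on a signature hit or a high anomaly score."""
    hits = misuse_alerts(trace)
    score = anomaly_score(trace, profile, k)
    return {"misuse": hits, "anomaly_score": score,
            "alert": bool(hits) or score > threshold}

if __name__ == "__main__":
    profile = build_profile(NORMAL_TRACES)
    for name, trace in [("known_bad", KNOWN_BAD), ("novel", NOVEL),
                        ("benign", BENIGN), ("variant", VARIANT)]:
        print(name, classify(trace, profile))
    # Lowering the threshold turns the harmless variant into a false alarm.
    print("variant@0.25", classify(VARIANT, profile, threshold=0.25))
```

The `NOVEL` trace is caught only by the anomaly model, while `VARIANT` shows how a tighter threshold trades missed detections for false alarms.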
The development of IDSs dates back to the 1980s, with Denning’s work on an
intrusion-detection model [6]. At that time, IDSs were centralized and data were collected on a single machine. Nowadays, approaches are based on a distributed
architecture, where the collection and the analysis of data are distributed on several machines. However, both workload and information distribution are static
and, hence, these systems are still subject to so-called distributed attacks. Examples of centralized IDSs include IDES [7], NDIX [2] and NADIR [11], while
NSM [10], DIDS [24] and A-IDS [4] are multi-host, network-based.
Intrusion detection systems are highly complex. They are best characterized
in terms of two sets of requirements they ought to satisfy, one for performance and the other for throughput.
Performance requirements have to do with high-level,
behavioral specifications, while throughput ones have to do with response time
and other temporal properties.
3 Methodology
We aim to construct a mobile, multi-agent, distributed intrusion detection system, inspired by immune systems. To achieve our aim, we suggest splitting the
workload into the following tasks:
1. Characterize ordinary activity, and develop mechanisms for automatically distinguishing potentially malicious activity. To this aim, we suggest
adopting or developing techniques to explore, identify and characterize computer attacks. Pattern recognition corresponds to innate immunity, while learning
corresponds to acquired immunity. Either of these abilities can be pre-programmed
(thymus) or developed on the fly;
2. Develop mechanisms capable of classifying and grouping together both
traffic and processes that inhabit each host of the computer network.
Clustering techniques will be used to hierarchically approach intrusion
detection: System response will be coordinated, resulting from a complex
combination of sensed activity at different system levels;
3. Model and develop computer agents that are able to identify one another
and to work in a coordinated manner in order to achieve a common task.
We aim to develop a formal model of behavior for an immune system. The
model will help build the IDS in an educated manner;
4. Implement the intrusion detection system in a typical, non-controlled environment; and
5. Design and carry out a testing methodology for checking the effectiveness
of the system, as well as comparing it against rival techniques.
Summarizing, multi-mobile-agent systems allow one to model and build systems capable of exhibiting the behavior found in life forms. Using both technologies, it is possible to achieve both effectiveness and reactivity, while making
the entire system robust. Mobile computing and multi-agent systems, therefore, provide a solid framework, suitable for developing distributed intrusion
detection systems.
3.1 Work Plan
Our work plan is specified in terms, each of which spans 6 months. It
refers to the major tasks mentioned above, which will be conducted equally and in a coordinated way by the grant holders, Dr. Hutter and Dr. Monroy.
Besides the grant holders, Dr. Klaus Fischer and Mr. Fernando Goínez will
also be involved in this project. They will all be responsible for the discovery
and formalization of the proposed intrusion detection system. To allow for a
smooth project realization, three annual site visits are planned, one for each
team member. The German institute will contribute to the development of the
methodology and its implementation in potential applications.
4 Reasons for Cooperation
Dr. Hutter and Dr. Monroy did joint work in the area of program synthesis and automated reasoning during their stays at the University of Edinburgh
(Prof. Alan Bundy). DFKI, the German party, has several ongoing projects that
are concerned with the security of mobile, multi-agent systems. In particular,
the SAMOA project, funded by the German Bundesamt für Sicherheit in der
Informationstechnik, is strongly related to the proposed research since it aims
at the application of mobile, multi-agent systems to the intrusion detection task. Furthermore, DFKI has a long tradition in research on multi-agent
systems. Several members of the DFKI are chairs or PC-members of multi-agent
related conferences and workshops. During the last four years the formal methods group at DFKI has gathered a lot of expertise in designing formal security
models for large industrial applications. DFKI is an “information technology
security evaluation facility” accredited to the German BSI (Bundesamt für die
Sicherheit in der Informationstechnik) and licensed to perform ITSEC (and also
CC in the near future) security evaluations.
5 Benefits for Each Country
The envisioned methodology has great economic potential as it aims at the development of intrusion detection systems which are capable of coping with the
threats arising with the advent of mobile code E-commerce. Because most deployed computer systems are vulnerable to an ever increasing threat of attack, intrusion
detection is an important technology business sector as well as an active area of
research. The large number of false alarms is the limiting factor for the industrial
use of existing (commercial) IDSs. Similar to techniques of face recognition based
on neural networks, the paradigm of mobile agents may provide the necessary
flexibility to adapt an IDS to new types of intruder goals and new attack scenarios. Besides the intended academic research in this field, the DFKI aims at
the implementation of such a system as part of a follow-up project of SAMOA
funded by the German BSI.
6 Experience of the Partners
Starting his academic career within the area of deduction systems, Dr. Dieter
Hutter, affiliated to DFKI in the department of Deduction and Multi-agent Systems headed by Prof. H. J. Siekmann, has now been engaged in the realization
of formal methods for almost ten years. The large variety of the different kinds
of projects, from academic basic research projects up to industrial applications
of VSE [13], allowed for a rapid feedback from the requirements occurring in
industrial practice to the orientation of academic research. The control of complexity arising in practical examples by a thorough use of available domain
knowledge has been a central theme of his research. Formal annotations for
deduction systems [14] and development graphs for managing formal developments [15] are two instances of how to use structuring information within a
complex environment.
Dr. Klaus Fischer studied computer science at the Technische Universität
(TU) in München. From 1986 to 1991 he worked in a joint research project
SFB 331 Information Processing in Autonomous Mobile Robot Systems at the
Department of Computer Science at the TU München. In 1992 he finished his
doctoral degree with his thesis on Distributed and Cooperative Planning in a
Flexible Manufacturing System. In January 1992 he joined the Multi-agent
System Research Group at DFKI GmbH in Saarbrücken in the department
of Deduction and Multi-agent Systems headed by Prof. H. J. Siekmann and
assumed the responsibility of group leader in November 1993 and deputy head
of department in 1996. He has successfully finished several research projects
and industrial application projects on multi-agent systems. Since 1989 he has
been a member of the German Special Interest Group on Distributed AI. From
1992 to 1993 he organized the mailing list for this group. From September 1995
to August 2000 he was spokesman of the group.
Joining the experiences of both groups, the DFKI is engaged in research
on security of mobile multi-agents [9]. While the project SAMOA, funded by
the BSI, analyses the use of mobile agents to increase the security of computer
networks, another project SEMAS, funded by the BMBF, investigates fundamental security threats and how to counteract these threats in the design of
mobile multi-agent systems within virtual market places.
The Mexican partner, Dr. Monroy, affiliated to Tecnológico de Monterrey,
Campus Estado de México, is concerned with the discovery of automatic methods for applying formal methods to software or hardware development. He has been
deeply involved in the discovery of a proof plan for the verification of communicating systems [18, 19], annotated term-rewriting [20], and in the productive
use of failure [17, 21]. Dr. Monroy’s interests have shifted gradually into computer security and he is currently involved in various projects related to this area.
Relevant to this proposal, he is grant holder of the project called “The Use of
Proof Planning to Automating the Verification of Security Protocols”, funded
by CONACYT, under grant 33337-A.
Project CONACYT 33337-A aims to significantly reduce the time and effort
required for the study of authentication protocols. An authentication protocol is a set of
rules and conventions whereby one or more pairs of principals agree about each
other’s identity. Authentication protocols may involve as few as two messages
but are surprisingly hard to get right. They are considered as safety-critical
applications. The project attempts to provide general knowledge heuristics for
driving the verification of authentication protocols, to build a totally automatic
research tool prototype capable of handling the verification task and to understand how to use failure so as to suggest high-level, intelligible, educated changes
to the structure of a faulty protocol.
References
[1] T. Bass. Intrusion Detection Systems and Multisensor Data Fusion. Communications of the ACM, Vol. 43(4), ACM 2000.
[2] D. Bauer and M. Koblentz. Ndix–an expert system for real-time network
intrusion detection. In IEEE Computer Networking Symposium, pages 98–
106, April 1988.
[3] H.-J. Bürckert, K. Fischer, and G. Vierke. Holonic Transport Scheduling
with TeleTruck. Journal of Applied Artificial Intelligence, 14:697–725,
Taylor & Francis 2000.
[4] M. Crosbie and G. Spafford. Active Defense of a Computer System Using
Autonomous Agents, Technical Report 95-008, Department of Computer
Science, Purdue University, February 1995.
[5] D. Dasgupta. Artificial Immune System and Their Applications. Springer,
U.S.A., 1998.
[6] D.-E. Denning. An Intrusion-Detection Model. IEEE Transactions on Software Engineering, 13(2):222-232, 1987.
[7] D. Denning et al. A prototype IDES: A real-time intrusion detection expert
system. Technical report, Computer Science Laboratory, SRI International,
August 1987.
[8] K. Fischer. Agent-Based Design of Holonic Manufacturing Systems. Journal
of Robotics and Autonomous Systems, 27:1–2:3–13, Elsevier Science B.V.
1999.
[9] K. Fischer, D. Hutter. Proceedings of the 1st International Workshop on
Security of Mobile Multiagent Systems 5th International Conference on Autonomous Agents (Agents 2001) Montreal, May, 2001.
[10] Herberlein et al. A network security monitor. In IEEE, editor, IEEE CS
Symposium on Research in Security and Privacy, pages 296–303, New York,
NY., May 1990.
[11] Hochberg et al. Nadir: An automated system for detecting network intrusion and misuse. Computers and Security, pages 235–248, 1993. Elsevier
Science, New York.
[12] S. Hofmeyr and S. Forrest. Architecture for an Artificial Immune System.
Evolutionary Computation Journal, 8(4):443-473, 2000.
[13] D. Hutter, B. Langenstein, G. Rock, J. Siekmann, W. Stephan, and
R. Vogt. Formal software development in the verification support environment. Journal of Experimental and Theoretical Artificial Intelligence, 12(4),
December 2000.
[14] D. Hutter. Automated reasoning. Annals of Mathematics and Artificial
Intelligence (AMAI). Special Issue on Strategies in Automated Deduction,
Kluwer, 29:183–222, 2000.
[15] D. Hutter. Management of change in verification systems. In Proceedings
15th IEEE International Conference on Automated Software Engineering,
ASE-2000, pages 23–34. IEEE Computer Society, 2000.
[16] K. Kim and P. Bentley. An artificial immune model for network intrusion
detection. Department of Computer Science, University College London.
[17] R. Monroy. The use of Abduction and Recursion-Editor Techniques for
the Correction of Faulty Conjectures In: P. Flenner and P. Alexander
(eds.): Proceedings of the 15th Conference on Automated Software Engineering. Grenoble, France, pp. 91–99, IEEE Computer Society Press, 2000.
[18] R. Monroy, A. Bundy, and I. Green. Planning Proofs of Equations in CCS.
Automated Software Engineering Journal, 7(3):263–304, 2000.
[19] R. Monroy, A. Bundy, and I Green. Searching for a Solution to Program
Verification = Equation Solving in CCS. In O. Cairó and F. Cantú, editors, Mexican International Conference on Artificial Intelligence, MICAI’00,
to appear, Acapulco, Mexico, 2000. Springer-Verlag. Lecture Notes in
Artificial Intelligence.
[20] R. Monroy, A. Bundy, and I. Green. Annotated Term Rewriting for Deciding Observation Congruence. In H. Prade, editor, 13th European Conference
on Artificial Intelligence, ECAI’98, pages 393–397, Brighton, England, 1998.
Wiley & Sons.
[21] R. Monroy, A. Bundy, and A. Ireland. Proof Plans for the Correction
of False Conjectures In: F. Pfenning (ed.): Proceedings of the 5th International Conference on Logic Programming and Automated Reasoning,
LPAR’94. Kiev, Ukraine, pp. 54–68, Springer-Verlag. Lecture Notes in Artificial Intelligence, Vol. 822. Also available from Edinburgh as DAI Research
Paper No. 681.
[22] E. C. Oliveira, O. Stepankova, and K. Fischer. Multi-Agent Systems:
Which Research for which Application. Journal of Robotics and Autonomous
Systems, Vol. 27:1–2:91–106, Elsevier Science B.V. 1999.
[23] L. A. Segel and I. R. Cohen. Design Principles for the Immune System
and Other Distributed Autonomous Systems. Oxford University Press, New
York, U.S.A., 2000.
[24] S. Snapp et al. A system for distributed intrusion detection. In IEEE,
editor, IEEE COMPCON, pages 170–176, New York, NY., March 1991.