Autonomous Intelligent Systems: Agents and Data Mining Workshop
Projects # 1686P

Contract for EOARD, ISTC (1999-2001)

1. Introduction and Overview

The problem of information security is now recognized as one of the most complex, and its importance grows together with increasing network connectivity, network size and the deployment of new information technologies [1-21]. Today information has become a highly valuable commodity, and its vulnerability is a major concern for any large organization that operates computer networks. Networks and the information they carry are becoming increasingly exposed to intrusion because of new, sophisticated threats and attacks, both local and remote, aimed at defeating or destroying the existing information security mechanisms.

According to a widely accepted point of view, an intrusion is defined as "any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource" [19]. This definition yields three main types of threat to information security:

  1. the threat of unauthorized access to information;
  2. the threat of destroying the integrity of information; and
  3. the threat of denial of service, which makes a crucial resource and/or information unavailable.

The information security problem has been in the focus of specialists' attention since the first computer networks appeared. At present it is addressed at the hardware and software levels by building a multi-level system of identification, authentication, access control, encryption, detection of particular types of attack and damage control. As a rule these functions are performed in software by independently operating intrusion detection, access control and authentication subsystems, which are effective against previously known, catalogued types of attack.

This approach, however, becomes inefficient for modern computer networks, whose hosts make millions of connections a day, interact with numerous different servers and are subjected to hundreds of different types of attack. It requires huge, partially duplicated databases, consumes an excessive amount of network resources and makes the network's software and hardware facilities inflexible. Moreover, it offers no protection against distributed attacks and cannot adapt to new types of attack, so that many entry points remain open to future attacks.

More recent approaches do not concentrate on defending a computer against catalogued types of attack. Instead they address more general principles of Information Security System (ISS) design. In particular, to detect intrusions they analyse statistically established user profiles, sequences of system calls at the entry points of servers, and so on, aiming to distinguish normal from abnormal inputs [7,22]. The modern view of the information security problem is that the particular protective mechanisms and the corresponding software must be integrated into a global system distributed across the hosts of the network. The specialized components of such an ISS must interact by message exchange in order to make decisions that are coordinated within each host and within the entire network. They must be able to adapt to reconfiguration of the network's software and hardware and to variations in network traffic, and they must detect unknown types of intrusion.

Many existing and proposed ISSs use a monolithic architecture, but experience confirms that such systems cannot provide the required level of computer network defence. Several approaches that exploit the idea of a distributed ISS are given in [24, 26, 27, 29, 30]. The reasons for the recent interest in the distributed approach to ISS design are as follows:

  • The large number of entry points into a network (multiple potential penetration points) requires many protective programs distributed throughout the network;
  • Distributed attacks against a computer network can naturally be countered only in a distributed way;
  • A network-based ISS has to operate on large-scale knowledge, and the only way to process such knowledge efficiently is to do so in a distributed manner.

One of the most constructive and promising ways to implement such an ISS is intelligent multi-agent technology [24, 26, 27, 29]. In [30] the metaphor of the immune system is used to develop a widely distributed program for the intrusion detection problem. However, most authors apply this technology only to the intrusion detection task, limit the capabilities of particular agents and do not take advantage of the intelligent properties of agents.

Thus, in [23] the so-called AAFID architecture of an intrusion detection system is reported. It uses a notion of agent that largely coincides with the traditional notion of a low-level "daemon", i.e. a program attached, for example, to a port to inspect the contents of network packets and to act on that information. An AAFID system can be distributed over a number of hosts in a network and may contain a great number of such agents. Each of them monitors one small aspect of the network traffic in order to recognize "probably suspicious behaviour", say an unknown source IP address in an incoming packet, an attempt to write to the hard disk, etc. Each agent "measures" an attribute of the input traffic (or of something else) and compares its value with an assigned "threshold"; "suspicious behaviour" is the case in which the measured value exceeds that threshold. Agents cooperate by sending information to a host-based "transceiver", which aims to detect an intrusion on the basis of all the information obtained by the host-based agency as a whole. An agent may also compute a simple function (say, a linear threshold function) whose arguments are the outputs of a group of agents. Nevertheless, even such a relatively simple agent-based model of an ISS brings a number of advantages, such as efficiency, fault tolerance, resilience to subversion, scalability, trainability, etc.

A multi-agent system for intrusion detection is considered in [29], where a Cooperating Security Manager (CSM) is proposed. It is closer to the modern understanding of a multi-agent system. A CSM runs on each computer connected to the network and is aimed at cooperative detection of probable intrusions. Its architecture includes sensors that analyse user activity and the queries submitted to the system in order to recognize abnormal usage patterns. The entire system contains a number of host-based sensors that cooperate by exchanging information, which in turn makes it possible to detect attacks both on a single host and on the network as a whole. For example, agents on several different hosts each detect a few successive login attempts with an incorrect login name and password, all of them coming from the same source IP address. No single agent can recognize an attack in this case, but analysed as a whole this information is strong evidence of an attack on the network. Unfortunately, like the previous approaches, this one is based on relatively poor agent functionality, architecture and means of cooperation, and it addresses only the intrusion detection task. Nevertheless, even such a relatively simple approach demonstrates a number of promising advantages of an agent-based ISS model for detecting network-based attacks.
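The two mechanisms described above, the AAFID-style threshold agents combined by a host transceiver and the CSM-style pooling of failed logins from several hosts by source address, as an added Python example. This is not code from the original page or from either project; the Event record, the KNOWN_IPS set, the agent thresholds, the integer weights and the host and network thresholds are assumptions chosen for illustration, and the event stream is constructed rather than captured.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    host: str    # host on which the event was observed
    src_ip: str  # peer address; 127.0.0.1 for purely local events
    kind: str    # "login_fail", "login_ok", "packet" or "disk_write"


# Constructed event stream (not captured data). Each of the three hosts sees
# only two failed logins from 192.0.2.10, below any single host's threshold;
# hostB additionally sees packets from an address it does not know and a
# disk write.
SAMPLE_EVENTS = [
    Event("hostA", "192.0.2.10", "login_fail"),
    Event("hostA", "192.0.2.10", "login_fail"),
    Event("hostA", "10.0.0.5", "login_ok"),
    Event("hostB", "192.0.2.10", "login_fail"),
    Event("hostB", "192.0.2.10", "login_fail"),
    Event("hostB", "203.0.113.9", "packet"),
    Event("hostB", "203.0.113.9", "packet"),
    Event("hostB", "127.0.0.1", "disk_write"),
    Event("hostC", "192.0.2.10", "login_fail"),
    Event("hostC", "192.0.2.10", "login_fail"),
]

# Assumed set of addresses the agency expects to see.
KNOWN_IPS = {"10.0.0.5", "127.0.0.1", "192.0.2.10"}


# AAFID-style agents: each measures one attribute of the host's events and
# emits 1 when the measured value exceeds its assigned threshold, else 0.
def agent_failed_logins(events, threshold=3):
    value = sum(1 for e in events if e.kind == "login_fail")
    return int(value > threshold)


def agent_unknown_source(events, threshold=1):
    value = sum(1 for e in events if e.src_ip not in KNOWN_IPS)
    return int(value > threshold)


def agent_disk_write(events, threshold=0):
    value = sum(1 for e in events if e.kind == "disk_write")
    return int(value > threshold)


AGENTS = {
    "failed_logins": agent_failed_logins,
    "unknown_source": agent_unknown_source,
    "disk_write": agent_disk_write,
}
# Assumed integer weights and host-level threshold for the linear combiner.
WEIGHTS = {"failed_logins": 7, "unknown_source": 5, "disk_write": 4}
HOST_THRESHOLD = 6


def transceiver(host, events):
    """Host-based transceiver: a linear threshold function over the agents'
    0/1 outputs for the events seen on `host`."""
    host_events = [e for e in events if e.host == host]
    flags = {name: agent(host_events) for name, agent in AGENTS.items()}
    score = sum(WEIGHTS[name] * flag for name, flag in flags.items())
    return {"host": host, "flags": flags, "score": score,
            "alert": score > HOST_THRESHOLD}


def correlate_failed_logins(events, per_host_threshold=3, network_threshold=4):
    """CSM-style network-level correlation: pool failed logins from all hosts
    by source address. A source whose per-host counts all stay at or below
    per_host_threshold is invisible to every local agent, but is reported
    here once its network-wide total exceeds network_threshold."""
    by_source = defaultdict(Counter)  # src_ip -> Counter(host -> failures)
    for e in events:
        if e.kind == "login_fail":
            by_source[e.src_ip][e.host] += 1
    findings = {}
    for src, per_host in by_source.items():
        total = sum(per_host.values())
        if total > network_threshold:
            findings[src] = {
                "hosts": dict(per_host),
                "total": total,
                "locally_visible": any(n > per_host_threshold
                                       for n in per_host.values()),
            }
    return findings


if __name__ == "__main__":
    for host in ("hostA", "hostB", "hostC"):
        print(transceiver(host, SAMPLE_EVENTS))
    print(correlate_failed_logins(SAMPLE_EVENTS))
```

Run as written, only hostB raises a host-level alert (unknown source plus disk write, 5 + 4 > 6), while the failed logins from 192.0.2.10 are reported only by the network-level correlation: two per host is under the local threshold of three, six in total is over the network threshold of four. The same structure shows the obvious caveat of threshold agents: an attacker who keeps each host's count below its threshold is caught only if the hosts share their evidence.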

Several related approaches are proposed in [24,25,26,30,31].

The present state of the art and the tendencies in the area of information security determine the Project objective, problem statement and the approaches to be used. The objective of the Project is the development of an agent-based model of an integrated ISS. The problems the Project addresses are as follows:

  1. Development of the architecture of the agent-based ISS as a whole and of the architectures of particular agents; development of an ontology of the information security domain for designing and decomposing the structure of the distributed knowledge base.
  2. Development of a formal framework for representing the agents' distributed knowledge, beliefs and intentions.
  3. Development of a procedure for agent cooperation in solving the integrated information security task.
  4. Development and mathematical justification of new methods of image-based information hiding (image-based steganography) to provide safe channels of information exchange.

The results of the Project will contribute a new model of an ISS and an assessment of the advantages of the agent-based approach to the integrated defence of computer networks.

References

  1. Walker B.J., Blake I.F. Computer Security and Protection Structures. Dowden, Hutchinson and Ross, Inc., Stroudsburg, Pennsylvania, 1977.
  2. Hoffman L.J. Modern Methods for Computer Security and Privacy. Prentice-Hall, 1977.
  3. Goguen J.A., Meseguer J. Security Policies and Security Models. Proceedings of the 1982 IEEE Symposium on Security and Privacy, Oakland, April 20-21, 1982, pp. 11-20.
  4. Hsiao D.K., Kerr D.S., Madnick S.E. Computer Security. Academic Press, 1979.
  5. Denning D.E. Cryptography and Data Security. Addison-Wesley, Reading (MA), 1982.
  6. Shurakov V.V. Support of Information Safety in Data Processing. Moscow: Finance and Statistics, 1985 (in Russian).
  7. Denning D.E. An Intrusion Detection Model. IEEE Transactions on Software Engineering, vol. SE-13, No. 2, 1987, pp. 222-232.
  8. Russell D., Gangemi G.T. Sr. Computer Security Basics. O'Reilly & Associates, Inc., 1991.
  9. Bezrukov N.V. Computer Viruses: A Reference Book. Kiev, 1991 (in Russian).
  10. The Protection of Computer Software: Its Technology and Applications. Ed. by D. Grover. Cambridge University Press, 1989.
  11. Spesivtsev A.V., Veter V.A. et al. Protection of Information in Personal Computers. Moscow: Radio and Communications, 1992 (in Russian).
  12. Muftic S. Security Mechanisms for Computer Networks. Ellis Horwood Limited / John Wiley & Sons, 1989.
  13. Rastorguev S.P. Program Methods of Information Protection in Computers and Networks. Moscow, 1993 (in Russian).
  14. Sherbakov A. Destroying Program Effects. Moscow: Edel, 1993 (in Russian).
  15. Gerasimenko V.A. Protection of Information in Computer-Based Data Processing Systems. In 2 volumes. Moscow: Energoatomizdat, 1994 (in Russian).
  16. Stang D.J. Network Security Secrets. IDG Books, 1993.
  17. Bolshakov A.A., Petraev A.B. et al. Basics of Data Safety in Computer Systems and Networks. St. Petersburg, 1995 (in Russian).
  18. Grusho A.A., Timonina E.E. Theoretical Bases of Information Security. Moscow: Publishing house of the agency "Jakhtsmen", 1996 (in Russian).
  19. The Theory and Practice of Support of Information Security. Ed. by P.D. Zegda. Moscow: Publishing house of the agency "Jakhtsmen", 1996 (in Russian).
  20. Melnikov V.V. Protection of Information in Computer Systems. Moscow: Finance and Statistics / Elektroninform, 1997 (in Russian).
  21. Zima V.M., Moldovyan A.A. Multilevel Protection of Information and Software of Computing Systems. St. Petersburg: GETU, 1997 (in Russian).
  22. Anderson D. et al. Next Generation Intrusion Detection Expert System (NIDES). Software Design, Product Specification and Version Description Document, Project 3131, SRI International, July 11, 1994.
  23. Balasubramaniyan J., Garcia-Fernandez J., Isacoff D., Spafford E., Zamboni D. An Architecture for Intrusion Detection Using Autonomous Agents. Proceedings of the 14th Annual Computer Security Applications Conference, Phoenix, Arizona, December 7-11, 1998.
  24. Hochberg J. et al. NADIR: An Automated System for Detecting Network Intrusion and Misuse. Computers & Security, vol. 12, No. 3, 1993, pp. 235-248.
  25. Lunt T. et al. Knowledge-Based Intrusion Detection. Proceedings of the 1989 Conference on Artificial Intelligence Systems in Government, March 1989.
  26. Porras P.A., Neumann P.G. EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances. Proceedings of the 20th National Information Systems Security Conference, National Institute of Standards and Technology, 1997.
  27. Staniford-Chen S. et al. GrIDS: A Graph-Based Intrusion Detection System for Large Networks. Proceedings of the 19th National Information Systems Security Conference, vol. 1, National Institute of Standards and Technology, October 1996, pp. 361-370.
  28. Stolfo S.J., Prodromidis A.L., Tselepis S., Lee W., Fan D.W., Chan P.K. JAM: Java Agents for Meta-Learning over Distributed Databases. Proceedings of the 3rd International Conference on Knowledge Discovery and Data Mining, Newport Beach, CA, 1997, pp. 74-81.
  29. White G.B., Fisch E.A., Pooch U.W. Cooperating Security Managers: A Peer-Based Intrusion Detection System. IEEE Network, January/February 1996, pp. 20-23.
  30. Forrest S., Hofmeyr S.A., Somayaji A. Computer Immunology. Communications of the ACM, vol. 40, No. 10, October 1997, pp. 88-96.
  31. Forrest S., Javornik B., Smith R., Perelson A. Using Genetic Algorithms to Explore Pattern Recognition in the Immune System. Evolutionary Computation, vol. 1, No. 3, 1993, pp. 191-211.

2. Expected Results

The Project comprises two parts.

The objective of the first part is the development of the basic models of an agent-based integrated ISS: the architecture of the ISS and its components, ontology-based distributed knowledge representation, and a formal model of cooperative agent behaviour within the ISS task as a whole. One more task is the development of a new approach to image-based steganography.

The second part is an extension of the first. Its objective is the development of software to support implementation of the basic standard components of the agent-based ISS, i.e. standard components of software agents, software for message exchange and agent negotiation, and software for agent cloning and elimination. This software has a twofold purpose: to assess the developed approaches and to sketch out the way towards an integrated agent-based ISS implementation.

Expected results of Part 1 of the Project are as follows:

  1. Analysis and classification of possible types of attack will be performed.
  2. An agent-based architecture of the ISS will be developed.
  3. Architectures of particular agents of types 1, 2, 3 and 7 will be developed (see section 6).
  4. A protocol of agent interaction and message exchange will be developed.
  5. An ontology-based formal framework for the distributed representation of the agents' common and specific knowledge, beliefs and intentions will be developed.
  6. A comparative analysis of existing image-based steganography techniques will be performed.
  7. A new image-based steganography technique will be developed.
  8. A simulation of a software prototype of the agent-based ISS implementing the proposed architecture, formal framework and techniques will be performed.
  9. A simulation-based investigation of the developed image-based steganography approach will be performed.

Expected results of Part 2 of the Project are as follows:

  1. The object-oriented design of the software tool prototype will be developed;
  2. Particular components of the software tool will be developed, including (1) communication components of the multi-agent system providing asynchronous message exchange among distributed agents, (2) components facilitating on-line and off-line cloning of agents and (3) components for destroying agents;
  3. Software for generating the representation of the distributed common knowledge of the multi-agent ISS and of the particular knowledge, beliefs and intentions of agents will be developed;
  4. Software for image-based steganography using the developed technique will be implemented;
  5. A case study of an agent-based ISS to assess the proposed model as well as the software will be developed.

The software will be provided with a user-friendly interface and implemented in a Java + Visual C++ environment. The expected results are of both basic and application-oriented character. The Project does not aim at developing any technology for obtaining results that might be considered an invention or contain business confidential information.

The results of the Project research are described in the technical reports (links below), in English and in Russian.
Technical Report 1 (English)
Technical Report 1 (Russian)
Technical Report 2 (English)
Technical Report 2 (Russian)
Technical Report 4 (English)
Technical Report 4 (Russian)
Technical Report 5 (English)

Copyright ©2004 Intelligent Systems Laboratory, SPIIRAS, All rights reserved.