APPLICATION OF MULTI-AGENT SYSTEMS FOR NETWORK AND INFORMATION PROTECTION

Transcription

1 18-19 September 2014, BULGARIA 137 Proceedings of the International Conference on Information Technologies (InfoTech-2014) September 2014, Bulgaria APPLICATION OF MULTI-AGENT SYSTEMS FOR NETWORK AND INFORMATION PROTECTION Roumen Trifonov 1, Slavcho Manolov 2, Georgi Tsochev 1 1 Department of Computer Systems, Technical University of Sofia s: [email protected], [email protected], 2 Chairman of the Board and CEO of Association EDIBUL [email protected] Bulgaria Abstract: The Faculty of Computer Systems and Control at Technical University of Sofia began research on the application of intelligent systems for information security. This paper aims to show the directions of this research. Key words: Security intelligence, multi-agent systems, intrusion detection and protection systems 1. INTRODUCTION SECURITY INTELLIGENCE Too often, the unified security programs, based on comprehensive analyses of unified information from across the IT infrastructure, are costly, complex, difficult to implement and inefficient. As a result, most organizations lack accurate threat detection and informed risk-management capabilities. Therefore, the response to new information security threats can be a security intelligence approach with a reactive new policies or rules [1]. The case for security intelligence is compelling. Enterprises and government organizations have vast quantities of data that can help detect threats and areas of high risk if they have the means and the commitment to collect, aggregate and, most importantly, analyse it. This data comes not only from point security products, but also from sources such as network device configurations, servers, network traffic telemetry, applications, and end users and their activities. Security intelligence reduces risk, facilitates compliance, shows demonstrable return on investment (ROI) and maximizes investments in existing security technologies. The goals of security intelligence are to:

2 138 PROCEEDINGS of the International Conference InfoTech-2014 distill large amounts of information into an efficient decision-making process, reducing billions of pieces of data to a handful of action items; operationalize data collection and analysis through automation and ease of use; deliver high-value applications that help organizations derive the most benefit from their data to understand and control risk, detect problems and prioritize remediation; validate that the organization has the right policies in place; assure that the controls the organization has implemented are effectively enforcing those policies. Security intelligence should include a broader range of data, leveraging the full context in which systems are operating. That context includes, but is not limited to, security and network device logs, vulnerabilities, configuration data, network traffic telemetry, application events and activities, user identities, assets, geo-location, and application content. This produces a staggering amount of data. Security intelligence provides great value in leveraging that data to establish very specific context around each potential area of concern and executes sophisticated analytics to accurately detect more and different types of threats. For example, a potential exploit of a web server reported by an intrusion detection system can be validated by unusual outbound network activity detected by network behavioural anomaly detection capabilities. 2. INTRUSION DETECTION AND PREVENTION SYSTEMS Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators. Incidents have many causes, such as malware (e.g., worms, spyware), attackers gaining unauthorized access to systems from the Internet, and authorized users of systems who misuse their privileges or attempt to gain additional privileges for which they are not authorized [2]. Although many incidents are malicious in nature, many others are not; for example, a person might mistype the address of a computer and accidentally attempt to connect to a different system without authorization. For example, an IDPS could detect when an attacker has successfully compromised a system by exploiting vulnerability in the system. The IDPS could also log information that could be used by the incident handlers. Many IDPSs can also be configured to recognize violations of security policies. For example, some IDPSs can be configured with firewall rule set-like settings, allowing them to identify network traffic that violates the organization s security or acceptable use policies. Also, some

3 18-19 September 2014, BULGARIA 139 IDPSs can monitor file transfers and identify ones that might be suspicious, such as copying a large database onto a user s laptop. Many IDPSs can also identify reconnaissance activity, which may indicate that an attack is imminent. An IDPS might be able to block reconnaissance and notify security administrators, who can take actions if needed to alter other security controls to prevent related incidents. Because reconnaissance activity is so frequent on the Internet, reconnaissance detection is often performed primarily on protected internal networks. In addition to identifying incidents and supporting incident response efforts, organizations have found other uses for IDPSs, including the following [2]: identifying security policy problems - an IDPS can provide some degree of quality control for security policy implementation, such as duplicating firewall rule sets and alerting when it sees network traffic that should have been blocked by the firewall but was not because of a firewall configuration error; documenting the existing threat to an organization. IDPSs log information about the threats that they detect. Understanding the frequency and characteristics of attacks against an organization s computing resources is helpful in identifying the appropriate security measures for protecting the resources. The information can also be used to educate management about the threats that the organization faces. deterring individuals from violating security policies. If individuals are aware that their actions are being monitored by IDPS technologies for security policy violations, they may be less likely to commit such violations because of the risk of detection. Because of the increasing dependence on information systems and the prevalence and potential impact of intrusions against those systems, IDPSs have become a necessary addition to the security infrastructure of nearly every organization. IDPS technologies use many methodologies to detect incidents. The primary classes of detection methodologies can be: signature-based, anomaly-based, and stateful protocol analysis, respectively. Most IDPS technologies use multiple detection methodologies, either separately or integrated, to provide more broad and accurate detection. 3. INTELLIGENT AGENTS Agents can be defined to be autonomous, problem-solving computational entities capable of effective operation in dynamic and open environments [3]. Agents are often deployed in environments in which they interact, and may be cooperate, with other agents (including both people and software) that have possibly conflicting

4 140 PROCEEDINGS of the International Conference InfoTech-2014 aims. Such environments are known as multi-agent systems. Agents can be distinguished from objects (in the sense of object oriented software) in that they are autonomous entities capable of exercising choice over their actions and interactions. Agents cannot, therefore, be directly invoked like objects. However, they may be constructed using object technology. Agent architectures are the fundamental engines underlying the autonomous components that support effective behavior in real-world, dynamic and open environments. Agent-based computing has been a source of technologies to a number of research areas, both theoretical and applied. These include distributed planning and decision-making, automated auction mechanisms and learning mechanisms. Moreover, agent technologies have drawn from, and contributed to, a diverse range of academic disciplines, in the humanities, the sciences and the social sciences. When designing agent systems, it is impossible to foresee all the potential situations an agent may encounter and specify behavior optimally in advance. Agents must therefore learn from, and adapt to, their environment. This task is more complex when the agent is situated in an environment that contains other agents with different (and in many cases unknown) capabilities, goals, and beliefs. Multi-agent learning, (the ability of agents to learn how to communicate, cooperate, and compete) becomes crucial in such domains. Learning is increasingly being seen as a key quality of agents, and research into learning agent technology, such as reinforcement learning and genetic algorithms, is now being carried out across Europe. Applications of learning agent technology have been especially successful in the areas of personalization and information retrieval, and promising results have been achieved in the areas of robotics and telecommunications. More effort will be needed, however, to make learning an inherent part of commercial agent applications. In Bulgaria remarkable achievements in the field of multi-agent systems have been realized in Plovdiv University. 4. MULTI-AGENT INTRUSION DETECTION SYSTEM The Faculty of Computer Systems and Management Technical University of Sofia began research on the application of intelligent systems for information security. This contribution aims to show the directions of this research. The chosen strategy of the network security applications implementation is based on the development of specialised software toll that could provide reusability of the most part of the software for design a wide range of agent based network security systems. According to the popular technologies for design of multi-agent systems (MAS) [4, 5], the idea about the complete architecture of the system is depicted in the Fig. 1.

5 18-19 September 2014, BULGARIA 141 Fig. 1 The Agent-based Simulator of Attacks against Computer Networks (ASACN) is intended to simulate the input traffic, i.e. a mixture of normal and abnormal stream of events. The abnormal stream of events is simulating attacks against the computer network. The input traffic can correspond to a reasonable sequence of these singlephase attacks using different entry points (hosts). The Multi-agent Intrusion Detection System (MIDS) is responsible for detection of attacks against the network. The Multi-agent Intrusion Detection Learning System (MIDLS) is intended for multilevel learning based on the interpreted data from the same sources and represented in the same structures as the ones used by the MIDS. In the ASACN, distributed attack is specified as a sequence of coordinated actions of the distributed malefactors. Each malefactor can be mapped as an intelligent agent of the same architecture possessing the similar functionality. While performing a distributed attack, malefactors can interact to coordinate their activity. MIDS can made decisions based on the multi-level input of data processing using a meta-classification scheme. The MIDS architecture can comprise some basic components, such as: agent responsible for the input traffic pre-processing, agents for authentication and for access control, agents for extraction of the meaningful patterns of events, etc. It is expected that the main peculiarities and resulting problems of intrusion detection learning technology will result from the peculiarities of learning data. It is necessary to have in mind the distributed nature and heterogeneity of data for intrusion detection learning. The data can be represented in different data structures and measured in different measurement scales.

6 142 PROCEEDINGS of the International Conference InfoTech-2014 MIDLS will include several copies of the following classes of agents: learning data management agents, which are intended for allocation of training and testing data between different copies of learning agents depending on their role in the general decision-making structure; classifier testing agents, which are responsible for testing of classifiers based on the data sample chosen as testing and assessing the learning quality of a classifier based on a specified set of criteria; meta-data forming agents, which possess the knowledge concerning to metaclassifiers of meta-data for training and testing. This knowledge will concern to the subset of base classifiers, which decisions will be combined; learning agents, which realize the main function of the MIDLS. It is planning to use two classes of the learning agents. The first class will be designed for the task in which training and testing data will be represented as ordered temporal sequences of random length. The second class will be designed for the learning classifiers that work with the training and testing data, represented in the form of attribute vectors. 5. CONCLUSIONS The paper presents the investigations concerning the capability of multi-agent systems to give contribution to enhancing network security. Is it intended to specify and to stimulate distributed attacks at various layers using a formal model of attack scenario. The variance of attacks can be ensured by the random choice of machine transition rules. The significant advantage of such solution is a capability of comparatively light components of a multi-agent security system to cooperate. The learning system is viewed as a multi-sensor and a multi-level data fusion system, which makes decisions on the basis of a multi-level model of network traffic and host-based audit data. REFERENCES [1] IT Executive Guide to Security Intelligence IBM, January 2013 [2] Guide to Intrusion Detection and Prevention Systems (IDPS) NIST, Special Publication , February 2007 [3] Michael Luck, Peter McBurney, Christ Preist Agent Technology: Next Generation Computing AgentLink II, January 2003 [4] S. D. Chi, J.S. Park, K.C. Jung and J.S. Lee Network Security Modeling and Cyber Attack Simulation Methodology Lecture Notes in Computer Science, Vol. 2119, 2001 [5] D. Dashgupta and F. Gonzales An Intelligent Intrusion Detection System Lecture Notes in Computer Science, Vol. 2052, 2001Michael Luck