APPLICATION OF MULTI-AGENT SYSTEMS FOR NETWORK AND INFORMATION PROTECTION




Proceedings of the International Conference on Information Technologies (InfoTech-2014), 18-19 September 2014, Bulgaria

Roumen Trifonov (1), Slavcho Manolov (2), Georgi Tsochev (1)

(1) Department of Computer Systems, Technical University of Sofia, e-mails: r_trifonov@tu-sofia.bg, tsochev@tu-sofia.bg
(2) Chairman of the Board and CEO of Association EDIBUL, e-mail: slav@usw.bg
Bulgaria

Abstract: The Faculty of Computer Systems and Control at the Technical University of Sofia has begun research on the application of intelligent systems to information security. This paper aims to show the directions of this research.

Key words: security intelligence, multi-agent systems, intrusion detection and protection systems

1. INTRODUCTION: SECURITY INTELLIGENCE

Too often, unified security programs based on comprehensive analysis of information gathered from across the IT infrastructure are costly, complex, difficult to implement and inefficient. As a result, most organizations lack accurate threat detection and informed risk-management capabilities. A security intelligence approach, which answers new information security threats by reacting with new policies or rules, is therefore a possible response [1].

The case for security intelligence is compelling. Enterprises and government organizations hold vast quantities of data that can help detect threats and areas of high risk, if they have the means and the commitment to collect, aggregate and, most importantly, analyse it. This data comes not only from point security products but also from sources such as network device configurations, servers, network traffic telemetry, applications, and end users and their activities. Security intelligence reduces risk, facilitates compliance, shows demonstrable return on investment (ROI) and maximizes the value of existing security technologies. The goals of security intelligence are to:

- distill large amounts of information into an efficient decision-making process, reducing billions of pieces of data to a handful of action items;
- operationalize data collection and analysis through automation and ease of use;
- deliver high-value applications that help organizations derive the most benefit from their data, in order to understand and control risk, detect problems and prioritize remediation;
- validate that the organization has the right policies in place;
- assure that the controls the organization has implemented are effectively enforcing those policies.

Security intelligence should draw on a broader range of data, leveraging the full context in which systems operate. That context includes, but is not limited to, security and network device logs, vulnerabilities, configuration data, network traffic telemetry, application events and activities, user identities, assets, geo-location, and application content. This produces a staggering amount of data. Security intelligence provides great value by using that data to establish very specific context around each potential area of concern and by executing sophisticated analytics to accurately detect more, and different, types of threats. For example, a potential exploit of a web server reported by an intrusion detection system can be validated by unusual outbound network activity detected by network behavioural anomaly detection capabilities.

2. INTRUSION DETECTION AND PREVENTION SYSTEMS

Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators.
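The validation step described at the end of Section 1, an IDS alert on a web server confirmed by unusual outbound traffic from the same host, as an added example. This is not code from the paper; the host names, the IDS signature name, the timestamps and the byte counts are all constructed, and the anomaly criterion (a z-score against the host's own pre-alert baseline) is one simple choice among many.

```python
"""Correlating an IDS alert with anomalous outbound traffic (added example).

Constructed sample data, not from the paper: a few IDS alert records and
per-host outbound byte counts. An alert is 'confirmed' when the same host
shows unusual outbound volume shortly after the alert, and left
'unconfirmed' otherwise.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Alert:
    ts: int          # seconds since epoch (constructed)
    host: str        # internal host the IDS says was targeted
    signature: str   # IDS signature name (constructed)


@dataclass(frozen=True)
class FlowSample:
    ts: int
    host: str
    out_bytes: int   # outbound bytes in this sampling interval


# Constructed IDS alerts: two web servers flagged at the same time.
ALERTS = [
    Alert(1000, "web-01", "HTTP possible webshell upload"),
    Alert(1000, "web-02", "HTTP possible webshell upload"),
]

# Constructed outbound volume per 60 s interval. web-01 keeps its usual
# pattern after the alert; web-02 suddenly sends far more than its baseline.
FLOWS = [
    FlowSample(t, "web-01", 20_000 + (t % 7) * 100)
    for t in range(0, 1320, 60)
] + [
    FlowSample(t, "web-02", 900_000 if t > 1000 else 18_000 + (t % 7) * 100)
    for t in range(0, 1320, 60)
]


def baseline(flows, host, before_ts):
    """Mean and standard deviation of a host's outbound bytes before before_ts."""
    vals = [f.out_bytes for f in flows if f.host == host and f.ts < before_ts]
    return mean(vals), pstdev(vals)


def outbound_anomalies(flows, host, start_ts, window, z_threshold=3.0):
    """Samples in (start_ts, start_ts + window] whose z-score against the
    pre-alert baseline exceeds z_threshold."""
    mu, sigma = baseline(flows, host, start_ts)
    sigma = sigma or 1.0  # a perfectly flat baseline would otherwise divide by zero
    return [
        f for f in flows
        if f.host == host
        and start_ts < f.ts <= start_ts + window
        and (f.out_bytes - mu) / sigma > z_threshold
    ]


def validate_alerts(alerts, flows, window=600):
    """Map each alerted host to 'confirmed' when anomalous outbound traffic
    follows the alert within the window, otherwise 'unconfirmed'."""
    verdicts = {}
    for a in alerts:
        hits = outbound_anomalies(flows, a.host, a.ts, window)
        verdicts[a.host] = "confirmed" if hits else "unconfirmed"
    return verdicts


if __name__ == "__main__":
    for host, verdict in validate_alerts(ALERTS, FLOWS).items():
        print(f"{host}: {verdict}")
```

The point of the join is the reduction it buys: two identical IDS alerts become one confirmed item and one low-priority item, which is the "handful of action items" the section asks for. In practice the baseline would be learned per host over days rather than from a few minutes of constructed samples.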
Incidents have many causes, such as malware (e.g., worms, spyware), attackers gaining unauthorized access to systems from the Internet, and authorized users of systems who misuse their privileges or attempt to gain additional privileges for which they are not authorized [2]. Although many incidents are malicious in nature, many others are not; for example, a person might mistype the address of a computer and accidentally attempt to connect to a different system without authorization. An IDPS could, for example, detect when an attacker has successfully compromised a system by exploiting a vulnerability in it. The IDPS could also log information that could be used by the incident handlers. Many IDPSs can also be configured to recognize violations of security policies. For example, some IDPSs can be configured with settings resembling a firewall rule set, allowing them to identify network traffic that violates the organization's security or acceptable use policies. Also, some

IDPSs can monitor file transfers and identify ones that might be suspicious, such as copying a large database onto a user's laptop. Many IDPSs can also identify reconnaissance activity, which may indicate that an attack is imminent. An IDPS might be able to block reconnaissance and notify security administrators, who can take action if needed to alter other security controls to prevent related incidents. Because reconnaissance activity is so frequent on the Internet, reconnaissance detection is often performed primarily on protected internal networks.

In addition to identifying incidents and supporting incident response efforts, organizations have found other uses for IDPSs, including the following [2]:

- identifying security policy problems: an IDPS can provide some degree of quality control for security policy implementation, for example by duplicating firewall rule sets and alerting when it sees network traffic that should have been blocked by the firewall but was not because of a firewall configuration error;
- documenting the existing threat to an organization: IDPSs log information about the threats that they detect. Understanding the frequency and characteristics of attacks against an organization's computing resources is helpful in identifying the appropriate security measures for protecting them. The information can also be used to educate management about the threats that the organization faces;
- deterring individuals from violating security policies: if individuals are aware that their actions are being monitored by IDPS technologies for security policy violations, they may be less likely to commit such violations because of the risk of detection.

Because of the increasing dependence on information systems and the prevalence and potential impact of intrusions against those systems, IDPSs have become a necessary addition to the security infrastructure of nearly every organization.
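The first of the uses listed above, using the IDPS as quality control for the firewall policy, as an added example that is not part of the paper. The intended policy, the address ranges and the observed flows are constructed; the sensor is assumed to sit behind the firewall, so any observed flow that the intended policy would have denied points at a firewall configuration error.

```python
"""Firewall rule-set quality control from observed traffic (added example).

The intended policy and the observed flows are constructed samples, not the
paper's. Flows are those seen *behind* the firewall by the IDPS sensor; a
flow the intended policy denies should never appear there, so each one is
reported as a probable firewall misconfiguration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    src: str                # source CIDR
    dst: str                # destination CIDR
    proto: str              # "tcp", "udp" or "any"
    dst_port: Optional[int] # None matches any destination port


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


# Constructed intended policy: first match wins, implicit deny at the end.
INTENDED_POLICY: List[Rule] = [
    Rule("allow", "0.0.0.0/0", "10.0.1.10/32", "tcp", 443),   # public web server
    Rule("allow", "10.0.0.0/8", "10.0.2.0/24", "tcp", 22),    # internal admin SSH only
    Rule("deny", "0.0.0.0/0", "10.0.0.0/8", "any", None),     # everything else
]

# Constructed flows observed inside the perimeter by the IDPS sensor.
OBSERVED_FLOWS: List[Flow] = [
    Flow("203.0.113.5", "10.0.1.10", "tcp", 443),    # expected: web traffic
    Flow("10.0.5.7", "10.0.2.15", "tcp", 22),        # expected: internal SSH
    Flow("203.0.113.9", "10.0.2.15", "tcp", 22),     # external SSH: policy says deny
    Flow("198.51.100.2", "10.0.1.10", "tcp", 3389),  # RDP to web server: policy says deny
]


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """True when the flow falls inside the rule's address, protocol and port scope."""
    return (
        ipaddress.ip_address(flow.src_ip) in ipaddress.ip_network(rule.src)
        and ipaddress.ip_address(flow.dst_ip) in ipaddress.ip_network(rule.dst)
        and rule.proto in ("any", flow.proto)
        and rule.dst_port in (None, flow.dst_port)
    )


def policy_decision(policy: List[Rule], flow: Flow) -> str:
    """First-match evaluation of the intended policy; no match means deny."""
    for rule in policy:
        if rule_matches(rule, flow):
            return rule.action
    return "deny"


def find_policy_violations(policy: List[Rule], observed: List[Flow]) -> List[Flow]:
    """Flows that passed the firewall although the intended policy denies them."""
    return [f for f in observed if policy_decision(policy, f) == "deny"]


if __name__ == "__main__":
    for f in find_policy_violations(INTENDED_POLICY, OBSERVED_FLOWS):
        print(f"firewall config error? {f.src_ip} -> {f.dst_ip}:{f.dst_port}/{f.proto} "
              f"should have been blocked")
```

The check is deliberately one-directional: it only reports traffic that should have been blocked and was not. Flows the policy allows but the firewall drops are invisible to a sensor behind the firewall and need the firewall's own logs.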
IDPS technologies use many methodologies to detect incidents. The primary classes of detection methodology are signature-based detection, anomaly-based detection, and stateful protocol analysis. Most IDPS technologies use multiple detection methodologies, either separately or integrated, to provide broader and more accurate detection.

3. INTELLIGENT AGENTS

Agents can be defined as autonomous, problem-solving computational entities capable of effective operation in dynamic and open environments [3]. Agents are often deployed in environments in which they interact, and may cooperate, with other agents (including both people and software) that have possibly conflicting

aims. Such environments are known as multi-agent systems. Agents can be distinguished from objects (in the sense of object-oriented software) in that they are autonomous entities capable of exercising choice over their actions and interactions. Agents cannot, therefore, be directly invoked like objects; however, they may be constructed using object technology. Agent architectures are the fundamental engines underlying the autonomous components that support effective behavior in real-world, dynamic and open environments.

Agent-based computing has been a source of technologies for a number of research areas, both theoretical and applied. These include distributed planning and decision-making, automated auction mechanisms and learning mechanisms. Moreover, agent technologies have drawn from, and contributed to, a diverse range of academic disciplines in the humanities, the sciences and the social sciences.

When designing agent systems, it is impossible to foresee all the potential situations an agent may encounter and to specify its behavior optimally in advance. Agents must therefore learn from, and adapt to, their environment. This task is more complex when the agent is situated in an environment that contains other agents with different (and in many cases unknown) capabilities, goals and beliefs. Multi-agent learning (the ability of agents to learn how to communicate, cooperate and compete) becomes crucial in such domains. Learning is increasingly being seen as a key quality of agents, and research into learning agent technology, such as reinforcement learning and genetic algorithms, is now being carried out across Europe. Applications of learning agent technology have been especially successful in the areas of personalization and information retrieval, and promising results have been achieved in the areas of robotics and telecommunications.
More effort will be needed, however, to make learning an inherent part of commercial agent applications. In Bulgaria, remarkable achievements in the field of multi-agent systems have been realized at Plovdiv University.

4. MULTI-AGENT INTRUSION DETECTION SYSTEM

The Faculty of Computer Systems and Management at the Technical University of Sofia has begun research on the application of intelligent systems to information security. This contribution aims to show the directions of this research. The chosen strategy for implementing the network security applications is based on the development of a specialised software tool that allows most of the software to be reused in designing a wide range of agent-based network security systems. Following the popular technologies for the design of multi-agent systems (MAS) [4, 5], the idea of the complete architecture of the system is depicted in Fig. 1.

Fig. 1: complete architecture of the system (image not reproduced in this text)

The Agent-based Simulator of Attacks against Computer Networks (ASACN) is intended to simulate the input traffic, i.e. a mixture of normal and abnormal streams of events. The abnormal stream of events simulates attacks against the computer network. The input traffic can correspond to a reasonable sequence of single-phase attacks using different entry points (hosts). The Multi-agent Intrusion Detection System (MIDS) is responsible for detecting attacks against the network. The Multi-agent Intrusion Detection Learning System (MIDLS) is intended for multilevel learning based on interpreted data from the same sources, represented in the same structures, as the ones used by the MIDS.

In the ASACN, a distributed attack is specified as a sequence of coordinated actions of distributed malefactors. Each malefactor can be mapped to an intelligent agent of the same architecture possessing similar functionality. While performing a distributed attack, malefactors can interact to coordinate their activity.

MIDS can make decisions based on multi-level input data processing using a meta-classification scheme. The MIDS architecture can comprise some basic components, such as an agent responsible for input traffic pre-processing, agents for authentication and for access control, agents for extraction of meaningful patterns of events, etc.

It is expected that the main peculiarities, and the resulting problems, of intrusion detection learning technology will stem from the peculiarities of the learning data. The distributed nature and heterogeneity of data for intrusion detection learning must be kept in mind: the data can be represented in different data structures and measured on different measurement scales.
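The ASACN idea described above, a mixed normal/abnormal event stream in which each simulated malefactor is an agent running the same scenario automaton from its own entry host, as an added example. This is not the paper's simulator: the states, the transition rules and the abstract event names are constructed, and the only purpose of the output is to give a detector labelled test input. The random choice among the enabled transition rules is what varies the scenario from run to run, as the paper's conclusions describe.

```python
"""ASACN-style scenario automaton producing labelled test traffic (added example).

The scenario model, its states and the event names are constructed for
illustration, not taken from the paper. Every event carries a ground-truth
'abnormal' flag so that the stream can be used to score a detector.
"""
import random
from dataclasses import dataclass
from typing import Dict, List, Tuple

# state -> list of enabled transition rules (next_state, event_name, abnormal)
Scenario = Dict[str, List[Tuple[str, str, bool]]]


@dataclass(frozen=True)
class Event:
    step: int
    host: str
    name: str
    abnormal: bool


# Constructed single-phase attack scenario: recon, then foothold, then done.
ATTACK_SCENARIO: Scenario = {
    "start": [("recon", "port_probe", True), ("recon", "dns_sweep", True)],
    "recon": [("foothold", "auth_failure_burst", True), ("recon", "port_probe", True)],
    "foothold": [("done", "privilege_change", True)],
    "done": [],  # no enabled rules: the agent has finished
}

# Constructed background scenario: a single state that keeps emitting normal events.
NORMAL_SCENARIO: Scenario = {
    "start": [("start", "http_get", False), ("start", "login_ok", False),
              ("start", "file_read", False)],
}


class ScenarioAgent:
    """One agent stepping a scenario automaton from a given entry host."""

    def __init__(self, host: str, scenario: Scenario, rng: random.Random):
        self.host, self.scenario, self.rng = host, scenario, rng
        self.state = "start"

    def finished(self) -> bool:
        return not self.scenario[self.state]

    def step(self, t: int) -> Event:
        # Random choice among the enabled transition rules varies the scenario.
        nxt, name, abnormal = self.rng.choice(self.scenario[self.state])
        self.state = nxt
        return Event(t, self.host, name, abnormal)


def generate_stream(entry_hosts, normal_hosts, steps, seed=0) -> List[Event]:
    """Interleave background events with attack steps from several entry hosts.
    The same seed reproduces the same stream."""
    rng = random.Random(seed)
    agents = ([ScenarioAgent(h, ATTACK_SCENARIO, rng) for h in entry_hosts]
              + [ScenarioAgent(h, NORMAL_SCENARIO, rng) for h in normal_hosts])
    stream: List[Event] = []
    for t in range(steps):
        for agent in agents:
            if not agent.finished():
                stream.append(agent.step(t))
    return stream


def summarize(stream: List[Event]) -> dict:
    """Ground truth for scoring a detector: normal/abnormal counts and the
    entry hosts whose scenario reached its final transition."""
    abnormal = sum(e.abnormal for e in stream)
    completed = sorted({e.host for e in stream if e.name == "privilege_change"})
    return {"normal": len(stream) - abnormal, "abnormal": abnormal, "completed": completed}


if __name__ == "__main__":
    events = generate_stream(["entry-a", "entry-b"], ["ws-1", "ws-2", "ws-3"], steps=40, seed=7)
    print(summarize(events))
```

Feeding MIDS the same `Event` structure that MIDLS later trains on is the point the paper makes about shared data structures between the two systems; the `abnormal` flag is what turns the stream into labelled learning data.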

MIDLS will include several copies of the following classes of agents:

- learning data management agents, which allocate training and testing data between the different copies of learning agents depending on their role in the general decision-making structure;
- classifier testing agents, which are responsible for testing classifiers on the data sample chosen as testing data and for assessing the learning quality of a classifier against a specified set of criteria;
- meta-data forming agents, which possess the knowledge about meta-classifiers needed to form meta-data for training and testing. This knowledge concerns the subset of base classifiers whose decisions will be combined;
- learning agents, which realize the main function of the MIDLS. It is planned to use two classes of learning agents. The first class will be designed for tasks in which training and testing data are represented as ordered temporal sequences of random length. The second class will be designed for learning classifiers that work with training and testing data represented as attribute vectors.

5. CONCLUSIONS

The paper presents investigations into the capability of multi-agent systems to contribute to enhancing network security. It is intended to specify and to simulate distributed attacks at various layers using a formal model of the attack scenario. The variance of attacks can be ensured by the random choice of machine transition rules. The significant advantage of such a solution is the capability of comparatively lightweight components of a multi-agent security system to cooperate. The learning system is viewed as a multi-sensor, multi-level data fusion system, which makes decisions on the basis of a multi-level model of network traffic and host-based audit data.
REFERENCES

[1] IT Executive Guide to Security Intelligence, IBM, January 2013.
[2] Guide to Intrusion Detection and Prevention Systems (IDPS), NIST Special Publication 800-94, February 2007.
[3] Michael Luck, Peter McBurney, Chris Preist, Agent Technology: Next Generation Computing, AgentLink II, January 2003.
[4] S. D. Chi, J. S. Park, K. C. Jung and J. S. Lee, Network Security Modeling and Cyber Attack Simulation Methodology, Lecture Notes in Computer Science, Vol. 2119, 2001.
[5] D. Dasgupta and F. Gonzalez, An Intelligent Intrusion Detection System, Lecture Notes in Computer Science, Vol. 2052, 2001.