MODEL OF SOFTWARE AGENT FOR NETWORK SECURITY ANALYSIS



Similar documents
HIDS and NIDS Hybrid Intrusion Detection System Model Design Zhenqi Wang 1, a, Dankai Zhang 1,b

IDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for

Module II. Internet Security. Chapter 7. Intrusion Detection. Web Security: Theory & Applications. School of Software, Sun Yat-sen University

From Network Security To Content Filtering

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

Security Issues in Cloud Computing

SURVEY OF INTRUSION DETECTION SYSTEM

SIP, Security and Session Border Controllers

Chapter 2 PSTN and VoIP Services Context

IDS / IPS. James E. Thiel S.W.A.T.

A Proposed Architecture of Intrusion Detection Systems for Internet Banking

Introduction of Intrusion Detection Systems

Ensuring Security in Cloud with Multi-Level IDS and Log Management System

Intrusion Detection Systems Submitted in partial fulfillment of the requirement for the award of degree Of Computer Science

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

TABLE OF CONTENT. Page 2 of 9 INTERNET FIREWALL POLICY

Network Access Security. Lesson 10

Introduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined.

Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed)

EXPLOITING SIMILARITIES BETWEEN SIP AND RAS: THE ROLE OF THE RAS PROVIDER IN INTERNET TELEPHONY. Nick Marly, Dominique Chantrain, Jurgen Hofkens

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam

Overview. Summary of Key Findings. Tech Note PCI Wireless Guideline

Intrusion Detection Systems

IntruPro TM IPS. Inline Intrusion Prevention. White Paper

Secure Networks for Process Control

A Review of Anomaly Detection Techniques in Network Intrusion Detection System

Intrusion Detection Systems

INTRUSION DETECTION SYSTEMS and Network Security

Customized Data Exchange Gateway (DEG) for Automated File Exchange across Networks

Multidomain Network Based on Programmable Networks: Security Architecture

A Model-based Methodology for Developing Secure VoIP Systems

Banking Security using Honeypot

Achieving Truly Secure Cloud Communications. How to navigate evolving security threats

Intrusion Detection from Simple to Cloud

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

Architecture Overview

Critical Security Controls

MODELLING OF INTELLIGENCE IN INTERNET TELEPHONE SYSTEM

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

EAGLE EYE IP TAP. 1. Introduction

Internet Commercial Application Layer. Service Specific Layer. Service Common Layer

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

(MPLS) MultiProtocol Labling Switching. Software Engineering 4C03 Computer Network & Computer Security Dr. Kartik Krishnan Winter 2004.

Chapter 8 Router and Network Management

Name. Description. Rationale

Integration Misuse and Anomaly Detection Techniques on Distributed Sensors

Taxonomy of Intrusion Detection System

Implementation of a Department Local Area Network Management System

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

Marlicia J. Pollard East Carolina University ICTN 4040 SECTION 602 Mrs. Boahn Dr. Lunsford

NetFlow Aggregation. Feature Overview. Aggregation Cache Schemes

Network Security Administrator

Intrusion Detections Systems

Data Mining For Intrusion Detection Systems. Monique Wooten. Professor Robila

Denial of Service attacks: analysis and countermeasures. Marek Ostaszewski

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Module 1: Overview. Module 2: AlienVault USM Solution Deployment. Module 3: AlienVault USM Basic Configuration

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA

Radware s Smart IDS Management. FireProof and Intrusion Detection Systems. Deployment and ROI. North America. International.

GFI White Paper PCI-DSS compliance and GFI Software products

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

A Review on Network Intrusion Detection System Using Open Source Snort

For more information on SQL injection, please refer to the Visa Data Security Alert, SQL Injection Attacks, available at

APPLICATION OF MULTI-AGENT SYSTEMS FOR NETWORK AND INFORMATION PROTECTION

White Paper A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK. A balancing act

Advancement in Virtualization Based Intrusion Detection System in Cloud Environment

BlackRidge Technology Transport Access Control: Overview

Firewalls, Tunnels, and Network Intrusion Detection

How To Ensure The C.E.A.S.A

A Phased Framework for Countering VoIP SPAM

Overview - Using ADAMS With a Firewall

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

State of Vermont. Intrusion Detection and Prevention Policy. Date: Approved by: Tom Pelham Policy Number:

co Characterizing and Tracing Packet Floods Using Cisco R

Overview - Using ADAMS With a Firewall

DIR Contract Number DIR-TSO-2621 Appendix C Pricing Index

SolarWinds Certified Professional. Exam Preparation Guide

Stateful Inspection Technology

Cisco Advanced Services for Network Security

CTS2134 Introduction to Networking. Module Network Security

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP

CALNET 3 Category 7 Network Based Management Security. Table of Contents

What is Firewall? A system designed to prevent unauthorized access to or from a private network.

An Inspection on Intrusion Detection and Prevention Mechanisms

CSCI 4250/6250 Fall 2015 Computer and Networks Security

Service Identifier Comparison module Service Rule Comparison module Favourite Application Server Reinvocation Management module

3GPP TS V8.0.0 ( )

How To Protect A Network From Attack From A Hacker (Hbss)

Krishan Sabnani Bell Labs. Converged Networks of the Future

Network Security Management

GE Measurement & Control. Cyber Security for NEI 08-09

Transcription:

MODEL OF SOFTWARE AGENT FOR NETWORK SECURITY ANALYSIS Hristo Emilov Froloshki Department of telecommunications, Technical University of Sofia, 8 Kliment Ohridski st., 000, phone: +359 2 965 234, e-mail: hef@tu-sofia.bg Keywords: Software agents, IP network security, Intrusion detection systems, Distributed architecture, Telecommunication middleware Network operators have realized the need of protection against bandwidth theft and denial of service attacks, which come as downsides of the growing mass of subscribers. The article proposes a model that takes advantage of the freedom in implementation of computational objects, given by telecommunication middleware framework. The result is a viable approach in implementing intrusion detection system functionality at the level of resource management. The model creates communication channels within the protected network and uses them for transfer of information related to network security. The proposed agent is also able to scan streaming information and search for predefined sets of strings. The implementation is based on the client-server model of data communication. It was necessary to include both a client side and a server side within a single application with respect to the given task namely to initiate or respond to a communication request.. Introduction It is expected that IP technology will become the one technology for transport of voice, data, and multimedia over next generation networks. Services will be provided through application programming interfaces by the use of a common platform that contains the service capabilities. More and more clients have gained experience in the usage of different networks and realize the importance of security and safety, which forms their expectation of new network architecture and service provisioning, based on reliable tools and improved security methods. The distributed telecommunications middleware is a technology that allows the integration of security components into services as well as definition of value-added security services. The main idea behind the telecommunications middleware is to eliminate the distinction between telecommunication services and computer applications. 2. Telecommunications middleware Middleware is software that runs between a machine s operating system and the applications. It offers facilities that are common to many applications, such as managing the communication between applications on different machines. TINA (telecommunication and information networking architecture) provides a telecommunication middleware framework. TINA architecture is divided into two parts: Service architecture: the part of TINA in which services are executed; Resource management architecture: the part that contains the switching and transport equipment and logic.

The resource management architecture encapsulates the technology of the individual network elements and offers a generic API to the service architecture. By doing this so, TINA separates service logic from connection control. The impact of that separation is that services and network resources may follow their evolutionary paths at different speeds, with a side effect of stimulating each other s advance. Table gives an informal overview of the computational objects and their functions, defined in the service architecture. Table Computational objects in TINA service architecture Represents the first point of contact for the consumer in a foreign IA Initial agent network. Takes care of authentication, finding the user agent for the consumer, and starting the access session. UA User agent Represents the consumer within the retailer domain. Contains subscription data and user profiles. Runs the access session. PA Provider agent Represents the retailer within the consumer domain. Can be seen as a proxy through which the retailer makes service offers to the consumer. PeerA Peer agent Establishes connections between two retailer domains, if the service implies users in different domains (for example, a video conference between users in different networks). SF Service factory Creates service instances as the result of a service request, and configures the service. SSM Runs the actual service session. Keeps track of the parties involved Service session in a service and their relations. Requests connectivity from the manager communication session. ssuap Service session user application part Represents the service control interface in the terminal. The computational objects defined in the resource architecture, are briefly described in Table 2. CSM CC LNC TCSM TLA Table 2 Computational objects in TINA resource architecture Responsible for negotiating and selecting the terminal and network Communications capabilities, needed for the requested connection. Maintains the session manager state of the communication session. Connection coordinator Layer network coordinator Terminal communication session manager Terminal layer adapter Sets up the physical connection. Determines which layer networks to involve in the connectivity request. Contains knowledge about the transport and switching technology used in the layer network, end points within its domain. LNC is network and technology dependent. Counterpart of the CSM. Negotiates the terminal capabilities and maintains the state of the communication session. Assigns communication end points in the terminal and negotiates technology-specific settings with the LNC on the network side.

The entire TINA architecture is object-oriented and assumes the existence of a distributed processing environment that takes care of the communication between distributed objects. TINA does not define any protocols. In TINA, signaling is replaced by communications between distributed objects. The TINA distributed processing environment is based on OMG's CORBA (Common Object Request Broker Architecture). The unit of deployment and reuse in TINA is called computational object, which is defined as a component that consists of one or more CORBA interfaces. Nevertheless TINA provides a framework for service and resource architecture, it says nothing about the implementation of computational objects. A promising technology in the field of implementation is the one of software agents. They are appropriate for distributed systems, such as IDS (Intrusion Detection Systems). The need of security is obvious at both layers at service architecture it is necessary to provide an access control; at the network resource layer the network operators need it to ensure that their resources are properly used. Provisioning of security and safety features is a prerequisite for successful services of the future. 3. Intrusion detection systems. IDS technology is one of many software means used for the protection of electronic information. Its purpose is to track a predefined set of network or host parameters, and upon reaching a certain threshold to issue alerts to the system administrator or take countermeasures, which may limit the intrusion. There are two main approaches in intrusion detection: Host-Based IDS (HIDS) - host-based systems were the first type of IDS to be developed and implemented. These systems collect and analyze data that originate on a computer that hosts a service, such as a Web server. Once this data is aggregated for a given computer, it can either be analyzed locally or sent to a separate/central analysis machine. In addition to detecting unauthorized insider activity, host-based systems are also effective at detecting unauthorized file modification. Network-Based IDS (NIDS) - network-based intrusion detection analyzes data packets that travel over the actual network. These packets are examined and sometimes compared with empirical data to verify their nature: malicious or benign. Because they are responsible for monitoring a network, rather than a single host, Network-based intrusion detection systems (NIDS) tend to be more distributed than host-based IDS. In general, network-based systems are best at detecting the following activities: Unauthorized outsider access: When an unauthorized user logs in successfully, or attempts to log in, they are best tracked with host-based IDS. However, detecting the unauthorized user before their log on attempt is best accomplished with network-based IDS.

Bandwidth theft/denial of service: These attacks from outside the network single out network resources for abuse or overload. The packets that initiate/carry these attacks can best be noticed with use of network-based IDS. HIDS and NIDS Used in Combination - the two types of intrusion detection systems differ significantly from each other, but complement one another well. One implementation of IDS may include intelligent software agents (or computational objects if we use TINA terminology), which provide functions for monitoring and data collection (at resource management level). The use of these agents for solving problems in distributed systems is not uncommon. They are primarily used for extraction, filtering and analysis of information. Open Agent Systems are environments where the software agents are able to communicate in an unstructured fashion. Agents may also have goals and use available means for achieving these goals. 4. Computational objects modeled by IDS technology Let us consider a possible model of an IDS agent. The agent may be used for implementing computational objects in distributed architecture of the telecommunication middleware. The agent incorporates security functions. The agent s goal should be detection of forbidden (dangerous) words and appropriate reaction. The knowledge of the agent is based on several list structures, containing the recognized alphabet, forbidden words, safe words, and cache with words which don t belong to either of previous lists. First we should point a stream for analysis the delivery of the stream is beyond the scope of this article. The analysis is done on per word basis. The first check is for new symbols in the analyzed word its purpose to extend the known alphabet. This check may also be used for allowing/rejecting words, based on their syntax. Next step is to match the word against the list of forbidden words if positive an alerting message is displayed to the administrator and the word is no longer processed. If the check is negative, the word is passed to the next step check against the list of safe words the purpose is to ensure that the word is typical for the environment, where the agent runs. If this check is negative, i.e. the word is neither forbidden, nor safe it is considered unknown and is matched against a cache of such words each with an associated counter. The counters indicate how many times the word has been met in the stream. The administrator (user) may predefine a threshold value for the counter. The word is matched against the cache if not found it is stored with initial counter value of one, otherwise a check of the counter follows if the threshold isn t reached the counter is incremented by one and next word is extracted for analysis, otherwise the administrator is asked to classify the current processed word as safe or forbidden. If the word is recognized as forbidden it is added to the appropriate list and an update is issued to an adjacent agent. If the word is safe it is added to the list of safe words and next word is being processed. The algorithm is shown in Figure.

5. Conclusion The paper examines the applicability of IDS technology for implementation of distributed telecommunications middleware. IDS technology may be used both at service architecture level and at resource management architecture level. At service architecture level software agents may be used to implement computational object for access control. At resource management level software agent may include function for network monitoring against intrusions. The paper present a model of IDS agent used to implement security functions at resource management level. References [] Zuidweg J. Next Generation Intelligent Networks, ArtechHouse, 2003. [2] Paul Innella and Oba McMillan, Tetrad Digital Integrity, LLC An Introduction to Intrusion Detection Systems, http://www.securityfocus.com/infocus/520

Start Choose stream for analysis 2 More words? Load a word from the stream and prepare it for analysis Match against list of already met words? End Found new symbol in current word? Asses count_met Add word to list, count_met = Add new symbol to knowledge base Does count_met exceeds predefined threshold? Match against list of forbidden words? count_met++ Display warning message and reject forbidden word from stream User interaciton: where to add the identified word? Match against list of safe words? Add to forbidden list Display message for discovered safe word Send discovered word to nearby agent Add to safe list 2 Figure Algorithm of the proposed model

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information