Intrusion Forecasting System


By: Surya Kumari Govindu, 03/15/2005



4. Implementation of the System




Mobile Security Agents

When a user logs in, the mobile agent (or its proxy) monitors the user and logs his activities. The first action of the mobile agent is to contact the server agent and obtain the required user profile. This profile contains the user's specific information: the history of the user's previous actions and the prediction values for this user session. The mobile agent monitors all the actions of the user and the resources that are accessed, both local resources and network resources. Each mobile agent collects information on the user's behavior and sends it back to the server agent. The server agent is responsible for storing the user profiles of all users that have access to the protected network. It is also responsible for handing the user profile to the mobile agent each time a user's profile is requested, and for processing new profile data from each user.

If a mobile agent suspects a user's behavior and contacts the server agent, the requests from each node are queued on the server, whose input parameters are static and independent of the workload on the network. The server agent then uses Markov methods to determine the probability of intrusion.

4.1 Markov Model Used by the Server Agent


The Markov property states that the state of the system at a future time t_n depends only on its present state at t_{n-1} and is independent of its past.



Markov analysis looks at a sequence of events and analyzes the tendency of one event to be followed by another. Using this analysis, we can generate a new sequence of random but related events which appears similar to the original.

Statistically, a stream of events in which each transition probability is derived from the present state alone is called a Markov chain. A first-order homogeneous Markov model can be used for intrusion detection. The Markov probability distribution can be represented by a transition probability matrix A[i][j].



Steps in developing the Markov model:
  1. Enumerate the states – In a Markov model each node, at any one time, can be in one and only one state.
  2. Define the allowable state transitions – A node in the compromised state cannot move; a node in any other state can return to the secure state.
  3. Associate probabilities with the transitions – Determine the probability of going to each state from every other state (the transition probability matrix).
  4. Analyze the Markov model – The analysis can be performed by the iteration model, by the matrix algebra solution (Markov chain) mode, or by Monte Carlo simulation.
  5. Perform sensitivity analysis – Assess the sensitivity of the model to changes in the transition probabilities.
In the Markov model, a node is considered anomalous if its probability, given the previous state and the associated value in the state transition matrix, is too low.


State Transition Model for Attacks on the System

The state transition diagram shows that the system can return to the secure state from any of three states: vulnerable state 1, vulnerable state 2 and the unsafe state. If the server agent detects abnormal behavior and fixes the vulnerabilities in time, the system returns to the secure state. If the attacker succeeds in attacking the system, the system is compromised and cannot be repaired.

4.2 Clustering


The figure also shows the clustering of nodes in a particular state. They are grouped into subsets based on a set of rules; we then analyze the clusters rather than the individual nodes.

Consider a sequence of n nodes to be clustered, N_n = {N_1, N_2, …, N_n}:
  1. Train the Markov model for each node N_i.
  2. Compute the distance matrix D = {D(N_i, N_j)} representing a similarity measure between the nodes.
  3. Use a set of rules to perform the clustering.
  4. This approach builds features in which each node is represented by the vector of its similarities to a predefined set of reference nodes.
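An added example (not from the paper) that ties sections 4.1 and 4.2 together: it trains the first-order Markov model of 4.1 per node from constructed state sequences, flags transitions whose probability under a node's model is too low, and builds the distance matrix D(N_i, N_j) and the reference-node similarity vectors that the clustering steps above start from. The five state names, the L1 distance as the similarity measure and the sample sequences are assumptions made for the example.

```python
# Added example (not from the paper): first-order homogeneous Markov model over
# the five states of the paper's state transition model, estimated by counting
# transitions in constructed node-state sequences.
from itertools import product

STATES = ["secure", "vuln1", "vuln2", "unsafe", "compromised"]  # assumed names

def train(sequence):
    """Transition matrix A[i][j] = P(next = j | current = i), estimated by counting."""
    counts = {s: dict.fromkeys(STATES, 0.0) for s in STATES}
    for cur, nxt in zip(sequence, sequence[1:]):
        counts[cur][nxt] += 1
    # Rule from the paper: a compromised node cannot move to any other state.
    counts["compromised"] = dict.fromkeys(STATES, 0.0)
    counts["compromised"]["compromised"] = 1.0
    A = {}
    for s in STATES:
        total = sum(counts[s].values())
        A[s] = {t: (counts[s][t] / total if total else 0.0) for t in STATES}
    return A

def anomalous_transitions(A, sequence, threshold):
    """Indices of transitions whose probability under A is below the threshold."""
    pairs = zip(sequence, sequence[1:])
    return [i for i, (c, n) in enumerate(pairs) if A[c][n] < threshold]

def distance(A, B):
    """L1 distance between two nodes' transition matrices (the D(N_i, N_j) measure)."""
    return sum(abs(A[s][t] - B[s][t]) for s, t in product(STATES, STATES))

def distance_matrix(models):
    return [[distance(a, b) for b in models] for a in models]

def similarity_features(models, reference_idx):
    """Each node as the vector of its distances to a predefined set of reference nodes."""
    return [[distance(m, models[r]) for r in reference_idx] for m in models]

# Constructed sample sequences: two ordinary users and one node walked to compromise.
NODES = [
    ["secure", "secure", "vuln1", "secure", "secure", "vuln1", "secure", "secure"],
    ["secure", "vuln1", "secure", "secure", "secure", "vuln1", "vuln2", "secure"],
    ["secure", "vuln1", "vuln2", "unsafe", "compromised", "compromised"],
]
MODELS = [train(seq) for seq in NODES]
```

Scoring the third node's sequence against the first node's model flags every step past the first as a zero-probability transition, while the distance matrix places the two ordinary nodes close together and the compromised one far from both.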

5. Conclusion



Intrusion Detection System technology itself is undergoing a lot of enhancements. It is therefore very important for organizations to clearly define their expectations from the IDS implementation. IDSs are becoming the logical next step for many organizations after deploying firewall technology at the network perimeter. As intrusion detection systems can protect the system from internal attacks, they should concentrate on an internal intrusion system, which can forecast the probability of an attack and thus alert the systems administrator of the attack. Hence the future lies in developing an Internal Intrusion Forecasting System using intelligent mobile agents, which can analyze the behavior of the user with less human interaction.

Note
The Intrusion Forecasting System discussed in this paper is being implemented at the research laboratory at Symbiosis Deemed University. The system is in the stage of finalization of design and specifications. Once the conceptual idea is finalized, the system shall be implemented. Hence, as of now, we are not able to provide any experimental results of the observations.


