2009 Fifth International Conference on Information Assurance and Security

A Model of Intrusion Prevention Base on Immune
Yaping Jiang, Yong Gan, Jianhua Zhou, Zengyu Cai
School of Computer and Communication Engineering, Zhengzhou University of Light Industry, 450000, China
[email protected]
978-0-7695-3744-3/09 $25.00 © 2009 IEEE, DOI 10.1109/IAS.2009.104

Abstract: The theory of modern immunology provides a novel idea for studying network intrusion detection and defence systems. Information processing in the biological immune system is highly parallel and distributed intelligent computation with learning, memory and associative retrieval capabilities. Inspired by it, this paper proposes a multi-agent architecture for defence in depth based on immune principles. The intrusion detection agents detect every intrusion that passes them, known or unknown. The information about a new intrusion, obtained from the currently monitored network, is encapsulated and sent to other networks as a vaccine by mobile agents, so that those networks can prevent the same intrusion. Intrusion packets are blocked at the gateway of the intrusion source by the response agent. The experimental results show that the new model realizes an active and distributed prevention policy, in contrast to traditional passive intrusion prevention systems.

Keywords: Artificial Immune System, Vaccine, Multi-Agents, IDS

I. INTRODUCTION

Computer systems security has become a major concern over the past few years. Attacks, or intrusions, against computer systems and networks have become commonplace events. Many tools are available to help counter the threat of these attacks, but some of them, such as firewalls [1] and anti-virus software, are no longer sufficient to block new breeds of attacks. Intrusion Detection Systems (IDS) have been developed for that purpose and are starting to be widely deployed [2]. Though these systems pave the way to a more dynamic and high-level approach to intrusions, they still lack the crucial capability of actively blocking the detected attacks. In other words, an IDS is a passive, real-time system, and it lacks the ability to mount a joint defence. The security equipment and technology we have is far from meeting the demands of information security.

For instance, a firewall can do nothing about an internal attack; the same is true of an intrusion detection system when it faces new and unknown attacks. Furthermore, no matter what kind of intrusion detection is used, host-based or network-based, all the detection methods only passively respond to and evaluate intrusions that have already happened or are happening. When an intruder attacks a system, the ideal response would be to stop his activity before he can do any damage or access sensitive information; in practice those attacks are found only after they have happened. In order to improve network defences, advanced intrusion detection and defence-in-depth systems are required to improve the network security policy.

The study of biological systems is of interest to scientists and engineers because such systems turn out to be a rich source of theories, useful in constructing novel computer algorithms that solve complex engineering problems, such as genetic algorithms, neural networks and Artificial Immune Systems (AIS). Immunology, as the study of the immune system, inspired the development of AIS, which has been an area of extensive research over the last few years. An artificial immune system imitates the natural immune system, whose sophisticated mechanisms and capabilities are used to build computational algorithms that solve engineering problems efficiently. Burnet proposed the clonal selection theory [3]. Kepler and Perelson proposed the somatic hypermutation theory in 1993 [4]. The negative selection algorithm was proposed by Forrest [5]. The basic function of the biological immune system is to distinguish self from non-self and to eliminate non-self. The main goal of the human immune system is to protect the internal components of the human body by fighting foreign elements such as viruses and bacteria. It is interesting to observe that the processes of recognition, identification and post-processing involve several mechanisms, such as pattern recognition, learning, communication, adaptation, self-organization, memory and distributed control, by which the body attains immunity. The immune system is known to have many features, such as diversity, distributed parallel processing, self-learning and self-adaptation. Inspired by the theory of the biological immune system, the intrusion information detected locally can be treated as a vaccine, which is encapsulated and sent to neighbouring networks, so that a similar intrusion can be detected quickly in the neighbouring networks. Mobile agents are programs that move between computers while autonomously trying to fulfil specific goals given by users [10]. Agents differ from other applications in that they are goal-oriented: they represent users and act on their behalf to achieve a set of goals in an autonomous manner. We have applied the artificial immune system to multi-agent systems to provide the computational intelligence of the agents. The outcome of the research is a generic defence-in-depth multi-agent model named DDMMABI.

II. The Model of Artificial Immune Algorithm

The natural immune system is a very complex system with several mechanisms for defence against infectious agents entering our bodies [16]. We first give the preliminary definitions used in the defence-in-depth prevention system. Network traffic consists of a sequence of packets, and an attack is also a sequence of packets. The packet features, and the relationships between the features of multiple packets, can be used to determine whether a particular sequence of packets is an attack or not. The components external to the immune system are antigens, also called non-self cells, as they are substances foreign to the body. The basic components of the immune system are the white blood cells, called self-cells or lymphocytes in immunological terms. Antigens are fixed-length binary strings extracted from the Internet Protocol (IP) packets transferred in the network. An antigen consists of the source and destination IP addresses, port numbers, protocol type, IP flags, overall IP packet length, TCP/UDP fields, etc. [17]. The structure of an antibody is the same as that of an antigen.

The essence of network behaviour is the transport of data packets. Assume the data packets form a set of binary strings of length $\ell$, denoted $U$. This set comprises the self set $S$ and the non-self set $T$. The set of antibodies is defined as

$$D = \{\, d \mid d = \langle s, age, count, ag \rangle,\ s, ag \in U,\ age, count \in \mathbb{N} \,\}$$

where $s$ is the binary representation of the antibody, of length $\ell$, $age$ is the age of the antibody, $count$ is its accumulated affinity, and $ag$ is the antigen recognized by the antibody.

Positive and negative selection, or self-tolerance, is the process of self/non-self discrimination that prevents autoimmune disease: it filters out the cells that would act against self-cells, so that only the cells which do not bind self circulate to fight the antigens. Affinity represents the similarity between an antibody and an antigen; in this model the r-contiguous-bits matching rule is used to compute affinity. New antibodies are first generated randomly [19]. Self-tolerance prevents antibodies from matching self: if a new antibody matches self, it is deleted; otherwise it becomes a mature cell and joins the set of intrusion detectors. Clonal selection is the process of selecting the useful cells that recognize an antigen and reproducing them; cloning multiplies the cells capable of recognizing antigens, so the B cells carrying the specific receptor that matches a particular antigen are multiplied. The detector set of the intrusion detection system comprises the set of mature antibodies $M$ and the set of memory antibodies $R$ [20].

When a mature antibody matches an antigen and its accumulated affinity reaches a predefined threshold, it is activated and becomes a memory cell. Immune memory is a result of clonal expansion: some of the cloned cells differentiate into memory cells and the rest become plasma cells. B cells remember the shape of the antigen they have fought and recall it when they see the same antigen again [21][22]. This process, called the secondary response, feeds past events back into the handling of the current input; it helps the system learn and is termed reinforcement learning.
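The detector life-cycle described in this section, as an added example that is not part of the paper: r-contiguous-bits affinity, self-tolerance by negative selection, maturation by accumulated affinity, and activation into a memory cell that answers without further learning. The 16-bit antigen layout (protocol nibble, low 8 bits of the destination port, flags nibble), r = 8, the activation threshold of 3 and the cell lifetime of 50 antigens are assumptions of this example, as are the constructed self set and attack antigen.

```python
"""Added example, not the paper's own code: the detector life-cycle of
Section II on toy packet antigens (assumptions noted in comments)."""
import random
from dataclasses import dataclass
from typing import List, Optional

ELL = 16          # antigen/antibody length, the paper's l (assumed)
R = 8             # r for r-contiguous-bits matching (assumed)
ACTIVATE_AT = 3   # accumulated affinity that turns a mature cell into a memory cell (assumed)
MAX_AGE = 50      # a mature cell that never matches within this many antigens dies (assumed)


def encode(proto: int, dport: int, flags: int) -> str:
    """Constructed antigen layout: 4-bit protocol | low 8 bits of dst port | 4-bit flags."""
    return f"{proto & 0xF:04b}{dport & 0xFF:08b}{flags & 0xF:04b}"


def r_contiguous_match(a: str, b: str, r: int = R) -> bool:
    """Affinity rule: True if a and b agree on at least r contiguous bit positions."""
    run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        if run >= r:
            return True
    return False


@dataclass
class Antibody:
    """d = <s, age, count, ag> from the paper's definition of the set D."""
    s: str
    age: int = 0
    count: int = 0
    ag: Optional[str] = None


def negative_selection(self_set, n_detectors: int, rng: random.Random) -> List[Antibody]:
    """Self-tolerance: random immature cells that match self are deleted,
    the rest become mature detectors."""
    mature = []
    while len(mature) < n_detectors:
        cand = "".join(rng.choice("01") for _ in range(ELL))
        if not any(r_contiguous_match(cand, s) for s in self_set):
            mature.append(Antibody(cand))
    return mature


class ImmuneDetector:
    def __init__(self, self_set, n_detectors: int = 40, seed: int = 1):
        self.self_set = set(self_set)
        self.mature = negative_selection(self.self_set, n_detectors, random.Random(seed))
        self.memory: List[Antibody] = []   # the paper's memory set R

    def detect(self, antigen: str) -> str:
        """Classify one antigen as 'memory', 'mature' (non-self) or 'self'."""
        # Memory cells are checked first: the secondary response needs no learning.
        for m in self.memory:
            if r_contiguous_match(m.s, antigen):
                m.count += 1
                return "memory"
        matched = False
        for d in self.mature:
            d.age += 1
            if r_contiguous_match(d.s, antigen):
                matched = True
                d.count += 1
                d.ag = antigen
        # Activation: a mature cell whose accumulated affinity reached the
        # threshold leaves the mature set and becomes a memory cell.
        for d in [d for d in self.mature if d.count >= ACTIVATE_AT]:
            self.mature.remove(d)
            self.memory.append(Antibody(d.s, 0, d.count, d.ag))
        # Mature cells that reach the end of their lifecycle without a match die.
        self.mature = [d for d in self.mature if d.count > 0 or d.age <= MAX_AGE]
        return "mature" if matched else "self"


# Constructed self set: normal TCP traffic to ports 80 and 443.
SELF = [encode(6, 80, 0b0010), encode(6, 443, 0b0010)]
# Constructed non-self antigen: TCP to port 139 with an unusual flags nibble.
ATTACK = encode(6, 139, 0b1001)


def replay(antigens, detector: ImmuneDetector) -> List[str]:
    """Feed antigens in order and return the verdict for each one."""
    return [detector.detect(a) for a in antigens]


if __name__ == "__main__":
    det = ImmuneDetector(SELF)
    det.mature.append(Antibody(ATTACK))   # one hand-planted detector so the demo is deterministic
    print(replay([SELF[0], ATTACK, ATTACK, ATTACK, ATTACK], det))
    # → ['self', 'mature', 'mature', 'mature', 'memory']
```

The first attack packets are caught only by mature cells and cost a learning step each; once the accumulated affinity reaches the threshold the cell moves to the memory set, and the next identical antigen is answered by memory without any learning, which is the primary/secondary response distinction the section describes. Note that r-contiguous matching on a field-packed string also matches packets that share a long run of equal fields, so the self set must cover the services a host really offers or negative selection will discard useful detectors.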

III. Depth Defense System of Multi Agent Immune-based

The architecture of the immune-based defence-in-depth system, shown in Fig. 1, has three parts: immune monitor, immune recognition and immune response. In the immune monitor phase, the detection agent inspects every packet that passes through the network. In the immune recognition phase, the information about an abnormal packet is checked against the intrusion feature database; if it is a new attack, the new intrusion feature is appended to the database. The corresponding policy is then enforced by the policy agent. In the immune response phase, the immune response agents comprise an evidence agent, a tracing agent and a defence agent.

Fig. 1. The frame of the immune-based intrusion defense system. [Figure: IP packets flow into the Detection Agent (Immune Monitor); Immune Recognize checks the Intrusion Feature Database and decides "New attack?" (Y/N); the Policy Agent drives Immune Response, whose Response Agent comprises the Evidence Agent, Tracing Agent and Defense Agent.]

3.1 Intrusion Detection Agent Based on Immunity

All intrusion prevention and intrusion response relies on intrusion detection. IDS normally fall into two categories, network-based (NIDS) and host-based (HIDS). Network intrusion detection systems are placed at one or more strategic points within the network to monitor traffic to and from all devices on the network. Ideally all inbound and outbound traffic is scanned; doing so, however, might create a bottleneck that impairs the overall speed of the network. An intrusion detection agent resides on every host, and its main function is pattern recognition. In a normal network, no new memory cells are generated in the immune detection agent. The primary IDS performs three evolutionary processes: gene library evolution, negative selection and clonal selection. The gene library evolution stage aims to gain general knowledge about effective detectors. The gene library of the artificial immune model stores the potential genes of detectors, and diverse genetic mechanisms generate new detectors. The potential genes are the selected fields of profiles that describe anomalous network traffic patterns; they are selected after understanding the detailed mechanisms of the network protocols and their security holes.

The negative selection stage aims to generate a number of diverse detectors that do not match self, and to transfer a number of unique detector sets to the distributed local hosts. The gene expression process generates various pre-detectors by rearranging selected genes, choosing various gene-joining points and mutating genes that are randomly selected from the gene library. These mechanisms can generate a vast number of possible pre-detectors from combinations of genes. When new memory cells are generated, it means an intrusion has started; memory cells therefore record the behaviour of the intrusion, and these long-lived memory cells are transmitted to nearby hosts, found by consulting the routing table, and kept in those hosts. We name this procedure the distribution of immune cells. A mobile agent targets the intended host or network, captures and analyses traffic, scans all vulnerabilities and reports to the master agent/server for comprehensive analysis and security assessment, and the master agent acts accordingly. The paper also addresses advantages and issues regarding its implementation. For an intruding antigen, the first step is to check the memory antibodies; if one matches the antigen, the antigen is sent to the response agent. This step needs no learning. Otherwise the immune response step is executed, and the individuals with high affinity are cloned. The model of the immune-based detection agent is shown in part A of Fig. 2.

Fig. 2. The algorithm of detection and defense based on immunity. [Figure in three parts. A, the model of the immune-based detection agent: immature cells are generated randomly; tolerance failure leads to death, tolerance success to a mature cell; a mature cell that has not matched enough antigens within its lifecycle dies; a mature cell that detects non-self undergoes clonal selection and evolution into a memory cell. B, the centre of vaccine treatment: a new memory cell is encapsulated as a vaccine into the vaccine database; a received vaccine is decoded, filtrated and fused, and thrown off if its antigen already exists in the memory cells. C, the intrusion response based on mobile agents: input stream, match, update the intrusion character, stream control, clock, mobile agent, output stream.]

3.2 Defense Agent Based on Immunity

In particular, this system combines the advantages of both host-based and network-based scanning tools with the benefit of fast customization for detecting newly discovered vulnerabilities. The requirements for building a vulnerability scanning system using mobile agents have been developed. An agent enters the intended host easily and performs an in-depth investigation of a wide range of system problems, including unauthorized software, unauthorized accounts, weak passwords, the operating system, IP addresses, protocols, the file system, open ports, whether a firewall and anti-virus software are installed, running processes, etc.

Different hosts, like different human individuals, have different selves, for example because they provide different services. Transplanting unprocessed memory cells may therefore cause immune rejection, just as an organ transplant does in humans. We call this new process "vaccination", since it is inspired at a high level by vaccination in humans, so the encapsulation of a memory cell is very important. The structure of a vaccine is as follows:

V: <flag, s_ip, s_port, t_ip, t_port, begin_time, end_time>

The intrusion prevention system is made up of the immune-based intrusion detection agent and the vaccine treatment centre. The intrusion detection agent resides at the gateway and can monitor all packets on the network. The vaccine treatment centre has two functions: generating and sending vaccines, and receiving and fusing vaccines.

Generate and send vaccine. A new memory cell generated in the intrusion prevention agent records the intrusion information. It is encapsulated and sent to the neighbouring networks as a vaccine. For a vulnerability to be detected it must be in the database, so the number of entries in the vulnerability database determines how comprehensive the scan will be; the database must be updated dynamically because vulnerabilities are not fixed.

Receive and fuse vaccine. Part B of Fig. 2 shows the algorithm of vaccine-based prevention. First the vaccine is decoded; then failed and inapplicable vaccines are filtered out, for example a vaccine is filtered out on a Linux system if the intrusion only attacks a vulnerability of Windows. Finally, the vaccine is inserted into the memory cell set if it does not already exist among the native memory cells, so that the cell can prevent the same intrusion immediately; otherwise it is appended to the mature detector set. The concentration of a certain antigen in the mature cell set raises the risk index for intrusions by that antigen. When an intrusion resembling the vaccine occurs, it is detected by the memory cells first; if they match, the matching memory cell is cloned extensively. Otherwise the intrusion packet is recognized by the mature cells; because the vaccine exists in the mature cell set, the vaccine cell has higher affinity than the others and is soon activated into a memory cell. Various relationships exist among the inoculated vaccines received by the fusion centre, such as repetition and concurrency. "Vaccination" injects existing knowledge about an attack into the detection agent to develop antibodies that detect that attack plus generalized versions of it. Knowledge about the attack, specifically the relationships between the packets of the attack, is used to develop an attack signature. For two decoded vaccines, if they differ only in time and the time difference is small enough, the memory cell is repeated.
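The vaccine structure and the receive-and-fuse step of this subsection, including the repetition rule just stated and the concurrency rule and time-window count that follow it, as an added example that is not part of the paper. Assumptions of this example, none of which the paper fixes: vaccines travel as JSON, the flag field is written "<attack>/<platform>" so that platform filtering can be applied, the time window is 60 s, the concurrency threshold is 3, and the DDoS-suspect test is this example's reading of the paper's threshold rule. The incoming vaccines are constructed.

```python
"""Added example, not the paper's own code: vaccine encapsulation and the
fusion centre's decode / filtrate / de-duplicate / insert logic of Section 3.2."""
import json
from dataclasses import asdict, dataclass
from typing import Dict, List, Tuple

WINDOW = 60       # seconds within which two vaccines are compared (assumed)
THRESHOLD = 3     # concurrent vaccines in the window that mark a DDoS suspect (assumed)


@dataclass(frozen=True)
class Vaccine:
    """V: <flag, s_ip, s_port, t_ip, t_port, begin_time, end_time>.
    flag is assumed to be "<attack-name>/<platform>", platform "any" meaning all."""
    flag: str
    s_ip: str
    s_port: int
    t_ip: str
    t_port: int
    begin_time: int
    end_time: int

    def encode(self) -> str:
        """Encapsulate the memory cell for transport (JSON is this example's choice)."""
        return json.dumps(asdict(self), sort_keys=True)

    @staticmethod
    def decode(blob: str) -> "Vaccine":
        return Vaccine(**json.loads(blob))

    def same_except(self, other: "Vaccine", *fields: str) -> bool:
        """True if the two vaccines agree on every field not listed."""
        a, b = asdict(self), asdict(other)
        return all(a[k] == b[k] for k in a if k not in fields)

    def near(self, other: "Vaccine") -> bool:
        return abs(self.begin_time - other.begin_time) <= WINDOW


class FusionCentre:
    """The receive-and-fuse half of the vaccine treatment centre."""

    def __init__(self, platform: str):
        self.platform = platform
        self.memory: Dict[Tuple[str, str, int], Vaccine] = {}  # keyed by attack and target
        self.mature: List[Vaccine] = []                         # appended to the mature detector set
        self.risk: Dict[str, int] = {}                          # risk index per attack flag
        self.fused: List[Vaccine] = []                          # kept vaccines, for the relationship tests

    def concurrent_count(self, v: Vaccine) -> int:
        """Kept vaccines in the window that differ from v only in source address."""
        return sum(1 for w in self.fused
                   if v.near(w) and v.same_except(w, "s_ip", "begin_time", "end_time"))

    def receive(self, blob: str) -> str:
        v = Vaccine.decode(blob)
        # Filtrate: drop malformed vaccines and those aimed at another platform.
        platform = v.flag.rsplit("/", 1)[-1]
        if v.end_time < v.begin_time or platform not in ("any", self.platform):
            return "filtered"
        for w in self.fused:
            if v.near(w) and v.same_except(w, "begin_time", "end_time"):
                return "repeated"          # repetition of vaccines: only one is kept
            if v.near(w) and v.same_except(w, "s_ip", "begin_time", "end_time"):
                self.fused.append(v)       # concurrency of vaccines: one warning kept,
                self.risk[v.flag] = self.concurrent_count(v)   # risk index raised
                return "concurrent"
        self.fused.append(v)
        key = (v.flag, v.t_ip, v.t_port)
        if key not in self.memory:
            self.memory[key] = v           # new memory cell: prevents the same intrusion at once
            return "memory"
        self.mature.append(v)              # already known: strengthen the mature detector set
        return "mature"

    def ddos_suspect(self, flag: str) -> bool:
        """Many sources hitting the same target inside the window."""
        return self.risk.get(flag, 0) >= THRESHOLD


# Constructed vaccines as a Linux fusion centre would receive them from a neighbour.
INCOMING = [
    Vaccine("land/any", "10.0.0.5", 139, "192.0.2.10", 139, 1000, 1005),
    Vaccine("land/any", "10.0.0.5", 139, "192.0.2.10", 139, 1010, 1015),   # repeat
    Vaccine("land/any", "10.0.0.6", 139, "192.0.2.10", 139, 1020, 1025),   # concurrent
    Vaccine("land/any", "10.0.0.7", 139, "192.0.2.10", 139, 1030, 1035),   # concurrent
    Vaccine("netbios-backdoor/windows", "10.0.0.9", 4444, "192.0.2.11", 139, 1040, 1050),
    Vaccine("land/any", "10.0.0.5", 139, "192.0.2.10", 139, 5000, 5005),   # same attack, later
]


def fuse_all(platform: str, vaccines) -> List[str]:
    """Run every vaccine through a fresh centre and return the verdicts in order."""
    centre = FusionCentre(platform)
    return [centre.receive(v.encode()) for v in vaccines]


if __name__ == "__main__":
    print(fuse_all("linux", INCOMING))
    # → ['memory', 'repeated', 'concurrent', 'concurrent', 'filtered', 'mature']
```

The same vaccine arriving again outside the window is not a repetition: it reaches the memory check, finds the cell already present and is appended to the mature set instead, which is the branch that raises the antigen's concentration in the mature set. A practitioner deploying this should also authenticate vaccines, since an unauthenticated neighbour could inject memory cells that block legitimate traffic.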
Such vaccines are called "repetition of vaccines", and only one of them is retained. For two decoded vaccines, if they differ only in IP address and the time difference is small enough, we consider the warning information concurrent: only one memory cell warning is retained, and the risk index is increased. We call these vaccines "concurrency of vaccines". For these, the number of vaccines within the time window is counted; if it exceeds the given threshold, only one is retained, otherwise it may be a new intrusion such as a DDoS attack. The transmission of vaccines consumes a large share of network resources at the beginning of the learning phase. After three weeks, only new memory cells are sent as vaccines, and the network resource usage drops quickly. Thus the function of joint prevention against network intrusion is realized. Extraction and recording of evidence of a local intrusion may include recording the path of the intrusion's behaviour and may include starting the anti-intrusion behaviour.

3.3 Activity Defense Policy Based on Agents

An effective intrusion response (IR) to a network-based intrusion should be able to: 1) detect intrusions in real time; 2) counter the detected intruder's ability to attack other targets; 3) help to recover compromised network nodes as far as possible; 4) repel future intrusions that are similar to the detected ones. In order to be effective in today's high-speed global networks, network-based intrusion response has to be network-wide and automatic. One major problem in building an effective response to network-based attacks is the lack of source identification. Without effective source tracing, the attacked victim is blind when defending against network-based attacks, and no effective countermeasures such as blocking and containment can be implemented. A network-based attack cannot be effectively repelled or eliminated until its source is known. Most of the network congestion caused by DDoS is the result of a great number of puppet machines controlled by a malicious host, so controlling the network boundary gateway through the response agent is the better method. We therefore use a communication agent cooperating with the response agent to realize the active defence framework; part C of Fig. 2 shows this framework. A multi-agent system is a population of agents, that is, more than one agent can change the environment to accomplish the task; it is a distributed computational system in which each agent has a list of individual goals or tasks that it performs. Mobile agents are programs that can migrate from host to host in a network at times and to places of their own choosing; the state of the running program is saved, transported to the new host and restored, allowing the program to continue where it left off. The defence agent records and maintains the network access control list, so it can identify the source and destination addresses. The mobile agent is in charge of transferring and updating the intrusion information detected by the detection agent. First, an active response message is sent to the local gateway by the intrusion response agent; the intrusion defence agent there is awakened and the intrusion is restrained. At the same time, the local gateway sends the response message to the neighbouring gateway, and remote defence agents are aroused along this trace until the source gateway of the intrusion is reached. The defence agent then sends a restrain-response message back along the path, and all intermediate gateways cancel their filter rules.

IV. Experiments

In the network security institute, we trained the system for three weeks. A total of 30 different attacks, such as land and backdoor attacks, were chosen from a simulated attack set to build an attack database file. We found that our method correctly detects and classifies all of these attacks, whether they are suffered by a single computer in the network or by the whole network. Furthermore, our estimate of the attack intensity for each kind of attack is consistent with the real attack intensity occurring in the network. The real-time attack intensity in the network is shown in Fig. 3: as the attack intensity rises, the corresponding antibody concentration rises sharply; when the attack intensity falls, the antibody concentration decreases slowly. When the real attack intensity reaches its maximum, so does our estimated attack intensity, and as the real attack intensity decreases, so does the estimate. The antibody concentration curve of the local host before inoculation (thin line) is shown in Fig. 4. When the land attack occurs on the local host for the first time, immune cells are cloned and the antibody concentration increases gradually; a memory cell is produced after a short period, and then the antibody concentration decreases gradually. The antibody concentration curve after inoculation (thick line) is also shown in Fig. 4. Consider two neighbouring networks A and B. A memory cell is generated in the immune detection agent of network A and transmitted to network B, found by consulting the routing table, so a vaccine is present in the memory cell set of network B. When the attack occurs in network B, network B recognizes the intrusion at once, and its immune cells need not be cloned.

Fig. 3. The attack-intensity curve of the land attack. [Figure: attack intensity in Packets/s, 0 to 30000, and Risk, against Time (s), 0 to 120.]

Fig. 4. The antibody concentration before and after inoculation. [Figure: antibody concentration (×10^2), 0 to 1, against Time (s), 0 to 120, with curves labelled "Before inoculation" and "After inoculation".]

V. CONCLUSION

In this paper we present a new immune-based model for detecting and preventing network intrusions. The proposed approach can detect massive network intrusions in time, and a new vaccine scheme is presented for quickly detecting similar intrusions in neighbouring networks. Using mobile agents in the vulnerability assessment domain offers several advantages over more traditional tools. First, agents are more easily tailored and customized and can be quickly changed to detect newly discovered vulnerabilities. Security experts recommend that networked organizations regularly update their security systems. As a network grows larger, more agents can be added to migrate through hosts looking for vulnerabilities.

REFERENCES
[1] S. Hazelhurst, A. Attar, R. Sinnappan, "Algorithms for Improving the Dependability of Firewall and Filter Rule Lists", Proc. International Conference on Dependable Systems and Networks (DSN 2000), 2000, pp. 576-585.
[2] E. Jonsson, T. Olovsson, "A quantitative model of the security intrusion process based on attacker behaviour", IEEE Trans. on Software Engineering, 1997, pp. 235-245.
[3] F. M. Burnet, The Clonal Selection Theory of Acquired Immunity, Cambridge: Cambridge University Press, 1959.
[4] T. B. Kepler, A. S. Perelson, "Somatic hypermutation in B cells: An optimal control treatment", J. Theoret. Biol., 1993, pp. 37-64.
[5] S. Forrest, A. S. Perelson, "Self-nonself discrimination in a computer", IEEE Symposium on Security and Privacy, Oakland, CA, 1994, pp. 202-213.
[6] L. N. de Castro, J. Timmis, "An Artificial Immune Network for Multimodal Function Optimisation", Proc. 2002 Congress on Evolutionary Computation (CEC '02), vol. 1, pp. 699-704.
