Behaviour Based Detection of Unfavourable Resources

Krzysztof Cetnarowicz, [email protected], Institute of Computer Science
Gabriel Rojek, [email protected], Department of Computer Science in Industry
AGH University of Science and Technology, Al. Mickiewicza 30, 30-059 Kraków, Poland

Abstract
This article considers the problem of security in computer systems, understood as identifying a computer resource on the basis of that resource's behaviour. Mechanisms are presented which might enable recognizing and dismissing undesirable or harmful resources in the computer system on the basis of behaviour observation. The proposed mechanisms were tested in simulations of a computer system under a DoS attack. The results of the tests are presented and discussed.
Keywords: agent system, open system, security, behaviour detection, activity observation, decentralized security mechanisms, immune system
1 Introduction
Commonly used security systems such as antiviral software are based on knowledge of patterns of code. Those patterns are called signatures. Every signature is characteristic of an individual resource which should be deleted. Discovering a bit sequence matching a known signature allows the antiviral software to detect an undesirable program. A security system, in order to detect (and delete) a virus, must have knowledge of the signature of this virus. Detecting a virus whose signature is unknown is impossible for such a security system. Confronting this way of working with the facts that:
• every year new attack tools such as viruses or worms come into being more and more frequently,
• undesirable and harmful programs propagate automatically at very high speed via the Internet,
the trend of reduced effectiveness of those security systems is visible. This trend is caused by the low speed and small efficiency of delivering signatures for new undesirable programs. The problem is also enlarged by the fact that we cannot anticipate new viruses, so we cannot create signatures for viruses which are not yet created or are just starting to propagate in the Internet. Creating a signature (or a patch) for a new dangerous resource takes hours or days for the people who create security systems. This is a very long period compared with the time of automatic propagation of undesirable programs in the Internet.
From another point of view, present computer systems become more and more complex and related to each other. Large networks, as well as almost all devices connected to the Internet, are open systems. To have full knowledge about the topology or the current state of such a system is impossible even for its owner or administrator. Central control of an open system does not exist or is ineffective, and there is also no complete theory of open systems [6]. Rapidly developing agent technology makes a full flow of resources among open computer systems possible. Autonomous agents can already freely migrate in the network without the knowledge of the owner or administrator. Agents can also execute their tasks without anybody's knowledge. These tasks can equally well be useful for the owner or destructive for the system. Examples of such agents could be viruses or worms, which propagate themselves in the Internet.
2 New approach to the security problem
The facts and trends specified in the introduction lead to formulating a new foundation for the solution of the computer security problem. Attacks generally have a decentralized nature, and the harmful resources causing these attacks should be seen as, in some way, autonomous agents. In order to oppose such threats, the computer system should be seen as a multiagent system which consists of:
• "good" (desirable) resources (e.g. agents, programs),
• "bad" (undesirable) resources,
as was proposed in [3]. Taking into consideration the mentioned problems with security systems which are centralized and operate on fragments of code (looking for known signatures), a way in which the "good" / "bad" division should be made is proposed. It could be stated that:
• a decentralized security system could be realized in the form of functions, mechanisms or algorithms that are built into as many components of the protected system as possible;
• the "good" / "bad" division could be based on observation and evaluation of the behaviour of the components of the protected system.

2.1 Decentralization of the security system
The decentralization paradigm could be realized in multiagent algorithms by equipping all agents that exist in the protected system with some additional goals, tasks and mechanisms. Those goals, tasks and mechanisms should be designed to assure security for the agents and for the computer system which those agents assemble. So agents will execute the tasks for which they have been created and simultaneously will execute tasks connected with the security of all agents in the system and / or of the computer system. Using a model based on the M–agent architecture, equipping every agent with a system of discrimination mechanisms consists in adding a specially dedicated profile: the division profile. The activity of an autonomous agent in the M–agent architecture, as introduced among others in [1], [2], is formed through profiles. Every profile is a different point of view according to which the agent takes his actions (e.g. the intellectual profile means the group of goals, taken decisions and realized actions in the sphere of the basic jobs of an agent, for the realization of which the agent was created; the energetic profile serves to determine the existence of a given agent in the environment depending on his "energy", which he can draw depending on the actions taken by him; agents can have any other profile).

2.2 Division based on observation and evaluation of behaviour
In open systems, in which unconstrained exchange of resources (programs, agents) is possible, the origin of a resource ("self" / "nonself") does not play an essential part. Discrimination between "good" and "bad" can be accomplished only on the basis of observation of the behaviour of the acting resource. Recognition based on the structure of the resource will not distinguish between desirable and harmful resources. Actions undertaken by an acting agent should be seen as objects. Those objects create a sequence which could be registered by agents observing that acting agent. Registered objects–actions could be processed in order to qualify whether it is a "good" or a "bad" acting agent. It should be mentioned that the quoted notions of "good" and "bad" do not have absolute meaning. A "good" resource is a desirable resource for a definite computer system, in which the evaluation takes place. A "bad" resource is an undesirable resource for a given system, although it can happen that in a different computer system it would be greatly desirable. Obviously the converse situation is also possible: a "good" resource in a certain system which in a different system is undesirable and would be valued as "bad".

3 Division profile
The division profile is a class of agent activity whose goal is the observation of other agents in a society and possibly of other elements of the environment. Those observations should be done in order to distinguish individuals whose behaviour is unfavourable or incorrect ("bad") for the observer. Such distinguished "bad" individuals should be adequately treated (e.g. convicted, avoided, liquidated), which should also be formed by the division profile. In the case of a multiagent system it is possible to equip every agent in the system with division profile mechanisms, so security is assured by all agents existing in the system. The division profile is defined as $d = (M_d, Q_d, S_d)$, where:
• $M_d$ — the set of division states $m_d$ of agent $a$,
• $Q_d$ — the configuration of goals $q_d$ of agent $a$'s division profile,
• $S_d$ — the configuration of strategies $s_d$ of agent $a$'s division profile.

3.1 Division state
The division state $m_d$ of agent $a$ is represented as a vector $m_d = (m_d^1, m_d^2, \ldots, m_d^{j-1}, m_d^j)$, where:
• $j$ is the number of neighbouring agents; neighbouring agents are the agents which are visible to agent $a$ (including itself); if all agents in a system are visible to agent $a$, $j$ is equal to the number of all agents existing in the system,
• $m_d^k$ is the factor assigned to neighbouring agent number $k$; this factor can be a number from any range and it indicates whether agent number $k$ is "good" or "bad" (a low number indicates "good", a large number indicates "bad").

3.2 How to fix the division state
To fix the division state (that is, to distinguish "bad" and "good" individuals) some mechanisms of the immune system can be used. These mechanisms should operate on actions made by observed agents. This approach is opposite to the solution proposed in [4], [5], in which immunological mechanisms operate on the structure of a resource. The methods described in this article and in [4], [5] are based on the generation of T cells in the immune system. Immunological intruder detection in a computer environment has to be done on the basis of certain characteristic structures. In the case of behaviour observation these structures can be chains of actions made by an observed agent. These chains are of a settled length $l$, so one chain contains $l$ objects which represent actions undertaken by the observed agent (one object represents one action).

3.2.1 Observation of neighbouring agents' actions
We should define the way in which agent $a$ will recognize (notice, but not estimate or discriminate) actions undertaken by neighbours. It is possible to store all actions undertaken by agents in the environment of the agent computer system. A stored action should be accompanied by a note of by whom the particular action was undertaken. This method presumes the mediation of the environment and / or the resources of the environment in the process of recognizing undertaken actions. If it is not allowed to store actions in the environment, it is possible to use the intellectual profile of agent $a$. Agent $a$ observes the environment $V$ and creates a model $m = I(V)$ (referring to the M–agent architecture introduced among others in [1], [2]). An event $Z$ changes the model $m$ into $m'$. Every action taken by a neighbour can be described as a change of the environment model of agent $a$'s intellectual profile. The same event $Z$ can be the result of different agents' actions, since several agents could potentially change $m$ into $m'$. An observed event $Z$ transposes itself onto an action $D$ of agent $a$ when the perpetrator of this event is known. Recognition of the perpetrator is possible when signs of the perpetrator who changed the model $m$ remain in the environment $V$.

3.2.2 Detectors
The method of fixing the division state refers to the mechanism of the immune system. Once a set of detectors has been generated, this set of detectors is used to find "bad" among the presented sequences of action–objects. In order to generate the set of detectors $R$, the own collection $W$ should be specified. To this collection belong correct, "good" sequences of action–objects. This collection $W$ should consist of sequences of action–objects of length $l$ which the observing agent undertakes. This is correct because of the assumption that actions which an agent undertakes are evaluated by him as "good". Presuming that the last $h$ actions undertaken by every agent are stored, the own collection $W$ will contain $h - l + 1$ elements.

3.2.3 Algorithm of detector generation
The algorithm of detector generation refers to the method in which T–lymphocytes are generated. From the set $R_0$ of generated sequences of length $l$, those reacting with any sequence from the collection $W$ are rejected. The set $R_0$ contains every possible sequence (but it is also possible to use a set of randomly generated sequences). Sequence reaction means that the elements of those sequences are the same. Sequences from the set $R_0$ which pass such negative selection create the set of detectors $R$. This process is presented in Fig. 1.
Figure 1. Process of detector generation: every generated sequence from $R_0$ is matched against the own sequences $W$; a matching sequence is rejected, a non-matching one enters the detector set $R$.
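As an added illustration (not code from the paper), the following Python implements the division profile cycle described in sections 3.2.2 to 3.4: the own collection $W$, negative selection of the detector set $R$ over every sequence of length $l$, the match count that fixes $m_d^k$ for every visible neighbour, and the environment's rule of summing demand coefficients and liquidating the agent with the maximal sum above $OU$. The two-letter action alphabet, the constructed action histories and the $OU$ values are assumptions chosen to keep the example small.

```python
from collections import Counter
from itertools import product

# Action alphabet (assumption, mirrors the experiment): "A" = take a unit of A, "B" = take a unit of B.
ACTIONS = ("A", "B")

# Constructed action histories (last h = 8 actions per agent); not data from the paper.
# Agents 0-2 behave like type I (mixed A/B), agent 3 like type II (only A).
HISTORIES = {0: "ABABBAAB", 1: "BAABABBA", 2: "AABBABAB", 3: "AAAAAAAA"}


def own_collection(own_actions, l):
    """Own collection W: all subsequences of length l of the observer's own actions (h - l + 1 of them)."""
    return {tuple(own_actions[i:i + l]) for i in range(len(own_actions) - l + 1)}


def generate_detectors(own_actions, l, actions=ACTIONS):
    """Negative selection: R0 is every sequence of length l over the action alphabet;
    sequences that react with (are identical to) any element of W are rejected, the rest form R."""
    w = own_collection(own_actions, l)
    return {r for r in product(actions, repeat=l) if r not in w}


def count_matches(neighbour_actions, detectors, l):
    """Behaviour estimation: number of subsequences n of length l of N that match a detector r in R."""
    return sum(1 for i in range(len(neighbour_actions) - l + 1)
               if tuple(neighbour_actions[i:i + l]) in detectors)


def division_state(own_actions, neighbours, l):
    """m_d: the factor m_d^k of every visible neighbour k (the observer itself included) is its match count."""
    detectors = generate_detectors(own_actions, l)
    return {k: count_matches(seq, detectors, l) for k, seq in neighbours.items()}


def demands(observer, histories, l):
    """Goal + strategy of one observer: demand deletion of the neighbour(s) with the maximal m_d^k,
    attaching the coefficient o_d = m_d^k. Neighbours with no matches are never demanded."""
    m_d = division_state(histories[observer], histories, l)
    top = max(m_d.values())
    return {k: v for k, v in m_d.items() if v == top and v > 0}


def environment_step(histories, l, ou):
    """Environment: sum the coefficients of all demands per agent and liquidate the agent(s)
    whose sum is maximal, but only if that sum exceeds the tolerance constant OU."""
    sums = Counter()
    for observer in histories:
        sums.update(demands(observer, histories, l))
    if not sums:
        return set()
    top = max(sums.values())
    return {k for k, v in sums.items() if v == top} if top > ou else set()


if __name__ == "__main__":
    L = 3
    for agent in HISTORIES:
        print(f"agent {agent}: m_d = {division_state(HISTORIES[agent], HISTORIES, L)}")
    print("liquidated with OU=10:", environment_step(HISTORIES, L, 10))  # {3}
    print("liquidated with OU=20:", environment_step(HISTORIES, L, 20))  # set()
```

Note that the type II agent's own detectors flag every mixed neighbour with the same coefficient, which is exactly the kind of minority verdict the $OU$ tolerance is meant to absorb; only the verdict shared by the majority crosses the threshold.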
3.2.4 Behaviour estimation of neighbouring agents
The first stage is neighbour observation, during which the actions (and the order of those actions) executed by neighbouring agents are remembered. Those remembered actions create a sequence $N$ of presumed length $h$. After the next stage, detector generation, the generated detectors are used to find "bad", unfavourable agents. Every subsequence $n$ of length $l$ of the sequence $N$ is compared with every detector $r$ from the set $R$, as presented in Fig. 2. If the sequences $n$ and $r$ match, it means finding "bad", unfavourable actions. Sequence matching means that the elements of the compared sequences are the same.
The number of matches for every observed agent should be counted. On this basis the behaviour estimation is made: the division state $m_d = (m_d^1, m_d^2, \ldots, m_d^{j-1}, m_d^j)$ of the agent-observer is modified to $m_d' = (m_d'^1, m_d'^2, \ldots, m_d'^{j-1}, m_d'^j)$, where:
• $j$ is the number of agents in the environment,
• $m_d'^k$ is assigned the number of counted matches for agent number $k$.

3.3 Configuration of goals of the agent's division profile
The way neighbouring agents are treated is described by $Q_d$ — the configuration of goals $q_d$ of the agent's division profile. The configuration of goals of an agent is constant (however, it is possible to design a system in which goal adaptation is possible). In the described system the configuration of goals consists of only one goal:
• liquidation of the neighbouring agent (or agents) number $k$ if $m_d^k = \max(m_d^1, m_d^2, \ldots, m_d^{j-1}, m_d^j)$.

3.4 Configuration of strategies of the agent's division profile
The actions which should be undertaken by agent $a$ in order to treat agent number $k$ in the way described by the configuration of goals are specified by $S_d$ — the configuration of strategies $s_d$ of the agent's division profile. The configuration of strategies of an agent is constant and in the described system consists of only one strategy:
• if the goal is to liquidate agent number $k$, send to the environment a demand for deleting agent number $k$; to this demand the coefficient $o_d$ equal to $m_d^k$ is attributed.
This configuration of strategies presumes the intervention of the system's environment in the liquidation of an agent. In the described system the environment counts, for every agent separately, the sum of the coefficients attributed to demands, and liquidates all agents which:
• have the maximum sum of coefficients,
• have this sum greater than the constant $OU$.
Periodically, after a constant time period, the counted sums of coefficients are set to 0. The constant coefficient $OU$ is introduced in order to get tolerance for behaviour that is evaluated as "bad" for a short time, or is evaluated as "bad" by a small number of agents.

Figure 2. Process of behaviour estimation of neighbouring agents, presented for agent number $k$: the sequences of neighbours $N_1, N_2, \ldots, N_k, \ldots, N_j$ are matched against the detector set $R$; a match qualifies neighbour $k$ as "bad" or "worse".

4 Experiment
In order to research the presented security mechanisms, a multiagent system was simulated. In the environment of the multiagent system there are two types of resources:
• resource A,
• resource B.
At the beginning of the simulation there is a constant number of units of resource A and a constant number of units of resource B, equal to $U_0 = 20$. If the number of units of A and the number of units of B are at the same time smaller than $U_{limit} = 10$, new units of resources A and B are added. The number of added units is equal to $U_{add} = 20$. Agents in the system can execute, many times, only two types of action:
• take one unit of resource A,
• take one unit of resource B.
An agent needs units of energy to execute his actions. At the beginning of the simulation every agent has a number of energy units equal to the constant $E_0 = 25$. In every constant time period one unit of energy is removed from every agent; if an agent does not have any units of energy, he is eliminated. If an agent gets one unit of any resource, this unit is changed into one unit of his energy. In one constant time period every agent in the system can demand to take one unit of resource A or one unit of resource B without any other restrictions. If there is any unit of the demanded type of resource in the environment, this unit is given to the agent which demanded it. Agents do not know how many units of resources A or B are in the environment.

Figure 3. Number of agents in separate time periods; every agent takes one unit of a resource of randomly selected type; agents do not have any security mechanisms.
4.1 Simulation vs. denial of service
In a computer system there are some operations which must be executed in pairs, for example: open and close a file, connection request and disconnection request. There are a lot of attack techniques which consist in doing only one operation from such a pair (or triple...) of obligatory operations (for example the so–called SYN flood attack [7]). In the simulated system, if the same number of units of resources A and B is taken by agents, the resources are restored. If only one type of resource is taken, the system becomes blocked. The reference to a real–world computer system under a DoS attack is noticeable.

4.2 Simulation — computer system
There are 80 agents in the system. All agents in the system take one unit of a randomly selected resource (randomly selected means that with probability equal to 50 per cent resource type A is taken and with probability equal to 50 per cent resource type B is taken). Agents do not have any security mechanisms. The system was simulated for 300 time periods. 10 simulations were made; the diagram in Fig. 3 shows the average number of agents and the diagram in Fig. 4 shows the average number of A and B units in the environment. Because in each constant time period there is approximately the same number of taken units of resource A and resource B, the number of A and B units in the environment stays at the same level. This results in replenishing of the A and B resources (which happens only if the number of units of A and the number of units of B are at the same time smaller than $U_{limit} = 10$). The existence of any A and B units in the system makes it possible for agents to exist in the system, so the simulated system can work without any disturbance.

Figure 4. Number of units of resources A and B in separate time periods; every agent takes one unit of a resource of randomly selected type; agents do not have any security mechanisms.

4.3 Simulation — computer system under DoS attack
There are 50 agents in the system and there are two types of agents:
• agent type I — takes one unit of a randomly selected resource and needs energy to execute his actions,
• agent type II — takes resource A every time and does not need energy (he cannot be eliminated because of lack of energy).
At the beginning of the simulation there is a constant number of agents of type I and type II: 80 per cent of agents are of type I, 20 per cent are of type II. An agent cannot change his type and does not have any security mechanisms. The system was simulated for 300 time periods. 10 simulations were made; the diagram in Fig. 5 shows the average number of agents and the diagram in Fig. 6 shows the average number of A and B units in the environment. From the beginning of the simulation 20 per cent of agents take only resource A. It means that there is no balance between the use of A and B units. There is a lack of A units in the system, but some B units remain in the environment and new units of resources cannot be added (which happens only if the number of units of A and the number of units of B are at the same time smaller than $U_{limit} = 10$). Agents which belong to type I have problems getting a unit of the desired resource and die because of the lack of energy. Agents which belong to type II do not need energy to function, so they still remain in the blocked system.

Figure 5. Number of agents in separate time periods; 20 per cent of agents take only resource A.

Figure 6. Number of units of resources A and B in separate time periods; 20 per cent of agents take only resource A.

4.4 Simulation — secure computer system under DoS attack
There are 80 agents in the system, of types I and II. At the beginning of the simulation there is a constant number of agents of type I and type II: 80 per cent of agents are of type I, 20 per cent are of type II. An agent cannot change his type. All agents in the system were equipped with division profile security mechanisms.

4.4.1 Simulation parameters
In the environment the last 18 actions undertaken by every agent are stored. After 18 actions had been undertaken by every agent, detectors of length $l = 5$ were constructed. Agents use their division profile mechanisms to calculate which neighbouring agent they want to eliminate. Agents demand to eliminate those neighbours which have the maximum number of detector matchings. Agents present their demands to the environment together with the number of matchings. The environment counts the matchings in the presented demands and eliminates agents as proposed in the description of the division profile mechanisms. The constant $OU$ is set to 480.

4.4.2 Simulation results
The system was simulated for 300 time periods. 10 simulations were made; the diagram in Fig. 7 shows the average number of agents and the diagram in Fig. 8 shows the average number of A and B units in the environment. The environment stores the last 18 actions undertaken by agents, so after 18 time periods it was possible for all agents existing in the system to generate detectors. In the next time period the agents which take only resource A were distinguished thanks to the division profile mechanisms. In the same time period the recognized agents were deleted, which makes the free functioning of the agents belonging to type I possible. After the deletion of those agents there is approximately the same number of taken units of resource A and resource B, and the simulated system can work without any disturbance.

Figure 7. Number of agents in separate time periods; 20 per cent of agents take only resource A; all agents in the system were equipped with division profile mechanisms.

Figure 8. Number of units of resources A and B in separate time periods; 20 per cent of agents take only resource A; all agents in the system were equipped with division profile mechanisms.

5 Conclusion
This paper presents a simulation of a computer system under a DoS attack. Security solutions were proposed which function well in practice. These solutions create new security paradigms for creating secure computer systems:
• equip all system resources (e.g. agents, programs) with security mechanisms,
• security mechanisms should be based on activity observation rather than on looking for some fragments of code (signatures),
• design the environment of the computer system in a way that supports the security mechanisms with which the system's resources are equipped.
In this paper security mechanisms with an immunological approach were presented which fulfil the mentioned security paradigms. All these security mechanisms were called the division profile. The presented conception was simulated and the received results confirm the effectiveness of this solution. Security mechanisms designed on the ground of the presented conception have such advantages as:
• detection of previously unseen dangerous activities,
• detection on the ground of activity observation,
• decentralized detection.
The presented simulation enables anticipating how the described mechanisms will function in real world computer systems.

References
[1] K. Cetnarowicz. M–agent architecture based method of development of multiagent systems. In Proc. of the 8th Joint EPS-APS International Conference on Physics Computing, ACC Cyfronet, Kraków, Poland, 1996.
[2] K. Cetnarowicz, E. Nawarecki, and M. Żabińska. M–agent architecture and its application to the agent oriented technology. In Proc. of DAIMAS'97, International Workshop: Distributed Artificial Intelligence and Multi–Agent Systems, St. Petersburg, Russia, 1997.
[3] K. Cetnarowicz, G. Rojek, J. Werszowiec-Plazowski, and M. Suwara. Utilization of ethical and social mechanisms in maintenance of computer resources' security. In Proc. of the Agent Day 2002, Belfort, France, 2002.
[4] S. Forrest, S. A. Hofmeyr, and A. Somayaji. Computer immunology. Communications of the ACM, 40(10):88–96, 1997.
[5] S. Forrest, A. S. Perelson, L. Allen, and R. Cherukuri. Self-nonself discrimination in a computer. In Proceedings of the 1994 IEEE Symposium on Research in Security and Privacy, Los Alamitos, CA, 1994. IEEE Computer Society Press.
[6] W. W. Gibbs. Jak przetrwać w niebezpiecznym świecie? Świat Nauki, July 2002.
[7] E. Schetina, K. Green, and J. Carlson. Bezpieczeństwo w sieci. Wydawnictwo HELION, Gliwice, Poland, 2002.