Computer Security Based on Biological Systems

Dieter Hutter and Raúl Monroy

Abstract

The evolution of computing and computing communication capabilities has come with an evolution in security requirements. Computer intrusion detection is one aspect of computer security and an active area of research. Existing Intrusion Detection Systems (IDSs) are not sufficient, both because of their structure and because of their lack of scalability. Like an immune system, an IDS should be distributed, made out of a number of components, each of which is in constant movement, carrying out a specific task. As products of natural evolution, immune systems are both highly reliable and robust. This research aims at the development of a methodology to build robust, efficient, effective and highly adaptable intrusion detection systems. It rests upon the conjecture that a procedure inspired by an immune system is the key to fulfilling computer intrusion detection using a multi-mobile-agent system.
1 Introduction
The evolution of computing and communication capabilities has been accompanied by an evolution in security requirements and increasing demands on security mechanisms. In early computing systems, physical controls were an effective means of protecting data and software from unauthorized access because these systems were physically isolated. Multi-user programming and the connection of computers to networks created a need for mechanisms to control the sharing of data and programs amongst a community of users. The move to distributed systems exacerbated these problems, providing remote access not only for users, but also for attackers from anywhere in the world.

Computer intrusion detection is a key aspect of computer security and still an active area of research. Intrusion detection is concerned with the problem of identifying computer processes that are using a computer system without authorization. Existing Intrusion Detection Systems (IDSs) are still insufficient. This is both because they cannot handle the current level of sophistication in computer attacks, and because they are not scalable, both in throughput and performance. The advent of the programming paradigm of mobile agents, which allows programs to migrate between hosting computers during execution, gives rise to the development of new intrusion detection systems. To approach intrusion detection successfully, new IDSs ought to be distributed and made out of simple, mobile components, each of which is responsible for achieving a simple, specific aim.

Mobility and specialization suggest an analogy between intrusion detection and immune systems of life forms. As products of natural evolution, immune systems are both highly reliable and robust. They are effective, efficient, highly parallel, distributed systems. Although each member carries out but a small part of a task, an immune system is able to achieve complex goals by means of a coordinated action of its individuals. A similar behavior is found in some communities of insects, e.g. an ant-hill. Immune systems provide a virtually inviolable protection system with an outstanding performance.

The proposed project aims at the development of a methodology to build robust, efficient, effective and highly adaptable intrusion detection systems as a (mobile) multi-agent system. This research rests upon the conjecture that techniques inspired by an immune system, or the behavior of a community of insects, provide the key to fulfilling computer intrusion detection. Our hypothesis is that we can abstract out the behavior of each member of any such system in order to build a mobile, multi-agent based mechanism whereby a significant level of security can be provided.
1.1 Expected Contributions
In particular, we are interested in the following objectives:

1. to provide a methodology to design intrusion detection systems inspired by immune systems or social insects in biology and based on (mobile) multi-agent systems;
2. to provide general methods for detection of anomaly and for distinguishing the self from the non-self in particular; and
3. to provide a model in which a collection of mobile, dynamic agents cooperate with one another in order to achieve computer security.
2 Intrusion Detection System
Intrusion Detection Systems (IDSs) are primarily concerned with providing confidentiality, integrity and availability of information. They involve a variety of protection mechanisms aimed at detecting an ongoing attack before it turns into an intrusion, yielding undesirable consequences [16]. IDSs all face the problem of judging the state of a system so as to distinguish normal activity from malicious activity. They should be scalable, robust, lightweight and should have a low rate, ideally zero, of false alarms.

IDSs are usually based on two detection models, one for misuse and the other for anomaly. Misuse models monitor weak points in the operating system; anomaly models detect changes in the usual behavior of a system. To approach intrusion detection, IDSs search for known, dangerous patterns in either computer execution traces or network traffic. These patterns aim to characterize threatening behavior, traffic analysis, statistical-anomaly detection, state-based detection, etc. [1].

The development of IDSs dates back to the 1980s, with Denning's work on an intrusion-detection model [6]. Then, IDSs were centralized and data were collected on a single machine. Nowadays, approaches are based on a distributed architecture, where the collection and the analysis of data are distributed over several machines. However, both workload and information distribution are static and, hence, these systems are still subject to so-called distributed attacks. Example centralized IDSs include IDES [7], NDIX [2] and NADIR [11], while NSM [10], DIDS [24] and A-IDS [4] are multi-host, network-based.

Intrusion detection systems are highly complex. They are best characterized in terms of two sets of requirements that they ought to satisfy, one for performance and the other for throughput. Performance requirements have to do with high-level, behavioral specifications, while throughput ones have to do with response time and other temporal properties.
3 Methodology
We aim to construct a mobile, multi-agent, distributed intrusion detection system, inspired by immune systems. To achieve our aim, we propose splitting the workload into the following tasks:

1. Characterize ordinary activity, as well as developing mechanisms for automatically distinguishing potentially malicious activity. To this aim, we suggest adopting or developing techniques to explore, identify and characterize computer attacks. Pattern recognition corresponds to innate immunity, while learning corresponds to acquired immunity. Either of these abilities can be pre-programmed (thymus) or developed on the fly;
2. Develop mechanisms capable of classifying and grouping together both traffic and processes that inhabit each host of the computer network. Clustering techniques will be used to hierarchically approach intrusion detection: system response will be coordinated, resulting from a complex combination of sensed activity at different system levels;
3. Model and develop computer agents that are able to identify one another and to work in a coordinated manner in order to achieve a common task. We aim to develop a formal model of behavior for an immune system. The model will help in building the IDS in an educated manner;
4. Implement the intrusion detection system in a typical, non-controlled environment; and
5. Design and carry out a testing methodology for checking the effectiveness of the system, as well as comparing it against rival techniques.
Summarizing, multi-mobile-agent systems allow one to model and build systems capable of exhibiting the behavior found in life forms. Using both technologies, it is possible to achieve both effectiveness and reactivity, while making the entire system robust. Mobile computing and multi-agent systems, therefore, provide a solid framework, suitable for developing distributed intrusion detection systems.
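Task 1 of the methodology asks for a way to characterize ordinary activity and separate self from non-self, with a "thymus" as the pre-programmed variant. The sketch below is an added example, not part of the proposal or the authors' design: it applies negative selection, an established technique from the artificial immune systems literature, to constructed system-call traces. Candidate detectors are enumerated exhaustively rather than drawn at random so that the result is reproducible; the call names, traces, window length and matching threshold are all assumptions.

```python
from itertools import product

# Constructed sample data: system-call names and traces are illustrative only.
ALPHABET = ("open", "read", "write", "close", "exec")
NORMAL_TRACE = "open read write close open read read write close".split()
OBSERVED_TRACE = "open read write close open read exec write close".split()

K = 4  # window length presented to a detector
R = 3  # r-contiguous rule: a match needs R adjacent positions to agree


def windows(trace, k=K):
    """Slide a length-k window over a trace of events."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def matches(detector, window, r=R):
    """Partial match: the two tuples agree on r contiguous positions."""
    return any(detector[i:i + r] == window[i:i + r]
               for i in range(len(window) - r + 1))


def train_detectors(self_windows, alphabet=ALPHABET, k=K):
    """Censoring phase ("thymus"): discard every candidate that matches self."""
    self_set = set(self_windows)
    return [cand for cand in product(alphabet, repeat=k)
            if not any(matches(cand, s) for s in self_set)]


def monitor(trace, detectors):
    """Return the indices of windows in the trace that some detector matches."""
    return [i for i, w in enumerate(windows(trace))
            if any(matches(d, w) for d in detectors)]


if __name__ == "__main__":
    detectors = train_detectors(windows(NORMAL_TRACE))
    print(len(detectors), "detectors survive censoring")
    print("flagged in normal trace:  ", monitor(NORMAL_TRACE, detectors))
    print("flagged in observed trace:", monitor(OBSERVED_TRACE, detectors))
```

Because the matching rule is symmetric and every detector that matches a self window is discarded, the normal trace can never raise an alarm; only the windows touched by the unseen `exec` call are flagged.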
3.1 Work Plan
Our work plan is specified in terms, each of which comprises 6 months. It refers to the major tasks mentioned above, which will be equally and coordinately conducted by the grant holders, Dr. Hutter and Dr. Monroy. Besides the grant holders, Dr. Klaus Fischer and Mr. Fernando Goínez will also be involved in this project. They will all be responsible for the discovery and formalization of the proposed intrusion detection system. To allow for a smooth project realization, three annual site visits are planned, one for each team member. The German institute will contribute to the development of the methodology and its implementation in potential applications.
4 Reasons for Cooperation
Both Dr. Hutter and Dr. Monroy did joint work in the area of program synthesis and automated reasoning during their stays at the University of Edinburgh (Prof. Alan Bundy). DFKI, the German party, has several ongoing projects that are concerned with the security of mobile, multi-agent systems. In particular, the SAMOA project, funded by the German Bundesamt für Sicherheit in der Informationstechnik, is strongly related to the proposed research since it aims at the application of mobile, multi-agent systems to achieve the intrusion detection task. Furthermore, DFKI has a long tradition in research on multi-agent systems. Several members of the DFKI are chairs or PC members of multi-agent related conferences and workshops. During the last four years the formal methods group at DFKI has gathered a lot of expertise in designing formal security models for large industrial applications. DFKI is an "information technology security evaluation facility" accredited by the German BSI (Bundesamt für die Sicherheit in der Informationstechnik) and licensed to perform ITSEC (and also CC in the near future) security evaluations.
5 Benefits for Each Country
The envisioned methodology has great economic potential as it aims at the development of intrusion detection systems which are capable of coping with the threats arising with the advent of mobile code E-commerce. Because most deployed computer systems are vulnerable to an ever increasing threat of attack, intrusion detection is an important technology business sector as well as an active area of research. The large number of false alarms is the limiting factor for industrial use of existing (commercial) IDSs. Similar to techniques of face recognition based on neural networks, the paradigm of mobile agents may provide the necessary flexibility to adapt an IDS to new types of intruder goals and new attack scenarios. Besides the intended academic research in this field, the DFKI aims at the implementation of such a system as part of a follow-up project of SAMOA funded by the German BSI.
6 Experience of the Partners
Starting his academic career within the area of deduction systems, Dr. Dieter Hutter, affiliated to DFKI in the department of Deduction and Multi-agent Systems headed by Prof. H. J. Siekmann, has now been engaged in the realization of formal methods for almost ten years. The large variety of the different kinds of projects, from academic basic research projects up to industrial applications of VSE [13], allowed for a rapid feedback from the requirements occurring in industrial practice to the orientation of academic research. The control of complexity arising in practical examples by a thorough use of available domain knowledge has been a central theme of his research. Formal annotations for deduction systems [14] and development graphs for managing formal developments [15] are two instances of how to use structuring information within a complex environment.

Dr. Klaus Fischer studied computer science at the Technische Universität (TU) in München. From 1986 to 1991 he worked in a joint research project SFB 331 Information Processing in Autonomous Mobile Robot Systems at the Department of Computer Science at the TU München. In 1992 he finished his doctoral degree with his thesis on Distributed and Cooperative Planning in a Flexible Manufacturing System. In January 1992 he joined the Multi-agent System Research Group at DFKI GmbH in Saarbrücken in the department of Deduction and Multi-agent Systems headed by Prof. H. J. Siekmann and assumed the responsibility of group leader in November 1993 and deputy head of department in 1996. He has successfully finished several research projects and industrial application projects on multi-agent systems. Since 1989 he has been a member of the German Special Interest Group on Distributed AI. From 1992 to 1993 he organized the mailing list for this group. From September 1995 to August 2000 he was spokesman of the group.
Joining the experiences of both groups, the DFKI is engaged in research on security of mobile multi-agents [9]. While the project SAMOA, funded by the BSI, analyses the use of mobile agents to increase the security of computer networks, another project SEMAS, funded by the BMBF, investigates fundamental security threats and how to counteract these threats in the design of mobile multi-agent systems within virtual market places.

The Mexican partner, Dr. Monroy, affiliated to Tecnológico de Monterrey, Campus Estado de México, is concerned with the discovery of automatic methods for the application of formal methods to software or hardware development. He has been deeply involved in the discovery of a proof plan for the verification of communicating systems [18, 19], annotated term-rewriting [20], and in the productive use of failure [17, 21]. Dr. Monroy's interests have shifted gradually into computer security and he is currently involved in various projects related to this area. Relevant to this proposal, he is grant holder of the project called "The Use of Proof Planning to Automating the Verification of Security Protocols", funded by CONACYT, under grant 33337-A.

Project CONACYT 33337-A aims to significantly reduce the time and effort required for the study of authentication protocols. An authentication protocol is a set of rules and conventions whereby one or more pairs of principals agree about each other's identity. Authentication protocols may involve as few as two messages but are surprisingly hard to get right. They are considered safety-critical applications. The project attempts to provide general knowledge heuristics for driving the verification of authentication protocols, to build a totally automatic research tool prototype capable of handling the verification task and to understand how to use failure so as to suggest high-level, intelligible, educated changes to the structure of a faulty protocol.
References

[1] T. Bass. Intrusion Detection Systems and Multisensor Data Fusion. Communications of the ACM, Vol. 43(4), ACM 2000.
[2] D. Bauer and M. Koblentz. Ndix: an expert system for real-time network intrusion detection. In IEEE Computer Networking Symposium, pages 98–106, April 1988.
[3] H.-J. Bürckert, K. Fischer, and G. Vierke. Holonic Transport Scheduling with TeleTruck. Journal of Applied Artificial Intelligence, 14:697–725, Taylor & Francis 2000.
[4] M. Crosbie and G. Spafford. Active Defense of a Computer System Using Autonomous Agents. Technical Report 95-008, Department of Computer Science, Purdue University, February 1995.
[5] D. Dasgupta. Artificial Immune System and Their Applications. Springer, U.S.A., 1998.
[6] D.-E. Denning. An Intrusion-Detection Model. IEEE Transactions on Software Engineering, 13(2):222–232, 1987.
[7] D. Denning et al. A prototype IDES: A real-time intrusion detection expert system. Technical report, Computer Science Laboratory, SRI International, August 1987.
[8] K. Fischer. Agent-Based Design of Holonic Manufacturing Systems. Journal of Robotics and Autonomous Systems, 27:1–2:3–13, Elsevier Science B.V. 1999.
[9] K. Fischer and D. Hutter. Proceedings of the 1st International Workshop on Security of Mobile Multiagent Systems, 5th International Conference on Autonomous Agents (Agents 2001), Montreal, May 2001.
[10] Herberlein et al. A network security monitor. In IEEE, editor, IEEE CS Symposium on Research in Security and Privacy, pages 296–303, New York, NY, May 1990.
[11] Hochberg et al. Nadir: An automated system for detecting network intrusion and misuse. Computers and Security, pages 235–248, 1993. Elsevier Science, New York.
[12] S. Hofmeyr and S. Forrest. Architecture for an Artificial Immune System. Evolutionary Computation Journal, 8(4):443–473, 2000.
[13] D. Hutter, B. Langenstein, G. Rock, J. Siekmann, W. Stephan, and R. Vogt. Formal software development in the verification support environment. Journal of Experimental and Theoretical Artificial Intelligence, 12(4), December 2000.
[14] D. Hutter. Automated reasoning. Annals of Mathematics and Artificial Intelligence (AMAI), Special Issue on Strategies in Automated Deduction, Kluwer, 29:183–222, 2000.
[15] D. Hutter. Management of change in verification systems. In Proceedings 15th IEEE International Conference on Automated Software Engineering, ASE-2000, pages 23–34. IEEE Computer Society, 2000.
[16] K. Kim and P. Bentley. An artificial immune model for network intrusion detection. Department of Computer Science, University College London.
[17] R. Monroy. The use of Abduction and Recursion-Editor Techniques for the Correction of Faulty Conjectures. In P. Flenner and P. Alexander (eds.): Proceedings of the 15th Conference on Automated Software Engineering, Grenoble, France, pp. 91–99, IEEE Computer Society Press, 2000.
[18] R. Monroy, A. Bundy, and I. Green. Planning Proofs of Equations in CCS. Automated Software Engineering Journal, 7(3):263–304, 2000.
[19] R. Monroy, A. Bundy, and I. Green. Searching for a Solution to Program Verification = Equation Solving in CCS. In O. Cairó and F. Cantú, editors, Mexican International Conference on Artificial Intelligence, MICAI'00, page to appear, Acapulco, Mexico, 2000. Springer-Verlag. Lecture Notes in Artificial Intelligence.
[20] R. Monroy, A. Bundy, and I. Green. Annotated Term Rewriting for Deciding Observation Congruence. In H. Prade, editor, 13th European Conference on Artificial Intelligence, ECAI'98, pages 393–397, Brighton, England, 1998. Wiley & Sons.
[21] R. Monroy, A. Bundy, and A. Ireland. Proof Plans for the Correction of False Conjectures. In F. Pfenning (ed.): Proceedings of the 5th International Conference on Logic Programming and Automated Reasoning, LPAR'94, Kiev, Ukraine, pp. 54–68, Springer-Verlag. Lecture Notes in Artificial Intelligence, Vol. 822. Also available from Edinburgh as DAI Research Paper No. 681.
[22] E. C. Oliveira, O. Stepankova, and K. Fischer. Multi-Agent Systems: Which Research for which Application. Journal of Robotics and Autonomous Systems, Vol. 27:1–2:91–106, Elsevier Science B.V. 1999.
[23] L. A. Segel and I. R. Cohen. Design Principles for the Immune System and Other Distributed Autonomous Systems. Oxford University Press, New York, U.S.A., 2000.
[24] S. Snapp et al. A system for distributed intrusion detection. In IEEE, editor, IEEE COMPCON, pages 170–176, New York, NY, March 1991.