MMDS: Multilevel Monitoring and Detection System
D. Dasgupta, J. Gomez, F. Gonzalez, M. Kaniganti, K. Yallapu, R. Yarramsettii
Intelligent Security Systems Research Laboratory, Division of Computer Science, University of Memphis, Memphis, TN-38152
Contact email: [email protected]
Gomez and Gonzalez are also assistant professors at Universidad Nacional de Colombia.
Abstract
The paper presents an agent-based approach for monitoring and detecting different kinds of attacks in wireless networks. The long-term goal of this research is to develop a self-adaptive system that performs real-time monitoring, analysis, detection, and generation of appropriate responses to intrusive activities. The multi-agent architecture, which supports the necessary agent interactions, uses a fuzzy decision support system to generate rules for different attacks by monitoring parameters at multiple levels. The system is able to operate in a wireless network and to detect and respond to events in real time, according to its broad decision objectives and security policies.
1 Introduction
Wireless LANs are in growing use and are changing the landscape of computer networking. With the increased usage of wireless LANs, network security has become a major issue [5,6]. Since Wired Equivalent Privacy (WEP) has been proved vulnerable to attacks [1], it is necessary to monitor the activities of the wireless LAN. Network probes or scans attempt to discover vulnerabilities; a probe that returns positive results tells the attacker which doors are open for future attacks.

This work is motivated by the fact that most existing intrusion detection systems (IDSs) fail to detect many cyber attacks because they lack intelligent techniques for making correct decisions when detecting distributed attacks [2,4]. One way to build intelligent decision-making systems for intrusion detection relies on learning the typical user/application behavior from a set of normal (positive) data [3]. By normal, we mean usage data collected while no cyber attacks were taking place. However, the notion of normalcy in computer and network usage is rarely static; it is dynamic in nature. This means that the model of behavior must be elastic, i.e. it must adapt to the normal fluctuations of usage over time. Our current work focuses on anomaly detection in ad-hoc and infrastructure wireless networks (explained in detail in later sections).

The security features usually provided by wireless networks include Wired Equivalent Privacy (WEP), Medium Access Control (MAC) address filtering, and disabling the Service Set Identifier (SSID) broadcast. The security capabilities of each of these features are explained below.

Enabling WEP
WEP was introduced in wireless networks as a security measure intended to prevent anyone with similar wireless LAN equipment from accessing network resources, and to prevent eavesdropping on the network [14].

MAC filtering
MAC filtering is the process of configuring an access point with a list of MAC addresses that are allowed (or denied) access to the rest of the network. Since MAC addresses travel in the clear in the 802.11 frame header and can be changed on most adapters, a filter only keeps out stations that do not copy an authorized address.
SSID broadcast
The SSID is associated with the access point; it is the network name by which the access point is identified. The access point sends beacon frames at regular intervals so that mobile nodes can learn that the access point exists. Disabling the SSID broadcast removes the name from the beacons, but it still appears in probe responses and association requests, so this only hides the network from casual discovery.
2 MMDS Security Agent Architecture
We developed a multi-agent system (called MMDS) that uses intelligent decision support modules for robust intrusion detection. MMDS (Multilevel Monitoring and Detection System) provides a hierarchical security agent framework in which a security node consists of four different agents (Manager Agent, Monitor Agent, Decision Agent, and Action Agent), as shown in Figure 1. The activities of these agents are coordinated through the Manager Agent during sensing, communicating, and generating responses. Each agent performs a unique function (in coordination with the others) to address the various security issues of the monitored environment.

[Figure 1 shows the four agents of a security node (Manager, Monitor, Decision, Action), their numbered interactions (user interaction, start, anomaly detected, diagnosis and recommendation), the GIDO objects exchanged between them, and the target system.]
Figure 1: MMDS Security Agent Architecture
The Decision Agent consists of a fuzzy inference engine, which can take a robust decision in the presence of abnormalities/intrusions. Since the difference between normal and abnormal activities is not crisp but rather fuzzy, the purpose of the fuzzy system is to capture imprecise and heuristic knowledge. In our current implementation, the Action Agent reports the state of the monitored environment in IDMEF (Intrusion Detection Message Exchange Format). Accordingly, the Action Agent generates alerts, heartbeats, etc. that represent the intrusion/anomalous state, the diagnosis, and the recommended actions. The purpose is to send these objects to other system management devices so that the necessary action can be taken, which may include killing a process, disabling access for a user who is a potential intruder, alerting the administrator about the intrusion, etc.
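The reporting step above, as an added example rather than the paper's Action Agent code: one Decision Agent verdict (attack name, recommended action, and the truth value of the rule that fired) is wrapped in an IDMEF Alert, a Heartbeat is emitted for liveness, and a receiver-side helper pulls the key fields back out. The element order follows RFC 4765 (Analyzer, CreateTime, Source, Target, Classification, Assessment); the analyzer id, addresses, sample timestamp, and the mapping from the paper's response types to IDMEF Action categories are constructed assumptions.

```python
"""Emit an MMDS-style verdict as IDMEF (RFC 4765) Alert and Heartbeat messages.

Added example, not code from the MMDS paper. The analyzer id, the MAC and
IPv4 addresses, the sample timestamp and the mapping from MMDS recommended
actions to IDMEF Action categories are all constructed assumptions.
"""
import datetime as dt
import xml.etree.ElementTree as ET

IDMEF_NS = "http://iana.org/idmef"
ET.register_namespace("idmef", IDMEF_NS)

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_UNIX_OFFSET = 2_208_988_800

# Assumed mapping of the paper's response types onto IDMEF Action categories.
ACTION_CATEGORY = {
    "alert-administrator": "notification-sent",
    "disable-user-access": "block-installed",
    "kill-process": "other",
}

# Constructed sample data used by sample_alert() below.
SAMPLE_TIME = dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc)
SAMPLE_ANALYZER = "mmds-node-01"


def ntpstamp(when: dt.datetime) -> str:
    """RFC 4765 ntpstamp: 32-bit seconds since 1900 and a 32-bit fraction, both in hex."""
    if when.tzinfo is None:
        raise ValueError("IDMEF timestamps must be timezone-aware")
    unix = when.timestamp()
    secs = int(unix) + NTP_UNIX_OFFSET
    frac = int((unix - int(unix)) * (1 << 32))
    return f"0x{secs:08x}.0x{frac:08x}"


def _child(parent, tag, content=None, **attrs):
    el = ET.SubElement(parent, f"{{{IDMEF_NS}}}{tag}", attrs)
    if content is not None:
        el.text = content
    return el


def _message(kind, analyzer_id, created, **attrs):
    """IDMEF-Message root plus the prefix shared by Alert and Heartbeat:
    Analyzer first, then CreateTime, which is the order the schema requires."""
    root = ET.Element(f"{{{IDMEF_NS}}}IDMEF-Message", {"version": "1.0"})
    msg = _child(root, kind, **attrs)
    _child(msg, "Analyzer", analyzerid=analyzer_id, name="MMDS Action Agent")
    _child(msg, "CreateTime", created.isoformat(), ntpstamp=ntpstamp(created))
    return root, msg


def build_alert(message_id, analyzer_id, created, classification, severity,
                confidence, action, source_mac, target_ip) -> str:
    """Wrap one Decision Agent verdict in an Alert and return it as XML text.

    `confidence` is the truth value of the fired fuzzy rule (0..1), carried in
    Confidence rating="numeric"; `action` is the MMDS recommendation.
    """
    root, alert = _message("Alert", analyzer_id, created, messageid=message_id)
    # Source: the wireless station whose traffic was judged anomalous. Only its
    # MAC is reported, since a rogue station need not hold an IP address.
    src = _child(_child(alert, "Source", spoofed="unknown"), "Node")
    _child(_child(src, "Address", category="mac"), "address", source_mac)
    tgt = _child(_child(alert, "Target"), "Node")
    _child(_child(tgt, "Address", category="ipv4-addr"), "address", target_ip)
    _child(alert, "Classification", text=classification)
    assessment = _child(alert, "Assessment")
    _child(assessment, "Impact", severity=severity, type="other")
    _child(assessment, "Action", action, category=ACTION_CATEGORY.get(action, "other"))
    _child(assessment, "Confidence", f"{confidence:.2f}", rating="numeric")
    return ET.tostring(root, encoding="unicode")


def build_heartbeat(message_id, analyzer_id, created, interval_seconds: int) -> str:
    """Liveness message the Action Agent sends when it has nothing to report."""
    root, hb = _message("Heartbeat", analyzer_id, created, messageid=message_id)
    _child(hb, "HeartbeatInterval", str(interval_seconds))
    return ET.tostring(root, encoding="unicode")


def summarize_alert(xml_text: str) -> dict:
    """Receiver side: pull out the fields a management console would key on."""
    root = ET.fromstring(xml_text)
    ns = {"idmef": IDMEF_NS}
    find = lambda path: root.find(path, ns)
    return {
        "analyzer": find(".//idmef:Analyzer").get("analyzerid"),
        "ntpstamp": find(".//idmef:CreateTime").get("ntpstamp"),
        "classification": find(".//idmef:Classification").get("text"),
        "severity": find(".//idmef:Impact").get("severity"),
        "action_category": find(".//idmef:Action").get("category"),
        "confidence": float(find(".//idmef:Confidence").text),
    }


def sample_alert() -> str:
    """An alert for a detected probe, built entirely from the constructed sample data."""
    return build_alert("mmds-0001", SAMPLE_ANALYZER, SAMPLE_TIME,
                       classification="wireless probe (fuzzy rule R1)",
                       severity="medium", confidence=0.4,
                       action="alert-administrator",
                       source_mac="00:11:22:33:44:55", target_ip="192.0.2.10")


if __name__ == "__main__":
    print(sample_alert())
    print(build_heartbeat("mmds-hb-0001", SAMPLE_ANALYZER, SAMPLE_TIME, 60))
```

The rule truth value rides in Confidence rather than in Classification text so that a downstream console can threshold on it without parsing free text; the ntpstamp is computed rather than copied from the ISO time because RFC 4765 requires both and consumers commonly compare on the NTP form.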
2.1 Fuzzy Decision Engine
A fuzzy system is based on the concept of fuzzy logic. In fuzzy logic, an object can belong to a set only partially, so that it both belongs and does not belong to the set at the same time, to different degrees. Fuzzy sets define the linguistic notions in fuzzy logic, and membership functions define the truth-value of such linguistic expressions. Table 1 shows the difference between classic sets and fuzzy sets.
  Fuzzy sets                                           | Classic sets
  -----------------------------------------------------|-------------------------------------------------------
  An object can be partially in a set.                 | An object is entirely in a set or entirely outside it.
  The membership degree takes values between 0 and 1:  | The membership degree takes only two values, 0 or 1:
  1 means entirely in the set, 0 entirely outside it,  | 1 means entirely in the set, 0 entirely outside it;
  and any other value means partially in the set.      | other values are not allowed.
Table 1: Differences between fuzzy sets and classic sets
The degree of membership of each object in the universe of discourse to a fuzzy set defines a function whose domain is the universe of discourse and whose range is the interval [0,1]. That function is called the membership function. Conversely, any function from the universe of discourse to the interval [0,1] can be used as the membership function of some fuzzy set. Figure 2 shows the most commonly used membership function, the triangular membership function.
[Figure 2 plots a triangular membership function: the horizontal axis is the universe of discourse, the vertical axis is the membership degree from 0 to 1.0, and a marked value x reaches membership 0.6.]
Figure 2: Triangular membership function for a fuzzy set
Usually, the universe of discourse is normalized to the range 0.0 to 1.0. A fuzzy space, i.e. a collection of fuzzy sets over the same universe, has to be defined for each monitored parameter and for each deviation indicator. A fuzzy space is shown in Figure 3.
[Figure 3 plots a fuzzy space over a universe normalized to [0.0, 1.0] with five overlapping fuzzy sets, Low, Medium Low, Medium, Medium High and High; the vertical axis is the membership degree from 0 to 1.0.]
Figure 3: Fuzzy space
An atomic fuzzy expression is an expression of the form:

variable is [not] fuzzyset

where variable is a variable that takes values in the universe of discourse, and fuzzyset is the name of a fuzzy set defined by a membership function. The truth-value of the expression is the membership degree of the variable's value in the fuzzy set. Therefore, truth-values are numbers between 0 and 1, where 0 means entirely false, 1 means entirely true, and other values mean partially true. For each classical logic operator (and, or, negation), there is a corresponding fuzzy logic operator:
p AND q = min{p, q}
p OR q = max{p, q}
NOT p = 1.0 - p

Fuzzy rules [7] have the form:

IF fuzzy predicate THEN consequent

where the fuzzy predicate is a predicate built from fuzzy logic operators and atomic fuzzy expressions. Example rules:

IF x is HIGH and y is LOW THEN action3
IF x is MEDIUM and y is HIGH THEN action2

To infer a conclusion from a set of fuzzy rules, the following algorithm is used:
1. Evaluate the antecedent of each rule over the deviation of the parameters.
2. Select the rule with the largest antecedent truth-value.
3. The action to take is the consequent of that rule.

Inference example:
Rules:
R1: IF x is HIGH and y is LOW THEN action3
R2: IF x is MEDIUM HIGH and y is MEDIUM THEN action3
R3: IF x is MEDIUM and y is MEDIUM LOW THEN action1
Variable values: x is 0.7 and y is 0.3
Degrees of membership: x in HIGH is 0.2, x in MEDIUM HIGH is 0.7, and x in MEDIUM is 0.3; y in LOW is 0.4, y in MEDIUM LOW is 0.8, and y in MEDIUM is 0.4
Rule truth-values: R1 = min{0.2, 0.4} = 0.2, R2 = min{0.7, 0.4} = 0.4, and R3 = min{0.3, 0.8} = 0.3
Chosen rule: R2 (the largest truth-value)
Conclusion: action3

Since the difference between normal and abnormal activities is not crisp but rather fuzzy, this module can reduce false signals when determining intrusive activities. The purpose of this component is to use imprecise and heuristic knowledge to describe the state of the system as normal, as a specific attack (if the attack is known), or just as an attack (if the attack is unknown). The imprecise knowledge is represented using fuzzy logic, which allows vague concepts such as 'small' or 'high' to be represented. The fuzzy rules are specified in an XML file. The format of this file is defined by the following DTD (Document Type Definition):
]>
This is an example rules file:
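The membership functions of Figures 2 and 3, the min/max/1-p operators, and the three-step inference procedure above, as an added example that is not the paper's implementation (whose rules live in the XML file mentioned above). The breakpoints 0, 0.25, 0.5, 0.75 and 1.0 of the five-set fuzzy space and the monitored values x = 0.85, y = 0.1 are assumptions chosen to match the figures; the PAPER_RULES and PAPER_DEGREES data reproduce the paper's own inference example exactly.

```python
"""Fuzzy rule evaluation in the style of the MMDS Decision Agent.

Added example, not code from the paper. The fuzzy-space breakpoints and the
monitored values fed to fuzzify() are assumptions; PAPER_RULES and
PAPER_DEGREES restate the paper's inference example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Membership = Callable[[float], float]
Degrees = Dict[str, Dict[str, float]]  # variable -> fuzzy set name -> degree


def triangular(a: float, b: float, c: float) -> Membership:
    """Triangular membership with feet at a and c and peak at b (a <= b <= c).
    a == b or b == c gives the shoulder shapes at the ends of the universe."""
    def mu(x: float) -> float:
        if x < a or x > c:
            return 0.0
        if x < b:
            return (x - a) / (b - a)
        if x > b:
            return (c - x) / (c - b)
        return 1.0
    return mu


# Fuzzy space of Figure 3 over a universe normalized to [0, 1].
# Breakpoints are an assumption: the paper does not give them numerically.
SPACE: Dict[str, Membership] = {
    "LOW": triangular(0.0, 0.0, 0.25),
    "MEDIUM LOW": triangular(0.0, 0.25, 0.5),
    "MEDIUM": triangular(0.25, 0.5, 0.75),
    "MEDIUM HIGH": triangular(0.5, 0.75, 1.0),
    "HIGH": triangular(0.75, 1.0, 1.0),
}


def fuzzify(values: Dict[str, float], space: Dict[str, Membership] = SPACE) -> Degrees:
    """Turn each monitored deviation into its membership degree in every fuzzy set."""
    return {var: {name: mu(x) for name, mu in space.items()} for var, x in values.items()}


# Fuzzy counterparts of the classical connectives, as defined in the paper.
def f_and(p: float, q: float) -> float: return min(p, q)
def f_or(p: float, q: float) -> float: return max(p, q)
def f_not(p: float) -> float: return 1.0 - p


# A fuzzy predicate is a nested tuple:
#   ("is", var, set)   ("not", e)   ("and", e1, e2)   ("or", e1, e2)
Expr = Tuple


def truth(expr: Expr, degrees: Degrees) -> float:
    """Truth value of a fuzzy predicate given the membership degrees."""
    op = expr[0]
    if op == "is":
        _, var, fset = expr
        if fset not in degrees[var]:
            # A rule naming a set the fuzzy space does not define is a rule-file
            # error; failing loudly beats silently scoring it as 0.
            raise KeyError(f"{var} has no fuzzy set {fset!r}")
        return degrees[var][fset]
    if op == "not":
        return f_not(truth(expr[1], degrees))
    if op == "and":
        return f_and(truth(expr[1], degrees), truth(expr[2], degrees))
    if op == "or":
        return f_or(truth(expr[1], degrees), truth(expr[2], degrees))
    raise ValueError(f"unknown operator {op!r}")


@dataclass(frozen=True)
class Rule:
    name: str
    antecedent: Expr
    consequent: str  # the action to recommend


def infer(rules: List[Rule], degrees: Degrees) -> Tuple[Optional[str], Optional[str], float]:
    """The paper's three steps: score every antecedent, pick the rule with the
    largest truth value, and return (rule name, its consequent, truth value).
    Ties go to the earlier rule (max() keeps the first maximum). The guard for
    the case where no antecedent is true at all is an addition: nothing fires."""
    scored = [(truth(r.antecedent, degrees), r) for r in rules]
    best_truth, best = max(scored, key=lambda s: s[0])
    if best_truth == 0.0:
        return None, None, 0.0
    return best.name, best.consequent, best_truth


# The paper's inference example, restated as data.
PAPER_RULES = [
    Rule("R1", ("and", ("is", "x", "HIGH"), ("is", "y", "LOW")), "action3"),
    Rule("R2", ("and", ("is", "x", "MEDIUM HIGH"), ("is", "y", "MEDIUM")), "action3"),
    Rule("R3", ("and", ("is", "x", "MEDIUM"), ("is", "y", "MEDIUM LOW")), "action1"),
]
# Membership degrees exactly as the paper states them for x = 0.7, y = 0.3.
PAPER_DEGREES: Degrees = {
    "x": {"HIGH": 0.2, "MEDIUM HIGH": 0.7, "MEDIUM": 0.3},
    "y": {"LOW": 0.4, "MEDIUM LOW": 0.8, "MEDIUM": 0.4},
}

if __name__ == "__main__":
    print(infer(PAPER_RULES, PAPER_DEGREES))  # ('R2', 'action3', 0.4)
    # Assumed monitored values: x clearly HIGH, y clearly LOW, so R1 fires.
    print(infer(PAPER_RULES, fuzzify({"x": 0.85, "y": 0.1})))
```

Two details matter operationally. Because the engine selects a single rule by maximum truth value, two rules that tie are separated only by their order in the rule file, so the order of rules with different consequents is part of the policy. And the engine should never let a mistyped set name in a rule evaluate as degree 0, which would make that rule silently unfireable; the KeyError above is the check for that.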