Security in a Autonomous Multi-Agent System
An Intrusion Detection Mechanism

Nathan Gnanasambandam and Soundar R.T. Kumara
Marcus Department of Industrial and Manufacturing Engineering
Pennsylvania State University, University Park, PA 16802
{gsnathan, skumara}@psu.edu

Abstract— This research identifies and analyzes ways that ensure the secure operation of a multi-agent system (MAS) on an untrusted host. Because of the propensity of the malicious host to spy and leak usage patterns, block useful work and feed false or misleading information, it becomes necessary for the software agent to detect intrusions and protect its security. While enabling secure transactions on a malicious host is considered one of the most challenging problems in mobile agent security, ideas such as code obfuscation, time-limited black-box security, and alternating usage of secure hardware can be found in the literature. The goal of this project is to design a simple protocol that utilizes a combination of the aforementioned ideas in conjunction with some novel ideas in code/data separation, trust-establishment and a probabilistic method to mask legitimate data transmission and interaction patterns, to demonstrate that certain levels of security can be achieved in a malicious environment.

Index Terms— Multi-Agent Systems, Security, Intrusion Detection.

I. INTRODUCTION

Since mobile agents move from computer to computer, carrying data (e.g. cryptographic keys) and capabilities (e.g. code and policies) is often problematic. Both the capabilities and the data needed for execution have to be secured. Furthermore, if the node on which the agent operates is malicious, executing secure transactions may in some situations become infeasible [1]. Most agent frameworks that are used to design agents for untrusted environments provide an unclear statement of their meaning of security. Although there is the mention of commercial grade security (snoop-proof and tamper-proof properties through encryption), there may still be issues relating to leakage or denial of service when an agent is operating within the scope of an untrusted host. A large portion of security research focuses on systems that have a trusted back-end or operating system. In the mobile agent paradigm this assumption is not feasible, i.e. the untrusted host is assumed to be the default. The primary question that is posed in this research is as follows. What properties/strategies should the mobile agent system possess and/or implement in order to provide security in an untrusted host? As a solution, this research proposes an intrusion detection heuristic that enables the delineation of specific intrusions in a distributed multi-agent system (DMAS).

A. Problem Statement

The literature is divided on the notion of whether or not confidentiality and integrity can be provided on an untrusted host. We consider a distributed multi-agent system of which certain components are forced to function on hosts that are suspect. The problem is that most MASs are unable to detect whether or not the suspect host is attacking the integrity and confidentiality of the agent that resides on it. In other words, when we consider the usual principals in communication, namely Alice and Bob, Alice being an agent located on a secure host and Bob being potentially co-located on the suspect host along with Mallory, the challenge is to detect if Mallory is attacking Bob. This notion of Bob+Mallory is somewhat different from many security problems where the operating system or infrastructure is usually a trusted computing base (TCB).

B. Research Objective

The goal of this research is to propose an intrusion detection heuristic for detecting integrity and confidentiality attacks on the suspect host. A hierarchy of agents is assumed that, when inter-connected, delivers the functionality of logistics planning and execution. Within the hierarchy, there are agents that are secure and ones that need to be monitored because they are untrusted. A number of theoretical techniques have been found in the literature, and a brief taxonomy of techniques and the properties they assure is elaborated in Section II. To accomplish the detection of intrusions on the suspect host, a heuristic has been employed that uses ideas such as code-obfuscation, hybrid usage of secure/untrusted hardware and a variant of the time-limited black box security notion [2]. Results from empirical simulations have also been provided to justify the claims.

The structure of this paper is organized as follows. Section II describes and categorizes the work related to this area of providing security to multi-agent systems.
The solution methodology has been explained in Section III along with empirical results. We conclude by discussing some of the main ideas and future work in Section IV.

II. RELATED WORK

A host of techniques for providing various levels of security are available in the literature. Protection mechanisms
range from passive avoidance techniques to actively providing as many attributes of security (such as confidentiality, integrity or execution privacy) as possible on the remote host for the application under consideration. A detailed classification of the various levels of security that can be implemented to counter a malicious host is provided in [1]. Because it is clear that none of the mechanisms address all of the issues (for security attacks by malicious hosts refer to [2]), several techniques may have to be used in parallel. To provide some context as to what functionality an intrusion detection mechanism may provide, a further elaboration of the representative methods of DMAS security (as in [1]) is provided below.

A. Avoidance

Avoidance can be viewed as a preventive or precautionary measure to provide some measure of security in the malicious host problem. Statistics on the “trustworthiness” of hosts could be maintained and leveraged by the agent owner node to make decisions about whether or not to dispatch an agent to a questionable node (social control). This soft mechanism could in some applications be sufficient, as claimed by Rasmusson and Jansson [3]. On the one hand, this class of methods does not really solve the security issues for more demanding applications. On the other hand, once an intrusion is detected, this method can be resorted to, as mobile agents are equipped to abandon physical resources that do not satisfy their security requirements.

B. Data Protection

Conventional security principles such as cryptography, signing and certificates could be utilized in part to ascertain that data is not tampered with until it reaches the desired destination. However, the malicious node may still be able to view the contents upon receipt at the destination, thereby compromising the confidentiality. Although some of the aforementioned cryptographic methods could be adopted, it appears that data protection can only be used in conjunction with other protection levels.
Because of the broad nature of conventional practices for data protection, examples for this mechanism are not discussed. In our set-up, the infrastructure (i.e. Cougaar [4]) does provide this security service.

C. Execution Integrity

The malicious host may feed the agent with bad information or not cooperate even in situations conducive to cooperation, thereby causing stalls or misjudgements in the agent’s task structure or decision making. Hence security measures have to ascertain if the output of computation is in accordance with the designed methodology or accuracy levels. Vigna [5] proposes cryptographic traces as a post-mortem method for determining if the agent has been performing the intended activities. By marking an execution statement as white (statement involving the agent’s internal variables only) or black (statements involving external input), and
recording the output from the statements for historical purposes, claims could be made on whether the agent in its untampered form would or would not have performed an execution leading to the output under question. While costly mechanisms can be utilized to ensure integrity, often using a combination of trusted and untrusted hosts suffices because of the usage of the DMAS as one combined computing entity (as in Ultra*Log [6]).

D. Execution Privacy

Although the above measures relate to providing desirable security attributes, protecting the code and data of an agent at an alien location is of prime concern. The methodologies that provide privacy include code obfuscation, function hiding or indirect methods for key generation. The main idea is to disable or delay the attacker (the host) from discovering what the agent is doing or what it contains.

Riordan and Schneier [7] introduce the concept of environmental key generation, which relates to generating a key that is hidden as H(N) (hash of an observation N) in the environment. For instance, the environment could be a Usenet group or a web-server that contains a steganographic stash of the key. The agent carries with it the hash of H(N) (which is equal to M) as well as the method to search the environment. Although the malicious host may discover that the agent is searching for the key in the environment, it still needs to figure out what the observation N is before discovering the key H(N). In other words, the agent masks its activation and key generation by using data hidden somewhere in the public domain.

Page et al. [8] describe a self-executing security examination as a method to ensure the code (and some data) of a MAS has not been tampered with. This self checking mechanism would run a scan on itself frequently to verify if the result of the scan matches a digital signature issued by the agent owner.
Although the authors portray this method’s independence from environmental factors for activation as an advantage, the attacker could easily forge the signature or provide a false result if the scan algorithm is not sufficiently obfuscated.

The idea of computing with encrypted functions is described by Sander and Tschudin [9, 10], although it seems like this idea has existed for some time in relation to data and circuits [11]. This method involves using encrypted functions (homomorphic or composable functions) rather than using plain-text data in the program and then transmitting the computation of the functions in the clear. The belief is that the attacker would not be able to figure out the program’s function. This methodology is novel but suffers from the disadvantage that beyond a small class of encryptable functions (such as polynomials and rational functions) we may run into implementation issues. A similar technique has been described for information hiding by Loureiro and Molva [12] using error correcting codes rather than encryption of data as above.

By further extending the encrypted functions idea and incorporating a third-party secure computation service
(trusted computing base), Algesheimer et al. [13] introduce the concept of cryptographic security for mobile code. The previous approach (i.e. [9]) is a software-only approach and shares some results with the untrusted host. But in situations where virtually no result of computation must be known to the potentially malicious host, the idea of using a trusted third party may be utilized. This third party does not learn anything from the computation and could be simultaneously used by several agents, which in some ways is analogous to public-key infrastructure (PKI).

Code obfuscation (by adding “mess-up code”), which deals with hiding the intention of the agent, albeit for a limited amount of time, could be used effectively to protect the privacy of an agent [14]. This idea has been effectively introduced by Hohl [14] as time-limited black-box security, which implies that for a period less than the expiration time no data or code can be subjected to read or manipulation attacks. If, however, the attacks persist after the expiration period elapses, the attacks may have no effect because the agent shrinks to a state that is useless to the malicious host. By using code obfuscation with some form of collaborating agents (with some bogus agents), the task of figuring out the true intentions of the agent system could be further delayed [15]. Such a mechanism, which could be made light-weight and adaptive, would be applicable in large-scale DMASs (such as Ultra*Log [6]) where hierarchy and collaboration are mandatory for useful computation, especially in association with intrusion detection heuristics to trigger adaptivity.

III. SOLUTION METHODOLOGY

The solution that has been proposed is that of an intrusion detection heuristic to isolate patterns of malicious activity on the part of the host. This section provides the architecture of the solution methodology as well as some results from empirical studies.
While this heuristic is expected to perform in unison with other pattern isolation mechanisms, it has been designed to perform well in specific situations. Hence, it becomes necessary to examine situations that can be seen as the weaknesses of the heuristic, a situation mitigated by the fact that in an actual scenario, the heuristic will function on a robust platform along with other procedures to tackle the other weaknesses. This section also analyzes certain scenarios that may be exploited as weaknesses.

A. Architectural Framework

The proposed mechanism in this research has been tested on the DARPA Cougaar agent development platform [4]. Cougaar [4] is an agent framework for large-scale logistics networks such as Ultra*Log [6]. The Continuous Planning and Execution (CPE) agent system has been built on this framework and is a testbed for performance, security and robustness experiments. The main scope of this paper, however, is to concentrate on the security aspect of CPE, going beyond traditional security mechanisms based on hashing and encryption primitives (protecting on-the-wire transfer). While Cougaar [4] does support these primitives, notions of an untrusted host, a network with partial trustworthiness or
Fig. 1. Superior-subordinate pair in security framework
intrusion detection are aspects that are not deeply explored within Cougaar [4]. The primary structure for the intrusion detection methodology is a two-layered hierarchy that mimics (superior-subordinate) pairs of command and control structures in military logistics. This structure is depicted in Fig. 1, where both secure and untrusted parts of the network are shown for the monitoring process. The agent on which Bob and Mallory are co-located is monitored for suspicious activity using a time-series of round-trip times (RTTs) for a (bogus) set of packets. Alice is the hierarchically superior agent that intersperses the work packets with the (bogus) security packets that are utilized for monitoring. Alice maintains the time-series and also runs integrity checks using another agent, Bob_secure, as a reference agent, which is in pretty much the same habitat as Bob and Mallory.

B. Main Assumptions

The heuristic relies on the fact that, in spite of network jitters, malicious activity on the suspect host consumes a finite and perceivable amount of work. This activity results in a detectable number of spikes/surges in time-consumption that can be monitored in Alice. Coupled with the facts that only packets of certain types (unknown to Mallory) are monitored, that other heuristics are present to detect any monotonous types of intrusion, and that a reference agent also exists in the same environmental conditions (exhibiting delays, delay-jitters etc.), we assume that the surges of activity can be isolated and compared against the reference agent. The activities can be thought of as the time required to decrypt packets that are destined for Bob, snoop on memory and process boundaries belonging to Bob, and run some brute-force attacks to understand the internal working of Bob. Since Mallory is, or is part of, the untrusted host, she is assumed to have access, or to be able to gain access through some of the work mentioned above, to Bob’s information including keys.
The idea of maintaining a time-series in Alice corresponding to Bob and Bob_secure to isolate intrusion-denoting surges of activity is depicted in Fig. 2.

C. Methodology Details

The key sequence of activities in this detection methodology is illustrated in Fig. 3. The salient steps in the methodology are described below:
Fig. 2. Time-series of activities in Bob and Bob-secure
• A set of trusted and untrusted (to be monitored) hosts are available. At least one secure reference host is available for each suspect host.
• The agents distributed among the different hosts are performing the job of logistics planning and execution. Intrusion detection is but a thread of activity that continues in parallel. So work packets are interspersed with security packets. The intruder has to perform several time-consuming activities or collude in complex ways to conclude, often erroneously, any order in which work and security packets are mixed.
• The notion of Bob_secure also has a probabilistic nature associated with it, i.e. the identity of Bob_secure may change in time. Also, packets to Bob_secure are both occasional (following a threshold policy that obeys a Uniform distribution, say p_send > 0.3) and adaptive (i.e. p_send may increase if the indicators of intrusion become more visible).
• Certain patterns such as spikes, surges and similarities are analyzed in a statistical and AI (artificial intelligence) sense so as to determine an indicator of an intrusion. An intuitive meaning of pattern identification has been suggested in this paper. A deep analysis is outside the scope of this paper, although a pattern is defined on the basis of a rule which depends on the number of positive indicator values. Once a threshold on the number of positive indicators has been hit, an intrusion is said to have occurred with a certain probability. The arguments of the Bayesian fallacy as applied to any intrusion detection mechanism are also valid here [16]. Hence, we do not rule out the existence of false positives. Often, the thresholds are domain- and time-sensitive, hence making the determination of this variable a result of empirical analysis.
• Once an intrusion has been detected, among other things, two possibilities exist as counter-measures. Since the agents are mobile, they can be withdrawn from Mallory, or the agent can sink to a state that emulates a black-box in the sense defined in [14]. If the number of indicators is below the threshold limit, for purposes of not declaring a false positive, we wait and go back to identifying anomalies. Checks on the integrity of packets received back are also
Fig. 3. Flowchart of the intrusion detection mechanism
simultaneously conducted to aid in the overall process.

The key ideas that have been utilized in this work include that of code-obfuscation from the standpoint of using time-limited black-box security and hybrid schemes of host configurations [14, 15].

D. Empirical Results

1) Experiment Set-up: The experiment consisted of three distributed agents that were exchanging work and security packets between each other. The work stream consisted of several classes of packets between which the security packets were randomly inserted. This can be seen as a variant of “mess-up code” [15] that cannot be easily figured out by the intruder. The key observable we consider for monitoring is the round trip time (RTT) of the security packets. Considering that RTT is closely related to the response time of a command and control loop in military logistics scenarios, using RTT is not a bad assumption.

For the purpose of demonstration, we used a mixture of secure (Alice and Bob_secure) and insecure (Bob) agents. Alice, the superior agent, utilizes a subordinate agent as a reference for stress conditions in the vicinity of the (possibly) insecure agent Bob. Of course, Alice can act as a reference itself in the absence of Bob_secure. Bob_secure would be viewed as a bogus agent by the intruder, Mallory, while Alice would be Bob’s collaborating agent. The attack is carried out on Bob’s host using a separate plug-in which we assume has access to the data in the agent blackboard. Our aim is to see if and how soon Alice can detect that its data is compromised.

We introduce two types of probabilistic attacks, namely the confidentiality_attack and the integrity_attack. In the confidentiality_attack, the intruder spies on the data, leading to confinement issues [17]. In the integrity_attack, the intruder manipulates the data or supplies incorrect results to Bob. Both of these attacks can be detected successfully by using the reference agent.
Fig. 4. Intrusion detection in Alice from the time-series
Fig. 5. Actual attacks (cumulative) initiated by Mallory
We set a threshold for flagging the intrusion (which is 3 in this case) and maintain logs of the observable RTT for security packets within Alice. If an intrusion is flagged, Bob is signaled to move to a black_box state [14].

2) Results: The results in Fig. 4 and Fig. 5 show that intrusions are successfully identified for a case where the actual intrusion by Mallory is according to probabilities p_confidentiality_attack = 0.2 and p_integrity_attack = 0.1. The threshold for identifying an intrusion has been set to three. According to Fig. 4, there are three places where the system suspects an intrusion based upon the disparity between expected and actual observed RTTs. The system maintains a counter for this type of observation and flags an intrusion if the threshold is exceeded. Since sending packets to Bob_secure continuously is seen as a performance inhibitor, the associated packet dispatch probability is adaptive and is increased in case of heightened levels of perceived threats. In this case it has been set as p_packet_dispatch_probability = 0.3. The diagrams show both the detection process at Alice as well as the number of attacks by Mallory. Notice that not all the attacks are detected. There could be some false calls as well as some areas in which a call cannot be made because of lack of reference data points.
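
The detection loop described in the methodology and experiment above, as an added example in Python (not the authors' Cougaar implementation): Alice logs the RTT of each security packet, compares Bob against Bob_secure, counts indicators and moves Bob to the black-box state once the threshold is hit. The threshold and probabilities are the paper's; the RTT magnitudes, surge margin, dispatch step, the integrity flag and all class and function names are assumptions.

```python
import random
from dataclasses import dataclass
from typing import List, Optional

# Values stated in the paper's experiment.
THRESHOLD = 3                  # indicators needed before an intrusion is flagged
P_DISPATCH = 0.3               # initial probability of also probing Bob_secure
P_CONF, P_INTEG = 0.2, 0.1     # Mallory's per-packet attack probabilities

# Assumed values (not from the paper); attack cost exceeds margin + 2 * jitter.
BASE_MS, JITTER_MS, MARGIN_MS = 20.0, 3.0, 10.0
SPY_MS, TAMPER_MS = 20.0, 25.0  # extra time an attack adds to Bob's RTT
DISPATCH_STEP = 0.2             # growth of the dispatch probability per indicator

@dataclass
class Sample:                         # one security-packet exchange logged by Alice
    rtt_bob: float                    # RTT of the probe sent to Bob (ms)
    rtt_ref: Optional[float] = None   # RTT from Bob_secure, None if not probed
    echo_ok: bool = True              # Alice's integrity check on Bob's reply

@dataclass
class Detector:
    threshold: int = THRESHOLD
    margin_ms: float = MARGIN_MS
    p_dispatch: float = P_DISPATCH
    indicators: int = 0
    state: str = "monitoring"         # becomes "black_box" once flagged

    def observe(self, s: Sample) -> str:
        if self.state == "black_box":
            return "ignored"          # Bob is no longer exposed to the host
        if not s.echo_ok:
            verdict = "indicator"     # tampered or incorrect reply
        elif s.rtt_ref is None:
            verdict = "no_reference"  # no call without a reference data point
        elif s.rtt_bob - s.rtt_ref > self.margin_ms:
            verdict = "indicator"     # surge that the reference host does not share
        else:
            verdict = "normal"
        if verdict == "indicator":
            self.indicators += 1
            # Adaptive step: probe the reference more often as the threat rises.
            self.p_dispatch = min(1.0, self.p_dispatch + DISPATCH_STEP)
            if self.indicators >= self.threshold:
                self.state = "black_box"
                verdict = "intrusion"
        return verdict

def run_trace(trace: List[Sample], det: Detector) -> List[str]:
    return [det.observe(s) for s in trace]

def simulate(rounds, p_conf, p_integ, det, rng):
    """Return (round at which the intrusion was flagged or None, attacks launched)."""
    attacks = 0
    for t in range(rounds):
        load = rng.uniform(0.0, 30.0)       # delay both hosts experience alike
        cost, echo_ok = 0.0, True
        if rng.random() < p_conf:           # confidentiality_attack: spying takes time
            cost, attacks = cost + SPY_MS, attacks + 1
        if rng.random() < p_integ:          # integrity_attack: the reply is altered
            cost, attacks, echo_ok = cost + TAMPER_MS, attacks + 1, False
        rtt_bob = BASE_MS + load + cost + rng.uniform(-JITTER_MS, JITTER_MS)
        rtt_ref = None
        if rng.random() < det.p_dispatch:   # occasional, adaptive reference probe
            rtt_ref = BASE_MS + load + rng.uniform(-JITTER_MS, JITTER_MS)
        if det.observe(Sample(rtt_bob, rtt_ref, echo_ok)) == "intrusion":
            return t, attacks
    return None, attacks

# Constructed RTT log in ms (not measurements from the paper).
TRACE = [
    Sample(31.0, 30.0),                 # tracks the reference
    Sample(52.0, None),                 # surge, but no reference packet was sent
    Sample(55.0, 33.0),                 # surge absent on Bob_secure
    Sample(29.0, 28.5),
    Sample(34.0, 32.0, echo_ok=False),  # timing normal, reply fails the check
    Sample(61.0, 35.0),                 # third indicator
    Sample(30.0, 29.0),                 # arrives after Bob was blacked out
]

if __name__ == "__main__":
    print(run_trace(TRACE, Detector()))
    print(simulate(200, P_CONF, P_INTEG, Detector(), random.Random(7)))
```

The second sample in the constructed log shows the "call cannot be made" case from the results: a surge on Bob goes uncounted because no reference packet was dispatched in that round.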

E. Possible Pitfalls

There could be some pitfalls if this heuristic is not used cleverly with other specialized procedures. One of them is as follows: if Mallory decides to artificially inflate the time required to execute a packet every time a packet is received (of course, it has to first determine which packets it needs to inflate in the mix of work and security packets), it could sometimes mask the actual time taken to process the packet. Alternatively, if Mallory keeps dropping packets of specific types, she could keep sending the wrong signals to Alice, resulting in false positives every time. The comforting aspect is that Alice could decide that the node is unreliable and move Bob anyway. A certain degree of node reliability and the accompanying desire on Mallory’s part to project the node as a good candidate for computing is a pre-requisite for Alice to put Bob on Mallory. So it is in Mallory’s interest to project its node as an ideal candidate, failing which it will be rejected on the grounds of performance before security comes into play.

IV. CONCLUSIONS AND FUTURE WORK

The contribution of this work is to have implemented an intrusion detection heuristic in the context of MASs, whose requirement is typically ignored in this area. Often, the light-weight requirement outweighs the need for a robust security procedure’s deployment. But with growing concerns of security, especially with reference to confinement issues in MASs, the necessity to harden traditional methods is rapidly becoming important. This work embodies, to the knowledge of the author, the first attempt to embed some heuristics of intrusion detection in MASs and hence extends the conventional security in this promising domain. A quick recapitulation of the key ideas used in this work includes the following:

• Employ hybrid infrastructure strategies: Involve computation on both secure as well as untrusted hosts.
• Utilize code-obfuscation: Probabilistically mix bogus data and destinations with real data and destinations.
• Use Pattern Identification: Use statistical / AI methods to isolate patterns within the trust group (mostly superiors) to watch out for the subordinates. Possibly utilize a reference host to mimic similar environmental conditions as the suspect host.
• Employ agent-migration or time-limited black-box security: On detection of a malicious host, abandon the host or sink to a black-box state [14].
• Adaptivity: Due to performance constraints, trade off security procedures (frequency of sending bogus packets to the host to be monitored and bogus destinations such as reference hosts) to meet performance objectives and vice-versa.

The main lesson that has been learnt as part of this work is that intrusion detection can be employed to offer certain levels of security. That does not mean that this procedure is a panacea for all problems, but merely that effectiveness depends on simultaneous usage of other traditional (encryption, hashing) / non-traditional strategies
(other accompanying heuristics) as well. With the increased usage of multi-agent frameworks providing a concrete MAS infrastructure, it becomes easier to provide these intrusion detection heuristics as a service. Furthermore, the mobility of agents as well as the combined resources of the entire grid of agents acting as a coordinated team favors the argument of considering potentially performance-intensive security measures. The risk levels that can be tolerated dictate what and how many of these procedures can be employed simultaneously. Often, empirical studies are necessary before successful field deployments. This work proposes some novel strategies, but more use cases and tests are necessary to identify potential weaknesses and companion heuristics that would enhance the robustness of this procedure. Another line of future work could encompass self-learning mechanisms to augment settings from empirical studies.

ACKNOWLEDGMENT

The work described here was performed under the DARPA Ultra*Log Grant#: MDA972-1-1-0038. The authors wish to acknowledge DARPA for their generous support. The authors wish to thank Dr. Patrick McDaniel for his insights and comments.

REFERENCES

[1] J. Claessens, B. Preneel, and J. Vandewalle, “How can mobile agents do secure electronic transactions on untrusted hosts? a survey of the security issues and the current solutions,” ACM Transactions on Internet Technology, vol. 3, no. 1, pp. 28–48, 2003.
[2] F. Hohl, “A model of attacks of malicious hosts against mobile agents,” Fourth Workshop on Mobile Object Systems (MOS98): Secure Internet Mobile Communications, 1998.
[3] L. Rasmusson and S. Jansson, “Simulated social control for secure internet commerce,” Proceedings of the ACM Workshop on New Security Paradigms, 1996.
[4] “Cougaar open source site,” http://www.cougaar.org. DARPA.
[5] G. Vigna, “Cryptographic traces for mobile agents,” Mobile Agents and Security, vol. 1419, pp. 137–153, 1998.
[6] “Ultralog program site,” http://www.ultralog.net. DARPA.
[7] J. Riordan and B. Schneier, “Environmental key generation towards clueless agents,” Mobile Agent and Security, 1998.
[8] J. Page, A. Zaslavsky, and M. Indrawan, “Countering security vulnerabilities in agent execution using a self executing security examination,” Autonomous Agents and Multi Agent Systems, 2004.
[9] T. Sander and C. F. Tschudin, “Protecting mobile agents against malicious hosts,” Mobile Agent Security, Lecture Notes on Computer Science, February 1998.
[10] T. Sander and C. F. Tschudin, “Towards mobile cryptography,” Proceedings of the IEEE Symposium on Security and Privacy, 1998.
[11] M. Abadi and J. Feigenbaum, “Secure circuit evaluation,” Journal of Cryptology, 1990.
[12] S. Loureiro and R. Molva, “Function hiding based in error correcting codes,” Proceedings of the CryptTEC International Workshop on Cryptographic Techniques and Electronic Commerce, 1999.
[13] J. Algesheimer, C. Cachin, J. Camenisch, and G. Karjoth, “Cryptographic security for mobile code,” Proceedings of the IEEE Symposium on Security and Privacy, vol. 2, no. 11, 2001.
[14] F. Hohl, “Time limited blackbox security: Protecting mobile agents from malicious hosts,” Mobile Agents and Security, 1998.
[15] S.-K. Ng and K.-W. Cheung, “Intension spreading: An extensible theme to protect mobile agents from read attack hoisted by malicious hosts,” Intelligent Agent Technology: Systems, Methodologies and Tools: First Asia-Pacific Conference on Intelligent Agent Technology (IAT 99), 1999.
[16] S. Axelsson, “The base-rate fallacy and its implications for the difficulty of intrusion detection,” The Sixth ACM Conference on Computer and Communications Security, pp. 1–7, 2000.
[17] B. W. Lampson, “A note on the confinement problem,” Communications of the ACM, vol. 16, no. 10, pp. 613–615, 1973.