the large Windows activities and the in- ... framework installed on the network server. The HIP component operates in - side the .... Monitor some kernel-mode.
Surviving cyber warfare with a hybrid multiagent-based intrusion prevention system © PHOTODISC & BRAND X PICTURES
Mohamed Shouman, Amani Salah, and Hossam M. Faheem
W
e have entered a new age of cyber warfare that threatens the survival and reliability of e-organizations. This threat necessitates developing a new generation of security solutions that are able to provide instantaneous in-line layered preemptive protection. Developing such a security solution is a challenge, since threats against e-organizations have increased in number and sophistication, to the point where many security experts believe that the situation is out of control. Successful network attacks follow the life cycle as shown in Fig. 1. The first two stages are highly subject to reconnaissance. The last three stages involve the most harmful malicious activities (mal-
Digital Object Identifier 10.1109/MPOT.2009.935611
32
0278-6648/10/$26.00 © 2010 IEEE
wares) that an attacker can perform. Malware (malicious software) is a generic term used to describe any program that is inserted into the system, with the intent of compromising the confidentiality, integrity, and privileges of the operating system, such as viruses, worms, rootkits, and others. Intrusion prevention systems (IPSs) introduce the technology that enables the network and its hosts to defend themselves with the intelligence to accurately identify and block malicious traffic and activities. To determine which IPS delivers an accurate and preemptive protection, it must have superior characteristics in the following areas: 1) Performance: the ability to perform transparently without disrupting normal operations. Prevention actions must occur in real time. IEEE POTENTIALS
2) High protection level: providing a high level of protection requires many protocol identifications and careful analysis and understanding for operating systems. 3) Research: powerful intrusion prevention is based on up-to-the-second updates that keep pace with the changing threat landscape. 4) 24/7 monitoring: Effective monitoring requires active 24/7 monitoring. IPSs are classified based on the operating platform and detection technologies. The operating platform classifies the IPS products into: host intrusion prevention systems (HIPS) and network intrusion prevention systems (NIPS). NIPS inspect the network traffic to detect malicious packets and connection sessions. HIPS rely on software agents installed on network hosts to protect them against malwares. Detection technologies classifications vary between signature based, anomaly based, rule based, behavioral based and others. The deficiency of centralized network security solutions leads to the idea of using multiagent systems. Multiagent systems have received increasing interest as a new means of designing and building complex software systems, particularly networked and distributed systems. This is due to its flexibility and autonomy that provide lightweight and efficient solutions to treat complex problems. In multiagent systems, there is no central point of failure, where centralized network systems are not scalable, because under heavy network load the system suffers from poor performance. Using multiagent paradigms to implement and develop network security solutions result in the following features: • Reduced network load . Mobile agents eliminate the need of transferring a huge amount of data, where the agent can migrate, containing the processing code, since an agent is smaller than the processed data. • Overcome network latency. Mobile agents are able to migrate from a host to carry out operations, thus the agent provides an appropriate response faster than hierarchical applications, which have to communicate with a central coordinator. • Platform independency. The agent platform allows agents to travel in a heterogeneous environment. Mobile agents can be created, cloned, dispatched, or killed at runtime, as network’s configuration or topology change over time. JANUARY/FEBRUARY 2010
• Fault tolerant. Mobile agents can still act, while their creating platform is unreachable.
Windows into the proposed system The proposed system is implemented inside a Microsoft Windows environment. This framework is a general framework that can be used to protect any object inside the operating system. The security strategy of the proposed system focuses on the protected object behavior rather than threats behavior, where network threats are augmented every day in number, complexity, and creativity, hence the actual behavior of a hacker can’t accurately predict in order to be ahead of it. Focusing on threats behavior may bring a huge number of false positives, affecting the protected system with a bundle of zero-day threats.
(1) Reconnaissance (5) Covering Tracks
(4) Maintaining Access
(2) Scanning
(3) Gaining Access
Fig. 1 Network attacks life cycle.
ables identifying and blocking threats at earlier stages before propagating over the protected network. The proposed system is mainly composed of two multi-agent frameworks: server framework and host framework.
To build an accurate protection system, security experts should carefully select the critical objects inside the operating system that leads to useful monitoring results and a limited number of false negatives.
Subsequently, focusing on the protected objects behavior rather than threats behavior leads to a limited number of false positives and enhances the ability of detecting zero-day attacks. A good picture of Microsoft Windows behavior can be developed by monitoring different components inside the operating system such as user-mode interactions with Windows APIs, Windows registry, and kernel objects and drivers. But maintaining healthy monitoring for the large Windows activities and the installed software packages makes it more difficult to build an ideal normal behavior file for the system. To build an accurate protection system, security experts should carefully select the critical objects inside the operating system that leads to useful monitoring results and a limited number of false negatives. Another important strategy in the proposed system is implementing the defense-in-depth security strategy inside the protection mechanism. Defense-in-depth means defending the protected system in different layers in the network and operating system. Applying such a defense strategy ensures that any threat must bypass by one or more of the defense layers. This en-
Server framework is a multiagent integrated network intrusion prevention (NIP)/host intrusion prevention (HIP) framework installed on the network server. The HIP component operates inside the operating system.
Server framework Server framework is a multiagent integrated NIP/HIP framework. The NIP component focuses on network and packets behaviors by inspecting network traffic. The HIP component focuses on the operating system and applications behaviors. The two components work parallel inside a single platform. Figure 2 shows the server’s framework structure and the agents’ interactions inside the framework. Tables 1 and 2 show the agents’ types, percepts, actions, and goals of the NIP component and HIP component.
NIP component The NIP component operates on the network driver of the external network interface of the server, particularly on the TCP/IP stack. The NIP component starts work by sniffing the traffic from the external interface by the sniffing agent. The sniffing agent communicates 33
NIP Component
HIP Component DB 3
DB 2
Profiles Agent
Update Agent
Registry Agent
Logging Agent
WFP Agent
Attacks Prevention Agent
Malware Prevention Agent
Rule-Based Analysis/ Detection Agent
Kernel Analysis/ Detection Agent
Behavioral Analysis/ Detection Agent
User Analysis/ Detection Agent
Sniffer Agent
Profiles Agent
DB 2 DB 1
Update Agent
Kernel-Mode Monitoring Agent
Broadcasting Agent
User-Mode Monitoring Agent
DB 1
Hosts Advisory Agent
DB 4
Fig. 2 Server framework architecture.
with a kernel driver (sniffer driver) that operates as a hook inside the TCP/IP stack (tcpip.sys) as shown in Fig. 3. The sniffing agent then sends its processed data to the analysis and detection module, which contains two agents that work in parallel: the rule-based analysis and detection agent and the behavior-based analysis and detection agent. These agents don’t concern the
packets’ payload and concern only the packets’ header. The behavior-based analysis and detection agent analyzes captured packets based on a statistical profile that reflects the normal behavior of network flow. This agent focuses on connection-oriented analysis strategy rather than packetoriented analysis strategy. The criteria that are used to build this profile are network
server rush hours, duration of successful connections, total sent and received bytes, average packet size and fragmentation probabilities, number of successful TCP connections, and the number of unsuccessful TCP connections. If the network traffic flow deviates from the normal profile statistical ranges, the behavior-based analysis and detection agent analyzes the connections that deviates to detect attack trials, and then sends the results of the detected deviations to the attack prevention agent to take the appropriate action. The rule-based analysis and detection agent analyzes packets based on a predefined criteria and rules. This agent uses both packet-oriented and connection-oriented analysis strategies. The analysis criteria and rules are obtained from rules engine (DB1) as shown previously in Fig. 2 ; The NIP component by default contains some analysis rules that are described in Table 3 ; these analysis rules can detect most TCP/IP attack trials that target the packets’ header. Another function of the rule-based analysis and detection agent is updating the rules database. If an attack is detected many times in the analysis step from a specific port or IP, this agent sends an update to the access control list (ACL), which are located in the rules database. The ACL contains allow/deny filtering rules for IPs, ports, and payload protocols. The ACL stops traffic from attacking the system without requiring the IPS to consume resources to analyze the traffic. The attacks prevention agent prevents the attacks according to attack’s
Table 1. NIP component agents. Agent
Type
Percepts From
Percepts What
Actions
Goals
Sniffing agent
Simple reflex
TCP/IP stack
Packets
Record and filter captured traffic
Identify network traffic
Behavior-based analysis/ detection agent
Goal based
Sniffing agent
Filtered TCP/IP packets
Analyze filtered TCP/IP packets based on normal profile
Detect attacks based on a statistical normal profile, which describe network normal behavior.
Rule-based analysis/ detection agent
Goal based
Sniffer agent
Filtered TCP/IP packets
Analyze filtered TCP/IP packets based on predefined rules
Detect network attacks based on the detection rules
Attacks prevention agent
Utility based
Analysis and behavior and rule-based detection agents
Detected attacks
Prevent attacks with the suitable action
Prevent attacks by providing the suitable reaction
Logging agent
Simple reflex
Rules and behavioral analysis/detection and malwares prevention agent
Analysis, detection and prevention results
Write to logs database DB3
Record results to be analyzed by IT experts
Update agent
Simple reflex
DB1
Recent updates
Update analysis and detection agents
Make the framework up-to-date
34
IEEE POTENTIALS
Table 2. HIP component agents. Percepts From
Percepts What
Actions
Goals
Model based
OS kernel
Kernel-mode activities
Monitor some kernel-mode activities
Send the monitored activities to analysis agents
User monitoring agent
Model based
WIN32 subsystem
User-mode activities
Monitor some user-mode activities
Send the monitored activities to analysis agents
Kernel analysis/ detection agent
Goal based
Kernel monitoring agent
Kernel-mode activities
Analyze kernel-mode activities and detect deviations from normal profiles
Detect kernel-mode malwares
User analysis/ detection agent
Goal based
User monitoring agent
User-mode activities
Analyze user-mode activities and detect deviations from normal profiles
Detect user-mode malwares
WFP agent
Goal based
WFP service
WFP parameters and DLLs
Monitor WFP parameters to avoid hacking this service
Protect user-mode windows executables
Registry agent
Goal based
Windows registry
Important registry keys
Protect the registry keys values from modifying.
Protect user-mode behavior
Malwares prevention agent
Utility based
User and kernel analysis/detection agents
Detection results
Take the right prevent action, and write it the logs database DB3
Prevent malwares
Logging agent
Simple reflex
User and kernel analysis and malwares prevention agents
Analysis, detection and prevention results
Write to Logs database DB3
Record results to be analyzed by IT experts
Update agent
Model based
DB1
Recent updates
Update analysis and detection agents
Make the framework up-to-date
Profiles agent
Model based
DB2
Analyzed object normal profile
Send the profile to the user and kernel analysis/ detection agents
Supply user and kernel analysis/ detection agents with the needed information
Agent
Type
Kernel monitoring agent
severity, which is decided in the detection and analysis phase. This agent is the simplest one because it’s always a reaction for the detection agent. The prevention actions may be one of the following: drop packet, blocking port or IP, and finalize connection. Finally, the attack prevention agent sends the analysis and detection results and the action it takes to the logging agent, which writes these results in the logs database DB3.
activities such as the inturrpt discriptor table (IDT), system service dispatcher table (SSDT) or ditect kernel object maniplution (DKOM). The monitoring agents send their data to the analysis and detection agents to be analyzed. These agents are the kernel-mode analysis and detection agent and the user-mode analysis and detection agent. These agents compare the protected object with its prebuild normal profile to detect the unnormal
activity of that object, then send their results to the malware prevention agent to take the appropriate action to block the malware behavior according to its severity. Finally, the malware prevention agent sends the analysis and detection results, and the action it takes, to the logging agent to write these results in the logs database DB3. The Windows file Protection (WFP) Agent is responsible to protect the
HIP component The HIP component starts work by monitoring the critical system and user activities that may be a potential target for hackers in kernel and user modes using two agents: the user-mode monitoring agent and the kernel-mode monitoring agent. The user-mode monitoring agent monitors user-mode activities including the authorized processes and services list, critical registry keys, executables execution path, executables import address table\export address tables (IAT\EAT), and Windows APIs calls. The kernelmode monitoring agent monitors kernel JANUARY/FEBRUARY 2010
User Mode User Applications API (WS2_32.DLL) Transport Service (MASFD.DLL) System Library (NTDLL.DLL)
Kernel Mode TCP/IP Driver I/O Manager
Sniffer Driver
Physical Device Transport Driver Interface NIC
Fig. 3 Sniffer driver.
35
Table 3. The rules that are used by the rule-based analysis agent. Rule Name
Rule Attributes
Attribute Values
R1
TCP flags: SYN,ACK.
Packet (SYN=1, ACK=0), Packet (SYN=1, ACK=1), Packet (ACK=1)
R2
Sequence number and acknowledgment number.
Sequence no. of P (N) =Sequence no. of P (N-1) +Packet size. Acknowledgement no. of P (N-1) =Sequence no. of P (N).
R3
Time interval
(Time of P (N-1) – Time of P (N)) =< Median (P Time)
R4
SNMP
Port = 161 or 162
R5
Payload size, flags: SYN, FIN, RST
If (Flag=SYN||FIN||RST) Payload Size=0
R6
ICMP echo
Source IP = Server IP
examples for the critical keys of the registry: 1) “HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Windows\ AppInit_DLLs.” If this key contains DLL values, it causes every process that loads User32.dll to load the DLLs listed in that key. These DLLs may be malicious code injected by an attacker, and causes infection for most processes. 2) “HKLM\SYSTEM\CurrentControlSet\Control\Terminal server.” This key contains some values that may facilitate to the hacker some remote activities such as remote registry control and remote desktop control.
Host framework WFP service from hacking. The WFP protects system executables from overwriting by another malformed file. The WFP Agent monitors the SFC watcher thread to prevent any calls that leads to disabling the WFP, by monitoring the following: 1) SfcTerminateWatcherThread. This function that is exported form SFC_ OS.DLL disables the WFP service until the next system reboot. 2) SfcFileException. This function that is exported form SFC_OS.DLL registers a
Registry Agent
WFP Agent
Logging Agent
temporary SFC exception for a specific file. The period of the exception is one minute. 3) Registry key. The value SFCDisable of the key “HKLM\Software\Policies\ Microsof t\WindowsN T\W i n d o w s FileProtection” can be used to disable the WFP service if its value becomes 0xFFFFFF9D. The registry agent monitors the most critical registry keys that may provide hackers with some system weak points. The following keys are
Prevention Agent
Profiles Agent
DB 2
Broadcasting Agent
Kernel-Mode Analysis/Detection Agent
Kernel-Mode Monitoring Agent
Hosts Advisory Agent
User-Mode Analysis/Detection Agent
User-Mode Monitoring Agent
Update Agent DB 3
DB 1
Network Server
Implementation and case study
Fig. 4 Host framework architecture.
Table 4. Broadcasting and advisory agents characteristics. Agent
Type
Percepts From
Percepts What
Hosts advisory agent
Utility based
Network hosts
Broadcast agent
Model based
User and kernel analysis agents
36
Host framework performs the same tasks of the HIP component of the server framework, in addition to other tasks, and will be explored below. The analysis and detection agents may be confused to define an activity as a malware, or not. Take, for example, if a new process is detected in the process list of a specific host. This process may be a remote process initiated by the server or a malicious process injected to the system. In such cases the user-mode analysis and detection agent sends such information to the host advisory agent to ask the server about its decision in such case, and then this agent replies to the host with the corresponding decision. The broadcasting agent’s role arises when the analysis and detection agents detect a malware; they send the malware information to the broadcasting agent that resides in the network server. Then this agent broadcasts this information to all network hosts, to make them aware to the threat before accessing their systems. Fig. 4 shows the design of the host framework, and the used agents in this framework are described before in the HIP component in Table 2. Table 4 shows the characteristics of the broadcasting agent and host advisory agent.
Actions
Goals
Security problem
Send problem to server to take decision
More security for hosts
Malware alarm
Broadcast to network hosts
More security for hosts
The proposed system is composed of two main components: the NIP and HIP components that compose both of server and host frameworks. In this section, we explore the implementation phases and the experimental results of the NIP and HIP components not for the frameworks, since host framework is nearly similar to the HIP component of the server framework. The proposed system is installed and tested in a network as shown in Fig. 5. IEEE POTENTIALS
Host 3 10.22.59.12
HIP
NIP
Network Server 10.22.59.1 192.168.1.2
Host 2 10.22.59.11
Host 1 10.22.59.10
Fig. 5 The proposed system deployment model.
NIP component NIP component is a part of the sever framework that defends the network’s sever against network attacks such as footprinting, network scanning, enumeration, SYN flood, ping sweep, port scans, and session hijacking. The proposed system was tested against the previous attacks using some tools from the Certified Ethical Hacker course V5 toolkits that performs the previous attacks with different methods. The proposed system succeeded in detecting these attacks which target packets’ header. Fig. 6 shows a screenshot of the NIP component, which shows the ratio of traffic and intrusions over the time.
Fig. 6 Screenshot for the NIP component.
HIP component (IAT/EAT hooking)
To implement this scenario, the proposed system follows the following steps:
IAT/EAT hooking is a user-mode malware that targets the portable executables (PE). In PE optional headers there are data directories that contain tables that describe some information about a current process, such as import address table (IAT), export address table (EAT), and others. Each IAT contains the DLLs and the functions which are essential to run an executable. The IAT is shown in the Fig. 7. When the Windows loader loads the executable image it will also load up all DLLs and the functions in the DLL that the binary will use. The loader will locate each of these DLLs on disk and map them into memory. The loader will then put the address of the function in the IAT of the binary that calls the function. Each imported DLL has a container structure called IMAGE_IMPORT_DESCRIPTOR, which embraces the address of first thunk and the address of original first thunk. When the operating system loads the application in memory, it parses IMAGE_ JANUARY/FEBRUARY 2010
IMPORT_ DESCRIPTOR structure and loads each required DLL into the application’s memory. Within the target process’ address space, the malicious DLL can parse the portable executable file format and find the location of the target function within the IAT. It then replaces the target function with a hook function from the malicious code. As a result, the malicious code executes whenever the target API is called, and data passing to and from the target function is altered.
Protection scenario
1) Create executables’ IAT normal rrofiles. Read each executable individually into memory, then find the IMAGE_ IMPORT_DESCRIPTOR chunk of the executable to locate the IMAGE_THUNK_ DATA, which holds the original address of the imported function, and then write the entries of the IAT in the XML file, as shown in Fig. 8. This file is created once, at the first installation of the proposed system. 2) Monitoring IATs . The monitori ng agent mon itors system calls to IMAGE_IMPORT_DESCRIPTOR , it reads the virtual and physical images of the IAT of the authorized executables, and then sends these readings to the
Original First Thunk Time Date Stamp
0 × 1034
GetModuleHandleA
Forwarder Chain
0 × 1047
LoadLibrary
First Thunk
0 × 1204
DialogBoxParamW
Original First Thunk
0 × 1216
EndDialog
Imported DLL Name
...
...
Time Date Stamp Forwarder Chain
0 × 1300
RegOpenKeyExA
Imported DLL Name
0 × 1310
RegCloseKey ...
First Thunk Original First Thunk Time Date Stamp Forwarder Chain Imported DLL Name
Kernel32.dll User32.dll Advapi32.dll
First Thunk
Fig. 7 IAT of PE file.
37
user-mode analysis and detection agent. 3) Analyzing IATs. The user-mode analysis and detection agent percepts the results of the monitoring agent and compares them with the normal profiles created in step 1 and returns any deviations from the normal profile. These deviations are sent to the malware prevention agent to take the appropriate action. 4) Disable WFP system service. If the infected executable was system executable, the WFP service must be disabled first to restore
Fig. 8 The normal profile for an authorized process.
the infected file to its original values. The SfcFileException API was used to register a temporary SFC exception for a specific file for 1 minute, allowing the file to be updated. 5) Preventing the IAT hooks. Restore each hooked API by copying the relevant bytes from the normal profile image to the memory images or physical images. 6) Logging results. The results of the user-mode analysis/detection agent and malware prevention agent are sent to the logging agent, which writes these logs in an XML file database, as shown in Fig. 9. Fig. 10 summarizes the scenario of protecting hosts and server against IAT rootkits.
Experimental results The Import Table Runtime Redirector rootkit used to test the HIP component in defending against any IAT\EAT hooks. This tool injects code into the IAT of a specified process at runtime. Another rootkit used to test the system named InjectDLL, which is an IAT rootkit that injects DLL into the process address space. In Fig. 11 is a screenshot OF these rootkits detected by the proposed system.
Fig. 9 Log of IAT hook detected by the NIP component.
Start
HIP component (SSDT hooking) Create Executables’ IAT Normal Profile
SSDT hooking is a kernel-mode malware and targets the SSDT that contains all native APIs and service addresses. This table resides in the KiServiceTable member of the structure KeSeriveDescriptorTable that is exported by the ntoskrnl.exe. By modifying the contents of the SSDT to point to a rootkit function, all API calls regardless of their origin (user-mode or kernel-mode) can be redirected to call the rootkit code causing a dangerous wide hook in the OS.
Monitor IMAGE_IMPORT_DESCRIPTOR Calls by User-Mode Monitoring Agent Send IAT Entries to the User-Mode Analysis/Detection Agent Get the Normal Profile of Targeted IAT Send Analysis Results to Prevention Agent
Yes
Deviations ? No
Yes
Disable WFP
System Executable? No Repair IAT
No Action Send Results to Logging Agent
Fig. 10 The flowchart of protecting executables IAT.
38
Protection scenario Fig. 12 summarizes the implementation steps of protecting the SSDT. To protect a kernel object such as SSDT, we have to invoke kernel address space, which is protected by the operating system, as follows: 1) Create SSDT normal profile . To create a normal profile for the IEEE POTENTIALS
SSDT ker nel component, KiServiceT a b l e should be accessed to read its entries. But it can’t be accessed directly, because it’s located in the kernel add ress space. Therefore, a c kernel driver named “Lookup” was developed. The Lookup driver is installed as a Windows kernel service, then a C# GUI receives the driver output buffer, and saves the KiServiceTable entries in an XML file as shown in Fig. 13 . The SSDT normal profile file is created once at the first installation of the proposed system. 2) Monitoring SSDT. The monitoring agent reads the kernel driver output buffer and then sends SSDT entries to the kernel analysis and detection agent to be analyzed. 3) Analyzing SSDT entries. The kernel-mode analysis and detection agent percepts the results of the monitoring agent and compares them with the normal profile created in step 1. It returns any deviations from the normal profile and these deviations are sent to the malware prevention agent for the appropriate action. 4) Preventing SSDT hooks . The malware prevention agent restores the SSDT component into its original values as in the normal profile. To do that, the kernel address space must be invoked. We accessed the kernel memory from user-mode by allowing direct writing to the kernel address space (\device \physicalmemory). 5) Logging results. The results of the kernel-mode analysis/detection agent and malware prevention agent are sent to the logging agent; this agent writes these logs in an XML file database, as shown in Fig. 14.
Fig. 11 Screenshot for the HIP component while detecting an IAT hook.
Start Install Kernel Driver Create SSDT Normal Profile
Monitor KeService Descriptor Table Calls by Kernel-Mode Monitoring Agent Send SSDT Entries to the Kernel-Mode Analysis/Detection Agent
Experimental results Rootkit named “NtOpenProcess Hook” was used to test the HIP component in defending against SSDT hooks. This rootkit is a kernel rootkit that uses SSDT hooking as a way to prevent access to a user-mode program and deny any request for a handle by hooking the NtOpenProcess native API. Fig. 15 includes a screenshot for the proposed system while detecting the rootkit. This rootkit also was detected by ESET Smart Security and MacAfee security systems; hence the proposed system proves its ability in detecting any rootkits targeting the SSDT, regardless of the used hacking technique. JANUARY/FEBRUARY 2010
Get the Normal Profile of the SSDT Entries Send Analysis Results to Prevention Agent
Yes
Allow Write to\Device\Physical Memory Form User Mode
Deviations? No
No Action Repair the SSDT Disable Write to\Device\Physical Memory Form User Mode
Send Results to Logging Agent
Fig. 12 SSDT hooking protection flowchart.
39
Conclusion Inspecting network traffic that only protects the network and its entire host is not sufficient to secure the network and is a time wasting task, since network traffic payloads may contain polymorphic or encrypted malicious code and executables. The proposed system ensures the preemptive protection against zero-day attacks and malwares, by applying behavioral analysis techniques that focus on objects’ behaviors rather than the behaviors of threats. Fig. 13 SSDT normal profile.
Fig. 14 Log of SSDT hook detected by HIP component.
Applying behavioral analysis techniques eliminates the high rate of false positives and negatives and eliminates the huge amount of data needed to train and build the anomaly normal profiles. Applying a defense-in-depth security strategy enables the identification and blocking of threats at earlier stages before propagating over the network. The proposed system has the ability to protect the critical objects inside the operating system and provides the accurate protection against any revolution in hacking techniques without updating the signatures database. The only required update to make the system current is the process of creating normal profiles for the new invented objects of the operating system, but first the object should be analyzed carefully to build an accurate normal profile that describes its behavior. Using a multiagent paradigm in intrusion prevention systems delivers the maximum performance of the system and ensures real-time detection for attacks and malwares.
Read more about it • K. Graves, Official Certified Ethical Hacker Review Guide. New York: Wiley, 2007. • J. Lind , “Issues in agent-oriented software engineering,” in Proc. The 1st Int. Workshop Agent-Oriented Software Engineering, Limerick , Ireland , 2000, pp. 45–58. • A. Danehkar, “Injective code inside import table,” The Code Project, 2007. • H. Harkus, “Kernel look-up,” The Code Project, 2006.
About the authors
Fig. 15 Screenshot for the HIP component while detecting and SSDT hook.
40
Mohamed Shouman (drsouman@ yahoo.com) is the dean of the Faculty of Computers and Informatics, Zagazig University, Zagazig, Egypt. Amani Salah (aamani_salah@yahoo. com) is a lecturer assistant at the Faculty of Computers and Informatics, Zagazig University, Zagazig, Egypt. Hossam M. Faheem (hmfaheem@ ieee.org) is an associate professor at the Faculty of Computers and Information Sciences, Ain Shams University, Cairo, Egypt.
IEEE POTENTIALS