Surviving cyber warfare with a hybrid multiagent-based intrusion ...

5 downloads 90962 Views 4MB Size Report
the large Windows activities and the in- ... framework installed on the network server. The HIP component operates in - side the .... Monitor some kernel-mode.
Surviving cyber warfare with a hybrid multiagent-based intrusion prevention system © PHOTODISC & BRAND X PICTURES

Mohamed Shouman, Amani Salah, and Hossam M. Faheem

W

e have entered a new age of cyber warfare that threatens the survival and reliability of e-organizations. This threat necessitates developing a new generation of security solutions that are able to provide instantaneous in-line layered preemptive protection. Developing such a security solution is a challenge, since threats against e-organizations have increased in number and sophistication, to the point where many security experts believe that the situation is out of control. Successful network attacks follow the life cycle as shown in Fig. 1. The first two stages are highly subject to reconnaissance. The last three stages involve the most harmful malicious activities (mal-

Digital Object Identifier 10.1109/MPOT.2009.935611

32

0278-6648/10/$26.00 © 2010 IEEE

wares) that an attacker can perform. Malware (malicious software) is a generic term used to describe any program that is inserted into the system, with the intent of compromising the confidentiality, integrity, and privileges of the operating system, such as viruses, worms, rootkits, and others. Intrusion prevention systems (IPSs) introduce the technology that enables the network and its hosts to defend themselves with the intelligence to accurately identify and block malicious traffic and activities. To determine which IPS delivers an accurate and preemptive protection, it must have superior characteristics in the following areas: 1) Performance: the ability to perform transparently without disrupting normal operations. Prevention actions must occur in real time. IEEE POTENTIALS

2) High protection level: providing a high level of protection requires many protocol identifications and careful analysis and understanding for operating systems. 3) Research: powerful intrusion prevention is based on up-to-the-second updates that keep pace with the changing threat landscape. 4) 24/7 monitoring: Effective monitoring requires active 24/7 monitoring. IPSs are classified based on the operating platform and detection technologies. The operating platform classifies the IPS products into: host intrusion prevention systems (HIPS) and network intrusion prevention systems (NIPS). NIPS inspect the network traffic to detect malicious packets and connection sessions. HIPS rely on software agents installed on network hosts to protect them against malwares. Detection technologies classifications vary between signature based, anomaly based, rule based, behavioral based and others. The deficiency of centralized network security solutions leads to the idea of using multiagent systems. Multiagent systems have received increasing interest as a new means of designing and building complex software systems, particularly networked and distributed systems. This is due to its flexibility and autonomy that provide lightweight and efficient solutions to treat complex problems. In multiagent systems, there is no central point of failure, where centralized network systems are not scalable, because under heavy network load the system suffers from poor performance. Using multiagent paradigms to implement and develop network security solutions result in the following features: • Reduced network load . Mobile agents eliminate the need of transferring a huge amount of data, where the agent can migrate, containing the processing code, since an agent is smaller than the processed data. • Overcome network latency. Mobile agents are able to migrate from a host to carry out operations, thus the agent provides an appropriate response faster than hierarchical applications, which have to communicate with a central coordinator. • Platform independency. The agent platform allows agents to travel in a heterogeneous environment. Mobile agents can be created, cloned, dispatched, or killed at runtime, as network’s configuration or topology change over time. JANUARY/FEBRUARY 2010

• Fault tolerant. Mobile agents can still act, while their creating platform is unreachable.

Windows into the proposed system The proposed system is implemented inside a Microsoft Windows environment. This framework is a general framework that can be used to protect any object inside the operating system. The security strategy of the proposed system focuses on the protected object behavior rather than threats behavior, where network threats are augmented every day in number, complexity, and creativity, hence the actual behavior of a hacker can’t accurately predict in order to be ahead of it. Focusing on threats behavior may bring a huge number of false positives, affecting the protected system with a bundle of zero-day threats.

(1) Reconnaissance (5) Covering Tracks

(4) Maintaining Access

(2) Scanning

(3) Gaining Access

Fig. 1 Network attacks life cycle.

ables identifying and blocking threats at earlier stages before propagating over the protected network. The proposed system is mainly composed of two multi-agent frameworks: server framework and host framework.

To build an accurate protection system, security experts should carefully select the critical objects inside the operating system that leads to useful monitoring results and a limited number of false negatives.

Subsequently, focusing on the protected objects behavior rather than threats behavior leads to a limited number of false positives and enhances the ability of detecting zero-day attacks. A good picture of Microsoft Windows behavior can be developed by monitoring different components inside the operating system such as user-mode interactions with Windows APIs, Windows registry, and kernel objects and drivers. But maintaining healthy monitoring for the large Windows activities and the installed software packages makes it more difficult to build an ideal normal behavior file for the system. To build an accurate protection system, security experts should carefully select the critical objects inside the operating system that leads to useful monitoring results and a limited number of false negatives. Another important strategy in the proposed system is implementing the defense-in-depth security strategy inside the protection mechanism. Defense-in-depth means defending the protected system in different layers in the network and operating system. Applying such a defense strategy ensures that any threat must bypass by one or more of the defense layers. This en-

Server framework is a multiagent integrated network intrusion prevention (NIP)/host intrusion prevention (HIP) framework installed on the network server. The HIP component operates inside the operating system.

Server framework Server framework is a multiagent integrated NIP/HIP framework. The NIP component focuses on network and packets behaviors by inspecting network traffic. The HIP component focuses on the operating system and applications behaviors. The two components work parallel inside a single platform. Figure 2 shows the server’s framework structure and the agents’ interactions inside the framework. Tables 1 and 2 show the agents’ types, percepts, actions, and goals of the NIP component and HIP component.

NIP component The NIP component operates on the network driver of the external network interface of the server, particularly on the TCP/IP stack. The NIP component starts work by sniffing the traffic from the external interface by the sniffing agent. The sniffing agent communicates 33

NIP Component

HIP Component DB 3

DB 2

Profiles Agent

Update Agent

Registry Agent

Logging Agent

WFP Agent

Attacks Prevention Agent

Malware Prevention Agent

Rule-Based Analysis/ Detection Agent

Kernel Analysis/ Detection Agent

Behavioral Analysis/ Detection Agent

User Analysis/ Detection Agent

Sniffer Agent

Profiles Agent

DB 2 DB 1

Update Agent

Kernel-Mode Monitoring Agent

Broadcasting Agent

User-Mode Monitoring Agent

DB 1

Hosts Advisory Agent

DB 4

Fig. 2 Server framework architecture.

with a kernel driver (sniffer driver) that operates as a hook inside the TCP/IP stack (tcpip.sys) as shown in Fig. 3. The sniffing agent then sends its processed data to the analysis and detection module, which contains two agents that work in parallel: the rule-based analysis and detection agent and the behavior-based analysis and detection agent. These agents don’t concern the

packets’ payload and concern only the packets’ header. The behavior-based analysis and detection agent analyzes captured packets based on a statistical profile that reflects the normal behavior of network flow. This agent focuses on connection-oriented analysis strategy rather than packetoriented analysis strategy. The criteria that are used to build this profile are network

server rush hours, duration of successful connections, total sent and received bytes, average packet size and fragmentation probabilities, number of successful TCP connections, and the number of unsuccessful TCP connections. If the network traffic flow deviates from the normal profile statistical ranges, the behavior-based analysis and detection agent analyzes the connections that deviates to detect attack trials, and then sends the results of the detected deviations to the attack prevention agent to take the appropriate action. The rule-based analysis and detection agent analyzes packets based on a predefined criteria and rules. This agent uses both packet-oriented and connection-oriented analysis strategies. The analysis criteria and rules are obtained from rules engine (DB1) as shown previously in Fig. 2 ; The NIP component by default contains some analysis rules that are described in Table 3 ; these analysis rules can detect most TCP/IP attack trials that target the packets’ header. Another function of the rule-based analysis and detection agent is updating the rules database. If an attack is detected many times in the analysis step from a specific port or IP, this agent sends an update to the access control list (ACL), which are located in the rules database. The ACL contains allow/deny filtering rules for IPs, ports, and payload protocols. The ACL stops traffic from attacking the system without requiring the IPS to consume resources to analyze the traffic. The attacks prevention agent prevents the attacks according to attack’s

Table 1. NIP component agents. Agent

Type

Percepts From

Percepts What

Actions

Goals

Sniffing agent

Simple reflex

TCP/IP stack

Packets

Record and filter captured traffic

Identify network traffic

Behavior-based analysis/ detection agent

Goal based

Sniffing agent

Filtered TCP/IP packets

Analyze filtered TCP/IP packets based on normal profile

Detect attacks based on a statistical normal profile, which describe network normal behavior.

Rule-based analysis/ detection agent

Goal based

Sniffer agent

Filtered TCP/IP packets

Analyze filtered TCP/IP packets based on predefined rules

Detect network attacks based on the detection rules

Attacks prevention agent

Utility based

Analysis and behavior and rule-based detection agents

Detected attacks

Prevent attacks with the suitable action

Prevent attacks by providing the suitable reaction

Logging agent

Simple reflex

Rules and behavioral analysis/detection and malwares prevention agent

Analysis, detection and prevention results

Write to logs database DB3

Record results to be analyzed by IT experts

Update agent

Simple reflex

DB1

Recent updates

Update analysis and detection agents

Make the framework up-to-date

34

IEEE POTENTIALS

Table 2. HIP component agents. Percepts From

Percepts What

Actions

Goals

Model based

OS kernel

Kernel-mode activities

Monitor some kernel-mode activities

Send the monitored activities to analysis agents

User monitoring agent

Model based

WIN32 subsystem

User-mode activities

Monitor some user-mode activities

Send the monitored activities to analysis agents

Kernel analysis/ detection agent

Goal based

Kernel monitoring agent

Kernel-mode activities

Analyze kernel-mode activities and detect deviations from normal profiles

Detect kernel-mode malwares

User analysis/ detection agent

Goal based

User monitoring agent

User-mode activities

Analyze user-mode activities and detect deviations from normal profiles

Detect user-mode malwares

WFP agent

Goal based

WFP service

WFP parameters and DLLs

Monitor WFP parameters to avoid hacking this service

Protect user-mode windows executables

Registry agent

Goal based

Windows registry

Important registry keys

Protect the registry keys values from modifying.

Protect user-mode behavior

Malwares prevention agent

Utility based

User and kernel analysis/detection agents

Detection results

Take the right prevent action, and write it the logs database DB3

Prevent malwares

Logging agent

Simple reflex

User and kernel analysis and malwares prevention agents

Analysis, detection and prevention results

Write to Logs database DB3

Record results to be analyzed by IT experts

Update agent

Model based

DB1

Recent updates

Update analysis and detection agents

Make the framework up-to-date

Profiles agent

Model based

DB2

Analyzed object normal profile

Send the profile to the user and kernel analysis/ detection agents

Supply user and kernel analysis/ detection agents with the needed information

Agent

Type

Kernel monitoring agent

severity, which is decided in the detection and analysis phase. This agent is the simplest one because it’s always a reaction for the detection agent. The prevention actions may be one of the following: drop packet, blocking port or IP, and finalize connection. Finally, the attack prevention agent sends the analysis and detection results and the action it takes to the logging agent, which writes these results in the logs database DB3.

activities such as the inturrpt discriptor table (IDT), system service dispatcher table (SSDT) or ditect kernel object maniplution (DKOM). The monitoring agents send their data to the analysis and detection agents to be analyzed. These agents are the kernel-mode analysis and detection agent and the user-mode analysis and detection agent. These agents compare the protected object with its prebuild normal profile to detect the unnormal

activity of that object, then send their results to the malware prevention agent to take the appropriate action to block the malware behavior according to its severity. Finally, the malware prevention agent sends the analysis and detection results, and the action it takes, to the logging agent to write these results in the logs database DB3. The Windows file Protection (WFP) Agent is responsible to protect the

HIP component The HIP component starts work by monitoring the critical system and user activities that may be a potential target for hackers in kernel and user modes using two agents: the user-mode monitoring agent and the kernel-mode monitoring agent. The user-mode monitoring agent monitors user-mode activities including the authorized processes and services list, critical registry keys, executables execution path, executables import address table\export address tables (IAT\EAT), and Windows APIs calls. The kernelmode monitoring agent monitors kernel JANUARY/FEBRUARY 2010

User Mode User Applications API (WS2_32.DLL) Transport Service (MASFD.DLL) System Library (NTDLL.DLL)

Kernel Mode TCP/IP Driver I/O Manager

Sniffer Driver

Physical Device Transport Driver Interface NIC

Fig. 3 Sniffer driver.

35

Table 3. The rules that are used by the rule-based analysis agent. Rule Name

Rule Attributes

Attribute Values

R1

TCP flags: SYN,ACK.

Packet (SYN=1, ACK=0), Packet (SYN=1, ACK=1), Packet (ACK=1)

R2

Sequence number and acknowledgment number.

Sequence no. of P (N) =Sequence no. of P (N-1) +Packet size. Acknowledgement no. of P (N-1) =Sequence no. of P (N).

R3

Time interval

(Time of P (N-1) – Time of P (N)) =< Median (P Time)

R4

SNMP

Port = 161 or 162

R5

Payload size, flags: SYN, FIN, RST

If (Flag=SYN||FIN||RST) Payload Size=0

R6

ICMP echo

Source IP = Server IP

examples for the critical keys of the registry: 1) “HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Windows\ AppInit_DLLs.” If this key contains DLL values, it causes every process that loads User32.dll to load the DLLs listed in that key. These DLLs may be malicious code injected by an attacker, and causes infection for most processes. 2) “HKLM\SYSTEM\CurrentControlSet\Control\Terminal server.” This key contains some values that may facilitate to the hacker some remote activities such as remote registry control and remote desktop control.

Host framework WFP service from hacking. The WFP protects system executables from overwriting by another malformed file. The WFP Agent monitors the SFC watcher thread to prevent any calls that leads to disabling the WFP, by monitoring the following: 1) SfcTerminateWatcherThread. This function that is exported form SFC_ OS.DLL disables the WFP service until the next system reboot. 2) SfcFileException. This function that is exported form SFC_OS.DLL registers a

Registry Agent

WFP Agent

Logging Agent

temporary SFC exception for a specific file. The period of the exception is one minute. 3) Registry key. The value SFCDisable of the key “HKLM\Software\Policies\ Microsof t\WindowsN T\W i n d o w s FileProtection” can be used to disable the WFP service if its value becomes 0xFFFFFF9D. The registry agent monitors the most critical registry keys that may provide hackers with some system weak points. The following keys are

Prevention Agent

Profiles Agent

DB 2

Broadcasting Agent

Kernel-Mode Analysis/Detection Agent

Kernel-Mode Monitoring Agent

Hosts Advisory Agent

User-Mode Analysis/Detection Agent

User-Mode Monitoring Agent

Update Agent DB 3

DB 1

Network Server

Implementation and case study

Fig. 4 Host framework architecture.

Table 4. Broadcasting and advisory agents characteristics. Agent

Type

Percepts From

Percepts What

Hosts advisory agent

Utility based

Network hosts

Broadcast agent

Model based

User and kernel analysis agents

36

Host framework performs the same tasks of the HIP component of the server framework, in addition to other tasks, and will be explored below. The analysis and detection agents may be confused to define an activity as a malware, or not. Take, for example, if a new process is detected in the process list of a specific host. This process may be a remote process initiated by the server or a malicious process injected to the system. In such cases the user-mode analysis and detection agent sends such information to the host advisory agent to ask the server about its decision in such case, and then this agent replies to the host with the corresponding decision. The broadcasting agent’s role arises when the analysis and detection agents detect a malware; they send the malware information to the broadcasting agent that resides in the network server. Then this agent broadcasts this information to all network hosts, to make them aware to the threat before accessing their systems. Fig. 4 shows the design of the host framework, and the used agents in this framework are described before in the HIP component in Table 2. Table 4 shows the characteristics of the broadcasting agent and host advisory agent.

Actions

Goals

Security problem

Send problem to server to take decision

More security for hosts

Malware alarm

Broadcast to network hosts

More security for hosts

The proposed system is composed of two main components: the NIP and HIP components that compose both of server and host frameworks. In this section, we explore the implementation phases and the experimental results of the NIP and HIP components not for the frameworks, since host framework is nearly similar to the HIP component of the server framework. The proposed system is installed and tested in a network as shown in Fig. 5. IEEE POTENTIALS

Host 3 10.22.59.12

HIP

NIP

Network Server 10.22.59.1 192.168.1.2

Host 2 10.22.59.11

Host 1 10.22.59.10

Fig. 5 The proposed system deployment model.

NIP component NIP component is a part of the sever framework that defends the network’s sever against network attacks such as footprinting, network scanning, enumeration, SYN flood, ping sweep, port scans, and session hijacking. The proposed system was tested against the previous attacks using some tools from the Certified Ethical Hacker course V5 toolkits that performs the previous attacks with different methods. The proposed system succeeded in detecting these attacks which target packets’ header. Fig. 6 shows a screenshot of the NIP component, which shows the ratio of traffic and intrusions over the time.

Fig. 6 Screenshot for the NIP component.

HIP component (IAT/EAT hooking)

To implement this scenario, the proposed system follows the following steps:

IAT/EAT hooking is a user-mode malware that targets the portable executables (PE). In PE optional headers there are data directories that contain tables that describe some information about a current process, such as import address table (IAT), export address table (EAT), and others. Each IAT contains the DLLs and the functions which are essential to run an executable. The IAT is shown in the Fig. 7. When the Windows loader loads the executable image it will also load up all DLLs and the functions in the DLL that the binary will use. The loader will locate each of these DLLs on disk and map them into memory. The loader will then put the address of the function in the IAT of the binary that calls the function. Each imported DLL has a container structure called IMAGE_IMPORT_DESCRIPTOR, which embraces the address of first thunk and the address of original first thunk. When the operating system loads the application in memory, it parses IMAGE_ JANUARY/FEBRUARY 2010

IMPORT_ DESCRIPTOR structure and loads each required DLL into the application’s memory. Within the target process’ address space, the malicious DLL can parse the portable executable file format and find the location of the target function within the IAT. It then replaces the target function with a hook function from the malicious code. As a result, the malicious code executes whenever the target API is called, and data passing to and from the target function is altered.

Protection scenario

1) Create executables’ IAT normal rrofiles. Read each executable individually into memory, then find the IMAGE_ IMPORT_DESCRIPTOR chunk of the executable to locate the IMAGE_THUNK_ DATA, which holds the original address of the imported function, and then write the entries of the IAT in the XML file, as shown in Fig. 8. This file is created once, at the first installation of the proposed system. 2) Monitoring IATs . The monitori ng agent mon itors system calls to IMAGE_IMPORT_DESCRIPTOR , it reads the virtual and physical images of the IAT of the authorized executables, and then sends these readings to the

Original First Thunk Time Date Stamp

0 × 1034

GetModuleHandleA

Forwarder Chain

0 × 1047

LoadLibrary

First Thunk

0 × 1204

DialogBoxParamW

Original First Thunk

0 × 1216

EndDialog

Imported DLL Name

...

...

Time Date Stamp Forwarder Chain

0 × 1300

RegOpenKeyExA

Imported DLL Name

0 × 1310

RegCloseKey ...

First Thunk Original First Thunk Time Date Stamp Forwarder Chain Imported DLL Name

Kernel32.dll User32.dll Advapi32.dll

First Thunk

Fig. 7 IAT of PE file.

37

user-mode analysis and detection agent. 3) Analyzing IATs. The user-mode analysis and detection agent percepts the results of the monitoring agent and compares them with the normal profiles created in step 1 and returns any deviations from the normal profile. These deviations are sent to the malware prevention agent to take the appropriate action. 4) Disable WFP system service. If the infected executable was system executable, the WFP service must be disabled first to restore

Fig. 8 The normal profile for an authorized process.

the infected file to its original values. The SfcFileException API was used to register a temporary SFC exception for a specific file for 1 minute, allowing the file to be updated. 5) Preventing the IAT hooks. Restore each hooked API by copying the relevant bytes from the normal profile image to the memory images or physical images. 6) Logging results. The results of the user-mode analysis/detection agent and malware prevention agent are sent to the logging agent, which writes these logs in an XML file database, as shown in Fig. 9. Fig. 10 summarizes the scenario of protecting hosts and server against IAT rootkits.

Experimental results The Import Table Runtime Redirector rootkit used to test the HIP component in defending against any IAT\EAT hooks. This tool injects code into the IAT of a specified process at runtime. Another rootkit used to test the system named InjectDLL, which is an IAT rootkit that injects DLL into the process address space. In Fig. 11 is a screenshot OF these rootkits detected by the proposed system.

Fig. 9 Log of IAT hook detected by the NIP component.

Start

HIP component (SSDT hooking) Create Executables’ IAT Normal Profile

SSDT hooking is a kernel-mode malware and targets the SSDT that contains all native APIs and service addresses. This table resides in the KiServiceTable member of the structure KeSeriveDescriptorTable that is exported by the ntoskrnl.exe. By modifying the contents of the SSDT to point to a rootkit function, all API calls regardless of their origin (user-mode or kernel-mode) can be redirected to call the rootkit code causing a dangerous wide hook in the OS.

Monitor IMAGE_IMPORT_DESCRIPTOR Calls by User-Mode Monitoring Agent Send IAT Entries to the User-Mode Analysis/Detection Agent Get the Normal Profile of Targeted IAT Send Analysis Results to Prevention Agent

Yes

Deviations ? No

Yes

Disable WFP

System Executable? No Repair IAT

No Action Send Results to Logging Agent

Fig. 10 The flowchart of protecting executables IAT.

38

Protection scenario Fig. 12 summarizes the implementation steps of protecting the SSDT. To protect a kernel object such as SSDT, we have to invoke kernel address space, which is protected by the operating system, as follows: 1) Create SSDT normal profile . To create a normal profile for the IEEE POTENTIALS

SSDT ker nel component, KiServiceT a b l e should be accessed to read its entries. But it can’t be accessed directly, because it’s located in the kernel add ress space. Therefore, a c kernel driver named “Lookup” was developed. The Lookup driver is installed as a Windows kernel service, then a C# GUI receives the driver output buffer, and saves the KiServiceTable entries in an XML file as shown in Fig. 13 . The SSDT normal profile file is created once at the first installation of the proposed system. 2) Monitoring SSDT. The monitoring agent reads the kernel driver output buffer and then sends SSDT entries to the kernel analysis and detection agent to be analyzed. 3) Analyzing SSDT entries. The kernel-mode analysis and detection agent percepts the results of the monitoring agent and compares them with the normal profile created in step 1. It returns any deviations from the normal profile and these deviations are sent to the malware prevention agent for the appropriate action. 4) Preventing SSDT hooks . The malware prevention agent restores the SSDT component into its original values as in the normal profile. To do that, the kernel address space must be invoked. We accessed the kernel memory from user-mode by allowing direct writing to the kernel address space (\device \physicalmemory). 5) Logging results. The results of the kernel-mode analysis/detection agent and malware prevention agent are sent to the logging agent; this agent writes these logs in an XML file database, as shown in Fig. 14.

Fig. 11 Screenshot for the HIP component while detecting an IAT hook.

Start Install Kernel Driver Create SSDT Normal Profile

Monitor KeService Descriptor Table Calls by Kernel-Mode Monitoring Agent Send SSDT Entries to the Kernel-Mode Analysis/Detection Agent

Experimental results Rootkit named “NtOpenProcess Hook” was used to test the HIP component in defending against SSDT hooks. This rootkit is a kernel rootkit that uses SSDT hooking as a way to prevent access to a user-mode program and deny any request for a handle by hooking the NtOpenProcess native API. Fig. 15 includes a screenshot for the proposed system while detecting the rootkit. This rootkit also was detected by ESET Smart Security and MacAfee security systems; hence the proposed system proves its ability in detecting any rootkits targeting the SSDT, regardless of the used hacking technique. JANUARY/FEBRUARY 2010

Get the Normal Profile of the SSDT Entries Send Analysis Results to Prevention Agent

Yes

Allow Write to\Device\Physical Memory Form User Mode

Deviations? No

No Action Repair the SSDT Disable Write to\Device\Physical Memory Form User Mode

Send Results to Logging Agent

Fig. 12 SSDT hooking protection flowchart.

39

Conclusion Inspecting network traffic that only protects the network and its entire host is not sufficient to secure the network and is a time wasting task, since network traffic payloads may contain polymorphic or encrypted malicious code and executables. The proposed system ensures the preemptive protection against zero-day attacks and malwares, by applying behavioral analysis techniques that focus on objects’ behaviors rather than the behaviors of threats. Fig. 13 SSDT normal profile.

Fig. 14 Log of SSDT hook detected by HIP component.

Applying behavioral analysis techniques eliminates the high rate of false positives and negatives and eliminates the huge amount of data needed to train and build the anomaly normal profiles. Applying a defense-in-depth security strategy enables the identification and blocking of threats at earlier stages before propagating over the network. The proposed system has the ability to protect the critical objects inside the operating system and provides the accurate protection against any revolution in hacking techniques without updating the signatures database. The only required update to make the system current is the process of creating normal profiles for the new invented objects of the operating system, but first the object should be analyzed carefully to build an accurate normal profile that describes its behavior. Using a multiagent paradigm in intrusion prevention systems delivers the maximum performance of the system and ensures real-time detection for attacks and malwares.

Read more about it • K. Graves, Official Certified Ethical Hacker Review Guide. New York: Wiley, 2007. • J. Lind , “Issues in agent-oriented software engineering,” in Proc. The 1st Int. Workshop Agent-Oriented Software Engineering, Limerick , Ireland , 2000, pp. 45–58. • A. Danehkar, “Injective code inside import table,” The Code Project, 2007. • H. Harkus, “Kernel look-up,” The Code Project, 2006.

About the authors

Fig. 15 Screenshot for the HIP component while detecting and SSDT hook.

40

Mohamed Shouman (drsouman@ yahoo.com) is the dean of the Faculty of Computers and Informatics, Zagazig University, Zagazig, Egypt. Amani Salah (aamani_salah@yahoo. com) is a lecturer assistant at the Faculty of Computers and Informatics, Zagazig University, Zagazig, Egypt. Hossam M. Faheem (hmfaheem@ ieee.org) is an associate professor at the Faculty of Computers and Information Sciences, Ain Shams University, Cairo, Egypt.

IEEE POTENTIALS