Using correlation engine and mobile agents for intrusion detection
Réginald Lips
lips [email protected]
Nabil El-Kadhi
el-kad [email protected]
LERIA, European Institute of Technology, 24, rue Pasteur, 94270 Le Kremlin-Bicêtre, FRANCE
Abstract
The IMAIDS project (Intelligent Mobile Agent for Intrusion Detection System) is carried out by five 5th-year students, Réginald Lips, Nicolas Carlier, Damien Molot, Jean-Marie Peschoux and Alexandre Luciani, from Epitech (European Institute of Technology; http://www.epitech.net/), within the framework of their end-of-studies project. The purpose of this document is to present a part of our research project: the use of an expert system as a correlation engine, together with mobile agents, for intrusion detection. This paper has been co-written by Réginald Lips, project leader of IMAIDS, Nabil El-Kadhi, director of the LERIA, and Davide Del Vecchio, senior security consultant for Telecom Italia. First, we recall the goal and general context of the IMAIDS project, its objectives and the research topics addressed. Then we describe in more detail the implementation and the theoretical basics of the expert system used to build a functional correlation engine applied to a mobile agent platform for intrusion detection.
Keywords: expert system, mobile agent, security, IDS.
1 General context
1.1 The IMAIDS project
IMAIDS, or Intelligent Mobile Agent for Intrusion Detection System, is a research laboratory project applied to industry. The main goal of this project is to develop a finished, intelligent tool prototype for intrusion detection. The global approach of the project has been described in a first publication [1]. IMAIDS is an Intrusion Detection System (IDS [2]). Basically, an IDS aims first to collect information in a computer network, such as network flows or system logs, second to recognise an attack depending on a detection method, and finally to notify the network administrator when an attack has occurred. The best-known IDS ([2], [3]) use two detection methods. The first, based on signatures [4], makes it possible to react to known attacks in a reliable way but is ineffective against unindexed attacks. The second [5] is based on analysis of host behaviour in the network. This method is more aggressive against unknown attacks but less efficient because of false positives [6]. Moreover, these IDS are based on a monolithic architecture [7] which induces centralized
Figure 2: Filtering rule example (the rule body is not recoverable from the extraction; the rule matches the server banner SSH-1.99-OpenSSH_4.6)
When a useful piece of information is caught, the collector agent raises an event to the correlator agent. This event contains several pieces of information, such as an ID, a timestamp and details about the sending host. We will see in more detail, in the correlation engine section, the importance and purpose of an event.
2.3 The correlator agent
The correlator agent is the main analyzing instance in the platform. It receives the collectors' events and makes relations between them. The correlator agent uses a set of correlation rules to classify and deduce events from the collected information. Keep in mind that collected events come from multiple distinct collector agents, so the correlator gets a global vision of the network for its deduction and detection analysis. The final idea is to deduce that an attack occurred when the received events satisfy a set of crucial properties, even if some information is missing. These properties, described by the correlation rules, make it possible to specialize correlator agents and thus distribute the computation. If a final deduction is found, we consider that an attack occurred with a certain truth coefficient. This final information is forwarded to the corresponding analyzer agent, which takes the decision to raise an alert to the network administrator.
2.4 The analyzer agent
The analyzer agent receives final deductions from correlator agents and performs some computation on the transmitted truth coefficient to decide whether the attack occurred and whether the administrator should be informed. This agent also has a set of rules defining its behaviour. An example of an analyzer rule is given in Figure 3.
Figure 3: Analyzer rule example (recoverable fields: attack name "Attack on Web server Apache version 2.2.4", truth coefficient 0.75, and a third value, 60000, whose role is not recoverable from the extraction)
2.5 The manager agent
The manager agent is the organisational engine. It controls the agent integration process in the platform. The manager is able to deploy the agents on sensitive hosts/networks in a precise way. It creates the different agents and sets their roles by distributing the filtering rules, correlation rules and analyzer rules.
3 The correlation engine
3.1 An expert system applied to intrusion detection
The main idea of the IMAIDS project is to detect intrusions in a wide network by analyzing different crucial events on different hosts. The final goal is to deduce anomalies from facts. As we saw, the IMAIDS architecture makes it possible to get a global vision of the targeted network. The correlator agent brings back events from collectors and analyzes them. The correlator agent is specialized in making relations between the collected events. This is an expert system applied to intrusion detection [12]: it uses logical rules to define an attack or an unwanted behaviour.
3.2 Network events
As with a signature-based IDS, we started by asking how to describe an attack for the best detection: what facts characterize an attack? A connection on host A port 80, connection attempts on servers B, C, D, a connection to vulnerable software, and so on. In our approach, we chose to split attacks into minimalist events so that they can easily be factorized. An event is generated from a collector's filtering rule and transmitted to the correlator agent. An event is composed of an ID, corresponding to the filtering rule ID, and several useful attributes such as source IP, destination IP, source MAC, destination MAC and a timestamp. These attributes are sent to the correlator agent in order to allow the matching rule computation.
3.3 Correlation rules
The correlation rules deduce events from collected ones. They describe three relations between events:
• OR: if event A OR event B has been seen on the network or deduced, then we consider that C occurred. $A \oplus B \Rightarrow C$
• AND: if event D AND event E have been seen on the network or deduced, then we consider that F occurred. $DE \Rightarrow F$
• AND with comparison attributes: if event G AND event H have been seen on the network (or deduced) with the same MAC address and the same IP address, then we consider that I occurred. $GH \Rightarrow I$, with $G.mac\_src = H.mac\_src$ and $G.ip\_src = H.ip\_src$
On the other hand, there are two types of rule computation. First, the forward engine makes a regular deduction: if event A AND event B exist, then we consider that C occurred, $AB \Rightarrow C$. Second, the backward engine is the opposite: if event C exists, then we consider that events A AND B occurred, $AB \Leftarrow C$. An important point in rule computation is the truth coefficient of an event. In fact, we additionally used a kind of fuzzy logic [10] within the rule computation. Each event has a truth coefficient between 0 and 1 inclusive. If an event is seen by a probe, then its truth coefficient is 1: there is no doubt. But if an event is deduced, its truth coefficient is the weighted mean of the truth coefficients of the events composing the rule. As noted in our BNF (Figure 4), we can define the weight of an event in a rule. This weight is used to calculate the truth coefficient.
3.4 Critical events
The correlation engine generates events from the collectors' observations, but when is the computation finished and an attack detected? Actually, the analyzer agent is the final step of attack recognition. Its rules determine which final events are considered as attacks, and with what truth coefficient. The analyzer agent sends a notification to correlator agents to register its critical events. If a correlator agent receives or deduces one of these critical events, it sends it to the analyzer agent with the corresponding truth coefficient. The analyzer agent takes the decision to alert the system administrator if the truth coefficient is high enough.
Figure 4: BNF of correlation rules (the grammar body is not recoverable from the extraction; the nonterminals it defines are Rule, Sub_Rule, R_Event, Event, Info, Coordinate, Relation_prop, Coordination_prop, CP_Date, CP_Double, CP_Integer, CP_String, Oper_Date, Info_Double, Info_Integer, Info_String, Info_Date, Bin_Op, Relation, Operand, Negation and Weight; its terminals include Event_ID, Truth_coef, Port_src, Port_dst, IP_src, IP_dst, Mac_src, Mac_dst, Date_expired, Date_collected, the relations AND | OR | XOR, the comparison operators < | > | = | == | !=, the arithmetic operators + | - | * | / | %, ^ and double)
3.5 Experimental case
To illustrate IMAIDS capabilities, we wanted to solve a frequent problem with well-known IDS: an attack against vulnerable software generates an alert even if this software is not running. This is a false positive. We put IMAIDS in this situation and, to prevent this false positive, we defined two filtering rules. The first is able to detect the attack like a classical signature-based IDS (Rule A). The second is able to detect whether the vulnerable software is running (Rule B). For example, most servers give their version signature in the default configuration when they are requested; the rule in Figure 2 detects OpenSSH v4.6 running. These rules are sent to collectors. When a collector agent matches Rule A or B, it raises an event A or B to the correlator agent. On the other hand, a correlation rule is set with the following properties:
$AB \Rightarrow C$, with $A.ip\_dst = B.ip\_src$ and $A.port\_dst = B.port\_src$
It means that if an event A and an event B are collected with:
• Destination IP of event A = Source IP of event B
• Destination port of event A = Source port of event B
then we can deduce event C (which could be considered as an attack, but not yet, not at the correlation stage). Finally, in the analyzer agent, we define that event C is a critical event (an attack) and that the administrator must be alerted (see the example in Figure 3). As a result, the system decides to raise an alert to the administrator only if the targeted attack occurs against the vulnerable software. In this case, IMAIDS substantially reduces false positives just by correlating an attack with the version of the targeted software.
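As an added illustration (not IMAIDS code, which this paper does not reproduce), the following Python sketch implements the forward engine of Section 3.3 with weighted truth coefficients and attribute comparisons, the critical-event step of Section 3.4, and runs the rule AB ⇒ C of this experimental case over constructed events; the Event attributes, the Rule tuple, the threshold 0.75 and the sample IP addresses and ports are assumptions.

```python
"""Added example (not IMAIDS code): toy forward-chaining correlator with weighted
truth coefficients, attribute comparisons and the analyzer's critical-event step."""
from collections import namedtuple
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Event:
    """Collected or deduced event; truth is 1.0 when seen directly by a probe."""
    id: str
    ip_src: str = ""
    ip_dst: str = ""
    port_src: int = 0
    port_dst: int = 0
    truth: float = 1.0

# AND rule lhs => rhs: lhs maps event ID to its weight; each constraint
# (id1, attr1, id2, attr2) requires the two attribute values to be equal.
Rule = namedtuple("Rule", "lhs rhs constraints")
def truth_coef(rule, combo):
    """Weighted mean of the truth coefficients of the events composing the rule."""
    return sum(w * combo[i].truth for i, w in rule.lhs.items()) / sum(rule.lhs.values())

def forward(events, rules):
    """Forward engine: fire each AND rule over every combination of matching events."""
    deduced = []
    for rule in rules:
        pools = [[e for e in events if e.id == i] for i in rule.lhs]
        for chosen in product(*pools):
            combo = dict(zip(rule.lhs, chosen))
            if all(getattr(combo[a], x) == getattr(combo[b], y)
                   for a, x, b, y in rule.constraints):
                deduced.append(Event(rule.rhs, truth=truth_coef(rule, combo)))
    return deduced

def analyze(deduced, critical):
    """Analyzer step: keep critical events whose truth coefficient meets the threshold."""
    return [e for e in deduced if e.id in critical and e.truth >= critical[e.id]]

# Experimental-case rule: AB => C with A.ip_dst = B.ip_src and A.port_dst = B.port_src.
RULE_C = Rule({"A": 1.0, "B": 1.0}, "C",
              [("A", "ip_dst", "B", "ip_src"), ("A", "port_dst", "B", "port_src")])
# Constructed sample events: A = attack signature matched, B = vulnerable banner seen.
ATTACK_ON_VULNERABLE = Event("A", "10.0.0.5", "10.0.0.20", 40123, 22)
BANNER_VULNERABLE = Event("B", "10.0.0.20", "10.0.0.5", 22, 40123)
ATTACK_ON_OTHER_HOST = Event("A", "10.0.0.5", "10.0.0.21", 40124, 22)
def alerts(events, threshold=0.75):
    """Correlate the collected events, then apply the analyzer with C critical at threshold."""
    return analyze(forward(events, [RULE_C]), {"C": threshold})
```

The attack against 10.0.0.21, for which no banner event exists, produces no C and therefore no alert, which is the false positive the experimental case removes; a deduced B with a low truth coefficient lowers C's weighted mean below the threshold in the same way.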
Conclusion
IMAIDS integrates two emerging technologies, a multi-agent platform and attack recognition based on partial signatures, to make an effective and intelligent intrusion detection system. IMAIDS keeps watch over a set of computers, reducing network resource usage and false positives, without interfering with other hosts. IMAIDS has been tested in a research lab environment. The results obtained encourage us to deploy it, after enriching the knowledge database, on a large experimental network. A set of points will be integrated and improved. Basically, we have to develop a kind of learning engine that will validate some specific rules. This engine will also act on the filtering rules, which will drastically limit false positives. Additional information is available on:
• https://pfe.epitech.net/projects/imaids/
• http://leria.epitech.net/
References
[1] Réginald Lips, Nabil El-Kadhi. Intelligent Mobile Agent for Intrusion Detection System. Worldcomp - SAM'07, 2007.
[2] Kerry J. Cox, Christopher Gerg. Managing Security with Snort & IDS Tools. O'Reilly, 2004.
[3] The Prelude Hybrid IDS project. http://www.prelude-ids.org/
[4] What You Need to Know About Intrusion Detection Systems. http://www.windowsecurity.com/articles/What_You_Need_to_Know_About_Intrusion_Detection_Systems.html
[5] The Evolution of Intrusion Detection Systems. http://www.securityfocus.com/infocus/1514
[6] William Yurcik. Controlling Intrusion Detection Systems by Generating False Positives. http://www.projects.ncassr.org/sift/papers/-lcn02.pdf
[7] Mark Crosbie, Gene Spafford. Defending a Computer System using Autonomous Agents. http://ftp.cerias.purdue.edu/pub/papers/mark-crosbie/mcrosbie-spaf-NISC.pdf. Purdue University, March 11, 1994.
[8] Fabio Luigi Bellifemine, Giovanni Caire, Dominic Greenwood. Developing Multi-agent Systems With Jade. John Wiley & Sons, 2007.
[9] Stephen Northcutt, Judy Novak. Network Intrusion Detection: An Analyst's Handbook. New Riders Publishing, September 22, 2000.
[10] Jerry M. Mendel. Uncertain Rule-Based Fuzzy Logic Systems. Prentice Hall, December 2000.
[11] Danny Lange, Oshima Mitsuru, Mitsuru Oshima. Programming and Deploying Java Mobile Agents With Aglets. Addison-Wesley Professional, 1998.
[12] Nabil El-Kadhi, Romain Dequit, Fayal Daira. Using Correlation Detection for IMA-IDS Architecture. http://leria.epitech.net/site/main.php?action_view=submenu&option=tree&id_tree=89, July 2004.