5.1 A Nature Inspired Model Enhancing Self-Organization and Self-Control
The efficiency of natural systems, which are complex, fully distributed and dynamic systems, was the foundation of our IDRS architecture. The intrusion detection system was designed with the immune system in mind, whereas the intrusion response system was designed with the organization of an ant colony in mind. Indeed, there are some interesting parallels between these two natural systems and the IDRS:
- At a local level, both systems (natural systems as well as the IDRS) are faced with a complex recognition problem. More precisely, the immune system deals with self/non-self protein recognition [19] to detect anomalous cells, whereas the intrusion detection system deals with normal/abnormal pattern recognition to detect suspicious activities. Similarly, social insects like ants deal with the recognition of the highest pheromonal gradient to follow it to the source of food, whereas the intrusion response system has to recognize remotely the type of alert launched in order to follow it to the source of the attack¹ and perform the relevant response.
- At a global level, both systems (natural systems as well as the IDRS) behave as complex systems made of a set of single components engaged in local interactions. These interactions between single components exhibit a globally coherent and emergent behavior. As already mentioned, this self-organization process is one of the properties of natural systems. This property can be applied to the IDRS in order to obtain an IDRS with an emergent detection and response behavior that stays safe and coherent. Globally, the detection system has to avoid as many false positives as possible, whereas the immune system has to avoid so-called auto-immune behavior². Globally, the response system has to avoid many responses at the same location when there is no longer an attack, whereas an ant system has to avoid having many ants following a trail to an exhausted source of food.
5.2 A Mobile Agent Based Architecture for IDRS
We propose in this paper a distributed IDRS composed of two kinds of mobile agent populations: an Intrusion Detection Agent (IDA) population, inspired by immune systems, and an Intrusion Response Agent (IRA) population, inspired by social insect behavior. Mobility is an essential factor in the design of our system. Indeed, as the network could be very wide, it is difficult to imagine implementing different kinds of intrusion detection and response behavior at each node of the network. Mobility is a way to implement these behaviors at a small scale and to propagate their use on a larger scale. On the other hand, making the components of the IDRS mobile makes it more robust to attacks, because mobile agents are hard to locate.

¹ By source of attack we mean the location where the attack was detected. Thus the response system, independently from the detection system, will be remotely activated.

² Auto-immune behavior happens when the immune system identifies its own safe components as unsafe or foreign ones and destroys them.
Schematically, the IDRS architecture is as follows:
- The considered system is a network of interconnected hosts, which could be a LAN or an Intranet, for instance. This Intranet is divided into several security domains depending on the topology as well as on the security needs of the corresponding domain.
- A population of IDAs incarnates the Intrusion Detection System (IDS). To detect local³ attacks, the IDAs responsible for a local domain have to be able to discriminate between normal and abnormal activity. For simplicity, the correct running of different programs and their deviation from normal activity is supervised. For that, short sequences of system calls are collected while the program runs in safe conditions and a safe environment, as was done in [9]. In each local domain we run a different program and build a database specific to that program, as shown in Figure 1. This avoids the overly large databases that data collection otherwise requires, a well-known problem in anomaly detection systems, and the correspondingly heavy database management. This presupposes that, at the second stage, when the system runs in normal conditions, the MAs placed in each domain will be specialized in one program, in the sense that they will have to detect deviations in the system calls specific to this program. In each domain, the MAs specific to a program are able to memorize a safe sequence obtained from the normal profile database. Each program-specific MA selects a set randomly (or randomly selects a block of n consecutive sequences) and examines locally (in each domain where it is located) the deviation of the incoming sequences from the selected set (Figure 2). If the deviation is too high, the MA launches an alert. Otherwise, below a certain level of deviation, the sequence is accepted. Each MA can be considered short-lived because it continually selects and memorizes new sequences from its database. Mobility is essential in order to detect anomalies emerging locally from other programs, or to allow a MA specific to a program to detect an anomaly anywhere in the subdivided Intranet. Indeed, each program-specific agent circulates continuously and randomly visits the neighboring domains, where it performs anomaly detection before returning to its home domain to do the next random sequence selection. A priori, as the number of MAs per domain is limited, a MA is cloned before moving to the next domain only if the level of suspicion for an anomaly becomes too high in the current domain, since the level of suspicion increases with the frequency of alerts for this anomaly.
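The program-specific profile and deviation check described above, as an added example that is not part of the paper: it builds the database of short system-call sequences (length-3 windows) from constructed normal traces, in the spirit of the method the paper cites as [9], and scores an incoming trace by the fraction of its windows missing from the profile. The random selection of a subset by each MA is left out (the whole profile is used), and the alert threshold of 0.25 is an assumed value.

```python
from typing import Iterable, List, Set, Tuple

Window = Tuple[str, ...]

def windows(trace: Iterable[str], n: int) -> List[Window]:
    """All length-n sequences of consecutive system calls in a trace."""
    calls = list(trace)
    return [tuple(calls[i:i + n]) for i in range(len(calls) - n + 1)]

def build_profile(normal_traces: Iterable[Iterable[str]], n: int = 3) -> Set[Window]:
    """Learning stage: the normal profile database for one program, collected
    while it runs in safe conditions."""
    profile: Set[Window] = set()
    for trace in normal_traces:
        profile.update(windows(trace, n))
    return profile

def deviation(profile: Set[Window], trace: Iterable[str], n: int = 3) -> float:
    """Detection stage: fraction of the incoming trace's windows absent from the profile."""
    ws = windows(trace, n)
    if not ws:
        return 0.0
    return sum(1 for w in ws if w not in profile) / len(ws)

def check(profile: Set[Window], trace: Iterable[str], n: int = 3,
          threshold: float = 0.25) -> Tuple[str, float]:
    """The MA launches an alert above the (assumed) threshold, otherwise accepts."""
    d = deviation(profile, trace, n)
    return ("alert" if d > threshold else "accept", d)

# Constructed traces for one program of a local domain (not real system data)
NORMAL = [
    ["open", "read", "mmap", "mmap", "open", "read", "close"],
    ["open", "read", "mmap", "mmap", "getrlimit", "close"],
]
# Constructed suspicious trace: the program unexpectedly spawns another process
SUSPICIOUS = ["open", "read", "mmap", "execve", "fork", "execve", "close"]

PROFILE = build_profile(NORMAL)
```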
³ Local in the sense of the local domain. In fact, anomalous patterns due to distributed attacks are also considered.

Fig. 1. The Learning Stage

Fig. 2. The Detection Stage

- A population of IRAs incarnates the Intrusion Response System (IRS). In parallel to the IDA population, each IRA of the IRS performs a random walk through the network. As soon as an alert is launched, the IDA releases through the network a so-called electronic pheromone, which will be used by the IRAs to trace the route back to the alert source. This electronic information embeds all the essential features of the attack. The main fields are:
- The identifier of the IDA which built the pheromone after the attack was detected.
- The number of hops, which corresponds to the distance in terms of nodes over which the pheromone will be diffused.
- The gradient, which decreases hop by hop and will be used by the IRAs to follow the pheromonal path back to the alert source.
- The suspicion index, which corresponds to the degree of importance of the attack. This degree of importance is fixed a priori and is adjusted while the system runs.
This pheromone is diffused randomly in one direction by another agent population, namely the PheromonePropagators. This separation of roles is quite useful because it allows the different populations of agents to work independently from each other in an asynchronous way. The pheromone is deposited, and the roaming IRAs will follow it as soon as they detect its existence. Of course, this pheromonal information acts as a communication medium to alert the right IRA population. As already said, the Intranet is logically divided into security domains, and like the IDAs, the IRAs are also specialized in different tasks. Thus, the information carried by the pheromone differs according to the detected attack as well as its seriousness. This allows the IRAs to perform the adequate response. This is quite advantageous in terms of performance because it avoids having inappropriate agents moving to a location where they would be useless. Moreover, the pheromone will also evaporate after a certain period of time. This period is adjusted according to:
- The average time an IRA needs, over all the nodes it visits, to perform its task at a node, to read and interpret the pheromonal information, and to choose the next node to visit.
- The number of IRAs that have already performed a response for the current pheromone.
Here also, this evaporation process helps to limit IRA activity as well as useless resource consumption.
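The pheromone mechanism just described, as an added example that is not the paper's own code: a pheromone record with the four fields listed above, a PheromonePropagator that deposits it along one random, hop-limited direction with a gradient decreasing at each hop, an IRA that climbs the gradient back to the alert source, and an evaporation delay derived from the IRA task time and the number of responders. The network, the agent identifier `ida-7` and the formula in `lifetime` are assumptions.

```python
# Electronic pheromone: hop-limited diffusion, gradient back-tracking, evaporation (constructed).
import random
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Pheromone:
    ida_id: str       # IDA that raised the alert
    hops: int         # remaining diffusion distance in nodes
    gradient: int     # decreases hop by hop; highest at the alert source
    suspicion: float  # a-priori importance of the attack, tuned at run time

def propagate(net, source, ph, rng, deposits):
    """PheromonePropagator: deposit at the source, then walk in one random
    direction (never revisiting a node) until the hop budget is spent."""
    deposits.setdefault(source, []).append(ph)
    visited, node, cur = {source}, source, ph
    while cur.hops > 0:
        nxt = [n for n in net[node] if n not in visited]
        if not nxt:
            break
        node = rng.choice(nxt)
        cur = replace(cur, hops=cur.hops - 1, gradient=cur.gradient - 1)
        deposits.setdefault(node, []).append(cur)
        visited.add(node)
    return visited

def gradient_at(deposits, node, ida_id):  # -1 when this IDA's pheromone is absent
    return max((p.gradient for p in deposits.get(node, []) if p.ida_id == ida_id), default=-1)

def follow_back(net, deposits, start, ida_id):
    """IRA behaviour: climb the gradient to the alert source; returns the path."""
    path, node = [start], start
    while True:
        best = max(net[node], key=lambda n: gradient_at(deposits, n, ida_id))
        if gradient_at(deposits, best, ida_id) <= gradient_at(deposits, node, ida_id):
            return path  # no higher gradient next door: this is the source
        node = best
        path.append(node)

def lifetime(avg_task_time, responders, base=3):
    """Evaporation delay (assumed form): a few IRA task times, shrinking as
    more IRAs have already responded to this pheromone."""
    return base * avg_task_time / (1 + responders)

def demo():
    """Constructed chain network A-B-C-D-E; the alert is raised at A."""
    net = {"A": ["B"], "B": ["A", "C"], "C": ["B", "D"], "D": ["C", "E"], "E": ["D"]}
    deposits, ph = {}, Pheromone("ida-7", hops=3, gradient=3, suspicion=0.6)
    reached = propagate(net, "A", ph, random.Random(1), deposits)
    return sorted(reached), follow_back(net, deposits, "D", "ida-7"), gradient_at(deposits, "E", "ida-7")
```

With a hop budget of 3 the pheromone reaches A, B, C and D but never E, and an IRA meeting it at D walks D, C, B, A back to the source.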