Self-monitoring with Immunity-Based Diagnostic Model in Distributed Intrusion Detection System

Yuji WATANABE and Yoshiteru ISHIDA, Toyohashi University of Technology

Abstract: In a distributed intrusion detection system (DIDS), self-monitoring can be a difficult problem. One possibility is that each IDS is checked periodically by the others. In this paper, we propose mutual tests among IDSs using immunity-based diagnosis. Some simulation results show that a corrupted IDS gradually decreases its credibility. Furthermore, we compare self-monitoring using direct communication between IDSs with self-monitoring using mobile agents.

Key Words: Intrusion Detection System, Immunity-based diagnosis, Self-monitoring, Mobile agent
Fig. 1 An example of mutual evaluation network (five units with credibilities (R1, R2, R3, R4, R5)).

The credibility of unit i is updated by

$$\frac{dr_i(t)}{dt} = \sum_j T_{ji} R_j + \sum_j T_{ij} R_j - \frac{1}{2} \sum_{j \in \{k : T_{ik} \neq 0\}} (T_{ij} + 1) \qquad (1)$$

$$R_i(t) = \frac{1}{1 + \exp(-r_i(t))} \qquad (2)$$

where $r_i \in (-\infty, \infty)$, $R_i \in [0, 1]$, and $T_{ij}$ denotes the outcome of the test of unit j by unit i.

Fig. 2 Model of distributed intrusion detection system (hosts H1, H2, ..., HN, one of which is corrupted).

Fig. 3 Example of snort rules.

    # WEB-CGI RULES
    #--------------
    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI HyperSeek hsx.cgi directory traversal attempt"; uricontent:"/hsx.cgi"; content:"../../"; content:"%"; flow:to_server,established; reference:bugtraq,234; reference:cve,can-2-253;)
    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI HyperSeek hsx.cgi access"; uricontent:"/hsx.cgi"; flow:to_server,established; reference:bugtraq,234; reference:cve,can-2-253; classtype:web-application-activity; sid:67; rev:3;)

The rule files of snort 17) are stored under /etc/snort/:

    [root@wata root]# ls /etc/snort/
    RCS                     local.rules          snmp.rules
    attack-responses.rules  misc.rules           snort.conf
    backdoor.rules          multimedia.rules     snort_tutkie.conf
    bad-traffic.rules       mysql.rules          sql.rules
    chat.rules              netbios.rules        telnet.rules
    classification.config   nntp.rules           tftp.rules
    ddos.rules              oracle.rules         virus.rules
    deleted.rules           other-ids.rules      web-attacks.rules
    dns.rules               p2p.rules            web-cgi.rules
    dos.rules               policy.rules         web-client.rules
    experimental.rules      pop3.rules           web-coldfusion.rules
    exploit.rules           porn.rules           web-frontpage.rules
    finger.rules            reference.config     web-iis.rules
    ftp.rules               rpc.rules            web-misc.rules
    icmp-info.rules         rservices.rules      web-php.rules
    icmp.rules              scan.rules           x.rules
    imap.rules              shellcode.rules
    info.rules              smtp.rules
    [root@wata root]# head /etc/snort/web-cgi.rules
    # (C) Copyright 2,22, Martin Roesch, Brian Caswell, et al.
    # All rights reserved.
    # $Id: web-cgi.rules,v .56 22/8/8 2:28:43 cazz Exp $
    #--------------
Fig. 4 Self-monitoring using direct communication between hosts (labels in the figure: rules, Hi, Hj, Tji, Rj).

Fig. 5 Self-monitoring using mobile agents (labels in the figure: mobile agents Ma1, Ma2, ..., MaM, migrate, rules, monitor).

T ji = // j (3)
Table 1. Parameters list (parameters: R_i(0), r_i(0), N, N_f, e, L, L_h, L_t, N_c, M/N).

Fig. 6 Transitions of credibility for normal and corrupted IDS over 5 trials using direct communication between IDSs.

Fig. 7 Transitions of credibility for normal and corrupted IDS over 5 trials using mobile agents.

The false positive rate and the false negative rate are defined as

$$\alpha = \frac{N_t^{low}}{N - N_f} \qquad (4)$$

$$\beta = \frac{N_f^{high}}{N_f} \qquad (5)$$

where N is the number of hosts, N_f the number of corrupted hosts, N_t^{low} the number of normal hosts whose credibility becomes low, and N_f^{high} the number of corrupted hosts whose credibility stays high.
Fig. 8 Average false positive/negative rate (ᾱ and β̄) vs. number of connected hosts (N_c), plotted for several values of L_h.

Fig. 9 Average false positive/negative rate (ᾱ and β̄) vs. number of mobile agents per host (M/N), plotted for several values of L_h.
References

1) : , (2).
2) : , 32, 6, 682–693, (99).
3) S. Forrest, S. Hofmeyr, A. Somayaji, and T. Longstaff: A sense of self for Unix processes, In Proc. of 1996 IEEE Symposium on Security and Privacy, 120–128, (1996).
4) S. Forrest, S. Hofmeyr, and A. Somayaji: Computer immunology, Communications of the ACM, 40, 10, 88–96, (1997).
5) S. Hofmeyr and S. Forrest: Architecture for an artificial immune system, Evolutionary Computation Journal, 7, 1, 45–68, (2000).
6) : 2, 6, (2).
7) M. Crosbie and E. Spafford: Defending a computer system using autonomous agents, In Proc. of the 18th National Information Systems Security Conference, (1995).
8) E. Spafford and D. Zamboni: Intrusion detection using autonomous agents, Computer Networks, 34, 547–570, (2000).
9) : (DI), J8-D-I, 5, 532–539, (1998).
10) G. Helmer, J. Wong, V. Honavar, and L. Miller: Intelligent agents for intrusion detection, In Proc. of the IEEE Information Technology Conference, 121–124, (1998).
11) D. Dasgupta: Immunity-based intrusion detection systems: a general framework, In Proc. of the 22nd National Information Systems Security Conference, (1999).
12) N. K. Jerne: The immune system, Scientific American, 229, 1, 52–60, (1973).
13) Y. Ishida: Fully distributed diagnosis by PDP learning algorithm: towards immune network PDP model, In Proc. International Joint Conference on Neural Networks, 777–782, (1990).
14) Y. Ishida: An immune network approach to sensor-based diagnosis by self-organization, In Complex Systems, Vol. 10, 73–90. Complex Systems Publication, (1996).
15) : , (1998).
16) : (DI), J85-D-I, 8, 758–766, (2002).
17) Snort.org, http://www.snort.org/.
18) L. Lamport, R. Shostak, and M. Pease: The byzantine generals problem, ACM Trans. on Programming Languages and Systems, 4, 3, 382–401, (1982).
19) : (B), J83-B, 9, 29 26, (2000).
20) D. M. Chess: Security issues in mobile code systems, In G. Vigna, editor, Mobile Agents and Security, LNCS 1419, 1–14. Springer Verlag, (1998).