
Hydra: Agents for Information Security
A Systems Approach to Security
Jim Ross, Morris Brill
13-15 March 2002, GSAW 2002

Introduction
- Hydra integrates intrusion detection system (IDS), scanning, and vulnerability assessment tools within an agent framework
- Intelligent agent and AI techniques are used to collect, detect, evaluate, and respond to events
- All tools are open source
- New tools can be integrated into the agent framework

Hydra Architecture is Distributed and Extensible
- Agents act as wrappers for IDS tools
- Agents collect, format and forward data to a host agent
- IDS data is evaluated for significant events using AI methods
- Agents respond intelligently by starting defensive or offensive agents
- ZEUS provides the infrastructure
- Each agent makes decisions about its environment and tasks

Hydra Integrates Publicly Available Tools
- ZEUS: infrastructure to build intelligent agent systems
- CLIPS (C Language Integrated Production System): a productive development and delivery expert system shell
- FIPA (Foundation for Intelligent Physical Agents): communication protocol that binds Hydra agents
  - FIPA is a group of standards specifying the communications and other protocols for intelligent agents
- Open source scanners and other tools: portsentry, clog, nmap, logcheck, snort, etc.

Hydra Evaluates Data Fused from Independent Agents
- Each agent contributes its piece of the total picture
- The information is evaluated by host agents
- The following information is evaluated:
  - The age of the data
  - The type of agent
  - The dependability of the data
  - Criticality (or importance) of the data
  - The number of other agents reporting similar data
  - The number of other agents reporting conflicting data

Example Scenario: IDS Scan or Attack
(Diagram: a "Bad Guy" outside a router and firewall scans or attacks internal hosts, some with agents and some without. Agents forward data to a data collection and decision agent, which handles control and coordination and launches defensive and offensive actions.)

Distributed Intrusion Detection Increases Probability of Detection
- Different computer architectures (e.g., operating systems) detect different attacks
- Distributed IDS uses open source and existing tools (e.g., snort, portsentry, ISS)
- Agents intelligently coordinate intrusion reports
  - Improves performance during coordinated attacks
  - Evaluates data using attack signatures from multiple systems

Hydra: Benefits of the System Approach
- Integrates standalone capabilities into a coordinated end-to-end security system
  - Collect, detect, evaluate, respond
- Uses all open source tools to reduce life cycle costs
- Incorporates IDS, scanning, and evaluation tools used on a daily basis by typical security operations centers
  - Not a prototype or superficial construct
  - Not reinventing the wheel
- Java cross-platform capability integrates tools running on their native platform
- True intelligent agents

Further Information
- Jim Ross: [email protected]
- Morris Brill:
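The evaluation criteria on the "Hydra Evaluates Data Fused from Independent Agents" slide (age of the data, type of agent, dependability, criticality, corroborating and conflicting reports) and the cross-host coordination of intrusion reports on the "Distributed Intrusion Detection" slide, worked through as an added example. This is not Hydra's own code and the slides give no formula: the per-agent dependability table, the per-event criticality table, the ten-minute half-life, the corroboration bonus, the action thresholds and the sample reports are all assumptions made here for illustration.

```python
"""Evidence fusion over reports from independent agents.

Added illustration of the evaluation criteria the Hydra slides list. This is
not Hydra's code; the weights, half-life, thresholds and sample reports are
assumptions made here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Report:
    host: str     # host whose agent produced the report
    agent: str    # type of agent, named after the tool it wraps
    event: str    # normalized event label
    source: str   # address the event is attributed to
    age_s: float  # seconds since the agent observed the event


# Assumed dependability of each agent type (0..1); unknown agents get 0.3.
DEPENDABILITY = {"snort": 0.8, "portsentry": 0.6, "logcheck": 0.5, "inventory": 0.9}

# Assumed criticality of each event if it is true (0..1). Events listed in
# CONFLICTING argue that the source is NOT hostile (e.g. a scan the
# inventory agent knows was scheduled).
CRITICALITY = {"exploit_attempt": 1.0, "portscan": 0.5, "authorized_scan": 0.5}
CONFLICTING = {"authorized_scan"}

HALF_LIFE_S = 600.0         # assumed: a report loses half its weight every 10 min
CORROBORATION_BONUS = 0.25  # assumed: +25% per additional host reporting the source
BLOCK_AT, INVESTIGATE_AT = 1.5, 0.5  # assumed action thresholds


def age_weight(age_s: float) -> float:
    """Exponential decay so stale reports count for less than fresh ones."""
    return 0.5 ** (age_s / HALF_LIFE_S)


def report_weight(r: Report) -> float:
    """Dependability x freshness x criticality for a single report."""
    return (DEPENDABILITY.get(r.agent, 0.3)
            * age_weight(r.age_s)
            * CRITICALITY.get(r.event, 0.5))


def fuse(reports, source: str) -> float:
    """Score the hypothesis 'source is hostile' from every report about it."""
    about = [r for r in reports if r.source == source]
    support = [r for r in about if r.event not in CONFLICTING]
    conflict = [r for r in about if r.event in CONFLICTING]
    support_weight = sum(report_weight(r) for r in support)
    # Independent hosts seeing the same source are stronger evidence than one
    # host reporting it repeatedly, so count distinct hosts, not reports.
    hosts = {r.host for r in support}
    corroboration = 1.0 + CORROBORATION_BONUS * max(0, len(hosts) - 1)
    conflict_weight = sum(report_weight(r) for r in conflict)
    return support_weight * corroboration - conflict_weight


def decide(score: float) -> str:
    """Map a fused score to the kind of agent a host agent would start."""
    if score >= BLOCK_AT:
        return "block"        # start a defensive agent (e.g. add a firewall rule)
    if score >= INVESTIGATE_AT:
        return "investigate"  # start a scanning agent to gather more data
    return "ignore"


def evaluate(reports):
    """Fuse all reports per source and pick an action for each source."""
    result = {}
    for src in sorted({r.source for r in reports}):
        score = fuse(reports, src)
        result[src] = (score, decide(score))
    return result


# Constructed sample reports from agents on three hosts (not real alerts).
SAMPLE_REPORTS = [
    Report("hostA", "snort",      "portscan",        "10.0.0.5", age_s=0),
    Report("hostB", "portsentry", "portscan",        "10.0.0.5", age_s=600),
    Report("hostC", "snort",      "exploit_attempt", "10.0.0.5", age_s=0),
    Report("hostA", "logcheck",   "portscan",        "10.0.0.9", age_s=0),
    Report("hostB", "inventory",  "authorized_scan", "10.0.0.9", age_s=0),
]

if __name__ == "__main__":
    for src, (score, action) in evaluate(SAMPLE_REPORTS).items():
        print(f"{src:10} score={score:6.3f} action={action}")
```

With these assumed weights, 10.0.0.5 is reported by three different hosts, one of them with a fresh exploit attempt, so its corroborated score clears the block threshold; 10.0.0.9 is reported by a single low-dependability agent and contradicted by the inventory agent, so the conflicting report drives the score below zero and nothing is started. The point the slides make is visible in the arithmetic: no single report reaches the block threshold on its own, only the fused picture does.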