SJSU CS 265 - Mobile Agents

This preview shows page 1-2-21-22 out of 22 pages.


Mobile Agents for Intrusion Detection
Jaromy Ward

Mobile Agents?
- What is a mobile agent?
  - Autonomous
  - Moves on its own to another machine
  - Platform / Agent
  - Duplicative
  - Adaptable

Traditional IDS
- Hierarchical
  - Intrusion detection at end nodes
  - Aggregate nodes take data from end nodes
  - Command and control at top of hierarchy
  - IDS reports possible intrusions to a human
    - The user must then make a decision
      - Is this a real threat?
      - What action should be taken?

Problems with Traditional IDS
- Lack of Efficiency
- High Number of False Positives
- Burdensome Maintenance
- Limited Flexibility
- Vulnerable to Direct Attack
- Vulnerable to Deception
- Limited Response Capability
- No Generic Building Methodology

Problems with Traditional IDS
- Lack of Efficiency
  - Amount of data
  - Host-based IDS
    - Slows down performance of the system
  - Network-based IDS
    - Cannot process all network traffic
- High Number of False Positives
  - IDSs still raise too many false alarms that an intrusion has taken place.
  - Also, some attacks still go unnoticed.

Problems with Traditional IDS
- Burdensome Maintenance
  - The maintenance of an IDS requires knowledge of rule sets, which are different from system to system.
- Limited Flexibility
  - IDSs are written for specific environments
  - Not easily ported to different systems
  - Upgrade requires shutting down the IDS

Problems with Traditional IDS
- Vulnerable to Attack
  - Levels of compromise
    - Root level: worst case
    - Aggregation level: next worst case
    - End node level: not too bad
  - Lack of redundancy
  - Lack of mobility
  - Lack of dynamic recovery

Problems with Traditional IDS
- Vulnerable to Deception
  - Network-based IDSs use a generic network protocol stack for analysis
  - An attacker could use this to deceive the IDS into treating a packet as good when in fact it is not
- Limited Response Capability
  - Delay of response
    - Human response time
    - Distance from end node and controller

Advantages of Mobile Agents
- Reduce Network Load
- Overcoming Network Latency
- Autonomous Execution
- Platform Independence
- Dynamic Adaptation
- Static Adaptation
- Scalability
- Fault Tolerance
- Redundancy

Advantages
- Reduce Network Load
  - Computation moved closer to affected nodes
  - Reduction in data to be moved
- Overcoming Network Latency
  - More immediate response times
  - Closer to end nodes
- Autonomous Execution
  - Communication with other MAs
  - Cloning of MAs
  - No need for central authority to take action

Advantages
- Platform Independence
  - Run on any operating system
  - Only need to write code to run on the platform, not the OS
- Dynamic Adaptation
  - Reactions based on previous intrusions
  - Learn to avoid or move towards areas
  - Cloning for added protection

Advantages
- Static Adaptation
  - Upgrades only require introducing a new agent
  - Old mobile agents removed later
- Scalability
  - Introduction of more mobile agents
- Fault Tolerance
  - Moves encrypted in the network with data it may need

Advantages
- Redundancy
  - Central point of failure removed
  - Harder to locate MAs as they are always moving
  - Keep in contact with other MAs
    - Determine state of network
    - Help other MA, produce clone

Disadvantages of MAs
- Security
  - Need for PKI
  - Platforms need to ensure MA is not harmful
    - Signed by trusted authority
    - Encrypted with public key
- Code Size
  - IDS is complicated
  - Minimize agent

