Mobile Agent Attack Resistant Distributed Hierarchical Intrusion Detection Systems
Abstract
Distributed intrusion detection systems are especially vulnerable to attacks because the components reside at a static location and are connected together into a hierarchical structure. An attacker can disable such a system by taking out a node high in the hierarchy, thus amputating a portion of the distributed system. One solution to this problem is to cast the internal nodes in the system hierarchy as mobile agents. These mobile agents randomly move around the network such that an attacker cannot locate their position. If an attacker takes out a mobile agent platform, the remaining agents estimate the location of the attacker and automatically avoid those networks. Killed agents are resurrected by a group of backups that retain all or partial state information. We are implementing this technology as an API such that existing intrusion detection systems can wrap their components as mobile agents in order to gain a type of “attack resistance”.

1.0 Introduction

Intrusion detection systems (IDSs) are obvious targets for network intruders. Take out the IDS and an attacker can slip invisibly into vulnerable computer systems. This problem becomes more pronounced as commercial IDSs migrate to massively distributed hierarchical architectures. In these systems, an attacker can amputate portions of an IDS by taking out statically located command and control hosts. The resulting IDS has reduced detection capability at best and is completely disabled at worst.

This inherent weakness in modern distributed IDSs is due to their hierarchical nature. For example, if one shuts down the root node of a distributed hierarchical application, it ceases to function. However, organizing IDS components into a hierarchical structure is an ideal way to detect and respond to attacks in large networks. The majority of IDSs that scale to large networks are organized in a hierarchical fashion because this structure provides many performance and organizational advantages. The alternative, a completely distributed non-hierarchical IDS structure, has been tried by several research IDSs but has proven inefficient both in detecting distributed attacks and in quickly reporting attacks.

The objective of our work is to enable IDS developers to retain the hierarchical organization of IDS components while removing the inherent vulnerabilities that hierarchical structures create. Our interest is in making IDSs resistant to denial of service attacks and penetration attacks that disable IDS components. We do not address the issues involved with an attacker penetrating an IDS and altering its functionality.

We accomplish our stated goal by converting the statically placed non-leaf components of a distributed hierarchical IDS into mobile agents (MAs). As MAs, the IDS components can hide themselves in a network, evade attackers, and recover themselves if killed. The agents randomly move around the network, and thus it is difficult for an attacker to pinpoint an important agent’s location. The agents are attack evasive in that if an attacker shuts down a host, agents move away from network locations they think might be under an attacker’s influence. If an agent is destroyed, backup agents resurrect the destroyed agent and connect themselves back into the hierarchical IDS structure. Thus, the agent framework mitigates the single point of failure problems found

* Published in the proceedings of the 2nd International Workshop on Recent Advances in Intrusion Detection, West Lafayette, Indiana, USA; September 7-9 1999.

† However, we do limit how one penetrated IDS component can damage other IDS components.
Similar resources
A New Intrusion Detection System to deal with Black Hole Attacks in Mobile Ad Hoc Networks
By extending wireless networks and because of their different nature, some attacks appear in these networks which did not exist in wired networks. Security is a serious challenge for actual implementation in wireless networks. Due to lack of the fixed infrastructure and also because of security holes in routing protocols in mobile ad hoc networks, these networks are not protected against attack...
Proposing A Distributed Model For Intrusion Detection In Mobile Ad-Hoc Network Using Neural Fuzzy Interface
Security term in mobile ad hoc networks has several aspects because of the special specification of these networks. In this paper a distributed architecture was proposed in which each node performed intrusion detection based on its own and its neighbors’ data. Fuzzy-neural interface was used that is the composition of learning ability of neural network and fuzzy Ratiocination of fuzzy system as...
Self-protected Mobile Agent Approach for Distributed Intrusion Detection System against DDoS Attacks
With the growing Information Systems and Network technologies, security threats over the systems have also become common. Providing a security mechanism to detect such threats has become an inevitable part of Information Systems. Distributed Denial of Service (DDoS) attack is one of the most common attacks which are done in a co-ordinated manner. Hence, we need a Distributed Intrusion Detection...
Distributed Approach of Intrusion Detection System: Survey
Intrusion Detection Systems (IDS) are now becoming one of burning issue for any organization’s network. Intruders always search for vulnerabilities or flaws in target system and attack using different techniques. An intrusion detection system (IDS) is needed to detect and respond effectively whenever the confidentiality, integrity, and availability of computer resources are under attack. Today,...
Publication date: 1999