[IEEE 2010 IEEE International Conference on Intelligent Computer Communication and Processing (ICCP) - Cluj-Napoca, Romania (2010.08.26-2010.08.28)] Proceedings of the 2010 IEEE 6th

Maintenance Agents for the Computer Security Domain

Ioan Alfred LETIA
Technical University of Cluj Napoca
Department of Computer Science
Cluj-Napoca, Romania
[email protected]

Dan Alexandru MARIAN
Technical University of Cluj Napoca
Department of Computer Science
Cluj-Napoca, Romania
[email protected]

Abstract

Maintenance agents have the purpose of ensuring that specified conditions are fulfilled, by employing their capabilities and exploiting local context information. They offer the benefits of decentralised processing and distributed control, robustness and scalability. The maintenance agents described in this paper were designed for the network intrusion detection domain and exploit the anomaly detection strategy. The reactive nature of these agents ensures that the network traffic obeys the rules describing normal traffic patterns. Maintenance agents relieve users from specifying normal traffic characteristics, are able to adapt to the environment in which they operate and take time information into consideration.

1. Introduction

Defending computer networks from internal or external attacks is the goal of any security strategy. The main objective of this paper is the specification of autonomous agents for maintaining the proper security level in Local Area Networks.

The approach used in this paper is specific to anomaly based intrusion detection systems. The model of normal behaviour is learned and used for specifying agent goals. What distinguishes maintenance agents [1] from other types of agents is that they strive to ensure that certain conditions, viewed as maintenance goals, are always satisfied. We consider conditions of normal behaviour to be maintenance goals. To fulfil them, maintenance agents are required to act based on their beliefs, while having at their disposal a set of commands specific to each networking device. Rather than specifying the sequence of actions required for achieving the maintenance goals, agents have the freedom of choosing the sequence of actions themselves.

Hence, no ordering of actions is enforced. Network disruption and insecurity are therefore perceived as a quantifiable, but acceptable, risk to network security. By using this approach, low level implementation details are decoupled from high level goal specifications, allowing agents to learn the adequate response to security threats on different Operating Systems (OS) and networking devices.

Maintenance goals are similar to security policies. One of the main difficulties associated with security policies is their specification: in order to enforce them, one has to know both the attack strategies and the ways to diminish their effects. In contrast, maintenance goals rely mainly on the normal traffic model, and maintenance agents are allowed to use a non-deterministic sequence of actions for fulfilling them. Even though several papers address the issues of specifying and/or enforcing security policies [2] or the use of agents for performing security tasks [3] [4], the use of maintenance agents has received less attention.

2. Motivation

The use of agents for accomplishing tasks in the domain of computer security is more pervasive now than ever, in synergy with the evolution of computing architectures such as cloud and service oriented computing. Maintenance agents set the premises to relieve computer administrators from specifying security policies and are a solution to the policy enforcement problem. More specific and granular security constraints may be enforced, and attack techniques can be more easily targeted. Maintenance agents would be more easily deployed on different systems, playing different roles within the given infrastructure, since their main requirement is that of maintaining the normal behaviour of the given system. The main issue is that of setting the baseline for normal behaviour. A solution has already been offered in the case of host based intrusion detection / prevention by the systrace utility, which learns the system calls a program normally makes and is later able to deny deviations from that policy.

978-1-4244-8230-6/10/$26.00 ©2010 IEEE

The paper focuses mainly on the use of maintenance agents in network intrusion detection, taking a reactive perspective on intrusion attempts.

The use of agents in the network security domain is not new, since agents have several benefits over centralised detection systems. Agents address both the bottleneck and the single point of failure problems common to centralised systems. In addition, agents have more time allocated for processing context information and are able to take local decisions. Furthermore, the required functionality of the detection system can be distributed across several independently running agents, thus reducing the complexity of the system and facilitating the modification of the software components. The scalability and the robustness of the detection system are also enhanced, compared to the centralised approach.

The specification of the agents presented in this paper is done in GOAL (Goal Oriented Agent Language), a framework described in [5] and [1] whose mission is to fill the gap between agent logics and actual agent programming [5]. We assume that GOAL has temporally extended declarative goals as described in [6]. Several simplifying assumptions were made, either due to the limitations of the language or to the need to make the examples understandable. Each agent has its own collection of goals and is not required to communicate with other agents. An agent can have multiple competing goals, and each of them can be achieved at different time steps [5]. Mutually exclusive goals can be specified, and they are accomplished in different time steps [5]. Operators from temporal logic are used: □ for "always", ♦ for "eventually" and ○ for "in the next state", together with the modal operators B ("belief") and G ("goal").

3. Agent specification

The environment in which the agents are distributed is dynamic and not fully accessible. We will refer to maintenance agents using the generic term of security agents.

Security agents have the achievement goal of ensuring network security. Even though it is possible to deliberately drop the network connectivity to the outside world in order to prevent attackers from penetrating the network, security agents also have the maintenance goal of ensuring network connectivity. Hence, if network security were also a maintenance goal, 'worlds' would exist in which the maintenance goals are inconsistent and the agent is unable to act. As a consequence we view network intrusion detection as a maintenance goal, while network defence is seen as an achievement goal that the agents hope to ensure by setting firewall rules, for example. The actions that the agent can take for fulfilling the achievement goals are limited by the existing maintenance goals [1]. In this case, the network connectivity and the network intrusion detection maintenance goals constrain the actions that the agent can take in order to fulfil the network defence achievement goal.

Since the objective of this paper is maintenance goals, we neglect the beliefs and some of the actions related to achievement goals for reasons of space.

Let us first consider the requirements that an agent may have, in order to illustrate the operators that will be used throughout this paper. The agent software needs to be compiled and linked so that it can be run by the OS. Next, the OS has to load the binary application file from persistent storage into memory. Therefore such a file must exist (□ application_file_exists), the user must have the permission to launch the agent into execution (□ permission_to_run_agent), and sufficient memory has to be available (□ memory). When an agent terminates, its memory is de-allocated (together with any other resources explicitly specified) and it stops running:

♦ (exit → ((○ ¬running) ∧ (○○ ¬memory)))

Notice that we enforce the fact that an agent must eventually terminate its execution, and that the used memory must be freed after the process has stopped running (i.e. in the next state). Furthermore, note that all the specified conditions reduce to logic propositions and that the goals must be satisfiable (the application must eventually stop). While the second requirement is evident, the first one is used to address the valuation problem in temporal logic. A proposition such as syn_ack is true when there is a network packet having both the synchronization (SYN) and acknowledgement (ACK) flags set. These flags are specific to the Transmission Control Protocol (TCP) and represent a synchronization request and an acknowledgement.

The maintenance goals of an agent responsible for network intrusion detection are obtained by observing and representing normal behaviour. The strategy used is that of searching for rules in network traffic. The proposition ips_ipd is used to denote a combination of Internet Protocol (IP) source address (ips) and IP destination address (ipd). Network packets having the combination ips_ipd are assumed to travel from the local network to the remote facility, and ipd_ips from the remote facility to the local network. The proposition ports_portd is used to denote the combination of source and destination ports.

TCP uses a three-way handshake for connection establishment. By analysing the network traffic, rules of normal behaviour are extracted. In the first stage, packets with ips_ipd ∧ ports_portd ∧ syn (i.e. network packets with an IP source and destination address, a source and a destination port, and the TCP synchronization flag set) are sent by a computer from the local network to a remote facility, requesting a connection establishment. The remote facility replies to the synchronization request with an ipd_ips ∧ portd_ports ∧ syn ∧ ack packet. The computer from the local network then sends an acknowledgement to the remote facility: ips_ipd ∧ ports_portd ∧ ack. The lost packets scenario (including lost acknowledgements) is not considered for reasons of space.

Once the connection between the two end devices has been established, the data transfer can begin. The connection would eventually have to be terminated:

□ (connection → ♦ terminate_connection)

Connection termination can be accomplished either by a graceful teardown, in which network packets with the fin flag set are sent and both parties acknowledge the connection termination, or by an abrupt connection reset using a packet with the rst (i.e. reset) flag set.

Going one step further, we introduce time into the equation. By analysing the network traffic, agents may note that acknowledgement packets are a response to synchronization requests, hence they appear after them. While the literature is full of papers dealing with the use of Artificial Neural Networks and Genetic Algorithms for discovering static patterns, temporal patterns have received less attention. Event logic and temporal logic are used for handling this kind of information. Since our agents have temporally extended goals, such normal activity patterns can be expressed in rules such as:

□ (ips_ipd ∧ ports_portd ∧ syn → ♦ (ipd_ips ∧ portd_ports ∧ syn ∧ ack) before time-out)

What makes these agents special is the fact that the time-out value is learned from the underlying network traffic. This is particularly important because operating systems use different protocol stack implementations, even though the Internet protocols have well defined standards. Furthermore, since the time-out value is learned, the issues related to setting a fixed threshold value are overcome. This is particularly useful in the case of different network latencies.

In the given example, also note that the normal behaviour assumes that whenever there is a synchronization request there will eventually be a positive response from the remote end. In the abnormal case, a SYN port sweep network reconnaissance technique would produce a large number of connection resets (i.e. packets with the rst flag set) from closed ports; a sweep of filtered ports produces no reply at all, which is exactly what the time-out in the rule above detects. By employing this data driven normal traffic learning process, agents are able to learn the peculiarities of the environment in which they operate and adapt to it.
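Learning the time-out and applying the rule to a trace, as an added example that is not part of the paper: the packet records, the addresses (10.0.0.0/24 as the local network, 93.184.216.34 as the remote facility), the timings and the rule used to derive the time-out (largest observed SYN to SYN/ACK delay times a slack factor) are all constructed here. The example also counts, per local source, the SYNs that were refused with a reset or left unanswered past the time-out, which is how the port sweep described above shows up in the data.

```python
"""Added example: learn the SYN -> SYN/ACK time-out from normal traffic and check
the rule  [] (ips_ipd & ports_portd & syn -> <> (ipd_ips & portd_ports & syn & ack)
before time-out)  against a second trace. All traces are constructed."""
from collections import Counter, namedtuple

# constructed packet record: time in seconds, addresses, ports, set of TCP flags
Packet = namedtuple("Packet", "t src dst sport dport flags")

LOCAL_PREFIX = "10.0.0."     # assumed local network: packets from here are ips_ipd
REMOTE = "93.184.216.34"     # constructed remote facility


def pk(t, src, dst, sport, dport, *flags):
    return Packet(t, src, dst, sport, dport, frozenset(flags))


def is_outbound(p):
    return p.src.startswith(LOCAL_PREFIX) and not p.dst.startswith(LOCAL_PREFIX)


def learn_timeout(trace, slack=2.0):
    """Learn the time-out from completed handshakes in `trace`: the largest
    observed SYN -> SYN/ACK delay, scaled by `slack` to tolerate ordinary
    jitter. Returns None when no handshake was observed."""
    pending = {}          # (ips, ipd, ports, portd) -> time the SYN was seen
    delays = []
    for p in sorted(trace, key=lambda x: x.t):
        if is_outbound(p) and p.flags == {"syn"}:
            pending[(p.src, p.dst, p.sport, p.dport)] = p.t
        elif p.flags == {"syn", "ack"}:
            key = (p.dst, p.src, p.dport, p.sport)   # the SYN this packet answers
            if key in pending:
                delays.append(p.t - pending.pop(key))
    return max(delays) * slack if delays else None


def check_trace(trace, timeout, sweep_threshold=5):
    """Check the rule against `trace`. Returns (violations, suspects): each
    violation is (reason, (ips, ipd, ports, portd)) where reason is "rst"
    (the SYN was refused, so no SYN/ACK can follow) or "timeout" (no reply
    within the learned time-out); suspects are local sources with at least
    `sweep_threshold` violations, the footprint of a SYN port sweep."""
    pending = {}
    violations = []
    for p in sorted(trace, key=lambda x: x.t):
        # expire SYNs whose time-out elapsed before this packet arrived
        for key, t0 in list(pending.items()):
            if p.t - t0 > timeout:
                violations.append(("timeout", key))
                del pending[key]
        key_out = (p.src, p.dst, p.sport, p.dport)
        key_back = (p.dst, p.src, p.dport, p.sport)   # the SYN this packet answers
        if is_outbound(p) and p.flags == {"syn"}:
            pending[key_out] = p.t
        elif p.flags == {"syn", "ack"} and key_back in pending:
            del pending[key_back]                     # rule satisfied in time
        elif "rst" in p.flags and key_back in pending:
            del pending[key_back]
            violations.append(("rst", key_back))
    per_source = Counter(key[0] for _, key in violations)
    suspects = sorted(s for s, n in per_source.items() if n >= sweep_threshold)
    return violations, suspects


# constructed training trace: three ordinary handshakes, replies within 20-50 ms
NORMAL_TRACE = [
    pk(1.00, "10.0.0.5", REMOTE, 40001, 443, "syn"),
    pk(1.02, REMOTE, "10.0.0.5", 443, 40001, "syn", "ack"),
    pk(1.03, "10.0.0.5", REMOTE, 40001, 443, "ack"),
    pk(2.00, "10.0.0.5", REMOTE, 40002, 443, "syn"),
    pk(2.05, REMOTE, "10.0.0.5", 443, 40002, "syn", "ack"),
    pk(2.06, "10.0.0.5", REMOTE, 40002, 443, "ack"),
    pk(3.00, "10.0.0.6", REMOTE, 40003, 80, "syn"),
    pk(3.03, REMOTE, "10.0.0.6", 80, 40003, "syn", "ack"),
    pk(3.04, "10.0.0.6", REMOTE, 40003, 80, "ack"),
]

# constructed test trace: one normal handshake, then 10.0.0.7 sweeps six ports;
# five are closed (answered with RST), port 80 is filtered (no answer at all)
SWEEP_PORTS = (21, 22, 23, 25, 80, 110)
SWEEP_TRACE = (
    [pk(5.00, "10.0.0.5", REMOTE, 40010, 443, "syn"),
     pk(5.04, REMOTE, "10.0.0.5", 443, 40010, "syn", "ack"),
     pk(5.05, "10.0.0.5", REMOTE, 40010, 443, "ack")]
    + [pk(10.0 + i * 0.05, "10.0.0.7", REMOTE, 50000 + i, port, "syn")
       for i, port in enumerate(SWEEP_PORTS)]
    + [pk(10.01 + i * 0.05, REMOTE, "10.0.0.7", port, 50000 + i, "rst", "ack")
       for i, port in enumerate(SWEEP_PORTS) if port != 80]
    # later unrelated traffic, so the unanswered SYN to port 80 gets expired
    + [pk(20.0, "10.0.0.5", REMOTE, 40010, 443, "fin", "ack")]
)

if __name__ == "__main__":
    T = learn_timeout(NORMAL_TRACE)
    print("learned time-out: %.3f s" % T)
    violations, suspects = check_trace(SWEEP_TRACE, T)
    print(len(violations), "violations; sweep suspects:", suspects)
```

The time-out is deliberately derived from the training trace alone, so a host on a slow link learns a longer value than one on a LAN; a practitioner would also want to re-learn it periodically, since a value learned once never adapts to a changed path.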

The preceding rules must hold true globally. In GOAL, maintenance goals can neither be dynamically added nor removed [1]. They are considered static, in contrast to achievement goals, which are removed when the agent believes that an action has accomplished the goal [1]. Once the agents' goals and capabilities have been specified, they are ready to act based on their beliefs.

For example, consider that an agent can take several actions, where the action do(interface_down) has the effect of dropping network connectivity (B (do(interface_down) → ○ ¬connectivity)), do(interface_up) establishes it (○ connectivity), and the agent believes that network connectivity is needed for normal operation (□ connectivity), that is B □ connectivity. The agent can then infer that it should not execute the action do(interface_down), since:

(B (do(interface_down) → ○ ¬connectivity) ∧ B □ connectivity) → B ¬do(interface_down)

The firewall actions pass, forward and block are modelled in a similar way in GOAL. The agent expects to receive a packet in the next state:

B ○ packet → B ((do(pass) ∨ do(forward)) ∧ (packet ∧ ¬do(block))),

since by executing do(pass) or do(forward) a packet is received (assuming a continuous flow of packets), and if a packet has already been received, the action do(block) was not executed.

These actions are used to fulfil the achievement goal of receiving a packet (G packet_received), which must be consistent with the belief base, must not already be achieved (B ¬packet_received) and must be achievable (¬B ¬packet_received). If there is no network connectivity, the achievement goal of receiving a packet can be removed from the goal base:

□ (B ¬connectivity → drop(G packet_received)).

Once network connectivity is established, the goal can be added to the agent's goal base:

□ (B connectivity → adopt(G packet_received)).

In a similar manner, the competing goal of dropping network packets is defined (G packet_dropped). The two goals can be fulfilled for different packets and at different time steps by employing the actions that are enabled. Note that do(block) is used for fulfilling the goal G packet_dropped, and the other two for G packet_received. The maintenance conditions act as enabling rules for these actions. The decision process is done in two steps: first the decision is made and next the action is enforced. Since enabling an action requires a conjunction of a large number of propositions, we assume the existence of the beliefs B pass, B forward and B block. Hence, the action pre-conditions are: □ (do(pass) → B pass), □ (do(forward) → B forward) and □ (do(block) → B block). Since firewalls operate under the Closed World Assumption,

□ ((¬B pass ∧ ¬B forward) → B block).

B ¬block does not imply anything. Exactly one such belief is adopted: an agent either accepts or drops packets for which its host is the destination, and forwards packets destined to other hosts (traffic is characteristic to each host, since a network traffic model is built for each host).
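The inferences above (an action that would falsify a maintained condition is not executed, the achievement goal is adopted and dropped as the connectivity belief changes, and the Closed World Assumption makes block the default belief) can be reproduced in a few lines. The following Python is an added example, not the paper's GOAL code and not a GOAL interpreter: the one-step action effects in EFFECTS, the SERVES mapping from actions to the goals they advance, and the SecurityAgent class are constructed for illustration.

```python
"""Added example: a minimal belief/goal cycle that reproduces the inferences in
the text. Maintenance goals filter actions by looking one state ahead;
achievement goals are adopted and dropped as beliefs change."""

# constructed one-step effects: action -> beliefs that hold in the next state
EFFECTS = {
    "interface_down": {"connectivity": False},
    "interface_up": {"connectivity": True},
    "pass": {"packet": True},
    "forward": {"packet": True},
    "block": {"packet": False},
}

# constructed: the condition each action serves (achievement or maintenance goal)
SERVES = {
    "interface_up": "connectivity",
    "pass": "packet_received",
    "forward": "packet_received",
    "block": "packet_dropped",
}


class SecurityAgent:
    MAINTENANCE = ("connectivity",)      # B [] connectivity must hold in every state

    def __init__(self, beliefs):
        self.beliefs = dict(beliefs)     # e.g. {"connectivity": True, "pass": True}
        self.goals = set()
        self.update_goals()

    def update_goals(self):
        # [] (B connectivity -> adopt(G packet_received))
        # [] (B ~connectivity -> drop(G packet_received))
        if self.beliefs.get("connectivity"):
            self.goals.add("packet_received")
        else:
            self.goals.discard("packet_received")
        self.goals.add("packet_dropped")  # the competing goal is always present

    def firewall_belief(self):
        # Closed World Assumption: [] ((~B pass & ~B forward) -> B block)
        for b in ("pass", "forward"):
            if self.beliefs.get(b):
                return b
        return "block"

    def violates_maintenance(self, action):
        # B (do(a) -> o ~m) & B [] m  =>  B ~do(a): look one state ahead
        nxt = dict(self.beliefs, **EFFECTS[action])
        return any(not nxt.get(m, False) for m in self.MAINTENANCE)

    def enabled(self, action):
        if self.violates_maintenance(action):
            return False
        if action in ("pass", "forward", "block"):
            return self.firewall_belief() == action   # [] (do(a) -> B a)
        return True

    def choose_action(self):
        """First enabled action that serves a current goal or restores a
        maintenance goal that currently fails; None if nothing applies."""
        for action in EFFECTS:
            if not self.enabled(action):
                continue
            target = SERVES.get(action)
            if target in self.goals or (
                target in self.MAINTENANCE and not self.beliefs.get(target)
            ):
                return action
        return None

    def execute(self, action):
        """Enforce an enabled action: apply its effect and refresh the goal base."""
        if not self.enabled(action):
            raise ValueError(action + " is not enabled")
        self.beliefs.update(EFFECTS[action])
        self.update_goals()
        return dict(self.beliefs)


if __name__ == "__main__":
    a = SecurityAgent({"connectivity": True, "pass": True})
    print("connected agent: interface_down enabled?", a.enabled("interface_down"))
    print("connected agent chooses:", a.choose_action())
    b = SecurityAgent({"connectivity": False})
    print("disconnected agent chooses:", b.choose_action(), "goals:", sorted(b.goals))
```

With connectivity lost, every firewall action fails the look-ahead check as well, so the only enabled action is the one that restores the maintenance goal; that is the intended reading of "the maintenance goals constrain the actions".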

A maintenance condition for normal TCP traffic is the following:

□ (hostip_ips ∧ ¬fragmentation ∧ ¬urgent ∧ ¬differentiated_services ∧ ¬reserved_bit ∧ ¬ttl_2 ∧ ¬empty_buffer ∧ (□ hostip_ipd ∧ ports_portd ∧ syn → ♦ (ipd_hostip ∧ portd_ports ∧ syn ∧ ack)) → B pass)

and for ICMP traffic:

□ (hostip_ipd ∧ ¬ttl_less_than_1 ∧ ¬fragmentation ∧ ¬source_quench ∧ ¬redirect → B pass).

Note that hostip_ips denotes a host IP different from the source IP (ips, the incoming traffic case), hence it also covers the Denial of Service attacks which exploit identical source and destination IP addresses (the LAND attack). These are minimum network requirements for passing a packet. We can group them into a generic proposition p and test them once per packet. Then p can be further enhanced with other conditions such as known_ips, known_destination_port, destination_port_less_than_1024 or admissible_packet_size.
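As an added example, not from the paper, the proposition p above mapped onto concrete header fields in Python, together with the pass/forward/block decision under the Closed World Assumption. The Header dataclass, HOST_IP, KNOWN_IPS, and the readings of the paper's propositions (fragmentation as the MF flag or a non-zero fragment offset, differentiated_services as a non-zero DSCP, ttl_2 as a TTL of two or less, empty_buffer as host state passed in by the caller) are this example's assumptions. The flow-level clause of the TCP condition (a SYN eventually answered) is a temporal rule and is not repeated here; only the per-packet part is encoded.

```python
"""Added example: the per-packet proposition p for TCP and ICMP, and the
pass/forward/block decision with block as the closed-world default."""
from dataclasses import dataclass

HOST_IP = "10.0.0.5"              # assumed address of the host the agent protects
KNOWN_IPS = {"198.51.100.9"}      # constructed set for the optional known_ips check
MTU = 1500                        # assumed bound for admissible_packet_size

ICMP_SOURCE_QUENCH = 4            # ICMP type numbers (RFC 792)
ICMP_REDIRECT = 5


@dataclass
class Header:
    src: str
    dst: str
    proto: str                    # "tcp" or "icmp"
    ttl: int
    more_fragments: bool = False  # IP MF flag
    frag_offset: int = 0          # IP fragment offset
    dscp: int = 0                 # differentiated services code point
    reserved_bit: bool = False    # reserved IP flag bit
    urg: bool = False             # TCP URG flag
    dport: int = 0                # destination port (TCP)
    length: int = 0               # total packet length
    icmp_type: int = 0            # ICMP type, when proto == "icmp"


def fragmentation(h):
    return h.more_fragments or h.frag_offset != 0


def tcp_p(h, buffer_available=True):
    """Minimum per-packet requirements for passing TCP (the paper's p)."""
    return (h.src != HOST_IP              # hostip_ips: source must differ from the host
            and not fragmentation(h)
            and not h.urg                 # ~urgent
            and h.dscp == 0               # ~differentiated_services
            and not h.reserved_bit
            and h.ttl > 2                 # ~ttl_2 (assumed reading: TTL <= 2 is abnormal)
            and buffer_available)         # ~empty_buffer, taken as host state


def icmp_p(h):
    """Minimum per-packet requirements for passing ICMP."""
    return (not h.ttl < 1                 # ~ttl_less_than_1
            and not fragmentation(h)
            and h.icmp_type not in (ICMP_SOURCE_QUENCH, ICMP_REDIRECT))


# optional refinements of p mentioned in the text, constructed here
def known_ips(h):
    return h.src in KNOWN_IPS


def destination_port_less_than_1024(h):
    return h.dport < 1024


def admissible_packet_size(h):
    return 0 < h.length <= MTU


def decide(h, buffer_available=True, extra=()):
    """Return 'pass' or 'block' for packets addressed to this host and
    'forward' for packets destined to other hosts. Closed World Assumption:
    unless a pass belief is explicitly derived, the packet is blocked."""
    if h.dst != HOST_IP:
        return "forward"
    if h.proto == "tcp":
        p = tcp_p(h, buffer_available)
    elif h.proto == "icmp":
        p = icmp_p(h)
    else:
        p = False                         # no pass rule exists for other protocols
    if p and all(cond(h) for cond in extra):
        return "pass"
    return "block"


if __name__ == "__main__":
    land = Header(src=HOST_IP, dst=HOST_IP, proto="tcp", ttl=64)
    echo = Header(src="198.51.100.9", dst=HOST_IP, proto="icmp", ttl=64, icmp_type=8)
    print("LAND-style packet:", decide(land))
    print("ICMP echo request:", decide(echo))
```

Every condition in p is a header test, which is why the rules map directly onto firewall rules as the paper intends; note that the Closed World Assumption also means an unknown protocol is blocked without any explicit rule for it.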

4. Conclusions and Related work

The paper relied on [1] [5] [6] as theoretical background for the specification of GOAL agents with temporally extended goals.

The use of agents for data collection and processing purposes has been explored in [7], which employs event correlation as a driving mechanism. The agent specification described in this paper assumes that the agents distributed in the local network learn the network traffic model and rely on local context only. Hence, they do not rely on other agents, which could raise trust issues. Furthermore, they are able to act independently based upon their internal state, in a decentralised fashion, and deny deviations from what they believe to be the normal traffic model. The agents rely on header based information and do not aggregate or perform expensive computations on such data, as compared to the agents described in [8], which collaborate in finding intrusion attempts. Even though such functionality can easily be added, the paper focused on finding rules that can be easily mapped to firewall rules. Furthermore, it has taken time into consideration, which would allow the detection of attacks that span different time periods.

In conclusion, the described maintenance agents are local context aware and have the benefits of decentralised processing and distributed control, allowing them to react to deviations from normal traffic behaviour, which are perceived as intrusion attempts.

Acknowledgements. Part of this work was supported by the grant ID 170/672 from the National Research Council of the Romanian Ministry for Education and Research.

References

[1] K. V. Hindriks and M. B. van Riemsdijk, "Satisfying maintenance goals," in DALT '07: Proceedings of the 5th International Conference on Declarative Agent Languages and Technologies V, Berlin, 2008.

[2] D. Vanoverberghe and F. Piessens, "Security enforcement aware software development," Information and Software Technology, 2009.

[3] V. Krmicek, P. Celeda, M. Rehak, and M. Pechoucek, "Agent-based network intrusion detection system," in IAT '07: Proceedings of the 2007 IEEE/WIC/ACM International Conference on Intelligent Agent Technology, 2007.

[4] P. Kannadiga and M. Zulkernine, "DIDMA: A distributed intrusion detection system using mobile agents," in SNPD-SAWN '05, 2005.

[5] F. de Boer, K. Hindriks, W. van der Hoek, and J.-J. Meyer, "A verification framework for agent programming with declarative goals," Journal of Applied Logic, 2007.

[6] K. V. Hindriks, W. van der Hoek, and M. B. van Riemsdijk, "Agent programming with temporally extended goals," in AAMAS '09, 2009.

[7] C. Krügel and T. Toth, "Sparta: a mobile agent based intrusion detection system," in Proceedings of the IFIP Conference on Network Security (I-NetSec). Kluwer Academic Publishers, 2001.

[8] M. Rehak, M. Pechoucek, K. Bartos, M. Grill, and P. Celeda, "Network intrusion detection by means of community of trusting agents," in IAT '07: Proceedings of the 2007 IEEE/WIC/ACM International Conference on Intelligent Agent Technology. Washington, DC, USA: IEEE Computer Society, 2007, pp. 498–504.
