Identifying Attack Code through an Ontology-Based Multiagent Tool: FROID

Authors: Salvador Mandujano

Abstract:

This paper describes the design and results of FROID, an outbound intrusion detection system built with agent technology and supported by an attacker-centric ontology. The prototype features a misuse-based detection mechanism that identifies remote attack tools while they execute. Misuse signatures are derived from execution variants of attack programs; their attributes are selected through entropy analysis of outgoing traffic streams and process runtime data. The core of the architecture is a non-hierarchical mesh of self-contained detection cells, each grouping agents by function. The experiments show performance gains when the ontology is enabled, and an increase in accuracy when correlation cells combine detection evidence received from independent detection cells.
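The following is an added illustration of the detection pipeline the abstract outlines, not code from the FROID prototype. It assumes two things the abstract does not spell out: that "entropy analysis" keeps the attributes whose values stay stable (low Shannon entropy) across execution variants of a tool and discards the ones that vary from run to run, and that a correlation cell raises an alert only when independent detection cells (here one for outgoing traffic, one for process runtime data) agree. The tool name, attribute names and all records are constructed for the example.

```python
"""Entropy-selected misuse signatures with cell-level correlation.

Added example, not FROID's code. Assumptions: signature attributes are the
ones with low Shannon entropy across execution variants; a correlation cell
alerts only when enough independent detection cells agree. All data below is
constructed.
"""
import math
from collections import Counter

# Constructed execution variants of one hypothetical attack tool ("scanx").
# Each record mixes outgoing-traffic attributes with process runtime data.
VARIANTS = [
    {"dst_port": 445, "proto": "tcp", "pkt_len_bucket": "S", "src_port": 40012,
     "proc_name": "scanx", "threads": 8, "open_sockets": "many"},
    {"dst_port": 445, "proto": "tcp", "pkt_len_bucket": "S", "src_port": 51873,
     "proc_name": "scanx", "threads": 8, "open_sockets": "many"},
    {"dst_port": 445, "proto": "tcp", "pkt_len_bucket": "S", "src_port": 33011,
     "proc_name": "scanx", "threads": 16, "open_sockets": "many"},
    {"dst_port": 445, "proto": "tcp", "pkt_len_bucket": "M", "src_port": 60444,
     "proc_name": "scanx", "threads": 8, "open_sockets": "many"},
]

# Attribute groups handled by two independent detection cells (assumed split).
TRAFFIC_ATTRS = ("dst_port", "proto", "pkt_len_bucket", "src_port")
RUNTIME_ATTRS = ("proc_name", "threads", "open_sockets")


def entropy(values):
    """Shannon entropy (bits) of the empirical distribution of `values`."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def build_signature(variants, attrs, max_entropy=1.0):
    """Keep attributes whose entropy across the variants is <= max_entropy.

    The signature maps each kept attribute to the set of values observed.
    A per-run random value such as src_port has maximal entropy and is dropped.
    """
    sig = {}
    for a in attrs:
        vals = [v[a] for v in variants]
        if entropy(vals) <= max_entropy:
            sig[a] = set(vals)
    return sig


def detect(signature, record):
    """Detection cell: fraction of signature attributes the record matches."""
    hits = sum(1 for a, allowed in signature.items() if record.get(a) in allowed)
    return hits / len(signature)


def correlate(scores, cell_threshold=0.75, min_agreeing=2):
    """Correlation cell: alert only if >= min_agreeing cells each exceed
    cell_threshold, so one cell's partial match does not fire on its own."""
    agreeing = sum(1 for s in scores if s >= cell_threshold)
    return agreeing >= min_agreeing


def evaluate(record):
    """Run both detection cells on a record and correlate their evidence.

    Returns (traffic_score, runtime_score, alert).
    """
    traffic_sig = build_signature(VARIANTS, TRAFFIC_ATTRS)
    runtime_sig = build_signature(VARIANTS, RUNTIME_ATTRS)
    t = detect(traffic_sig, record)
    r = detect(runtime_sig, record)
    return t, r, correlate([t, r])


if __name__ == "__main__":
    # Constructed records: a fresh run of the tool, and a benign process that
    # happens to produce the same outgoing traffic profile.
    new_run = {"dst_port": 445, "proto": "tcp", "pkt_len_bucket": "S",
               "src_port": 12345, "proc_name": "scanx", "threads": 8,
               "open_sockets": "many"}
    benign = {"dst_port": 445, "proto": "tcp", "pkt_len_bucket": "S",
              "src_port": 5000, "proc_name": "smbclient", "threads": 2,
              "open_sockets": "few"}
    print("attack run :", evaluate(new_run))
    print("benign run :", evaluate(benign))
```

With the threshold of 1.0 bit, `src_port` (four distinct values, 2 bits) is excluded from the traffic signature while `pkt_len_bucket` and `threads` (about 0.81 bits each) are kept with both observed values. The benign `smbclient` record then scores a full match on the traffic cell alone; only the runtime cell's disagreement, applied by the correlation cell, keeps it from being reported, which is the accuracy effect the abstract attributes to correlation.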

Keywords: Outbound intrusion detection, knowledge management, multiagent systems, ontology.

Digital Object Identifier (DOI): doi.org/10.5281/zenodo.1073345

