A Multiagent Approach to Outbound Intrusion Detection

Hdl Handle:
http://hdl.handle.net/11285/572223
Title:
A Multiagent Approach to Outbound Intrusion Detection
Authors:
Mandujano Vergara, Salvador
Issue Date:
01/12/2004
Abstract:
A Multiagent Approach to Outbound Intrusion Detection. Ph.D. dissertation by Salvador Mandujano Vergara, Instituto Tecnológico y de Estudios Superiores de Monterrey. Advisor: Prof. Arturo Galván. December 2004. This is a dissertation on the topic of intrusion detection. It supports the philosophy of system vigilance by exploring the concept of outbound intrusion detection, which is concerned with the identification and collection of evidence that helps prove local resources are being used to compromise external systems. We discuss the motivation behind the approach, explain the need for splitting the scope of intrusion detection into sub-problems, and present trends in computer security that reveal basic design considerations that need to be taken into account when developing modern information security tools. We propose a multiagent architecture for outbound intrusion detection supported by an ontology. Groups of agents collectively monitor outbound network traffic and local activity in order to identify references to neighboring systems that may be indicative of a compromise attempt. We organize agents into sub-environments called agent cells that are connected to each other in a non-hierarchical fashion. Different classes of agents and cells compose the system, which performs attack modeling by employing multiple concurrent agents. Detection cells implement independent misuse intrusion strategies whose output is systematically fed to correlation cells capable of more accurate diagnosis. We present an attack-source-centric ontology that extends previous work in the area. It enables message interpretation and enhanced agent communication within the architecture, simplifying at the same time system maintenance and facilitating the integration of new components. We describe the implementation of the proposed architecture through the FROID prototype as a proof of concept.
This is a misuse-based intrusion detection system built with agent and semantic web open-source technology whose particular focus is the identification of automated remote attack tools. It performs signature generation, matching, and correlation, and supports a signature deployment mechanism over the Internet. We introduce a similarity matching method that improves the performance of existing algorithms by leveraging entropy and frequency properties of the input, thereby reducing search time. We link detection with incident response by procuring low false alarm rates that allow us to study local and external reaction methods to outbound intrusion events. We also present a component of the architecture that performs tracing of interactive sessions as a way of identifying the root location of a security event. We describe the experimental design and report the results obtained with the prototype that show the feasibility of the approach as an alternate way of containing the impact of security incidents through the integration of a mesh of monitoring agents.
Keywords:
Detection; Technologies; Intrusion
Degree Program:
Electronics, Computing, Information and Communications graduate program
Advisors:
Arturo Galván Rodríguez
Committee Member / Sinodal:
Ramón Brena Pinero; Jesús Arturo Pérez Díaz; Gerardo Ayala San Martín; Pascal Meunier
Degree Level:
Doctoral Program in Artificial Intelligence
School:
Escuela de Graduados en Electrónica, Computación, Información y Comunicación
Campus Program:
Campus Monterrey
Discipline:
Ingeniería y Ciencias Aplicadas / Engineering & Applied Sciences
Appears in Collections:
Ciencias Exactas

Full metadata record

DC Field: Value [Language]
dc.contributor.advisor: Arturo Galván Rodríguez [es]
dc.contributor.author: Mandujano Vergara, Salvador [es]
dc.date.accessioned: 2015-08-17T11:24:03Z [en]
dc.date.available: 2015-08-17T11:24:03Z [en]
dc.date.issued: 01/12/2004 [-]
dc.identifier.uri: http://hdl.handle.net/11285/572223 [en]
dc.language.iso: en [en]
dc.rights: Open Access [en]
dc.rights.uri: http://creativecommons.org/licenses/by-nc-nd/4.0/ [*]
dc.title: A Multiagent Approach to Outbound Intrusion Detection [en]
dc.type: Tesis de Doctorado [es]
thesis.degree.grantor: Instituto Tecnológico y de Estudios Superiores de Monterrey [es]
thesis.degree.level: Doctoral Program in Artificial Intelligence [es]
dc.contributor.committeemember: Ramón Brena Pinero [es]
dc.contributor.committeemember: Jesús Arturo Pérez Díaz [es]
dc.contributor.committeemember: Gerardo Ayala San Martín [es]
dc.contributor.committeemember: Pascal Meunier [es]
thesis.degree.discipline: Escuela de Graduados en Electrónica, Computación, Información y Comunicación [es]
thesis.degree.name: Electronics, Computing, Information and Communications graduate program [en]
dc.subject.keyword: Detection [en]
dc.subject.keyword: Technologies [en]
dc.subject.keyword: Intrusion [en]
thesis.degree.program: Campus Monterrey [es]
dc.subject.discipline: Ingeniería y Ciencias Aplicadas / Engineering & Applied Sciences [es]
All Items in REPOSITORIO DEL TECNOLOGICO DE MONTERREY are protected by copyright, with all rights reserved, unless otherwise indicated.