Agent-Based Attack and Defense for an Intranet Environment

Dr. Yuh-Jong Hu, Tsai Chang-hsien, and Pan Hsien-kuo

{jong, s8514, s8552}@cherry.cs.nccu.edu.tw

Emerging Network Technology (ENT) Lab, Dept. of Computer Science, National Chengchi University, Taipei, Taiwan

Post on 20-Dec-2015

Software Agent Definitions

An agent is a computer system, situated in some environment, that is capable of flexible autonomous action in order to meet its design objectives(1).

Three key concepts in this definition: situatedness, autonomy, and flexibility.

Software agents can be classified as stationary agents and mobile agents.

The security concerns for mobile agents are host protection, agent protection, and agent trustworthiness, while the security concern for stationary agents is agent trustworthiness.

Definitions of Information Warfare

Information warfare consists of those actions intended to protect, exploit, corrupt, deny, or destroy information or information resources in order to achieve a significant advantage, objective, or victory over an adversary(17).

Information warfare can be dichotomized as(5)(6):

Offensive Information Warfare

Defensive Information Warfare

Offensive and defensive information warfare is considered as a primal and dual problem.

Definitions of Information Warfare (Cont.)

Offensive information warfare operations produce a win-lose outcome by altering the availability and integrity of information resources to the benefit of the offense and to the detriment of the defense(5).

Defensive information warfare seeks to protect information resources from attack, to preserve the value of resources, or in the event of a successful attack, recover lost value(5).

Internet vs. Intranet Information Warfare

Intranet information warfare was exercised in a protected network domain with a firewall as the gatekeeper.

The domain for Internet information warfare is larger than the simple Intranet warfare subdomain, so simulating Internet warfare is much harder.

Internet information warfare favors the offensive side because areas of defensive weakness are widespread.

Why Agent-Based Information Warfare?

Pure manual-based information warfare operations are cumbersome, tedious, and the attack and defense strategies are not easy to formulate.

Agent-based information warfare provides autonomous, proactive, reactive, and cooperative attack/defense operations.

Attack/defense strategies are easy to formulate and the attack/defense operations initiative is transparent.

Agent-based information warfare does not exclude manual-based attack/defense.

How Agent-Based Information Warfare?

Some software agent characteristics, such as situatedness, autonomy, and flexibility (responsive, pro-active, social), are demonstrated in agent-based offensive and defensive information warfare.

Agents are classified into several categories, each with a specific mission in our offensive/defensive information warfare.

Some existing manually operated codes that exploit system vulnerabilities are reused in our agent-based offense, including scanner, remote exploit, local exploit, and monitoring tools.

How Agent-Based Information Warfare? (Cont.)

All of our offensive/defensive agents are coded in Java, so we must handle the integration problems between Java and other existing intrusion tools.

Offensive and defensive information warfare were developed by two different groups, and the warfare lasted for 5 days in our ENT lab's Intranet.

The initiative of agent-based offensive/defensive information warfare can be taken by anyone, even someone who does not have much cyberspace attack and defense knowledge.

We expect to increase the power of attack/defense via agent technology.

The Framework of our Intranet Information Warfare

[Figure: Intranet diagram. Labels: CheckPoint Firewall-1, Windows NT Server, NT Client, RedHat Linux, Windows 98]

Information Warfare Win-Lose Criteria

Offensive group and defensive group discussed the project together but implemented the system separately.

The advantage of the offensive group is its familiarity with our Intranet environment, which spares it much further probing activity.

The advantage of the defensive group is the protection of the firewall, with flexible adjustment of security policies.

In general, there are several win-lose criteria to evaluate the offensive and defensive warfare achievements.

We did not consider social engineering attack/defense issues via our agent-based system.

Information Warfare Win-Lose Criteria (Cont.)

Win-lose criteria for offensive group to achieve the following attacks successfully:

denial of service attack

data integrity attack

data confidentiality attack

end-user general permission attack

root privileged permission vulnerability attack

Information Warfare Win-Lose Criteria (Cont.)

Win-lose criteria for defensive group to achieve the following defenses successfully:

timely detect all kinds of attacks

accurately decide the attack category

properly react to the anomalous intrusion

effectively recover from the successful attack

cooperate with firewall to counter similar attacks

Agent-Based Offensive Information Warfare

Scanning, remote exploiting, local exploiting, monitoring, and stealth are all exercised via software agents(1).

Offensive software agents are classified as: scanning agent, master agent, attack agent, and repository agent.

Scanning agent is embedded with Nessus probing tools.

Master agent is the decision maker to launch the right exploit codes based on scanning agent's probing results.

Attack agent loads the right exploit codes to attack.

Repository agent stores and classifies different exploit codes for future possible attacks.

Agent-Based Offensive Information Warfare (Cont.)

Offensive procedures are:

(1) Master agent submits targets (IP) to scanning agent.

(2) Scanning agents probe targets information.

(3) Scanning agents return information to master agent.

(4) Master agent analyzes information and decides the suitable attack policies and mechanisms.

(5) Master agent fires the attack actions and the attack agents do the real attack.

(6) If root account was obtained, agent will clean the log files and set up backdoor for future similar attacks.

Master Agent GUI

Tools and Techniques for Agent-Based Offensive Information Warfare

Nessus scanning tools

Java socket

JNI (Java Native Interface)

Rootkit

Loki2

Crack

Satan

Back Orifice

Java Native Interface

[Figure: diagram. Labels: Attack Agent, JNI, Exploit Code, Database, Attacking]

JNI Implementation

For example, the exploit code is written in C.

(1) Write a Java function to load the exploit code.

(2) Use javah to create a .h file from the Java class.

(3) Include the .h file in the exploit code.

(4) Use JNI in the exploit code to transfer parameters.

(5) Compile this exploit code to a new library.

Agent Communication Interfaces

[Figure: agent communication interfaces. Labels: Detect, Scan, Parse, Analyze, Attack, Master Agent, Attack Agent, Repository Agent, Detect Agent, Log Agent, Generator Agent, Attack Tools, JNI]

Attack Methods

Sniffer

FTP Conversions Attack

Userhelper and PAM Vulnerability

Backdooring

Log Cleaning

FTP Conversion Attack

A user can convert/archive/compress data on the fly when retrieving files from an FTP server.

Request a filename and append .tar/.tar.gz/.Z/.gz to the filename.

Tar arguments :

--use-compress-program PROG

Backdooring

Backing up passwd/shadow files

Adding a temp user

Getting your login trojan

Install login trojan

Being smart

Log Cleaning

/etc/syslog.conf

/var/log/messages

/var/log/secure (TCP Wrapper log)

/var/log/xferlog

/var/log/wtmp

~/.bash_history
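
From the defender's side, the files on this slide are the ones whose state is worth baselining. The following Java sketch is an added example, not code from the slides or from the authors' system: it compares two snapshots of those files and reports shrinkage, replacement, removal and configuration change. The class and field names, the use of /root/.bash_history for "~/.bash_history", and all snapshot values are constructed assumptions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Added illustration: compare two snapshots of the files named on the slide.
// Class and field names are hypothetical; the snapshot values are constructed.
public class LogTamperCheck {
    static class Stat {
        final long size, inode;
        final String digest;   // content hash, used only for the config file
        Stat(long size, long inode, String digest) {
            this.size = size; this.inode = inode; this.digest = digest;
        }
    }

    // Logs that should only grow between snapshots unless they were rotated.
    static final List<String> GROW_ONLY = Arrays.asList(
        "/var/log/messages", "/var/log/secure", "/var/log/xferlog", "/var/log/wtmp");
    static final String SYSLOG_CONF = "/etc/syslog.conf";
    // Assumption: root's history file stands in for "~/.bash_history".
    static final String HISTORY = "/root/.bash_history";

    static List<String> compare(Map<String, Stat> before, Map<String, Stat> after) {
        List<String> findings = new ArrayList<>();
        for (String path : GROW_ONLY) {
            Stat b = before.get(path), a = after.get(path);
            if (b == null) continue;                              // never baselined
            if (a == null) findings.add("MISSING " + path);
            else if (a.inode != b.inode)                          // rotation also does this
                findings.add("REPLACED " + path + " (check rotation schedule)");
            else if (a.size < b.size)
                findings.add("SHRUNK " + path + " " + b.size + " -> " + a.size);
        }
        // syslog.conf decides what is logged and where, so any change matters.
        Stat cb = before.get(SYSLOG_CONF), ca = after.get(SYSLOG_CONF);
        if (cb != null && (ca == null || !ca.digest.equals(cb.digest)))
            findings.add("CONFIG_CHANGED " + SYSLOG_CONF);
        // bash may trim history to HISTFILESIZE, so flag only an emptied or removed file.
        Stat hb = before.get(HISTORY), ha = after.get(HISTORY);
        if (hb != null && hb.size > 0 && (ha == null || ha.size == 0))
            findings.add("EMPTIED " + HISTORY);
        return findings;
    }

    public static void main(String[] args) {
        Map<String, Stat> before = new HashMap<>(), after = new HashMap<>();
        before.put("/var/log/messages", new Stat(48213, 1101, null));
        before.put("/var/log/secure",   new Stat(9120, 1102, null));
        before.put("/var/log/xferlog",  new Stat(2048, 1103, null));
        before.put("/var/log/wtmp",     new Stat(7680, 1104, null));
        before.put(SYSLOG_CONF,         new Stat(610, 2201, "digest-A"));
        before.put(HISTORY,             new Stat(3300, 3301, null));

        after.put("/var/log/messages", new Stat(51877, 1101, null));   // grew: normal
        after.put("/var/log/secure",   new Stat(4096, 1102, null));    // same inode, smaller
        after.put("/var/log/xferlog",  new Stat(0, 1199, null));       // new inode
        // /var/log/wtmp is absent from the second snapshot
        after.put(SYSLOG_CONF,         new Stat(598, 2201, "digest-B"));
        after.put(HISTORY,             new Stat(0, 3301, null));

        compare(before, after).forEach(System.out::println);
    }
}
```

Size and inode checks do not catch in-place edits of the same length; forwarding syslog to a separate log host covers that case.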

Agent-Based Defensive Information Warfare

Intrusion detection, attack recognition and reaction, counter attacks and damage recovery are all operated via software agents.

Defensive software agents are based on a client-server model, with responsive agents on the client side and a supervisor agent on the server side.

A responsive agent is composed of an agent manager, a security manager, and a group of Java agent entities.

The supervisor agent is composed of an alert manager, a decision manager, an agent register, and a host display.

Agent-Based Defensive Information Warfare (Cont.)

Responsive agents are responsible for the timely detection of all kinds of intrusion, so they are distributed over all of the Intranet's hosts.

Supervisor agent accurately decides the intrusion category and properly reacts to the anomalous intrusion.

Supervisor agent with responsive agents must effectively recover from the successful attack.

Supervisor agent and a group of responsive agents cooperate with the firewall to counter any kind of attack.

The Framework of Defensive Agent System (Client)

[Figure: client-side responsive agent. Labels: Client, User Interface, Agent Manager, Security Manager, Responsive, Server, FTP (port 21), TELNET (port 23), SMTP (port 25), HTTP (port 80), Other Service]

The Framework of Defensive Agent System (Server)

[Figure: server-side supervisor agent. Labels: Server, User Interface, Decision Manager, Host Display, Alert Manager, Agent Register, Supervisor, Client (three)]

Defensive Steps

[Figure: message flow, numbered 1 to 10. Labels: Agent entity, Agent Manager, Services, Responsive Agent, Client, Decision Manager, Alert Manager, Host Display, Supervisor Agent, Server]

Agent-Based Defensive Steps

(1) Agent entity detects possible attacks via regular or irregular status report.

(2) Agent entity reports the collected preprocessing status to agent manager.

(3) Agent manager asks decision manager for attack countermeasure solution.

(4) Decision manager tells agent manager the resolution.

(5) Agent manager informs agent entity of this resolution.

Agent-Based Defensive Steps (Cont.)

(6) Agent entity executes the resolution.

(7) Agent entity reports the execution results.

(8) Agent manager reports to decision manager.

(9) Decision manager informs alert manager if necessary.

(10) Decision manager shows countermeasure results to host display.

Supervisor GUI

Supervisor GUI

Tools and Techniques for Agent-Based Defensive Information Warfare

Check Point FireWall-1

Apache Web Server

War-FTP

Sniffer

Java programming language

Scanner for detecting internal Intranet/hosts weakness

Log files analyzer for: system status report, network status report, network services report

FireWall Authentication

Use client authentication and user authentication to protect TELNET and FTP services.

After successful client authentication, we allow connections from a specific IP address.

When a rule is specified for user authentication, the corresponding FireWall-1 security server is invoked to mediate the associated connections.

Agent-Based Defensive Rule

When agent entity detects denial of Telnet and FTP services, supervisor agent bans the IP address that initiated the attack.

When agent entity detects mail bomb, supervisor agent bans the IP address that initiated the attack.

When agent entity detects denial of HTTP services, supervisor agent alerts system administrator.

Agent entity checks the services that FireWall-1 allows, and reports whether the services are still alive.
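
The ten defensive steps and the rules above can be read as one message flow between the responsive agent and the supervisor agent. The Java sketch below is an added example, not the authors' implementation: all class, enum and method names are hypothetical, the events are constructed, and the never-ban list is an assumption that is not on the slides.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;

// Added illustration of the ten defensive steps and the defensive rules.
// All class, enum and method names are hypothetical; events are constructed.
public class DefensiveFlowDemo {
    enum Event { TELNET_DENIAL, FTP_DENIAL, MAIL_BOMB, HTTP_DENIAL, SERVICE_DOWN }
    enum Action { BAN_SOURCE_IP, ALERT_ADMIN, REPORT_ONLY }

    // Supervisor agent: decision manager, with alert manager and host display as lists.
    static class DecisionManager {
        final Set<String> bannedIps = new TreeSet<>();      // stands in for firewall block rules
        final List<String> alerts = new ArrayList<>();      // alert manager
        final List<String> hostDisplay = new ArrayList<>(); // host display
        // Assumption (not on the slides): addresses that must never be banned,
        // so a spoofed source cannot make the defense cut off its own hosts.
        final Set<String> neverBan = new TreeSet<>(Arrays.asList("192.0.2.1"));

        // Steps 3-4: the agent manager asks, the decision manager returns a resolution.
        Action resolve(Event e, String srcIp) {
            switch (e) {
                case TELNET_DENIAL:
                case FTP_DENIAL:
                case MAIL_BOMB:
                    return neverBan.contains(srcIp) ? Action.ALERT_ADMIN : Action.BAN_SOURCE_IP;
                case HTTP_DENIAL:
                    return Action.ALERT_ADMIN;
                default:
                    return Action.REPORT_ONLY;   // e.g. liveness report for an allowed service
            }
        }

        // Steps 8-10: take the execution result, alert if necessary, update the display.
        void report(String host, Event e, String srcIp, Action a, boolean ok) {
            if (a == Action.BAN_SOURCE_IP && ok) bannedIps.add(srcIp);
            if (a == Action.ALERT_ADMIN || !ok) alerts.add(host + ": " + e + " from " + srcIp);
            hostDisplay.add(host + " " + e + " -> " + a + (ok ? " done" : " FAILED"));
        }
    }

    // Responsive agent: the agent manager relays between agent entities and the supervisor.
    static class AgentManager {
        final String host; final DecisionManager dm;
        AgentManager(String host, DecisionManager dm) { this.host = host; this.dm = dm; }

        // Steps 2-8 for one status report; step 1 is the agent entity's detection.
        Action handle(Event e, String srcIp) {
            Action a = dm.resolve(e, srcIp);       // steps 3-4
            boolean ok = execute(a, srcIp);        // steps 5-7
            dm.report(host, e, srcIp, a, ok);      // steps 8-10
            return a;
        }

        // Stand-in for the agent entity: refuse to ban anything that is not dotted IPv4.
        boolean execute(Action a, String srcIp) {
            return a != Action.BAN_SOURCE_IP || srcIp.matches("(\\d{1,3}\\.){3}\\d{1,3}");
        }
    }

    public static void main(String[] args) {
        DecisionManager dm = new DecisionManager();
        AgentManager linux = new AgentManager("linux-1", dm);
        AgentManager nt = new AgentManager("nt-server", dm);
        linux.handle(Event.FTP_DENIAL, "192.0.2.10");
        linux.handle(Event.MAIL_BOMB, "192.0.2.1");    // protected address: alert, no ban
        nt.handle(Event.HTTP_DENIAL, "192.0.2.12");
        nt.handle(Event.SERVICE_DOWN, "n/a");
        System.out.println("banned: " + dm.bannedIps);
        System.out.println("alerts: " + dm.alerts);
        dm.hostDisplay.forEach(System.out::println);
    }
}
```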

Agent-Based Offensive Information Warfare vs. Firewall Services

Agent-based offensive information warfare must adjust its attack strategy to different levels of firewall services.

Configuring the firewall's network services allows us to simulate attacks under different tightness levels of network security policy and mechanism.

The tightest control of firewall’s network services might reduce a lot of outside attack events but it also reduces the network services availability and flexibility.

Agent-Based Defensive Information Warfare vs. Firewall Services

Agent-based defensive information warfare aims at handling intrusion detection, so it must cooperate with the firewall's intrusion prevention.

Ideally, defense agents must dynamically adjust the level of firewall services based on system status, network status, and end-user service requests.

Awareness of the different levels of firewall services can greatly reduce the effort needed to analyze the system/network log files.

Downgrade Firewall Services for Different Phases of Warfare

The information warfare lasted for 5 days and the FireWall-1 service policies were downgraded gradually to simulate the real-world Internet security protection level.

Day 1: smtp, ftp, http, telnet

Day 2: default

Day 3: gopher, pop-3, tftp, who

Day 4: dns, echo, nntp, ntp-tcp

Day 5: all

Fictitious Auction Server for Mobile Agent Services (Not Done Yet)

A fictitious auction server is going to be set up within the Intranet so that mobile agents can bid on the auction items.

In general, a firewall does not provide authentication and authorization of mobile agents (code), so the auction server must handle this issue by itself.

Flexibility and security are always in conflict. Mobile agents provide flexible bidding services but reduce the Intranet's security.

The popularity of Java code makes it possible to provide mobile code services within the Intranet.

Mobile Agent Security Issues

Mobile agent (code) security is an emerging research problem because of the attractiveness of mobile agent services and the popularity of Java mobile code.

Host (network) protection, agent protection, and agent trustworthiness are the major research issues.

Host (network) protection is a traditional problem, except that the constraints on adopting foreign code are relaxed.

Agent protection is a hard problem.

Agent trustworthiness is handled via agent authentication and authorization.

Mobile Agent Authentication and Authorization

Java 2 provides some basic authentication and authorization mechanisms, but they are not enough.

The existing X.509 authentication services framework might not be general and robust enough to handle the mobile agent authentication and authorization problem.

We need a distributed trust management framework, which allows us to generate a lot of mobile agents that can be verified and granted access rights dynamically.

The mobile agent system engines must be set up for each platform before the Intranet can provide mobile code services.

Conclusion

Offensive and defensive information warfare must be considered together in order to realize the attack and defense strategy in an optimal manner, so we consider this a primal and dual problem.

What software agent characteristics can be shown in the agent-based information warfare to enhance our attack or defense power is the primary reason for us to adopt agent technology.

We did not know the power of agent-based information warfare for Internet and for social engineering attack and defense.

References

(1) Boulanger, A., Catapults and grappling hooks: The tools and techniques of information warfare. IBM Systems Journal, 37(1), 1998, 106-114.

(2) Cohen, Fred, Information System Attacks: A Preliminary Classification Scheme. Computers & Security, 16(1997), 29-46.

(3) Cohen, Fred, Information Systems Defences: A Preliminary Classification Scheme. Computers & Security, 16(1997), 94-114.

(4) Crosbie, M. and Spafford, G., Defending a Computer System using Autonomous Agents. http://www.cs.purdue.edu/coast/projects/autonomous-agents.html

(5) Denning, Dorothy E., Information Warfare and Security. Addison-Wesley, 1999.

(6) Denning, Dorothy E., Cyberspace Attacks and Countermeasures. Internet Besieged: Countering Cyberspace Scofflaws. AW, 1998.

(7) Farmer, D. and Venema, W., Improving the Security of Your Site by Breaking Into it. http://www.epm.ornl.gov/~dunigan/cracking.html

(8) Farmer, D. and Venema, W., SATAN-Security Analysis Tool for Auditing Networks.

(9) Farmer, D. and Spafford, E., The COPS Security Checker System. Proceedings of Summer USENIX Conference, 1990, 165-170.

(10) Forrest, S., Hofmeyr, A. S., and Somayaji, A., Computer Immunology. CACM, 40(10), Oct. 1997.

(11) Greenberg, S. M., Byington, J. C., and Harper, D. G., Mobile Agents and Security. IEEE Communications Magazine, July 1998.

(12) Jennings, R. N., Sycara, K., Wooldridge, M., A Roadmap of Agent Research and Development. Autonomous Agents and Multi-Agent Systems, 1, 7-38, 1998.

(13) Mukherjee, B., Heberlein, L. T., and Levitt, K. N., Network Intrusion Detection. IEEE Network, 8(3), 26-41, May/June, 1994.

(14) The Nessus Project, http://www.nessus.org.

(15) Paller, A., SHADOW (SANS's Heuristic Analysis for Defensive Online Warfare), SANS Institute, http://www.sans.org.

(16) Porras, A. P., Neumann, P. G., EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances. 1997 National Information Systems Security Conference, http://www.csl.sri.com/intrusion.html.

(17) Schwartau, Winn, Information Warfare, 2nd Edition, Thunder's Mouth Press, 1996, p. 12.

(18) Thorn, T., Programming Languages for Mobile Code. ACM Computing Surveys, 29(3), Sep. 1997.