Publication


Featured research published by Guy G. Helmer.


Information Technology | 1998

Intelligent agents for intrusion detection

Guy G. Helmer; Johnny Wong; Vasant G. Honavar; Les Miller

The paper focuses on intrusion detection and countermeasures with respect to widely-used operating systems and networks. The design and architecture of an intrusion detection system built from distributed agents is proposed to implement an intelligent system on which data mining can be performed to provide global, temporal views of an entire networked system. A starting point for agent intelligence in the system is the research into the use of machine learning over system call traces from the privileged sendmail program on UNIX. The authors use a rule learning algorithm to classify the system call traces for intrusion detection purposes and show the results.


Journal of Systems and Software | 2003

Lightweight agents for intrusion detection

Guy G. Helmer; Johnny Wong; Vasant G. Honavar; Les Miller; Yanxin Wang

We have designed and implemented an intrusion detection system (IDS) prototype based on mobile agents. Our agents travel between monitored systems in a network of distributed systems, obtain information from data cleaning agents, classify and correlate information, and report the information to a user interface and database via mediators. Agent systems with lightweight agent support allow runtime addition of new capabilities to agents. We describe the design of our Multi-agent IDS and show how lightweight agent capabilities allowed us to add communication and collaboration capabilities to the mobile agents in our IDS.


Requirements Engineering | 2002

A Software Fault Tree Approach to Requirements Analysis of an Intrusion Detection System

Guy G. Helmer; Johnny Wong; Mark Slagell; Vasant G. Honavar; Les Miller; Robyn R. Lutz

Requirements analysis for an intrusion detection system (IDS) involves deriving requirements for the IDS from analysis of the intrusion domain. When the IDS is, as here, a collection of mobile agents that detect, classify, and correlate system and network activities, the derived requirements include what activities the agent software should monitor, what intrusion characteristics the agents should correlate, where the IDS agents should be placed to feasibly detect the intrusions, and what countermeasures the software should initiate. This paper describes the use of software fault trees for requirements identification and analysis in an IDS. Intrusions are divided into seven stages (following Ruiu), and a fault subtree is developed to model each of the seven stages (reconnaissance, penetration, etc.). Two examples are provided. This approach was found to support requirements evolution (as new intrusions were identified), incremental development of the IDS, and prioritisation of countermeasures.


Journal of Systems and Software | 2002

Automated discovery of concise predictive rules for intrusion detection

Guy G. Helmer; Johnny Wong; Vasant G. Honavar; Les Miller

This paper details an essential component of a multi-agent distributed knowledge network system for intrusion detection. We describe a distributed intrusion detection architecture, complete with a data warehouse and mobile and stationary agents for distributed problem-solving to facilitate building, monitoring, and analyzing global, spatio-temporal views of intrusions on large distributed systems. An agent for the intrusion detection system, which uses a machine learning approach to automated discovery of concise rules from system call traces, is described. We use a feature vector representation to describe the system calls executed by privileged processes. The feature vectors are labeled as good or bad depending on whether or not they were executed during an observed attack. A rule learning algorithm is then used to induce rules that can be used to monitor the system and detect potential intrusions. We study the performance of the rule learning algorithm on this task with and without feature subset selection using a genetic algorithm. Feature subset selection is shown to significantly reduce the number of features used while improving the accuracy of predictions.


International Journal of Information and Computer Security | 2007

Software fault tree and coloured Petri net based specification, design and implementation of agent-based intrusion detection systems

Guy G. Helmer; Johnny Wong; Mark Slagell; Vasant G. Honavar; Les Miller; Yanxin Wang; Xia Wang; Natalia Stakhanova

The integration of Software Fault Tree (SFT), which describes intrusions, and Coloured Petri Nets (CPNs), which specify design, is examined for an Intrusion Detection System (IDS). The IDS under development is a collection of mobile agents that detect, classify, and correlate the system and network activities. SFTs, augmented with nodes that describe trust, temporal and contextual relationships, are used to describe intrusions. CPNs for intrusion detection are built using CPN templates created from the augmented SFTs. Hierarchical CPNs are created to detect critical stages of intrusions. The agent-based implementation of the IDS is then constructed from the CPNs. Examples of intrusions and descriptions of the prototype implementation are used to demonstrate how the CPN approach has been used in the development of the IDS. The main contribution of this paper is an approach to systematic specification, design and implementation of an IDS. Innovations include (1) using stages of intrusions to structure the specification and design of the IDS; (2) augmentation of SFT with trust, temporal and contextual nodes to model intrusions; (3) algorithmic construction of CPNs from augmented SFT; and (4) generation of mobile agents from CPNs.


Journal of Systems and Software | 2001

SMART mobile agent facility

Johnny Wong; Guy G. Helmer; Venkatraman Naganathan; Sriniwas Polavarapu; Vasant G. Honavar; Les Miller

With ever growing use of Internet for electronic commerce and data mining type applications there seems to be a need for new network computing paradigms that can overcome the barriers posed by network congestion and unreliability. Mobile agent programming is a paradigm that enables the programs to move from one host to another, do the processing locally and return results asynchronously. In this paper, we present the design and development of a mobile agent system that will provide a platform for developing mobile applications that are Mobile Agent Facility (MAF) specification compliant. We start by exploring mobile agent technology and establish its merits with respect to the client–server technology. Next, we introduce a concept called dynamic aggregation to improve the performance of mobile agent applications. We then focus on the design and implementation issues of our system, Scalable, Mobile and Reliable Technology (SMART), which is based on the MAF specification.


International Conference on Requirements Engineering | 1998

Safety analysis of requirements for a product family

Robyn R. Lutz; Guy G. Helmer; Michelle M. Moseman; David E. Statezni; Stephen R. Tockey

A safety analysis was performed on the software requirements for a family of flight instrumentation displays of commercial aircraft. First, an existing safety checklist was extended to apply to four-variable models and used to analyze the requirements models for representative members of the product family. The results were evaluated against an initial specification of the product family's required commonalities and variabilities. The safety checklist was found to be effective at analyzing the completeness of the product family requirements and at identifying additional variabilities and commonalities. Secondly, a forward and backward search for hazards was performed on representative members of the product family. Additional safety requirements for enhanced fault tolerance were derived from these searches. The safety analysis techniques used here appear to have applicability for enhancing the completeness and robustness of a product family's safety related software requirements.


Journal of Systems and Software | 2001

Anomalous intrusion detection system for hostile Java applets

Guy G. Helmer; Johnny Wong; Subhasri Madaka

An intrusion detection system (IDS) aims to increase the security of a computer system by dynamically monitoring various features and parameters of the system so as to be able to detect intrusions at the earliest possible. IDSs have been developed for privileged UNIX programs like sendmail, lpr, and login. The IDS that we have built is for applets. It serves as a protection against malicious applets and warns the user when such applets are downloaded. Our system monitors applets using system call traces from the Java runtime environment. Feature vectors created from the system call traces are used to train a machine learning algorithm. The rule-set produced by the algorithm can then be used to distinguish hostile applets from good applets.


Journal of Systems and Software | 2006

Towards the automatic generation of mobile agents for distributed intrusion detection system

Yanxin Wang; Smruti Ranjan Behera; Johnny Wong; Guy G. Helmer; Vasant G. Honavar; Les Miller; Robyn R. Lutz; Mark Slagell


IEEE Transactions on Software Engineering | 2001

Software Fault Tree and Colored Petri Net Based Specification, Design and Implementation of Agent-Based Intrusion Detection Systems

Guy G. Helmer; Johnny Wong; Mark Slagell; Vasant G. Honavar; Les Miller; Yanxin Wang; Xia Wang; Natalia Stakhanova

Collaboration


Top Co-Authors

Vasant G. Honavar

Pennsylvania State University

Xia Wang

Iowa State University

Natalia Stakhanova

University of New Brunswick
