Identifying Attack Code through an Ontology-Based Multiagent Tool: FROID

This paper describes the design and results of FROID, an outbound intrusion detection system built with agent technology and supported by an attacker-centric ontology. The prototype features a misuse-based detection mechanism that identifies remote attack tools while they execute. Misuse signatures, composed of attributes selected through entropy analysis of outgoing traffic streams and process runtime data, are derived from execution variants of attack programs. The core of the architecture is a mesh of self-contained detection cells, organized non-hierarchically, that group agents by function. The experiments show performance gains when the ontology is enabled, as well as an increase in accuracy when correlation cells combine detection evidence received from independent detection cells.
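The following is an added illustration, not code from the FROID paper, of the attribute-selection idea the abstract outlines: attributes whose values stay stable (low Shannon entropy) across execution variants of a tool are kept as signature components, while volatile ones are discarded. The attribute names, the entropy threshold and the sample records are constructed assumptions; the paper's actual attribute set and threshold are not given here.

```python
import math
from collections import Counter

# Constructed sample: attribute observations from four execution variants of
# one hypothetical remote attack tool, mixing outgoing-traffic attributes
# (dst_port, proto, pkt_len, tx_rate) and process runtime data (argv_count).
VARIANTS = [
    {"dst_port": 22, "proto": "tcp", "pkt_len": 64, "argv_count": 3, "tx_rate": 120},
    {"dst_port": 22, "proto": "tcp", "pkt_len": 64, "argv_count": 4, "tx_rate": 98},
    {"dst_port": 22, "proto": "tcp", "pkt_len": 64, "argv_count": 3, "tx_rate": 131},
    {"dst_port": 22, "proto": "tcp", "pkt_len": 64, "argv_count": 5, "tx_rate": 77},
]


def shannon_entropy(values):
    """Shannon entropy (bits) of the empirical distribution of `values`."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def select_attributes(variants, max_entropy=0.0):
    """Return attribute names whose entropy across variants is <= max_entropy.

    A threshold of 0.0 keeps only attributes that never change between
    variants; raising it admits attributes that vary within a small set.
    """
    attrs = sorted(variants[0])
    return [a for a in attrs
            if shannon_entropy([v[a] for v in variants]) <= max_entropy]


def build_signature(variants, max_entropy=0.0):
    """Misuse signature: expected value for each selected (stable) attribute."""
    selected = select_attributes(variants, max_entropy)
    return {a: variants[0][a] for a in selected}


def matches(signature, observation):
    """True when every signature attribute equals the observed value."""
    return all(observation.get(a) == v for a, v in signature.items())
```

With the sample above, `tx_rate` (all values distinct, 2 bits) and `argv_count` (1.5 bits) are dropped at threshold 0.0, leaving port, protocol and packet length as the signature.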
