Adaptive Response Tool Foils Hacker Intrusion
New software under development employs case-based reasoning and intelligent agents to adapt to and defend computer networks.
Software designers are applying artificial intelligence principles to new computer security systems. These tools and protocols create the potential for agile software capable of quickly identifying and responding to new threats.
Recent cyberattacks on major corporate and government computer networks and World Wide Web sites continue to prove that the Internet can be a rough neighborhood. But choosing the appropriate level of response to attacks and probes still presents a conundrum.
Using existing software has its own dilemmas. Intrusion detection packages available on the market must often work from a centralized location within a network, and they may not be compatible with one another. Administrators are faced with the laborious task of configuring multiple machines within a network and sorting through a variety of data and reports to determine if someone has penetrated the firewall.
New software under development promises to ease these tasks by allowing once disparate tools to communicate with one another and provide a flexible, adaptable response to both internal and external threats through the use of artificial intelligence. Using features such as intelligent agents and case-based reasoning, the program’s artificial intelligence engine creates a list of responses to hacking attempts that it can use and modify through experience.
Called SoSMART, for system or security manager’s adaptive response tool, the software is being developed by Integrated Management Services Incorporated (IMSI), an Arlington, Virginia-based security and information systems provider. Intended for use in both government and corporate sectors, the software will be ready for delivery sometime in mid-2000, says Scott Musman, IMSI’s director of research and development.
Inspiration for developing SoSMART came from the firm’s clients, Musman says. Despite varying network security needs, they all required something to enhance their intrusion response capability. “There is nothing that allows them to manage the diverse types of security tools that exist, and a lot of the tools that exist don’t provide any kind of response capability,” he observes.
SoSMART is designed to be highly interoperable with other software. Musman notes that one benefit of intelligent agent technology is that existing software packages and security tools become easy to integrate. By comparison, most other products only write their own log files or add entries to the system log. The agents being created for the software will make adding more tools a simple process, he continues.
While SoSMART does provide intrusion detection capabilities, the primary thrust of the project is to create a system that wraps other programs, such as an operating system or a commercially available intrusion detection tool, and gives them automated response capabilities. Automated response can be limited to an individual machine, a remote site or the whole network. “Part of what we’re doing duplicates a little bit of what happens in an intrusion detection system, but we assume that you can buy an intrusion detection system, and it will provide some of the triggers that we respond to,” he says.
In addition, security programs do exist that can protect multiple machines, but, he notes, they function from a central server. SoSMART, instead of residing on a central server or a single computer in a network, distributes itself as nodes throughout a system. Network access can then be reconfigured with a single broadcast message. Being distributed also provides an important security feature: if a local server fails, the machines cut off by the failure are still protected.
Case-based reasoning lies at the heart of SoSMART’s adaptability. Modeled on human problem-solving processes, it allows the software to collect pieces of information and match them up to previous encounters. Musman describes case-based reasoning as an attempt to match the program’s current situation with previous successes.
Although case-based reasoning is popular in many help-desk applications, what sets IMSI’s use of this tool apart from other applications is its location in a network, Musman says. Case-based reasoning is usually built to make very high-level decisions based on a wide variety of different data. SoSMART takes this even deeper by matching more material at the resource level, which in turn can be passed down to another level in the system. He notes that this multilevel matching of information is something that is not being done by many other software designers.
One long-term potential of case-based reasoning Musman would like to exploit is the use of its iterative cycle to conduct machine learning. The potential application is that information can be fed into the case-based reasoning system where it is categorized into clusters of similar and diverse situations. From this, the software would essentially learn the typical characteristics of the system it is loaded on and modify itself to meet that network’s specific needs. However, he cautions that this is a long-term objective that, while theoretically obtainable, will not be a part of next year’s product.
Because government and corporate users have very different security needs, the near-term goal is to produce a system with baseline capabilities. These envisioned capabilities are a package with a set of software tools and a number of preset cases that can be used to match against information coming from the security tools. Users can then take this basic “out-of-the-box” system and tailor it to their specific requirements.
Those needs will include providing the appropriate level of response to the particular type of attack or intrusion. Probing attacks are one example. Pat Flesher, IMSI’s program manager/senior security analyst, explains that probing is an attempt by someone to examine all the ports on a given network in order to find holes or entry points. The hacker then uses the data gathered during the probe to break into the network.
One standard response being built into the SoSMART software is to have the router drop connections from the prober’s address. Another is to have the firewall reconfigure itself to add safeguards such as triggers. She notes that a further option is to have each system on the network add extra triggers, which gather data about the hackers’ activities: are they going after the ports they found, and what are they trying to do when they reach them?
Besides locking out an individual machine or domain, there is a more clever approach to denying hackers entry, says Musman. One of IMSI’s long-term objectives is to sufficiently delay first-time probing traffic to foil attempts to acquire data about the target system. On the other hand, he says, someone conducting legitimate work from the same machine would be able to get connected.
The software also can be set to search for anyone trying to remove files, particularly password files, or trying to install hostile programs, such as viruses, or trying to monitor software in the system. Specific responses, for example to an attempt to break into the system’s password file, could be alerting the administrators and shutting down any suspect machines or accounts.
Through its case-based reasoning system, the software adapts itself online based on characteristics of previous threats. Something like a simple probing attack can either evoke an immediate response or a more subtle response that is activated by additional logging from the suspect domain or machine, says Musman. “What’s nice about this is that under normal circumstances your system is not doing a lot of security work. But if things are at a high level of intention and you really are under attack, then all of a sudden the amount of security work is going to go up and match the amount that you are under attack.”
A variable response is important, Flesher points out, because if an administrator or the software overreacts and denies network service to its users due to a simple probe, they are unintentionally shutting themselves down. She adds that they have seen a number of organizations react this way, blocking out entire domains when an attack occurs.
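The matching and escalation described in the preceding passages, as an added example rather than anything from IMSI or SoSMART: a small case-based reasoner in Python that retrieves the stored case most similar to the current situation, reuses its response, caps that response so a bare probe can never trigger a domain-wide block, and retains the outcome so the case base grows with experience. The feature set, similarity weights, response names, threshold and seed cases are all assumptions constructed for illustration.

```python
"""Toy case-based reasoning engine for graded intrusion response.

Added illustration for this article, not SoSMART code from IMSI. Every feature
name, weight, response name and seed case is an assumption chosen to show the
retrieve/reuse/retain cycle and the overreaction guard the article describes.
"""
from dataclasses import dataclass
from math import log2
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Situation:
    """Features an agent abstracts from a detector's alert (hypothetical)."""
    ports_scanned: int      # distinct ports the source touched
    repeat: int             # earlier sightings of the same source
    exploit_attempt: bool   # detector flagged a known exploit payload
    sensitive_file: bool    # a password file or similar was the target
    internal: bool          # source address lies inside the monitored network


@dataclass
class Case:
    situation: Situation
    response: str
    successes: int = 1      # reinforced or weakened by retain()


# Responses ordered by the disruption they cause legitimate users (assumed names).
RESPONSE_RANK = ["log_more", "add_triggers", "block_source_at_router",
                 "alert_and_disable_account", "block_domain"]


def similarity(a: Situation, b: Situation) -> float:
    """Weighted similarity in [0, 1]; flags dominate, counts are log-scaled."""
    ports = 1 - abs(log2(a.ports_scanned + 1) - log2(b.ports_scanned + 1)) / 16
    repeat = 1 - abs(min(a.repeat, 10) - min(b.repeat, 10)) / 10
    score = (3 * ports + 2 * repeat
             + 4 * (a.exploit_attempt == b.exploit_attempt)
             + 4 * (a.sensitive_file == b.sensitive_file)
             + 1 * (a.internal == b.internal))
    return score / 14


def ceiling_for(s: Situation) -> str:
    """Most disruptive response a situation justifies: a bare probe never earns a
    domain-wide block, and a source block only once the source keeps returning."""
    if s.exploit_attempt or s.sensitive_file:
        return "block_domain"
    return "block_source_at_router" if s.repeat >= 3 else "add_triggers"


class CaseBase:
    def __init__(self, cases: List[Case], threshold: float = 0.7):
        # Copy so that learning in one instance never alters the seed list.
        self.cases = [Case(c.situation, c.response, c.successes) for c in cases]
        self.threshold = threshold

    def retrieve(self, s: Situation) -> Optional[Tuple[Case, float]]:
        """Nearest case by similarity, ties broken by past success; None if too far."""
        best = max(self.cases, default=None,
                   key=lambda c: (similarity(s, c.situation), c.successes))
        if best is None:
            return None
        score = similarity(s, best.situation)
        return (best, score) if score >= self.threshold else None

    def respond(self, s: Situation) -> Tuple[str, str]:
        """Reuse the retrieved case's response, capped by ceiling_for()."""
        hit = self.retrieve(s)
        if hit is None:
            return "log_more", "no case above threshold; refer to administrator"
        case, score = hit
        cap = ceiling_for(s)
        if RESPONSE_RANK.index(case.response) > RESPONSE_RANK.index(cap):
            return cap, f"case proposed {case.response} (sim {score:.2f}), capped"
        return case.response, f"matched case (sim {score:.2f})"

    def retain(self, s: Situation, response: str, succeeded: bool) -> None:
        """Learning step: reinforce or add a case that worked, drop one that failed."""
        for c in self.cases:
            if c.situation == s and c.response == response:
                c.successes += 1 if succeeded else -1
                if c.successes <= 0:
                    self.cases.remove(c)
                return
        if succeeded:
            self.cases.append(Case(s, response))


# Constructed "out-of-the-box" cases standing in for the preset cases the article mentions.
SEED_CASES = [
    Case(Situation(5, 0, False, False, False), "log_more"),
    Case(Situation(1000, 2, False, False, False), "add_triggers"),
    Case(Situation(1000, 4, False, False, False), "block_source_at_router"),
    Case(Situation(3, 1, True, False, False), "block_source_at_router"),
    Case(Situation(0, 0, False, True, True), "alert_and_disable_account"),
]


def demo() -> List[str]:
    cb = CaseBase(SEED_CASES)
    # An operator records that a domain-wide block "worked" on a persistent sweep,
    # the overreaction the article warns about; the ceiling stops it being reused.
    cb.retain(Situation(2000, 4, False, False, False), "block_domain", True)
    events = [                                      # constructed sample events
        Situation(8, 0, False, False, False),       # first sighting, light probe
        Situation(2000, 4, False, False, False),    # persistent full sweep
        Situation(2, 0, True, False, False),        # exploit attempt after a probe
        Situation(0, 0, False, True, True),         # insider reaching for the password file
        Situation(0, 0, True, True, False),         # nothing similar in the case base
    ]
    return [cb.respond(e)[0] for e in events]
```

Calling demo() returns the responses for the five constructed events. The persistent sweep comes back as a source block even though an operator had retained a domain-wide block for it, which is the guardrail Flesher's point calls for; the event with no similar case falls back to extra logging and a referral rather than a guess, matching the article's description of a preset case base that users extend themselves.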
However, there are still some hurdles to clear before SoSMART goes to market. Providing total interoperability was a challenge in the early developmental stages, says Musman. The first prototype was basically developed as a UNIX system running on UNIX boxes. The software is now under development to operate in a Microsoft Windows NT environment.
The diversity of operating systems proved to be the biggest hurdle, he offers. But the goal is to provide the user with a consistent interface, no matter which system SoSMART is running on. The program’s intelligent software agents play an important part in this because they abstract and categorize intrusion information reported in log files of differing formats on multiple machines. He notes that much work has yet to be done in this sector.
Reconfiguring the system in the wake of an intrusion attempt will also prove to be no trivial process. Musman sees the administrative interface for the system as residing on a designated host machine or via the Internet. Since the system does not exist in one place, and it has the capability to have some nodes designated as being able to reconfigure other nodes, presenting the user with a clear picture of what is going on from a configuration perspective is very important. Communication is key because once one node has changed configuration, the information must be passed on to everyone who needs to know about the alteration and how it will affect interaction with all the other system nodes.
In the long run, Musman hopes that SoSMART will address the current lack of interoperability between security components and intrusion detection systems. Flesher adds that existing tools have a limited response capability and that it is hard to add new responses and cases to existing intrusion detection software.
Musman would also like to see the software become a building block for bigger ideas in the future. He points out that few intrusion detection systems are now in use while large-scale intrusion detection is currently being researched. What makes SoSMART useful is that it can potentially address the issues of scalability, he notes.