Security and Robustness in an Agentbased Network Monitoring

  • Slides: 38
Download presentation
Security and Robustness in an Agent-based Network Monitoring System Plan B Project Koka Muralidhar

Security and Robustness in an Agent-based Network Monitoring System Plan B Project Koka Muralidhar Advisor: Prof. Tripathi University of Minnesota

Outline 1. 2. 3. 4. 5. 6. Motivation Monitoring System Overview Security Robustness System

Outline 1. 2. 3. 4. 5. 6. Motivation Monitoring System Overview Security Robustness System Capabilities and Experiences Conclusions and Future Work

1. Motivation n Develop tools and techniques that help system administrators monitor computing environments.

1. Motivation n Develop tools and techniques that help system administrators monitor computing environments. n Guard against malicious users n n n Attacks and misuse Check for misconfigurations Alert on resource failures

Challenges Involved n Increasing number of components in computing environments: n New hardware/software components

Challenges Involved n Increasing number of components in computing environments: n New hardware/software components are added n n New monitoring tools and policies are required Large amount of monitoring data needs to be collected and digested n n Monitoring data in different formats Delay in administrator’s response to critical events contd…

Challenges Involved (contd…) n A comprehensive monitoring system requires correlation of data from diverse

Challenges Involved (contd…) n A comprehensive monitoring system requires correlation of data from diverse sources related to different aspects of a network system n E. g. user activities, network traffic, file systems …

Goals n Dynamic configurability n n Dynamic extensibility n n Change in configuration of

Goals n Dynamic configurability n n Dynamic extensibility n n Change in configuration of software components, administrative policies Addition of new monitoring functions, tools Active monitoring n Alter detection policies in response to critical events

Goals n Secure n n Robust n n Detect failed components and restore them

Goals n Secure n n Robust n n Detect failed components and restore them without stopping the system Scalable n n System itself should be protected from attacks. Scale as the number of nodes in the network increases Acceptable system performance n Should not interfere with the normal functioning of the host.

Mobile-agent based Implementation n Agents can migrate to the monitored nodes providing local processing

Mobile-agent based Implementation n Agents can migrate to the monitored nodes providing local processing of events Agents can encapsulate policies for event monitoring and filtering New monitoring functionalities can be installed dynamically at remote nodes n Agent policies can be securely controlled remotely n Agents can cooperatively monitor the network n Agent can autonomously adapt and react

2. Mobile Agents in Ajanta Agent-Agent Communication X Y Agent Server 1 Host A

2. Mobile Agents in Ajanta Agent-Agent Communication X Y Agent Server 1 Host A Agent Migration Server- Server protocol Physical Network Y Agent Server 2 Host B

Event Model n Basic Event n Represents a significant change in the state of

Event Model n Basic Event n Represents a significant change in the state of a resource being monitored n n Example: User login event, disk-full event Compound Event n These events are detected by correlation of events from different nodes n Example: Multiple root login attempts across different hosts by an unauthorized user.

Network Monitoring Architecture System Management Servers MA SA Monitor Agent Subscriber Agent Host A

Network Monitoring Architecture System Management Servers MA SA Monitor Agent Subscriber Agent Host A MA AA Agent Server policy Launch Agent Host B MA Agent Server MA IA Agent Server Host F SA AA Agent Migration Agent Server AA SA Agent Server Events Database AA Auditor Agent IA Event Notifications Host E Inspector Agent Host D Host C AA IA MA Agent Server

Subscriber Agent Subscriber Interface Remote Interface Monitor Interface Event Processor Thread Event Queue A

Subscriber Agent Subscriber Interface Remote Interface Monitor Interface Event Processor Thread Event Queue A (1) (3) Check. Event Trigger Table A (B, C) Event Notification (2) A (5) Event Detector B (4) Event Handler trigger C trigger Monitor Table Database Subscriber List

Trigger Dependencies Event Generation Detector Triggering Timer. Event. Detector Timer. Event. Handler Syslog. Event.

Trigger Dependencies Event Generation Detector Triggering Timer. Event. Detector Timer. Event. Handler Syslog. Event. Detector Syslog. Event. Handler XDMEvent. Detector XDMEvent. Handler Syslog. Event XDMEvent Ssh. Stp. Event Ssh. Sftp. Event. Detector Ssh. Sftp. Event. Handler Login. Event. Detector Login. Event. Handler Login. Event Feb 17 15: 12: 39 newton sshd[10899]: [ID 800047 auth. info] Accepted password for koka from 128. 101. 35. 177 port 45827 ssh 2

3. Security n n Name Service Agent Servers n n assumed trusted and secure

3. Security n n Name Service Agent Servers n n assumed trusted and secure Use Java security policy Give permissions based on code base and principal on whose behalf an agent is running Admission Policy – accept agents coming from authorized entities only “Security in the Ajanta Mobile Agent System”, N. Karnik and A. Tripathi, S P & E, 2001

Agent Admission Policy Spec. n Based on the tuple (host/domain, user/agent server) Specify +ve,

Agent Admission Policy Spec. n Based on the tuple (host/domain, user/agent server) Specify +ve, and -ve permissions and wild card characters n # accept agents coming from a specific domain n # don’t accept any agents coming from a specific domain n domain = cs. umn. edu, user = * !ip_addr = 128. 101 or !user = * # accept agents coming from a specific host and a specific user n host = plato. cs. umn. edu, user = urn: ans: plato. cs. umn. edu/koka

Security n Monitor/Subscriber Agents n n Migrate/terminate the agent Modify the agent behavior n

Security n Monitor/Subscriber Agents n n Migrate/terminate the agent Modify the agent behavior n n n E. g. delete detectors Subscribe to events Delete subscription Send false events Might modify agent control policies Solution: Secure Inter-Agent Communication and allowing only authorized entities to communicate with an agent

Inter-Agent Communication A 1 A 2 AS 1 AS 2 Constraints: n One of

Inter-Agent Communication A 1 A 2 AS 1 AS 2 Constraints: n One of the entities could be an agent server n AS 1 should not be able to invoke the RMI on behalf of A 1, if A 1 is not hosted by AS 1. n When A 1 makes the RMI call, it should not be able to disguise its hosting server AS 1. n If A 1 is successful in making an RMI when it is on AS 1, all further invocations of M should fail if either of A 1 or A 2 migrates.

Inter-Agent Communication 1. A 1 sends challenge A 1 AS 1 n n 2.

Inter-Agent Communication 1. A 1 sends challenge A 1 AS 1 n n 2. A 2 signs challenge, sends response 3. A 1 signs response A 2 AS 2 Uses Needham-Schroeder’s challengeresponse based authentication protocol Agents do not carry private keys They ask their hosting servers for temporary private keys Certificates are issued for different validity periods

Method Invocation M (…, Ticket) M (…, Ticket t) { check if t is

Method Invocation M (…, Ticket) M (…, Ticket t) { check if t is valid check if A 1 from AS 1 has permission for M A 1 AS 1 } // Method. . A 2 AS 2

Various Parameters n A 1 cred : agent A 1’s credentials n U 1

Various Parameters n A 1 cred : agent A 1’s credentials n U 1 cert : user U 1’s certificate issued by Name Service (NS) n A 1 loc-cert : location certificate issued by NS n A 1 cc : cascaded certificate issued by agent server AS 1 to agent A 1 n A 1 temp-cert : certificate issued by AS 1 to A 1, part of A 1 cc n AS 1 cert : certificate issued by NS to AS 1, part of A 1 cc n NScert : certificate of NS n KA 1 - - private key of agent A 1

Authentication Protocol n A 1 to A 2: n n (A 1 cred, U

Authentication Protocol n A 1 to A 2: n n (A 1 cred, U 1 cert, A 1 loc-cert, A 1 cc, N 1) N 1 is a nonce that A 2 has to sign A 2 makes the following checks: n n n Validity of U 1 cert using NScert Verify A 1 cred using the public key in U 1 cert Validity of A 1 loc-cert using NScert Validity of A 1 cc i. e. , AS 1 cert is valid and that A 1 temp-cert is signed using public key in AS 1 cert Name in AS 1 cert is the same as the one in A 1 loc-cert

Authentication Protocol n If all the checks are valid, A 2 sends to A

Authentication Protocol n If all the checks are valid, A 2 sends to A 1: (…, N 2, Sig(A 1, N 1)) n n A 1 makes the following checks n n n N 2 is a new nonce to be signed by A 1 Checks similar to A 2 Verifies if the signature is for the nonce N 1 When A 1 wants to invoke method M, it sends the ticket (A 1, Sig(A 2, N 2))

ISSUES n n n Nonce is incremented instead of authenticating every time A 1

ISSUES n n n Nonce is incremented instead of authenticating every time A 1 loc-cert can be verified by going to the Name Service every time If an agent server is compromised. .

Agent Access Control Policy Spec. METHOD URN LOCATION …. § § add. Detector java.

Agent Access Control Policy Spec. METHOD URN LOCATION …. § § add. Detector java. lang. String, ajanta. util. Ticket URN: ans: plato. cs. umn. edu/U 2/AS 2/A 2 URN: ans: plato. cs. umn. edu/U 3/AS 2 URN can be an agent, agent server, or Ajanta domain LOCATION: agent server hosting the agent Wild card characters can be used to simplify policy specification Administrator specifies policies for who can add/modify detectors, subscribe events, modify policies, etc.

4. Robustness n Self-Monitoring … heart beats Automated recovery as much as possible Use

4. Robustness n Self-Monitoring … heart beats Automated recovery as much as possible Use existing event delivery infrastructure n Failures: n n n Detector in an agent Agents Agent Servers/Hosts

Robustness n n Failure events are modeled as regular events Each agent runs an

Robustness n n Failure events are modeled as regular events Each agent runs an Agent. Alive. Detector which generates heart-beat events Failure. Event. Detector determines failures. They can be run by an agent. Failures are handled by the SMS

Robustness Timer. Event Agent. Alive. Event AS 1 A 2 AS 2 Failure. Event

Robustness Timer. Event Agent. Alive. Event AS 1 A 2 AS 2 Failure. Event Install Detector or Agent SMS n n Failure of all detectors in an agent is construed as agent failure Failure to install an agent is construed as agent server failure

Robustness…constraints n n n Any number of Failure. Event. Detectors could be running Agent.

Robustness…constraints n n n Any number of Failure. Event. Detectors could be running Agent. Alive and Failure. Event detectors could run with different frequencies Restoration could take any amount of time Multiple failure events need to be handled simultaneously SMS can be disconnected Don’t install agents/detectors unless it is necessary

Detector Failure ALE (seq = 20) Timer. Event AS 1 A 1 Install Detector

Detector Failure ALE (seq = 20) Timer. Event AS 1 A 1 Install Detector A 2 A 3 AS 2 AS 3 FE (seq = 20) SMS ALE: Agent. Alive. Event FE: Failure. Event Discarded by SMS

Agent Failure. Event. Detector Triggered by Timer. Event AS 1 A 2 A 1

Agent Failure. Event. Detector Triggered by Timer. Event AS 1 A 2 A 1 Install Agent SMS FE: Failure. Event AS 2 FE

Agent Server Failure. Event. Detector Triggered by Timer. Event AS 1 A 2 AS

Agent Server Failure. Event. Detector Triggered by Timer. Event AS 1 A 2 AS 2 Install Agent A 1 SMS FE: Failure. Event FE SMS would not be able to install the agent. Informs the administrator

5. System Capabilities n n n System log monitors Process monitors File Consistency inspectors

5. System Capabilities n n n System log monitors Process monitors File Consistency inspectors Host fingerprint inspectors Integrated Snort

Detectors Examples n n n Monitor users switching accounts Correlate login events network wide

Detectors Examples n n n Monitor users switching accounts Correlate login events network wide Snort to detect port scans Correlate login with Snort Runaway processes, daemons failure, malicious programs System Files consistency

Performance Figure…what can you do to reduce CPU usage n

Performance Figure…what can you do to reduce CPU usage n

Experiences n n n Implementation of Syslog detector Dynamic modification of detectors Termination of

Experiences n n n Implementation of Syslog detector Dynamic modification of detectors Termination of detectors Deletion and addition of detectors Storage model of detectors Need for a feedback mechanism

6. Conclusions n n Mobile-agents can be used to build network monitoring systems System

6. Conclusions n n Mobile-agents can be used to build network monitoring systems System presented is dynamic configurable and extensible, actively monitors networks, secure, robust and has acceptable resource usage

Future Work n n Test the scalability of the system Test the utility of

Future Work n n Test the scalability of the system Test the utility of the system by asking system administrators to use it Develop agents to facilitate software installations Applying data mining concepts

Acknowledgements… n n n Prof. Tripathi Tanvir Ahmed Sumedh Pathak Megan Carney Abhijit Pathak

Acknowledgements… n n n Prof. Tripathi Tanvir Ahmed Sumedh Pathak Megan Carney Abhijit Pathak - Overall Initial Implementation , , File System Monitoring