We have developed an Intelligent Security Console for monitoring a large-scale agent society that also acts as an alert correlation tool. The Intelligent Monitoring and Response (M&R) Security Console is a stand-alone architecture for sending and receiving security-related queries (in IDMEF format). Our design goal is to make the Security Console flexible enough that it can interact closely with the agent society, collect events, and display them in the desired fashion.
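To make the console's alert-correlation role concrete, here is an added example (not the project's own code) that parses IDMEF (RFC 4765) alert messages and applies one simple correlation rule: flag a source that raises alerts against several distinct targets within a short time window. The IDMEF messages, addresses, and timestamps are constructed sample data; the window and threshold values are assumptions.

```python
"""Parse IDMEF alerts and correlate them by source address (added example)."""
from collections import defaultdict
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"idmef": "http://iana.org/idmef"}  # namespace defined by RFC 4765

def _alert(mid, when, src, dst, cls):
    """Build one minimal <idmef:Alert> element as a string (constructed data)."""
    addr = "<idmef:Node><idmef:Address category='ipv4-addr'><idmef:address>%s</idmef:address></idmef:Address></idmef:Node>"
    return ("<idmef:Alert messageid='%s'><idmef:Analyzer analyzerid='console-demo'/>"
            "<idmef:CreateTime>%s</idmef:CreateTime><idmef:Source>%s</idmef:Source>"
            "<idmef:Target>%s</idmef:Target><idmef:Classification text='%s'/></idmef:Alert>"
            % (mid, when, addr % src, addr % dst, cls))

# Constructed sample: one source probing three hosts in two minutes, plus unrelated noise.
SAMPLE_IDMEF = ("<idmef:IDMEF-Message xmlns:idmef='http://iana.org/idmef' version='1.0'>"
    + _alert("a1", "2024-01-01T10:00:00+00:00", "192.0.2.200", "192.0.2.10", "Port scan")
    + _alert("a2", "2024-01-01T10:01:00+00:00", "192.0.2.200", "192.0.2.11", "Port scan")
    + _alert("a3", "2024-01-01T10:02:00+00:00", "192.0.2.200", "192.0.2.12", "Port scan")
    + _alert("a4", "2024-01-01T10:00:30+00:00", "198.51.100.7", "192.0.2.10", "Login failure")
    + "</idmef:IDMEF-Message>")

def parse_alerts(xml_text):
    """Return one dict per <idmef:Alert>: id, time, source, target, classification."""
    root = ET.fromstring(xml_text)
    path = "idmef:%s/idmef:Node/idmef:Address/idmef:address"
    return [{
        "id": a.get("messageid"),
        "time": datetime.fromisoformat(a.findtext("idmef:CreateTime", namespaces=NS)),
        "source": a.findtext(path % "Source", namespaces=NS),
        "target": a.findtext(path % "Target", namespaces=NS),
        "class": a.find("idmef:Classification", NS).get("text"),
    } for a in root.findall("idmef:Alert", NS)]

def correlate_by_source(alerts, window_s=300, min_targets=3):
    """Flag sources hitting >= min_targets distinct targets within window_s seconds."""
    by_src = defaultdict(list)
    for al in alerts:
        by_src[al["source"]].append(al)
    findings = []
    for src, group in by_src.items():
        group.sort(key=lambda al: al["time"])
        for i, first in enumerate(group):  # slide the window over this source's alerts
            hits = [al for al in group[i:]
                    if (al["time"] - first["time"]).total_seconds() <= window_s]
            targets = sorted({al["target"] for al in hits})
            if len(targets) >= min_targets:
                findings.append({"source": src, "targets": targets,
                                 "alerts": [al["id"] for al in hits]})
                break
    return findings

if __name__ == "__main__":
    for f in correlate_by_source(parse_alerts(SAMPLE_IDMEF)):
        print("correlated: %s -> %s (alerts %s)" % (f["source"], f["targets"], f["alerts"]))
```

Real consoles would also match on Analyzer identity, Classification, and IDMEF Assessment/Impact fields; this block shows only the address-and-time grouping.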
The important features of the security console are as follows:
This project involves developing a distributed Security Agent framework for monitoring the Ultra*Log environment. The purpose is to detect malfunctions, faults, abnormalities, misuse, deviations, intrusions, etc. and take appropriate actions. Accordingly, it simultaneously monitors Ultra*Log node activities at different levels (Node, Agent and PlugIn). The objective is to find correlations among the deviated values (from the normal or defined policy) of monitored parameters in order to determine specific security violations. CIDS looks for deviation from the defined normal, based on low-level policy, or by examining past behavior (off-line training). In this agent framework a security node consists of four different agents (Manager agent, Monitor agent, Decision agent and Action agent), and their activities are coordinated through the Manager Agent while sensing, communicating and generating responses. All these functional modules work in coordination to address specific security issues of the Ultra*Log environment. The current version of CIDS (prototype 1.0) is now operational and provides the basic security agent infrastructure.
The goal of the proposed research project is to develop an intelligent multi-agent system for intrusion/anomaly detection and response in networked computers. The approach is inspired by the defense mechanisms of the immune system, which is highly distributed in nature.
In this approach, immunity-based agents roam around the machines (nodes or routers), and monitor the situation in the network (i.e. look for changes such as malfunctions, faults, abnormalities, misuse, deviations, intrusions, etc.). These agents can mutually recognize each other's activities and can take appropriate actions according to the underlying security policies. Specifically, their activities are coordinated in a hierarchical fashion while sensing, communicating and generating responses. Moreover, such an agent can learn and adapt to its environment dynamically and can detect both known and unknown intrusions.
The main objective is to design a multi-agent detection system that can simultaneously monitor networked computers' activities at different levels (such as user level, system level, process level and packet level) to make robust decisions on intrusions and/or anomalies. The novelty of this intrusion detection system lies primarily in its multi-agent architecture, in particular the agents' roles, adaptivity, regulation, life cycle, specificity, diversity and dynamic collaboration mechanism. The proposed system is designed to be flexible, extendible and adaptable, and to perform near real-time monitoring in accordance with the needs and preferences of the organization.
The SANTA system represents a mobile agent approach to distributed intrusion detection. This security agent framework simultaneously monitors multiple levels (packet, process, system, and user) of networked computers to determine correlations among the observed anomalous patterns, reporting such abnormal behavior to the network administrator and/or possibly taking some action to counter a suspected security violation. In the current implementation, IBM's Aglets Software Development Kit (ASDK) is used as the base agent architecture, along with Adaptive Resonance Theory (ART-2) neural networks for network pattern classification and a fuzzy logic controller for decision/action resolution. The feasibility of this mobile security agent system is demonstrated and some preliminary results are reported. Though the long-term plan of this project is to develop an immunity-based mobile agent architecture from design principles, the use of IBM's Aglets in our current implementation serves as a proof of concept for an immunity-based intrusion detection system framework.