A Multi Agent System for Flow-Based Intrusion Detection

The detection and elimination of threats to cyber security is essential for system functionality, protection of valuable information, and preventing costly destruction of assets. This thesis presents a Mobile Multi-Agent Flow-Based IDS called MFIREv3 that provides network anomaly detection of intrusions and automated defense. This version of the MFIRE system includes the development and testing of a Multi-Objective Evolutionary Algorithm (MOEA) for feature selection that provides agents with the optimal set of features for classifying the state of the network. Feature selection provides separable data points for the selected attacks: Worm, Distributed Denial of Service, Man-in-the-Middle, Scan, and Trojan. This investigation develops three techniques of self-organization for multiple distributed agents in an intrusion detection system: Reputation, Stochastic, and Maximum Cover. These three movement models are tested for effectiveness in locating good agent vantage points within the network to classify the state of the network. MFIREv3 also introduces the design of defensive measures to limit the effects of network attacks. Defensive measures included in this research are rate-limiting and elimination of infected nodes. The results of this research provide an optimistic outlook for flow-based multi-agent systems for cyber security. The impact of this research illustrates how feature selection in cooperation with movement models for multi agent systems provides excellent attack detection and classification

MFIRE-2: A Multi Agent System for Flow-based Intrusion Detection Using Stochastic Search

Detecting attacks targeted against military and commercial computer networks is a crucial element in the domain of cyberwarfare. The traditional method of signature-based intrusion detection is a primary mechanism to alert administrators to malicious activity. However, signature-based methods are not capable of detecting new or novel attacks. This research continues the development of a novel simulated, multiagent, flow-based intrusion detection system called MFIRE. Agents in the network are trained to recognize common attacks, and they share data with other agents to improve the overall effectiveness of the system. A Support Vector Machine (SVM) is the primary classifier with which agents determine an attack is occurring. Agents are prompted to move to different locations within the network to find better vantage points, and two methods for achieving this are developed. One uses a centralized reputation-based model, and the other uses a decentralized model optimized with stochastic search. The latter is tested for basic functionality. The reputation model is extensively tested in two configurations and results show that it is significantly superior to a system with non-moving agents. The resulting system, MFIRE-2, demonstrates exciting new network defense capabilities, and should be considered for implementation in future cyberwarfare applications

Agent‐based modeling of malware dynamics in heterogeneous environments

The increasing convergence of power‐law networks such as social networking and peer‐to‐peer applications, web‐delivered applications, and mobile platforms makes today's users highly vulnerable to entirely new generations of malware that exploit vulnerabilities in web applications and mobile platforms for new infections, while using the power‐law connectivity for finding new victims. The traditional epidemic models based on assumptions of homogeneity, average‐degree distributions, and perfect‐mixing are inadequate to model this type of malware propagation. In this paper, we study four aspects crucial to modeling malware propagation: application‐level interactions among users of such networks , local network structure , user mobility , and network coordination of malware such as botnets . Since closed‐form solutions of malware propagation considering these aspects are difficult to obtain, we describe an open‐source, flexible agent‐based emulation framework that can be used by malware researchers for studying today's complex malware. The framework, called Agent‐Based Malware Modeling (AMM), allows different applications, network structure, network coordination, and user mobility in either a geographic or a logical domain to study various infection and propagation scenarios. In addition to traditional worms and viruses, the framework also allows modeling network coordination of malware such as botnets. The majority of the parameters used in the framework can be derived from real‐life network traces collected from a network, and therefore, represent realistic malware propagation and infection scenarios. As representative examples, we examine two well‐known malware spreading mechanisms: (i) a malicious virus such as Cabir spreading among the subscribers of a cellular network using Bluetooth and (ii) a hybrid worm that exploit email and file‐sharing to infect users of a social network. In both cases, we identify the parameters most important to the spread of the epidemic based upon our extensive simulation results. Copyright © 2011 John Wiley & Sons, Ltd. This paper presents a novel agent‐based framework for realistic modeling of malware propagation in heterogeneous networks, applications and platforms. The majority of the parameters used in the framework can be derived from real‐life network traces collected from a network, and therefore, represent realistic malware propagation and infection scenarios for the given network. Two well‐known malware spreading mechanisms in traditional as well as mobile environments were studied using extensive simulations within the framework and the most important spreading parameters were identified.Peer Reviewedhttp://deepblue.lib.umich.edu/bitstream/2027.42/101832/1/sec298.pd

Malicious botnet survivability mechanism evolution forecasting by means of a genetic algorithm

Botnets are considered to be among the most dangerous modern malware types and the biggest current threats to global IT infrastructure. Botnets are rapidly evolving, and therefore forecasting their survivability strategies is important for the development of countermeasure techniques. The article propose the botnet-oriented genetic algorithm based model framework, which aimed at forecasting botnet survivability mechanisms. The model may be used as a framework for forecasting the evolution of other characteristics. The efficiency of different survivability mechanisms is evaluated by applying the proposed fitness function. The model application area also covers scientific botnet research and modelling tasks. Article in English. Kenkėjiškų botnet tinklų išgyvenamumo mechanizmų evoliucijos prognozavimas genetinio algoritmo priemonėmis Santrauka. Botnet tinklai pripažįstami kaip vieni pavojingiausių šiuolaikinių kenksmingų programų ir vertinami kaip viena iš didžiausių grėsmių tarptautinei IT infrastruktūrai. Botnettinklai greitai evoliucionuoja, todėl jų savisaugos mechanizmų evoliucijos prognozavimas yra svarbus planuojant ir kuriant kontrpriemones. Šiame straipsnyje pateikiamas genetiniu algoritmu pagrįstas modelis, skirtas Botnet tinklų savisaugos mechanizmų evoliucijai prognozuoti, kuris taip pat gali būti naudojamas kaip pagrindas kitų Botnet tinklų savybių evoliucijai modeliuoti. Skirtingi savisaugos mechanizmai vertinami taikant siūlomą tinkamumo funkciją. Raktiniai žodžiai: Botnet; genetinis algoritmas; prognozė; savisauga; evoliucija; modeli