Executive Summary SANA

SANA - Security Analysis in Internet Traffic


Date: 30 June 2006

Introduction

Our living environment is changing constantly, and almost all electronic devices are now connected in networks. Nearly all computers are connected in networks, and these networks are in turn connected through the Internet. Especially in academic and company networks, a lot of critical information is stored on these computers, so the network is a target for attacks, e.g. by hackers, viruses and worms. Network administrators try to secure the network against these intrusions using Intrusion Detection Systems (IDS), which are either Network Intrusion Detection Systems (NIDS) or Host-based Intrusion Detection Systems (HIDS). Both have certain disadvantages, e.g. the need for plenty of computational power, the need for local installation, or the need for supervision by an administrator. Moreover, attacks are getting more and more intelligent and can camouflage themselves in order to evade the IDS.

It follows that novel approaches for network security are needed which should provide the following features: In SANA, we introduce such non-standard approaches for network security and evaluate whether they can increase security compared with commonly used IDS. The IDS in SANA is an artificial immune system which provides the features explained above.

Biology as Archetype

One promising field in computer science is to use biology as an archetype. In SANA, we use the human body as the paradigm.

The human body uses an immune system for the defence against pathogens. It is a massively distributed system: there is no single critical centre, and central structures like the lymph nodes are highly redundant in the human body. The cells of the immune system work autonomously, and the system is highly adaptive, removing novel pathogens quickly. Additionally, the immune system is self-tolerant and distinguishes efficiently between safe and unsafe. Because of its massively distributed nature, the immune system is hard to attack or to break down.

Another important part of the defence against pathogens in the human body is the cooperation and collaboration between certain components of the body. Like the immune system, cell communication is distributed, efficient and secure. Cell communication plays an important role especially in the self-tolerance and self-management of the immune system.

Overview about the Security Architecture in SANA

In SANA, we build an artificial immune system with artificial cells in order to secure the network against intrusions. The artificial cells are lightweight, mobile and autonomous entities which flow through the network and perform certain tasks for the security of the network. Other biological components – e.g. lymph nodes or bone marrow – are also modelled in SANA. Additionally, the artificial cells and all other components work autonomously and do not need a central centre for executing their security tasks. In order to obtain a massively distributed system like the human immune system, the artificial cells are highly specialised: there are cells with different tasks, e.g. network-traffic checking, monitoring or identification of infected nodes, and the artificial cells with the same task differ among each other again – e.g. in network-traffic checking, the attacks which are known differ between cells.

Two problems of IDS are that the components either do not work together at all or only work together via a central centre, and the problem of false positives – the evaluation of a good packet as malicious. To solve these two problems, SANA uses artificial cell communication so that the artificial cells can cooperate and check each other, and so that the immunological processes of the human immune system can be reused.

Current Status / Results

The artificial immune system and the artificial cell communication are designed to obtain the advantages of the human immune system. The artificial immune system is implemented in Java, based on a network simulator which simulates a packet-oriented network using the Adversarial Queueing Theory introduced by Andrews et al. The artificial cell communication is currently under implementation and testing. There are different types of artificial cells with different functions, e.g. evaluation of network packets, identification of infected nodes or disinfection of infected nodes. Furthermore, the artificial lymph nodes supply the artificial cells with the required information and activate other needed artificial cells. The Central Nativity and Training Station (CNTS) releases new artificial cells in order to keep the cells up to date using an evolutionary process.

In SANA, there are different scenarios, each describing a network, an adversary with a set of modelled attacks – e.g. a worm attack – and a defence structure consisting of SANA and NIDS. The results of SANA are promising because it enhances current IDS; especially the cooperation between NIDS on important nodes and SANA is promising. SANA alone identifies about 60%-80% of the attacks, and SANA together with a NIDS identifies about 85%-95% of the attacks. Additionally, SANA adapts to modified attacks and shares the computational load over all network nodes because of its distributed environment. To show these advantages of SANA, a realistic worm attack is simulated: a worm infects several nodes and starts to send infected packets from these nodes; SANA removes the infected packets, identifies the infected nodes and disinfects them; the worm attack is removed and the network is disinfected.
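As an added illustration (not SANA's own code, which is implemented in Java), the following Python toy model shows the ideas of the architecture section and of the worm scenario above: specialised mobile cells with differing rule sets sweep a constructed ring network, report suspicious senders to an artificial lymph node, and a node is only disinfected once a quorum of distinct cells has reported it, which keeps one cell's faulty rule from "curing" healthy nodes. The network, payloads, cell rules and quorum policy are all assumptions constructed for this example.

```python
from collections import defaultdict

WORM, BENIGN = "WORM-PAYLOAD", "HELLO"   # constructed payloads

class Cell:
    """Mobile, autonomous checker that knows only its own detection rules."""
    def __init__(self, name, rules, location):
        self.name, self.rules, self.location = name, rules, location

    def flags(self, payload):
        return any(rule(payload) for rule in self.rules)

def make_cells():
    exact = lambda p: p == WORM
    buggy = lambda p: p == WORM or p.startswith("H")   # misfires on HELLO
    return [Cell("A", [exact], 0), Cell("B", [exact], 2), Cell("C", [buggy], 4)]

def run(cells, n_nodes=6, infected=(0, 3), quorum=2, max_steps=20):
    """Simulate a constructed ring network; return how the sweep went."""
    infected = set(infected)
    reports = defaultdict(set)          # artificial lymph node: node -> cells
    false_disinfections = worm_dropped = 0
    for step in range(1, max_steps + 1):
        active = set(infected)          # nodes sending worm packets this step
        for src in range(n_nodes):
            dst = (src + 1) % n_nodes   # ring topology, one packet per link
            payload = WORM if src in active else BENIGN
            # cells at either end of the link inspect the packet
            seen_by = [c.name for c in cells
                       if c.location in (src, dst) and c.flags(payload)]
            if not seen_by:
                if payload == WORM:     # uncaught worm packet infects dst
                    infected.add(dst)
                continue
            if payload == WORM:         # flagged packet is removed
                worm_dropped += 1
            reports[src].update(seen_by)
            if len(reports[src]) >= quorum:   # cells confirm each other
                if src not in infected:
                    false_disinfections += 1  # a healthy node was "cured"
                infected.discard(src)
                reports[src].clear()
        for c in cells:                 # cells flow on to the next node
            c.location = (c.location + 1) % n_nodes
        if not infected:
            return {"steps": step, "cleaned": True, "worm_dropped": worm_dropped,
                    "false_disinfections": false_disinfections}
    return {"steps": max_steps, "cleaned": False, "worm_dropped": worm_dropped,
            "false_disinfections": false_disinfections}
```

Running `run(make_cells(), quorum=1)` and `run(make_cells(), quorum=2)` side by side shows that both clean the worm, but only the quorum of two prevents the buggy cell's misfire from disinfecting a healthy node.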

Next Steps

The next steps in SANA are to finish the implementation of the artificial cell communication, test it, and enhance it so that it works properly. Thereafter, the artificial cell communication and additional structures will be used for the self-management of the immune system and its components. The goal is to increase network security and to provide a certain guarantee of security. These goals are met using a self-managed system which adapts to the current situation and to the current intrusions in the system.

Embedding of SANA at the University of Luxembourg

SANA – Security Analysis in Internet Traffic – is the PhD project of Michael Hilker under the supervision of Prof. Dr. Christoph Schommer. The project is done in cooperation with Prof. Dr. Aleksander Weron, Hugo Steinhaus Center, Wroclaw University of Technology, Poland. SANA is embedded in the INTRA project – Information Traffic Management and Computer Network Protection – at the University of Luxembourg.

Publications

Please see here.


Modified: 2006-06-30 10:33:14
Exported: 2012-05-17 01:31:37