Overview
SANA (Security Analysis in Internet Traffic) is a project currently performed at the University of Luxembourg. The goal is to analyse network traffic and determine how intrusions (e.g. viruses, worms and hackers) assault the network. For this purpose, an artificial immune system is introduced. The human immune system is a nearly perfect system which protects the human body against pathogens.
There are several approaches to network protection using an artificial immune system. Unfortunately, they all have some disadvantages, e.g. the artificial cells do not work autonomously or the artificial cells do not move through the network. Therefore, the artificial immune system in SANA is designed with respect to two main features:
The artificial immune system is implemented in Java. It is based on a network simulator which generates the network traffic. The adversary generating the network traffic injects packets containing attacks, and the artificial immune system tries to identify these packets. Furthermore, it is also possible to simulate a network with a NIDS in order to compare the approaches.
The network simulator is designed with the paradigm "keep it small and simple". I implemented a simulator in Java using the Adversarial Queueing Theory introduced by Andrews et al. in 1996 and 2001. The network simulator uses FIFO queueing and a routing algorithm which calculates the shortest path to the destination. Furthermore, the simulation provides an adversary which injects packets over time in order to stress the network. The adversary injects randomised packets with a random source and destination; with a certain probability a packet is bad. The adversary also adapts to the state of the network in order to stress it well without overstressing it.
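As an added illustration of the queueing and adversary design described above (a Python sketch written for this page, not the project's Java simulator): FIFO queues per node, breadth-first shortest-path routing on a constructed 6-node ring, and an adversary that injects random packets, marks each as bad with probability p_bad, and adapts its injection rate to the longest queue. The ring, the one-packet-per-node-per-step service rate and the queue-length watermarks are assumptions.

```python
import random
from collections import deque
RING = {i: [(i - 1) % 6, (i + 1) % 6] for i in range(6)}   # constructed 6-node ring topology

def next_hop(topology, src, dst):
    """Breadth-first search: first hop on a shortest path src -> dst, None if already there."""
    if src == dst:
        return None
    parent, frontier = {src: None}, deque([src])
    while frontier:
        node = frontier.popleft()
        for nb in topology[node]:
            if nb not in parent:
                parent[nb] = node
                frontier.append(nb)
    hop = dst
    while parent[hop] != src:
        hop = parent[hop]
    return hop

class Simulator:
    """FIFO queue per node, one packet forwarded per node and step, adaptive adversary."""
    def __init__(self, topology, p_bad, seed=0, low=2, high=6):
        self.topo, self.p_bad, self.rng = topology, p_bad, random.Random(seed)
        self.low, self.high = low, high                # queue-length watermarks (assumed values)
        self.queues = {n: deque() for n in topology}
        self.rate, self.delivered, self.injected = 1, [], 0   # rate = packets injected per step

    def inject(self):
        for _ in range(self.rate):
            src, dst = self.rng.sample(list(self.topo), 2)
            bad = self.rng.random() < self.p_bad       # ground truth, hidden from the immune system
            self.queues[src].append({"src": src, "dst": dst, "bad": bad})
            self.injected += 1

    def step(self):
        self.inject()
        moves = [(n, self.queues[n].popleft()) for n in self.topo if self.queues[n]]
        for node, pkt in moves:                        # two phases: at most one hop per step
            hop = next_hop(self.topo, node, pkt["dst"])
            if hop is None:
                self.delivered.append(pkt)
            else:
                self.queues[hop].append(pkt)
        longest = max(len(q) for q in self.queues.values())
        if longest > self.high:                        # overstressed: back off
            self.rate = max(1, self.rate - 1)
        elif longest < self.low:                       # idle: stress harder
            self.rate += 1
        return longest
```

Each call to `step()` returns the longest queue after that time step, so a run of the simulator shows the adversary settling between the two watermarks rather than flooding the ring.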
Artificial Immune System
The artificial immune system provides an artificial-cell environment in each node. This environment provides the functionality the artificial cells need to perform all required tasks: accessing system files, checking packets, moving agents, communication/collaboration between agents, etc. This environment also shares the computational power over all artificial cells so that each artificial cell can perform its task. Interfaces exist for all components of the artificial immune system, so that different types of components can be implemented easily.
Using this open environment, it is possible to model nearly all immunological processes. An immunological process consists of cells performing some tasks, local cell communication and movement of cells. The movement of cells is implemented so that the artificial cell is packed into one or more packets, which the node then sends to the destination node. The destination node unpacks the packets and restarts the cell. The local cell communication is realised using a Status Storage in each node. In this Status Storage, each artificial cell can insert messages and read the messages stored there.
The attack management is also a subsystem which can be easily enhanced. There is a packet evaluator which evaluates whether a packet contains an attack or not. With this packet evaluator, which cannot be accessed by the artificial cells, it is possible to evaluate the decisions of the artificial cells. Using the Status Storage and the packet evaluators, it is possible to model complex attack and defence scenarios. For example, the second signal, where two cells must identify a packet as malicious, is implemented.
The artificial cells are the main component of the artificial immune system. These cells flow through the network and perform the protection tasks. Therefore, a Java interface is added in order to handle all artificial cells, and each new artificial cell is a new Java agent class which implements the interface. Using the artificial-cell environment of the artificial immune system, it is possible to add new artificial cells which perform new tasks; consequently, the system is easy to enhance. Furthermore, an administrator can update and adapt the artificial immune system to new situations and new attacks using new artificial cells.
With these artificial cells, it is possible to create a massively distributed system like the immune system.
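An added sketch of the Status Storage, the packet evaluator and the second-signal rule described above (Python written for this page, not SANA's Java implementation). The six packets, the three feature-based detectors and the cell names are constructed for the example; the "attack" field is the ground truth only the evaluator reads. Scoring the node with one required signal versus two shows what the second signal buys and costs: the lone port-based flag on a benign packet no longer counts as a detection, but an attack that only one cell recognises is missed.

```python
# Constructed packets; "attack" is the ground truth that only the PacketEvaluator may read.
PACKETS = [
    {"id": 1, "dst_port": 80,  "payload": "GET /index.html",       "attack": False},
    {"id": 2, "dst_port": 445, "payload": "EXEC admin$ x.exe",     "attack": True},
    {"id": 3, "dst_port": 445, "payload": "SMB negotiate",         "attack": False},
    {"id": 4, "dst_port": 80,  "payload": "POST /cgi-bin EXEC sh", "attack": True},
    {"id": 5, "dst_port": 25,  "payload": "MAIL FROM:<a@b>",       "attack": False},
    {"id": 6, "dst_port": 445, "payload": "A" * 300,               "attack": True},
]

class StatusStorage:
    """Per-node message board: each cell posts the ids of packets it considers suspicious."""
    def __init__(self):
        self.flags = {}                          # packet id -> set of cell names
    def post(self, cell, pkt_id):
        self.flags.setdefault(pkt_id, set()).add(cell)
    def signals(self, pkt_id):
        return len(self.flags.get(pkt_id, set()))

class Cell:
    """An artificial cell with one imperfect detector; it never sees the 'attack' field."""
    def __init__(self, name, detector):
        self.name, self.detect = name, detector
    def inspect(self, pkt, storage):
        view = {k: v for k, v in pkt.items() if k != "attack"}
        if self.detect(view):
            storage.post(self.name, pkt["id"])

# Three toy detectors keyed on different features (assumed, not SANA's own cells).
CELLS = [Cell("keyword", lambda p: "EXEC" in p["payload"]),
         Cell("port", lambda p: p["dst_port"] == 445),
         Cell("size", lambda p: len(p["payload"]) > 200)]

class PacketEvaluator:
    """Ground-truth oracle the cells cannot access; scores the node's verdicts."""
    def score(self, packets, verdicts):
        tp = sum(1 for p in packets if p["attack"] and verdicts[p["id"]])
        fp = sum(1 for p in packets if not p["attack"] and verdicts[p["id"]])
        fn = sum(1 for p in packets if p["attack"] and not verdicts[p["id"]])
        return {"tp": tp, "fp": fp, "fn": fn}

def run_node(packets, cells, signals_needed):
    """Every cell inspects every packet; a packet is malicious once `signals_needed`
    distinct cells have flagged it in the Status Storage (2 = the second signal)."""
    storage = StatusStorage()
    for pkt in packets:
        for cell in cells:
            cell.inspect(pkt, storage)
    return {p["id"]: storage.signals(p["id"]) >= signals_needed for p in packets}
```

`PacketEvaluator().score(PACKETS, run_node(PACKETS, CELLS, n))` with n = 1 and n = 2 gives the two verdict tables; with one signal the benign SMB packet is a false positive, with two it is not, while the single-keyword attack on port 80 drops out.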
Currently there are several different artificial cells:
Artificial Cell Communication
The artificial immune system consists of many different components, e.g. different types of artificial cells which work autonomously. In order to increase network security, these components should cooperate. For this, a communication mechanism is needed which should be efficient, distributed and secure. Therefore, SANA is enhanced by an artificial cell communication with different parts:
The whole communication and each of its parts are motivated by the cell communication in the human body. The cell communication is distributed, and no central coordinator is used.
Visualisation
In cooperation with Oltjon Sulanjaku (TFE student at the University of Luxembourg), we added a 3D visualisation of the SANA network. This visualisation uses Java, Java3D and WilmaScope in order to display the nodes and connections of the network. The colour and thickness of nodes and connections display different information, and using a filter system it is possible to visualise only the important parts of the network.
Scenarios for Testing
The implementation contains an interface for scenarios which are used to test the artificial immune system. A scenario is a Java class which implements the interface, and in this class all required parameters are set: the topology of the network, the behaviour of the adversary (e.g. which attacks and how many packets are inserted) and the behaviour of the artificial immune system (e.g. which types of artificial cells, the behaviour of the cells or how many cells are in the network). Furthermore, some immunological processes are implemented in the scenarios, e.g. the second signal or a first implementation of cytokines for cell communication. Using the scenario interface, it is easy to define novel scenarios because it is nearly a construction kit.
After defining the scenario, the simulator runs the scenario for a given number of time-steps and stores the collected results in a log-file. Thereafter, the user can interpret the results and analyse how to improve the artificial immune system.
Currently (26 June 2006), there are 16 different scenarios which simulate different networks, e.g. rings, backbones and connected smaller rings, or which simulate more than one network connected by a backbone. Some of these scenarios use the artificial immune system of SANA for network protection and some a NIDS. One scenario models a realistic worm attack.
Results of Simulations
In the 14 scenarios, SANA performs well. It identifies about 60%-80% of the attacks and it cooperates with a NIDS without any problems. Furthermore, it performs better than a centralised IDS (e.g. a NIDS like SNORT) in nearly all scenarios. An overview of 12 simulations is summarised in this pdf file.
On this page, the performance of the implementation is discussed, especially the performance with many nodes and artificial cells.
Applications
The purpose of the artificial immune system is not to replace existing NIDS. The artificial immune system SANA is an enhancement of current NIDS. SANA runs on each node, e.g. routers, switches, personal computers (PCs), production servers, etc. A NIDS checks each packet which is routed over it. With the right placement of a NIDS, e.g. at the Internet gateway, the e-mail server, etc., the NIDS identifies many attacks. However, there are situations in which the NIDS cannot identify an attack, e.g. the packet is not routed over the NIDS (PC-to-PC communication) or the NIDS is overloaded. In particular, the following scenario describes how a NIDS cannot protect the whole network: a PC is infected by a worm and the worm starts to infect all other PCs; until the worm tries to attack the NIDS itself, the NIDS will not know that the worm is in the network.
In these cases, SANA will protect the nodes because it runs on each node and shares the computational power over all nodes. Consequently, SANA cooperates with the NIDS.
Moreover, SANA replaces current host-based intrusion detection systems (HIDS), because HIDS are too static and adapt too slowly to the current situation in the network. Furthermore, SANA can run with low computational power on network equipment (routers, switches, etc.), which increases the cost of the network equipment only slightly.
Student Projects
There are student projects (SPP, TFE, BAC, DIP, MAS and PRC level) in the scope of SANA available. More information can be found here.