SANA_Agnosco

Sub-Project: Agnosco - AGents for the ideNtification of infected cOmputers uSing ant COlonies

A major problem in network security is to identify infected network nodes. A node is infected if a virus or worm attacks it and the attack succeeds, or if a hacker installs a backdoor or root-kit on it. Such a node is a risk for the whole network, because viruses and worms try to infect other nodes as well, and through a backdoor or root-kit the hacker can control the whole node.

There exist some techniques for finding such an infected node:
  • Anomaly Detection:
    By observing the network traffic and analysing whether it contains abnormal traffic, it is sometimes possible to identify an infected node or an infected part of the network.
  • Statistical Analysis of Network Traffic:
    There are techniques in which the network traffic is statistically observed and analysed. With these techniques, it is possible to determine an infected node or an infected part of the network.
  • Inference from Network Traffic Analysis:
    Nearly all networks run some Network Security System (e.g. a NIDS like SNORT). These systems identify packets which contain an attack. With information from the whole network, and by analysing nearly all the information from such a system, it could be possible to identify an infected node or part of the network.
  • Trust or Byzantine Behaviour:
    If a node runs a service, a watchdog can use this service periodically to find out whether the service is working properly. If not, the node may be occupied by a hacker, or a virus/worm may have infected it.

All four approaches have several disadvantages. The two main ones:
  • They need information from the whole network. This results in plenty of additional communication, and the capacity of the network is reduced.
  • Furthermore, because all approaches need all the information in one place, they collect lots of data, and analysing this data needs plenty of computational power.
AGNOSCO – Identification of Infected Nodes with artificial Ant Colonies – is a novel approach which identifies the infected nodes in a network. If a Network Security System identifies a packet as bad, a bad-confirmation-packet travels back to the source and releases lots of pheromones on the connections it crosses, like an ant carrying prey. In contrast, a normal confirmation-packet behaves like an ant without prey and, consequently, does not release any pheromones. AGNOSCO flows through the network and reads/rates these pheromone values, and if a value is above a certain threshold, AGNOSCO follows this track. If AGNOSCO is following a track and the values of all connections of a node are below the threshold, AGNOSCO identifies this node as infected. This works fine with the right parameters in a static environment, i.e. one in which there are some infected nodes and this set does not change.
In a dynamic environment, the identification process is a little more complex. In addition to the process explained above, two rules are needed: if the pheromone value in a node is higher than the threshold but below a certain parameter (e.g. 10% of the old pheromone value), this node is infected with high probability. Furthermore, if AGNOSCO tracks a node twice, it has run into a cycle/loop, and all nodes of this loop are infected with high probability. We added these rules to the implementation, and AGNOSCO identifies the infected nodes in a dynamic environment reliably and quickly.

For the pheromone value of a connection, the system uses an affinity function. This function increases sharply when a bad-confirmation-packet releases pheromones on the connection and decreases whenever a packet travels over it. The decrease is fast at first, so that a mistake can be corrected, and slow later, so that a stable value is reached. With the affinity function and parameters used, several pheromone tracks towards the infected nodes emerge, which AGNOSCO can read.
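The pheromone mechanism and the three identification rules described above (dead end of a track, sharp drop below 10% of the old value, loop), as an added Python simulation that is not part of the SANA/AGNOSCO project code. The network, the deposit, decay and threshold values are assumptions, and "old pheromone value" in the 10% rule is taken to be the value of the connection the agent has just followed.

```python
from collections import defaultdict

DEPOSIT = 10.0          # assumed: pheromone a bad-confirmation-packet releases per hop
FAST, SLOW = 0.5, 0.9   # assumed affinity decay: fast while the value is high, slow when low
THRESHOLD = 2.0         # assumed: minimum value for AGNOSCO to follow a connection
DROP = 0.1              # the 10% figure from the text (dynamic-environment rule)

class Network:
    """Pheromone is directional: key (a, b) is the connection a -> b."""
    def __init__(self, edges):
        self.out = defaultdict(set)
        self.pher = defaultdict(float)
        for a, b in edges:
            self.out[a].add(b); self.out[b].add(a)

    def bad_confirmation(self, path):
        """Path from the NIDS back to the attack source: every hop deposits."""
        for a, b in zip(path, path[1:]):
            self.pher[(a, b)] += DEPOSIT

    def normal_packet(self, a, b):
        """Ordinary traffic over a -> b: the affinity function only decays."""
        v = self.pher[(a, b)]
        self.pher[(a, b)] = v * (FAST if v > THRESHOLD else SLOW)

def agnosco(net, start):
    """Follow the strongest track from start; return (infected set, reason)."""
    visited, node, came_in = [start], start, None
    while True:
        nxt = max(net.out[node], key=lambda n: net.pher[(node, n)])
        val = net.pher[(node, nxt)]
        if val < THRESHOLD:
            # All connections of this node are below the threshold: if the agent
            # was on a track, the track ends here and the node is reported infected.
            return ({node}, "dead-end") if came_in is not None else (set(), "no-track")
        if came_in is not None and val < DROP * came_in:
            # Above threshold but far below the incoming value: infected with high probability.
            return {node}, "sharp-drop"
        if nxt in visited:
            # Node tracked twice: a loop, all of whose nodes are infected with high probability.
            return set(visited[visited.index(nxt):]), "loop"
        visited.append(nxt); node, came_in = nxt, val

def demo():
    # Constructed network and events (not taken from the page).
    net = Network([("A", "B"), ("B", "C"), ("C", "D"), ("D", "A"), ("B", "E")])
    net.bad_confirmation(["E", "B", "A"])   # NIDS at E flags two packets from A
    net.bad_confirmation(["E", "B", "A"])
    for _ in range(3):
        net.normal_packet("E", "B")         # ordinary traffic decays E -> B: 20 -> 2.5
    return agnosco(net, "E")                # track E -> B -> A ends at A: ({"A"}, "dead-end")
```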

Project Status

  • AGNOSCO is designed, described and analysed. Theoretically, the approach works fine.
  • AGNOSCO is implemented as a Java agent class in SANA, and it identifies the infected node properly and rapidly. The information about which node is infected can be used by SANA to start a disinfection process or to isolate the node.
  • An article about AGNOSCO was written and submitted to RASC2006.
  • The article was accepted and published in the proceedings of the international scientific conference RASC2006.

Next Steps

  • Introduce functionality so that AGNOSCO can narrow down the time interval in which a node was infected.
  • Think about other information which AGNOSCO could extract and which could increase network security.




Version: 2.7.1 (UniLux: 1.15.0 2006-01-19)
Modified: 2006-07-17 12:52:00
Exported: 2012-05-17 01:31:37