INTERNET-DRAFT                                            Yixian Yang
Expires: April 2006                                           Jian Li
                                                          Xinliu Wang
                                                Beijing University of
                                                   Posts and Telecom.
                                                         October 2005
             A Framework for Large-scale Distributed
               Intrusion Management System (LDIMS)
                  draft-yang-ldims-framework-00.txt
Intellectual Property Rights (IPR) statement:
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Status of this Memo
By submitting this Internet-Draft, I certify that any applicable
patent or other IPR claims of which I am aware have been disclosed,
and any of which I become aware will be disclosed, in accordance with
RFC 3668.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Copyright
Copyright (C) The Internet Society (2005). All Rights Reserved.
Abstract
Networks are growing larger and faster, and intrusion methods are
becoming more and more complicated. In this network environment,
traditional IDSs cannot ensure the security of the protected systems.
The IMS is the trend of IDS evolution: an IMS is a system that
combines intrusion detection with emergency response. In an IMS, IDSs
cooperate with other security components, such as firewalls,
vulnerability scanning systems, virus prevention systems and network
management systems.
This document describes a hierarchical framework for Large-scale
Distributed Intrusion Management Systems (LDIMS), with which a
Yixian Yang, et al. Expires April, 2006 [Page 1]
INTERNET-DRAFT framework for LDIMS Octorber,2005
large-scale distributed IMS can be flexibly deployed. Layered nodes
constitute this framework, and each node is a simple IMS. This
document gives a four-layer structure for the simple IMS; the same
four-layer structure can also serve as the structure of an
independent IMS.
Table of Contents
Status of This Memo ............................................1
Abstract .......................................................1
1.Introduction .................................................3
2.Glossary .....................................................4
3.Architecture .................................................5
3.1 Entire Design ............................................5
3.2 Features .................................................6
4.Four-layer Structure Model ...................................7
4.1 Functional Modules .......................................7
4.2 Four-layer Structure .....................................9
5.Critical Technologies ........................................9
5.1 Agent and Mobile Agent Technology ........................9
5.2 Information Description Mechanism .......................10
5.2.1 Information Description Standard ....................11
5.2.2 Secure Communication Mechanism .....................13
5.3 Communication Mechanism among Agents ....................14
5.4 Interaction among Secure Components .....................18
6. Acknowledgements ...........................................18
7. Informative References .....................................18
8. Authors' Addresses .........................................19
1. Introduction
With the progress of network technologies, networks are becoming
larger and faster. Meanwhile, network intrusions (for example, DDoS)
are becoming integrated, automated and fast. Traditional IDSs are
incapable of handling such intrusions; as a result, the trend of
future IDSs is the IMS, a system in which the IDS cooperates with
other security components, such as firewalls, network management
systems, etc.
Based on this network environment, this document addresses a
hierarchical framework for Large-scale Distributed Intrusion
Management Systems. This framework provides a mechanism through which
distributed IDSs and other security components can cooperate
harmoniously. A new four-layer structure of the IMS is presented at
the same time. The IMSs that adopt this structure can be large-scale
distributed intrusion management systems (LDIMS) as well as
independent IMSs. There are different functional modules in IMSs, and
the layered structure shows how the functional modules cooperate to
detect intrusions and make responses. Although the forms of IMSs are
not always uniform, their operation mechanisms accord with the
four-layer structure. According to the structure, the functional
modules harmonize properly to complete specific tasks.
2. Glossary
This document uses terminology that is defined in [DSARCH]. Some of
the definitions provided here are taken from other references in
order to provide additional detail, along with some new terms
specific to this document.
IMS         Intrusion Management System: an integrated security system
            in which IDSs cooperate with other security components,
            such as firewalls, vulnerability scanning systems, network
            management systems, etc.
LDIMS       Large-scale Distributed Intrusion Management System.
Distributed An intrusion that takes several steps and involves a
Intrusion   large number of host computers.
Functional  A basic building block of the conceptual IMS.
Module
Layer       A functional combination that comprises one or more
            functional modules. The layers are data collection,
            agent, analysis and management.
OWL         Web Ontology Language. A knowledge description language
            that is well suited to semantic description.
KQML        Knowledge Query and Manipulation Language. A communication
            language developed by the DARPA Knowledge Sharing Effort.
            KQML provides a grammar for communication among agents as
            well as execution commands (performatives) for agents,
            such as "tell", "perform" and "reply".
3. Architecture
Based on this network environment, this document addresses a
hierarchical framework for Large-scale Distributed Intrusion
Management Systems. The features of this framework are "distributed
collection, distributed analysis, dynamic harmonization and
intelligent management".
3.1 Entire Design
The framework is a hierarchy that is set up according to the network
topology. The hierarchy consists of leaf nodes, branch nodes and root
nodes. Leaf nodes collect network datagrams, system logs and alerts
from other security components, then analyze these data. Branch nodes
monitor and manage the network of each child node, including
detecting distributed intrusions and accomplishing the interaction
among security components in the system. Root nodes manage and
monitor the activities of the whole network.
A large-scale network often covers several provinces or cities. In
this case, the architecture proposed in this document has four
levels, including two levels of branch nodes.
           +---------------+     +-------------+
           |root(emergency)| --- |    root     |                           state-level
           +---------------+     +-------------+                           nodes
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                       |                                 |
                   +--------+                        +--------+
                   | branch |          ...           | branch |            provincial-level
                   +--------+                        +--------+            nodes
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
               |                |                |                |
            +------+         +------+         +------+         +------+
            |branch|   ...   |branch|         |branch|   ...   |branch|    city-level
            +------+         +------+         +------+         +------+    nodes
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          |       |        |       |        |       |        |       |
        +----+  +----+   +----+  +----+   +----+  +----+   +----+  +----+  county-level
        |leaf|..|leaf|   |leaf|..|leaf|   |leaf|..|leaf|   |leaf|..|leaf|  nodes
        +----+  +----+   +----+  +----+   +----+  +----+   +----+  +----+
                  Figure 1: A Sketch Map of the Hierarchy
In this tree-like architecture, networks can be decomposed into
several departments. Each department denotes a security organization
and its network. In each department there is an IMS that is in charge
of the security issues of the local networks. The combination of a
department and its local IMS is defined as a leaf node of the
hierarchy.
Leaf nodes first collect data such as system logs, network datagrams
and alerts sent from other security components in the local network,
then generate junior alerts by analyzing the collected data. At last,
they make the relevant responses, including transferring the data
or alerts which they cannot process themselves to their father nodes
for further processing.
Branch nodes may have one or more child nodes, which can be branch
nodes or leaf nodes. Branch nodes receive data and alerts from their
child nodes; by analyzing these data and alerts they make higher-level
judgments and detect whether there are distributed intrusions.
Meanwhile, branch nodes are in charge of all their child departments,
and in particular manage the interaction among the security equipment
in the local department.
The root node is the control center of the whole system. In order to
avoid a single point of failure, there are two root nodes: one is the
host, the other is ready for emergency. If the host breaks down, the
standby takes its place. The root node controls the whole system by
connecting to the lower nodes. It has many functions, such as
collecting information from the lower nodes, displaying the security
situation of the whole system and issuing overall early warnings.
For example, when one of the child nodes suffers a serious attack,
the root node at once sends an alarm to the lower nodes that it
expects to suffer the same attack, so that these nodes can take
preventive measures in advance.
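The escalation and failover behaviour described in this section, as an added example that is not part of the draft: a small Python model in which leaf nodes handle what they can, forward the rest to their father nodes, the root issues an early warning to the other leaves, and the emergency root takes over when the host root is down. Node names, the severity scale and the per-level thresholds are constructed assumptions.

```python
# Added example (not the draft's code): toy model of the LDIMS hierarchy of
# section 3.1. Severity is an assumed 0-10 scale; thresholds are constructed.
from dataclasses import dataclass, field
from typing import List, Optional

EARLY_WARNING_FROM = 8   # assumed severity at which the root warns other leaves


@dataclass
class Alert:
    origin: str      # node that first raised the alert
    source: str      # attacking host as seen by the sensor (constructed value)
    severity: int    # 0-10, higher means more serious


@dataclass
class Node:
    name: str
    level: str                        # "leaf", "branch" or "root"
    local_limit: int                  # highest severity this node decides itself
    parent: Optional["Node"] = None
    standby: Optional["Node"] = None  # the emergency root; used by the root only
    alive: bool = True
    children: List["Node"] = field(default_factory=list)
    handled: List[Alert] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)

    def attach(self, child: "Node") -> "Node":
        child.parent = self
        self.children.append(child)
        return child

    def leaves(self) -> List["Node"]:
        if not self.children:
            return [self]
        return [leaf for c in self.children for leaf in c.leaves()]

    def early_warning(self, alert: Alert) -> None:
        """Root behaviour from 3.1: warn every other leaf so it can take
        preventive measures against the same source."""
        for leaf in self.leaves():
            if leaf.name != alert.origin:
                leaf.warnings.append(f"expect attack from {alert.source}")

    def receive(self, alert: Alert) -> str:
        """Handle the alert locally or pass it to the father node; return the
        name of the node that finally handled it."""
        if self.level == "root":
            root = self if self.alive else self.standby   # failover
            root.handled.append(alert)
            if alert.severity >= EARLY_WARNING_FROM:
                root.early_warning(alert)
            return root.name
        if alert.severity <= self.local_limit or self.parent is None:
            self.handled.append(alert)
            return self.name
        return self.parent.receive(alert)


def build_hierarchy() -> dict:
    """State -> province -> city -> county, as in figure 1, with two leaves."""
    root = Node("root", "root", local_limit=10)
    root.standby = Node("root-emergency", "root", local_limit=10)
    prov = root.attach(Node("branch-prov-A", "branch", local_limit=7))
    city = prov.attach(Node("branch-city-1", "branch", local_limit=6))
    leaf1 = city.attach(Node("leaf-county-1", "leaf", local_limit=3))
    leaf2 = city.attach(Node("leaf-county-2", "leaf", local_limit=3))
    root.standby.children = root.children   # the standby sees the same tree
    return {"root": root, "prov": prov, "city": city,
            "leaf1": leaf1, "leaf2": leaf2}


if __name__ == "__main__":
    nodes = build_hierarchy()
    for sev in (2, 5, 7, 9):
        who = nodes["leaf1"].receive(Alert("leaf-county-1", "198.51.100.7", sev))
        print(f"severity {sev} handled by {who}")
    print("leaf2 warnings:", nodes["leaf2"].warnings)
```

Each node only decides alerts up to its own limit; everything above it climbs one level per hop, which is the "transfer to the father node for further processing" rule of the text, and the root's early warning reaches the leaves that did not raise the alert.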
3.2 Features
This architecture attaches great importance to the suitable
organization, harmonization of components, automation and
intelligence of the whole system. Its features are listed below:
o Distributed Deployment: In order to find intrusions in the whole
network, for example large-scale distributed intrusions, it is
necessary to place IDSs in critical network segments and on critical
servers, such as routers, Web servers and DNS servers. IDSs can be
deployed across the whole network by city, by region and even by
province.
o Distributed Analysis: By analyzing and processing the collected
data on the spot, the data volume and the network traffic are
reduced, so the system avoids a single point of failure.
o Interaction among Security Components: Intrusion management
technology emphasizes realizing an integrated security system with
the IDS at its center. In the system, IDSs can communicate with
firewalls, vulnerability scanning systems, virus prevention systems
and network management systems. Consequently, intrusion detection is
organically combined with emergency response.
o System Management Platform: It realizes the mutual connection of
security equipment, and realizes feedback control by analyzing the
information sent by the equipment. Meanwhile, the platform supports
distributed deployment and hierarchical management: it not only
manages the IDSs, but also supervises other kinds of security
equipment.
o Scalability and Extensibility: The system can be deployed flexibly
in different network environments, and can detect new kinds of
intrusions by extending its detection methods.
4. Four-layer Structure Model
In the tree-like architecture designed above, each node is an
independent IMS. Of course, because of their levels, their specific
functions differ. The main function of leaf nodes is the collection,
pretreatment and analysis of the collected data. Branch nodes
concentrate on further analysis of the data, alert correlation and
interaction with the local security components. Root nodes
concentrate on the deployment and management of the whole system;
furthermore, they can realize overall early warning. As a whole, each
node matches a four-layer model.
4.1 Functional Modules
An intact IMS should contain the functional modules below:
o Data Collection Module: This module collects data for the whole
system by using various sensors. These sensors capture datagrams
flowing across the network, collect logs from critical host computers
and receive alerts sent by security equipment.
o Agent Module: This module contains many static agents and mobile
agents. OS agents, network agents and protocol agents are responsible
for analyzing the data sent by the sensors and generating primary
alerts. The generated alerts are sent to the upper layer for further
processing. Controlled by the harmonization and interaction module,
other agents, such as firewall agents and vulnerability scanning
agents, realize the interaction among the security components of the
whole system.
o Analysis Module: This module makes a further analysis of the
primary alerts. If they are not intrusions, it drops them; if they
are intrusions, it creates alerts and transfers them to the
decision-making module; if they are suspicious but it cannot make a
decision, it submits the alerts together with their suspicion value
to the correlation and merging module.
o Correlation and Merging Module: The main function of this module
is detecting distributed intrusions. It correlates and merges the
alerts sent by the analysis module and detects whether there are
distributed intrusions. If there are, it generates senior alerts and
reports them to the decision-making module.
o Control Module: It performs the decisions made by the harmonization
and interaction module. By cooperating with the harmonization and
interaction module, it accomplishes the harmonization and management
of all static agents and mobile agents.
o Decision-making Module: It makes decisions based on the alerts from
the analysis module and the correlation and merging module.
It also selects different response strategies for different
intrusion situations.
o Harmonization and Interaction Module: The system designed in this
document uses static agents and mobile agents to realize the primary
analysis of events and the interaction of IDSs with other security
equipment. This module is responsible for managing and distributing
the agents, as well as allocating tasks sensibly.
o Security Response Module: Based on the response strategies chosen
by the decision-making module, this module takes the relevant
security measures, including ignoring the event, sending a warning
to the administrator or terminating the current connection.
o Database Module: This module stores data such as intrusion
signatures and intrusion events for further analysis or evidence
collection.
o Human-computer Interface: It is the management interface for
administrators. Through this interface, administrators carry out the
deployment and authorization of the system, and maintain the
intrusion signature library.
                +----------------+----------------+----------------+
                | Human-computer |                |     Secure     |
   Management   |   Interface   <-->  Decision-  <-->   Response   |
     Layer      +----------------+     Making     +----------------+
                |    Database    |                | Harmonization, |
                |               <-->             <--> Interaction  |
                +----------------+----------------+----------------+
                        ^                                  |
                        |                                  |
                        |                                  v
                +----------------+----------------+----------------+
   Analysis     |    Analysis  -->Alerts Correla- |    Control     |
     Layer      |                |tion and Merging|                |
                +----------------+----------------+----------------+
                                         ^
                    +------------+-------+----+------------+
                    |            |            |            |
             +------------+------------+------------+------------+
             | OS Agents  |  Network   |  Protocol  |   Mobile   |
   Agents    |            |   Agents   |   Agents   |   Agents   |
   Layer     +------------+------------+------------+------------+
                    ^            ^            ^            ^
                    |            |            |            |
   Data      +------------+-----------------------+--------------+
 Collection  |Log Sensors |   Datagram Sensors    |Other Sensors |
   Layer     +------------+-----------------------+--------------+
                    ^                 ^                   ^
                    |                 |                   |
   Data       Critical Host    Critical Network        Firewalls
  Source        Computers          Segments
                  Figure 2: Four-layer structure model
4.2 Four-layer Structure
An intact IMS should be an organic unity that comprises the modules
listed above. In this section, a four-layer IMS structure model based
on intelligent agents is addressed, as shown in figure 2.
A layer in this structure is defined as a functional combination that
is composed of one or more functional modules. The modules in a layer
cooperate with each other to accomplish specific tasks.
Data Collection Layer: collects data for analysis, receives alerts
from security components, and then filters these raw data. It
consists of different kinds of sensors, such as log sensors, datagram
sensors, firewall sensors, etc.
Agent Layer: has many kinds of agents, including OS agents, network
agents, protocol agents, firewall agents, etc. The OS, network and
protocol agents make a primary analysis of the data from the lower
layer and produce alerts; these alerts are then sent to the analysis
module for further analysis. The main function of the other agents is
achieving the interaction between IDSs and other security equipment.
For example, when IDSs have detected intrusion events, they associate
with firewalls through firewall agents, so the firewalls can update
their blocking rules dynamically. Based on the IP address and port
information carried by the firewall agents, the firewalls can cut off
the subsequent intrusion events for a certain period of time.
Analysis Layer: the analysis module analyzes the reported alerts. If
they are not intrusions, it drops them; if they are intrusions, it
makes alerts and transfers them to the decision-making module; if
they are suspicious but it cannot make a decision, it submits the
alerts together with their suspicion value to the correlation and
merging module. The correlation and merging module correlates and
merges the alerts for the purpose of detecting distributed
intrusions. Under the control of the management layer, the control
module manages and arranges all of the agents to perform specific
tasks.
Management Layer: besides providing the human-computer interface, it
makes decisions about and responses to intrusions; managing and
harmonizing all the modules of the structure is also its function.
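The Analysis Layer rule above (drop, intrusion, or suspicious with a suspicion value) together with the correlation and merging step, as an added example that is not the draft's code. The suspicion scores, the two thresholds, the correlation window and the sample primary alerts are constructed assumptions; the draft specifies the three-way rule but not the numbers.

```python
# Added example (not the draft's code): Analysis Layer triage of section 4.2
# followed by correlation/merging to spot a distributed intrusion.
from collections import defaultdict

DROP_BELOW = 0.3       # assumed: below this the analysis module drops the alert
INTRUSION_FROM = 0.8   # assumed: at or above this it is reported as an intrusion


def triage(alert):
    """Return 'drop', 'intrusion' or 'suspicious' for one primary alert."""
    score = alert["suspicion"]
    if score < DROP_BELOW:
        return "drop"
    if score >= INTRUSION_FROM:
        return "intrusion"
    return "suspicious"


def correlate(suspicious, window_s=60, min_sources=3):
    """Merge suspicious alerts by (target, time window). Several distinct
    sources hitting one target inside the window is the distributed pattern
    the draft's branch nodes look for; each such group becomes a senior alert."""
    buckets = defaultdict(list)
    for a in suspicious:
        buckets[(a["target"], a["time"] // window_s)].append(a)
    senior = []
    for (target, slot), group in sorted(buckets.items(), key=lambda kv: kv[0]):
        sources = sorted({a["source"] for a in group})
        if len(sources) >= min_sources:
            senior.append({"target": target, "sources": sources,
                           "count": len(group), "window_start": slot * window_s})
    return senior


def analysis_layer(primary_alerts):
    """Apply triage, then correlation; return what goes to decision-making."""
    to_decision, suspicious = [], []
    for a in primary_alerts:
        verdict = triage(a)
        if verdict == "intrusion":
            to_decision.append({"kind": "alert", **a})
        elif verdict == "suspicious":
            suspicious.append(a)       # dropped alerts go nowhere
    for s in correlate(suspicious):
        to_decision.append({"kind": "senior_alert", **s})
    return to_decision


# Constructed primary alerts as an agent might emit them (time in seconds).
SAMPLE_ALERTS = [
    {"source": "10.0.0.5", "target": "web1", "time": 100, "suspicion": 0.9},
    {"source": "10.0.0.6", "target": "web1", "time": 105, "suspicion": 0.5},
    {"source": "10.0.0.7", "target": "web1", "time": 110, "suspicion": 0.6},
    {"source": "10.0.0.8", "target": "web1", "time": 115, "suspicion": 0.4},
    {"source": "10.0.0.9", "target": "db1",  "time": 118, "suspicion": 0.1},
    {"source": "10.0.0.6", "target": "web1", "time": 119, "suspicion": 0.5},
]

if __name__ == "__main__":
    for item in analysis_layer(SAMPLE_ALERTS):
        print(item)
```

Note that the repeated source 10.0.0.6 counts once toward the distinct-source threshold but twice toward the event count, so the senior alert carries both figures for the decision-making module.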
5. Critical Technologies
The critical technologies used in the LDIMS designed in this document
are discussed in the following sections.
5.1 Agent and Mobile Agent Technology
Agent and mobile agent technology is brought into the system; the
design of the system follows the principle "rely mainly on static
agents, with mobile agents as a supplement". The main function of the
OS, network and protocol agents is making a primary analysis of the
data and producing alerts, so they are realized as static agents;
mobile agents are, of course, the necessary supplement. Not only can
mobile agents realize the load balancing of the system, but they can
also accomplish the processing of special data in the system. The
main function of the other agents is to perform the interaction among
security equipment, so they are realized mainly as mobile agents.
After the introduction of agent and mobile agent technology, the next
question is how to dispatch and allocate the agents, so that the
system can make good use of them. In LDIMS, the harmonization and
interaction module performs the management and utilization of the
agents through the control module. The administrator is in charge of
the harmonization and interaction module and updates the agent
library. A model of the task allocation mechanism for agents is
described in figure 3. By using this mechanism, static agents
cooperate with mobile agents to realize the load balancing of the
system and to accomplish the processing of special data in the
system. (This model uses Aglet as the MA; Aglet is introduced in
detail in section 5.4.)
+----------------------+
| Human-computer |
| Interface |
+----------------------+
^ ^ compile and
| | update MAs
+------+ +---------+
| |
v |
+------------------------+ v
| Harmonization, | 2 find the +------------+
| Interaction | - - - - - -> | MA Library |
+------------------------+ suitable MA +------------+
1:request ^ ^ 6.request | |
for help | | for remove | 3.copy and|
+---+ +----------+ | 7.remove initialize|
| | | the MA the MA |
+-----|---------------------|--v-----+ |
| +-------+ 5:receive the +-------+ | v
| | Static| MA and finish| Mobile| | 4:move +----------+
| | Agent |<- - - - - - ->| Agent | <- - - - - - -| MA |
| +-------+ the task +-------+ | the MA +----------+
+------------------------------------+
(MA: Mobile Agent)
Figure 3: Task allocation mechanism model
5.2 Information Description Mechanism
The system uses different kinds of IDSs, and the IDSs associate with
many other kinds of security equipment, such as firewalls,
vulnerability scanning systems and virus prevention systems.
Different kinds of equipment (IDSs, firewalls) and equipment of the
same kind but of different types (Snort and RealSecure) use their own
description languages for network security information. As a result,
it is difficult to realize communication and harmonization among
them. Based on the designed system, a solution that uses OWL as the
description language for network security information is proposed in
this document.
5.2.1 Information Description Standard
Because of the differences among information description languages,
centralized management, centralized monitoring and dynamic
interaction among security equipment of different types cannot be
achieved. In order to solve this problem, the system uses the OWL
language to achieve communication among security components.
The well-known information description standard is IDMEF, put
forward by the IDWG. IDMEF uses XML as its description language, but
XML is weak in semantic expression, so this document improves on
IDMEF by using OWL as the description language. In a distributed
network environment, the uniform expression of network alarm
information based on OWL provides a semantic bridge for the
interaction among security components.
When the system detects an intrusion, OWL is used to express the
alert. An example of an IDMEF description based on OWL for the DoS
intrusion "Teardrop" is listed below:
   <rdf:RDF
     xmlns="http://localhost:8080/IDS#"
     xmlns:owl="http://www.w3.org/2002/07/owl#"
     xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#"
     xmlns:daml="http://www.daml.org/2001/03/daml+oil#"
     xmlns:xsd="http://www.w3.org/2000/10/XMLSchema#">
   <owl:Ontology rdf:about="http://localhost:8080/houses">
     <owl:versionInfo>$Id:v 1.0 2004/03/08 14:00:00 $</owl:versionInfo>
     <owl:imports rdf:resource=
       "http://www.w3.org/TR/2002/WD-owl-guide-20021104/IDS.owl"/>
   </owl:Ontology>
   <IDMEF-Message version="1.0">
   <owl:Class rdf:ID="Alert"> </owl:Class>
   <owl:Class rdf:ID="Analyzer">
     <rdfs:subClassOf rdf:resource="#Alert"> </rdfs:subClassOf>
   </owl:Class>
   <owl:ObjectProperty rdf:ID="name">
     <rdfs:domain rdf:resource="#Analyzer"/>
   </owl:ObjectProperty>
   <Analyzer rdf:ID="hq-dmz-analyzer01">
     <name>analyzer01.bigcompany.com</name>
   </Analyzer>
   <owl:Class rdf:ID="CreatTime">
     <rdfs:subClassOf rdf:resource="#Alert"> </rdfs:subClassOf>
   </owl:Class>
   <owl:ObjectProperty rdf:ID="time">
     <rdfs:domain rdf:resource="#CreatTime"/>
   </owl:ObjectProperty>
   <CreatTime rdf:ID="0xbc723b45.0xef449129">
     <time>2000-03-09T10:01:25.93464-05:00</time>
   </CreatTime>
   <owl:Class rdf:ID="Source">
     <rdfs:subClassOf rdf:resource="#Alert"> </rdfs:subClassOf>
   </owl:Class>
   <owl:ObjectProperty rdf:ID="name">
     <rdfs:domain rdf:resource="#Source"/>
   </owl:ObjectProperty>
   <owl:ObjectProperty rdf:ID="address">
     <rdfs:domain rdf:resource="#Source"/>
   </owl:ObjectProperty>
   <owl:ObjectProperty rdf:ID="netmask">
     <rdfs:domain rdf:resource="#Source"/>
   </owl:ObjectProperty>
   <Source rdf:ID="a1b2c3d4">
     <name>badguy.hacker.net</name>
     <address>202.214.231.121</address>
     <netmask>255.255.254.0</netmask>
   </Source>
   <owl:Class rdf:ID="Target">
     <rdfs:subClassOf rdf:resource="#Alert"> </rdfs:subClassOf>
   </owl:Class>
   <owl:ObjectProperty rdf:ID="address">
     <rdfs:domain rdf:resource="#Target"/>
   </owl:ObjectProperty>
   <Target rdf:ID="d1c2b3a4">
     <address>0xde796f70</address>
   </Target>
   </IDMEF-Message>
   </rdf:RDF>
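A receiver of the alert above has to turn the RDF/XML back into fields before the decision-making module can act on it. The following is an added example, not the draft's code: it parses the draft's alert with Python's standard ElementTree, reads each instance of a declared subclass of #Alert, and refuses instances whose class the message does not declare. The sample is the draft's alert compacted, with the ontology header and the property declarations left out; the class check is an assumption about what a receiver should verify, not something the draft specifies.

```python
# Added example (not part of the draft): parse and check the OWL/IDMEF alert
# of section 5.2.1. The SAMPLE is the draft's alert, compacted.
import xml.etree.ElementTree as ET

NS = {
    "ids": "http://localhost:8080/IDS#",    # default namespace in the draft
    "owl": "http://www.w3.org/2002/07/owl#",
    "rdf": "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "rdfs": "http://www.w3.org/2000/01/rdf-schema#",
}
RDF_ID = "{%s}ID" % NS["rdf"]
RDF_RESOURCE = "{%s}resource" % NS["rdf"]

SAMPLE = """<rdf:RDF xmlns="http://localhost:8080/IDS#"
  xmlns:owl="http://www.w3.org/2002/07/owl#"
  xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
  xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#">
 <IDMEF-Message version="1.0">
  <owl:Class rdf:ID="Alert"/>
  <owl:Class rdf:ID="Analyzer"><rdfs:subClassOf rdf:resource="#Alert"/></owl:Class>
  <Analyzer rdf:ID="hq-dmz-analyzer01"><name>analyzer01.bigcompany.com</name></Analyzer>
  <owl:Class rdf:ID="CreatTime"><rdfs:subClassOf rdf:resource="#Alert"/></owl:Class>
  <CreatTime rdf:ID="0xbc723b45.0xef449129"><time>2000-03-09T10:01:25.93464-05:00</time></CreatTime>
  <owl:Class rdf:ID="Source"><rdfs:subClassOf rdf:resource="#Alert"/></owl:Class>
  <Source rdf:ID="a1b2c3d4"><name>badguy.hacker.net</name>
    <address>202.214.231.121</address><netmask>255.255.254.0</netmask></Source>
  <owl:Class rdf:ID="Target"><rdfs:subClassOf rdf:resource="#Alert"/></owl:Class>
  <Target rdf:ID="d1c2b3a4"><address>0xde796f70</address></Target>
 </IDMEF-Message>
</rdf:RDF>"""


def declared_alert_classes(msg):
    """Set of class IDs the message declares as subclasses of #Alert."""
    classes = set()
    for cls in msg.findall("owl:Class", NS):
        for sub in cls.findall("rdfs:subClassOf", NS):
            if sub.get(RDF_RESOURCE) == "#Alert":
                classes.add(cls.get(RDF_ID))
    return classes


def parse_alert(xml_text):
    """Return {"version": ..., "<Class>": {"id": ..., <field>: <text>, ...}}.
    Raises ValueError for an instance whose class is not declared."""
    root = ET.fromstring(xml_text)
    msg = root.find("ids:IDMEF-Message", NS)
    if msg is None:
        raise ValueError("no IDMEF-Message element")
    known = declared_alert_classes(msg)
    alert = {"version": msg.get("version")}
    prefix = "{%s}" % NS["ids"]
    for inst in msg:
        if not inst.tag.startswith(prefix):   # skip owl:/rdfs: ontology parts
            continue
        cls = inst.tag[len(prefix):]
        if cls not in known:
            raise ValueError(f"instance of undeclared class {cls!r}")
        fields = {"id": inst.get(RDF_ID)}
        for child in inst:
            fields[child.tag[len(prefix):]] = (child.text or "").strip()
        alert[cls] = fields
    return alert


def is_valid_alert(xml_text):
    """True when the message parses and every instance belongs to a declared
    subclass of #Alert; a receiver should check this before acting on it."""
    try:
        parse_alert(xml_text)
        return True
    except (ET.ParseError, ValueError):
        return False


if __name__ == "__main__":
    for cls, fields in parse_alert(SAMPLE).items():
        print(cls, fields)
```

The draft's full alert declares the property names twice (one `name` for Analyzer and one for Source); ElementTree does not object, but a strict RDF/XML parser would, which is one reason a receiver should validate the message rather than trust the sender's structure.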
5.2.2 Secure Communication Mechanism
Considering the heterogeneity of components, communication security
and the system's efficiency, a good communication mechanism should
satisfy two requirements: 1. A uniform data format for information
description (the LDIMS designed in this document uses OWL as its
language). 2. Secure communication. An example of secure
communication is shown below:
                 +-------------------+
                 |  Events Analyzer  |
                 +-------------------+
                    ^             ^
                    |             |
           +--------------+   +--------------+
           |   Sensor A   |   |   Sensor B   |
           | +----------+ |   | +----------+ |
           | |   SSL    | |   | |   SSL    | |
           | | +------+ | |   | | +------+ | |
           | | | OWL  | | |   | | | OWL  | | |
           | | +------+ | |   | | +------+ | |
           | +----------+ |   | +----------+ |
           +--------------+   +--------------+
       Figure 4: Secure communication principle based on OWL
Communication between the sensors and the events analyzer is divided
into two layers: the OWL layer and the SSL layer. The OWL layer is
responsible for converting the data collected by the sensors into a
uniform OWL character string. The SSL layer introduces the SSL
protocol into the communication. In the course of communication, the
sensors first build an SSL secure session with the analyzer after
both sides have been authenticated. Secondly, after RSA encryption of
the message in the OWL layer, the sensors transfer the message to the
event analyzer through the SSL layer. After receiving the encrypted
message, the event analyzer decrypts and analyzes it in order to
recover the raw information.
By the adoption of OWL, the system realizes semantic communication
among security components. As a result, the whole system becomes an
integrated security system.
5.3 Communication Mechanism among Agents
Semantic communication among agents is a critical problem for the
realization of LDIMS. By using the KQML standard, with OWL selected
as the language of its content layer, the system realizes semantic
communication among intelligent agents.
Bottom-layer communication among the intelligent agents in the
system is realized by using TCP/IP and UDP sockets. TCP and UDP
sockets use network unicast, multicast and broadcast to achieve
physical communication among agents. The name service of the agents
isolates an agent's name from its physical address, so the location
and management of agents become simple and reliable.
The three-layer structure of KQML is shown below:
      +--------------------------+      +-----------------------+
      |   Communication Layer    |<-----|Communication Mechanism|
      |                          |      +-----------------------+
      |  +--------------------+  |      +-----------------------+
      |  |   Message Layer    <---------|  Communication Logic  |
      |  |                    |  |      +-----------------------+
      |  |  +--------------+  |  |      +-----------------------+
      |  |  |Content Layer <------------| Communication Content |
      |  |  +--------------+  |  |      +-----------------------+
      |  +--------------------+  |
      +--------------------------+
            Figure 5: Three-layer structure of KQML
KQML is divided into three layers: the communication layer, the
message layer and the content layer. The communication layer is
responsible for encoding the lower-layer communication properties; in
this layer, message senders and receivers assign the labels for the
communication process. The message layer is the core of KQML. In
order to make sure that agents can respond to a message, it defines
the protocols for message transmission as well as the performative
embodied in the content layer's message. The content layer uses OWL
as its language. The KQML message format is listed below:
   (performative
      :sender      <word>        // message sender
      :receiver    <word>        // message receiver
      :from        <word>        // the original sender recorded in the
                                 //   content when a forward request is used
      :to          <word>        // the original receiver recorded in the
                                 //   content when a forward request is used
      :language    <word>        // language used in the content
      :reply-with  <word>        // the label of this message
      :in-reply-to <word>        // the label of the original message that
                                 //   triggered this message
      :ontology    <word>        // entities (ontology) used in this message
      :content     <expression>  // the message's content
   )
An alert message for the DoS intrusion "Teardrop" sent from agent1 to
agent2 is listed below; the message is based on KQML/OWL.
   (Alert
      :sender   Agent1
      :receiver Agent2
      :language OWL
      :ontology localhost
      :content (
      <rdf:RDF
        xmlns="http://localhost:8080/IDS#"
        xmlns:owl="http://www.w3.org/2002/07/owl#"
        xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
        xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#"
        xmlns:daml="http://www.daml.org/2001/03/daml+oil#"
        xmlns:xsd="http://www.w3.org/2000/10/XMLSchema#">
      <owl:Ontology rdf:about="http://localhost:8080/IDS">
        <owl:versionInfo>$Id:v 1.0 2004/03/08 14:00:00 $</owl:versionInfo>
        <owl:imports rdf:resource=
          "http://www.w3.org/TR/2002/WD-owl-guide-20021104/IDS.owl"/>
      </owl:Ontology>
      <IDMEF-Message version="1.0">
      <owl:Class rdf:ID="Alert"> </owl:Class>
      <owl:Class rdf:ID="Analyzer">
        <rdfs:subClassOf rdf:resource="#Alert"> </rdfs:subClassOf>
      </owl:Class>
      <owl:ObjectProperty rdf:ID="name">
        <rdfs:domain rdf:resource="#Analyzer"/>
      </owl:ObjectProperty>
      <Analyzer rdf:ID="hq-dmz-analyzer01">
        <name>analyzer01.bigcompany.com</name>
      </Analyzer>
      <owl:Class rdf:ID="CreatTime">
        <rdfs:subClassOf rdf:resource="#Alert"> </rdfs:subClassOf>
      </owl:Class>
      <owl:ObjectProperty rdf:ID="time">
        <rdfs:domain rdf:resource="#CreatTime"/>
      </owl:ObjectProperty>
      <CreatTime rdf:ID="0xbc723b45.0xef449129">
        <time>2000-03-09T10:01:25.93464-05:00</time>
      </CreatTime>
      <owl:Class rdf:ID="Source">
        <rdfs:subClassOf rdf:resource="#Alert"> </rdfs:subClassOf>
      </owl:Class>
      <owl:ObjectProperty rdf:ID="name">
        <rdfs:domain rdf:resource="#Source"/>
      </owl:ObjectProperty>
      <owl:ObjectProperty rdf:ID="address">
        <rdfs:domain rdf:resource="#Source"/>
      </owl:ObjectProperty>
      <owl:ObjectProperty rdf:ID="netmask">
        <rdfs:domain rdf:resource="#Source"/>
      </owl:ObjectProperty>
      <Source rdf:ID="a1b2c3d4">
        <name>badguy.hacker.net</name>
        <address>202.214.231.121</address>
        <netmask>255.255.254.0</netmask>
      </Source>
      <owl:Class rdf:ID="Target">
        <rdfs:subClassOf rdf:resource="#Alert"> </rdfs:subClassOf>
      </owl:Class>
      <owl:ObjectProperty rdf:ID="address">
        <rdfs:domain rdf:resource="#Target"/>
      </owl:ObjectProperty>
      <Target rdf:ID="d1c2b3a4">
        <address>0xde796f70</address>
      </Target>
      </IDMEF-Message>
      </rdf:RDF>
      )
   )
We can see easily from this message that the sender is agent1, the
receiver is agent2, and the content description language is OWL.
KQML based on OWL can express the properties, relationship among
properties of things clearly,which greatly facilitates the semantic
communication among agents.
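As an added example (not code from the draft), the following Python parses a message of the kind shown above: it splits an assumed KQML envelope (:sender, :receiver, :language, :content) from the OWL body, flattens the alert individuals, and validates the Source address and netmask before any secure component acts on them. The envelope layout and the XML namespace declarations are assumptions; the alert values mirror the draft's message.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted peers

RDF_ID = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}ID"
# Constructed sample: assumed KQML envelope around an OWL body mirroring the draft's alert.
SAMPLE_KQML = """(tell
  :sender agent1
  :receiver agent2
  :language OWL
  :content (<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
      xmlns:owl="http://www.w3.org/2002/07/owl#" xmlns="http://example.invalid/ids#">
    <owl:Class rdf:ID="Alert"/>
    <Analyzer rdf:ID="hq-dmz-analyzer01"><name>analyzer01.bigcompany.com</name></Analyzer>
    <CreatTime rdf:ID="0xbc723b45.0xef449129"><time>2000-03-09T10:01:25.93464-05:00</time></CreatTime>
    <Source rdf:ID="a1b2c3d4"><name>badguy.hacker.net</name>
      <address>202.214.231.121</address><netmask>255.255.254.0</netmask></Source>
    <Target rdf:ID="d1c2b3a4"><address>0xde796f70</address></Target>
  </rdf:RDF>) )"""

def parse_kqml_alert(text):
    """Split the KQML envelope from its OWL content and flatten the alert."""
    m = re.match(r"\s*\((\w+)", text)
    if not m:
        raise ValueError("not a KQML message")
    header, _, body = text.partition(":content")  # keywords precede the content
    msg = {"performative": m.group(1), "alert": {}}
    msg.update(re.findall(r":(\w+)\s+(\S+)", header))
    if msg.get("language") != "OWL":
        raise ValueError("unsupported :language")
    rdf = re.search(r"<rdf:RDF.*</rdf:RDF>", body, re.S)
    if not rdf:
        raise ValueError("no RDF content")
    for ind in ET.fromstring(rdf.group(0)):
        local = ind.tag.rsplit("}", 1)[-1]  # strip the namespace
        if local in ("Ontology", "Class", "ObjectProperty"):
            continue  # schema statements carry no alert data
        fields = {"id": ind.get(RDF_ID)}
        for child in ind:
            fields[child.tag.rsplit("}", 1)[-1]] = (child.text or "").strip()
        msg["alert"][local] = fields
    return msg

def source_network(msg):
    """Validate Source address/netmask before any component acts on it."""
    src = msg["alert"].get("Source", {})
    try:
        return ipaddress.ip_network(src["address"] + "/" + src["netmask"], strict=False)
    except (KeyError, ValueError):
        return None
```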
5.4 Interaction among secure components
In order to realize the interaction among IDSs and other secure
components, Aglet is brought into the system. Aglet is an MA system
designed by IBM and developed with Java technology. An Aglet comprises
a core, a proxy, an itinerary and an identifier. The core holds all
the internal variables and methods of the agent and provides a uniform
interface. The proxy encapsulates the core and prevents access to the
Aglet's private methods. The identifier is the unique label of the Aglet.
+-------------------------------------------------------------+
| +------------------+ +---------------------------+ |
| |IDS +--------+ | Dispatch | +---------+ Dispose | |
| | | MA | ---------------> | MA |-----------> | |
| | |(clone) | <--------------- | | | |
| | +--------+ | Retract | +---------+ | |
| | ^ | | ^ | | |
| | Create | | | | v | |
| | +--------+ | | +---------+ Other Secure| |
| | | class | | | |Secondary| Components | |
| | +--------+ | | | Storage | ( Firewalls,| |
| | | | +---------+ etc) | |
| +------------------+ IMS +---------------------------+ |
+-------------------------------------------------------------+
(note: MA = Mobile Agent)
Figure 6: State transition diagram of MAs
Aglets' activities include Create, Clone, Dispatch, Retract,
Deactivate, Activate, Dispose and Messaging. Clone produces an agent
identical to the original one except for its identifier. The Aglet
model is event-driven. When an agent wants to move, it calls the
Dispatch method, and the agent is sent to the target host through ATP
(Agent Transfer Protocol). Each agent has a unique name. In short,
Aglet offers both an API and a method for realizing MAs with Java
technology. With the introduction of Aglet, the system realizes the
interaction among IDSs and other secure components effectively.
6. Acknowledgement
The authors wish to thank Xu Zhu, Huayi Rao, Xiuling Zhu, Shuai Zeng
and Ming Cao, for their detailed inputs.
8. Authors' Addresses
Yixian Yang
Information Security Center,
Beijing University of Posts and Telecom. (BUPT),
Beijing, China, 100876
Phone: 8610-62283366
Email: yxyang@bupt.edu.cn
Full Copyright Statement
Copyright (C) The Internet Society (2005).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.