Sandia trains agent to deal with pesky intruders

Sandia trains agent to deal with pesky intruders

If each Internet node ran one, viruses such as the Love Bug wouldn't have a chance, lab researcher says

By Tony Lee Orr

GCN Staff

Intelligent software agents could in the near future protect computers against attacks and infestations from ILOVEYOU wannabes, government researchers recently said.

The Sandia team has been working on smart agents that can identify and eradicate viruses and system attacks.

Scientists at the Energy Department's Sandia National Laboratories in Albuquerque, N.M., have successfully tested such software by pitting a team of scientists posing as hackers against it, said Steve Goldsmith, the project's lead scientist.

'If every node on the Internet was run by one of the agents, the ILOVEYOU virus would not have gotten beyond the first machine,' he said.

The Love Bug, hidden in e-mail message attachments, hit computers in May.

In March, the Sandia scientists linked three Apple 292-MHz Macintosh PowerBook G3 systems, a 400-MHz PowerBook G3 and a 333-MHz Power G3 Tower on an Ethernet hub. The systems ran Yellow Dog Champion Server Linux Version 1.1.4 from Terra Soft Solutions Inc. of Cupertino, Calif. The lab team also installed its homegrown intelligent software agent on each of the systems.

A four-person team trained to test defenses of government and corporate systems, dubbed the Red Team by scientists on the project, attacked the little network for two days from a mix of Pentium PCs running Red Hat Linux 6.0 from Red Hat Inc. of Durham, N.C.

The lab used a Pentium PC running Microsoft Windows NT to act as a host for sniffer programs. The Red Team used attack programs found in the public domain, such as Nmap, Toast, Saint and Snort, Goldsmith said. The team tried but failed to enter through a node on the hub as if it were operating on the same network as the linked Apple computers.

Sandia in 1997 began developing the software as an R&D project. The software could be ready for release for government and commercial use within a year, Goldsmith said.

Scientists working on the project designed the agent's architecture from the ground up and created it with an adaptive mode so it can be enhanced to deal with new attack methods, Goldsmith said.

'It can detect patterns in IP packets and attack patterns,' Goldsmith said.

The program becomes suspicious of any scans that check out all ports on a network, even if attackers take a long time'up to a year, say'to probe the computer, he said.

Once installed, the program works by continually comparing notes against previously collected information to determine what unusual requests or commands are received from external and internal sources, Goldsmith said.

The multiagent program will pick up and store the memory of faint probes as hackers try to learn enough to take over the computers on a network, he said. The software's pattern recognition system shuts down computers on which Trojan horses have been found and those that have been taken over, he said.

Bar the gateway

When confronted with a denial-of-service attack, the program can shut down a network's gateway, stopping the repetitive requests that bombard a network's server, he said.

'The biggest problem in the computer world is that new stuff is coming along that you don't even know exists,' said Ray Parks, who led the Red Team attack.

'Current defenses work as virus-checkers,' Parks said. 'They recognize only specific virus patterns. But this software will recognize odd attacks. It will turn off services, close ports to alternate means of communication and tighten firewalls.'

The agent's tools would prohibit live programs, such as the ILOVEYOU worm, from entering an e-mail system, Goldsmith said.

Sandia's agent programs integrate security functions with normal network services, Goldsmith said.

No one controls the agent, he said. The algorithm operating each agent is decentralized, making each agent autonomous, yet cooperative, he said.

The agent will even refresh itself, Goldsmith said. 'It replaces old agents by fresh agents periodically,' he said. 'This ensures that hacked systems are flushed eventually and must be re-hacked to be compromised.'

Goldsmith likened the agent to a type of artificial life, in essence a virtual genome.

'Download a genome, and it grows a new agent from scratch,' he said. 'Once it's born, it connects immediately to other agents and becomes a member of the security community. This makes the agent easy to deploy in large numbers on the Internet.'

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.