Using mobile agents for analyzing intrusion in computer networks

Today hackers disguise their attacks by launching them form a set of compromised hosts distributed across the Internet. It is very difficult to defend against these attacks or to track down their origin. Commercially available intrusion detection systems can signal the occurrence of limited known types of attacks. New types of attacks are launched regularly but these tools are not effective in detecting them. Human experts are still the key tool for identifying, tracking, and disabling new attacks. Often this involves experts from many organizations working together to share their observations, hypothesis, and attack signatures. Unfortunately, today these experts have few tools that help them to automate this process. In this project we recognize that human experts will remain a critical part in the process of identifying, tracking and disabling computer attacks. We also recognize that an important part of the discovery, analysis, and defense against new distributed attacks is the cooperation that occurs between experts across different organizations. Many installations do not have the expertise necessary to develop full attack analyses. Our goal is to build automated tools for computer experts and system administrators to: • identify the characteristics of an attack given data from network sensors • develop a hypothesis about the nature and origin of the attack • share that hypothesis with security managers from other sites • test that hypothesis at those other sites and coordinate the results of testing • archive the data necessary for use as evidence in later law-enforcement actions ∗We are grateful to the DOJ for their generous support of this work.