
Mitigation of network tampering using dynamic dispatch of mobile agents

Posted on: 2005-02-23
Degree: Ph.D
Type: Dissertation
University: University of Central Florida
Candidate: Rocke, Adam J
Full Text: PDF
GTID: 1458390008991058
Subject: Computer Science
Abstract/Summary:
Detection of malicious activity by insiders, people with legitimate access to resources and services, is particularly difficult in a network environment. In this research, a novel classification of tampering modes by insiders against Intrusion Detection Systems (IDSs) is developed and addressed using distributed processing approaches. First, several user capability ranks and tampering points are identified to categorize critical exposures. Second, a tampering mode taxonomy including spoofing, termination, sidetracking, alteration of internal data, and selective deception is developed. Third, in response to these tampering modes, the Collaborative Object Notification Framework for Insider Defense using Autonomous Network Transactions (CONFIDANT) is developed and evaluated.

CONFIDANT employs interlocked mobile agents to reduce single point-of-failure exposures and increase barriers against insider tampering. While previous approaches relied upon monolithic architectures or agent frameworks using a centralized control mechanism or common reporting repository, they introduced distinct vulnerabilities. These vulnerabilities are identified in a novel hierarchy of IDS architectures. CONFIDANT realizes a Distributed Control and Dynamic Dispatch (DCDD) architecture using mobile agents for tampering detection, decision making, and alert signaling. It uses three echelons of agent interaction and four autonomous behaviors supporting encapsulation, redundancy, scrambling, and mandatory obsolescence.

The Tampering Mode Exposure (TME) metric weighting scheme is developed to compare CONFIDANT's response to that of the existing frameworks Tripwire and AIDE. Testing is performed to illustrate the mitigation techniques for each tampering mode using the Concordia mobile agent framework. Quantitative as well as qualitative metrics are assessed by dispatching committees C_i of agents a_ij, where 1 ≤ i ≤ 2 and 1 ≤ j ≤ 12, to perform filesystem scans and provide alarm notification.

Test results indicate Tripwire's and AIDE's vulnerability to tampering via Pacing, File Juggling, and Altering Internal Data, with TME scores of 65 and 59, respectively, out of a possible value of 123. CONFIDANT's DCDD framework achieves a score of 103 through mitigation of several exposures, with the exception of Processor Blockading. These results demonstrate viable approaches for mitigating several challenging IDS exposures, including many insider tampering risks.
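The abstract describes dispatching committees of agents to scan the filesystem redundantly so that no single agent is a point of failure, and it names "selective deception" (an agent reporting what the insider wants it to report) as one tampering mode. The following added example is not code from the dissertation, CONFIDANT, or the Concordia framework; it models only the redundancy-and-cross-check idea in plain Python. The in-memory filesystem, the agent ids a11..a13 (borrowing the C_i/a_ij naming from the abstract), and the verdict labels are constructed assumptions; the actual TME weights and CONFIDANT agent behaviours are not on the page and are not reproduced here.

```python
import hashlib
from collections import Counter

# Constructed in-memory "filesystem": path -> file contents. Sample data only.
SAMPLE_FS = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/usr/bin/login": b"\x7fELF-placeholder-for-a-login-binary",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(fs):
    """Trusted hash per monitored path, comparable to the Tripwire/AIDE database."""
    return {path: sha256_hex(content) for path, content in fs.items()}


def honest_agent(fs, paths):
    """A scanning agent that reports what it actually observes."""
    return {p: sha256_hex(fs[p]) for p in paths}


def deceptive_agent(fs, paths, baseline):
    """Models 'selective deception': a subverted agent echoes the baseline hash
    so that a change to a monitored file is never reported by that agent."""
    return {p: baseline[p] for p in paths}


def evaluate_committee(baseline, reports):
    """Cross-check the reports of a committee of agents that scanned the same paths.

    reports: list of (agent_id, {path: hash}).
    Returns {path: (verdict, detail)} where verdict is one of
    'ok', 'modified', 'agent_tampering', 'uncovered'.
    """
    verdicts = {}
    for path in baseline:
        observed = {aid: r[path] for aid, r in reports if path in r}
        if not observed:
            verdicts[path] = ("uncovered", "no agent reported this path")
            continue
        tally = Counter(observed.values())
        if len(tally) > 1:
            # Agents disagree about the same file: at least one report is wrong,
            # which points at a tampered agent rather than at the file alone.
            majority_hash, _ = tally.most_common(1)[0]
            dissenters = sorted(a for a, h in observed.items() if h != majority_hash)
            verdicts[path] = ("agent_tampering",
                              f"reports disagree; dissenting agents: {dissenters}")
        elif next(iter(tally)) != baseline[path]:
            verdicts[path] = ("modified", "all agents agree file differs from baseline")
        else:
            verdicts[path] = ("ok", "all agents agree with baseline")
    return verdicts


def run_scenario(subverted: bool):
    """Constructed scenario: sshd_config is edited after the baseline was taken.
    With subverted=True, agent a13 of committee C1 is deceptive and keeps
    reporting the baseline hash; the two honest agents outvote it."""
    baseline = build_baseline(SAMPLE_FS)
    live_fs = dict(SAMPLE_FS)
    live_fs["/etc/ssh/sshd_config"] = b"PermitRootLogin yes\nPasswordAuthentication yes\n"
    paths = list(baseline)
    committee = [
        ("a11", honest_agent(live_fs, paths)),
        ("a12", honest_agent(live_fs, paths)),
        ("a13", deceptive_agent(live_fs, paths, baseline) if subverted
                else honest_agent(live_fs, paths)),
    ]
    return evaluate_committee(baseline, committee)


if __name__ == "__main__":
    for label, flag in (("all agents honest", False), ("a13 subverted", True)):
        print(f"== {label} ==")
        for path, (verdict, detail) in run_scenario(flag).items():
            print(f"{verdict:16} {path}: {detail}")
```

With a single scanner the deceptive report would simply hide the change; with three agents covering the same paths the disagreement itself becomes the alarm, which is the point of the redundancy behaviour the abstract lists. A real deployment would also need the other three behaviours (encapsulation, scrambling, mandatory obsolescence) so that an insider cannot subvert every agent in the committee the same way.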
Keywords/Search Tags: Tampering, Network, Using, Insider, Mobile, Mitigation, Agents, Exposures