Network Intrusion

NetInt is an agent-based model designed to study computer network security issues. The current version models a network of 2500 computer systems connected via two overlaid topologies: IP address space (or physical space), and remote login space. An agent is associated with each computer system. Each such agent may have a particular set of security policies concerning what needs to be done when intrusions are detected or when the system is believed to be compromised. For example, a security policy may stipulate that upon discovering the system is compromised, all other systems in a local network should be marked as “threatened” or even “potentially compromised”.

The network intrusion model has an additional type of agent: the hacker. Our first experiments use a single hacker, but more may be introduced in the near future. The hacker agent is modeled in terms of his/her skill at using standard scanning and sniffing techniques to break into and gain control of machines on the network for later use as zombie machines. Depending on the security levels of different machines, the hacker may or may not be able to gain access. Initially, the hacker controls a single computer.

Different computers may have different levels of security, which makes it easier or harder for the hacker to gain access to a given machine. Once the hacker has access to a machine, he/she may decide to use that access to attack other machines. Alternatively, the hacker may limit his/her use of the machine in an attempt to decrease the likelihood that the break-in is detected.

A computer may be classified as secure (and, as mentioned above, several levels of security are possible). Alternatively, computers may be classified as not secure, and several types fall into this category. First, a computer system may be threatened, in the sense that a nearby computer (in either physical or logical space) has been compromised. Second, the system may be compromised at the ordinary-user level, in which case the attacker does not yet have many privileges. Third and last, a computer may be compromised at the super-user level.
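The state classification above, together with the security policy from the first paragraph (mark neighbours in either overlaid topology as "threatened" when a compromise is detected), can be written down as a small state model. The following Python is an added illustration and is not NetInt's own code; the eight-node topology, the directed remote-login links, the numeric security-level scale and all class and method names are assumptions made for the example.

```python
from collections import defaultdict
from enum import Enum


class State(Enum):
    """Node states from the model: one 'secure' class (which also carries a
    security level) and three 'not secure' classes."""
    SECURE = "secure"
    THREATENED = "threatened"
    USER_COMPROMISED = "compromised (user level)"
    SUPER_USER_COMPROMISED = "compromised (super-user level)"


class Network:
    """Computer systems connected via two overlaid topologies."""

    def __init__(self, size, default_security_level=1):
        self.size = size
        self.state = {n: State.SECURE for n in range(size)}
        # Assumed scale: a higher level means the machine is harder to break into.
        self.security_level = {n: default_security_level for n in range(size)}
        self.ip_links = defaultdict(set)     # IP address / physical space (undirected)
        self.login_links = defaultdict(set)  # remote login space (directed: a -> b)

    def add_ip_link(self, a, b):
        self.ip_links[a].add(b)
        self.ip_links[b].add(a)

    def add_login_link(self, a, b):
        """Assumption: a remote-login relationship is directed, a can log in to b."""
        self.login_links[a].add(b)

    def neighbours(self, node):
        """Nodes 'nearby' in either space, which is what the threatened rule uses."""
        return self.ip_links[node] | self.login_links[node]

    def not_secure(self):
        """Every node in one of the three 'not secure' classes, in order."""
        return sorted(n for n, s in self.state.items() if s is not State.SECURE)

    def apply_compromise_policy(self, node, super_user=False):
        """Security policy: on detecting that `node` is compromised, record the
        privilege level reached and mark every still-secure neighbour (in either
        topology) as threatened. Returns the nodes newly marked threatened."""
        self.state[node] = (State.SUPER_USER_COMPROMISED if super_user
                            else State.USER_COMPROMISED)
        newly_threatened = []
        for nb in self.neighbours(node):
            # Never downgrade a node that is already compromised to 'threatened'.
            if self.state[nb] is State.SECURE:
                self.state[nb] = State.THREATENED
                newly_threatened.append(nb)
        return sorted(newly_threatened)

    def summary(self):
        """Count of nodes per state, keyed by the state's label."""
        counts = {s: 0 for s in State}
        for s in self.state.values():
            counts[s] += 1
        return {s.value: c for s, c in counts.items()}


def build_sample_network():
    """Constructed 8-node example: two fully meshed local subnets in IP space,
    plus one remote-login relationship bridging them."""
    net = Network(8)
    for subnet in ((0, 1, 2, 3), (4, 5, 6, 7)):
        for a in subnet:
            for b in subnet:
                if a < b:
                    net.add_ip_link(a, b)
    net.add_login_link(2, 5)   # host 2 holds a remote login to host 5
    net.security_level[5] = 3  # assumed: host 5 is more hardened than the rest
    return net


if __name__ == "__main__":
    net = build_sample_network()
    print("threatened after user-level compromise of 2:",
          net.apply_compromise_policy(2))
    print("newly threatened after escalation on 2:",
          net.apply_compromise_policy(2, super_user=True))
    print(net.summary())
```

Compromising host 2 at the user level threatens its three IP-space neighbours and, through the login link, host 5 in the other subnet, while hosts 4, 6 and 7 stay secure; the later escalation to super-user changes host 2's class without re-marking anything, which is the behaviour a per-node policy needs so that repeated detections on the same host do not erase earlier state.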

Evolutionary computation has been applied to evolve good hackers. Poor hackers (like the ones in the random initial population) are generally very greedy and start by gaining a lot of machines, but in doing so they make too much noise, get detected, and soon lose the machines. Evolved hackers in later generations manage to keep a balance between sniffing and scanning: they gain access to machines more slowly, but then retain control over them over time.

We are currently conducting experiments using co-evolution, where we allow both the network security settings and the hacker behavior parameters to simultaneously evolve.
