ODISET: On-Line Distributed Session Tracing Using Agents
Abstract
In order to get to the root of a security incident it is always necessary to identify its causes. In an attempt to hide the origin of his connection, a malicious user may have jumped from a source into a series of hosts h### H = ,..., h### before breaking into his target host . This connection sequence describes a path that may include loops, making it more difficult to find h given due, in part, to the prohibitive amount of cooperation and synchronization that is required in practice. This paper describes a distributed rule-based model that automates this tracing process on-line with a ##### ### # ) worst case scenario. Autonomous agents collaborate on the detection of the origin of a connection using a loop unwinding technique and incorporating public cryptography to create ciphered channels that allow them to communicate securely. To meet the challenges of minimum system workload and improved robustness, the prototype features lightweight design and implementation as well as a dynamic port-allocation scheme to prevent sniffing and denial of service attempts. We present the proposed model as well as its implementation through the prototype system ODISET and its experimental results.
Cite
Mandujano and Galván. "ODISET: On-Line Distributed Session Tracing Using Agents." International Joint Conference on Artificial Intelligence, 2003.
@inproceedings{mandujano2003ijcai-odiset,
title = {{ODISET: On-Line Distributed Session Tracing Using Agents}},
author = {Mandujano, Salvador and Galván, Arturo},
booktitle = {International Joint Conference on Artificial Intelligence},
year = {2003},
pages = {749-756},
url = {https://mlanthology.org/ijcai/2003/mandujano2003ijcai-odiset/}
}