Hyperactive mobile agent systems for cyber security

Current cyber security research focuses on topics such as intrusion detection and denial-of-service attacks. Less attention is paid to a class of attacks called ‘change-of-service attacks’. In this attack scenario, an attacker infiltrates a system and changes a service instead of just disrupting it (as happens in a denial-of-service attack). An example would be changing the SSL service so that it establishes secure connections not with a random session key but with a fixed session key known to the attacker. Approaches exist to detect off-line change-of-service attacks (e.g., alteration of system files), for example by re-checking the hash sum of the executable file. However, there are no approaches that can detect on-line change-of-service attacks (e.g., a change to the memory image while the process is running).

This research focuses on providing on-line software tampering detection methods for applications while they are running (in memory), without the need for software re-writes. The proposed method will use a mobile agent system that allows security agents to travel between a trusted host and monitored servers to detect tampering with running applications on those servers. The mobile security agents have to attach to the monitored application’s memory and scan certain code sections for modification. Regular agents are not capable of doing this, so a new class of agents (‘hyperactive agents’) has to be devised.
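
The scan step described above can be illustrated with a short sketch. It is an added example, not the project's own code. A trusted host computes per-page digests of a known-good code section, and an agent re-reads the same range from the running process and reports the pages that differ. The function names, the 4096-byte page size, the base address and the sample image are assumptions made for the illustration; `proc_mem_reader` uses the Linux `/proc/<pid>/mem` interface and requires ptrace access to the target process.

```python
import hashlib
from typing import Callable, List

PAGE = 4096  # assumed page size

def page_digests(code: bytes) -> List[str]:
    """Trusted host: SHA-256 of each page of a known-good code section."""
    return [hashlib.sha256(code[i:i + PAGE]).hexdigest()
            for i in range(0, len(code), PAGE)]

def proc_mem_reader(pid: int) -> Callable[[int, int], bytes]:
    """Agent side on Linux: read live memory of `pid` via /proc/<pid>/mem."""
    def read(addr: int, size: int) -> bytes:
        with open(f"/proc/{pid}/mem", "rb", buffering=0) as mem:
            mem.seek(addr)
            return mem.read(size)
    return read

def scan(read: Callable[[int, int], bytes], base: int, size: int,
         baseline: List[str]) -> List[int]:
    """Return the addresses of pages whose live digest differs from baseline."""
    tampered = []
    for n, expected in enumerate(baseline):
        addr = base + n * PAGE
        chunk = read(addr, min(PAGE, size - n * PAGE))
        if hashlib.sha256(chunk).hexdigest() != expected:
            tampered.append(addr)
    return tampered

# Constructed sample: a 3-page "code section" mapped at an assumed base address.
BASE = 0x400000
GOOD = bytes(range(256)) * 48

def image_reader(image: bytes) -> Callable[[int, int], bytes]:
    """Stand-in for proc_mem_reader so the example runs without a target process."""
    return lambda addr, size: bytes(image[addr - BASE:addr - BASE + size])

def demo():
    baseline = page_digests(GOOD)
    patched = bytearray(GOOD)
    patched[5000:5004] = b"\xff\xff\xff\xff"  # constructed in-memory change, page 1
    clean = scan(image_reader(GOOD), BASE, len(GOOD), baseline)
    dirty = scan(image_reader(bytes(patched)), BASE, len(GOOD), baseline)
    return clean, dirty

if __name__ == "__main__":
    clean, dirty = demo()
    print("clean image:", clean)
    print("patched image:", [hex(a) for a in dirty])
```

An on-disk hash check would pass in the second case, because only the memory image was changed; the per-page baseline also localizes the modification to a single page.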