A performance model to Cooperative Itinerant Agents (CIA): a security scheme to IDS

Rafael Páez 1, Cristina Satizábal 1,2, Jordi Forné 1
1 Telematics Engineering Department, Technical University of Catalonia, Barcelona (Spain)
2 Engineering and Architecture Department, Pamplona University, Pamplona (Colombia)
{rpaez, isabelcs, jforne}@entel.upc.edu

Abstract

Intrusion Detection Systems (IDS) based on autonomous agents are important security tools to protect distributed networks, and they can be considered critical systems. For this reason, we have proposed a security scheme, named Cooperative Itinerant Agent (CIA), to verify the integrity of the entities inside the IDS architecture. The proposal includes software watermarking and fingerprinting techniques. Moreover, in this paper we derive a formula to calculate the time consumed by a CIA to verify the entities at a given level of the infrastructure, in order to evaluate the agent’s scalability. The parameters of this formula are the network’s throughput and delay.

1. Introduction

Intrusion Detection Systems (IDS) detect suspicious activities and possible intrusions in a system or private network as they happen. The different entities that compose an IDS need to communicate with each other; therefore it is important to consider the integrity of the information, authentication and access control. The security disadvantages of mobile agents are multiplied in an IDS, since these security systems are one of the main targets of malicious users.

We have proposed a security scheme named Cooperative Itinerant Agent (CIA) [1] in order to monitor all the IDS entities and improve the security of the system. We have included watermarking and fingerprinting techniques to identify each entity inside the system. Each entity that has one or more monitors or transceivers under its control generates a CIA.
The CIA is in charge of verifying the marks of the entities at a given level of the infrastructure and reports its findings to its superior entity, which performs correlation operations in order to make a decision.

This paper is organized as follows: in section 2 we detail the classification of IDS and agents. We also describe IDS based on autonomous agents, attacks against agents and some countermeasures to protect them. In section 3, we explain the watermarking and fingerprinting techniques and the security scheme named CIA to verify the integrity of IDS entities. To estimate the scalability of the system, in section 4 we derive the formula to calculate the execution time of a CIA agent at a given level of the infrastructure. Finally, section 5 concludes.

2. Background

2.1. Intrusion Detection Systems

An Intrusion Detection System (IDS) tries to detect, prevent and alert about suspicious activities and possible intrusions in a system or particular network. An intrusion is an unauthorized or unwanted activity that attacks the confidentiality, integrity and/or availability of information or computer resources. To reach its goal, an IDS monitors the traffic in the network or gets information from another source, such as log files. The IDS analyzes this information and sends an alarm to the system administrator. The system administrator decides whether to avoid, correct or prevent the intrusion.

Basically, an IDS has an event generator, an analyzer or sensor, and a response module (Fig. 1). The event generator (operating system, network, application) sends the packets to the event collection module, which communicates with the sensor. The sensor filters the information and discards irrelevant data. The response module decides whether or not to send the alarm according to the policy held in its database [2].

Second International Conference on Availability, Reliability and Security (ARES'07) 0-7695-2775-2/07 $20.00 © 2007