TCP/IP Intelligent Agents: The Future of Electronic Warfare and Defense

Presented at DEF CON 9 (2001), July 13, 2001, 1 p.m. (50 minutes)

The study of Artificial Intelligence brings many treasures to the development of both offensive and defensive network tools. Code can be designed to make "intelligent" decisions based on a presented data sample. When the rules for proper connection handling are laid out explicitly by an RFC, those rules can be mapped and recalled. This allows automated handling of network traffic, with decision making enforced on the injection of the next packet.

The DEF CON speech will focus on Intravenous. Information will be shared on overhead handling, event priority, and database and sensor/decoder optimizations. Examples of the logic involved will be broken down for simple attack scenarios. The IV-specific design constraints and project goals will be discussed, and a mailing list will be announced for open discussion of the code developed so far and of improvements to the overall design criteria.

First, we will discuss what the word "intelligence" means and how it relates to source code. We will explain the need for code that is not only self-aware but aware of the environment it runs in. We will briefly discuss the research conducted in the Artificial Intelligence field as it relates to TCP/IP networking and computer security in general. Many developers are writing code with AI properties and fail to capitalize on it.

Second, we will discuss the state of tools and exploits today and where they are headed tomorrow, given that current security tools are separate and disjoint: packet sniffers seldom share information with packet crafters, and IDS systems seldom share information with network scanners, for example. We will explain the need for agent code to assist in data collection, storage, retrieval and analysis within the scope of any tool that runs either interactively or in daemon mode for long periods of time, and we will discuss tool-suite integration so that network auditing and network detection become a more seamless process. Most exploits can be classified into only a handful of categories, and most of them are discovered using custom scripts and source code analyzers.

We will then explain the future of network assessment: where "non-intelligent" code falls flat, and how introducing rule bases, knowledge bases and a back-tracking method (memory) can allow an application to deduce plausible scenarios from the data collected. This, in turn, allows an application to react to situations based on mathematical probabilities and/or metrics, in the hope of choosing the correct answer(s). Even without correct answers, it can still present the user with empirical data that may point to a plausible next event.
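To make the "mapped and recalled" RFC rules and the back-tracking memory concrete, here is an added example of a small rule-based connection tracker. It is hypothetical code written for this page, not Intravenous or Nemesis code, and it takes the defender's side of the idea: the rule base is a simplified passive-observer view of the RFC 793 state machine (the state names, the direction labels, the observer-only `SYN_ACK_SEEN` state and the trace below are all constructed assumptions), every segment is checked against it, and when no rule fits, the agent reports the expected next segments together with its memory of the recent decisions that led there.

```python
"""Rule-based TCP connection tracker (added example, not the project's code).

The rule base recalls a simplified passive-observer view of the RFC 793
connection-handling rules; the per-flow history is the "memory" consulted
when a segment fits no rule, so the analyst sees how the flow got there.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

F = frozenset  # flag sets, e.g. F("SA") == {"S", "A"}

# Knowledge base: (initiator state, direction, TCP flags) -> next state.
# Direction is "c2s" (initiator -> responder) or "s2c". SYN_ACK_SEEN is an
# observer-only state (between SYN-ACK and the final ACK), not an RFC name.
RULES: Dict[Tuple[str, str, FrozenSet[str]], str] = {
    ("CLOSED", "c2s", F("S")): "SYN_SENT",
    ("SYN_SENT", "s2c", F("SA")): "SYN_ACK_SEEN",
    ("SYN_ACK_SEEN", "c2s", F("A")): "ESTABLISHED",
    ("ESTABLISHED", "c2s", F("A")): "ESTABLISHED",
    ("ESTABLISHED", "s2c", F("A")): "ESTABLISHED",
    ("ESTABLISHED", "c2s", F("PA")): "ESTABLISHED",
    ("ESTABLISHED", "s2c", F("PA")): "ESTABLISHED",
    ("ESTABLISHED", "c2s", F("FA")): "FIN_WAIT_1",
    ("ESTABLISHED", "s2c", F("FA")): "CLOSE_WAIT",
    ("FIN_WAIT_1", "s2c", F("A")): "FIN_WAIT_2",
    ("FIN_WAIT_1", "s2c", F("FA")): "TIME_WAIT",
    ("FIN_WAIT_2", "s2c", F("FA")): "TIME_WAIT",
    ("TIME_WAIT", "c2s", F("A")): "CLOSED",
    ("CLOSE_WAIT", "c2s", F("FA")): "LAST_ACK",
    ("LAST_ACK", "s2c", F("A")): "CLOSED",
}


def expected_next(state: str) -> List[str]:
    """Recall which (direction, flags) the rule base permits from a state."""
    return sorted(f"{d}:{''.join(sorted(fl))}" for s, d, fl in RULES if s == state)


@dataclass
class Flow:
    initiator: str
    state: str = "CLOSED"
    history: List[str] = field(default_factory=list)  # memory of past decisions


class Agent:
    def __init__(self, memory: int = 3) -> None:
        self.flows: Dict[FrozenSet[str], Flow] = {}
        self.alerts: List[str] = []
        self.memory = memory  # how many past decisions an alert recalls

    def observe(self, src: str, dst: str, flags: str) -> Optional[str]:
        """Apply the rule base to one segment; return an alert if no rule fits."""
        key = F((src, dst))
        fset = F(flags)
        flow = self.flows.setdefault(key, Flow(initiator=src))
        if flow.state == "CLOSED" and fset == F("S"):
            flow.initiator = src  # a fresh SYN (re)defines who initiates
        direction = "c2s" if src == flow.initiator else "s2c"
        if "R" in fset:
            nxt = "CLOSED"  # RST aborts a connection from any state
        else:
            nxt = RULES.get((flow.state, direction, fset))
        if nxt is None:
            alert = (f"{src}->{dst} flags={flags}: no rule from {flow.state}; "
                     f"expected one of {expected_next(flow.state)}; "
                     f"recent history {flow.history[-self.memory:]}")
            self.alerts.append(alert)
            flow.history.append(f"{direction}:{flags}:REJECTED")  # state unchanged
            return alert
        flow.state = nxt
        flow.history.append(f"{direction}:{flags}:{nxt}")
        return None

    def state_of(self, a: str, b: str) -> Optional[str]:
        flow = self.flows.get(F((a, b)))
        return flow.state if flow else None


# Constructed sample trace: (src, dst, flags). The first nine segments are a
# normal handshake, data exchange and orderly close; the last two fit no rule.
SAMPLE_TRACE = [
    ("10.0.0.5:40001", "10.0.0.9:80", "S"),
    ("10.0.0.9:80", "10.0.0.5:40001", "SA"),
    ("10.0.0.5:40001", "10.0.0.9:80", "A"),
    ("10.0.0.5:40001", "10.0.0.9:80", "PA"),
    ("10.0.0.9:80", "10.0.0.5:40001", "PA"),
    ("10.0.0.5:40001", "10.0.0.9:80", "FA"),
    ("10.0.0.9:80", "10.0.0.5:40001", "A"),
    ("10.0.0.9:80", "10.0.0.5:40001", "FA"),
    ("10.0.0.5:40001", "10.0.0.9:80", "A"),
    ("10.0.0.7:51000", "10.0.0.9:80", "A"),   # ACK with no handshake seen
    ("10.0.0.9:80", "10.0.0.8:52000", "SA"),  # SYN-ACK with no SYN seen
]


def analyze(trace) -> Agent:
    """Run the agent over a trace and return it with its flows and alerts."""
    agent = Agent()
    for src, dst, flags in trace:
        agent.observe(src, dst, flags)
    return agent


if __name__ == "__main__":
    result = analyze(SAMPLE_TRACE)
    print("final state:", result.state_of("10.0.0.5:40001", "10.0.0.9:80"))
    for line in result.alerts:
        print("ALERT", line)
```

The point of the history field is the back-tracking the abstract describes: a plain flag filter would only say "unexpected ACK", whereas the agent can say from which state the segment was rejected, what the rules would have accepted instead, and what the flow did just before, which is the empirical data an analyst needs to judge whether the segment is a lost packet, asymmetric routing or something worth a closer look.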

The Nemesis injection routines will be used in Intravenous. The threat posed by Nemesis on its own will be discussed, with examples cited from published sources, and then contrasted with the introduction of the AI components that make up the overall study, Intravenous (an agent concept model).
Presenters:

  • Mark Grimes - Network Security Researcher
    Mark Grimes is a network security researcher whose focus is primarily on enterprise-wide, multi-layered network threats, the study of TCP/IP packet pattern analysis, and an interest in machine learning and expert systems. Mark is best known for Nemesis, an eight-protocol packet crafting tool suite. A number of articles and miscellaneous tools, as well as the concept slides/video of the initial Intravenous concept, are available at http://www.packetninja.net/. Mark Grimes is currently the Red Team Network Security and Forensics Lead for a Fortune 300 company. He has been the security lead of many high-profile commercial, government and military contracts. Mark is also a developer for the ultra-secure, multi-architecture OpenBSD Project led by Theo de Raadt.