Sandia LabNews

Sandia-developed intelligent software agents challenge electronic intruders

Could have stopped the I-Love-You virus

In the movie "The Matrix," malevolent but intelligent security agents — personifications of computer programs able to learn — defend an evil worldwide web.

Now an intelligent software agent wearing a white hat and able to defend itself alone and in groups on today’s World Wide Web has been created at Sandia. (Sandia counts among its credentials the fastest computer in the world [ASCI Red] and the fastest "home-assembled" computer in the world [C-Plant].)

Agents in a collective communicate over secured links on the Internet or an intranet. Malicious agents (drawn with horns in the illustration) are detected and cut off from the collective. Properly authenticated data is allowed into the collective, but bad information is rejected.

"If every node on the Internet was run by one of these agents, the I-Love-You virus would not have got beyond the first machine," says Steve Goldsmith (6232), lead scientist on the project.

In March, a coalition of these Sandia cyberagents successfully protected five network-linked computers over two full working days of concentrated attack by a four-person hacker force called the Red Team — an expert hacker group, also at Sandia, whose purpose is to test the defenses of governmental and corporate computer systems.

The cyberagent, still in the laboratory stage, actually functions as a multiagent collective — a distributed program that runs on multiple computers in a network.

The program reacts with suspicion to "port scans," in which an intruder probes every port (the numbered network endpoints on a computer through which its different services are reached), even when the scan is spread over a long period of time, such as a year.

The "agent" program works by setting up a supra-net collective that constantly compares notes to determine what unusual requests or commands have been received from external or internal sources. Because of this, the system response is not limited to waiting until someone has figured out a defense and put it into a virus checker.
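The two ideas above, a memory long enough to catch a scan spread over a year, and agents that pool their observations instead of judging alone, can be shown in a few dozen lines. The following is an added illustration, not Sandia's agent code, and it assumes the simplest possible collective: every agent reports the connection attempts it sees into a shared table, and a source is flagged when it has touched at least a threshold number of distinct ports anywhere in the collective within a long sliding window. The node names, addresses and probe schedule are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: a five-node collective observed over one year.
START = datetime(2000, 1, 1)
NOW = START + timedelta(days=365)
NODES = ["node-a", "node-b", "node-c", "node-d", "node-e"]
SCANNER = "198.51.100.7"   # constructed source address (documentation range)
BENIGN = "192.0.2.10"      # constructed source address (documentation range)


def build_sample_events():
    """Return constructed (timestamp, observing_node, source_ip, dest_port) events.

    The scanner touches one new port every three weeks and rotates across the
    five nodes, so no single node ever sees more than four of its probes.
    """
    events = []
    for i in range(17):
        ts = START + timedelta(days=21 * i)
        events.append((ts, NODES[i % len(NODES)], SCANNER, 1000 + i))
    for day in range(365):
        ts = START + timedelta(days=day)
        events.append((ts, "node-a", BENIGN, 80))
        events.append((ts, "node-a", BENIGN, 443))
    return events


class ScanCollective:
    """Shared memory of connection attempts contributed by every agent (assumed design)."""

    def __init__(self, window_days, distinct_port_threshold):
        self.window = timedelta(days=window_days)
        self.threshold = distinct_port_threshold
        self.observations = defaultdict(list)  # source_ip -> [(ts, node, port)]

    def report(self, ts, node, src, port):
        # Each agent contributes what it saw; the collective keeps all of it.
        self.observations[src].append((ts, node, port))

    def suspicious_sources(self, now, nodes=None):
        """Sources that touched >= threshold distinct ports inside the window.

        If `nodes` is given, only observations from those nodes are counted,
        which models a single agent judging from its own data alone.
        """
        cutoff = now - self.window
        alerts = {}
        for src, obs in self.observations.items():
            recent = [(n, p) for ts, n, p in obs
                      if ts >= cutoff and (nodes is None or n in nodes)]
            ports = {p for _, p in recent}
            if len(ports) >= self.threshold:
                alerts[src] = {
                    "distinct_ports": len(ports),
                    "nodes": sorted({n for n, _ in recent}),
                }
        return alerts


def collective_alerts(events, window_days, threshold, now=NOW):
    """Verdict of the whole collective after every agent has compared notes."""
    c = ScanCollective(window_days, threshold)
    for ts, node, src, port in events:
        c.report(ts, node, src, port)
    return c.suspicious_sources(now)


def per_node_alerts(events, window_days, threshold, now=NOW):
    """What each node would conclude on its own, without comparing notes."""
    c = ScanCollective(window_days, threshold)
    for ts, node, src, port in events:
        c.report(ts, node, src, port)
    return {node: c.suspicious_sources(now, nodes={node})
            for node in NODES if c.suspicious_sources(now, nodes={node})}


if __name__ == "__main__":
    events = build_sample_events()
    print("collective, 1-year window:", collective_alerts(events, 365, 10))
    print("per node,   1-year window:", per_node_alerts(events, 365, 10))
    print("collective, 30-day window:", collective_alerts(events, 30, 10))
```

Run as written, the collective with a one-year window flags the slow scanner (17 distinct ports seen across all five nodes) and leaves the benign host alone, while no node judging only its own three or four probes reaches the threshold, and a 30-day window misses the scan entirely. The two knobs, window length and distinct-port threshold, are the trade-off a defender tunes: a long window costs memory per source and raises the chance that ordinary multi-service clients accumulate enough ports to alert.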

Says Ray Parks (6237), leader of the Red Team, "The biggest problem in the computer world is that new stuff is coming along that you don’t even know exists. Your software doesn’t recognize it. Current defenses work as virus checkers; they recognize only specific virus patterns. But this software will recognize odd attacks. It will turn off services, close ports, go to alternate means of communication, and tighten firewalls."

"We’re less concerned with the teen-aged kid and more with the serious agents from foreign governments or foreign corporations who may take a long time, very gently probing to understand where computers are that they can take over or compromise," says Steve. "On command, they can be made to act as a supercomputer to attack a target, as happened recently, or crack a privacy code intended to protect financial, medical, or other critical data."

What distinguishes these agent programs from others is that they integrate security functions with normal services such as ‘ftp,’ ‘WWW,’ and browsers. "They’re all in each agent. This provides intrinsic security to each user," says Steve.

The multiagent program is sensitive enough to detect and remember very faint probes, almost indistinguishable from system noise, as hackers try to learn enough to take over the computers in a group. Using a sophisticated pattern-recognition system, it can shut down computers in which "Trojan Horses" (secret programs to be operated at a later date under external hostile control) have been installed. It can remove from the network a computer taken over by a hostile insider. And against a runaway barrage of incoming network requests, like the one that recently closed the cyber doors of several American corporations, it can close the gates of the system to prevent it from being flooded with repetitive requests. Among the wary agent’s cybertools are prohibitions on ‘live’ programs such as the I-Love-You virus entering an e-mail system.

The World Wide Web will be particularly vulnerable to countries that do not have adequate on-line protection programs such as the one developed at Sandia, says Steve. "Computers in such countries will become a resource for hackers. If hackers can take up enough nodes, they will have a supercomputer at their disposal that can break commercial codes or mount attacks before people can respond."

Such laggard countries, says Steve, "may not be popular with other countries and may be pressured by the international community to secure their systems." The biological metaphor for such an action would be inoculation, he says.

"Ultimately, consumer-level deployment of intelligent-agent programs will replace other programs," predicts Steve. "Interested consumers or businesses could form secure coalitions against hackers, and they will need to. The home computer is going to be connected to the Internet 24 hours a day, seven days a week with high-speed systems like DSL or cable modem. People will become the target of attacks."

More imaginative uses of intelligent agents involve protecting interplanetary missions that one day may operate robot swarms (many cheap robots, each of which is expendable) rather than one expensive robot whose malfunction could render the entire mission useless. Swarm robots have a vulnerable point: they could be the targets of long-distance hackers. In the case of joint missions, that weakness could make them prey of a nation that might desire failure of the mission for political reasons of its own.

Last modified: May 22, 2000