Chapter 26

A Paradigm Shift in Cyberspace Security

Mihai Horia Zaharia, “Gheorghe Asachi” Technical University, Iaşi, România

Cyber-terrorism is common nowadays. There is a complex network of private and public organizations used in supervising the Internet. Even so, the complexity of the system is leading to an increase in the response time due to various bottlenecks in relation to information flow. As a result, a paradigm shift in security auditing in cyberspace is required. An approach based on intelligent agents may decrease the time needed to gather and process the basic information. A multi-agent system with the goal of helping the user, the security expert, and the security officer is presented in this chapter. The system will process local knowledge databases as well as external information provided by social networks, news feeds, and other forms of published information available on the Internet. An executive summary will be automatically generated and presented to the security chief of the organization using the system. Also, the system may provide advice to ordinary users when disputable decisions regarding computing node security must be made.

Keywords

cyberspace; cybersecurity; intelligent agents; information retrieval; data mining

Information in this chapter

• Computer aided decision support

• Intelligent agents

• Information security

• Information retrieval

• Data mining

Introduction

The term “cyberspace” was introduced into the science fiction community by William Gibson [1], but with a different meaning than the current one. Today the term usually refers to the common space created by any combination of hardware and software that is at the base of the Internet and offers support for any facility offered to the user. The various faces of cyberspace are similar to the main directions of Internet application development, which are: networked media and search systems, cloud computing, Internet services, trustworthy computing, and the “future Internet.”

Cyberspace consists of hardware, operating systems, communication networks, and applications. There is a supplementary layer composed of the frameworks that allow the execution of applications. When an application is developed, the security aspect of the application may be analyzed at each stage of design and also at the interfaces between layers or tiers. In fact, a security architecture design overlaps with the main design of the application, involving a system security plan, some control specifications, security documentation, and assessment of evidence. All of these are needed for a proper life cycle of the secured application, beginning from the first tests and finishing with long-term maintenance [2]. The security measures can be applied and enforced at any layer, yet the user remains the main weak link in the security management chain.

Cyber-terrorism

Nowadays, there are two types of war that are silently growing. One is the economic war, whose main actors are countries, corporations, and the mob. An important component of this war is related to the cyber-war. Maintaining global equilibrium is difficult enough, but some rules do exist due to the fact that the main purpose is to incorporate the enemy, not to destroy it. The other type of war is more dangerous, because its basis is religious. Typical of this war is the fact that nothing but total destruction of the enemy is accepted [3]. The main idea here is to destroy the enemy, regardless of the cost. This can have a major impact on local economies and sometimes even on the global economy because of globalization.

“Cyber-terrorism” is a relatively new term in the area of computing. It was first defined by Collin [4], who suggested that cyber-terrorism appears at the convergence between the cyberspace and terrorism. Hoffman [5] further clarified the concept. In his view, cyber-terrorism represents a form of violence or a threat of violence that has a political purpose and uses computer-related techniques. The importance of this new threat was partially neglected until the events of September 11, 2001.

After analyzing all the information collected about the September 11 events, the experts proved that the terrorist cells used information technologies to hide and coordinate their activities [6]. Since then, in the United States, cyber-terrorism began to represent a serious problem, and many resources were diverted to create new strategies for fighting it. In this context, US security agencies have found that local organizations such as the ones who fight for the supremacy of white American Christians, for protecting the environment, or for animal rights, have also begun to adopt these new tactics [7]. The fight against information technology (IT)-related criminal activities has escalated, and a new concept of cyber-warfare has emerged.

In Europe, compared to the US and Asia, these problems have been perceived as less important. As a result, mechanisms to fight cyber-terrorism have been slow to develop. In Great Britain, cyber-warfare has been considered a problem only since 2008. This was the moment when the UK government began to develop and introduce a set of laws related to information security problems. The concept of digital police emerged in the process [8].

Some authors feel that the new wave of cyber-criminal activity is related to the great changes that appeared after the destabilization of the USSR and the fall of the Berlin Wall [9]. One possible explanation of this phenomenon is that the mass of highly skilled IT programmers trained in the former Soviet Union began to be used by the Russian mob. However, this is not enough to justify the new magnitude of the attacks. In fact, the increase in cyber-criminality simply marks the transition from the tactics and techniques of the Cold War to the arms of the newly adopted information society model.

A shift from the Cold War paradigm to a cyber-warfare paradigm is not a surprise, since war is conducted using currently available technologies, and nowadays many highly developed societies are informational. The surprise is that the security measures taken when most of the vital systems were designed have been insufficient. In most cases, the reason is not the lack of procedures or know-how, but the pressure to decrease the costs. Nowadays, this cost optimization to the detriment of security is proving very dangerous, since the new tactics used in modern cyber-warfare can drive a society to an insurmountable level of loss. An example is the economic problems of Japan after the nuclear facilities used in electricity production were closed for reasons other than an attack. The effects on the Japanese economy were disastrous and are still not completely managed.

Cyber-attacks can be targeted at any level of the cyberspace model, depending on the final objective of the attackers. For example, the economic loss caused by the September 11 events was negligible, but the psychological impact was huge. This was a clear guerrilla tactic, where a small force produced significant results. Other types of attacks may target critical economic objectives like the energy system, production systems, or, in the worst case, the military infrastructure. These could lead to immediate results having huge costs.

A particularly insidious kind of attack is the economic one. Here, the cyber-warfare hot spot is shifted in most cases from governmental organizations to corporations. This is because transnational corporations administer funds and research facilities that are often greater than what most countries in the world can afford.

There are, in fact, two overlapping areas of cyber-war. One is related to cyber-terrorism, which is usually specific to Islamic fundamentalist groups or other organizations that use guerrilla tactics. The other, broader war is for resources of any kind (raw, but also informational) and has two main objectives: economic and informational. Between the two, the more important one is the informational war, because winning access to raw materials is also, finally, a question of having the right information at the right moment.

A security paradigm shift in cyberspace

Within an organization, different types of risks can be identified: strategic, safety, program management and reputation, supply chain, legal, political, investment, budgetary risk, and, finally, information security risk [2]. It is difficult to justify the request for more organizational resources to be assigned for handling information security risks, since the other risks, in most cases, have the same (or maybe greater) importance, and the organization’s staff must maintain a balance in addressing all the types of risks. Yet there is a need to increase the resources for IT security. In the short term, nothing significant can be done. The only solution is to change the environment and the long-term organizational policies related to informational risks so the increased costs can be distributed over a longer period of time. Yet this approach may still prove insufficient if changes are not made in the paradigm used to control the security risks.

How should the paradigm shift be conducted? The basic ideas are not new.

Under the Federal Information Security Management Act (FISMA), risk management of information security overlaps many other activities, including the enterprise architecture, capital planning, investment control, and system development [2]. This centralized approach has the advantage of establishing and maintaining tight control. Yet at the federal level or international corporation level, the organizational complexity is so high that it is almost impossible to have a detailed representation, from the security point of view, of what is happening everywhere. This is due to humans’ inability to handle large amounts of information without the risk of excluding some critical aspects from analysis. Introducing an intelligent agent into the equation may help experts at any organizational level in maintaining tight control. The agent-based approach can be integrated into FISMA.

Until now, a considerable part of the Internet protection strategy was based on users’ presumed knowledge about the subject. But most cyber-attacks that succeed are successful due to users’ lack of knowledge or disregard of security protocols. The human-computer interface already tries to adapt people to computers and also to the use of expert systems. So, creating a cyber-assistant for any user should be more efficient than trying to increase the user’s knowledge regarding the subject.

Intelligent agents in security auditing

The use of artificial intelligence is not new in the field of security. The first uses of an expert system in risk evaluation were related to business needs; the main interest was in sales optimization and it was designed to help the manager [10]. Intelligent agents have already been used for risk assessment with good results [11]. Another application, at the organizational level, of intelligent agents concerns multi-agent self-organization models with applications in operational enterprise management [12]. There are also tools for document flow processing used to help organization managers in decision making [13,14].

In the past decade, new concepts like Agent Based Artificial Immune System (ABAIS) have emerged in security-related research [15]. Regarding Internet security, all of the important techniques from the field of AI have been used. The increase in available computing power gives designers the possibility of analyzing a combination of two or more AI algorithms, in order to improve the response of the system in antivirus detection [16]. Any Internet security solution also includes a firewall. As a result, some research has been done on improving the monitoring of the information flow using intelligent agents. Here, the idea of cooperation among various intrusion detection systems (IDSs) was introduced [17]. Some approaches are intended to make estimations about the global information threat level for a system or organization [18].

The main parties involved in the security cycle are the chief information security officer, the stakeholder review team, and the executive decision maker [19]. An intelligent agent system may be deployed at any of these levels. The centralized approach can be used in expert system implementation as part of a larger information retrieval system, but its limits are especially related to the speed of inserting new rules into the database and also to their diversity. As the IT integration of a society increases, so do its dynamics. An approach based on a local expert system will not give the speed and flexibility required to quickly adapt to the changes in cyberspace.

Security cyber-assistant system

The cyber-assistant system may be used by any category of users, regardless of their expertise in the information security field. For the common user, the system will interact with their local Internet security solution and offer supplementary information (even portions of current laws) when a decision regarding system security or law breaking must be made. A common use of the system may be when the user accesses sites that index media content that may not be freely distributed. Downloading illegal applications or keys for them may also trigger system messages.

For experts, such as the chief of IT-related security or other security staff, the system will act significantly differently. At their level, there are already databases with knowledge and specific security protocols that must be applied. So the system will provide periodic executive summaries generated by combining data mining from local databases with information retrieval from official or unofficial security-related channels.

Of course the system may be used, if legal agreements allow, to report any suspicious activity by a common user. In special cases, laws like the Electronic Communications Privacy Act in the US and its variants in the EU or UK give the government full access to people’s communications. User surveillance would be done mostly in organizations, because the normal user of the Internet may reject this option. Yet the advantage of the system in decreasing common user cyber-criminality is enough to justify its consideration.

The proposed system will have two goals. One is to search and retrieve from the Internet any news related to security breaches. The other is to gather or extract facts and rules for the inference engine that supports security management of the organization, or the user.

Regarding the first functionality of the system, it may seem unnecessary to search and retrieve information related to the security of information, especially about new breaches, when there are a lot of national and international organizations (e.g., CERT) with these goals. Unfortunately, there is another world outside these organizations that is more dynamic and more dangerous: the hackers’ world. Most of the security-related approaches are based on the fixed idea that if enough force is used and enough constraints are enforced, the activity of the hackers can really be controlled. This seems to be a classical military approach. Years of effort have already proven its lack of efficiency. A more diplomatic solution would be to discreetly intercept the hackers’ social networks where the latest news related to security breaches appears. With this time advantage, a contingency plan within the organization can be developed. As a result, the system must search (using intelligent agents) any underground network that can be accessed or intercepted using an application.

This is possible because the goal is not to discover the real origin of the information, so the agent will have no problem using http or https over the anonymizer proxies that are used in most cases by the underground. Simulating a browser signature so that a target system believes a real user is behind the request is already a common task. The second source of information, with lower quality but a high volume of data, is the social networks. The ENCHELON system uses the same approach, but no organization can afford its operational costs [20]. As a result, new, cheaper ways of performing the same task must be found (e.g., using intelligent agents). A filtered file containing a digest of all news will be provided by joining all the data extracted from every source.

As previously mentioned, the other goal of the system will be to help the security officer in better handling the increased flow of news, laws, and regulations related to his work. To do this, an intelligent agent will be placed at the output of any information source. This is necessary because, otherwise, the problem of translating natural language will make the solution unfeasible. The agent will have a dictionary of key terms and some knowledge about the format of the document. In this case, there is a good chance that the most important facts are isolated and extracted from the document. This will lead to an executive summary of the critical information.
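The following is an added example, not code from the chapter, showing the kind of "source output" agent described above: it carries a dictionary of weighted key terms, knows a simple assumed document format (a title line, a `Source:` line, then the body), isolates the sentences that carry the most key terms, and merges the facts from several documents into a short executive summary. The key-term dictionary, the document format and the two sample documents are all constructed for the example.

```python
"""Added example (not from the chapter): key-term-driven fact extraction and
executive-summary generation, as an illustration of the source-output agent.
All term weights, document formats and documents below are constructed."""
import re
from dataclasses import dataclass

# Hypothetical key-term dictionary: term prefix -> weight (constructed)
KEY_TERMS = {
    "vulnerability": 3, "exploit": 3, "breach": 3, "ransomware": 3,
    "patch": 2, "regulation": 2, "compliance": 2, "phishing": 2,
    "credential": 2, "outage": 1,
}


@dataclass
class Fact:
    source: str
    sentence: str
    score: int
    terms: tuple


def parse_document(text):
    """Assumed document format: title on line 1, an optional 'Source: ...' line,
    then the body. Returns (title, source, body as one string)."""
    lines = text.strip().splitlines()
    title, source, body_start = lines[0].strip(), "", 1
    for i, line in enumerate(lines[1:], start=1):
        if line.lower().startswith("source:"):
            source = line.split(":", 1)[1].strip()
            body_start = i + 1
            break
    body = " ".join(l.strip() for l in lines[body_start:] if l.strip())
    return title, source, body


def split_sentences(body):
    """Naive sentence splitter: break after . ! ? followed by whitespace."""
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", body) if s.strip()]


def extract_facts(text, key_terms=KEY_TERMS, min_score=3):
    """Score each sentence by the key terms it contains (prefix match, so
    'exploited' counts for 'exploit') and keep those above the threshold."""
    title, source, body = parse_document(text)
    facts = []
    for sentence in split_sentences(body):
        words = set(re.findall(r"[a-z]+", sentence.lower()))
        hits = tuple(sorted(t for t in key_terms
                            if any(w.startswith(t) for w in words)))
        score = sum(key_terms[t] for t in hits)
        if score >= min_score:
            facts.append(Fact(source or title, sentence, score, hits))
    return facts


def executive_summary(documents, key_terms=KEY_TERMS, top_n=3):
    """Merge facts from all documents, rank by score (stable, so the first
    source to report an item wins), drop repeated sentences, keep the top N."""
    facts = []
    for doc in documents:
        facts.extend(extract_facts(doc, key_terms))
    facts.sort(key=lambda f: -f.score)
    seen, summary = set(), []
    for f in facts:
        key = f.sentence.lower()
        if key not in seen:
            seen.add(key)
            summary.append(f)
    return summary[:top_n]


# Constructed sample documents (not real advisories)
DOC_VENDOR = """Vendor advisory
Source: vendor-news-feed

A vulnerability in the mail gateway is being exploited in the wild.
A patch is available and customers should apply it this week.
The vendor thanked its partners for their support.
"""

DOC_REGULATOR = """Regulator bulletin
Source: regulator-bulletin

New regulation on breach notification takes effect next quarter.
Organizations must report credential theft and phishing within 72 hours.
A vulnerability in the mail gateway is being exploited in the wild.
"""

if __name__ == "__main__":
    for fact in executive_summary([DOC_VENDOR, DOC_REGULATOR]):
        print(f"[{fact.score}] {fact.source}: {fact.sentence}  terms={fact.terms}")
```

The threshold and weights decide what counts as "critical"; a real deployment would keep them in the administrator's configuration rather than in code, and would log which sentences were dropped so the officer can tune the dictionary when something important is missed.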

In Figure 26.1, the structure of an intelligent agent that will provide the officer with the needed information is presented. As can be seen, the structure is very simple. The agent can be executed without problems on any type of computing node, including mobile devices.

Figure 26.1 Security officer interface agent.

The informational flow that must be analyzed by the main system (see Figure 26.2) is the document library, which contains all the security policies, laws, and regulations used by the company. A quick index table of all the documents will be created.

Figure 26.2 Main system structure.

In Figure 26.2, the main structure of the system is presented. It is created around the intelligent agent framework. The framework will provide dedicated agents to do information retrieval, interfacing with users, data mining, and other tasks needed to maintain the system’s scalability, such as the agent for load balancing or the agent for communication security.

The other module is the communication one. In this approach, a communication agent and a communication module are proposed as separate entities in order to increase security, since this solution will introduce supplementary security check points in the communication workflow. For the same reason, access to the rest of the system will not be direct but through a separate system interface module. The user interface will provide the administrator with everything needed to maintain and configure the application.

The administrator of the system will configure each dedicated agent according to the data stream that must be acquired. Then the agent begins to search the Internet to find the desired data stream. When the agent comes to a node and finds something, it will search the master list to see if that source is already being processed. If the answer is no, the agent will clone itself and move on to another location. The clone will remain locally and begin to mine information from the data stream. From time to time, each miner will report the newly acquired information to the central base of the system.

The original agent is deployed at the central base and has the role of continuously gathering the reports that come from each active clone on the Internet. From time to time, it will generate a report specific to the managed resource. All these reports are then combined by a different agent that also handles the knowledge database index and begins to cross-reference the received reports with the existing knowledge. This removes most of the redundancy, and the news that remains contains links to internal organizational knowledge.
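As an added example that is not part of the chapter, the acquisition workflow of the two preceding paragraphs can be simulated in a few classes: a master list that records which sources are already being mined, a roaming deployment step that leaves a clone miner only on sources not yet claimed, miners that report what they have seen since their last report, and a central cross-referencing step that merges identical news arriving from different sources and attaches links from the organization's knowledge index. The source names, data streams and knowledge index are constructed sample data; the agent framework itself is not modelled.

```python
"""Added example (not from the chapter): master-list-based cloning of miner
agents and central cross-referencing of their reports against a knowledge index.
All sources, stream contents and index entries are constructed."""
import re

# Constructed knowledge-database index: topic -> internal document ids (hypothetical)
KNOWLEDGE_INDEX = {
    "ransomware": ["policy/IR-PLAN-02", "reg/NOTIFY-72H"],
    "phishing": ["policy/AWARENESS-01"],
    "patch": ["policy/PATCH-MGMT-01"],
}

# Constructed data streams that the miner clones would read at their sources
STREAMS = {
    "feed-a": [
        "Ransomware campaign hits logistics firms in two countries",
        "Vendor releases patch for mail gateway flaw",
    ],
    "feed-b": [
        "Vendor releases patch for mail gateway flaw",  # same news, second source
        "Phishing wave imitates tax authority",
    ],
    "feed-c": [
        "Conference announces call for papers",  # no matching internal topic
    ],
}


class MasterList:
    """Registry of sources already being processed; a second agent reaching
    the same source must not clone itself again."""
    def __init__(self):
        self.assigned = {}

    def claim(self, source, miner_id):
        if source in self.assigned:
            return False
        self.assigned[source] = miner_id
        return True


class MinerClone:
    """A clone left at one source; reports only items not yet reported."""
    def __init__(self, miner_id, source, stream):
        self.miner_id, self.source, self.stream = miner_id, source, stream
        self.cursor = 0

    def report(self):
        items = [{"source": self.source, "text": t} for t in self.stream[self.cursor:]]
        self.cursor = len(self.stream)
        return items


def deploy_miners(master, candidate_sources, streams):
    """The roaming agent visits each candidate; it clones only where the
    master list says nobody is mining yet."""
    miners = []
    for src in candidate_sources:
        miner_id = f"miner-{len(miners) + 1}"
        if master.claim(src, miner_id):
            miners.append(MinerClone(miner_id, src, streams[src]))
    return miners


def fingerprint(text):
    """Normalise text so the same news from two sources collapses to one entry."""
    return " ".join(re.findall(r"[a-z0-9]+", text.lower()))


def cross_reference(reports, index=KNOWLEDGE_INDEX):
    """Merge duplicate items, record every source that carried them, and link
    each item to internal knowledge whose topic word appears in the text."""
    merged = {}
    for item in reports:
        entry = merged.setdefault(fingerprint(item["text"]),
                                  {"text": item["text"], "sources": [], "links": []})
        if item["source"] not in entry["sources"]:
            entry["sources"].append(item["source"])
    for entry in merged.values():
        words = set(fingerprint(entry["text"]).split())
        for topic, docs in index.items():
            if topic in words:
                entry["links"].extend(docs)
    return list(merged.values())


def run_cycle(candidate_sources, streams=STREAMS, index=KNOWLEDGE_INDEX):
    """One acquisition cycle: deploy, collect reports, cross-reference."""
    master = MasterList()
    miners = deploy_miners(master, candidate_sources, streams)
    reports = [item for m in miners for item in m.report()]
    return master, miners, cross_reference(reports, index)


if __name__ == "__main__":
    _, miners, news = run_cycle(["feed-a", "feed-b", "feed-a", "feed-c"])
    print(f"{len(miners)} miners deployed")
    for entry in news:
        print(entry["sources"], "->", entry["text"], entry["links"])
```

Items without any internal link are kept rather than dropped: a news item that matches no existing policy is exactly the one the security officer cannot look up by himself, so the cross-referencing step should flag it as a gap in the knowledge base instead of silently discarding it.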

In the case of a common user, the cost of having access to a system such as the one just presented for the corporation is not feasible. Yet there is the possibility that the market will come up with a business that makes this type of system available to common users. Each user would pay on a regular basis for the information that his or her own interface agent will provide. The user would also be able to customize his or her intelligent agent and give it, if necessary, access to his or her own knowledge. Producers of Internet security software have already adopted the idea of creating a network of knowledge about attacks. Their approach is simple, based on a combination of a centralized knowledge database that provides minimum help for the user and operator-based help. This software gives the user the possibility of setting new rules, but most users do not have the required skills. So the most advanced providers (such as Norton) automatically update the knowledge database about the threats and the “safe applications list.”

The proposed approach has the flexibility of the AI methods. It would give the user interface agent, shown in Figure 26.3, the possibility to gather knowledge about the user’s habits on the Internet and also to improve the help offered to the user.

Figure 26.3 User interface agent structure.

There would be three types of users according to their skill levels in computer security. The basic level user would have fully automated support from the agent. The intermediate level user would be able to select security sources for analysis and set some rules. The third level user would have full access to the interface allowing him or her to customize all the functions of his or her interface agent.

The system will require a central base where the main knowledge repository is located. The advantage of the approach is that transnational corporations and federal administrations would not need to maintain centralization. The local central nodes will be located at the regional nodes, and, by the use of some dedicated intelligent agents, a distributed database can be maintained at the upper levels of the organization.

The information retrieval agent presented in Figure 26.4 has the most complex job in the system. It analyzes the data streams and extracts the basic information, minimizing redundancy as much as possible. In the case of a mobile node, which has fewer computing resources, the optional modules may not be loaded in order to avoid system overload.

Figure 26.4 Information retrieval agent structure.

From the point of view of law enforcement, the system will provide two types of enforcement. One is passive, or indirect, enforcement. This is due to the paradigm shift already discussed. From the outside point of view, there are small differences between a security expert and a user coupled with a cyber-assistant that helps the user in virtually every decision related to the security of the user’s system. Of course, the user may choose to ignore the suggestion from the system. This situation may be disregarded if the system provides quotes from current laws regarding the problem in question. Experience shows that, in most cases, users neglect the law because they either don’t know it or don’t understand the consequences. If the percentage of users that fully comply with Internet regulations increases, the activity of a real hacker will be much easier to detect.

The other form of enforcement is active and direct. If the system dynamically retrieves news from various sources that are also used by hackers to disseminate the latest knowledge about detected security weaknesses or the latest methods for attacking a system or a class of applications, then the reaction speed of a security officer will be significantly improved.

Summary

In this chapter, the concept of cyber-terrorism was analyzed in the context of global political changes. In the context of globalization, many societies have begun to adopt the information society paradigm. This will lead to an exponential increase in Internet complexity. Also, the classical form of war is changing, adapting to the new informational environment. In this context, a paradigm shift in assuring cyber-security is proposed. A multi-agent system may offer the solution for this paradigm change. This is possible because the increasing computing power and broadband needed by this approach are beginning to be available in most situations at the cyberspace level. Finally, a system based on intelligent agents that provides a security cyber-assistant to help the common user or the information security staff in handling the increasing informational flow regarding security problems is proposed.

References

1. Prucher J. Brave new words: The Oxford Dictionary of Science Fiction. New York: Oxford University Press; 2007.

2. Gantz SD, Philpott DR. FISMA and the risk management framework: The new practice of federal cyber security. Waltham: Syngress; 2013.

3. Gerdes A. Al-Qaeda on Web 2.0: Radicalization and recruitment strategies. In: Dudley A, Braman J, Vincenti G, eds. Investigating cyber law and cyber ethics: Issues, impacts and practices. York: Information Science Reference; 2012.

4. Collin B. CJC Publications CJI-Archives [Internet]. 1997 [retrieved 2013 Jun 10]. Retrieved from: <http://www.cjimagazine.com>: <www.cjimagazine.com/archives/cji4c18.html?id=415>.

5. Hoffman B. Inside terrorism. New York: Columbia University Press; 1998.

6. Colarik AM. Cyberterrorism: Political and economic implications. London: Idea Group, Inc; 2006.

7. Hoffman B. Inside terrorism. New York: Columbia University Press; 2010.

8. Mitra A. Digital security: Cyber terror and cyber security. New York: Infobase Publishing; 2010.

9. Gragido W, Pirc J. Cybercrime and espionage: An analysis of subversive multivector threats. Burlington: Syngress; 2013.

10. McGregor GC. The risk advisor expert system. In: Proceedings of the 4th Portuguese Conference on Artificial Intelligence. Berlin Heidelberg: Springer; 1989. p. 297–307.

11. Shikha Selvarani R. An efficient method of risk assessment using intelligent agents. In: Second International Conference on Advanced Computing & Communication Technologies (ACCT). New York: IEEE CPS; 2012. p. 123–126.

12. Gorodetskii VI. Self-organization and multiagent systems: II. Applications and the development technology. Journal of Computer and Systems Sciences International. 2012;51(3):391–409.

13. Godlewska M. Agent system for managing distributed mobile interactive documents. Transactions on Computational Collective Intelligence VI. 2012:121–145.

14. Delias P, Doulamis A, Matsatsinis N. What agents can do in workflow management systems. Artificial Intelligence. 2011;35(2):155–189.

15. Ramakrishnan S, Srinivasan S. Intelligent agent based artificial immune system for computer security: A review. Artificial Intelligence Review. 2009;32(1–4):13–43.

16. Wang X-B, Yang G-Y, Li Y-C, Liu D. Review on the application of artificial intelligence in antivirus detection systems. In: IEEE Conference on Cybernetics and Intelligent Systems. Washington: IEEE; 2008. p. 506–509.

17. Sanz-Bobi MA, Castro M, Santos J. IDSAI: A distributed system for intrusion detection based on intelligent agents. In: Fifth International Conference on Internet Monitoring and Protection. Washington: IEEE; 2010. p. 1–6.

18. Hall A. Creating an expert system risk assessment tool for precursor analysis. In: RAMS: Proceedings of the Reliability and Maintainability Symposium. New York: IEEE CPS; 2011. p. 1–4.

19. Bayuk JL, Healey J, Rohmeyer P, Sachs MH, Schmidt J, Weiss J. Cyber security policy guidebook. Hoboken: John Wiley & Sons, Inc; 2012.

20. O’Neil J. Enchelon: Somebody’s listening. Tarentum: World Association Publisher; 2005.
