Abstract

Security auditing and worm containment are used to guarantee network security in metropolitan area networks (MANs). A multi-agent system for security auditing and worm containment in MAN (MSAWCM) is presented to audit users' accesses and provide a first-class automatic reaction mechanism that automatically applies containment strategies, preventing clean hosts from being infected by blocking the propagation of worms. MSAWCM uses the broadband access server (BAS) as an information gathering agent, which uses a hardware packet filter (HPF) to capture packets from the MAN. It adaptively studies and audits access across the whole network and dynamically changes its working parameters to detect unknown worms. MSAWCM integrates a worm detection system (WDS) and a network management system (NMS). Reaction measures can be taken through the SNMP interface to control the BAS as soon as the WDS detects an active worm. MSAWCM is very effective in blocking random scanning worms, which are very noisy and tend to waste a lot of network bandwidth and crash routers. Simulation results indicate that a high worm infection rate in epidemics can be avoided to a degree when MSAWCM blocks the propagation of the worms.
