A framework for distributed intrusion detection using interest driven cooperating agents
Related papers
An Architecture of a Distributed Intrusion Detection System Using Cooperating Agents
Proceedings of the International Conference on Computing and Informatics (ICOCI ’06), pp. 1-6. Computer and Security Track, June 6-8, 2006, Kuala Lumpur, Malaysia. Paper ID: 007, 2006
An Intrusion Detection System (IDS) is a security mechanism that is expected to monitor and detect intrusions into the computer systems in real time. The currently available intrusion detection systems have a number of problems that limit their configurability, scalability, and efficiency. There have been some propositions about distributed architectures based on multiple independent agents working collectively for intrusion detection. However, these distributed intrusion detection systems are not fully distributed as most of them centrally analyze data collected from distributed nodes resulting in a single point of failure. In this paper, we propose a distributed architecture with autonomous and cooperating agents without any central analysis component. The agents cooperate by using a hierarchical communication of interests and data, and the analysis of intrusion data is made by the agents at the lowest level of the hierarchy. This architecture provides significant advantages in design of an IDS in terms of scalability, flexibility, extensibility, fault tolerance, and resistance to compromise. We have developed a proof-of-concept prototype, and conducted experiments on the system. The results show the effectiveness of our system in detecting intrusive activities in any network of workstations.
A Distributed Intrusion Detection System Using Cooperating Agents
Proceedings of the 3rd International Conference on Information Processing (ICIP’09), August 7 – 9, Bangalore, 2009, Editors: L.M. Patnaik and K.R. Venugopal, pp. 559 – 568, 2009
The current intrusion detection systems have a number of problems that limit their configurability, scalability and efficiency. There have been some propositions about distributed architectures based on multiple independent agents working collectively for intrusion detection. However, these distributed intrusion detection systems are not fully distributed as most of them centrally analyze data collected from distributed nodes which may lead to a single point of failure. In this paper, a distributed intrusion detection architecture is presented that is based on autonomous and cooperating agents without any centralized analysis components. The agents cooperate by using a hierarchical communication of interests and data, and the analysis of intrusion data is made by the agents at the lowest level of the hierarchy. This architecture provides significant advantages in scalability, flexibility, extensibility, fault tolerance, and resistance to compromise. A proof-of-concept prototype is developed and experiments have been conducted on it. The results show the effectiveness of the system in detecting intrusive activities.
An architecture for intrusion detection using autonomous agents
1998
The intrusion detection system architectures commonly used in commercial and research systems have a number of problems that limit their configurability, scalability or efficiency. The most common shortcoming in the existing architectures is that they are built around a single monolithic entity that does most of the data collection and processing. In this paper, we review our architecture for a distributed intrusion detection system based on multiple independent entities working collectively.
Agent-Based Approach for Distributed Intrusion Detection System Design
Computational Science – ICCS 2006, 2006
The aim of this paper is to propose an architecture of distributed Intrusion Detection System (IDS). It is assumed that IDS system will detect and track dissemination and activity of the Internet worms. A general architecture for such a distributed multiagent system is proposed and the tasks, techniques and algorithms to be used are sketched.
An adaptive distributed Intrusion detection system architecture using multi agents
International Journal of Electrical and Computer Engineering (IJECE), 2019
Intrusion detection systems are used to monitor network data, analyze it, and find intrusions, if any. The major issues with these systems are the time taken for analysis, the transfer of bulk data from one part of the network to another, high false positives and adaptability to future threats. These issues are addressed here by devising a framework for intrusion detection. Here, various types of co-operating agents are distributed in the network for monitoring, analyzing, detecting and reporting. Analysis and detection agents are the mobile agents which are the primary detection modules for detecting intrusions. Their mobility eliminates the transfer of bulk data for processing. An algorithm named territory is proposed to avoid interference of one analysis agent with another. A communication layout of the analysis and detection module with other modules is depicted. The inter-agent communication reduces the false positives significantly. It also facilitates the iden...
Agent-Based Distributed Intrusion Alert System
Lecture Notes in Computer Science, 2004
Intrusion detection for computer systems is a key problem in today's networked society. Current distributed intrusion detection systems (IDSs) are not fully distributed as most of them centrally analyze data collected from distributed nodes resulting in a single point of failure. Increasingly, researchers are focusing on distributed IDSs to circumvent the problems of centralized approaches. A major concern of fully distributed IDSs is the high false positive rates of intrusion alarms which undermine the usability of such systems. We believe that effective distributed IDSs can be designed based on principles of coordinated multiagent systems. We propose an Agent-Based Distributed Intrusion Alert System (ABDIAS) which is fully distributed and provides two capabilities in addition to other functionalities of an IDS: (a) early warning when pre-attack activities are detected, (b) detecting and isolating compromised nodes by trust mechanisms and voting-based peer-level protocols.
Intrusion detection using autonomous agents
2000
AAFID is a distributed intrusion detection architecture and system, developed in CERIAS at Purdue University. AAFID was the first architecture that proposed the use of autonomous agents for doing intrusion detection. With its prototype implementation, it constitutes a useful framework for the research and testing of intrusion detection algorithms and mechanisms. We describe the AAFID architecture and the existing prototype, as well as some design and implementation experiences and future research issues.
Distributed Intrusion Detection using Mobile Agents
DIDMA (Distributed Intrusion Detection using Mobile Agents) is a novel architecture in the field of IDS (Intrusion Detection Systems), utilizing an agent-based approach in order to realize a distributed framework. The novelty in this architecture is the employment of mobile agents as its auditing components. This novel approach overcomes certain problems associated with traditional designs in IDS. In particular, problematic areas such as high-speed networks, traffic that is not visible, and fail-open architecture have been successfully managed. Moreover, the fault tolerant decentralized design of DIDMA clearly demonstrated resilience against active attacks.
An Architectural Framework for Distributed Intrusion Detection using Smart Agents
2004
Intrusion Detection Systems (IDS) have been developed to solve the problem of detecting attacks on several network systems. In small-scale networks a single IDS is sufficient to detect attacks, but this is inadequate in large-scale networks, where the number of packets across the network is enormous. In this paper, we present an Architectural Framework considering the large-scale network environment. We designed and implemented a Distributed Intrusion Detection system that relies on Smart Agents which monitor network traffic and report intrusion alerts to a central management node. Distribution is handled through the introduction of multiple sensors and the use of Smart Agents which are responsible for reporting and rate limiting of messages. Finally, we extended the IDMEF (Intrusion Detection Message Exchange Format) data model to support digital signatures and to strengthen the authentication of the system.