Theodor Richardson, Goran Trajkovski
Network Intrusion Detection Systems (NIDS) are designed to differentiate malicious traffic from normal traffic on a network system to detect the presence of an attack. Traditionally, the approach around which these systems are designed is based upon an assumption made by Dorothy Denning in 1987 stating that malicious traffic should be statistically differentiable from normal traffic ; however, this statement was made regarding host systems and was not meant to be extended without adjustment to network systems. It is therefore necessary to change the granularity of this approach to find statistical anomalies per host as well as on the network as a whole. This approach lends itself well to the use of emergent monitoring agents per host that have a central aggregation point with a visualization of the network as a whole. This paper will discuss the structure, training, and deployment of such an agent-based intrusion detection system and analyze its viability in comparison to the more traditional anomaly-based approach to intrusion detection.
Subjects: 7.1 Multi-Agent Systems; 7. Distributed AI
Submitted: Sep 14, 2007