Asynchronous alert correlation in multi-agent intrusion detection systems

  • Authors: Vladimir Gorodetsky, Oleg Karsaev, Vladimir Samoilov, Alexander Ulanov
  • Affiliations: SPIIRAS, St. Petersburg, Russia (all authors)
  • Venue: MMM-ACNS'05, Proceedings of the Third International Conference on Mathematical Methods, Models, and Architectures for Computer Network Security
  • Year: 2005

Abstract

This paper presents a conceptual model, an architecture and a software prototype of a multi-agent intrusion detection system (IDS) operating on the basis of heterogeneous alert correlation. The latter term denotes an IDS provided with a structure of anomaly-detection-like classifiers designed to detect intrusions in a cooperative mode. The idea is to use a structure of classifiers that operate on various data sources and are trained to detect attacks of particular classes. Alerts concerning particular attack classes produced by multiple classifiers are correlated at the upper layer. The top-layer classifier solves the intrusion detection task: it combines the decisions of the specialized alert correlation classifiers of the lower layer and produces a combined decision in order to detect an attack class more reliably. The IDS software prototype, which operates on input traffic, is implemented as a multi-agent system trained to detect attacks of the classes DoS, Probe and U2R. The paper describes the structure of such multi-layered intrusion detection, outlines the preprocessing procedures and data sources, specifies the IDS multi-agent architecture and briefly presents the experimental results obtained on the DARPA-98 data, which generally confirm the feasibility of the approach and certain advantages of it.
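As an added illustration of the layered scheme the abstract describes (this is not code from the paper or its prototype): lower-layer classifier agents raise per-class alerts asynchronously from different data sources, a per-class correlator fuses alerts that fall within a time window, and a top-layer classifier combines the per-class results into one decision. The fusion rule (noisy-OR over distinct sources), the window, the threshold and the source names are assumptions, not the paper's.

```python
import math
from collections import defaultdict
from dataclasses import dataclass

ATTACK_CLASSES = ("DoS", "Probe", "U2R")  # the classes the prototype is trained on
@dataclass(frozen=True)
class Alert:
    source: str        # classifier agent / data source (assumed names)
    attack_class: str  # one of ATTACK_CLASSES
    t: float           # seconds; alerts arrive asynchronously, possibly out of order
    score: float       # classifier confidence in [0, 1]

def correlate_class(alerts, window):
    """Lower layer, one attack class (assumed rule): sort alerts by time, slide a window,
    noisy-OR the best score of each distinct source. Returns (fused_score, window_start)."""
    alerts = sorted(alerts, key=lambda a: a.t)
    best = (0.0, None)
    for i, anchor in enumerate(alerts):
        per_source = {}
        for a in alerts[i:]:
            if a.t - anchor.t > window:
                break
            per_source[a.source] = max(per_source.get(a.source, 0.0), a.score)
        if len(per_source) < 2:  # a single source is not corroborated
            continue
        fused = 1.0 - math.prod(1.0 - s for s in per_source.values())
        if fused > best[0]:
            best = (fused, anchor.t)
    return best

def top_layer_decision(alerts, window=5.0, threshold=0.8):
    """Top layer: combine per-class results; report the best-supported class or 'normal'."""
    by_class = defaultdict(list)
    for a in alerts:
        by_class[a.attack_class].append(a)
    fused = {c: correlate_class(by_class[c], window) for c in ATTACK_CLASSES}
    cls, (score, t0) = max(fused.items(), key=lambda kv: kv[1][0])
    if score < threshold:
        return ("normal", 0.0, None)
    return (cls, round(score, 3), t0)

# Constructed sample alerts (not from the paper); the second DoS alert arrives late.
SAMPLE_ALERTS = [
    Alert("conn_stats", "DoS", 12.0, 0.7),
    Alert("packet_hdr", "DoS", 10.5, 0.6),
    Alert("conn_stats", "Probe", 3.0, 0.9),   # one source only: never corroborated
    Alert("host_audit", "U2R", 40.0, 0.5),
    Alert("conn_stats", "U2R", 44.0, 0.4),    # two sources, but fused 0.7 < threshold
]
```

Running `top_layer_decision(SAMPLE_ALERTS)` yields a DoS decision anchored at t=10.5 with fused score 0.88, while the lone Probe alert and the weak U2R pair are not reported.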