A Multi-Agent Architecture for Intrusion Detection


Description: Presentation at KES 2002

Transcript of A Multi-Agent Architecture for Intrusion Detection

Page 1: A Multi-Agent Architecture for Intrusion Detection

6th Int. Conf. On Knowledge-Based Intelligent Information & Engineering Systems (KES 2002)

Podere d’Ombriano, Crema, Italy

Amparo Alonso Betanzos

Bertha Guijarro Berdiñas

Juan A. Suárez Romero

A Multi-Agent Architecture for Intrusion Detection

Laboratory for Research and Development in Artificial Intelligence

Department of Computer Science

Faculty of Informatics

University of A Coruña, Spain

Page 2: A Multi-Agent Architecture for Intrusion Detection


Intrusion Detection

• Detect individuals who:
  – Use a system without authorization
  – Misuse a system

• Desired features
  – Fault tolerant
  – Resistance to attacks
  – Adaptable and configurable

Agents!

Page 3: A Multi-Agent Architecture for Intrusion Detection

AAFID

• Autonomous Agents For Intrusion Detection

[Figure: AAFID architecture diagram, with its components: Monitors A and B, Transceivers C, D and E, Agents F to J, a Filter and the User interface.]

Page 4: A Multi-Agent Architecture for Intrusion Detection

AAFID - Drawbacks

• A rigid information flow

[Figure: AAFID architecture diagram, as on page 3.]

Page 5: A Multi-Agent Architecture for Intrusion Detection

AAFID - Drawbacks

• Weak fault tolerance

[Figure: AAFID architecture diagram, as on page 3.]

Page 6: A Multi-Agent Architecture for Intrusion Detection

Our proposal

• Design lines for a more flexible architecture
  – Based on AAFID
    • Use of agents
    • Includes the functionality of AAFID’s agents
  – Extends AAFID
    • New types of agents
    • Use of dynamic relationships

This needs more knowledge!

Page 7: A Multi-Agent Architecture for Intrusion Detection

Two types of knowledge

• Domain knowledge
  – Agents do tasks
  – Each task needs different knowledge

• Social knowledge
  – Agents collaborate with each other through dynamic relationships
  – They need to know which agents to communicate with
  – Performed through an Agent Communication Language

Page 8: A Multi-Agent Architecture for Intrusion Detection

Proposed Architecture

[Figure: proposed architecture diagram, showing the agent classes Information, Prevention, Detection, Response, Evidences, Interface and Special around the protected HARDWARE and SOFTWARE.]

Page 9: A Multi-Agent Architecture for Intrusion Detection

Information Agents

[Figure: proposed architecture diagram, as on page 8.]

Page 10: A Multi-Agent Architecture for Intrusion Detection

Information Agents

[Figure: proposed architecture diagram, as on page 8.]

• Provide information to the system
  – From several sources
  – In a standard format
  – Isolating the protected hardware and software from the system

• Different levels of information
  – Collaborative and dynamic groups of agents

Page 11: A Multi-Agent Architecture for Intrusion Detection

Prevention Agents

[Figure: proposed architecture diagram, as on page 8.]

Page 12: A Multi-Agent Architecture for Intrusion Detection

Prevention Agents

[Figure: proposed architecture diagram, as on page 8.]

• Preclude or severely handicap the likelihood of a particular intrusion’s success

• Currently the most deployed aspect of security
  – Firewalls, PKI, …

• Integrate these elements
  – Agentification

Page 13: A Multi-Agent Architecture for Intrusion Detection

Detection Agents

[Figure: proposed architecture diagram, as on page 8.]

Page 14: A Multi-Agent Architecture for Intrusion Detection

Detection Agents

[Figure: proposed architecture diagram, as on page 8.]

• Find attempted or successful intrusions

• The system implements different detection techniques

• Groups with a hierarchical structure
  – Different monitoring levels
  – Compose complex detection techniques by combining individual agents
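The information agents of page 10 (several sources, one standard format), the social knowledge of page 7 (agents must know which agents to communicate with) and the hierarchical detection groups of this slide come together in the following added example. It is not code from the presentation or its authors: a registry resolves the receivers of a topic at send time, so relationships can change while the system runs; two information agents for a constructed syslog source and a constructed CSV source emit the same Event type; a host-level failed-login detector feeds a site-level detector that is composed from its alerts. Topic names, thresholds, agent classes and the log lines are all constructed for the illustration.

```python
"""Toy multi-agent IDS skeleton added for illustration (not the authors' code).
Information agents normalise two constructed log sources into one Event format;
a Registry holds the social knowledge of who consumes which topic, resolved at
send time so relationships stay dynamic; detection agents compose hierarchically.
All agent names, topics and log lines are constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass
import re

@dataclass(frozen=True)
class Event:
    source: str  # information agent that produced the event
    host: str
    kind: str    # "auth_failure" or "auth_success"
    user: str

class Registry:
    """Maps topics to receiver callables; agents can join or leave at run time."""
    def __init__(self):
        self._subs = defaultdict(list)

    def subscribe(self, topic, receiver):
        self._subs[topic].append(receiver)

    def publish(self, topic, item):
        for receiver in list(self._subs[topic]):  # copy: receivers may subscribe others
            receiver(item)

# Constructed syslog-style shape: "<host> sshd[<pid>]: Failed|Accepted password for <user> ..."
SYSLOG_RE = re.compile(r"(?P<host>\S+) sshd\[\d+\]: (?P<res>Failed|Accepted) password for (?P<user>\S+)")

class SyslogInfoAgent:
    """Information agent for a syslog source; the raw format stays hidden from the system."""
    def __init__(self, registry):
        self.reg = registry

    def ingest(self, line):
        m = SYSLOG_RE.search(line)
        if m:
            kind = "auth_failure" if m["res"] == "Failed" else "auth_success"
            self.reg.publish("events", Event("syslog", m["host"], kind, m["user"]))

class CsvInfoAgent:
    """Information agent for a constructed CSV source with fields host,result,user."""
    def __init__(self, registry):
        self.reg = registry

    def ingest(self, line):
        host, result, user = [f.strip() for f in line.split(",")]
        kind = "auth_failure" if result == "FAIL" else "auth_success"
        self.reg.publish("events", Event("csv", host, kind, user))

class FailedLoginDetector:
    """Leaf detection agent: one host-level alert when a host reaches `threshold` failures."""
    def __init__(self, registry, threshold=3):
        self.reg, self.threshold, self.failures = registry, threshold, Counter()
        registry.subscribe("events", self.receive)

    def receive(self, ev):
        if ev.kind != "auth_failure":
            return
        self.failures[ev.host] += 1
        if self.failures[ev.host] == self.threshold:  # fires exactly once per host
            self.reg.publish("alerts.host", {"level": "host", "host": ev.host,
                                             "count": self.failures[ev.host]})

class CampaignDetector:
    """Composed from leaf alerts: host alerts on `min_hosts` distinct hosts become one site-level alert."""
    def __init__(self, registry, min_hosts=2):
        self.reg, self.min_hosts, self.hosts = registry, min_hosts, set()
        registry.subscribe("alerts.host", self.receive)

    def receive(self, alert):
        self.hosts.add(alert["host"])
        if len(self.hosts) == self.min_hosts:  # fires exactly once
            self.reg.publish("alerts.site", {"level": "site", "hosts": sorted(self.hosts)})

# Constructed sample input from two different sources.
SYSLOG_LINES = [
    "Mar  1 10:00:01 web01 sshd[812]: Failed password for root from 198.51.100.7 port 5022 ssh2",
    "Mar  1 10:00:02 web01 sshd[813]: Failed password for root from 198.51.100.7 port 5023 ssh2",
    "Mar  1 10:00:03 web01 sshd[814]: Failed password for admin from 198.51.100.7 port 5024 ssh2",
    "Mar  1 10:00:09 web01 sshd[820]: Accepted password for deploy from 203.0.113.5 port 40022 ssh2",
]
CSV_LINES = ["db01, FAIL, sa", "db01, FAIL, sa", "db01, FAIL, postgres"]

def run_demo():
    """Wire the agents through the registry, feed both sources, return the alerts raised."""
    reg, alerts = Registry(), []
    for topic in ("alerts.host", "alerts.site"):  # stand-in for a response/interface agent
        reg.subscribe(topic, alerts.append)
    FailedLoginDetector(reg, threshold=3)
    CampaignDetector(reg, min_hosts=2)
    for agent, lines in ((SyslogInfoAgent(reg), SYSLOG_LINES), (CsvInfoAgent(reg), CSV_LINES)):
        for line in lines:
            agent.ingest(line)
    return alerts

if __name__ == "__main__":
    print(run_demo())
```

The detectors never name each other: each only knows a topic, and the registry decides at publish time who receives it. That is what lets a detector be added, replaced or lost without rewiring the others, the flexibility the slides contrast with AAFID's fixed agent-transceiver-monitor flow.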

Page 15: A Multi-Agent Architecture for Intrusion Detection

Response Agents

[Figure: proposed architecture diagram, as on page 8.]

Page 16: A Multi-Agent Architecture for Intrusion Detection

Response Agents

[Figure: proposed architecture diagram, as on page 8.]

• Deal with detected intrusions

• Provide different response policies

Page 17: A Multi-Agent Architecture for Intrusion Detection

Evidence-Search Agents

[Figure: proposed architecture diagram, as on page 8.]

Page 18: A Multi-Agent Architecture for Intrusion Detection

Evidence-Search Agents

[Figure: proposed architecture diagram, as on page 8.]

• Collect evidence regarding an intrusion to be used in court

• Legal problems
  – Privacy
  – Different legislations

• Conflict with response agents
  – Collaboration

Page 19: A Multi-Agent Architecture for Intrusion Detection

Interface Agents

[Figure: proposed architecture diagram, as on page 8.]

Page 20: A Multi-Agent Architecture for Intrusion Detection

Interface Agents

[Figure: proposed architecture diagram, as on page 8.]

• Allow communication between users and the system
  – “Users” can be humans or other systems

• Integrate users as “agents”
  – Learn from users

Page 21: A Multi-Agent Architecture for Intrusion Detection

Special Agents

[Figure: proposed architecture diagram, as on page 8.]

Page 22: A Multi-Agent Architecture for Intrusion Detection

Special Agents

[Figure: proposed architecture diagram, as on page 8.]

• Perform a variety of tasks
  – Maintenance
  – Utilities
  – …

Page 23: A Multi-Agent Architecture for Intrusion Detection

Conclusions

• Intrusion Detection is a challenging research field

• AAFID
  – First system that uses agents
  – Rigid

• Proposed architecture
  – Seven classes of agents
  – Dynamic cooperation
  – Use of both domain and social knowledge

• Currently we are working on the development of detection agents

Page 24: A Multi-Agent Architecture for Intrusion Detection

6th Int. Conf. On Knowledge-Based Intelligent Information & Engineering Systems (KES 2002)

Podere d’Ombriano, Crema, Italy

Amparo Alonso Betanzos

Bertha Guijarro Berdiñas

Juan A. Suárez Romero

A Multi-Agent Architecture for Intrusion Detection

Laboratory for Research and Development in Artificial Intelligence

Department of Computer Science

Faculty of Informatics

University of A Coruña, Spain

Thank you for your attendance!