6th Int. Conf. On Knowledge-Based Intelligent Information & Engineering Systems (KES 2002)
Podere d’Ombriano, Crema, Italy
Amparo Alonso Betanzos, Bertha Guijarro Berdiñas, Juan A. Suárez Romero
A Multi-Agent Architecture for Intrusion Detection
Laboratory for Research and Development in Artificial Intelligence
Department of Computer Science
Faculty of Informatics
University of A Coruña, Spain
Intrusion Detection
• Detect individuals who:
– Use a system without authorization
– Misuse a system
• Desired features
– Fault tolerant
– Resistance to attacks
– Adaptable and configurable
Agents!
AAFID
• Autonomous Agents For Intrusion Detection
[Diagram: AAFID components: User interface, Monitors A and B, Transceivers C, D and E, Agents F, G, H, I and J, Filter]
AAFID - Drawbacks
• A rigid information flow
• Weak fault tolerance
Our proposal
• Design lines for a more flexible architecture
– Based on AAFID
• Use of agents
• Includes the functionality of AAFID’s agents
– Extends AAFID
• New types of agents
• Use of dynamic relationships
This needs more knowledge!
Two types of knowledge
• Domain knowledge
– Agents perform tasks
– Each task needs different knowledge
• Social knowledge
– Agents collaborate with each other through dynamic relationships
– They need to know which agents to communicate with
– Performed through an Agent Communication Language
Proposed Architecture
[Diagram: agent classes Information, Prevention, Detection, Response, Evidences, Interface and Special, over the protected HARDWARE and SOFTWARE]
Information Agents
• Provide information to the system
– From several sources
– In a standard format
– Isolating the protected hardware and software from the system
• Different levels of information
– Collaborative and dynamic groups of agents
Prevention Agents
• Preclude or severely reduce the likelihood of a particular intrusion’s success
• Currently the most widely deployed aspect of security
– Firewalls, PKI, …
• Integrate these elements
– Agentification
Detection Agents
• Find attempted or successful intrusions
• The system implements different detection techniques
• Groups with a hierarchical structure
– Different monitoring levels
– Compose complex detection techniques by combining individual agents
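An added example (not code from the paper or its authors) of the layering the Information and Detection agent slides describe: two Information agents translate raw lines from different sources into one standard event format, two leaf Detection agents each apply a simple technique at the lowest monitoring level, and a composite Detection agent one level up combines their verdicts. All class and function names, thresholds and the sample log lines are constructed for this illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass
# Constructed sample input (not from the paper): raw lines from two sources.
RAW_LINES = [
    ("auth", "sshd: Failed password for root from 203.0.113.7 port 4411"),
    ("auth", "sshd: Failed password for admin from 203.0.113.7 port 4412"),
    ("auth", "sshd: Failed password for root from 203.0.113.7 port 4413"),
    ("auth", "sshd: Failed password for bob from 198.51.100.2 port 5001"),
    ("fw", "DENY IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 DPT=23"),
    ("fw", "DENY IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 DPT=3389"),
]

@dataclass(frozen=True)
class Event:          # the "standard format" every Information agent emits
    source: str
    host: str
    kind: str         # "auth_fail" or "conn_denied"
    actor: str        # remote address that caused the event

# Information agents: each understands one raw source and shields the rest
# of the system from its syntax by translating lines into Events.
AUTH_RE = re.compile(r"Failed password for \S+ from (\S+)")
FW_RE = re.compile(r"DENY .*SRC=(\S+) DST=(\S+)")

def auth_info_agent(line):
    m = AUTH_RE.search(line)
    return Event("auth", "srv1", "auth_fail", m.group(1)) if m else None

def firewall_info_agent(line):
    m = FW_RE.search(line)
    return Event("fw", m.group(2), "conn_denied", m.group(1)) if m else None

# Leaf Detection agents: one simple technique each (lowest monitoring level).
def failed_logins_detector(events, threshold=3):
    hits = Counter(e.actor for e in events if e.kind == "auth_fail")
    return {ip for ip, n in hits.items() if n >= threshold}

def denied_conns_detector(events, threshold=2):
    hits = Counter(e.actor for e in events if e.kind == "conn_denied")
    return {ip for ip, n in hits.items() if n >= threshold}

# Composite Detection agent: a higher level that composes a complex technique
# from the leaves' verdicts (here: flag only actors reported by every leaf).
def correlated_detector(events, leaves):
    return set.intersection(*(leaf(events) for leaf in leaves))

def run_pipeline(raw_lines):
    agents = {"auth": auth_info_agent, "fw": firewall_info_agent}
    events = [ev for src, line in raw_lines if (ev := agents[src](line))]
    return correlated_detector(events, [failed_logins_detector, denied_conns_detector])
```

Swapping the composite's rule (intersection) for a union or a weighted vote changes the detection technique without touching the leaves, which is the kind of recombination the hierarchical grouping is meant to allow.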
Response Agents
• Deal with detected intrusions
• Provide different response policies
Evidence-Search Agents
• Collect evidence regarding an intrusion for use in court
• Legal problems
– Privacy
– Different legislations
• Conflict with response agents
– Collaboration
Interface Agents
• Allow communication between users and the system
– “Users” can be humans or other systems
• Integrate users as “agents”
– Learn from users
Special Agents
• Perform a variety of tasks
– Maintenance
– Utilities
– …
Conclusions
• Intrusion Detection is a challenging research field
• AAFID
– First system that uses agents
– Rigid
• Proposed architecture
– Seven classes of agents
– Dynamic cooperation
– Use of both domain and social knowledge
• Currently we are working on the development of detection agents
Thank you for your attendance!