Trust-Based Classifier Combination for Network Anomaly Detection

We present a method that improves the results of network intrusion detection by integrating several anomaly detection algorithms through trust and reputation models. Our algorithm builds on existing network behavior analysis approaches that are embodied in several detection agents. We divide the processing into three distinct phases: anomaly detection, trust model update, and collective trusting decision. Each phase contributes to reducing the classification error rate: the first by aggregating the anomaly values provided by the individual algorithms, the second by having each agent update its own trust model based on distinct traffic representation features (derived from its anomaly detection model), and the third by re-aggregating the trustfulness data provided by the individual agents. The result is a trustfulness score for each network flow, which can be used to guide manual inspection, thus significantly reducing the amount of traffic to analyze. To evaluate the effectiveness of the method, we present a set of experiments performed on real network data.
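The three phases can be sketched as follows; this is an added illustration, not code from the paper, and it shows how per-agent trust models can pull a flow's final score away from its own raw anomaly value. Assumptions not taken from the abstract: arithmetic-mean aggregation, trust models stored as per-key running means, the three feature representations, the threshold, and the constructed sample flows.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample flows. "scores" holds anomaly values in [0, 1] from three
# hypothetical detection agents (higher = more anomalous).
FLOWS = [
    {"id": "f1", "src": "10.0.0.5", "dport": 80,  "scores": [0.1, 0.2, 0.1]},
    {"id": "f2", "src": "10.0.0.9", "dport": 22,  "scores": [0.9, 0.8, 0.9]},
    {"id": "f3", "src": "10.0.0.9", "dport": 22,  "scores": [0.8, 0.9, 0.7]},
    {"id": "f4", "src": "10.0.0.9", "dport": 443, "scores": [0.2, 0.1, 0.9]},  # agents disagree
    {"id": "f5", "src": "10.0.0.7", "dport": 443, "scores": [0.1, 0.1, 0.2]},
]

# Assumed feature representation per agent: each agent places a flow in its own
# feature space, so the same observation lands in different contexts.
AGENT_FEATURES = [
    lambda f: f["src"],
    lambda f: f["dport"],
    lambda f: (f["src"], f["dport"]),
]

def trustfulness(flows):
    """Return {flow id: trustfulness in [0, 1]} after the three phases."""
    # Phase 1: anomaly detection, aggregated across agents (mean is an assumption).
    anomaly = {f["id"]: mean(f["scores"]) for f in flows}
    # Phase 2: every agent records trust (1 - aggregated anomaly) under the key
    # the flow has in that agent's own feature space.
    models = [defaultdict(list) for _ in AGENT_FEATURES]
    for f in flows:
        for model, key in zip(models, AGENT_FEATURES):
            model[key(f)].append(1.0 - anomaly[f["id"]])
    # Phase 3: collective decision, re-aggregating each agent's trust in the flow.
    result = {}
    for f in flows:
        per_agent = [mean(m[key(f)]) for m, key in zip(models, AGENT_FEATURES)]
        result[f["id"]] = round(mean(per_agent), 3)
    return result

def inspection_queue(flows, threshold=0.5):
    """Flow ids below the trust threshold, least trusted first."""
    scores = trustfulness(flows)
    return sorted((fid for fid, t in scores.items() if t < threshold), key=scores.get)

if __name__ == "__main__":
    print(trustfulness(FLOWS))
    print(inspection_queue(FLOWS))
```

Flow `f4` on its own would score a trust of 0.6, but it ends lower because the source-keyed agent has seen other anomalous flows from the same address.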
