Enhancing network survivability using intelligent agents

This thesis examines the application of fuzzy logic and intelligent agents to intrusion detection and response. The aim is to build an agent-based system that imitates the ability of the human mind both to reason about ongoing network attacks—mainly flooding DoS and scanning worms—and to adopt an appropriate response despite the uncertainties involved in this process. Agents, however, observe more accurately and analyze more quickly than a human could. As a result, they can make decisions that satisfy the cost and benefit criteria encoded in the survivability policy and can launch timely, context-sensitive responses. A new architecture called the Fuzzy Adaptive Survivability Architecture (FASA) is described. FASA uses fuzzy intrusion detection engines that combine information about possible anomalies in network variables and relate them to known network-level attacks. Automated traffic analysis is the only effective method for stopping the excessive network traffic caused by flooding DoS and scanning worms, and a new approach to automated traffic analysis is also proposed. FASA collects all suspicious flows in a Suspicious Flow Table (SFT). It then identifies the common features of the malicious network flows and filters all similar flows, provided that the collateral damage of this response is not excessive. The criteria and the algorithm that select such desirable responses are also proposed. We have implemented FASA as a multiagent system using Belief-Desire-Intention (BDI) agents to study the performance of our approach. Our experiments with the KDD Cup 1999 data set show that FASA can generate highly granular analysis of attack events and that this high granularity translates into improved detection performance.
Moreover, this granular detection, combined with information about the severity of the ongoing attack event and its context, enables FASA to overcome the uncertainties of response generation. We have demonstrated the automated response capability of FASA in a real-world worm traffic mitigation scenario. The data set for this scenario was collected from a real network on the campus of the University of New Brunswick.
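One way to implement the SFT response selection described above, as an added example that is not the thesis's own code: it assumes each flow is a record with src, dst_port and proto features, enumerates candidate filters from feature values shared by suspicious flows, scores each by the share of suspicious flows it blocks (benefit) against the share of benign flows it would also block (collateral damage), and selects the best filter that stays within the policy's collateral bound. The flow records and the bound values are constructed sample data.

```python
from itertools import combinations

# Constructed sample flows (not the thesis's data set). 'suspicious' marks
# flows that the detection engine placed in the Suspicious Flow Table (SFT).
FLOWS = [
    {"src": "10.0.0.5",  "dst_port": 445, "proto": "tcp", "suspicious": True},
    {"src": "10.0.0.5",  "dst_port": 445, "proto": "tcp", "suspicious": True},
    {"src": "10.0.0.9",  "dst_port": 445, "proto": "tcp", "suspicious": True},
    {"src": "10.0.0.12", "dst_port": 445, "proto": "tcp", "suspicious": True},
    {"src": "10.0.0.7",  "dst_port": 80,  "proto": "tcp", "suspicious": False},
    {"src": "10.0.0.8",  "dst_port": 443, "proto": "tcp", "suspicious": False},
    {"src": "10.0.0.3",  "dst_port": 445, "proto": "tcp", "suspicious": False},
    {"src": "10.0.0.4",  "dst_port": 53,  "proto": "udp", "suspicious": False},
]
FEATURES = ("src", "dst_port", "proto")  # assumed flow features

def candidate_filters(sft, max_width=2):
    """Filters are conjunctions of up to max_width feature=value pairs,
    each taken from a flow actually present in the SFT."""
    cands = set()
    for width in range(1, max_width + 1):
        for keys in combinations(FEATURES, width):
            for flow in sft:
                cands.add(tuple((k, flow[k]) for k in keys))
    return cands

def matches(flow, filt):
    return all(flow[k] == v for k, v in filt)

def evaluate(filt, flows):
    """Return (coverage, collateral): share of suspicious flows the filter
    blocks, and share of benign flows it would wrongly block."""
    sus = [f for f in flows if f["suspicious"]]
    benign = [f for f in flows if not f["suspicious"]]
    coverage = sum(matches(f, filt) for f in sus) / len(sus)
    collateral = sum(matches(f, filt) for f in benign) / len(benign)
    return coverage, collateral

def select_response(flows, max_collateral=0.2):
    """Choose the filter with the highest coverage whose collateral damage
    stays within the policy bound; ties go to lower collateral, then to
    narrower filters. Returns None when no candidate is acceptable."""
    sft = [f for f in flows if f["suspicious"]]
    best = None
    for filt in candidate_filters(sft):
        cov, col = evaluate(filt, flows)
        if col > max_collateral:
            continue  # response would cause excessive collateral damage
        key = (cov, -col, -len(filt))
        if best is None or key > best[0]:
            best = (key, filt)
    return best[1] if best else None
```

With a 0.2 bound, blocking port 445 (which would also drop one benign flow) is rejected and only the most active source is filtered; raising the bound to 0.25 lets the broader port filter through, which is the cost/benefit trade-off the survivability policy encodes.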