Abstract
This paper describes a large-scale distributed intrusion detection (ID) architecture based on intrusion detection system (IDS) agents and collaborative attack strategy analysis. The architecture couples distributed IDS agents, which perform local event analysis, with cooperative global ID. Other agent-based approaches have already demonstrated several advantages over monolithic architectures; this approach additionally has the IDS agents cooperate by analyzing the intruder's attack strategy and by separating local event processing from global analysis. We believe that focusing on the intruder's intent (the attack strategy) provides a common theme that helps distributed IDS components work together. Strategy analysis also creates an opportunity for IDS agents to proactively look ahead for the data most pertinent to current case development. This look-ahead, adaptive auditing behavior focuses limited system resources on collecting and auditing the events that are most likely to reveal intrusions.
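The following Python sketch is an added illustration of the architecture the abstract describes, not code from the paper: per-host agents do local event analysis and only collect the audit categories they have been told to, while a global analyzer correlates their alerts into per-intruder cases that advance along an attack-strategy template and, after each confirmed stage, issues look-ahead directives widening audit collection for the stage expected next. The three-stage strategy, the host names, the event fields (including a `src` attribution on every event), the audit categories, the thresholds and the sample events are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Assumed attack-strategy template: ordered stages, each named by the local
# alert that evidences it. Constructed for this sketch, not from the paper.
STRATEGY = ("port_scan", "brute_force_login", "setuid_install")

# Assumed: audit categories an agent must collect to observe each stage.
AUDIT_FOR_STAGE = {
    "port_scan": {"net_connect"},
    "brute_force_login": {"auth"},
    "setuid_install": {"file_mode"},
}

# Assumed: categories every agent audits at baseline; anything else is not
# collected until the global analyzer asks for it (adaptive auditing).
BASELINE_AUDIT = frozenset({"net_connect", "auth"})


@dataclass
class LocalAgent:
    """Per-host agent: decides what to audit and does local event analysis."""
    host: str
    audited: set = field(default_factory=lambda: set(BASELINE_AUDIT))
    _ports: dict = field(default_factory=dict)  # src -> destination ports seen
    _fails: dict = field(default_factory=dict)  # src -> failed login count

    def raise_audit(self, categories):
        """Look-ahead directive from the global analyzer: widen collection."""
        self.audited |= set(categories)

    def process(self, ev):
        """Local analysis of one event; returns (alert, src) or None.
        Events carry an assumed 'src' field naming the responsible peer."""
        if ev["kind"] not in self.audited:
            return None  # not collected at the current audit level
        src = ev["src"]
        if ev["kind"] == "net_connect":
            ports = self._ports.setdefault(src, set())
            ports.add(ev["dport"])
            if len(ports) == 5:  # assumed scan threshold; fires once
                return ("port_scan", src)
        elif ev["kind"] == "auth" and not ev["ok"]:
            self._fails[src] = self._fails.get(src, 0) + 1
            if self._fails[src] == 3:  # assumed brute-force threshold
                return ("brute_force_login", src)
        elif ev["kind"] == "file_mode" and ev.get("setuid"):
            return ("setuid_install", src)
        return None


class GlobalAnalyzer:
    """Global ID: correlates local alerts into per-intruder cases that advance
    along STRATEGY and issues look-ahead audit directives for the next stage."""

    def __init__(self, agents):
        self.agents = list(agents)
        self.cases = {}  # src -> number of strategy stages confirmed

    def report(self, alert, src):
        stage = self.cases.get(src, 0)
        if stage == len(STRATEGY) or alert != STRATEGY[stage]:
            # Out-of-sequence alert: the case does not advance, no look-ahead.
            return {"intrusion": None, "stage": stage, "directives": []}
        stage += 1
        self.cases[src] = stage
        if stage == len(STRATEGY):
            return {"intrusion": src, "stage": stage, "directives": []}
        # Look ahead: ask every agent to audit what the next stage would produce.
        nxt = STRATEGY[stage]
        directives = []
        for agent in self.agents:
            agent.raise_audit(AUDIT_FOR_STAGE[nxt])
            directives.append((agent.host, nxt))
        return {"intrusion": None, "stage": stage, "directives": directives}


# Constructed sample events (not real telemetry): one intruder, two hosts.
SAMPLE_EVENTS = [
    *({"host": "web1", "kind": "net_connect", "src": "10.0.0.9", "dport": p}
      for p in (21, 22, 23, 80, 443)),
    # This setuid change on db1 arrives before the case has reached the stage
    # that asks for file_mode auditing, so the agent never collects it.
    {"host": "db1", "kind": "file_mode", "src": "10.0.0.9", "setuid": True},
    *({"host": "db1", "kind": "auth", "src": "10.0.0.9", "ok": False}
      for _ in range(3)),
    {"host": "db1", "kind": "file_mode", "src": "10.0.0.9", "setuid": True},
]


def run_scenario(events=SAMPLE_EVENTS):
    """Feed events to the right agent, forward local alerts to the global
    analyzer, and return the analyzer's decisions in order."""
    agents = {h: LocalAgent(h) for h in ("web1", "db1")}
    analyzer = GlobalAnalyzer(agents.values())
    decisions = []
    for ev in events:
        result = agents[ev["host"]].process(ev)
        if result is not None:
            decisions.append(analyzer.report(*result))
    return decisions


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

Running the scenario yields three global decisions: the port scan opens a case and directs both agents to audit authentication, the brute-force alert advances it and directs them to audit file-mode changes, and the setuid installation that follows completes the strategy. The first setuid event is silently dropped because no case had yet asked for `file_mode` auditing, which is the trade-off the abstract's resource-focusing implies: audit coverage outside the expected next stage is reduced, so an intruder who deviates from the assumed template is tracked only as far as the template matches.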