Asynchronous Alert Correlation in Multi-agent Intrusion Detection Systems
Vladimir Gorodetsky, Oleg Karsaev, Vladimir Samoilov, and Alexander Ulanov
SPIIRAS, 39, 14-th Liniya, St.Petersburg, 199178, Russia
{gor, ok, samovl, ulanov}@mail.iias.spb.su
Abstract. This paper presents the conceptual model, architecture and software prototype of a multi-agent intrusion detection system (IDS) operating on the basis of heterogeneous alert correlation. The latter term denotes an IDS provided with a structure of anomaly detection-like classifiers designed to detect intrusions in cooperative mode. The idea is to use a structure of classifiers operating on the basis of various data sources and trained to detect attacks of particular classes. Alerts regarding particular attack classes produced by multiple classifiers are correlated at the upper layer. The top-layer classifier solves the intrusion detection task: it combines the decisions of the specialized alert correlation classifiers of the lower layer and produces a combined decision in order to detect an attack class more reliably. The IDS software prototype operating on the basis of input traffic is implemented as a multi-agent system trained to detect attacks of the classes DoS, Probe and U2R. The paper describes the structure of such multi-layered intrusion detection, outlines the preprocessing procedures and data sources, specifies the IDS multi-agent architecture and briefly presents the experimental results obtained on the basis of DARPA-98 data, which generally confirm the feasibility of the approach and its certain advantages.
1 Introduction
Currently, the intrusion detection task is of great concern and the subject of intensive research ([2], [4], [10], [11], [12], [13], [14], etc.). Contemporary studies show that advanced approaches to Intrusion Detection System (IDS) design are focused on data fusion ideas, assuming the use of multiple data sources and multiple classifiers operating in various feature representation spaces with subsequent combining of their decisions [1]. Unfortunately, several specific properties of the intrusion detection system input make the above-mentioned decision combining task very difficult. Among these properties, the temporal nature, high-frequency dynamics and asynchronous character of the input are of primary importance. Another important issue of IDS input that is ignored in most research is information ageing, resulting from the temporal nature and the variety of frequencies of the input data streams arriving from various sources.
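The following is an added illustration, not code from the paper or its prototype, of the two-layer scheme sketched in the abstract and of the information-ageing problem raised above: lower-layer classifiers bound to different data sources emit per-class alerts asynchronously, and an upper-layer combiner weights each alert by its age before deciding. The source names, sample alerts, the half-life ageing rule and the weighted-mean combining rule are all assumptions made for the example; the paper does not specify them.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:
    time: float        # seconds at which the lower-layer classifier produced the alert
    source: str        # data source the lower-layer classifier is trained on
    attack_class: str  # DoS, Probe or U2R
    confidence: float  # classifier confidence in [0, 1]

# Constructed sample alerts (hypothetical sources, not the paper's data), deliberately
# listed out of time order to mimic asynchronous arrival from sources of different rates.
ALERTS = [
    Alert(30.0, "connections", "DoS", 0.8),
    Alert(10.0, "traffic", "Probe", 0.2),
    Alert(20.0, "traffic", "DoS", 0.9),
    Alert(40.0, "connections", "Probe", 0.9),
]

def ageing_weight(alert_time, now, half_life, max_age):
    """Assumed ageing rule: an alert's weight halves every half_life seconds; alerts
    older than max_age, or stamped after `now` (clock skew), are ignored entirely."""
    age = now - alert_time
    if age < 0 or age > max_age:
        return 0.0
    return 0.5 ** (age / half_life)

def correlate(alerts, now, half_life=10.0, max_age=25.0, threshold=0.6):
    """Upper-layer combining at decision time `now`.
    For each (source, attack class) keep only the newest alert not after `now`, so a
    fast source cannot outvote a slow one; then per class take the ageing-weighted
    mean confidence across sources. Returns (scores per class, detected classes)."""
    newest = {}
    for a in alerts:
        if a.time <= now:
            key = (a.source, a.attack_class)
            if key not in newest or a.time > newest[key].time:
                newest[key] = a
    num, den = defaultdict(float), defaultdict(float)
    for a in newest.values():
        w = ageing_weight(a.time, now, half_life, max_age)
        num[a.attack_class] += w * a.confidence
        den[a.attack_class] += w
    scores = {c: num[c] / den[c] for c in den if den[c] > 0}
    detected = {c for c, s in scores.items() if s >= threshold}
    return scores, detected

if __name__ == "__main__":
    for now in (30.0, 40.0):
        print(now, correlate(ALERTS, now))
```

At t=30 only DoS is detected (the single stale Probe alert is discounted); at t=40 the fresh Probe alert from the second source raises that class above the threshold while the 30-second-old Probe alert has been dropped as too stale.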
The paper is devoted to the heterogeneous alert correlation approach to intrusion detection. The introduced term denotes an approach assuming that the IDS is composed of a structure of classifiers, and each classifier of this structure is trained for the detection of attacks of a particular class, e.g. an attack of the class either DoS, or Probe, or