Abstract
This paper presents a conceptual model, an architecture and a software prototype of a multi-agent intrusion detection system (IDS) that operates on the basis of heterogeneous alert correlation. The latter term denotes an IDS built from a structure of anomaly-detection-like classifiers that detect intrusions in cooperative mode. The idea is to use a structure of classifiers that operate on different data sources and are each trained to detect attacks of a particular class. Alerts for a given attack class produced by multiple classifiers are correlated at the upper layer. The top-layer classifier solves the intrusion detection task: it combines the decisions of the specialized alert correlation classifiers of the lower layer and produces a combined decision in order to detect an attack class more reliably. The IDS software prototype, which operates on input traffic, is implemented as a multi-agent system trained to detect attacks of the classes DoS, Probe and U2R. The paper describes the structure of such multi-layered intrusion detection, outlines the preprocessing procedures and data sources, specifies the IDS multi-agent architecture and briefly presents the experimental results obtained on DARPA-98 data, which generally confirm the feasibility of the approach and certain of its advantages.
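As an added illustration of the layered scheme the abstract describes (example code written for this page, not the authors' prototype): lower-layer classifiers, each watching one data source and trained for one attack class, emit alerts asynchronously; a per-class correlator at the upper layer fuses the alerts of that class that fall inside a time window, counting each source at most once; the top layer then picks the best-supported class. The source names ("conn", "flow", "host"), the noisy-OR fusion rule, the window length, the decision threshold and the sample alert stream are all assumptions made for the example and do not reproduce the paper's own combination rules.

```python
"""Layered alert correlation over heterogeneous sources (added example).

Example code written for this page; it is not the authors' prototype and
does not reproduce the paper's combination rules. Assumptions made here:
three data sources ("conn", "flow", "host"), a per-class noisy-OR rule that
fuses the strongest alert from each distinct source inside a time window,
and a top layer that reports the best-supported class above a threshold.
"""
from collections import defaultdict
from dataclasses import dataclass
from math import prod

ATTACK_CLASSES = ("DoS", "Probe", "U2R")   # classes named in the abstract


@dataclass(frozen=True)
class Alert:
    source: str         # data source the lower-layer classifier watches (assumed names)
    attack_class: str   # attack class the classifier was trained to recognise
    time: float         # seconds; alerts from different sources arrive asynchronously
    score: float        # classifier confidence in [0, 1]


class LayeredCorrelator:
    """Upper layer: one correlator per attack class, then a top-layer combiner."""

    def __init__(self, window=10.0, threshold=0.75):
        self.window = window          # seconds of history a class correlator looks at
        self.threshold = threshold    # minimum fused score needed to declare the class
        self._alerts = defaultdict(list)   # attack_class -> [Alert, ...]

    def ingest(self, alert):
        """Accept one alert from a lower-layer classifier, in any arrival order."""
        if alert.attack_class not in ATTACK_CLASSES:
            raise ValueError(f"unknown attack class {alert.attack_class!r}")
        if not 0.0 <= alert.score <= 1.0:
            raise ValueError("score must lie in [0, 1]")
        self._alerts[alert.attack_class].append(alert)

    def class_support(self, attack_class, now):
        """Per-class correlator: fuse alerts of one class that fall in the window.

        Only the strongest alert from each distinct source counts, so a single
        chatty sensor cannot inflate the score by repeating itself; alerts from
        different sources are fused with a noisy-OR (assumption for the example).
        Returns (number_of_distinct_sources, fused_score).
        """
        best_per_source = {}
        for a in self._alerts[attack_class]:
            if now - self.window <= a.time <= now:
                best_per_source[a.source] = max(best_per_source.get(a.source, 0.0), a.score)
        if not best_per_source:
            return 0, 0.0
        fused = 1.0 - prod(1.0 - s for s in best_per_source.values())
        return len(best_per_source), fused

    def decide(self, now):
        """Top-layer combiner: report the best-supported class, or "normal"."""
        scored = {c: self.class_support(c, now) for c in ATTACK_CLASSES}
        best = max(scored, key=lambda c: scored[c][1])
        if scored[best][1] >= self.threshold:
            return best, scored[best]
        return "normal", (0, 0.0)


# Constructed sample alert stream (not DARPA-98 data): two moderate DoS alerts
# from different sources arriving out of time order, a repeat from one of those
# sources, a lone weak Probe alert, and a strong host-based U2R alert much later.
SAMPLE_ALERTS = [
    Alert("flow", "DoS", 12.0, 0.60),
    Alert("conn", "DoS", 9.5, 0.60),     # arrives after the flow alert it predates
    Alert("conn", "DoS", 10.1, 0.40),    # same source repeats: must not double-count
    Alert("conn", "Probe", 11.0, 0.55),
    Alert("host", "U2R", 60.0, 0.90),
]


def run_example(alerts=SAMPLE_ALERTS):
    """Feed the sample stream in and query the top layer at three instants."""
    corr = LayeredCorrelator(window=10.0, threshold=0.75)
    for a in alerts:
        corr.ingest(a)
    return {
        "t=15": corr.decide(now=15.0),   # DoS: two sources, 1-(0.4*0.4)=0.84 -> fires
        "t=40": corr.decide(now=40.0),   # window has slid past everything -> normal
        "t=65": corr.decide(now=65.0),   # U2R: single strong host alert -> fires
    }


if __name__ == "__main__":
    for when, (label, (n_src, score)) in run_example().items():
        print(f"{when}: {label} (sources={n_src}, fused={score:.2f})")
```

At t=15 neither DoS alert on its own reaches the 0.75 threshold, but because they come from two independent sources the correlator fuses them to 0.84 and the top layer declares DoS; the Probe alert, a single source at 0.55, stays below threshold, and the repeated "conn" DoS alert adds nothing because each source is counted once. That is the practical point of correlating heterogeneous alerts: individually weak evidence from independent sensors becomes a confident decision, while one noisy sensor cannot manufacture one.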
Copyright information
© 2005 Springer-Verlag Berlin Heidelberg
Cite this paper
Gorodetsky, V., Karsaev, O., Samoilov, V., Ulanov, A. (2005). Asynchronous Alert Correlation in Multi-agent Intrusion Detection Systems. In: Gorodetsky, V., Kotenko, I., Skormin, V. (eds) Computer Network Security. MMM-ACNS 2005. Lecture Notes in Computer Science, vol 3685. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11560326_28
DOI: https://doi.org/10.1007/11560326_28
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-29113-8
Online ISBN: 978-3-540-31998-6