Randomly roving agents for intrusion detection

Agent based intrusion detection systems (IDS) have advantages such as scalability, recon gurability, and survivability. In this paper, we introduce a mobile-agent based IDS, called ABIDE (Agent Based Intrusion Detection Environment). ABIDE is comprised of various types of agents, all of which are mobile, lightweight, and specialized. The most common form of agent is the DMA (Data Mining Agent), which randomly moves around the network and collects information. The DMA then relays the information it has gathered to a DFA (Data Fusion Agent) which assesses the likelihood of intrusion. As we show in this paper, there is a quanti able relationship between the number of DMA and the probability of detecting an intrusion. We study this relationship and its implications. NRL CHACS Tech. Report 5540-TM/02/003. An abbreviated version of this paper appears under the same title in: Proc. 15th IFIP WG 11.3 Working Conference on Database and Application Security, Niagra on the Lake, Canada, July 2001, Kluwer Press contact author: [email protected] zpresent address: Mitretek Systems, 7525 Colshire Dr., McLean, VA 22102 ITT Industries