Exploring Agent-Based Decentralized Distributed IDS

We will develop new detection systems that detect distributed attacks spread over a large network. Such detection is complicated by the need for special mechanisms to correlate and aggregate intrusion-activity data from multiple hosts. The approach is intended to be applicable to either a single host or a network-based system. It builds on preliminary results to be published [1].

An intruder attacking multiple hosts in a network (in what we call a distributed attack, as opposed to an attack confined to a single host) may be able to keep intrusion activity below the trigger threshold of the intrusion monitors running on individual network hosts, even if the aggregate intrusion activity would trigger an alert. To address this situation, we will investigate a distributed IDS that correlates and aggregates the intrusion-activity data collected from multiple points of a network. Most current distributed IDSs distribute monitoring by using individual host and network monitors together with a centralized controller component; in contrast, we will investigate a completely decentralized distributed IDS with the goals of reliability, scalability, and the capability of operating in a heterogeneous environment. We will use mobile agents - software components that can migrate to any network host and autonomously execute the tasks of detecting intrusions. Mobile agents will be moved to the locations where intrusion-related data must be processed (rather than moving large amounts of audit data to a centralized node), and will passively observe a subset of runtime events on hosts or in the network.

A primary goal is reducing the network bandwidth consumed by data collection, and thereby making IDSs more scalable, since adding hosts does not increase network load. Other goals include reducing false positives and false negatives, and detecting new (previously unknown) attacks. The main research challenge will be the collection and aggregation of intrusion-activity data from multiple hosts and its subsequent mathematical analysis, so that the system reports confirmed intrusions rather than raw audit-log data.
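As an added illustration, not part of the proposal or the DIDMA prototype, the following simulation shows the threshold-evasion problem the paragraph describes: each host's agent reports only a compact per-source count, independent host monitors stay silent because every local count is under the threshold, and only the aggregation of those summaries reveals the distributed attack. Host names, source addresses and the threshold are constructed sample values.

```python
from collections import Counter, defaultdict

# Constructed sample of observed events as (host, source, event_type).
# Each host only ever sees its own share of the activity.
EVENTS = [
    ("h1", "10.0.0.9", "auth_fail"), ("h1", "10.0.0.9", "auth_fail"),
    ("h2", "10.0.0.9", "auth_fail"), ("h2", "10.0.0.9", "auth_fail"),
    ("h3", "10.0.0.9", "auth_fail"), ("h3", "10.0.0.9", "auth_fail"),
    ("h4", "10.0.0.9", "auth_fail"), ("h4", "10.0.0.9", "auth_fail"),
    ("h1", "10.0.0.5", "auth_fail"),  # a single failed login, benign noise
]
THRESHOLD = 5  # alert when one source produces >= 5 failures (assumed value)


def local_summaries(events):
    """What a per-host agent reports upstream: a count per source,
    not the raw audit records (this is the bandwidth saving)."""
    per_host = defaultdict(Counter)
    for host, src, ev in events:
        if ev == "auth_fail":
            per_host[host][src] += 1
    return per_host


def per_host_alerts(summaries, threshold=THRESHOLD):
    """Independent host monitors: each judges only its own counts.
    Returns the set of (host, source) pairs that crossed the threshold."""
    return {(host, src)
            for host, counts in summaries.items()
            for src, n in counts.items() if n >= threshold}


def aggregated_alerts(summaries, threshold=THRESHOLD):
    """Decentralized correlation: sum the per-host summaries per source
    and apply the same threshold to the network-wide total."""
    total = Counter()
    for counts in summaries.values():
        total.update(counts)
    return {src for src, n in total.items() if n >= threshold}


if __name__ == "__main__":
    summaries = local_summaries(EVENTS)
    print(per_host_alerts(summaries))    # set(): 2 failures per host stays under 5
    print(aggregated_alerts(summaries))  # {'10.0.0.9'}: 8 failures network-wide
```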


1. P. Kannadiga, M. Zulkernine, DIDMA: A Distributed Intrusion Detection System Using Mobile Agents, submitted to Special Track on Agents, Interactions, Mobility, and Systems (AIMS) in 20th ACM Symp. on Applied Computing (SAC 2005), Santa Fe, New Mexico, March 2005.