Abstract

We describe the design of a misuse detection agent, one of the distinct agents in a multi-agent-based intrusion detection system. This system is being implemented in JADE, a well-known Java-based multi-agent platform. The agent analyses the packets in the network connections using a packet sniffer and then creates a data model based on the information obtained. This data model is the input to a rule-based inference engine agent, which uses the Rete algorithm for pattern matching and the rules of the signature-based intrusion detection system Snort. Specifically, a Java implementation, Drools-JBoss Rules, was used, and a parser was implemented that converts Snort rules into Drools rules. The use of object-oriented techniques, together with design patterns, means that the agent is flexible, easily configurable and extensible.
