Multi agent system for network attack classification using flow-based intrusion detection

Abstract

Intrusion Detection (ID) is essential for protecting contemporary computer networks from a range of threats. Modern ID techniques must cope with increasingly sophisticated attacks as well as rapidly rising network line speeds. Signature based ID is forced to sample sparsely, increasing the likelihood of malicious traffic entering the network without scrutiny. Con sequently, flow-based ID is gaining attention as an effective complement. ID systems are furthermore often characterized as either network-based or host-based. The autonomous multi agent design paradigm is a scalable, attractive alternative for its potential to leverage the strengths of both architectures: the broad perspective and visibility into distributed malicious activity provided by network-based ID, and the comprehensive view of the local node provided by host-based ID. This paper therefore develops an architecture for a new multi agent, flow-based intrusion detection sysem. The architecture is designed in two iterations of increasing complexity. These innovative ID designs use a "repuation" system to permit agents to dynamically find nodes that are most effective for classifying malicious network activity. Furthermore, each system design includes the development of an innovative classifier that uses multi objective evolutionary algorithms to aid in the search for effective operational parameter values. Evaluation using an extensive agent simulation framework highlights the conditions under which the reputation system provides a significant classification benefit.