Title :
An architecture of a distributed intrusion detection system using cooperating agents
Author :
Sen, Jaydip ; Sengupta, Indranil ; Chowdhury, Piyali Roy
Author_Institution :
Dept. of Comput. Sci. & Eng., Indian Inst. of Technol., Kharagpur, India
Abstract :
An intrusion detection system (IDS) is a security mechanism that is expected to monitor and detect intrusions into computer systems in real time. The currently available intrusion detection systems have a number of problems that limit their configurability, scalability, and efficiency. There have been some propositions about distributed architectures based on multiple independent agents working collectively for intrusion detection. However, these distributed intrusion detection systems are not fully distributed, as most of them centrally analyze data collected from distributed nodes, resulting in a single point of failure. In this paper, we propose a distributed architecture with autonomous and cooperating agents without any central analysis component. The agents cooperate by using a hierarchical communication of interests and data, and the analysis of intrusion data is made by the agents at the lowest level of the hierarchy. This architecture provides significant advantages in the design of an IDS in terms of scalability, flexibility, extensibility, fault tolerance, and resistance to compromise. We have developed a proof-of-concept prototype and conducted experiments on the system. The results show the effectiveness of our system in detecting intrusive activities in any network of workstations.
Keywords :
multi-agent systems; security of data; computer systems; cooperating agents; distributed architectures; distributed intrusion detection system; distributed nodes; fault tolerance; security mechanism; Computer architecture; Computer security; Computerized monitoring; Data analysis; Failure analysis; Fault tolerance; Independent component analysis; Intrusion detection; Real time systems; Scalability
Conference_Title :
Computing & Informatics, 2006. ICOCI '06. International Conference on
Conference_Location :
Kuala Lumpur
Print_ISBN :
978-1-4244-0219-9
Electronic_ISBN :
978-1-4244-0220-5
DOI :
10.1109/ICOCI.2006.5276474