A collaborative architecture for intrusion detection systems with intelligent agents and knowledge-based alert evaluation

Current reactive and standalone network security products are not capable of withstanding the thriving of diversified network threats. As a result, a security paradigm where integrated security devices or systems collaborate closely to achieve enhanced protection and provide multilayer defenses is emerging. We present a collaborative architecture design for multiple intrusion detection systems to work together to detect real-time network intrusions. The architecture is composed of three parts: collaborative alert aggregation, knowledge-based alert evaluation and alert correlation. The architecture is aimed at reducing the alert overload by correlating from multiple sensors to generate condensed views, reducing false positives by integrating network and host system information and correlating events based on logical relations to generate global and synthesized alert report. The first two parts of the architecture have been implemented and the implementation results are presented in this paper.