Collective intrusion detection in wide area networks

We present in this paper a collective approach for intrusion detection in wide area networks. We use the multi-agent paradigm to model the proposed distributed system. In this system, an agent, which plays several roles, is situated on each node of the net. The first role of an agent is to perform the work of a local intrusion detection system (IDS). Periodically, it proceeds to exchange security data within its local neighbouring. The agent neighbouring consists of IDS agents of local neighbour nodes. The goal of such an approach is to consolidate the decision, regarding every suspected security event. Unlike previous works having proposed distributed systems for intrusion detection, our system is not restricted to data sharing. It proceeds in the case of a conflict to a negotiation between neighbouring agents in order to produce a consensual decision. So, the proposed system is fully distributed. It does not require any central or hierarchical control, which compromises its scalability, specially in wide area networks such as Internet. Indeed, in this kind of networks, some attacks like distributed denial of service (DDoS) require fully distributed defence. Experiments on our system show its potential for satisfactory DDoS attack detection.