
International Journal of Computational Intelligence and Information Security, June 2013 Vol. 4, No. 6 ISSN: 1837-7823

Securing Enterprise Networks: A Multiagent-Based Distributed Intrusion Detection Approach


Nwaocha, Vivian Ogochukwu¹ and Inyiama, H. C.²
Computer Science Department, University of Nigeria, Nsukka

Abstract
There is an ever-growing reliance on computer networks for business transactions globally. While these networks have facilitated the provision of critical services in medical, financial and educational institutions in particular, they have equally served as a means for diffusing network attacks. These threats take many forms, but all result in loss of privacy to some degree or malicious destruction of information or resources that can lead to large monetary losses. One of the most prevalent threats is the Distributed Denial of Service (DDoS) network attack, which prevents legitimate users from accessing network services. Detecting intrusions is a difficult task in any networked environment, especially in an enterprise network, which naturally lends itself to a distributed exploitation of its resources by employees and third parties. In such a scenario, the identification of a potential attack requires that information be gathered from different sources. Besides, current solutions lack a fundamental dynamic feature required in order to ensure both flexibility of the architecture and robustness in the event of changes in network and traffic status. Moreover, DDoS attacks are spreading at a very high rate and are not easily contained by existing intrusion detection systems. Although distributed intrusion detection systems have been developed to counter these threats, they still have the drawback of using up huge network resources. It is against this backdrop that this paper presents a model of a Multiagent-Based Distributed Intrusion Detection System (MABDIDS) which detects intrusions efficiently by means of small-sized mobile agents. As a proof of concept, a prototype of the proposed system is implemented and tested. The outcome of the tests revealed that, compared with existing solutions, the proposed system provides superior performance in terms of detection rate and saves network resources.
Keywords: Distributed Intrusion Detection System, Enterprise Network, Intrusion Detection System, Mobile Agent, Mobile Agent Platform, Multiagent System

1. Introduction
Today, there is an ever-growing reliance on computer networks for business transactions. Hence, several educational institutions, government agencies, health care facilities, banking and financial institutions and private residences offer vital services through the global network known as the Internet [1]. However, with the free flow of information and the high availability of many resources, managers of enterprise networks have to understand all the possible threats to their networks. These threats take many forms, but all result in loss of privacy to some degree and possibly malicious destruction of information or resources that can lead to large monetary losses [2]. It is obvious that the Internet is critical for delivering educational content to diverse students in remote geographical areas globally and is regarded by everyone as an indispensable IT infrastructural service. This medium facilitates health care delivery, financial and other essential services. On the other hand, the convenience of the Internet comes at the expense of several security risk exposures. It is therefore vital that the appropriate level of network security is maintained in an enterprise network to ensure its high availability. In particular, institutions constantly face unique challenges keeping their servers and networks secure from cyber-criminals while accommodating the influx of student and faculty-owned devices. A recent analysis of online transaction data highlighted to what extent some of these establishments have already been compromised. While the Internet has facilitated the provision of critical services in educational and financial institutions in particular, it has also served as a means of diffusing network attacks. These establishments have had to face the challenge of keeping their networks secure against several network attacks, particularly DDoS attacks, while accommodating the influx of client and employee devices.

Due to its prevalent usage in cyber-crimes, the DDoS attack threatens not only critical online services but also civil society at large. As emergency and essential services become reliant on the Internet as part of their communication infrastructure, the consequences of DDoS attacks could even become life-threatening. Although the methods and motives behind DDoS attacks have evolved over time, the fundamental goal of these attacks, to deny legitimate users some resource or service, still prevails. Today's networks must be able to promptly detect and respond to intrusion attacks to maintain network availability, thus ensuring that services are uninterrupted. Hence, in order to ensure the optimal operation of networks and systems, it is critical that individuals and organisations protect their systems from network intrusions, such as DDoS attacks. As a result, numerous security tools have been developed. Amongst these tools, Intrusion Detection Systems (IDSs) are becoming the most widely used security tool for deterring, or otherwise minimizing, intrusions. Although intrusion detection systems are vital in securing any system, their effectiveness comes only from knowing the attack methods and subsequently properly planning, deploying, monitoring, and responding to these attacks. In other words, knowing the attack methods allows for the appropriate security to emerge. Therefore, in order to overcome the limitations in the existing IDSs and handle DDoS attacks appropriately, this paper presents a Multi-Agent-Based Distributed Intrusion Detection System.

1.1. Statement of the Problem
Distributed Denial of Service (DDoS) attacks present a remarkable challenge. While extensive research has been undertaken in the field of Intrusion Detection Systems to mitigate these attacks, the existing solutions are not able to cope with the complex and distributed nature of these attacks. They are inefficient and are flawed with the following drawbacks:

- High false negative alerts
- Delayed response to attack
- High network overloads
- Lack of robustness
- Limited extensibility

1.2 Objectives of the Study
Following from the limitations of the existing system, this research seeks to design and implement an efficient Multiagent-based Distributed Intrusion Detection System (MABDIDS) for mitigating DDoS attacks.

1.3 Research Methodology
This paper adopts the multiagent-based distributed intrusion detection approach in developing an effective solution for securing enterprise networks.

2. Literature Review
The application of multiagents and mobile agents in intrusion detection systems has emerged as an interesting paradigm for research and has been explored by several researchers. This section discusses works related to these areas of research.

2.1.1 Centralised Intrusion Detection Systems Using Distributed Data Collection

Generally, in a centralised intrusion detection system, there is a single machine that monitors data flow at a strategic point in the network, collecting and analyzing data from the log files. Consequently, an attacker gains considerable access to the entire network by destabilizing the single host. In order to overcome this limitation, distributed data collection for intrusion detection systems was introduced. The NADIR system performs distributed data collection by employing the existing service nodes on Los Alamos National Laboratory's Integrated Computer Network (ICN) to collect audit information, which is then analyzed by a central expert system. This work presents many interesting results and considerations regarding the collection, storage, reduction and processing of data in large computer networks. However, and as expected, the system causes network overhead due to transferring a huge amount of intrusion-related data towards the central unit.

The EMERALD project proposes a distributed architecture for intrusion detection that employs entities called service monitors. The latter are dynamically deployable, highly distributed, and independently tunable. They provide localized real-time analysis of infrastructure and services. The approach covers the misuse of individual components and network services within a single domain and includes service analysis. The objective of the service analysis is to streamline and decentralize the surveillance of a domain's network interfaces for activities that may indicate misuse or anomalies in operations. EMERALD enables domain-wide analysis covering the misuse visible across multiple services and components, and enterprise-wide analysis covering coordinated misuse across multiple domains. The project also defines several layers of monitors for performing data reduction in a hierarchical fashion. Although the monitors provide distributed network status analysis, most of the detection intelligence is placed in a central system. Further, all the decision making regarding the deployment of the monitors takes place in the central system, thus resulting in potential delays and processing overhead.

In 2003, a scheme was proposed where lightweight agents travel between monitored systems in a network of distributed systems, obtain information from data-processing agents, classify and correlate information, and report the information to both a user interface and a database, via mediators. In such systems, the agents had zero detection and analysis capabilities.

A new Mobile Agent Distributed Intrusion Detection System (MADIDS) was proposed to process the great flow of intrusion detection data transfer in high-speed networks [3]. The MADIDS system consists of specialized agents: event generation agents, event analysis agents, event tracking agents, and an agent server. Event generation agents are distributed into every place in the network to collect intrusion data of interest. Each submits a portion of the data to the event analysis agent residing on the same host or passes the data directly to the agent server if the network load permits. Event analysis agents analyze the collected data and pass the results to a local event tracking agent, which in turn tracks the intrusion. The agent server is a central supervision unit that receives data from event generation/analysis agents and allocates the analysis/tracking tasks to the suitable agents. It monitors and dynamically balances the load of each agent. In this system, agents had no intrusion detection or response responsibilities.

2.1.2. Intrusion Detection Using Autonomous Agents

The application of autonomous agents in intrusion detection has equally been investigated. Agents are taught how to identify intrusive behaviors using Genetic Programming. Nevertheless, it was discovered that this setup imposes overhead on the system in both time and space as it consumes memory and CPU time. Besides, a long time is required to train the agents before they can be considered ready for deployment.

The approach described in proposes an architecture for a distributed intrusion detection system based on multiple independent entities called the Autonomous Agents for Intrusion Detection (AAFID) framework. Agents are used mainly as a means for structuring the intrusion detection collection component into a set of lightweight software components, which can be easily reconfigured. On a given host, they look for interesting events and report their findings to a single transceiver that oversees their operations. The transceivers, in turn, report their results to one or more monitors that are responsible for the network. Among the several issues that are associated with this framework is adaptability. The system is incapable of dynamically controlling the agent population at run-time, and agents appear to be static once they are deployed to a transceiver, although they can be replaced through reconfiguration.

In more recent research, Nwaocha and Inyiama (2011) proposed an intrusion detection and prevention system based on small, autonomous, and intelligent intrusion detectors as sensors. Their study was inspired by the principle of operation of nervous systems. In their work, data collection and analysis elements are operated by autonomous agents based on risk assessment and managed on the basis of the autonomic computing theory with self-management properties. The main purpose of using autonomic computing was to create computing systems capable of managing themselves to a far greater extent when given high-level objectives, and to provide a set of prevention rules that will attempt to stop the attack before it happens depending on risk analysis and risk assessment, thus confirming the validity of the alerts and identifying the false positive alerts by measuring the risk caused by the detected threat and determining whether it is a normal activity or not. This work was, however, limited to host-based intrusion, and although they had proposed the use of mobile agents they did not implement it in their system.

2.1.3. Intrusion Detection Systems Based on Mobile Agents and Fully Distributed Architectures

One well-known example of applying distributed agent design methodology in the intrusion detection domain is the Distributed Intrusion Detection System (DIDS) [Snapp et al. 1991]. DIDS was an attempt to build a distributed system based on monitoring agents that reside at every host in the network. A centralized data analysis component called the DIDS director agent is solely responsible for the analysis of the network traffic data collected by each monitor. The DIDS architecture presents both advantages and disadvantages. On one hand, the system utilizes the real-time traffic information from various sources, namely, data from various host monitors, to assess the security status of its residing network. However, as a drawback, the system's scalability is poor for large networks, as an increasing number of host monitors also significantly increases the work load of the DIDS director agent. Additionally, the data flow between host monitors and the director agent may generate significantly high network traffic overheads.

A mobile agent-based architecture and model consists of a large number of small mobile agents that perform the tasks of monitoring, decision-making, notification and reaction to attempted intrusions [45]. Each agent observes a small aspect of the entire system. When an agent considers an activity suspicious, it advises the other agents about it. Thereafter, an agent (or a group of agents) with a higher level of specialization for that type of suspected intrusion is activated. Once there is a consensus among a large number of agents about the existence of an intrusion, a message is then sent requesting the intervention of a human operator, who will launch a group of reactive agents. In this system, specialized agents can be added whenever a new form of attack is identified or removed dynamically from the system. The system suffers from massive detection latency since an agent by itself has no authority to identify an attack; a majority vote among specialized agents is required before further actions are taken.

Cooperative Security Managers (CSM) are employed to perform distributed intrusion detection that does not need a hierarchical organization or a central coordinator. The design requires that a CSM be run on every host attached to the network. A CSM consists of a local intrusion detection component responsible for detecting local and proactive intrusions, a security manager that correlates data collected by its own host's IDS and other CSMs, the intruder-handling component that determines what action to take when an attack is detected, a graphical user interface that allows the security administrator to communicate with each CSM, a command monitor that accepts commands from the user and sends them to the IDS for analysis, and a communication handler that provides the communication between CSMs using TCP. However, the CSMs are stationary agents, cannot be updated or reconfigured dynamically, and result in overhead on host performance since they run on the host at all times.

In [47], a social insect-based mobile agent framework, named Artificial Network Termite Colony (ANT), was developed using static internal agents and mobile agents. The approach is based on the use of chemical-like information that represents an abnormal behavior. ANT relies on the raising and lowering of pheromone fields, which represent criteria to guide simple agents towards collectively exhibiting complex problem-solving behavior. Pheromones are spread to pheromone servers via short-lived mobile agents, while other defensively minded agents prowl the network performing system checks, sensing the gradient of the pheromone field, and deciding whether to take a defensive action or move onward in a direction where the field is stronger. Our own approach is similar to this work in the sense that the agent population increases when intrusions are detected and decreases after the attack(s) are terminated. However, in ANT, agents are specialized and their detection procedures cannot be updated dynamically.

Another line of research presents a fully distributed architecture where data collection and information analysis are performed locally without referring to the central management unit. For instance, the designed architecture in comprises two components: IDS agents and a stationary secure database (SSD). The agent is responsible for detecting intrusions based on local audit data and participating in cooperative algorithms with other IDS agents to decide if the network is being attacked. Each agent has a local audit trail, a misuse detection module, an anomaly detection module, and a local database. The local audit trail collects audit data and passes it to the misuse detection module and anomaly detection module for further analysis. The local database warehouses all information necessary for the IDS agent such as signature files and users' patterns. The SSD acts as a trusted database for the agents to obtain the latest misuse signatures. It contains global signatures of known misuse attacks and stores patterns of each user's normal activity in a non-hostile environment. The system requires that an IDS agent resides on every host, thus resulting in a large number of IDS agents in the network. A large number of up-and-running agents results in both network and host overhead. The agent processes that execute on each host consume CPU time, and the large number of agents causes intensive message passing among the agents, resulting in network bandwidth consumption. Moreover, the proposed system does not fit a dynamic environment, where computers are dynamically added or taken off the network, since the implementation of the system administration will be far more complex.

A more recent development in the domain of distributed IDS architectures is MINDS [Ertoz et al. 2004]. The MINDS system analyzes data collected directly by sensors distributed throughout the network, tapping information directly from the routers. It combines an unsupervised anomaly detection data mining algorithm, which assigns to each of the collected network connections a score reflecting how anomalous it is, and an association pattern analysis-based module, which generates a summarization report of those network connections that are ranked highly anomalous. Although MINDS seems to solve both anomaly and misuse detection problems, it requires human effort to assist in its data mining techniques for their proper functioning. That is, the summarized anomalous data information needs to be supplied to a human analyst who is then responsible for manually performing the unsupervised anomalous data labeling process.

Another distributed agent-based IDS called Distributed Hybrid Agent Based Intrusion Detection and Real Time Response System [Vaidehi and Ramamurthy 2004] analyzes anomalies to detect and identify Denial of Service (DoS) and data theft attacks, in addition to analyzing intrusion signatures capable of detecting wardriving-based hacks. It also attempts to respond to intrusions in real time by sending out alerts to the designated network administrator when network intrusions are detected. One of its main drawbacks is the design complexity of its comprising agents, in that each agent must take on almost all of the work load of network traffic sniffing, data parsing, and intrusion detection. This makes the architecture inherently less lightweight. In addition, its data mining techniques are less powerful since they are capable of detecting only a limited number of network attacks.

In Helmer et al. [2003], an IDS prototype entirely comprised of mobile agents was developed. In this architecture, the mobile agents travel among monitored systems in a network of distributed systems, obtain information from designated data-cleaning agents that reside at each host, classify and correlate the supplied information, and finally report the analysis results to a designated administrator through a user interface and several databases. One of its main advantages is its support for the runtime addition of new capabilities into the mobile agents. However, one of its main disadvantages is the overhead in time required to transmit the mobile agents' code and required data among the monitored hosts in the residing network, which reduces the system's ability to respond to network intrusions in real time.

All of these architectures, having both their advantages and disadvantages, attempt to achieve the common goal of effective intrusion detection, while at the same time minimising the adverse side effects of realistic constraints, such as the limited availability of processing power at hosts, and the scalability issues inherent in distributed system design.

3.1 System Design


The architecture of the proposed system (MABDIDS) consists of a set of distributed, autonomous but collaborating agents. The entire architecture of the proposed model of the Multiagent-based Distributed Intrusion Detection System (MABDIDS) is presented in Figure 3.1. The framework consists of the following components:

- Main Machine for Intrusion monitoring and detection
- Mobile Agent Platform
- Mobile Agents for Intrusion Detection
- Authentication Tool
- Utility Tool


[Figure: diagram labels are User Interface, Detection Engine (Snort), Message Handler, Mobile Agent Platform Interface, Mobile Agent Platform and Database, followed by three repeated groups, each a MAP interface with a Mobile Agent Platform (MAP) containing Aglet Context, Sniffer, Lightweight Snort, Briefcase and Message Handler.]

Figure 3.1 The General Architecture of MABDIDS

4.3.1 The Intrusion Detection Controller
The intrusion detection controller is the foundation of the distributed framework. It monitors the network segments and serves as the main intrusion detection and processing unit. Its key functions are as follows:

i. acting as a correlating unit for multiple log files sent by dispatched agents;
ii. providing and updating rule sets and severity lists for each of the agents;
iii. interfacing the IDS to the system administrator; and
iv. supervising and tracking existing mobile IDS agents, as well as instructing different agents about the speed of dumping that they should use depending on the security level.

The intrusion detection controller further comprises the following: an intrusion detection system (IDS) which serves as a detection engine; a user interface; a database; and a message handler.


4.3.1.1 Detection Engine
The detection engine analyses the log files of raw data gathered. The main role of the detection engine is to gather and correlate IDS data from the multiagent-based distributed intrusion detection system. Hence, it links events across the network and provides a heuristic analysis of the aggregated data.
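One way the controller could link events across the network, as an added Python example (not the authors' Snort-based engine): alerts reported by different agents are grouped by target, and a target is flagged when enough distinct sources hit it within a time window. The report format, the window and both thresholds are assumptions, and the sample reports are constructed.

```python
from collections import defaultdict

WINDOW_SECONDS = 10   # assumed correlation window
MIN_SOURCES = 3       # assumed: distinct sources that make a flood "distributed"
MIN_AGENTS = 2        # assumed: evidence must come from more than one agent


def correlate(reports):
    """Group agent alerts by target and flag targets hit from many sources."""
    by_target = defaultdict(list)
    for report in reports:
        for alert in report["alerts"]:
            by_target[alert["dst"]].append(
                (alert["time"], alert["src"], report["agent"]))

    incidents = []
    for target, events in sorted(by_target.items()):
        events.sort()                       # order by time
        start, best = 0, None
        for end, (when, _, _) in enumerate(events):
            while when - events[start][0] > WINDOW_SECONDS:
                start += 1                  # slide the window forward
            window = events[start:end + 1]
            sources = sorted({src for _, src, _ in window})
            agents = sorted({agent for _, _, agent in window})
            if len(sources) >= MIN_SOURCES and len(agents) >= MIN_AGENTS:
                # keep the widest window seen for this target
                if best is None or len(sources) > len(best["sources"]):
                    best = {"target": target, "sources": sources,
                            "agents": agents, "first_seen": window[0][0]}
        if best:
            incidents.append(best)
    return incidents


# Constructed alert reports as three agents might send them.
REPORTS = [
    {"agent": "agent-A", "alerts": [
        {"time": 100, "src": "10.0.1.11", "dst": "10.0.0.2"},
        {"time": 102, "src": "10.0.1.12", "dst": "10.0.0.2"}]},
    {"agent": "agent-B", "alerts": [
        {"time": 105, "src": "10.0.2.21", "dst": "10.0.0.2"},
        {"time": 106, "src": "10.0.2.22", "dst": "10.0.0.7"}]},
    {"agent": "agent-C", "alerts": [
        {"time": 300, "src": "10.0.3.31", "dst": "10.0.0.2"}]},
]

if __name__ == "__main__":
    for incident in correlate(REPORTS):
        print(incident)
```

No single agent in the sample sees three sources, so the flood on 10.0.0.2 only becomes visible once the reports from agent-A and agent-B are combined; the late alert from agent-C falls outside the window.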

4.3.1.2 User Interface
The user interface provides the graphical user interface (GUI) for the system administrator. Through the user interface, the system administrator is able to do the following:

- Initialise the number of start-up agents (parent IDS Agents) and arm each with a visit list for agent hopping.
- Assign an initial rule set for each agent that will be used by the detection engine to test for intrusions. This set can be updated later by the MIDP.
- Categorize attacks according to the severity level of each. The user interface enables the system administrator to customize the system security concerns by assigning dangerous attacks high severity levels and less harmful attacks lower severity levels.

4.3.1.3 Database
The database comprises a secure trusted storage for the mobile agents to obtain the latest information about attacks in order to update their severity lists. This database contains two types of information: signatures (rule set) and the severity level associated with each attack (severity list). A severity level defines the response mechanism that agents should use when particular attacks are detected. For instance, level 1 (most severe attack) means that the agents should send all logged network traffic plus the alarm file, while level 2 implies that the agent should send a representative of the logged traffic and the alarm file. The entire list is presented in Table 4.1. The database also contains credentials of existing agents in the system. This information includes: the agent ID, its child ID (if it exists), its parent ID (if it exists), the agent visit list, the agent proxy, and the host at which the agent is currently residing.


Severity level   Description
1                Send the entire log file and alerts generated
2                Send a summary of all log files and alerts generated
3                Send only the alert file while saving the dump file at the current host
                 Inform the intrusion detection manager about a potential attack while saving the dump and alert files at the current host.
                 Inform the intrusion detection manager about a potential attack while saving the dump file only at the current host.
                 Ignores the potential attack while saving the dump file only at the current host.

Table 4.1 List of Severity Rules

4.3.1.4 Message Handler
The message handler enables the Intrusion Detection Manager (IDM) to respond to messages sent to it. The intrusion detection manager identifies and interprets the following key messages: NEW_AGENT, MANUAL_UPDATE, ATTACK_DETECTED, DISPOSAL_REQUEST, CREATE_AGENTS_REQUEST, AGENT_INFO_REQUEST, and HOST_INFO_REQUEST.

4.3.2. Mobile Agent Platform (Tahiti Server)
The mobile agent platform (MAP) is commonly referred to as the Tahiti server; it has a graphical user interface (GUI) and is responsible for creating, interpreting, executing, dispatching, cloning and terminating agents. The platform is responsible for accepting requests made by network users, generating mobile IDS agents, and dispatching agents into the network to perform intrusion detection. The platform is a small server program that is deployed on each host within the network and is responsible for managing the mobile agent life cycle. The MAP has a MAP interface that acts as a graphical user interface (GUI) agent manager. The MAP interface enables end users to monitor existing agents in the MAP platform and manually carry out the following agent functions: create, dispatch, dispose, retract, and clone, among others.

4.3.3. Mobile IDS Agent
Each mobile IDS agent is composed of a sniffer, a lightweight Snort, a briefcase and a message handler. The mobile IDS agent essentially carries out three important tasks: sniffing the network traffic, carrying out intrusion detection, and executing cloning mechanisms when intrusions are detected. Sniffing and intrusion detection proceed in parallel. This implies that the agent creates two threads: the first one starts the sniffing process and afterwards, the second thread is created to run a lightweight mobile IDS. The execution of the cloning strategy is triggered only when an alert is logged into the alert file.
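The agent behaviour of section 4.3.3 combined with severity levels 1 to 3 of Table 4.1, as an added Python example that is not the authors' Aglets/Snort code: a sniffer thread and a detector thread run in parallel, a logged alert raises a clone request, and the severity level decides how much data leaves the host. The flood rule and its threshold, the packet records, the summary format and JSON as the wire encoding are assumptions; only the three levels numbered on the page are modelled.

```python
import json
import queue
import threading
from collections import Counter

FLOOD_THRESHOLD = 5   # assumed rule: packets seen from one source to one target
_DONE = object()      # sentinel: the sniffer thread has no more packets


class MobileIDSAgent:
    """Stand-in for one mobile IDS agent (plain Python, not the Aglets API)."""

    def __init__(self, agent_id, severity_level):
        if severity_level not in (1, 2, 3):
            raise ValueError("only severity levels 1-3 are modelled here")
        self.agent_id = agent_id
        self.severity_level = severity_level
        self.packets = queue.Queue()  # hand-off between sniffer and detector
        self.dump = []                # dump file: every packet sniffed
        self.alerts = []              # alert file
        self.clone_requests = 0       # cloning requests raised so far

    def _sniff(self, trace):
        for pkt in trace:
            self.dump.append(pkt)
            self.packets.put(pkt)
        self.packets.put(_DONE)

    def _detect(self):
        seen, flagged = Counter(), set()
        while True:
            pkt = self.packets.get()
            if pkt is _DONE:
                return
            flow = (pkt["src"], pkt["dst"])
            seen[flow] += 1
            if seen[flow] >= FLOOD_THRESHOLD and flow not in flagged:
                flagged.add(flow)     # one alert per flow, not one per packet
                self.alerts.append(
                    {"rule": "flood", "src": flow[0], "dst": flow[1]})
                self.clone_requests += 1  # cloning fires only on a logged alert

    def run(self, trace):
        """Sniff and detect in parallel, then build the severity-based report."""
        threads = [threading.Thread(target=self._sniff, args=(trace,)),
                   threading.Thread(target=self._detect)]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
        return self.report()

    def report(self):
        """What is sent to the controller; None when nothing was detected."""
        if not self.alerts:
            return None
        msg = {"agent": self.agent_id, "level": self.severity_level,
               "alerts": self.alerts}
        if self.severity_level == 1:      # entire log file plus alerts
            msg["log"] = self.dump
        elif self.severity_level == 2:    # summary of the log plus alerts
            flows = Counter(f'{p["src"]}->{p["dst"]}' for p in self.dump)
            msg["summary"] = dict(flows)
        # level 3: alerts only; the dump stays in self.dump on the current host
        return msg


def report_bytes(report):
    """Size of the report if serialised as JSON (assumed wire encoding)."""
    return len(json.dumps(report).encode())


# Constructed trace: six packets of a flood mixed with three benign packets.
FLOOD = {"src": "10.0.0.9", "dst": "10.0.0.2", "len": 60}
TRACE = [FLOOD, {"src": "10.0.0.5", "dst": "10.0.0.2", "len": 512}, FLOOD, FLOOD,
         {"src": "10.0.0.6", "dst": "10.0.0.3", "len": 128}, FLOOD, FLOOD,
         {"src": "10.0.0.5", "dst": "10.0.0.3", "len": 256}, FLOOD]

if __name__ == "__main__":
    for level in (1, 2, 3):
        agent = MobileIDSAgent(f"agent-{level}", level)
        rep = agent.run(TRACE)
        print(level, len(agent.alerts), agent.clone_requests, report_bytes(rep))
```

Running it prints one line per severity level; the report size shrinks from level 1 to level 3 while the alert content stays the same, which is the network saving the severity list is meant to buy.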


5. Performance Evaluation
The overall performance of the proposed MABDIDS was evaluated. Forty machines that were connected via a switch were used for this assessment. For a realistic testing environment, attacks were injected into a volume of network traffic. Specifically, flooding attacks were simulated by means of the well-known tool Metasploit version 3.5.1.

6. Conclusion and Future Research


The system potentially reduces the enormous amount of distributed log data moved among the inner nodes of a conventional IDS. Having mobile IDS agents visit hosts and do intrusion detection locally is well suited to the ability of mobile agents to move the computation to the data, thus reducing network load. Roaming the internal network, agents are capable of detecting attacks launched from within the network since the IDS will be capable of monitoring local traffic. Additionally, the developed architecture implements a robust and fault-tolerant IDS based on agent mobility. There is no single vulnerable point of failure. Agents roam the network continuously and thus are less susceptible to direct attacks. They can clone for redundancy or replacement and operate independently and autonomously from where they were created. The architecture is flexible since it is built on the concept of Severity on Demand. It is hoped that further work will be carried out in exploring the possible extension of the mobile IDS agent and of the system architecture.

References
[1] Natasha Gilani, "Uses of Computer Networking," eHow Contributor, 2012.
[2] Cisco Press, "Threats in an Enterprise Network," 2005.
[3] Helmer, G., Wong, J., Honavar, V., Miller, L., and Wang, Y., "Lightweight agents for intrusion detection," Journal of Systems and Software, v 67, n 2, p 109-122, Aug 15, 2003.
[4] Guangchun, L., Xianliang, L., Jiong, L., and Jun, Z., "MADIDS: A Novel Distributed IDS Based on Mobile Agent," ACM SIGOPS Operating Systems Review, Volume 37, Issue 1, Pages: 46-53, January 2003.
[5] Hochberg, J., Jackson, K., Stallings, C., McClary, J. F., DuBois, D., and Ford, J., "NADIR: An automated system for detecting network intrusion and misuse," Computers & Security, 12(3): 235-248, May 1993.
[6] Porras, P. A., and Neumann, P., "EMERALD: Event monitoring enabling responses to anomalous live disturbances," Proceedings of the 20th National Information System Security Conference, 1997.
[7] Crosbie, M., and Spafford, E., "Defending a computer system using autonomous agents," Proceedings of the 18th National Information Systems Security Conference, Oct 1995.
[8] Crosbie, M., and Spafford, G., "Active defense of a computer system using autonomous agents," Technical Report 95-008, COAST Group, Department of Computer Sciences, Purdue University, West Lafayette, IN 47907-1398, Feb 1995.
[9] Spafford, E., and Zamboni, D., "Intrusion detection using autonomous agents," Computer Networks, 34(4):547-570, October 2000.
[10] Balasubramaniyan, J., Garcia-Fernandez, J., Isacoff, D., Spafford, E., Zamboni, D., "An Architecture for Intrusion Detection using Autonomous Agents," Proceedings of the Computer Security Applications Conference, 1998.
[11] White, G., Fisch, E., and Pooch, U., "Cooperating security managers: A peer-based intrusion detection system," IEEE Network Magazine, IEEE Press, Volume 10, Issue 1, 1996.
[12] Barrus, J., and Rowe, N., "A distributed autonomous-agent network-intrusion detection and response system," Proceeding of the 1998 Command and Control Research and Technology Symposium, 1998.
[13] Smith, A., "An Examination of an Intrusion Detection Architecture for Wireless Ad Hoc Networks," Proceedings of the 5th National Colloquium for Information System Security Education, May 2001.
[14] Bernardes, M., Moreira, E., "Implementation of an Intrusion Detection System Based on Mobile Agents," Proceedings of the International Symposium on Software Engineering for Parallel and Distributed Systems, 2000.
[15] White, G., Fisch, E., and Pooch, U., "Cooperative security managers: A peer-based intrusion detection system," IEEE Network Magazine, IEEE Press, pages 20-23, Jan. 1996.
[16] Fenet, S., and Hassas, S., "A distributed intrusion detection and response system based on mobile autonomous agents using social insects communication paradigm," Electronic Notes in Theoretical Computer Science 63, 2001.
[17] Vigna, G., Cassell, B., and Fayram, D., "An Intrusion Detection System for Aglets".
[18] Nwaocha, V.O. and Inyiama, H.C., "Precluding Emerging Threats from Cyberspace: An Autonomic Administrative Approach". Vol. 1, No. 3, 100-104, 2011.
