
2010 3rd International Conference on Advanced Computer Theory and Engineering (ICACTE)

A Multi-Agent-Based Distributed Intrusion Detection System


Weijian Huang
School of Information Science and
Electrical Engineering
Hebei University of Engineering
Handan, China
huangweijian0808@sina.com
YanAn
School of Information Science and
Electrical Engineering
Hebei University of Engineering
Handan, China
xufanfffff@163.com
Wei Du
School of Information Science and
Electrical Engineering
Hebei University of Engineering
Handan, China
Hd_dudu@163.com
Abstract-A distributed intrusion detection system, as a
supplement to the firewall, can provide more effective means
of protection. This article describes the development trend and
the shortcomings of the Distributed Intrusion Detection System,
and describes in detail the advantages, the structure and the
working principle of a Distributed Intrusion Detection System
based on multi-agent technology. It proves the superiority of a
Multi-Agent-Based Distributed Intrusion Detection System. A
Distributed Intrusion Detection System based on multi-agent
technology can effectively improve the detection accuracy and
detection speed, and enhance the system's own security. A
Multi-Agent-Based Distributed Intrusion Detection System can
cooperate with the firewall and the network management tool to
constitute a three-dimensional defense system.
Keywords- Distributed Intrusion Detection System; network
security; multi-agent
I. INTRODUCTION
Along with the rapid development of computer network
technology and the Internet, the computer network has brought
huge convenience to people. But the Internet is an open
system for the general public, and it does not fully consider
information confidentiality and system security. The Internet
therefore carries security risks, and the network security
situation has become more critical. An intrusion detection
system can monitor and analyze user and system activity, and
identify and reflect the activity patterns of attacks that are
known to management personnel. A Distributed Intrusion
Detection System collects information at several key points of
the computer network or computer system and analyzes this
information. From the collected information it can discover
signs of attack and behavior that violates the network or
system security policy. A Distributed Intrusion Detection
System can make up for what a firewall lacks. It provides
real-time network security intrusion detection and takes the
appropriate protective measures. A Distributed Intrusion
Detection System based on multi-agent technology can
effectively improve the detection accuracy and detection speed,
and enhance the system's own security. A Multi-Agent-Based
Distributed Intrusion Detection System can cooperate with the
firewall and the network management tool to constitute a
three-dimensional defense system.
II. DISTRIBUTED INTRUSION DETECTION SYSTEM
DEVELOPMENT TRENDS AND PROBLEMS
A. Development Trends
Along with the swift development of computer networks, the
network security problem is becoming more and more
important. Using firewalls to protect network security is not
enough, because the intruder might try to find open channels
behind the firewall. Moreover, as a result of performance
limitations, the firewall cannot normally provide an
effective intrusion detection capability. The intrusion
detection system is a network security technology of recent
years [1, 2]. It is a combination of hardware and software; it
can make up for the firewall's insufficiency, provide effective
intrusion detection and take the necessary protective measures
for the protected network [2, 3].
Intrusion detection is a new and rapidly developing area
and it has become an important issue in network security [2,
3]. Intrusion detection methods and products are constantly
being researched and developed. Intrusion detection
technology has begun to show its important value in network
attack and defense.
A host-based or network-based Intrusion Detection System
is almost powerless against complex attacks. A distributed
intrusion detection system can curb the devastating effects of
such attacks.
B. Problems
An intrusion detection system must comply with the principles
of safety, integrity and parallelism. It is very difficult for an
Intrusion Detection System to meet these three principles, so
the Intrusion Detection System still has many defects and
hazards [1]:

• The intrusion detection system cannot inspect the entire
  packet very well.
• Signature database updates are not timely.
• The detection method is single.
• Different Intrusion Detection Systems cannot interoperate.
• Intrusion Detection Systems and other network security
  products cannot interoperate.
• The architecture of intrusion detection systems needs to be
  improved.
978-1-4244-6542-2/$26.00 2010 IEEE V3-141
III. A MULTI-AGENT-BASED DISTRIBUTED INTRUSION
DETECTION SYSTEM
A. Advantages
The advantages of a Multi-Agent-Based Distributed Intrusion
Detection System are as follows [1, 4]:
• A Distributed Intrusion Detection System based on
  multi-agent technology has good independence, strong
  flexibility and good scalability. It uses the Agent's
  autonomy and the system structure to keep the scale of the
  Intrusion Detection System extensible. The Intrusion
  Detection Module is designed on a unified framework and
  its rules can be extended.
• It uses a top-down control mechanism which works layer by
  layer to prevent the spread of damage. An upper entity can
  control a lower entity. Entities in the same layer can send
  transaction information to each other.
• The resilience of the system is very strong. Each Agent
  has a system image inspection system to ensure its
  safety. Once an Agent loses its function, it sends an
  initiative message to the upper Agent, and the upper
  Agent does the restoration work.
• It uses Agent analysis of application software to protect
  a number of important applications. It uses data integrity
  analysis technology to make detection more accurate.
B. Framework
Figure 1. A Multi-Agent-Based Distributed Intrusion Detection System's
framework [5]
The figure describes the framework of a Multi-Agent-Based
Distributed Intrusion Detection System. The system
consists of a number of Agents that have different functions
in the network and together form a system of uniform levels.
These agents can either work independently or work together.
Data collection agents fall into three categories [4, 5]:
host-based, network-based and application-based. The main job
of a data collection agent is to collect raw data [4, 5].
This raw data includes the state and behavior of the system,
the network and user activity. The data collection agent
filters and re-organizes the raw data it has collected, then
transmits it to the data analysis agent.
Data analysis agents fall into three categories [4, 5]:
host-based, network-based and application-based. The data
analysis agent's main job is to perform a comprehensive
analysis of the data sent to it by the data collection agent.
The data analysis agent can detect intrusions involving
multiple hosts, networks and applications. The data analysis
agent is the key to the whole Intrusion Detection System
[4, 5]. The accuracy of the data analysis agent directly
affects the performance of the whole system.
The communication agent's main task is to handle the
communications of the related agents. The communication agent
cannot detect or control attacks. The communication agent is
responsible for the transmission of all information flow [4, 5].
The center agent monitors the operation of the whole system
at a high level. The system administrator uses the center
agent to manage the entire Distributed Intrusion Detection
System.
C. Working Principle
Figure 2. A Multi-Agent-Based Distributed Intrusion Detection System's
principle of work
The figure describes the working principle of a
multi-agent-based Distributed Intrusion Detection System. A
Distributed Intrusion Detection System based on multi-agent
technology uses the architecture of the Distributed Intrusion
Detection System and combines a variety of advanced intrusion
analysis and detection technologies. These intrusion
analysis and detection technologies include pattern matching,
protocol analysis, anomaly detection, key surveillance,
content resume, network audit and so on [4, 5]. An Intrusion
Detection System based on multi-agent technology can
monitor and analyze network communication and provide
real-time intrusion detection and the corresponding
preventive methods. It can create comprehensive network
security protection.
In a specific deployment, the data collection agent should be
flexibly configured according to the actual situation, such as
the network rate, data encryption, network switching
and so on [4, 5]. The data analysis agent uses misuse detection
technology based on the expert system, state analysis and
attack tree analysis to make the proper response to an
attack [4, 5]. The data analysis agent can achieve a high
detection rate, a low false alarm rate and timely response [4, 5].
The communication agent is a key part of a multi-agent-based
Distributed Intrusion Detection System. The communication
agent cannot detect or control attacks, so the communication
agent must have a reliable security mechanism. The center agent
can decide the cases that the data analysis agent cannot
judge, allocate and manage all the Agents in the system in a
unified way, display the alarm information and handle the
response.
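The data flow of this section, as an added example that is not from the paper: collection agents filter events, the communication agent carries them, the analysis agent matches patterns and correlates across hosts, and the center agent settles what the analysis agent escalates. HMAC-SHA256 stands in for the unspecified "reliable security mechanism"; the key, signatures, threshold, watchlist and events are constructed assumptions.

```python
import hashlib, hmac, json
from collections import defaultdict
KEY = b"constructed-demo-key"            # assumption: key shared by the agents
SIGNATURES = ("/etc/passwd", "cmd.exe")  # constructed misuse patterns

def collect(host, raw_events):
    """Data collection agent: filter noise and re-organize raw events."""
    return [{"host": host, "src": s, "type": t, "data": d}
            for s, t, d in raw_events if t != "heartbeat"]

def send(records):
    """Communication agent, sending side: serialize and add an HMAC-SHA256 tag."""
    body = json.dumps(records, sort_keys=True).encode()
    return body, hmac.new(KEY, body, hashlib.sha256).hexdigest()

def receive(body, tag):
    """Communication agent, receiving side: refuse forged or altered messages."""
    expected = hmac.new(KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("message authentication failed")
    return json.loads(body)

def analyze(records, threshold=3):
    """Data analysis agent: pattern matching plus correlation across hosts."""
    verdicts, failed = {}, defaultdict(set)
    for r in records:
        if any(sig in r["data"] for sig in SIGNATURES):
            verdicts[r["src"]] = "alert"          # known pattern, decided here
        elif r["type"] == "login_failed":
            failed[r["src"]].add(r["host"])
    for src, hosts in failed.items():
        n = len(hosts)  # many hosts: alert; a few: cannot judge, pass upward
        verdicts.setdefault(src, "alert" if n >= threshold else "escalate" if n > 1 else "ok")
    return verdicts

def center(verdicts, watchlist):
    """Center agent: settle the cases the analysis agent could not judge."""
    return {src: ("alert" if src in watchlist else "ok") if v == "escalate" else v
            for src, v in verdicts.items()}

RAW = {  # constructed sample events per monitored host: (source, type, data)
    "h1": [("192.0.2.5", "login_failed", ""), ("192.0.2.9", "login_failed", ""),
           ("192.0.2.8", "login_failed", ""), ("h1", "heartbeat", "")],
    "h2": [("192.0.2.5", "login_failed", ""), ("192.0.2.9", "login_failed", "")],
    "h3": [("192.0.2.5", "login_failed", ""), ("192.0.2.7", "http", "GET /etc/passwd")],
}
def run(watchlist=frozenset({"192.0.2.9"})):
    records = [r for host, ev in RAW.items() for r in receive(*send(collect(host, ev)))]
    return center(analyze(records), watchlist)
```

Calling `run()` returns one verdict per source address; a message whose body was changed in transit never reaches `analyze` because `receive` raises first.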
IV. SUMMARY
In the current state of computer security, security
protection based on firewalls and encryption technology is
very important, and we must develop distributed intrusion
detection technology in order to improve the system's
security status. A Multi-Agent-Based Distributed Intrusion
Detection System can improve the detection accuracy and
detection speed, and enhance the system's own security.
ACKNOWLEDGMENT
The work is supported by the project of the Social
Science Foundation of Hebei Province under Grant No.
HB09BSH006.
REFERENCES
[1] Yixue Wang, A Sort of Multi-Agent Cooperation Distributed Based
Intrusion Detection System, Modern Computer, 2008.
[2] Jianchun Jiang, Hengtai Ma, Dangen Ren, Network Security Intrusion
Detection, Journal of Software, 2000.
[3] J. Marin, D. Ragsdale, and J. Surdu, A hybrid approach to the profile
creation and intrusion detection, Proc. of DARPA Information
Survivability Conference & Exposition II, 2001.
[4] Ming Tan, Xiaolong Hu, Liancheng Liu, Based on multi-examination
technology invasion examination system model, Computer project
and design, 2008.
[5] Ming Xiao, Distributed Intrusion Detection System Design,
Electronic Science and Technology University, 2002.
[6] Yunfang Chen, Distributed Intrusion Detection System Key
Technology Research, Lanzhou University, 2008.
[7] Yufeng Zhong, An architecture of Distributed Intrusion Detection
System, Applied science and technology, 2008.
[8] Jie Zhu, Distributed Intrusion Detection System, Central South
University, 2006.
[9] Ying Liu, Yong Hou, The Deployment of Distributed intrusion
Detecting System, Office Automation Magazine, 2007.