Multi-Agent Systems for Integrated Host and Network-Based Intrusion Detection
Project Summary

Complex distributed systems (e.g., computer systems, communication networks, power systems) are equipped with sensors and measurement devices that gather and store a variety of data useful in monitoring and controlling the operation of such systems. For instance, system logs gathered by multiple computers connected to a network contain information that is useful in detecting anomalies and intrusions. Analysis of such system logs over time can lead to the discovery of knowledge useful for detecting intrusions on the basis of observed activity. An example of an attack involving more than one subsystem is a combined NFS and rlogin attack: the attacker determines the NFS file handle of a user's .rhosts file or of /etc/hosts.equiv (assuming the file system containing it is exported by the UNIX host), uses that handle to rewrite the file so that the attacker's host is trusted, and then uses rlogin to gain login access to the attacked host without a password. The NFS subsystem alone sees only a file write, and the login subsystem alone sees only a trusted-host rlogin; neither view by itself reveals the attack. To detect and respond to such multistage or concerted attacks, the intrusion detection system must be able to gather and operate on data and knowledge sources from the entire observed system.
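The following is an added example, not code from the project described here, showing the kind of cross-source correlation the NFS/rlogin attack calls for: an NFS sensor stream and a host login stream are joined so that a write to a trust file followed by an rlogin from the same source address is raised as one alert. The log formats, the address-to-hostname map, the hostnames and the addresses are all constructed for illustration and do not correspond to any real sensor or rlogind output.

```python
"""Added example: cross-source correlation of the NFS/rlogin attack described
above. Log formats, hostnames and addresses are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed asset map: the network sensor reports NFS servers by address,
# the host log names the machine. Joining the two is the integration step.
HOST_BY_ADDR: Dict[str, str] = {"10.0.0.20": "mars"}

# Files that grant password-less rlogin/rsh trust on a classic UNIX host.
TRUST_FILE_SUFFIXES = (".rhosts", "hosts.equiv")


@dataclass
class NfsEvent:
    ts: datetime
    client: str  # NFS client address (the would-be attacker)
    server: str  # NFS server, normalised to its hostname
    proc: str    # NFS procedure: LOOKUP, WRITE, ...
    path: str    # exported path the procedure touched


@dataclass
class LoginEvent:
    ts: datetime
    host: str    # host whose rlogind wrote the record
    remote: str  # address the rlogin came from
    user: str
    ok: bool


@dataclass
class Alert:
    victim: str
    attacker: str
    user: str
    path: str
    write_ts: datetime
    login_ts: datetime


def parse_nfs(line: str) -> NfsEvent:
    # Constructed sensor format: "<iso-ts> nfs <client> -> <server> <PROC> <path>"
    ts, _, client, _, server, proc, path = line.split()
    return NfsEvent(datetime.fromisoformat(ts), client,
                    HOST_BY_ADDR.get(server, server), proc, path)


def parse_login(line: str) -> LoginEvent:
    # Constructed host-log format:
    # "<iso-ts> <host> rlogind: login <ok|failed> user=<u> from=<addr>"
    ts, host, _, _, status, user, frm = line.split()
    return LoginEvent(datetime.fromisoformat(ts), host,
                      frm.split("=", 1)[1], user.split("=", 1)[1], status == "ok")


def is_trust_file(path: str) -> bool:
    return path.endswith(TRUST_FILE_SUFFIXES)


def correlate(nfs: List[NfsEvent], logins: List[LoginEvent],
              window: timedelta = timedelta(minutes=30)) -> List[Alert]:
    """One Alert per successful rlogin preceded, within `window`, by an NFS
    write to a trust file on the same host from the same source address.
    Neither stream alone identifies the attack: the write looks like routine
    NFS traffic and the login looks like a normal trusted-host rlogin."""
    writes = [e for e in nfs if e.proc in ("WRITE", "CREATE") and is_trust_file(e.path)]
    alerts: List[Alert] = []
    for lg in logins:
        if not lg.ok:
            continue
        for w in writes:
            if (w.server == lg.host and w.client == lg.remote
                    and timedelta(0) <= lg.ts - w.ts <= window):
                alerts.append(Alert(lg.host, lg.remote, lg.user, w.path, w.ts, lg.ts))
                break
    return alerts


# Constructed sample data: one attack sequence and two benign look-alikes
# (a write to a non-trust file followed by a login, and a login with no write).
NFS_LOG = [
    "2000-03-01T09:15:00 nfs 10.0.0.7 -> 10.0.0.20 WRITE /export/home/alice/notes.txt",
    "2000-03-01T10:01:50 nfs 10.0.0.5 -> 10.0.0.20 LOOKUP /export/home/root",
    "2000-03-01T10:02:11 nfs 10.0.0.5 -> 10.0.0.20 WRITE /export/home/root/.rhosts",
]
HOST_LOG = [
    "2000-03-01T09:16:00 mars rlogind: login ok user=alice from=10.0.0.7",
    "2000-03-01T10:03:40 mars rlogind: login ok user=root from=10.0.0.5",
    "2000-03-01T10:20:00 mars rlogind: login ok user=bob from=10.0.0.9",
]


def run_demo() -> List[Alert]:
    return correlate([parse_nfs(l) for l in NFS_LOG],
                     [parse_login(l) for l in HOST_LOG])


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.victim}: {a.attacker} wrote {a.path} at {a.write_ts:%H:%M:%S}, "
              f"then logged in as {a.user} at {a.login_ts:%H:%M:%S}")
```

Only the root login from 10.0.0.5 is reported: the alice login is preceded by a write to an ordinary file, and the bob login has no preceding write at all. In a deployed system the two parsers would be the host-based and network-based agents, and `correlate` the place where their observations are combined.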

This research is aimed at developing, implementing, and evaluating multi-agent systems for integrated host- and network-based monitoring of large distributed computer and communication networks for intrusions. A system of stationary and mobile software agents will:

Anticipated results of this research include new algorithmic and systems solutions for monitoring of large distributed systems in general, and detection of coordinated or concerted attacks on distributed computing systems in particular.

The proposed research will be closely integrated with education and training of graduate and undergraduate students in Computer Science at Iowa State University.
