Adaptive Agent-Based Intrusion Response
Abstract
A new methodology has been developed for adaptive, automated intrusion response (IR) focusing on the role of software agents in providing that response. The majority of intrusion response systems (IRSs) react to attacks by generating reports or alarms. This introduces a window of vulnerability between when an intrusion is detected and when action is taken to defend against the attack. This window of vulnerability has been reduced through an agent-based system that adaptively responds to intrusions. Multiple IDSs monitor a computer system and generate intrusion alarms. Interface agents maintain a model of each IDS based on the number of false positives/negatives previously generated. Each Interface agent uses this model to generate an attack confidence metric and passes this metric along with the intrusion alarm to the Master Analysis agent. The Master Analysis agent classifies whether the incident is a continuation of an existing incident or is a new attack. If it is a new attack, the Master Analysis agent creates a new Analysis agent to develop a response plan to the new attack. If the incident is a continuation of an existing attack, the Master Analysis agent passes the attack confidence metric and intrusion alarm to the existing Analysis agent handling the attack.
Document Details
- Document Type: Technical Report
- Publication Date: May 01, 2001
- Accession Number: ADA412951
Entities
People
- Curtis A. Carver Jr
Organizations
- Texas A&M University