Attack abstraction using a multiagent system for intrusion detection

Full description

Bibliographic details
Published in: Journal of Intelligent & Fuzzy Systems, 2005-01, Vol. 16 (2), pp. 141-150
Main authors: Zaki, M; Sobh, Tarek S
Format: Article
Language: English
Online access: Full text
Description

Summary: In security environments many complicated and interrelated software elements, such as firewalls, network scanners, event distributors and authentication tools, should work cooperatively. The proposed model consists of a Multiagent Intrusion Detection System (MIDS) for gathering attack information. It provides a software environment that can afford a generalization/specialization process in order to accomplish attack abstraction. Such a model is designed to detect attacks over several protocols, such as Port Activity, SMTP, HTTP, and FTP. The system changes can be obtained by applying an appropriate security auditing policy. As such, MIDS includes four agents: 1) Signature Agent (SA), 2) Network Events Agent (NEA), 3) Vulnerability Scan Agent (VSA) and 4) Intrusion Detection Agent (IDA). These agents run on each host to be monitored.
ISSN: 1064-1246