Autonomous Agents for Intrusion Detection
The Autonomous Agents for Intrusion Detection Group is composed of students and faculty within CERIAS at Purdue University who are interested in studying novel distributed methods of intrusion detection.

Purpose of the Group

We address the problem of intrusion detection from a different angle: instead of a monolithic Intrusion Detection System (IDS) design, we propose a distributed architecture that uses small, independent entities, known as Agents, to detect anomalous or malicious behavior. We think this design has advantages over monolithic architectures in terms of scalability, efficiency, fault tolerance, and configurability.

Our purpose is to study the approach mentioned above by building systems that use it and measuring their performance and detection capabilities. By doing this, we expect to be able to discover the capabilities and limitations of the agent-based approach when applied to real systems.

Current status

The first complete specification of the AAFID architecture has been completed and published as a technical report. On the implementation front, the second release of the system implemented using the AAFID architecture, called AAFID2, has been made available to the public.


The AAFID2 prototype

New!!! The second release of the AAFID2 prototype has been released to the public! (Sep 7, 1999)

The latest implementation of a system that adheres to the AAFID architecture is called AAFID2. It is the second implementation of such a system, and the first one to be made available, both to the sponsors of the project and to the public.

AAFID2 is implemented completely in Perl5, which makes it easy to install and run it, and to port it to different systems. It has only been tested on Unix machines, but we are in the process of porting it to Windows NT as well.

The purpose of AAFID2 is to make it easy to experiment with the AAFID architecture. To that end, it has been made extremely flexible and configurable. It was developed using the object-oriented programming features of Perl5, which makes code reuse easy. The base infrastructure of AAFID2 includes most of the essential facilities for developing new entities, be they monitors, transceivers, agents or filters. AAFID2 also includes a code generation tool for developing new agents.
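To make the division of labor among the entities named above concrete, here is a small Perl5 sketch of the agent-based design described in the Purpose section and in this paragraph. It is an added illustration written for this page, not code from the AAFID2 distribution, and it does not use the AAFID2 classes or its code generator. It assumes the following roles, which are our reading of the entity names rather than a statement of the AAFID2 API: an Agent is a small, independent detector for one kind of event; a Transceiver runs the agents on one host, isolates any agent that fails, and forwards alerts; a Monitor collects alerts from several transceivers and correlates across hosts. Filters are omitted. The log lines are constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# --- Agent: a small, independent detector for one kind of event (assumed role) ---
package Agent;
sub new {
    my ($class, %args) = @_;
    return bless { name => $args{name}, check => $args{check} }, $class;
}
# Run this agent's check over one event; returns an alert hash or undef.
sub examine {
    my ($self, $host, $event) = @_;
    my $alert = $self->{check}->($event);
    return undef unless $alert;
    return { agent => $self->{name}, host => $host, %$alert };
}

# --- Transceiver: per-host controller that runs agents and forwards alerts (assumed role) ---
package Transceiver;
sub new {
    my ($class, %args) = @_;
    return bless { host => $args{host}, agents => [], monitor => $args{monitor} }, $class;
}
sub add_agent { my ($self, $agent) = @_; push @{ $self->{agents} }, $agent; }
sub process {
    my ($self, @events) = @_;
    for my $event (@events) {
        for my $agent (@{ $self->{agents} }) {
            # Isolate each agent: a crashing agent must not stop the others.
            my $alert = eval { $agent->examine($self->{host}, $event) };
            if ($@) {
                warn "agent $agent->{name} on $self->{host} failed: $@";
                next;
            }
            $self->{monitor}->report($alert) if $alert;
        }
    }
}

# --- Monitor: host-independent correlation across transceivers (assumed role) ---
package Monitor;
sub new { return bless { alerts => [], by_source => {} }, shift; }
sub report {
    my ($self, $alert) = @_;
    push @{ $self->{alerts} }, $alert;
    $self->{by_source}{ $alert->{source} }{ $alert->{host} } = 1 if $alert->{source};
}
# Sources that triggered alerts on at least $min_hosts distinct hosts.
sub multi_host_sources {
    my ($self, $min_hosts) = @_;
    return grep { scalar(keys %{ $self->{by_source}{$_} }) >= $min_hosts }
           sort keys %{ $self->{by_source} };
}

package main;

# Two detectors, each looking for one pattern in a syslog-style line.
my $failed_login = Agent->new(
    name  => 'failed-login',
    check => sub {
        my ($line) = @_;
        return $line =~ /Failed password .* from (\S+)/
            ? { type => 'failed_login', source => $1 } : undef;
    },
);
my $su_root = Agent->new(
    name  => 'su-root',
    check => sub {
        my ($line) = @_;
        return $line =~ /su: .* to root/ ? { type => 'su_root' } : undef;
    },
);
# A deliberately broken agent, to show the transceiver containing its failure.
my $broken = Agent->new(name => 'broken', check => sub { die "internal error\n" });

# Constructed sample log lines for two hosts (not real data).
my $monitor = Monitor->new;
my %hosts = (
    alpha => [ "Sep  7 01:01:48 alpha sshd[412]: Failed password for root from 10.0.0.9 port 40112 ssh2",
               "Sep  7 01:02:10 alpha su: joe to root on /dev/pts/0" ],
    beta  => [ "Sep  7 01:03:02 beta sshd[77]: Failed password for admin from 10.0.0.9 port 40120 ssh2",
               "Sep  7 01:03:30 beta sshd[78]: Accepted password for joe from 10.0.0.5 port 33001 ssh2" ],
);
for my $host (sort keys %hosts) {
    my $t = Transceiver->new(host => $host, monitor => $monitor);
    $t->add_agent($_) for ($failed_login, $su_root, $broken);
    $t->process(@{ $hosts{$host} });
}
printf "%d alerts collected\n", scalar @{ $monitor->{alerts} };
print "source $_ seen on multiple hosts\n" for $monitor->multi_host_sources(2);
```

The point of the sketch is the property the paragraph claims for the architecture: each agent is independent, so the failing one is reported by its transceiver and skipped while the other agents keep producing alerts, and only the monitor needs to see more than one host, which is what lets the per-host pieces stay small.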

More information can be found in the announcement.


Documentation and publications

The following papers constitute the documentation of the project:
* An Architecture for Intrusion Detection using Autonomous Agents
Jai Balasubramaniyan, Jose Omar Garcia-Fernandez, E. H. Spafford, and Diego Zamboni, Department of Computer Sciences, Purdue University; Coast TR 98-05; 1998.
This paper documents the AAFID architecture, describes some of the experiences with the prototypes that have been developed, and some thoughts for future development.

* A framework and prototype for a distributed Intrusion Detection System
Diego Zamboni and E. H. Spafford. Department of Computer Sciences, Purdue University; Coast TR 98-06; 1998.
This paper documents the implementation of AAFID2, including design and implementation decisions, and some preliminary performance measurements. Note: This paper is not yet available.

* AAFID2 Users Guide
Diego Zamboni and E. H. Spafford. Department of Computer Sciences; 1998.
This is the users guide for the AAFID2 prototype. It includes how to use the programs included in the prototype, as well as how to develop new agents for use with the system. Note: The latest version of this document is available with the distribution of the AAFID2 prototype.

Near-term goals

Currently, our main objective is to get user feedback from people who use the AAFID2 prototype and use it to correct any problems or make improvements to the prototype. We are also in the process of developing as many new agents as possible, both to provide a good base functionality with the prototype distribution and to test the agent-development facilities included with AAFID2.


Related information

For more information about the origins of the AAFID project, and about intrusion detection and agents in general, we suggest the following:
  1. Defending a system using autonomous agents. Mark Crosbie and Eugene Spafford
  2. Network Intrusion Detection. B. Mukherjee, L. Todd Heberlein, Karl Levitt
  3. Classification and Detection of Computer Intrusions. Sandeep Kumar
  4. COAST Intrusion Detection Pages
  5. COAST Intrusion Detection Bibliography
  6. Intrusion Detection Mailing List Archive

Sponsors


Members of the Group

The Autonomous Agents for Intrusion Detection Group is composed of the following COAST students and faculty:


CERIAS Autonomous Agents for Intrusion Detection Group
Last modified: Tue Sep 7 01:01:48 EST 1999