The Autonomous Agents for Intrusion Detection Group is composed of a number of students and faculty within the CERIAS at Purdue University who are interested in studying novel distributed methods of Intrusion Detection.

Purpose of the Group

We address the problem of intrusion detection from a different angle: instead of a monolithic Intrusion Detection System (IDS) design, we propose a distributed architecture that utilizes small independent entities, known as Agents, to detect anomalous or malicious behavior. We think our design has advantages over other architectures in terms of scalability, efficiency, fault-tolerance, and configurability.

Our purpose is to study the approach mentioned above by building systems that use it and measuring their performance and detection capabilities. By doing this, we expect to be able to discover the capabilities and limitations of the agent-based approach when applied to real systems.

Current status

Development has stopped indefinitely on AAFID. As a research platform, it was invaluable in identifying characteristics that are necessary in an intrusion detection system, and in providing groundwork for other projects, such as ESP.

The AAFID2 prototype is now considered unsupported.

The AAFID2 prototype

The second release of the AAFID2 prototype has been released to the public! (Sep 7, 1999)

The latest implementation of a system that adheres to the AAFID architecture is called AAFID2. It is the second implementation of such a system, and the first one to be made available, both to the sponsors of the project and to the public.

AAFID2 is implemented completely in Perl5, which makes it easy to install, run, and port to different systems. It has only been tested on Unix machines, but we are in the process of porting it to Windows NT as well.

The purpose of AAFID2 is to make it easy to experiment with the AAFID architecture. To that end, it has been made extremely flexible and configurable. It was developed using the object-oriented programming features of Perl5, which makes code reuse easy. The base infrastructure of AAFID2 includes most of the essential facilities for developing new entities, be they monitors, transceivers, agents or filters. AAFID2 also includes a code generation tool for developing new agents.
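The entity hierarchy described above (filters feeding agents, agents reporting to a per-host transceiver, transceivers reporting to a monitor) sketched as a toy model. This is an added illustration in Python, not AAFID2's own Perl code; the log records, the failed-login agent and the thresholds are constructed for the example.

```python
"""Toy model of the AAFID entity hierarchy: a filter reads the data source,
agents run small checks, a transceiver aggregates per host, a monitor
correlates across hosts. Assumed structure for illustration only."""
from collections import Counter, defaultdict

# Constructed sample records (not real data): (host, event, source address).
SAMPLE_LOG = [
    ("hostA", "login_failed", "10.0.0.5"),
    ("hostA", "login_failed", "10.0.0.5"),
    ("hostA", "login_failed", "10.0.0.5"),
    ("hostB", "login_failed", "10.0.0.5"),
    ("hostB", "login_failed", "10.0.0.5"),
    ("hostB", "login_failed", "10.0.0.5"),
    ("hostA", "login_ok", "10.0.0.7"),
]

def log_filter(host, records):
    """Filter: the one entity that reads the data source for a host and
    hands the records to every agent on that host."""
    return [r for r in records if r[0] == host]

def failed_login_agent(records, threshold=3):
    """Agent: one small, independent check. Reports each source address
    whose failed-login count reaches the threshold."""
    counts = Counter(src for _, ev, src in records if ev == "login_failed")
    return [(src, n) for src, n in counts.items() if n >= threshold]

def transceiver(host, records, agents):
    """Transceiver: runs the host's agents over the filtered records and
    aggregates their reports for the monitor."""
    host_records = log_filter(host, records)
    reports = []
    for agent in agents:
        reports.extend(agent(host_records))
    return {"host": host, "reports": reports}

def monitor(host_reports, min_hosts=2):
    """Monitor: correlates transceiver reports across hosts. A source
    reported by several hosts is escalated as a distributed alert."""
    seen = defaultdict(set)
    for rep in host_reports:
        for src, _ in rep["reports"]:
            seen[src].add(rep["host"])
    return {src: sorted(h) for src, h in seen.items() if len(h) >= min_hosts}

def run(records, hosts=("hostA", "hostB")):
    """Wire the hierarchy together: one transceiver per host, one monitor."""
    reports = [transceiver(h, records, [failed_login_agent]) for h in hosts]
    return monitor(reports)
```

Because each agent sees only its own host's records, a source that trips the threshold on several hosts is visible only at the monitor level, which is the point of the layered design.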

More information can be found in the announcement.

You can also download the latest AAFID prototype directly from here via FTP or HTTP (1MB file). The PGP signature of this file can be found here(link removed). The signature was generated with this public key(link removed).


Documentation and publications

The following papers constitute the documentation of the project:

  1. Intrusion detection using autonomous agents (HTTP: PDF).
     Eugene H. Spafford and Diego Zamboni, Computer Networks, 34(4):547-570, October 2000.
     This is the latest paper about the AAFID project. It documents the architecture and the implementation of the project.
  2. An Architecture for Intrusion Detection using Autonomous Agents (HTTP: PostScript, PDF).
     Jai Balasubramaniyan, Jose Omar Garcia-Fernandez, E. H. Spafford, and Diego Zamboni, Department of Computer Sciences, Purdue University; COAST TR 98-05; 1998.
     This paper documents the AAFID architecture, describes some of the experiences with the prototypes that have been developed, and some thoughts for future development.
  3. AAFID2 Users Guide.
     Diego Zamboni and E. H. Spafford, Department of Computer Sciences; 1998.
     This is the users guide for the AAFID2 prototype. It includes how to use the programs included in the prototype, as well as how to develop new agents for use with the system. Note: The latest version of this document is available with the distribution of the AAFID2 prototype.

Related information

For more information about the origins of the AAFID project, and about intrusion detection and agents in general, we suggest the following links:
  1. Defending a system using autonomous agents. Mark Crosbie and Eugene Spafford
  2. Network Intrusion Detection. B. Mukherjee, L. Todd Heberlein, Karl Levitt
  3. Classification and Detection of Computer Intrusions(link removed). Sandeep Kumar
  4. COAST Intrusion Detection Pages
  5. COAST Intrusion Detection Bibliography(link removed)

Sponsors


Members of the Group

The Autonomous Agents for Intrusion Detection Group is composed of the following CERIAS students and faculty:

  • Gene Spafford, Director
  • Mikhail Atallah, Faculty
  • Joshua Gray, Undergraduate student
  • Mahesh Tripunitara, Graduate student
  • Diego Zamboni, Graduate student

CERIAS Autonomous Agents for Intrusion Detection Group