The DEMIAN system approach to intrusion detection

Abstract

This paper presents a small multi-agent system for intrusion detection, the DEMIAN system, which contributes a new knowledge specification approach to model the behaviour and the communication of intrusion detection agents. A new detection language, with special focus on simplicity, usability and maintenance, was specified to model DEMIAN monitoring agents. A new correlation language, with a functional and analytical foundation, was defined to model the high-level threat analyst agent. Finally, all communication activities between agents were separated from monitoring and threat analysis tasks and modelled in an independent and interoperable way. This new approach to modelling the communication between agents integrates the main standardization efforts on agent communication languages and intrusion detection formats: the FIPA-ACL standard for Agent Communication Language and the Intrusion Detection Working Group IDMEF format. This integration is one of the main accomplishments of our work. In DEMIAN, we don't need to define a unique modelling language that supports all possible aspects of an attack language. With our approach, it's possible to specify the behaviour of different types of agents with different languages, and maintain the system fully integrated as long as all agents communicate with the same language and understand the same vocabulary.