CIDS: An agent-based intrusion detection system



Computers & Security (2005) 24, 387-398

www.elsevier.com/locate/cose


D. Dasgupta*, F. Gonzalez, K. Yallapu, J. Gomez, R. Yarramsettii

Intelligent Security Systems Research Laboratory, Division of Computer Science, The University of Memphis, Memphis, TN 38152, United States

Received 1 July 2003; revised 6 October 2004; accepted 21 January 2005

KEYWORDS: Security agents; Cougaar; Plugin; Intrusion detection; Decision support

Abstract. The paper describes a security agent architecture, called CIDS, which is useful as an administrative tool for intrusion detection. Specifically, it is an agent-based monitoring and detection system, which is developed to detect malfunctions, faults, abnormalities, misuse, deviations, intrusions, and provide recommendations (in the form of common intrusion detection language). The CIDS can simultaneously monitor networked-computer activities at multiple levels (user to packet level) in order to find correlation among the deviated values (from the normal or defined policy) to determine specific security violations. The current version of CIDS (CIDS 1.4) is tested with different simulated attacks in an isolated network, and some of those results are reported here. © 2005 Elsevier Ltd. All rights reserved.

* Corresponding author. E-mail address: [email protected] (D. Dasgupta).

0167-4048/$ - see front matter © 2005 Elsevier Ltd. All rights reserved. doi:10.1016/j.cose.2005.01.004

Introduction

With the growing use of Internet applications and automated scripts, it has become very difficult to keep track of all cyber activities. While it is hard to track each and every application, in particular the most exploitable ones such as Active scripting (Jscript, VBScript), ActiveX, Outlook, Outlook Express, etc., it is possible to monitor their effects on the system and its resources. Moreover, it is necessary to efficiently analyze monitored network data for faster attack detection and response.

Intrusion/anomaly detection (Anderson, 1980; Axelsson et al., 1996; Denning, 1987; Dunlap and Dasgupta, 2002; Krügel and Toth, 2001; Roesch, 1999; Chari and Cheng, 2003) is an important part of network security. There are many intrusion detection systems (IDS) commercially available. A detailed survey and taxonomy of practical IDSs may be found in the literature (Allen et al., 2000; Debar et al., 1999). Some are anomaly based and others are signature based. Security researchers also formed working groups to develop a common framework, methodology and description language for intrusion detection systems (Lee and Stolfo, 2000; Porras et al., 1998; Intrusion Detection Message Exchange Format). Recent works on building next generation intrusion detection systems highlight new areas of research, which include artificial intelligence (Dasgupta and Gonzalez, 2002; Gomez and Dasgupta, 2002; Lane and Brodley, 1999; Warrender et al., 1999), data mining (Lee et al., 2000; Lee and Stolfo, 1998), statistical techniques (Denning, 1987; Porras and Neumann, 1997), agent frameworks (Asaka et al., 1999a; Helmer et al., 2002), etc. There are many approaches used in agent technologies such as autonomous agents (Balasubramaniyan et al., 1998; Barrus and Rowe, 1998; Crosbie and Spafford, 1995), intelligent agents (Carver et al., 2000; Helmer et al., 1998) and mobile agents (Asaka et al., 1999b; Bernardes and Santos, 2000; Dasgupta, 1999; Jansen et al., 1999; Jansen et al., 2000; Jazayeri and Lugmayr, 2000; Krügel and Toth; Queiroz et al., 1999; Brian and Dasgupta, 2001) for distributed intrusion detection.

For example, an intrusion detection system using autonomous agents employs a hierarchical architecture, called AAFID (Balasubramaniyan et al., 1998). This architecture is composed of agents at the lowest level, which perform data collection and analysis tasks; transceivers and monitors constitute the major components of the IDS. Each host has an agent performing the monitoring activity and reporting any abnormality to the transceivers. Transceivers are used to control these agents and they report the results to the monitors. These monitors then perform high-level correlation among several hosts and thus across the entire network. An extension to the AAFID work uses intelligent agents, and is capable of detecting attacks in a timely manner.

Work reported in (Brian and Dasgupta, 2001) applies mobile agents for network traffic analysis. It describes the mobile agent architecture, which is used in a project called SANTA. Here, the application of agents can be seen at several levels down the hierarchy. Each agent performs individual tasks. The IDS uses on-line learning and subsequent detection of different kinds of attacks. Also, it describes the application of ART-2 neural networks for decision support modules needed to make appropriate decisions. One of the mobile agents collects the data from the network, which is used to analyze the network traffic by SANTA.

This paper describes an autonomous agent system (called CIDS), which uses intelligent decision support modules for robust detection of anomalies and intrusions. The CIDS (Cougaar[1]-based intrusion detection System) provides a hierarchical security agent framework, where a security node consists of four different agents (manager agent, monitor agent, decision agent and action agent). However, the activities of these agents are coordinated through the manager agent during sensing, communicating and generating responses. Each agent performs unique functions in coordination to address various security issues of the monitored environment.

[1] COUGAAR stands for cognitive agent architecture, which is open source software available at www.cougaar.org.

The decision agent consists of multiple intelligent decision support modules (such as a fuzzy inference module, a classifier system and a knowledge base) and a bidding system in order to take a robust decision in case of any abnormalities/intrusions. Since the differences between normal and abnormal activities are not distinct, but rather fuzzy, the Fuzzy Inference module can reduce false alarms in determining intrusive activities. So the purpose of the fuzzy inference module is to use imprecise and heuristic knowledge to determine the appropriate response.

In our current implementation, the action agent reports the state of the monitored environment in IDMEF (Intrusion Detection Message Exchange Format). Accordingly, the action agent generates IDMEF objects that represent the intrusion/anomalous state, diagnosis and recommended actions. The purpose is to send these objects to other system management agents in order to take necessary action, which may include: killing a process, disabling the access of a user who is a potential intruder, alerting the administrator about the intrusion, etc.

Cougaar: a cognitive agent architecture

The Cougaar software was initially developed under DARPA sponsorship for the purpose of Military Logistics and is now available as open source (Cougaar). Cougaar is an excellent software architecture that enables building distributed agent-based applications in a manner that is powerful, expressive, scalable and maintainable. Cougaar is a large-scale workflow engine built on a component-based, distributed agent architecture. The agents can communicate with one another through a built-in asynchronous message passing protocol. Cougaar agents cooperate with one another to solve a particular problem, storing the shared solution in a distributed fashion across the agents. Cougaar agents are composed of related functional modules, which are expected to dynamically and continuously rework the solution as the problem parameters, constraints, or execution environment change.


Agents are the prime components in the Cougaar architecture. An agent consists of two major components: a distributed blackboard (called Plan) and Plugins. Each blackboard contains elements such as tasks, assets and plan elements. Plugins are self-contained software components (compute engines) that can be loaded dynamically into agents. Plugins interact with the agent infrastructure according to a set of rules and guidelines (as binders), and provide unique capabilities and behavior to complete given tasks. Plugins talk to the plan through the blackboard to perform agent operations, and operate by publishing and subscribing objects on the plan. Plugins bring functionality to the agent, while the society of agents (Node) provides structure and order of operations. Agents can also have special Plugins called plan service plugins (PSP). Programmers can develop HTML/standalone JAVA user interfaces that communicate with PSPs. In the latest Cougaar versions, however, the PSPs are replaced with servlets. Also, in the new versions of Cougaar the communication among the agents is encrypted, making it secure.

Cougaar-based security agent infrastructure

The Cougaar framework provides a nice base agent architecture, which we used to develop a distributed security agent system, called CIDS. In CIDS, a security node consists of four different agents (as shown in Fig. 1), Manager Agent, Monitor Agent, Decision Agent and Action Agent, where a number of such nodes form a security community. The advantage of having an individual agent for each functional module is to make future modifications easy. According to software engineering principles, it is advisable to have different functionalities modularized in a way that simplifies development of a large software project.

In each node, the control flow mainly occurs between the Manager and subordinate agents to assign tasks and feed back accomplishments, while the data flow occurs among subordinate agents to transfer data. The control flow and data flow within a node and among various nodes use the same message passing mechanism that is provided by Cougaar. In the Java implementation, a particular class of objects is reserved for control flow and a different class of objects is reserved for the data flow.

Security node society

The communication among communities is accomplished through Manager Agents. The purpose of these connections is to share information among different security nodes in a network (Fig. 2). The communications among various nodes use the same message passing mechanism that is provided by the Cougaar framework.

Figure 1 Security node with four agents. (Diagram not reproduced; labels recovered from it: Manager Agent, Monitor Agent, Decision Agent and Action Agent, each with a Message Receiver/Server; CoordinatorPlugIn, Servlet, DataCollector, AnomalyDetection PlugIn, PSPPlugIn, TakeDecision, ClassifierDecision, FuzzyControllerDecision, DomainKnowledge, BiddingSystem, ActiveMultilevel, Get Info Exe., Action1, Action2 ... Actionn; arrows labelled Control and Information.)

Figure 2 Security agent community with three nodes. (Diagram not reproduced; labels: Node 1, Node 2, Node 3, each with a Manager.)

Fig. 2 shows a symmetric arrangement of multiple security nodes, where one security node (with four agents) may be placed in each host in the subnet. However, the flexible security agent architecture may also allow asymmetric configurations, in particular, putting a Monitor agent in one host and the remaining three agents in different host(s). The purpose may be to reduce the load on the crucial monitored machine and/or to suit the need and preference of the organization.

Sequence of operations

In order to explain the operation of the multi-agent security system, we consider three different scenarios to illustrate the sequence of activation of these four agents under various operating conditions.

Example scenario

1. The user makes a request to start monitoring through the web interface (PSP in the Manager Agent). The Manager Agent receives the user request and sends the command (task) to the Monitor Agent (Fig. 3).

2. The Monitor Agent starts collecting multi-level information from the target system and tries to detect deviations from the normal.

3. If any deviation is detected, information on the deviated parameters is sent to the Decision Agent.

4. The Decision Agent processes the anomalies and uses the fuzzy inference engine to classify different anomalies/attacks through rules (generated previously using the normal profile).

5. The Action Agent receives the messages and creates appropriate IDMEF objects.

Detailed description and implementation

We implemented the proposed security agent community on the Cougaar framework, where each node consists of four agents to accomplish the security mission.

Figure 3 Example scenario: sequence of activation of different agents. (Diagram not reproduced; labels: Manager, Monitor, Decision, Action, TARGET SYSTEM, User Interaction, Start, Anomaly Detected, Diagnosis and Recommendation, IDMEF Objects; steps numbered 1 to 5.)


Manager (or master) agent

This agent coordinates the work of the other security agents. It sends tasks to subordinate agents, and synchronizes the information flow. The Manager Agent also coordinates with other nodes (in the security society). The manager agent is composed of a sender messenger Plugin and a coordinator Plugin to communicate with other manager agents in the community; we also developed an HTML/JAVA user interface that sends and receives information from outside (Fig. 1). The messaging functionality is implemented by the sender messenger Plugin, which sends the commands to the intended Plugin in a specified agent.

This agent is responsible for controlling the other three agents and also for staying in touch with agents in other nodes. The manager in one node may be asked to perform a particular task by a manager in another node. In the current implementation, it can send START/STOP signals to the Monitor Agent, commands to set the buffer size of the components in the different agents, or set the desired action level in the Action Agent. A snapshot of the Manager agent control panel is shown in Fig. 4.

Monitor agent

This agent collects information from the target system at multiple levels: packet level, process level and system level, and determines the correlation among the observed parameters in order to determine intrusive activities (Bass, 1999). For example, at user level it searches for an unusual user behavior pattern; at system level it looks at resource usage such as CPU, memory, I/O use etc.; at process level it checks for invalid or unauthenticated processes and priority violations; at packet level it monitors number, volume, and size of packets along with source and type of connections.

This allows the detection module to characterize the normal behavior, detect anomalies or deviations from the normal profile, and report them.

The Monitor agent is responsible for collecting the data from the system at regular intervals and analyzing them to detect deviations. The data collection is done by running shell scripts and checking various system files. Two Plugins implement the monitor agent functionality: Data Collector and Anomaly Detection. A PSP Monitor and a Messenger Plugin provide communication capabilities with other agents and the user.

Decision agent

This agent is involved in making decisions based on the information received from other agents (specifically, the Monitor Agent). In particular, it determines the type of security violations that may occur based on the underlying security policies and recommends what to do when violations are detected.

Figure 4 Snapshot of Manager agent control panel.


Specifically, there are different decision support modules, which are specialized in dealing with various anomalous situations. To accomplish this task, the agent uses decision modules (implemented by Plugins) such as the Fuzzy Classifier System (FCS) and the Knowledge Base (KB). In order to decide the final response, a bidding system is implemented, where each module generates a bid along with its suggested action; the action with the largest bid is selected. It may be possible to use a weight vector to differentiate the importance and role of each module. Also, the bid value may represent the confidence of the decision in taking a particular response. In all cases, the final decision is passed to the Action/Response agent.

Domain knowledge Plugin

This Plugin provides a knowledge base of known attacks, which are stored as a set of condition-action rules. The rules represent expert and common sense knowledge as well as some system level policies. The Decision Agent receives the state of the system, represented by the parameter values sent by the monitor, whenever a deviation occurs. It also receives control signals from the manager agent.

A classifier system is an adaptive learning system that evolves a set of action selection rules to cope with the environment. The condition-action rules are coded as fixed length strings (classifiers) and are evolved using a genetic search. These classifiers are evolved based on the security policy; this rule set forms a security model with which the current system environment needs to be compared.

Fuzzy inference Plugin

As the differences between normal and abnormal activities are not distinct, but rather fuzzy, this module can reduce false signals in determining intrusive activities. The purpose of this Plugin is to use imprecise and heuristic knowledge to generate the appropriate response. The imprecise knowledge is represented using fuzzy logic; this allows representing vague concepts such as 'small', 'high', etc. A fuzzy knowledge base and a fuzzy inference engine provide the following functionalities of this Plugin.

The Fuzzy Inference Plugin receives the monitored parameters and deviation indicators from the monitor agent. The values for these parameters are normalized between 0.0 and 1.0. The fuzzy knowledge is kept in XML files (such as fuzzy membership functions, fuzzy variables and fuzzy rules). The fuzzy engine loads the fuzzy knowledge before it starts the reasoning process. The fuzzy reasoning applies the fuzzy rules over the monitored values and deviation indicators and produces a diagnosis and recommendation, which are then sent to the action agent.

Figure 5 Display of different views of the fuzzy decision module. This interface has three panels: decision, rule, and data.


Figure 6 Illustration of the effect of attacks on monitored parameters.

The fuzzy inference component uses a set of rules (knowledge base) to identify the kind of anomaly and suggests a possible response. Also, the fuzzy inference module provides a set of tools that makes the knowledge specification process easier: linguistic variable definition with different membership functions, arbitrarily complex conditions for the rules and the possibility of evolving the rules from training data (Fig. 5).

Fuzzy rules:

R1: IF x is HIGH and y is LOW THEN action3
R2: IF x is MEDIUM HIGH and y is MEDIUM THEN action3
R3: IF x is MEDIUM and y is MEDIUM LOW THEN action1

Variable values: x is 0.7 and y is 0.3

Degree of membership:
x in HIGH is 0.2, x in MEDIUM HIGH is 0.7 and x in MEDIUM is 0.3
y in LOW is 0.4, y in MEDIUM LOW is 0.8 and y in MEDIUM is 0.4

Rule truth values: R1 = 0.2, R2 = 0.4 and R3 = 0.3

Chosen Rule: R3

Conclusion: action3
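As an added worked example (not code from the CIDS project), the following Python reproduces the inference above with min for AND, max for OR, 1 - mu for NOT and selection of the rule with the highest truth value, and also evaluates the Table 3 "PRB General" rules against a constructed sample of normalized readings. The trapezoidal membership functions and the AND-before-OR precedence are assumptions; the paper keeps its fuzzy space in XML files that are not reproduced here.

```python
"""Fuzzy rule evaluation of the kind the CIDS Decision Agent's Fuzzy Inference
Plugin performs. Added illustration, not CIDS code; membership functions and
operator precedence are constructed assumptions."""
from typing import Callable, Dict, List, Tuple

Degrees = Dict[str, Dict[str, float]]      # variable -> linguistic term -> degree


def trapezoid(a: float, b: float, c: float, d: float) -> Callable[[float], float]:
    """Trapezoidal membership function over inputs normalized to [0.0, 1.0]."""
    def mu(x: float) -> float:
        if x <= a or x >= d:
            return 0.0
        if b <= x <= c:
            return 1.0
        return (x - a) / (b - a) if x < b else (d - x) / (d - c)
    return mu


# Constructed five-term partition shared by all monitored parameters (assumption;
# the paper's Fig. 5 fuzzy space is not reproduced on the page).
TERMS = {
    "low":         trapezoid(-0.1, 0.0, 0.15, 0.35),
    "medium-low":  trapezoid(0.15, 0.3, 0.35, 0.5),
    "medium":      trapezoid(0.35, 0.45, 0.55, 0.65),
    "medium-high": trapezoid(0.5, 0.65, 0.7, 0.85),
    "high":        trapezoid(0.65, 0.85, 1.0, 1.1),
}


def fuzzify(values: Dict[str, float]) -> Degrees:
    """Degree of membership of each normalized monitored value in each term."""
    return {var: {term: mu(x) for term, mu in TERMS.items()} for var, x in values.items()}


# Rule conditions are nested tuples:
#   ("is", var, term) | ("not", cond) | ("and", c1, c2) | ("or", c1, c2)
def truth(cond: tuple, degrees: Degrees) -> float:
    """Truth value of a condition: AND = min, OR = max, NOT = 1 - mu."""
    op = cond[0]
    if op == "is":
        return degrees[cond[1]][cond[2]]
    if op == "not":
        return 1.0 - truth(cond[1], degrees)
    if op == "and":
        return min(truth(cond[1], degrees), truth(cond[2], degrees))
    if op == "or":
        return max(truth(cond[1], degrees), truth(cond[2], degrees))
    raise ValueError(f"unknown operator {op!r}")


def infer(rules: List[Tuple[str, tuple, str]], degrees: Degrees):
    """Evaluate every rule and fire the one with the highest truth value.
    Returns (truth value per rule, chosen rule name, its action)."""
    truths = {name: round(truth(cond, degrees), 4) for name, cond, _ in rules}
    chosen = max(rules, key=lambda r: truths[r[0]])
    return truths, chosen[0], chosen[2]


# Worked example from the paper: degrees of membership are given directly.
PAPER_DEGREES: Degrees = {
    "x": {"HIGH": 0.2, "MEDIUM HIGH": 0.7, "MEDIUM": 0.3},
    "y": {"LOW": 0.4, "MEDIUM LOW": 0.8, "MEDIUM": 0.4},
}
PAPER_RULES = [
    ("R1", ("and", ("is", "x", "HIGH"), ("is", "y", "LOW")), "action3"),
    ("R2", ("and", ("is", "x", "MEDIUM HIGH"), ("is", "y", "MEDIUM")), "action3"),
    ("R3", ("and", ("is", "x", "MEDIUM"), ("is", "y", "MEDIUM LOW")), "action1"),
]

# Table 3 "PRB General" rules; AND is taken to bind tighter than OR (assumption).
PRB_RULES = [
    ("PRB", ("or", ("and", ("is", "REMOTE_RECIEVED_PACKETS", "high"),
                           ("is", "CPU_USERS", "low")),
                   ("is", "USED_SWAP_RAM", "medium")), "RECORD is PRB"),
    ("notPRB", ("or", ("is", "LOCAL_SENT_BYTES", "low"),
                      ("not", ("is", "REMOTE_RECIEVED_PACKETS", "high"))), "RECORD is not PRB"),
]

# Constructed normalized readings during a port scan: many packets from the remote
# side, few interactive users, little swap use, moderate local bytes sent.
SCAN_SAMPLE = {"REMOTE_RECIEVED_PACKETS": 0.9, "CPU_USERS": 0.1,
               "USED_SWAP_RAM": 0.2, "LOCAL_SENT_BYTES": 0.6}

if __name__ == "__main__":
    print(infer(PAPER_RULES, PAPER_DEGREES))          # ({'R1': 0.2, 'R2': 0.4, 'R3': 0.3}, 'R2', 'action3')
    print(infer(PRB_RULES, fuzzify(SCAN_SAMPLE)))     # ({'PRB': 1.0, 'notPRB': 0.0}, 'PRB', 'RECORD is PRB')
```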

Action/response agent

The Action Agent receives the diagnosis of the anomaly from the Decision Agent. It uses this information to build IDMEF objects that represent the state of the system and the diagnosis of the anomaly, and recommend a possible course of action. These IDMEF objects carry the information that is useful for security administration while taking an appropriate response.

Whenever there is an anomaly in the monitored environment, the Action Agent currently provides status (like CurrentState, Recommended action etc.) to the administrator in the form of an IDMEF object so that necessary action can be taken against the intrusive activities.

The User Interface (HTML/JAVA) in the Action Agent shows the logical representation of the IDMEF objects at a given time. Here is an example of a Heartbeat Object, a specific kind of IDMEF object that reports the current state of the system.
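As an added illustration (not the CIDS implementation), the following Python builds the two IDMEF objects the Action Agent is described as emitting, a Heartbeat carrying CurrentState and an Alert carrying the diagnosis and recommended action, and parses a received message back while rejecting one that lacks a mandatory element. Element and attribute names follow the IDMEF XML data model (RFC 4765); carrying CurrentState in AdditionalData, the analyzer identifiers and the host name are assumptions, and the timestamp is the one used in RFC 4765's own examples.

```python
"""IDMEF Heartbeat and Alert objects as the CIDS Action Agent would emit them.
Added illustration, not CIDS code. Element names per RFC 4765; the use of
AdditionalData for CurrentState and the sample identifiers are assumptions."""
import xml.etree.ElementTree as ET

IDMEF_NS = "urn:iana:xml:ns:idmef"
ET.register_namespace("", IDMEF_NS)           # serialize with a default namespace
NTP_UNIX_OFFSET = 2208988800                  # seconds from 1900-01-01 to 1970-01-01


def tag(name: str) -> str:
    """Clark-notation tag for an IDMEF element."""
    return f"{{{IDMEF_NS}}}{name}"


def ntpstamp(unix_time: float) -> str:
    """CreateTime 'ntpstamp' attribute: 32-bit NTP seconds and 32-bit fraction, hex."""
    secs = (int(unix_time) + NTP_UNIX_OFFSET) & 0xFFFFFFFF
    frac = int((unix_time - int(unix_time)) * 2**32) & 0xFFFFFFFF
    return f"0x{secs:08x}.0x{frac:08x}"


def _header(parent, analyzer_id: str, host: str, unix_time: float, iso_time: str):
    """Analyzer and CreateTime, mandatory in both Alert and Heartbeat."""
    analyzer = ET.SubElement(parent, tag("Analyzer"), analyzerid=analyzer_id,
                             name="CIDS Action Agent")
    node = ET.SubElement(analyzer, tag("Node"), category="dns")
    ET.SubElement(node, tag("name")).text = host
    ET.SubElement(parent, tag("CreateTime"), ntpstamp=ntpstamp(unix_time)).text = iso_time


def _additional(parent, meaning: str, value: str):
    data = ET.SubElement(parent, tag("AdditionalData"), type="string", meaning=meaning)
    ET.SubElement(data, tag("string")).text = value


def heartbeat(msg_id, analyzer_id, host, unix_time, iso_time, current_state, interval_s=10):
    """Heartbeat object: periodic liveness report that also carries CurrentState."""
    msg = ET.Element(tag("IDMEF-Message"), version="1.0")
    hb = ET.SubElement(msg, tag("Heartbeat"), messageid=msg_id)
    _header(hb, analyzer_id, host, unix_time, iso_time)
    ET.SubElement(hb, tag("HeartbeatInterval")).text = str(interval_s)
    _additional(hb, "CurrentState", current_state)
    return msg


def alert(msg_id, analyzer_id, host, unix_time, iso_time, diagnosis, severity,
          impact_type, recommendation):
    """Alert object: the anomaly diagnosis plus the recommended course of action."""
    msg = ET.Element(tag("IDMEF-Message"), version="1.0")
    al = ET.SubElement(msg, tag("Alert"), messageid=msg_id)
    _header(al, analyzer_id, host, unix_time, iso_time)
    ET.SubElement(al, tag("Classification"), text=diagnosis)
    assessment = ET.SubElement(al, tag("Assessment"))
    # Impact severity: info|low|medium|high; type: admin|dos|file|recon|user|other
    ET.SubElement(assessment, tag("Impact"), severity=severity, type=impact_type)
    # Action category: block-installed|notification-sent|taken-offline|other
    ET.SubElement(assessment, tag("Action"), category="notification-sent").text = recommendation
    return msg


def serialize(msg) -> bytes:
    return ET.tostring(msg, encoding="utf-8")


def summarize(xml_bytes: bytes) -> dict:
    """Parse a received message into the fields an operator console would show.
    Raises ValueError when a mandatory element is missing, so a malformed message
    from a peer node is rejected rather than displayed half-filled."""
    root = ET.fromstring(xml_bytes)
    if root.tag != tag("IDMEF-Message") or len(root) != 1:
        raise ValueError("not a single IDMEF-Message")
    body = root[0]
    kind = body.tag.rsplit("}", 1)[1]

    def required(name):
        el = body.find(tag(name))
        if el is None:
            raise ValueError(f"{kind} lacks mandatory element {name}")
        return el

    info = {"kind": kind,
            "analyzerid": required("Analyzer").get("analyzerid"),
            "ntpstamp": required("CreateTime").get("ntpstamp"),
            "additional": {d.get("meaning"): d[0].text
                           for d in body.findall(tag("AdditionalData"))}}
    if kind == "Alert":
        info["diagnosis"] = required("Classification").get("text")
        info["action"] = body.findtext(f"{tag('Assessment')}/{tag('Action')}")
    return info


if __name__ == "__main__":
    # Constructed sample: the PRB diagnosis of Table 3 raised on a hypothetical node1;
    # 2000-03-09T14:07:58Z is the timestamp used in RFC 4765's examples.
    ts, iso = 952610878, "2000-03-09T14:07:58Z"
    print(serialize(heartbeat("cids-hb-1", "cids-node1", "node1.example.org", ts, iso, "Normal")).decode())
    print(serialize(alert("cids-al-1", "cids-node1", "node1.example.org", ts, iso,
                          "RECORD is PRB", "medium", "recon", "Alert the administrator")).decode())
```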

Table 1 Monitored parameters in CIDS

Network level             Process level        System level
LOCAL_SENT_BYTES          PROCESSES            PROCESSES_ZOMBIED
LOCAL_RECEIVED_BYTES      PROCESSES_ROOT       USED_PHYSICAL_RAM
LOCAL_SENT_PACKETS        PROCESSES_USER       USED_SWAP_RAM
LOCAL_RECEIVED_PACKETS    PROCESSES_BLOCKED    LOGINS
REMOTE_SENT_BYTES         PROCESSES_RUNNING    FAILED_LOGINS
REMOTE_RECEIVED_BYTES     PROCESSES_WAITING    REMOTE_LOGINS
REMOTE_SENT_PACKETS                            CPU_USERS
REMOTE_RECIEVED_PACKETS


Figure 7 Statistical values collected by CIDS after 1000 s (100 samples).

Experimentation and evaluation of CIDS

The implementation process started with a very basic structure and progressively became the fully functional system. A number of prototypes were developed with added capabilities. The current version of CIDS (CIDS 1.4) is built on Cougaar 8.8 and is compatible with Java 1.3; it can monitor machines in a LINUX/UNIX environment. In order to test the performance of CIDS 1.4, we conducted a number of experiments with various port scans and simulated attacks.

The CIDS allows the monitoring of parameters at different levels (process, user, network) of target computer networks, as shown in Fig. 6. Table 1 shows the 21 parameters that can be monitored using CIDS.

Testing

Two attacks were performed on the target host, a PRB (probe) attack using the nmap scan tool and a U2R (user-to-remote) attack using a secure shell (ssh) hacking tool. The total number of data samples collected was 1800 (300 for the PRB attack and 400 for the U2R attack). Fig. 7 shows the statistical values of the data collected by CIDS after 1000 s (100 samples).

The training data were preprocessed, i.e., the collected data were normalized, and the fuzzy space shown in Fig. 5 was used for all monitored parameters. Different classes of attack in the data were sorted, and Table 2 shows the binarization ordering applied to the training classes.

Table 2 Binarization class ordering used in the CIDS experimentation

Index   Class
1       PRB
2       U2R
3       Normal

Figure 8 GUI showing the monitored parameters and the graph for test1.

Method: using a simple port scanner written with *nix sockets; at the time of the run the network traffic is 14-19 K. The test scanned the first 6000 ports on the target machine (Fig. 8).

Start = 13:06:52, End = 13:07:35

Found ports 22, 80, 111, 1024, 1115, 1117, 5555, 5556, 5557, 5558, 6000 open

In this case, we noticed that during the scanning the number of received packets spikes and the number of sent packets spikes at the same time. This is a clear indication of a port scan.

The fuzzy rules for the evolutionary algorithm parameters were fixed as shown in Table 3, and the number of samples used per individual was fixed to 100%. This percentage is appropriate because the data set is very small (1800 samples).

The proposed approach evolved the classifier system shown in Table 3 in a sample run. The experimental results reported here correspond to this classifier system.

Table 3 Evolved classifier system in a sample run

Classifier system: PRB General
  IF REMOTE_RECIEVED_PACKETS is high AND CPU_USERS is low OR USED_SWAP_RAM is medium THEN RECORD is PRB
  IF LOCAL_SENT_BYTES is low OR REMOTE_RECIEVED_PACKETS is not high THEN RECORD is not PRB

Classifier system: PRB Checking
  IF PROCESSES_BLOCKED is low OR PROCESSES_WAITING is not high THEN RECORD is PRB
  IF PROCESSES_BLOCKED is high AND DEVIATION is low THEN RECORD is not PRB

Classifier system: U2R General
  IF PROCESSES_RUNNING is medium-low OR PROCESSES_ROOT is medium THEN RECORD is U2R
  IF (PROCESSES_RUNNING is not medium-low OR CPU_USERS is medium) AND PROCESSES_ROOT is not medium THEN RECORD is Normal

Classifier system: U2R Checking
  IF PROCESSES_ROOT is not medium AND PROCESSES_RUNNING is medium-low THEN RECORD is Normal
  IF PROCESSES_ROOT is medium OR REMOTE_RECIEVED_PACKETS is high OR PROCESSES_RUNNING is not medium-low THEN RECORD is Normal


We calculated the effectiveness of the evolved classifier over the training data set as shown in Table 4.

The detection rate is low (compared to the KDD Cup data set) because the training data set was not cleaned, i.e., some samples were labelled in the training data set as attack classes but correspond to normal behavior (when the attack was stopped temporarily to distribute the attack in time) or belong to the fuzzy normal/abnormal region (when the attack is starting or ending). Amazingly, the false alarm rate was zero.

When CIDS was executed with the evolved classifier rules, the results were amazing. Under normal conditions the system did not generate false alarms. Fig. 9 shows the decision module under normal conditions.

When attacks are launched, the decision module raises an alarm. Table 3 shows the rules used to detect PRB and U2R attacks. Clearly, the fuzzy rule corresponds with the behavior shown by the monitored parameters. When the U2R attack was executed, the decision module raised an alarm and showed the rule used to detect the attack. Fig. 9 shows the monitoring and decision modules under a U2R (User-to-Root) attack. Although this attack is hard to detect, since the monitored parameters under this attack behave almost the same as under normal conditions, the classifier system was able to detect it in almost 90% of the cases.

Table 4 Performance of the evolved classifier over the training data set

Detection measure    Performance (%)
Detection rate       83.33
False alarms rate    0.0

Conclusions

In this paper, we described the design and implementation of an agent-based system (called CIDS) for intrusion detection. We reported some experimental results showing that it can detect a wide variety of anomalies and intrusive activities. The important features of the CIDS include the following:

• A four-agent security node infrastructure is implemented on the Cougaar framework with unique functionality for each agent.

• The CIDS is a modular design, which allows easy inclusion of new detection, decision and action Plugins, independently.

• A Swing based GUI provides a user-friendly interface that can run on the same computer or remotely. The monitored parameters, the normalized values and the detected deviations are displayed in textual and graphical forms. It also provides tools to generate the normal profile (of the monitored environment) automatically and to update the knowledge base of the decision module.

Figure 9 CIDS decision module under normal behavior.


• The tool can be used not only as an anomaly/intrusion detection tool, but also as a monitoring tool, since the data gathering and visualization can help to evaluate the behavior of any monitored network.

• Experiments with the current prototype show that it could detect various types of probing and DoS attacks successfully. However, these are only example tests; they are neither exhaustive nor do they demonstrate the capabilities of a full-fledged CIDS.

Acknowledgements

This work was supported by the Defense Advanced Research Projects Agency (no. F30602-00-2-0514). The views and conclusions of this work in no way reflect the opinions or positions of the Defense Advanced Research Projects Agency or the U.S. Government.

References

Allen J, et al. State of the practice of intrusion detection technologies. Technical report (no. CMU/SEI-99-TR-028); January 2000.

Anderson JP. Computer security threat monitoring and surveillance. Technical report. James P Anderson Co., Fort Washington, PA; April 15, 1980.

Asaka M, Taguchi A, Goto S. The implementation of IDA: an intrusion detection agent system. In: Proceedings of the 11th FIRST Conference; June 1999a.

Asaka M, Okazawa S, Taguchi A, Goto S. A method of tracing intruders by use of mobile agents. INET'99; June 1999b.

Axelsson S, Lindqvist U, Gustafson U, Jonsson E. An approach to UNIX security logging. Technical report, IEEE Network; 1996.

Balasubramaniyan J, Fernandez JO, Isacoff D, Spafford E, Zamboni D. An architecture for intrusion detection using autonomous agents, COAST. Technical report 98/5. Purdue University; June 1998.

Barrus J, Rowe NC. A distributed autonomous-agent network-intrusion detection and response system. Proceedings of the command and control research and technology symposium, Monterey, CA; June 1998.

Bass T. Multisensor data fusion for next generation distributed intrusion detection systems. Invited paper, 1999 IRIS national symposium on sensor and data fusion. The Johns Hopkins University Applied Physics Laboratory; 24-27 May 1999.

Bernardes MC, dos Santos Moreira E. Implementation of an intrusion detection system based on mobile agents. In: International symposium on software engineering for parallel and distributed systems; 2000. p. 158-64.

Brian H, Dasgupta D. Mobile security agents for network traffic analysis. In: Proceedings of the second DARPA Information Survivability Conference and Exposition II (DISCEX-II), Anaheim, California; June 13-14, 2001.

Carver CA, Hill JMD, Surdu JR, Pooch UW. A methodology for using intelligent agents to provide automated intrusion response. IEEE Systems, Man, and Cybernetics Information Assurance and Security Workshop, West Point, NY; June 2000.

Chari SN, Cheng P-C. BlueBox: a policy-driven host-based intrusion detection system. ACM Transactions on Information and System Security May 2003;6(2):173-200.

Cougaar: a cognitive agent architecture. Open source software available from the website (www.cougaar.org).

Crosbie M, Spafford E. Defending a computer system using autonomous agents. Proceedings of the 18th national information systems security conference; October 1995.

Dasgupta D. Immunity-based intrusion detection systems: a general framework. Proceedings of the 22nd national information systems security conference (NISSC). <http://issrl.cs.memphis.edu/nissc-99.pdf>; October 18-21, 1999.

Dasgupta D, Gonzalez F. An immunity-based technique to characterize intrusions in computer networks. IEEE Transactions on Evolutionary Computation June 2002;6(3).

Debar H, Dacier M, Wespi A. A revised taxonomy for intrusion detection systems. Technical report, Computer Science/Mathematics; 1999.

Denning DE. An intrusion-detection model. IEEE Transactions on Software Engineering February 1987;SE-13(2):222-32.

Dunlap GT, Dasgupta D. An administrative tool for distributed security task scheduling. Proceedings of the third annual international systems security engineering association conference, Orlando; March 13-15, 2002.

Gomez J, Dasgupta D. Evolving fuzzy classifiers for intrusion detection. In: Proceedings of the third annual information assurance workshop; June 17-19, 2002.

Helmer GG, Wong JSK, Honavar V, Miller L. Intelligent agents for intrusion detection. In: Proceedings of IEEE information technology conference, Syracuse, NY; September 1998. p. 121-4.

Helmer GG, Wong JSK, Honavar V, Miller L. Lightweight agents for intrusion detection. Journal of Systems and Software; November 27, 2002.

Intrusion Detection Message Exchange Format. Extensible Markup Language (XML) Document Type Definition. Intrusion Detection Working Group. IETF Internet Draft 'draft-ietf-idwg-idmef-xml-01.txt'. By David A. Curry (Internet Security Systems, Inc.). 2000-07.

Jansen W, Mell P, Karygiannis T, Marks D. Applying mobile agents to intrusion detection and response. National Institute of Standards and Technology Computer Security Division, NIST Interim Report (IR) 6416; October 1999.

Jansen W, Mell P, Karygiannis T, Marks D. Mobile agents in intrusion detection and response. Proceedings of the 12th annual Canadian information technology security symposium, Ottawa, Canada; June 2000.

Jazayeri M, Lugmayr W. Gypsy: a component-based mobile agent system. In: Eighth euromicro workshop on parallel and distributed processing, Greece; January 2000.

Krügel C, Toth T. Applying mobile agent technology to intrusion detection. Distributed systems group, Technical University Vienna, Argentinierstrasse 8, A-1040 Vienna, Austria; April 30, 2002.

Krügel C, Toth T. Sparta: a security policy reinforcement tool for large networks. Submitted to I-NetSec 01; 2001.

Lane T, Brodley CE. Temporal sequence learning and data reduction for anomaly detection. ACM Transactions on Information and System Security August 1999;2(3).


Lee W, Stolfo SJ. Data mining approaches for intrusion detection. In: Proceedings of the seventh USENIX security symposium. USENIX; 1998.

Lee W, Stolfo S. A framework for constructing features and models for intrusion detection systems. ACM Transactions on Information and System Security November 2000;3(4).

Lee W, Stolfo S, Mok K. Adaptive intrusion detection: a data mining approach. Artificial Intelligence Review December 2000;14(6):533-67. Kluwer Academic Publishers.

Porras PA, Neumann PG. Emerald: event monitoring enabling responses to anomalous live disturbances. In: Proceedings of the twentieth national information systems security conference; October 1997.

Porras P, Schnackenberg D, Staniford-Chen S, Stillman M, Wu F. The common intrusion detection framework architecture (CIDF). Position paper at the Information survivability workshop, Orlando FL; October 1998.

Queiroz JD de, Costa Carmo LFR da, Pirmez L. An autonomous mobile agent system to protect new generation networked applications. In: Second annual workshop on recent advances in intrusion detection, Rio de Janeiro, Brazil; September 1999.

Roesch M. Snort: lightweight intrusion detection for networks. Proceedings of LISA '99: 13th systems administration conference, Seattle, Washington, USA; November 7-12, 1999.

Warrender C, Forrest S, Pearlmutter B. Detecting intrusions using system calls: alternative data models. In: Proceedings of the IEEE symposium on security and privacy; May 1999.

Dr. Dipankar Dasgupta is a Professor of Computer Science at the University of Memphis. His research interests are broadly in the area of scientific computing, tracking real-world problems through interdisciplinary cooperation. His areas of speciality involve building robust cyber defense systems by applying intelligent agents, genetic algorithms, neural networks, fuzzy logic and immune system techniques in the area of computer security. He has published more than 100 papers in book chapters, journals, and international conferences. He edited two books: one on Genetic Algorithms and the other entitled "Artificial Immune Systems and Their Applications", published by Springer-Verlag, 1999. Dr. Dasgupta is a senior member of IEEE and ACM and regularly serves as panelist, keynote speaker and program committee member (5-6 per year) in many international conferences.

F. Gonzalez, K. Yallapu, J. Gomez and R. Yarramsettii are graduate students who worked on the CIDS project.