COAST Autonomous Agents for Intrusion Detection Project

The Autonomous Agents for Intrusion Detection Group is composed of a number of students and faculty within the CERIAS at Purdue University who are interested in studying novel distributed methods of Intrusion Detection.

Purpose of the Group

We address the problem of intrusion detection from a different angle: instead of a monolithic Intrusion Detection System (IDS) design, we propose a distributed architecture that utilizes small independent entities, known as Agents, to detect anomalous or malicious behavior. We think our design has advantages over other architectures in terms of scalability, efficiency, fault-tolerance, and configurability.

Our purpose is to study the approach mentioned above by building systems that use it and measuring their performance and detection capabilities. By doing this, we expect to be able to discover the capabilities and limitations of the agent-based approach when applied to real systems.

Current status

The first complete specification of the AAFID architecture has been finished and proposed in a paper. On the implementation front, the second release of the system implemented using the AAFID architecture, called AAFID2, has been released to the public.

The AAFID2 prototype

The second release of the AAFID2 prototype has been released to the public! (Sep 7, 1999)

The latest implementation of a system that adheres to the AAFID architecture is called AAFID2. It is the second implementation of such a system, and the first one to be made available, both to the sponsors of the project and to the public.

AAFID2 is implemented completely in Perl5, which makes it easy to install and run it, and to port it to different systems. It has only been tested on Unix machines, but we are in the process of porting it to Windows NT as well.

The purpose of AAFID2 is to make it easy to experiment with the AAFID architecture. To that end, it has been made extremely flexible and configurable. It was developed using the object-oriented programming features of Perl5, which makes code reuse easy. The base infrastructure of AAFID2 includes most of the essential facilities for developing new entities, be them monitors, transceivers, agents or filters. AAFID2 also includes a code generation tool for developing new agents.

More information can be found in the announcement.

Documentation and publications

The following papers constitute the documentation of the project:

An Architecture for Intrusion Detection using Autonomous Agents: Jai Balasubramaniyan, Jose Omar Garcia-Fernandez, E. H. Spafford, and Diego Zamboni, Department of Computer Sciences, Purdue University; Coast TR 98-05; 1998.
This paper documents the AAFID architecture, describes some of the experiences with the prototypes that have been developed, and some thoughts for future development.
A framework and prototype for a distributed Intrusion Detection System: Diego Zamboni and E. H. Spafford. Department of Computer Sciences, Purdue University; Coast TR 98-06; 1998.
This paper documents the implementation of AAFID2, including design and implementation decisions, and some preliminary performance measurements. Note: This paper is not yet available.
AAFID2 Users Guide: Diego Zamboni and E. H. Spafford. Department of Computer Sciences; 1998.
This is the users guide for the AAFID2 prototype. It includes how to use the programs included in the prototype, as well as how to develop new agents for use with the system. Note: The latest version of this document is available with the distribution of the AAFID2 prototype.

Near-term goals

Currently, our main objective is to get user feedback from people who use the AAFID2 prototype and use it to correct any problems or make improvements to the prototype. We are also in the process of developing as many new agents as possible, both to provide a good base functionality with the prototype distribution and to test the agent-development facilities included with AAFID2.

Related information

For more information about the origins of the AAFID project, about intrusion detection and agents, we suggest the following links:

Defending a system using autonomous agents. Mark Crosbie and Eugene Spafford
Network Intrusion Detection. B Mukherjee, L Todd Heberline, Karl Levitt
Classification and Detection of Computer Intrusions. Sandeep Kumar
COAST Intrusion Detection Pages
COAST Intrusion Detection Bibliography
Intrusion Detection Mailing List Archive

Members of the Group

The Autonomous Agents for Intrusion Detection Group is composed of the following COAST students and faculty:

Gene Spafford, Director
Mikhail Atallah, Faculty
Tom Daniels, Graduate student
Joshua Gray, Undergraduate student
Benjamin Kuperman, Graduate student
Mahesh Tripunitara, Graduate student
Diego Zamboni, Graduate student

CERIAS Autonomous Agents for Intrusion Detection Group

Last modified: Tue Sep 7 01:01:48 EST 1999

Return to COAST homepage