Intelligent architecture based on MAS and CBR for intrusion detection

The agents used in the intrusion detection architectures have multiple characteristics namely delegation, cooperation and communication. However, an important property of agents: learning is not used. The concept of learning in existing IDSs used in general to learn the normal behavior of the system to secure. For this, normal profiles are built in a dedicated training phase, these profiles are then compared with the current activity. Thus, the IDS does not have the ability to detect new attacks. We propose in this paper, a new architecture based intrusion MAS adding a learning feature abnormal behaviors that correspond to new attack patterns detection. Thanks to this feature to update the knowledge base of attacks take place when a new plan of attack is discovered. To learn a new attack, the architecture must detect at first and then update the basic attack patterns. For the detection step, the detection approach adopted is based on the technique of Case-Based Reasoning (CBR). Thus, the proposed architecture is based on a hierarchical and distributed strategy where features are structured and separated into layers.