• DocumentCode
    2178380
  • Title

    A Hybrid Approach to Intrusion Detection and Prevention for Business Intelligence Applications

  • Author

    Yee, Chan Gaik ; Rao, G. S V Radha Krishna

  • Author_Institution
    Fac. of Inf. Technol., Multimedia Univ.
  • fYear
    2006
  • fDate
    Oct. 18 2006-Sept. 20 2006
  • Firstpage
    847
  • Lastpage
    850
  • Abstract
    In this paper, an application-based intrusion detection and prevention (ID/IP) system coupled with data mining and mobile agent technologies is introduced. Under this approach, the ID/IP system consists of a core engine with a data sensor, detector, configuration device, and alert and response device as its main components. The data sensors posting as designated agents are to gather information from their respective sources in real time. The information gathered by each agent is fed into the detector, where correlation methods and data mining techniques are employed to analyze and identify any intrusive activity or event. Since information is gathered from various sources by the respective agents, different types of profiles representing normal behavior, such as network traffic, users, systems, applications, transactions, alarms and alerts, can be built, and deviations from these profiles are considered to be intrusion. A rating model is then used to evaluate the intrusive activities. When an intrusion or attack is detected by the detector and evaluated to have a rating below the threshold value, the configuration device changes the status of the ID/IP system to alert mode and signals the alert and response device to take the necessary actions. Subsequently, mobile response agents are used to carry out response mechanisms at the target and the source
  • Keywords
    competitive intelligence; data mining; mobile agents; security of data; alert device; application-based intrusion detection; business intelligence applications; configuration device; correlation methods; data mining; data sensor; mobile agent technologies; prevention system; response device; Correlation; Data mining; Detectors; Engines; Event detection; Information analysis; Intelligent sensors; Intrusion detection; Mobile agents; Sensor systems;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Communications and Information Technologies, 2006. ISCIT '06. International Symposium on
  • Conference_Location
    Bangkok
  • Print_ISBN
    0-7803-9741-X
  • Electronic_ISBN
    0-7803-9741-X
  • Type

    conf

  • DOI
    10.1109/ISCIT.2006.339856
  • Filename
    4141335