A large scale distributed intrusion detection framework based on attack strategy analysis

Citation
My. Huang et al., A large scale distributed intrusion detection framework based on attack strategy analysis, COMPUT NET, 31(23-24), 1999, pp. 2465-2475
Citations number
14
Subject Categories
Information Technology & Communication Systems
Journal title
COMPUTER NETWORKS-THE INTERNATIONAL JOURNAL OF COMPUTER AND TELECOMMUNICATIONS NETWORKING
ISSN journal
13891286
Volume
31
Issue
23-24
Year of publication
1999
Pages
2465 - 2475
Database
ISI
SICI code
1389-1286(199912)31:23-24<2465:ALSDID>2.0.ZU;2-F
Abstract
This paper describes a large-scale distributed intrusion detection (ID) architecture based on intrusion detection system (IDS) agents and collaborative attack strategy analysis. This architecture couples distributed IDS agents performing local event analysis with cooperative global ID. Other agent-based approaches have highlighted several advantages over monolithic architectures. This approach specifically focuses on cooperative IDS agents working together by analyzing the intruder's attack strategy and separating local event processing from global analysis. We believe that focusing on the intruder's intent (attack strategy) provides a theme that will help distributed IDS to work together. Furthermore, strategy analysis creates an opportunity for IDS agents to pro-actively look ahead for data most pertinent to current case development. This look-ahead adaptive auditing behavior focuses limited system resources on collecting and auditing those events which are most likely to reveal intrusions. (C) 1999 Elsevier Science B.V. All rights reserved.