An Agent Based Intrusion Detection System with Internal Security

Intrusion Detection Systems (IDS) are software or hardware products that automate the analysis process of traffic on a network or a host. and they are a complementary security tool in computer networks; it can be deployed at different points depending on the application, host or network segment to be monitored. Accordingly to its location, the IDS must be parameterized in a different way, for example, an IDS located in a Demilitarized Zone (DMZ) must be more flexible than an IDS located inside the internal network to reduce false alarms or to avoid system overload, allowing intrusions without generating an alarm. Likewise the IDS can receive different kinds of attacks if it is located in a DMZ or in the intranet zone. Due to the increasing rate of attacks, Intrusion Detection Systems has become a complementary and mandatory security tool to any organization, and in addition it is useful to perform forensic analysis procedures in order to complement the IDS use. An IDS performs passive monitoring and captures information to be analyzed subsequently, it can launch an alarm to a server or send an email warning about possible intrusions but it cannot modify its environment, otherwise it is named Intrusion Prevention System (IPS). An IPS responds in real time if an intrusion is detected, the IPS takes an action modifying its environment; it could modify the firewall by closing a suspicious connection, or reconfigure the router, etc. In the last two decades many research studies about technologies, architectures, methodologies and technologies have been proposed in order to increase the IDS effectiveness. One of them is the agent technology. Agents offer many advantages to IDS like scalability, independence, solution to complex tasks, reduction of network traffic, etc. For these reasons, agents are appropriate but they have inherent security drawbacks and they must be tackled. There are four risk scenarios: agent against agent, agent against platform, others against agent and platform against agent. The most difficult problem to face is the last one because the platform can be accessed by the agent code and it could eventually modify it. The internal security of a system is treated in few research works and it is a critical situation because it is a barrier for attackers, and one of their first challenges is to cheat or attack defence systems. In previous studies (Páez et al., 2005), many IDS architectures based on agents were analyzed, and it was possible to conclude that it was necessary to propose techniques to protect internally an agent based IDS, by securing its different entities. The new IDS’s