An Ontology-based Multiagent Architecture for Outbound Intrusion Detection

Even when the benefits of using knowledge representation and management techniques have been already acknowledged by the intrusion detection community, little has been done to enable security technologies with them. We present an ontology-based multiagent architecture that implements Outbound Intrusion Detection, an intrusion detection approach concerned not with protecting local hosts from being compromised, but with guaranteeing that they are not used to compromise others. The specific aim is to identify automated attack tools which constitute not only a growing threat but also a rich and unexplored security information source. An underlying attacker-centric ontology supports the architecture at the signature generation, signature matching, and agent-communication levels. Agents are organized into teams that execute on trusted sub-environments called agent cells which are in turn organized in a non-hierarchical structure. Cells perform two independent misuse detection strategies whose output is further correlated to provide a third, more accurate security diagnosis. This architecture contemplates antivirus-like signature and ontology deployment over the Internet.