An Ontology-supported Outbound Intrusion Detection System

Outbound intrusion detection is a systems vigilance approach that aims at limiting the effects of a security threat by collectively scrutinizing outgoing traffic and local system activity. This paper summarizes the design and implementation of FROID, an outbound intrusion detection prototype built with agent technology that exploits the semantic power of ontologies in order to enable collaboration mechanisms among agent colonies responsible for the generation and identification of attack program signatures. The system supports cascade monitoring and a peerto-peer multiagent organization. Entities and interactions are captured by means of an attacker-centric ontology, which provides agents with a common interpretation of the environment. The ontology also stores the representation of process and network traffic signatures built using entropy analysis information. Signatures are matched through a data structure based on the internals of the Snort network intrusion detection tool. The prototype employs FIPA-compatible agent technology as well as data representation model built with the OWL ontology definition semantic-Web language. We show the benefits of using an ontological model to support intrusion detection and explore the possibilities of a selfish, collaborative approach to computer monitoring.