
Vol 5. No. 2, March, 2012 ISSN 2006-1781
African Journal of Computing & ICT
© 2012 Afr J Comp & ICT – All Rights Reserved
www.ajocict.net

Distributed Intrusion Detection System Using P2P Agent Mining Scheme

O. Oriola
Department of Computer Science
Adekunle Ajasin University
Akungba Akoko, Nigeria
oluwafemioriola@yahoo.com
+2348136902165

A.B. Adeyemo & A.B.C. Robert
Department of Computer Science
University of Ibadan
Ibadan, Nigeria

ABSTRACT

With the continuous increase in the number of network attacks, the distribution and variation of attack sources and their complexity, large and information-critical organizations are the most affected. There is therefore no doubt about the need to develop a system that will detect and combat such attacks. That system is called a Distributed Intrusion Detection System. The present Distributed Intrusion Detection Systems are often faced with challenges such as insider threat detection, the problem of fault tolerance, peer-to-peer threat detection and vulnerability, poor intelligence and lack of in-depth evidence. Therefore, in this work, we study intrusion detection in distributed networks. We consider agents and data mining independently and their mutual benefits. Finally, we present a theoretical concept and framework based on peer-to-peer computing for integrating a multi-agent system and distributed data mining in a symbiont manner for the purpose of distributed intrusion detection.

Keywords: Intrusion Detection, Peer-to-Peer Architecture, Distributed Data Mining, Multi-Agent Systems

African Journal of Computing & ICT Reference Format: O. Oriola, A.B. Adeyemo & A.B.C. Robert (2012). Distributed Intrusion Detection System Using P2P Agent Mining Scheme. Afr J. of Comp & ICTs. Vol 5, No. 2. pp 3-12. © African Journal of Computing & ICT March, 2012 - ISSN 2006-1781

1. INTRODUCTION

Network-based computer systems play increasingly vital roles in modern society, and they have become the targets of criminals who are called hackers or intruders. According to a recent survey by CERT, the rate of cyber attacks has more than doubled every year in recent times, while the Zone-H report by [2] put global website defacements at about one million and five hundred in 2010.

This speed of attack spread, as well as the complexity, affirms the need for complex and up-to-date security response mechanisms. In a distributed environment, the challenge of security is much greater [17] [26]. This is largely due to the heterogeneous nature of network data that is spread across the various subsystems that make up the entire network.

So, researchers and information technology security professionals devised specialized and more appropriate techniques for the domain. In the field of data mining, distributed data mining is theorized and applied, while in that of agent technology the focus is on multi-agent systems.

The security of a computer system is compromised when an intrusion takes place. This negatively affects the integrity, confidentiality or availability of system and network resources [15].
According to [10], a Distributed Intrusion Detection System (DIDS) is defined as multiple Intrusion Detection Systems (IDSs) spread over a large network, all of which communicate with each other, or with a central server that facilitates advanced network monitoring, incident analysis and instant response to attacks. These IDSs are either misuse-based, anomaly-based or hybrid-based, the last combining misuse and anomaly features.

2. CHALLENGES OF DISTRIBUTED INTRUSION DETECTION

Intrusion detection is faced with numerous challenges, some of which have been solved in single IDSs, but for DIDS a lot of improvements are needed.


These problems are highlighted below after a taxonomic review of existing works based on data sharing, the nature of the data analysis, and security and trust features.

2.1 Data Sharing

In a distributed IDS, each agent shares its data with other agents in the system. However, a wide variety of sharing schemes have been developed, ranging from centralized data reporting on one side to completely decentralized sharing on the other. The most extreme centralization is represented by systems in which a commercial vendor collects security information from a wide variety of customers, each running the vendor's agent software [33] [34].

The vendor typically has multiple machines handling the data collection and analysis load that this widespread deployment incurs. When the vendor detects a possible Internet attack, customers receive alerts and advice from the professional security experts who manage the system. This approach has two primary shortcomings. First, the central management and processing of data represents a single point of failure or vulnerability. Second, it results in a scalability bottleneck, and due to the volume of incoming data, these systems often have slow response times to new threats. The most common distributed IDS approach is one in which all agents report data to a central server controlled at a domain or enterprise level [7] [12].

This is fundamentally the same as the previous centralization approach, but on a different scale, and it possesses most of the advantages and disadvantages of those larger-scale systems. These systems are usually oriented towards enterprise security, and are generally unsuitable for use among independent peers on the Internet due to the central control. To address the scalability problem of a centralized system, many techniques use a hierarchical structure as in [24].
Data is passed up a hierarchy tree and is processed at each level to search for intrusions and to reduce the amount of information that must be passed to the higher level. This helps address scalability and allows a system to be deployed across large enterprise-scale networks, but it limits the kinds of intrusions that can be detected at the highest levels. It also helps address the single point of failure problem, since the lower tiers can typically continue to function with reduced detection capabilities if a higher node in the hierarchy fails. Between the hierarchical approach and the fully distributed approach lie projects such as [14], which uses a hybrid hierarchically-distributed approach. Each agent publishes "interests" to the network, which are distributed through a hierarchical structure. Agents share data with other nodes that are interested, and all analysis occurs locally at the agent level. Instances of completely distributed solutions are rarer and not well developed. Gossiping, multicast, or subscription-based data sharing techniques have been proposed [17], but none of these has yet been implemented in a distributed IDS.

2.2 Nature of Data Analysis

Although distributed IDSs are usually independent of the techniques used to detect individual security events, the ways in which these security events are used can vary greatly. Since most systems work in heterogeneous environments, and since the security relationship between, for instance, a port scan and a buffer overflow attack may not be obvious, how does a system turn event detection into a response? An expert system is a common approach [18], relying on rule sets to process and respond to events. These rules can attempt to define security policies, normal behaviour, and/or anomalous behaviour, and alerts or actions are generated based on how events match against the rules; new attacks, however, are poorly detected. Many systems [4] [28] use a threshold scheme. Each security event increases the global alert level.
The amount of the increase can be based on any number of factors, such as the particular event that was observed and its relation to other events in time or space. When the alert level exceeds a certain threshold, generic increased security measures are deployed, or an administrator is alerted. Conversely, long periods of time without security events cause the alert level to decrease.

Also, [1] proposed a hybrid architecture involving ensemble and base classifiers for intrusion detection. They evaluated three fuzzy rule-based classifiers to detect intrusions in a network. Results were then compared with other machine learning techniques like decision trees, support vector machines and linear genetic programming. Further, they modelled a Distributed Soft Computing-based IDS (D-SCIDS) as a combination of different classifiers to model lightweight and more accurate heavyweight systems. They demonstrated the importance of feature reduction to model lightweight intrusion detection systems.

Agents and data mining were combined in works which include:
• JAM [29]: intelligent static agents; association rules and a meta-learning classifier
• The approach of [16]: mobile and static agents; classification algorithms and genetic algorithms
• MSAIDS [27]: mobile agents; modified Apriori algorithm
• DMAS-IDS [25]: intelligent distributed agents; multi-class supervised classification algorithm

In [5], a novel distributed multi-agent IDS architecture called MAD-IDS was presented. MAD-IDS integrated the mobile agent methodology and data mining techniques to accommodate the special requirements of distributed IDS. Although they demonstrated that data mining techniques, in particular the unsupervised clustering algorithm and generic association rule mining, are capable of discovering anomalous connections as well as generating an informative summary, their system was not generic, as it was meant to defend against probes.
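The threshold scheme described above (a global alert level that each event raises by an event-dependent amount, that fires once a threshold is exceeded, and that decays during quiet periods) as a small working model. This is an added example, not code from the paper or from the systems it cites [4] [28]; the event weights, the time-correlation bonus, the half-life and the sample event stream are all constructed for the demonstration.

```python
"""Decaying global alert level with a trigger threshold (Section 2.2 scheme).

Added example, not the paper's code. EVENT_WEIGHTS, CORRELATION_WINDOW,
CORRELATION_FACTOR, HALF_LIFE and SAMPLE_EVENTS are constructed assumptions.
"""
from dataclasses import dataclass, field

# Assumed per-event increments: the increase depends on the particular event.
EVENT_WEIGHTS = {
    "port_scan": 1.0,
    "failed_login": 0.5,
    "buffer_overflow_attempt": 4.0,
}
# Relation in time/space: an event from a source already seen within this many
# seconds is weighted more heavily than an isolated one.
CORRELATION_WINDOW = 60.0
CORRELATION_FACTOR = 2.0
# Quiet periods lower the level: it halves every HALF_LIFE seconds.
HALF_LIFE = 300.0


@dataclass
class AlertLevel:
    threshold: float
    level: float = 0.0
    last_ts: float = 0.0
    above: bool = False                              # currently at/over threshold?
    last_seen: dict = field(default_factory=dict)    # source -> timestamp of last event
    triggered_at: list = field(default_factory=list)

    def decay(self, now):
        """Exponential decay of the level for the time elapsed since the last event."""
        elapsed = now - self.last_ts
        if elapsed > 0:
            self.level *= 0.5 ** (elapsed / HALF_LIFE)
        self.last_ts = now

    def observe(self, ts, source, kind):
        """Account for one event; return True only when the threshold is newly crossed."""
        self.decay(ts)
        weight = EVENT_WEIGHTS.get(kind, 1.0)
        prev = self.last_seen.get(source)
        if prev is not None and ts - prev <= CORRELATION_WINDOW:
            weight *= CORRELATION_FACTOR
        self.last_seen[source] = ts
        self.level += weight
        crossed = self.level >= self.threshold and not self.above
        self.above = self.level >= self.threshold
        if crossed:
            self.triggered_at.append(ts)
        return crossed


# Constructed event stream: (timestamp in seconds, source address, event kind).
SAMPLE_EVENTS = [
    (0.0, "192.0.2.10", "port_scan"),
    (30.0, "192.0.2.10", "failed_login"),
    (45.0, "192.0.2.10", "buffer_overflow_attempt"),
    (2000.0, "192.0.2.77", "port_scan"),   # arrives after a long quiet period
]


def run(events, threshold):
    """Replay events in time order; report when the alert fired and the final level."""
    state = AlertLevel(threshold=threshold)
    for ts, source, kind in sorted(events):
        state.observe(ts, source, kind)
    return {"triggered_at": state.triggered_at, "final_level": state.level}


if __name__ == "__main__":
    print(run(SAMPLE_EVENTS, threshold=8.0))
```

With a threshold of 8.0 the three correlated events from the same source push the level to about 9.9 at t=45 s, which is where the single alert fires; by t=2000 s the level has decayed to roughly 0.1 before the unrelated scan adds 1.0, so no second alert is raised. Firing only on the crossing edge (rather than on every event while the level is high) keeps a sustained burst from re-alerting the administrator on each event.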


An alternative graph-based approach, in which connections between machines are logged and constructed into a graph of network activity, has also been studied [28]. These graphs were analyzed by an expert system to detect possible intrusions. According to [6] [21], no single technique can detect all types of malicious activity: each detects some kinds of attacks and leaves the rest.

2.3 Security and Trust

Security and trust are crucial aspects of any distributed system. However, in most proposed distributed IDSs, these issues are given a much lower priority than other design considerations. In all cases, a complete solution for trust and security is not provided, but sometimes a concrete solution to a limited aspect of the problem is presented. One issue is that of message authentication, allowing agents to ensure that messages come from whom they claim to come from. Smaller-scale, centrally controlled systems such as [12] can rely upon a login mechanism, such as Kerberos. Their agents only acknowledge logged-in systems, providing a measure of trust to the validated agents. However, this solution is only appropriate for systems with a central login authority.

This solution, like the signed message approach, is unable to protect against a legitimate agent sending malicious data. The issue of trust can be left to individual agents in the system [12] [24]. Each agent decides whether or not to trust higher-level agents in the system hierarchy. The agent then subscribes to exchange information with those monitors it chooses to trust. Several projects [19], [31] suggest the possibility of using a "web of trust" among peers, but this approach has not yet been explored.

3. STATE OF THE ART

3.1 Multi-Agent System

A multi-agent system (MAS) is a system that is composed of multiple interacting and intelligent agents.
Multi-agent systems can be used to solve problems that are difficult or impossible for a single agent to solve. Intelligence may include some methodic, functional, procedural or algorithmic search, find and processing approaches.

The agents in a multi-agent system have several important characteristics [32], such as:
• Autonomy: the agents are at least partially autonomous
• Local views: no agent has a full global view of the system, or the system is too complex for an agent to make practical use of such knowledge
• Decentralization: there is no designated controlling agent (or the system is effectively reduced to a monolithic system) [22]

The main feature which is achieved when developing multi-agent systems, if they work, is flexibility, since a multi-agent system can be added to, modified and reconstructed without the need for detailed rewriting of the application. These systems also tend to be rapidly self-recovering and failure-proof, usually due to the heavy redundancy of components and the self-managed features. Despite these merits, MAS is limited in terms of knowledge representation and discovery, in-depth data analysis and machine learning.

3.2 Distributed Data Mining

In a typical distributed environment, analyzing distributed data is a non-trivial problem because of many constraints such as limited bandwidth (e.g. wireless networks), privacy-sensitive data and distributed compute nodes, to mention only a few. The field of Distributed Data Mining (DDM) deals with these challenges in analyzing distributed data and offers many algorithmic solutions to perform different data analysis and mining operations in a fundamentally distributed manner that pays careful attention to the resource constraints [8]. It offers advantages like machine learning, in-depth data analysis and knowledge discovery ability.
However, it lacks the intelligence, social ability (communication, cooperation, adaptation, etc.) and mobility required in complex scenarios like distributed intrusion detection.

3.3 Agent Mining Interaction and Its Benefits

The emergence of agent-mining interaction is driven by mutual needs from agents and data mining [35]. Agent-mining interaction has the potential to let the two complement each other and create super-intelligent systems that cannot be reached by their respective efforts alone. This fosters the birth of agent-mining symbiosis and agent-mining systems.

In the interaction and integration of agents and data mining, the following mutual benefits are enjoyed: autonomy of data sources, interactive distributed data mining, dynamic selection of sources and data gathering, high scalability to massive distributed data, multi-strategy distributed data mining systems, collaborative data mining, and the ability to add new data mining techniques to the system and delete out-of-date techniques dynamically. Also, data-mining-related agents and other agents can interact at run time with ease, unlike in non-agent data mining, where interaction must be decided at design time; this favours data-mining-driven agent rules, algorithms and optimizers, and parameter tuning of algorithm agents through data mining.

The interaction and integration (symbiosis) between agents and data mining are comprehensive, multi-dimensional, and inter-disciplinary. To affirm agent mining as a better approach for system enhancement, studies are carried out on the methodologies, principles, techniques and applications of the integration and interaction between agents and data mining in [36].


3.4 Peer-to-Peer Computing

Peer-to-Peer (P2P) computing, a recently developed network architecture for distributed systems, is currently receiving ever-increasing attention from both academia and industry. It was originally proposed "for the sharing of computer resources (content, storage, processor cycles) by direct exchange, rather than requiring the intermediation or support of a centralized server or authority" [3], while providing the network nodes with identical roles, where any node may act both as client and server. P2P computing has become a driving force for many new ideas and opportunities in the design and implementation of modern large-scale applications composed of highly autonomous entities.

The biggest asset of peer-to-peer systems is not the ability to put everything everywhere but the ability to put anything anywhere. Its advantages include: no central coordination, equal privilege of each node, robustness, resource sharing, scalability, and fault tolerance, meaning there is no single point of failure.

4. DISTRIBUTED INTRUSION DETECTION SYSTEM

4.1 Preliminary Works

The proposed DIDS emanated from the works on agent-based DIDS in [9] [13] [19] [20] and from the results of our preliminary analysis [21] on the KDD Cup 99 dataset using the K-Means and Expectation Maximization (EM) clustering algorithms, Multilayer Perceptron neural networks (MLP) and Radial Basis Function neural networks (RBF), the C4.5 decision tree algorithm, the Naive Bayes Tree (NBTree) algorithm and the Classification and Regression Tree (CART) algorithm, presented in figure 1, figure 2, table 1, table 2 and table 3 respectively.

The following hypotheses are drawn:

A. From the results in table 1, figure 1 and figure 2: the clustering algorithms K-Means and Expectation Maximization were used to cluster the dataset into five clusters. K-Means performed poorly, considering a percentage detection or accuracy of less than 60% and the amount of data that was correctly classified. However, there was overlap among the clusters, showing that the network attacks have similar features. The highest percentage accuracy recorded was 63.26%. This further supports [11] in that data mining algorithms are not intelligent enough to distinguish complex patterns.

B. Results in table 2 and table 3 show that the classifiers have varying predictive accuracy for the different attack models with multilayer perceptron neural networks, radial basis function neural networks, naive Bayes tree, CART and C4.5. The least percentage accuracy recorded is about 80%. The decision trees also generated some rules which can be simplified with association and meta rule mining to serve as criteria for intrusion detection and response.

C. This suggests the need for a specialized distributed data mining system supported by an intelligent multi-agent system for effective intrusion detection, most especially distributed intrusion detection.

D. This, however, is possible with the integration of an enhanced distributed data mining system and a multi-agent system.

Table 1: Clustering Analysis

| Metrics | K-Means | EM |
|---|---|---|
| Percentage Accuracy | 47.4169 | 63.2616 |
| Correctly Classified Exemplars | 8,903 | 11,878 |
| Incorrectly Classified Exemplars | 9,873 | 6,898 |

[Fig 1. KMeans Cluster of KDD Cup data (figure not reproduced)]

4.2 Concept and Framework

The main goal to be achieved with this work is to develop a new concept and framework for a distributed intrusion detection system that will rely on a multi-agent system and distributed data mining symbiont.
This concept for interaction will be based on a peer-to-peer architecture to address the issues of data sharing, data analysis, security and trust in the DIDS.

In the framework of the proposed DIDS, the system has three levels of composition. The first level, which is the lowest, represents the core of the system. It is at this level that the interaction and integration of the multi-agent system and distributed data mining is established.


This establishment is described by the unified modelling language diagram in figure 3, which presents the activities of agents and data mining. The analogy shows the cooperative and symbiotic characteristics that exist between agents and data mining with the target of achieving a common purpose. This process is an iterative one involving a search procedure.

[Figure 2. EM Cluster of KDD Cup data (figure not reproduced)]

The second level, which precedes the topmost level of system composition, is made up of dedicated and specialized agents that cooperate and communicate in continuous fashion to generate host-based and network-based intrusion detection systems. They lack the mobility feature. The organization of these agents is perfectly decentralized, with no dedicated central server. All of them are important in their own right. This ability is enshrined in the peer-to-peer scheme.

At the highest level of composition, different intrusion detection systems are involved. They cooperate, communicate and move about to detect and report threats. The P2P organization of the intrusion detection systems offers a scalability advantage. The system as a whole enables peer-to-peer threat and vulnerability detection, insider threat detection, fault tolerance and recovery, and intrusion prevention.

Table 2: Artificial Neural Networks Analysis

| Data Type | Metrics | MLP, Hidden Layer = 1 | MLP, Hidden Layer = 2 | RBF, Iteration = 1 | RBF, Iteration = 2 |
|---|---|---|---|---|---|
| DoS | Time (s) | 237.81 | 357.84 | 12.39 | 12.88 |
| DoS | Accuracy (%) | 97.7135 | 98.9862 | 86.4754 | 90.0129 |
| DoS | TP Rate | 0.977 | 0.99 | 0.865 | 0.9 |
| DoS | FP Rate | 0.036 | 0.006 | 0.105 | 0.085 |
| Probe | Time (s) | 137.91 | 212.6 | 11.01 | 10.58 |
| Probe | Accuracy (%) | 98.8906 | 99.168 | 94.792 | 94.7304 |
| Probe | TP Rate | 0.989 | 0.992 | 0.948 | 0.947 |
| Probe | FP Rate | 0.015 | 0.028 | 0.009 | 0.419 |
| R2L | Time (s) | 116.97 | 176.59 | 10.82 | 10.63 |
| R2L | Accuracy (%) | 98.3184 | 98.5706 | 87.2478 | 90.639 |
| R2L | TP Rate | 0.983 | 0.986 | 0.872 | 0.906 |
| R2L | FP Rate | 0.033 | 0.033 | 0.043 | 0.039 |
| U2R | Time (s) | 98.61 | 154.76 | 10.22 | 10.17 |
| U2R | Accuracy (%) | 99.6934 | 99.7274 | 99.3186 | 99.3186 |
| U2R | TP Rate | 0.997 | 0.997 | 0.993 | 0.993 |
| U2R | FP Rate | 0.397 | 0.397 | 0.993 | 0.993 |
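The peer-to-peer organization of Section 4.2 (agents as equals, no dedicated central server, the system keeps working when a peer fails) together with the message-authentication point of Section 2.3 (authentication tells a peer who sent a message, not whether its content is sound) as an added example. This is not the paper's code nor that of any system it cites: the Peer class, the pairwise pre-shared HMAC keys (a stand-in for the login or signed-message mechanisms the survey mentions), the alert schema and the peer names are assumptions made for the demonstration.

```python
"""P2P alert sharing among IDS agents with authenticated, then validated, messages.

Added example, not the paper's code. Pairwise HMAC keys, the Peer class, the
alert schema and all names/values are constructed assumptions.
"""
import hashlib
import hmac
import json

ALERT_KINDS = {"port_scan", "failed_login", "buffer_overflow_attempt"}


def pairwise_keys(names, seed=b"constructed-demo-seed"):
    """One shared secret per pair of peers (demo stand-in for real key provisioning)."""
    keys = {n: {} for n in names}
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            k = hashlib.sha256(seed + a.encode() + b.encode()).digest()
            keys[a][b] = keys[b][a] = k
    return keys


def validate_alert(alert):
    """Schema check on the content; a valid MAC says nothing about this."""
    return (isinstance(alert, dict)
            and isinstance(alert.get("src"), str)
            and alert.get("kind") in ALERT_KINDS
            and isinstance(alert.get("severity"), int)
            and 1 <= alert["severity"] <= 5)


class Peer:
    def __init__(self, name, keys):
        self.name = name
        self.keys = keys               # peer name -> shared secret with that peer
        self.trusted = set(keys)       # each agent decides for itself whom to trust
        self.online = True
        self.neighbours = []
        self.alerts = []               # accepted alerts
        self.rejected = []             # (reason, claimed sender)

    def connect(self, other):
        """Symmetric link between equals; no coordinating server exists."""
        self.neighbours.append(other)
        other.neighbours.append(self)

    def sign(self, recipient, alert):
        body = json.dumps(alert, sort_keys=True)
        mac = hmac.new(self.keys[recipient], body.encode(), hashlib.sha256).hexdigest()
        return {"from": self.name, "body": body, "mac": mac}

    def broadcast(self, alert):
        """Deliver to every reachable neighbour; return how many received it."""
        delivered = 0
        for peer in self.neighbours:
            if peer.online:
                peer.receive(self.sign(peer.name, alert))
                delivered += 1
        return delivered

    def receive(self, msg):
        sender = msg.get("from")
        if sender not in self.trusted:
            self.rejected.append(("untrusted", sender))
            return False
        expected = hmac.new(self.keys[sender], msg["body"].encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["mac"]):
            self.rejected.append(("bad_mac", sender))
            return False
        alert = json.loads(msg["body"])
        # An authenticated, legitimate peer can still send bad data: validate it too.
        if not validate_alert(alert):
            self.rejected.append(("malformed", sender))
            return False
        self.alerts.append(alert)
        return True


def run_scenario():
    """Three meshed agents: one fails, one message is forged, one is malformed."""
    names = ["hids-1", "nids-1", "hids-2"]
    keys = pairwise_keys(names)
    a, b, c = (Peer(n, keys[n]) for n in names)
    a.connect(b); a.connect(c); b.connect(c)
    good = {"src": "192.0.2.10", "kind": "port_scan", "severity": 2}   # constructed alert
    first = a.broadcast(good)              # both neighbours accept it
    c.online = False                       # one peer fails; sharing continues
    after_failure = a.broadcast(good)
    forged = {"from": a.name, "body": json.dumps(good, sort_keys=True), "mac": "00" * 32}
    forged_ok = b.receive(forged)          # sender has no key: MAC check fails
    malformed_ok = a.receive(b.sign(a.name, dict(good, severity=99)))  # valid MAC, bad data
    return {"first_delivery": first, "after_failure": after_failure,
            "forged_accepted": forged_ok, "malformed_accepted": malformed_ok,
            "b_alerts": len(b.alerts), "c_alerts": len(c.alerts),
            "a_rejections": [r for r, _ in a.rejected],
            "b_rejections": [r for r, _ in b.rejected]}


if __name__ == "__main__":
    print(run_scenario())
```

The scenario shows the two properties side by side: after hids-2 drops out, hids-1 and nids-1 keep exchanging alerts without any central component noticing or mediating, and the message with a fabricated MAC is refused. The last step is the Section 2.3 caveat made concrete: nids-1 is trusted and its MAC verifies, yet its out-of-range severity is still rejected, because authentication and content validation are separate checks that a trust-assurance or security agent has to perform independently.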


Table 3: Decision Tree Analysis

| Data Type | Metrics | Simple CART | C4.5 | NBTree |
|---|---|---|---|---|
| DoS | Time to Model | 10.71 | 1.05 | 31.81 |
| DoS | Size of Tree | 13 | 68 | 64 |
| DoS | Accuracy | 100 | 100 | 100 |
| DoS | TP Rate | 1 | 1 | 1 |
| DoS | FP Rate | 0 | 0 | 0 |
| Probe | Time to Model | 1.22 | 0.17 | 10.82 |
| Probe | Size of Tree | 13 | 19 | 10 |
| Probe | Accuracy | 99.7952 | 99.0964 | 100 |
| Probe | TP Rate | 0.988 | 0.991 | 1 |
| Probe | FP Rate | 0.007 | 0.007 | 0 |
| R2L | Time to Model | 1.87 | 0.35 | 13.52 |
| R2L | Size of Tree | 9 | 3 | 12 |
| R2L | Accuracy | 100 | 99.8471 | 99.5413 |
| R2L | TP Rate | 1 | 0.998 | 0.995 |
| R2L | FP Rate | 0 | 0.002 | 0.005 |
| U2R | Time to Model | 0.04 | 0.01 | 4.000 |
| U2R | Size of Tree | 3 | 9 | 2 |
| U2R | Accuracy | 72.7273 | 72.7273 | 62.634 |
| U2R | TP Rate | 0.727 | 0.727 | 0.636 |
| U2R | FP Rate | 0.152 | 0.152 | 0.303 |

The experimental study of the proposed DIDS is currently being carried out with a view to developing the various components of the system and implementing the system in the Java Agent Development Environment. In future, the issues of knowledge and cost management in the context of agent-mining-based DIDS can be examined. The scheme can also be extended to an Intrusion Response System.

5. CONCLUSION

The process of securing network resources, mostly in distributed network systems in this information-critical era, requires a well-articulated and complex system. Although the use of agents and data mining is not new in distributed intrusion detection systems, their interaction for intrusion detection is novel. So, an attempt has been made in this paper to present these two distinct areas in incorporating terms to detect and prevent attacks. The theoretical concept proposed for the DIDS is peer-to-peer agent mining integration.

[Fig 3. UML Activity Diagram of the Proposed Agent and Data Mining Interaction (diagram not reproduced; its activity nodes are Change Process, Data Preprocessing, Agent Reactive Activity, Process Data Mining Activity, Agent Proactive Activity, Derive Goal and Knowledge Base)]


[Fig. 4. Schematic Diagram of the System Composition (diagram not reproduced; its labels are Level 1, Level 2, Level 3, HIDS, NIDS, HIDS Agent, NIDS Agent, Data Mining, Data Mining Agent, Data Analysis Agent, Data Sharing Agent, Security Agent, Trust Assurance Agent, Cooperation & Communication, and Mobility, Cooperation & Communication)]

REFERENCES

[1] A. Abraham, R. Jain, J. Thomas and S.Y. Han, "D-SCIDS: Distributed soft computing intrusion detection system," Journal of Network and Computer Applications, Vol. 30, 2007, pp. 81–98.
[2] M. Almeida and B. Mutina (2011), Defacement Statistics 2002-2010. http://www.zone-h.org. Accessed May 5, 2011.
[3] S. Androutsellis-Theotokis and D. Spinellis, "A Survey of Peer-to-Peer Content Distribution Technologies," ACM Computing Surveys, Vol. 36, No. 4, 2004, pp. 335–371.
[4] J. Barrus and N.C. Rowe, "A distributed autonomous-agent network-intrusion detection and response system," In Command and Control Research and Technology Symposium, pages 577–586, Monterey, CA, June 1998.
[5] I. Brahmi, S.B. Yahia, and P. Poncelet, "MAD-IDS: Novel Intrusion Detection System using Mobile Agents and Data Mining approaches," 2010.
[6] S.T. Brugger, "Data Mining Methods for Network Intrusion Detection," Unpublished Ph.D. Thesis, University of California, Davis, 2004.
[7] V. Chatzigiannakis, G. Androulidakis, M. Grammatikou and B. Maglaris, "A distributed intrusion detection prototype using security agents," In 11th Workshop of the HPOVUA, June 2004.
[8] J.C. Da Silva, C. Giannella, R. Bhargava, H. Kargupta and M. Klusch, "Distributed Data Mining and Agents," 9th International Workshop on Cooperative Information Agents (CIA 2004).
[9] M. Eid, H. Artail, A. Kayssi and A. Chehab, "Trends in mobile agent applications," Journal of Research and Practice in Information Technology, 37(4), 2005.
[10] N. Einwechter (2001), "An Introduction to Distributed Intrusion Detection Systems," http://online.securityfocus.com/infocus/1532. Accessed May 6, 2011.
[11] V. Engen, "Machine learning for network based intrusion detection: An investigation into discrepancies in findings with the KDD Cup '99 data set and multi-objective evolution of neural network classifier ensembles for imbalanced data," Unpublished Ph.D. Thesis, Bournemouth University, 2010.
[12] D. Frincke, D. Tobin, J. McConnell, J. Marconi and D. Polla, "A framework for cooperative intrusion detection," In 21st National Information Systems Security Conference, pages 361–373, October 1998.
[13] C. Fung, "Collaborative Intrusion Detection Networks and Insider Attacks," Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications, Volume 2, Number 1, 2011, pp. 63–74.
[14] R. Gopalakrishna and E.H. Spafford, "A framework for distributed intrusion detection using interest driven cooperating agents," 2001.


[15] R. Heady, G. Luger, A. Maccabe, and M. Servilla, "The architecture of a network level intrusion detection system," Technical report, Computer Science Department, University of New Mexico, August 1990.
[16] G. Helmer, J.S.K. Wong, V.G. Honavar, and L. Miller, "Automated Discovery of Concise Predictive Rules for Intrusion Detection," Journal of Systems and Software, 60(3), 2002, pp. 165–175.
[17] G. Helmer, J.S.K. Wong, V.G. Honavar, L. Miller and Y. Wang, "Lightweight Agents for Intrusion Detection," Journal of Systems and Software, 67(3), 2003, pp. 109–122.
[18] K.A. Jackson, D.H. DuBois and Stallings, "An expert system application for network intrusion detection," In 14th National Computer Security Conference, Washington, DC, October 1991.
[19] R. Janakiraman, M. Waldvogel, and Q. Zhang, "Indra: A peer-to-peer approach to network intrusion detection and prevention," In Proceedings of IEEE WETICE 2003, Linz, Austria, June 2003.
[20] S.A. Onashoga, A.D. Akinde, and A.S. Sodiya, "A Strategic Review of Existing Mobile Agent-Based Intrusion Detection Systems," Issues in Informing Science and Information Technology, Volume 6, 2009.
[21] O. Oriola and A.B. Adeyemo, "Framework for an Intelligent Rule-based Network Intrusion Detection System," Kaspersky Students' Conference on IT Security for the Next Generation and World Cup, 2010.
[22] L. Panait and S. Luke, "Cooperative Multi-Agent Learning: The State of the Art," Autonomous Agents and Multi-Agent Systems, 11(3), 2005, pp. 387–434.
[23] Peer-to-Peer Research Group (August 2011), http://www.irtf.org/charter?gtype=rg&group=p2prg.
[24] P.A. Porras and P.G. Neumann, "EMERALD: Event monitoring enabling responses to anomalous live disturbances," In Proc. 20th NIST-NCSC National Information Systems Security Conference, 1997, pages 353–365.
[25] M.L. Shyu and V.A. Sainani, "Multiagent-based Intrusion Detection System with the Support of Multi-Class Supervised Classification," chapter 8, pages 127–142, Springer-Verlag US, Data Mining and Multi-agent Integration edition, 2009.
[26] S.R. Snapp, J. Brentano, G.V. Dias, T.L. Goan, L.T. Heberlein, C. Ho, K.N. Levitt, B. Mukherjee, S.E. Smaha, T. Grance, D.M. Teal, and D. Mansur, "DIDS: Distributed Intrusion Detection System - Motivation, Architecture, and An Early Prototype," Computer Security Laboratory, Division of Computer Science, University of California, Davis, California 95616, 1997.
[27] A.S. Sodiya, "Multi-Level and Secured Agent-based Intrusion Detection System," Journal of Computing and Information Technology, 14(3), 2006, pp. 217–223.
[28] S. Staniford-Chen, S. Cheung, R. Crawford, M. Dilger, J. Frank, J. Hoagland, K. Levitt, C. Wee, R. Yip, and D. Zerkle, "GrIDS – A graph-based intrusion detection system for large networks," In Proceedings of the 19th National Information Systems Security Conference, 1996.
[29] S. Stolfo, A.L. Prodromidis, S. Tselepis, W. Lee, D.W. Fan, and P.K. Chan, "JAM: Java Agents for Meta-Learning over Distributed Databases," In Proceedings of the 3rd International Conference on Knowledge Discovery and Data Mining, Newport Beach, California, 1997, pages 74–81.
[30] Successful Real-Time Security Monitoring, Riptech white paper, September 2010.
[31] V. Vlachos, S. Androutsellis-Theotokis, and D. Spinellis, "Security applications of peer-to-peer networks," Computer Networks, 45(2), 2004, pp. 195–205.
[32] M. Wooldridge, "An Introduction to MultiAgent Systems," John Wiley & Sons Ltd, paperback, 366 pages, ISBN 0-471-49691-X, 2002.
[33] DeepSight website (2010), http://www.securityfocus.com/. Accessed May 8, 2011.
[34] DShield website (May 2011), http://www.dshield.org/. Accessed May 8, 2011.
[35] C. Zhang, Z. Zhang and L. Cao, "Agent and Data Mining: Mutual Enhancement by Integration," The Sixth Intl. Joint Conf. on Autonomous Agents and Multi-Agent Systems, 2008.
[36] C. Zhang and L. Cao, "F-Trade: An Agent-Mining Symbiont for Financial Services," The Sixth Intl. Joint Conf. on Autonomous Agents and Multi-Agent Systems (AAMAS 07), 2007.
