A Multi-agent Case-Based Reasoning Intrusion Detection System Prototype

The number of actors, costs, and incidents in terms of internet criminality is rising each year as many devices in our daily routines become increasingly connected to the internet. 'Security by design' is gaining increased awareness in software engineering, but it is not to be expected to catch all security issues as the range of potential security issues and the creativity of the attackers are both seemingly endless. Thus, we propose a multi-agent case-based reasoning system to detect malicious traffic in a computer network. We mainly rely on the commonly used UNSW_NB15 data set including 82332 training cases with mostly numeric attributes, but the application design is open to operate with other data sources, such as NSL-KDD and CICIDS-2017 as well. Purpose. The aim of the proposed system is to detect malicious network traffic and alert the security engineer of a company to take further actions such as blocking the source IP address of the potential attacker. Findings. We were able to successfully detect seven out of ten attacks with an average true-positive rate of 82,56% and leave the remaining attacks (Analysis, Backdoor, Worms) for further investigation and improvements. Implications and value. The results are close to other research results with room for improvement. Due to the nature of a multi-agent framework, this application could be integrated into other existing intrusion detection systems and serve as an add-on.