A self-organising multi-agent system for decentralised forensic investigations

As network-based threats continue to evolve more rapidly, detecting and responding to intrusion attempts in real-time requires an increasingly automated and intelligent response. This paper provides an agent-based framework for the analysis of cyber events within networks of varying sizes to detect complex multi-stage attacks. Agents are used as intelligent systems to explore domain specific and situational information showing the benefit of adaptive technologies that proactively analyse security events in real time. We introduce several algorithms to encapsulate and manage the traditional detection technologies and provide agent-based performance introspection as a mechanism to identify poorly performing systems. Our evaluation shows that the algorithms can reduce the amount of processing needed to analyse a security event by over 50% and improve the detection rate by up to 20% by introducing corrective systems to reduce false alarm rates in error-prone environments. (C) 2018 Elsevier Ltd. All rights reserved.