Building agents for rule-based intrusion detection system

In this paper we describe the development and testing of an agent-based intrusion detection system for Linux platform. We take a dual-approach to intrusion detection: pre-emptory and reactionary. With the pre-emptory approach, a network-based agent is implemented to monitor all packets entering the network and detect a known attack-based on a pre-defined rule. The reactionary approach is realized through a separate host-based agent to routinely check specific log files in order to detect system anomalies caused by successful attacks, Once a possible intrusion attempt has been detected by either one of the agents, it attempt to block the attack, records the attack details in a system log file. E-mails the system administrator, displays a warning through a gaphical learning window. The agents operate in the background of user applications and system software without any noticeable performance effect on them. (C) 2002 Published by Elsevier Science B.V.