2008IEEE/WIC/ACMInternationalConferenceonWebIntelligenceandIntelligentAgentTechnology

Integrating Partial Models of Network Normality via Cooperative Negotiation:

An Approach to Development of Multiagent Intrusion Detection Systems
Francesco Amigoni

Fabrizio Basilico
Nicola Basilico
Stefano Zanero
Dipartimento di Elettronica e Informazione
Politecnico di Milano
Piazza Leonardo da Vinci 32, 20133 Milano, Italy
francesco.amigoni@polimi.it, fabrizio.basilico@gmail.com, {basilico,zanero}@elet.polimi.it
Abstract

identify previously unseen attacks.

In this paper, we suggest the use of agents for addressing one of the main problems in developing anomaly-based
intrusion detection systems: the definition of a model of
system normality that can be used to detect anomalous
deviations. In particular, we are concerned with network
normality models for network-based IDSs. The definition
of an exhaustive network normality model has eluded several attempts and is still an open problem. In intrusion detection literature, since the seminal works of Denning [7]
several techniques to define good normality models for
network-based IDSs have been proposed, including statistical anomaly detection [14], information-theoretic methods
such as the Parzen Window method, supervised [12] and
unsupervised [20, 21] learning algorithms. We propose the
idea that, instead of using a single all-comprehensive model
of system normality, which is hardly achievable in practice,
several partial models of normality, each one specific for an
aspect of the system, can be employed. For example, when
considering network intrusion detection systems, a partial
model can represent normality with respect to the number
of open TCP connections, while another partial model can
represent normality with respect to the destinations of transmitted packets. Each partial model, thus, can be used to
detect deviations with respect to its specific view of the network and to output an attack probability accordingly. Since
attack probabilities produced with different partial models
are likely to be different, in this paper we propose to embed
the partial models in autonomous agents and to harmonize
the attack probabilities they produce by using cooperative
negotiation to reach an agreed-upon attack probability that
represents the global view of the system. We remark that
cooperative negotiation is not to be intended as the right
way to develop a normality model for an IDS, but as a way
that provides flexibility in managing the composition of partial models.

Using agents for developing intrusion detection systems

can provide several advantages, including configurability,
adaptability, scalability, and robustness. Almost all works
in agent-based intrusion detection have considered agents
as elements that perform specific tasks in the intrusion detection process. In this paper, we propose a novel way of
using agents to solve one of the most pressing problems in
intrusion detection: the definition of an accurate model of
network normality. We consider agents as associated to
partial models of network normality that harmonize their
conflicts via cooperative negotiation. Experimental results
show that the proposed approach is promising.

1. Introduction
Intrusion detection refers to techniques that, observing
the activities of a computer system, are able of identifying possible attempts at compromising the confidentiality, integrity, or availability of its resources or services.
These attempts are usually called intrusions, and any system for their identification is an Intrusion Detection System (IDS) [4]. IDSs can be broadly divided in two classes.
A misuse detection system uses a knowledge base of descriptive patterns of intrusions and looks for sequences of
events that match these patterns. Conversely, anomaly detection systems model normality: they embed a model of
the normal behavior of a system and look for significant
deviations from such a model. While alarms raised by misuse detection systems precisely identify intrusions that occured, anomaly detection systems output an attack probability which is usually directly proportional to the degree of
detected anomaly. Anomaly detection systems are widely
studied because of their potentialities, for example they can
9780769534961/08$25.002008IEEE
DOI10.1109/WIIAT.2008.323

498
531

Although the use of autonomous agents for developing configurable, adaptable, scalable, and robust intrusion detection systems has been advocated in recent literature [6, 10, 19], our approach is significantly different. In
all the above cases, agents are elements that perform some
tasks in the intrusion detection process, for example collecting data over a network, while in our case agents are associated to partial models of network normality. This is one
of the main original contributions of this paper. The experimental results we obtained with a prototype are promising
and show the potential of our approach for developing better intrusion detection systems. About this point, we explicitly note that, differently from most papers on agent-based
intrusion detection systems, we provide a quantitative analysis of our prototype.

atively perform two steps. In the first step (), each agent
individually exploits its partial model to analyze sk and to
produce an attack probability value, according to steps (a)(c) above. As already discussed, these values are likely to
be different for different agents since they are computed according to different views of network normality. In the second step (), the agents perform a collective iterative process, a cooperative negotiation, to reach an agreement on a
global value for attack probability. The final agreement can
be seen as a shared global diagnosis of the network state sk ,
to which all agents (i.e., all partial models) contributed. The
two steps () and () are then repeated for the next network
state sk+1 .
The proposed multiagent IDS is reported in Figure 1.
Agents M1 , M2 , . . . , Mn embed partial models. The mediator is a sort of system supervisor; its role will be explained
in the next section. The extractor agent provides an abstraction level on the network data. It reads, pre-processes, and
publishes network data in a shared memory area that other
agents can access to read current network state. The synchronization between data publishing and data reading is
enforced by the mediator.

2. The Proposed Multiagent IDS

In this section, we present the proposed architecture and
its most important feature: the use of cooperative negotiation to integrate partial models.

2.1

General Architecture

A partial model describes the normal behavior of the network considering only a limited number of factors. Therefore, it represents an approximated view of normality, obtained considering only some specific aspects. From the
anomaly detection point of view, a partial model can be used
to identify only a limited set of anomalies, namely the network activities that deviate from its partial view of normality. Hence, our approach translates the problem of building
a comprehensive model of network normality into the problem of building several partial models and combining them
together. This can introduce advantages, including ease of
design, because partial models are simpler than complete
ones, and modularity, since partial models can be added and
removed without affecting the existing ones.
A partial model is used to produce an attack probability following this pattern of activities. (a) Read the current
state sk (at time k) of the network; for example, read the
packets transmitted over the network in a recent time interval. (b) Analyze the state sk , using the approximated
view of normality the partial model provides to find anomalies. (c) Produce an attack probability for state sk , namely
the probability that the identified anomalies reflect an intrusion. Since starting from the same state sk different partial
models will produce different attack probabilities, a combination of such models is needed to obtain a global attack
probability, namely a global diagnosis of the network state.
We associate each partial model to an agent. Hence, the
resulting multiagent system includes different partial models. Given a state sk of the monitored network, agents iter-

."&/'(01
2%&%

+,&(%-&'(

!"#$%&'(

!)

34%("#1
5"5'(61
%("%
2%&%
!*

."7'&$%&$'*
8'*&('9

Figure 1. Architecture of our multiagent IDS

2.2

Cooperative Negotiation

In this section, we describe how agents cooperatively negotiate over the attack probability. The negotiation protocol
we used is similar to that in [8] and basically extends the
classic alternating-offers protocol [17] with the introduction
of a mediator. The mediator acts as a central coordinator between agents {Mi } and synchronizes their activities during
the negotiation process. The following sequence of (iterated) activities is denoted as negotiation session at state sk :
1. Given the state sk of the network at a time k (as provided by the extractor agent), each agent Mi computes
an initial offer p0i for the attack probability using its
partial model (step () above).

532
499

2. This offer is sent to the mediator, together with a value

Wi called importance of agent Mi . Importance is a
value in (0, 100] that expresses the degree of confidence of an agent in the proposed attack probability
value. The more an agent believes its proposal reflects
the real attack probability value, the larger its importance.
3. The mediator receives all the offers and the importance
values from the agents and computes the current agreement at using a function A(), called agreement function, whose arguments are the received offers and the
importance values. The agreement at is a global value
for the attack probability.
4. The mediator sends its counter-offer at to all agents,
together with W , namely with the average importance
of agents.
5. Each agent receives the mediators feedback and computes its new offer pt+1
for the attack probability using
i
a function Fi () called negotiation function; its arguments are the previous offer pti made by the agent and
the counter-offer at received from the mediator (the
current agreement).
6. Each agent sends its new offer to the mediator and
the process iterates from step 3 until an agreement is
reached, namely until all the offers are equal (iteration
of activities 3-6 constitutes the step () above).

has been defined as the weighted average of the attack probability values offered by agents, where the weights are the
importance values (n is the number of agents taking part to
the
negotiation): at = A(pt1 , W1 , pt2 , W2 , . . . , ptn , Wn ) =
Pn
t
i=1 pi Wi
P
. From the above formula, it can be seen that in
n
i=1 Wi
our cooperative negotiation framework, the influence of an
agent on the current agreement is directly proportional to its
importance value. Importance is constant during a negotiation session, since its value depends only on the current
observed state. In the proposed architecture, importance
has been computed according to the following principle:
the more evidently an anomaly has been identified using a
partial model, the more important will be the agent associated to that model. Importance of an agent Mi is computed
according to Figure 2. Given an attack probability p produced using the partial model of Mi in the current state sk ,
if p ! pl then the agent is in a low-level alarm phase and
its importance is equal to Wmin . Analogously if p " ph . If
pl ! p ! ph importance is computed as a linear interpolation of Wmin and Wmax .
100
Importance

Wmax

Another negotiation session occurs at time k + 1 after the

next state sk+1 of the network has been read by the extractor
agent.
Since all the interactions go throughout the mediator,
agents can be completely unaware of the presence of the
others, reducing communication overhead and improving
modularity. This introduces flexibility in managing the
composition of the system, since adding or removing an
agent, even at runtime, does not affect the other agents.
Conversely, not using a mediator brings to a large number
of exchanged messages and to reduced modularity, since an
agent should communicate with all others. The bottleneck
introduced by the mediator is negligible for few agents. For
a large number of agents, more complex mechanisms could
be used, for example a hierarchy of mediators. Note that,
although iteration of activities 3-6 above could in principle
be centrally performed by the mediator, our distributed approach enables the development of more decentralized and
modular systems, for example by allowing agents to change
their Fi ()s at runtime according to their partial models or
to be run on different computers to improve performances
(however, we have not yet fully explored these possibilities).
The cooperative negotiation protocol described above
does not impose any negotiation strategy to the agents, that
is indeed related to the implementation of functions A() and
Fi (). The agreement function A(), used by the mediator,

Wmin

Pl

Ph

Probability

Figure 2. Importance function

The negotiation function Fi (), used by agent Mi
for computing its new offers, is defined as: pt+1
=
i
Fi (pti , at ) = pti +i (at pti ). The value at pti can be considered as a measure of the disagreement between agent Mi
and the system. The parameter i (0, 1) is called agreement coefficient. It quantifies the willingness of agent Mi to
adapt its offer to the counter-offer received from the mediator. A value close to 1 for i means that agent Mi , making
its new offer, will favor the community benefits against its
own (i.e., it will tend to the current agreement). Vice versa,
a value close to 0 for i means that agent Mi is almost no
caring about community benefits (i.e., it will stay with its
last offer). We calculate the agreement coefficient for an
agent Mi as a function of the relative importance associated
to that agent. Specifically: i = 1 e(W /Wi ) . The larger
Wi with respect to the average importance W , the less agent
Mi will be willing in adapting its offer to the counter-offer.
Note that the implementation of functions A() and Fi ()s
533
500

we used is justified by its simplicity and that other ways to

implement them could be used. The study of how to define
good A() and Fi ()s for a given application is still an open
issue.
The cooperative negotiation mechanism just described
has been proved to be connectively stable, according to [3].
This means that it is guaranteed that agents will eventually
reach a stable agreement on attack probability in a negotiation session, regardless of their initial proposals (i.e., of the
partial models they embed) and of their number. In our experimental setting, we verified that an agreement is usually
reached in less than 500 ms.

opening new connections is unlikely to show sudden and

significative variations in time. This is, at an abstract level,
the partial definition of normality that the Syn-Flags partial
model represents. Requests for new connections are packets
in which the flag SYN (synchronization) is activated. The
model considers the number yk of SYN packets in the current state sk (i.e., counted in the time interval Ik ). Given
(yk1 , yk2 , . . . ykL ), namely the observations in the L
previous states, sample mean Y and sample variance S 2 are
computed over such vector, and an estimator of a normal
probability distribution f (x) is determined. Using this estimator, the Syn-Flags agent computes a probability value for
yk . If yk is a regular value, with respect to the L previous
ones, its probability does not significantly differ from the
probability of the expected value f (Y ). Thus, attack probability at sk is computed as: patt = (f (Y ) f (yk ))/f (Y ).
This attack probability is the initial offer of the Syn-Flags
agent in the negotiation session at state sk .
The second model we implemented is Reset-Flags. This
model can be used to report anomalies in the number of
aborted connections. Irregular closing of connections is signalled by packets in which the flag RST is activated. In a
regular context, the number of these events is very small.
Similarly to the previous case, for each state sk , Reset-Flags
agent measures rk , that is the number of RST packets in
the interval Ik . The agent then evaluates the regularity of
rk , with respect to the L previous observations stored in
the vector (rk1 , rk2 , . . . rkL ). In this case, a normal
distribution does not fit with the observed data because the
samples concentrate around zero. Therefore, a cumulative
distribution function is used for computing attack probability at sk :

3. Experimental Results
In this section, we describe the experimental validation
of our multiagent IDS. Specifically, we describe the implemented prototype and its experimental evaluation.

3.1

The Prototype Multiagent IDS

We first describe the implementation of the extractor

agent. The state of the network produced by the extractor agent is a set of network events, like transmissions of
TCP/IP packets, recorded in a given time interval. The
current state sk represents network events occurring within
the interval Ik = [k , k + T ), while the next state sk+1
will be related to the interval Ik+1 = [k+1 , k+1 + T ) =
[k + t, k + t + T ). Therefore, the network states to
be analyzed by agents are produced by the extractor agent
using a temporal sliding window mechanism. This mechanism is defined by two parameters: the width of the time
interval T and the offset t. The values of these parameters
are set at the system level, in order to achieve global synchronization among agents. This simplifying assumption,
based on the use of a mediator, guarantees that all agents
consider the same current state in producing their initial attack probability values, that are the starting point of cooperative negotiation sessions.
In order to develop a prototype of the system, we implemented three agents embedding three simple partial models
that are described in the following. The models have been
intentionally designed as simple as possible, in order to focus our study on the effectiveness of cooperative negotiation
to compose models rather than on their individual capabilities. In this sense, our purpose is to show the potential of
our approach rather than to stress its absolute performance
by finding the best combination of partial models for network intrusion detection.
The first model considers the amount of requests for
opening new connections and is called Syn-Flags. Its definition starts from a simple principle about networks normal
behavior: in a regular context, the amount of requests for

patt =

|{ri (rk1 , rk2 , . . . rkL ) | ri ! rk }|

|(rk1 , rk2 , . . . rkL )|

In this function, (0, 1) represents the sensitivity of the

model. This parameter improves the models practical effectiveness by scaling the real measure rk .
The last model is Port-Ranking and relates to the distribution of packets port numbers. The Port-Ranking partial
view of normality is based on the following principle: in a
regular context the set of the most used ports is unlikely to
show significative changes in time. The use (score) of a port
p is defined as the number of packets transmitted towards p.
The model computes a rank of the H most used ports, by
analyzing the state sk . Rank of H most used ports at sk is
defined as an ordered list of ports associated to their scores
(i.e., their use). Port-Ranking agent compares this rank with
the rank at sk1 in order to determine a cost ck . This cost
reflects the amount of variations that has been observed in
the rank of the H most used ports moving from sk1 to sk .
Given the ranks at sk1 and sk the cost ck is calculated as:

534
501

3.3

if, moving from sk1 to sk , a port p has changed its

position in the rank, the (absolute value of) difference
between its new and its old scores is added to the cost,
if a new port pnew appeared in sk rank or an old port
pold disappeared from the rank at sk1 , the score of
the appeared or disappeared port is added to the cost.

The experimental evaluation we conducted has been devoted to validate the viability of our approach and not to
assess its absolute performance. Due to space limitations,
we report only a small portion of our experimental results.
We first present the results obtained employing all the
three partial models, each one associated to an agent. Attacks are considered to be identified when attack probability is larger than 0.8. Results show 62.26% true positive
and 0.89% false positive rates. These are good, especially
when considering the very simple partial models used. The
attacks that have not been identified are mainly attacks that
cannot be identified by our three partial models. An example is an httptunnel attack performed with low frequency
connections that does not produce any anomaly in the network data. However, these attacks could be identified by
adding other partial models. Although our results may seem
worse than some others shown in literature, the comparison
is not easy because of a number of reasons. For example,
the system in [6] has been reported to achieve a true positive
rate of 83.33% with no false positives. However, these results have been obtained with a training data set (during the
learning of the fuzzy classifier rules, see next section) and
with only two possible attacks. To the best of our knowledge, we are not aware of any performance result of that
system over a testing data set. We explicitly note that this is
a common situation for agent-based IDSs for which quantitative experimental evaluations are hard to find in published
papers. For example, the recent work in [16] presents anecdotical experimental results that show the ability of the system to distinguish different attacks, but do not present any
complete assessment of system performance, as we try to
do in this paper.
As a second experiment, we present the performance of
the system when varying the number of agents. Given a
configuration, its performance can be described by pairs of
false positive and true positive rates over the data set, each
of them computed for a different value of probability threshold. These results can be graphically represented with a
ROC curve. The larger the area under a ROC curve, the
better the performance of the corresponding configuration.
ROC curves for different system configurations are plotted
in Figure 4. Performance improves when increasing the
number of agents in the system: the configurations of the

An example of cost calculation is shown in Figure 3. The

more different the rank at sk from the rank at sk1 , the
larger ck . In a regular context the cost ck is expected to
be small. Therefore, Port-Ranking agent evaluates ck regularity with respect to the vector (ck1 , ck2 , . . . ckL ) of
L previous costs. Similarly to Reset-Flags agent, a cumulative distribution function is employed to compute the attack
probability.
Rank at state sk1
P ORT
SCORE
E
210
O
165
Q
130
A
105
T
60

Rank at state sk
P ORT
SCORE
Q
175
120
O
F
95
E
80
G
75

|SCORE(sk , E) SCORE(sk1 , E)| = |80 210| = 130

|SCORE(sk , O) SCORE(sk1 , O)| = |120 165| = 45
|SCORE(sk , Q) SCORE(sk1 , Q)| = |175 130| = 45
SCORE(sk1 , A) = 105
SCORE(sk1 , T ) = 60
SCORE(sk , F ) = 95
SCORE(sk , G) = 75
ck = 130 + 45 + 45 + 105 + 60 + 95 + 75 = 555

Figure 3. Calculation of cost ck

3.2

Experimental Evaluation

Implementation Details

The prototype has been coded in JAVA using JADE and

has been tested over a DARPA data set of pre-recorded network data [13]. Network data are provided with groundtruth tables reporting the actual attacks and their time
stamps. By means of these tables an evaluation of the prototype has been performed by comparing the attacks it identified with the attacks reported in the ground-truth tables,
obtaining a measure of the effectiveness of our multiagent
IDS. In our experiments we used the first and second week
of the test phase of the 1999 DARPA data set. This portion of the data set contains a representative sample of attacks. All experiments have been performed on a Pentium
4 1.7 GHz computer equipped with 1 GB RAM and Windows XP. Parameters values, reported in Table 1, have been
chosen after some experiments on portions of the data set.
We also verified that small variations of these values do not
introduce significative changes in the system behavior.

System parameters
T
180s
t
60s
pl
0.3
ph
0.8

L
H

Wmin
Wmax

Models parameters
Syn-Flags
Reset-Flags
600
600
0.4
15
20
70
90

Port-Ranking
600
5
0.4
10
50

Table 1. Values for parameters

535
502

system with two agents perform worse than the complete

configuration with three agents. The combination of more
partial models via cooperative negotiation leads to a better
approximation of normality since different factors, represented by the different partial views, are taken into account.
This is a desirable property of our approach.

Agents cannot communicate with each other. Each agent is

specialized in detecting a particular anomaly in the data. A
transceiver checks the state of a host by integrating the reports produced by the agents it supervises. When the state
indicates a potential attack, the transceiver issues an alarm.
However, some attacks can be identified only by integrating information relative to different hosts: this is done by
monitors, global components that supervise the activities of
more transceivers.
Another agent-based IDS is PAID (Probabilistic AgentBased Intrusion Detection) [10]. In this architecture, there
are three types of agents. System-monitoring agents process the raw data and publish the results of their observations. Intrusion-monitoring agents, the most important components of the architecture, embed Bayesian networks. Each Bayesian network refers to a particular attack and relates some anomalies in the network behavior,
which can be detected from the results provided by the
system-monitoring agents, with the probability of the attack. The third type of agents, the registry agent, manages the publish-subscribe mechanism. The structure of the
intrusion-monitoring agents shares some similarities with
our approach. However, adding a new agent to PAID seems
more difficult (e.g., some Bayesian networks may need to
be modified) than adding an agent to our system.
A somewhat similar architecture is ABDIAS (AgentBased Distributed Intrusion Alert System) [9], in which
agents manage portions of a global Bayesian network and
communicate to form a system-level view.
CIDS (Cougaar-Based Intrusion Detection System) [6]
is an agent-based IDS that can identify intrusions and propose recommendations. In each node of the network, four
agents are present. The first agent, called Manager agent,
coordinates the activities of other agents in the node and
communicates with other Managers to share information at
a network-level. The second agent, the Monitor agent, analyzes data collected over the network to detect anomalies
as deviations from the normal profile. Anomalies are sent
to the third agent, called Decision agent, that is in charge
of deciding whether these anomalies are due to an intrusion
and, in this case, which action the system should execute
to face the situation. Decision agents use several decision
modules, including fuzzy inference systems and knowledge
bases, that bid for the action to be performed. The action
with the largest bid is selected. Finally, the fourth agent, the
Action agent, actually executes the repairing action. The bid
mechanism used by the Decision agents is simpler than our
cooperative negotiation mechanism and is oriented to select
an action and not to estimate the global attack probability.
FAST (Fuzzy Adaptive Survivability Tool) [18] is similar to CIDS. The system includes a Detection agent that uses
a fuzzy inference mechanism to estimate the alert level.
CAMNEP [16] is a multiagent IDS for high speed back-

-./01232,4.56789:;37.5
-./01232,4.56789:;37.5,<73=.93,528.37;37.5
>.9?12,4.56789:;37.5@,A2B23!C1;8B,;5D,E.:3!A;5F758
>.9?12,4.56789:;37.5@,GH5!C1;8B,;5D,A2B23!C1;8B
>.9?12,4.56789:;37.5@,GH5!C1;8B,;5D,E.:3!A;5F758
I;B21752

#
!"*
!"(
!"&
!"$
!,
!

!"#

!"$

!"%

!"&

!"'

!"(

!")

!"*

!"+

Figure 4. Performance in different configurations

In order to asses that using cooperative negotiation is not
a pointless complication, a further evaluation is presented.
The system running in complete configuration (with all the
three agents) has been compared with a system in which
partial models are navely combined through weighted average. In this second system, the initial attack probabilities
of the agents are just averaged (with weights Wi ) and the
result is taken as the global attack probability returned by
the system. Figure 4 shows that cooperative negotiation introduces a significant improvement in the identification of
attacks.

4. Related Works
Agents are employed in IDSs in two broad ways. On the
one hand, they are used as a technology for implementing
IDSs. Examples are the use of mobile agents for collecting and processing information around a network [11]. On
the other hand, agents are used as a paradigm for developing IDSs and their architectures. In this case, IDSs are designed by associating agents to key elements of the systems.
Since the system proposed in this paper follows this second
approach, in the remainder of this section we concentrate
on the most significant systems that use agents mainly as a
design concept. We note that the main difference between
these systems and ours is that we associate agents to partial models and not to structural elements of the IDS (like
data processing and monitoring elements).
AAFID (Autonomous Agents for Intrusion Detection) [19] is one of the earliest agent-based IDSs. Each host
on the network has a number of agents collecting and analyzing data to generate reports that are sent to a transceiver.

536
503

bone networks that appears to follow an approach similar

to ours. Each agent embeds a different anomaly detection
method and uses a trust modeling technique to classify network traffic flows by integrating anomaly values produced
by others. However, differently from our case, anomaly values are simply averaged to obtain a global evaluation of the
network traffic.
Finally, we remark that in literature cooperatively negotiating agents have been used to address several applications,
including resource allocation (e.g., [5, 15]) and modelling
of complex physiological systems [1, 2].

[5] J. Bingam and L. Du. Cooperative negotiation in a multiagent system for real-time load balancing of a mobile cellular network. In Proc. AAMAS, pages 568575, 2003.
[6] D. Dasgupta, F. Gonzalez, K. Yallapu, J. Gomez, and
R. Yarramsettii. CIDS: An agent-based intrusion detection
system. COMPUT SECUR, 24(5):387398, 2005.
[7] D. Denning. An intrusion-detection model. IEEE T SOFTWARE ENG, 13(2):222232, 1987.
[8] N. Gatti and F. Amigoni. A cooperative negotiation protocol for physiological model combination. In Proc. AAMAS,
pages 656663, 2004.
[9] A. Ghosh and S. Sen. Agent-based distributed intrusion alert
system. In Proc. IWDC, volume LNCS 3326, pages 240
251, 2004.
[10] V. Gowadia, C. Farkas, and M. Valtorta. PAID: A probabilistic agent-based intrusion detection system. COMPUT
SECUR, 24(7):529545, 2005.
[11] G. Helmer, J. Wong, V. Honavar, and L. Miller. Lightweight
agents for intrusion detection.
J SYST SOFTWARE,
67(2):109122, 2003.
[12] W. Lee, S. Stolfo, and K. Mok. Mining in a data-flow environment: Experience in network intrusion detection. In
Proc. KDD, pages 114124, 1999.
[13] R. Lippmann, J. Haines, D. Fried, J. Korba, and K. Das.
Analysis and results of the 1999 DARPA off-line intrusion
detection evaluation. In Proc. RAID, pages 162182, 2000.
[14] M. Mahoney and P. Chan. Learning nonstationary models of
normal network traffic for detecting novel attacks. In Proc.
KDD, pages 376385, 2002.
[15] R. Mailler, V. Lesser, and B. Horling. Cooperative negotiation for soft real-time distributed resource allocation. In
Proc. AAMAS, pages 576583, 2003.
[16] M. Rehak, M. Pechoucek, K. Bartos, M. Grill, P. Celeda,
and V. Krmicek. CAMNEP: An intrusion detection system
for high-speed networks. Progress in Informatics, 5:6574,
2008.
[17] A. Rubinstein. Perfect equilibrium in a bargaining model.
Econometrica, 50(1):97109, 1982.
[18] M. Shajari and A. Ghorbani. Application of belief-desireintention agents in intrusion detection & response. In Proc.
PST, pages 181191, 2004.
[19] E. Spafford and D. Zamboni. Intrusion detection using autonomous agents. COMPUT NETW, 34:547570, 2000.
[20] S. Zanero. Analyzing TCP traffic patterns using self organizing maps. In Proc. ICIAP, volume LNCS 3617, pages
8390, 2005.
[21] S. Zanero. Unsupervised Learning Algorithms for Intrusion
Detection. PhD thesis, Politecnico di Milano, Milano, Italy,
2006.

5. Conclusions
In this paper we have presented an original approach to
the development of IDSs that is based on the integration
of several different partial models, representing specific aspects of the normality of a network. Partial models are harmonized by embedding them in agents and by letting these
agents cooperatively negotiate over the attack probability.
The experimental results are encouraging and make us confident that using more sophisticated partial models will lead
to systems that may compete with more traditional IDSs.
Note that, while in principle cooperative negotiation can be
substituted by an equivalent process centralized in the mediator, our approach is more flexible because it facilitates
the changes to the composition of the system. For example, adding a new partial model (e.g., Port-Ranking) to the
system is straightforward and does not require any modification to the other partial models, as shown in experimental
results, while adding a new partial model to a centralized
system is more complex.
Future work can address different aspects. For example,
real use of our agent-based IDS, beyond better partial models and a deeper analysis of their correlation, requires to
address some real-time and scalability issues. Another direction of work is the improvement of the cooperative negotiation mechanism, for allowing the agents to reach a shared
agreement with some guarantee on the time bounds within
which this agreement will be reached.

References
[1] F. Amigoni, A. Beda, and N. Gatti. Combining multi-sensor
rate-adaptive pacing algorithms via multiagent negotiation.
IEEE T INF TECHNOL B, 10(1):1118, 2006.
[2] F. Amigoni, M. Dini, N. Gatti, and M. Somalvico. Anthropic
agency: A multiagent system for physiological processes.
ARTIF INTELL MED, 27(3):305334, 2003.
[3] F. Amigoni and N. Gatti. A formal framework for connective stability of highly decentralized cooperative negotiations. AUTON AGENT MULTI-AG, 15(3):253279, 2007.
[4] R. Bace. Intrusion detection. Macmillan Publishing, 2000.

537
504