Architecture and Implementation of IDS/IPS
Centralized Architecture
 The first generation of IDSs were host-based IDSs
 These host-based IDSs run on the target system in order to monitor and analyze the operating
system and host activities and to detect malicious activities.
[Figure: IDS architectures, classified by where the data sources are collected and
analyzed, fall into three groups: Centralized, Distributed and Agent Based]
 The next generation of IDSs moved the intrusion monitoring, analysis and
detection from the target system to a separate system
 Most current IDSs are centralized systems
 With a centralized architecture, all of the monitoring, detection, and
response activities are controlled directly by a central console.
Centralized intrusion detection has two major limitations:
(1) Existing commercial solutions to network intrusions cannot cover all possible
attacks on the network accurately (i.e., they drop packets, yet still generate a huge
number of false alarms), and
(2) Existing approaches are unable to respond to attacks in a timely manner. As a
result, a distributed intelligent agent-based system has been proposed to overcome these
shortcomings of conventional systems.
Distributed Architecture
 The partially distributed (i.e. hierarchical) architecture is proposed so that
data collection is implemented locally in each subnet and is then reported to
one or more central locations
 In a typical hierarchical IDS architecture, a subnet IDS console
collects reports from local sensors and then sends reports to a higher-level
IDS console (e.g., an enterprise-level IDS console).
 This higher-level IDS console might in turn send all reported information to another,
still higher-level IDS console that manages detection and response among a
set of cooperating networks
Figure 5.3 shows a fully-distributed architecture.
Agent Based
 The agent-based approach is used for hierarchical IDSs; agents are also utilized for
implementing fully distributed IDSs, where data is collected and analyzed at
a number of locations that grows in direct proportion to the number of
monitored components

Intelligent Agents
 Instead of applying an individual IDS to defend the network, agents offer a
new approach to the implementation of IDSs in which several independent
and intelligent processes cooperate in securing the network.
 Such an agent-based IDS framework has many advantages, including
o The distribution of the computation cost
o The reduction in the amount of information sent over the network
o Platform independence
o Asynchronous operation
o Ease of updating
 Other benefits of the agent-based approach are efficiency, fault
tolerance, extensibility, scalability, and resilience to degradation.
 Intelligent agents allow a complex IDS to be implemented in a highly
modular manner and make it possible for the IDS to mount an active
defense instead of reporting intrusions passively.
 In an agent-based system, the individual agents are each designed to manage a
particular task and work together to fulfill the requirements of the whole
system
 The main drawbacks of agent systems include the overhead of a large
number of processes and the lack of viable research into understanding and
addressing the agents' own potential security problems (a compromised or
spoofed agent can feed false findings to the rest of the system).
 Some typical examples of agent-based intrusion detection systems:
o Autonomous Agents for Intrusion Detection (AAFID)
o Multi-agents System-based Network Security Management
Architecture
o Hummingbird
o Multi-agent-based IDS
o Adaptive Hierarchical Agent-based Intrusion Detection System
o Fuzzy Adaptive Survivability Tools (FAST)
Autonomous Agents for Intrusion Detection (AAFID)
 A distributed IDS
 Developed by the Center for Education and Research in Information
Assurance and Security (CERIAS) at the Purdue University
 The agents in AAFID are organized in a hierarchical fashion for data
collection and analysis, and there are four components included in the
system architecture, namely-
o Agents
o Filters
o Transceivers
o Monitors
 Filters provide a subscription-based service to agents with two main
functions, namely data selection and data abstraction.
 Each data source has only one filter
 A transceiver receives the findings reported by agents
 Agents do not communicate directly with each other in the AAFID
architecture; their operations are monitored by the transceiver on each host
entity.
 The transceiver has the ability to start, stop or send configuration commands
to agents and can also perform data reduction on the data received from
different agents.
 The transceivers report their results to one or more monitors
 Because monitors have access to network-wide data, they are able to perform higher-
level intrusion detection
 Monitors can also be organized in a hierarchical fashion, so that one monitor
may in turn report to another, higher-level monitor
 In case a monitor is down or fails to operate, the transceiver can send
its report to more than one monitor, thus providing redundancy and
resistance to the failure of any one monitor.
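The hierarchical reporting chain described above (sensors to subnet console to enterprise console) and the AAFID component roles are easiest to see in code. The following is an added example, not AAFID's own implementation or any code from CERIAS: a toy Python model in which one Filter per data source selects and abstracts records for subscribed Agents, Agents report only to their host's Transceiver, the Transceiver reduces the findings and forwards one report to every configured Monitor (so a failed monitor is tolerated), and a Monitor correlates across hosts. The log records, the two detectors (login brute force, port scan) and their thresholds are all constructed for the example.

```python
"""Toy AAFID-style data flow: Filter -> Agent -> Transceiver -> Monitor(s).
Added example; not AAFID's code. All events and thresholds are constructed."""
from collections import Counter, defaultdict

# Constructed sample records for two data sources on host "web1" (not real logs).
AUTH_LOG = [
    {"src": "auth", "host": "web1", "user": "root", "result": "fail", "ip": "10.0.0.9"},
    {"src": "auth", "host": "web1", "user": "root", "result": "fail", "ip": "10.0.0.9"},
    {"src": "auth", "host": "web1", "user": "root", "result": "fail", "ip": "10.0.0.9"},
    {"src": "auth", "host": "web1", "user": "alice", "result": "ok", "ip": "10.0.0.5"},
]
NET_LOG = [{"src": "net", "host": "web1", "ip": "10.0.0.9", "dport": p}
           for p in (22, 23, 80, 443, 8080)]
NET_LOG.append({"src": "net", "host": "web1", "ip": "10.0.0.5", "dport": 443})


class Filter:
    """Exactly one filter per data source. Subscribers give a selection
    predicate (which records they want) and a field list (data abstraction)."""
    def __init__(self, source):
        self.source = source
        self.subs = []  # (agent, predicate, fields)

    def subscribe(self, agent, predicate, fields):
        self.subs.append((agent, predicate, fields))

    def feed(self, records):
        for rec in records:
            assert rec["src"] == self.source, "record routed to wrong filter"
            for agent, pred, fields in self.subs:
                if pred(rec):
                    agent.consume({k: rec[k] for k in fields})


class Agent:
    """Watches for one kind of activity; talks only to its host transceiver."""
    def __init__(self, name, transceiver):
        self.name, self.tx = name, transceiver

    def report(self, finding):
        self.tx.receive(self.name, finding)


class BruteForceAgent(Agent):
    THRESHOLD = 3  # constructed: failed logins per (user, ip) before reporting

    def __init__(self, name, tx):
        super().__init__(name, tx)
        self.fails = Counter()

    def consume(self, rec):  # filter already selected only failures
        key = (rec["user"], rec["ip"])
        self.fails[key] += 1
        if self.fails[key] == self.THRESHOLD:  # fire once, at the threshold
            self.report({"kind": "brute_force", "ip": rec["ip"], "user": rec["user"]})


class PortScanAgent(Agent):
    THRESHOLD = 5  # constructed: distinct destination ports per source ip

    def __init__(self, name, tx):
        super().__init__(name, tx)
        self.ports = defaultdict(set)

    def consume(self, rec):
        self.ports[rec["ip"]].add(rec["dport"])
        if len(self.ports[rec["ip"]]) == self.THRESHOLD:
            self.report({"kind": "port_scan", "ip": rec["ip"]})


class Transceiver:
    """Per-host collector: reduces agent findings and reports to all monitors."""
    def __init__(self, host, monitors):
        self.host, self.monitors = host, monitors
        self.findings = []

    def receive(self, agent_name, finding):
        self.findings.append((agent_name, finding))

    def flush(self):
        # Data reduction: one record per source ip, listing the kinds seen.
        by_ip = defaultdict(set)
        for _, f in self.findings:
            by_ip[f["ip"]].add(f["kind"])
        report = {"host": self.host,
                  "ips": {ip: sorted(kinds) for ip, kinds in by_ip.items()}}
        delivered = sum(m.receive(report) for m in self.monitors)  # redundancy
        self.findings.clear()
        return report, delivered


class Monitor:
    """Higher-level node with a network-wide view; may itself be down."""
    def __init__(self, name, up=True):
        self.name, self.up, self.reports = name, up, []

    def receive(self, report):
        if not self.up:
            return 0  # lost here, but other monitors still get the copy
        self.reports.append(report)
        return 1

    def hostile_ips(self, min_score=2):
        """Correlate across hosts: score an ip by kinds of activity reported."""
        score = Counter()
        for r in self.reports:
            for ip, kinds in r["ips"].items():
                score[ip] += len(kinds)
        return {ip for ip, s in score.items() if s >= min_score}


def run_demo():
    enterprise, backup = Monitor("enterprise"), Monitor("backup", up=False)
    tx = Transceiver("web1", [enterprise, backup])
    auth_filter, net_filter = Filter("auth"), Filter("net")
    auth_filter.subscribe(BruteForceAgent("bruteforce", tx),
                          lambda r: r["result"] == "fail", ["user", "ip"])
    net_filter.subscribe(PortScanAgent("portscan", tx),
                         lambda r: True, ["ip", "dport"])
    auth_filter.feed(AUTH_LOG)
    net_filter.feed(NET_LOG)
    report, delivered = tx.flush()
    return report, delivered, enterprise.hostile_ips()


if __name__ == "__main__":
    print(run_demo())
```

Running `run_demo()` yields a single reduced report for host `web1` naming `10.0.0.9` for both `brute_force` and `port_scan`, delivered to one of the two monitors (the backup is down), and the live monitor's network-wide view flags `10.0.0.9` as hostile. The point of the structure is the one the slides make: agents never talk to each other, the transceiver is the only thing that can start, stop or reconfigure them, and reporting to more than one monitor is what makes the loss of a monitor survivable.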
Multi-agent System-based Network Security Management Architecture (MANSMA)
 Boudaoud et al. apply Belief-Desire-Intention (BDI) agents to intrusion
detection and propose an architecture called MANSMA
 It consists of two layers, namely the Manager Layer and the Local Layer.
 The Manager Layer is used to manage the global security of a large network
 The Local Layer manages the security of a single domain.
 There are three types of agents identified in the Manager Layer, namely-
o Security Policy Manager Agent (SPMA)
o Extranet Manager Agent (EMA)
o Intranet Manager Agent (IMA).
 The SPMA maintains the global security policy that is determined by a
human administrator
 The EMA controls the IMAs and manages the distributed Extranet
 Each IMA manages the security of a local network and is able to control
specified agents
 The security of a domain is managed in the Local Layer, where three types
of Local Agents (LAs) are defined, namely
o Extranet LA
o Intranet LA
o Internet LA
 The main functions of the LAs are monitoring specified activities and
sending reports to the Manager Agents
 Three functions are also defined for each agent, namely
o Event Filtering
o Interaction
o Deliberation
 The event filtering function filters detected security events according to the
event classes specified in the detection goal of the agent.
 The detection goal of each agent determines the set of event classes to be
observed.
 The interaction function allows agents to communicate and exchange their
analyses and knowledge
 The deliberation function determines the agent's capability to build knowledge
and experience and to reason according to its mental attitudes (beliefs, desires and intentions).