Adaptive agent-based intrusion detection

Posted on: 2002-09-12
Degree: Ph.D
Type: Thesis
University: Texas A&M University
Candidate: Ragsdale, Daniel J
Full Text: PDF
GTID: 2468390011997115
Subject: Computer Science
Abstract/Summary:
This work describes a novel methodology for tailorable, adaptive, and hierarchical intrusion detection (ID) systems. The Adaptive Hierarchical Agent-based Intrusion Detection (AHA! ID) methodology employs agents and a variety of problem-solving strategies to address the complexities of detecting intrusions in large-scale, resource-constrained environments. The methodology offers explicit support for tailored and adaptive intrusion detection, providing improved intrusion detection and greater resistance to evasion and subversion.

This methodology employs a hierarchical arrangement of ID components. The lowest levels in this hierarchy are lightweight intrusion analysis tools. The higher-level, supervisory components provide adaptive control and synthesis of the analysis performed by lower-level components. The benefits of this hierarchical arrangement are that it provides both distributed analysis and centralized control. The AHA! ID methodology is tailorable in that it provides system administrators with the ability to assign relative values to various information resources.

This methodology provides three means of adaptation. First, adaptation is provided through adjustments to the amount of system resources devoted to the task of detecting intrusive activities. Second, adaptation is provided through the dynamic invocation of new combinations of low-level analysis tools in response to changing circumstances. Finally, adaptation is provided as the manager components learn about their constituent low-level analysis tools and adjust the confidence metric associated with them.

The tailorable and adaptive nature of the AHA! ID methodology provides improved intrusion detection and better resistance to evasion and subversion. In addition, the hierarchical organization of ID components within the AHA! ID methodology provides for distributed analysis and scalable performance in realistic resource-constrained environments.
Keywords/Search Tags:Intrusion detection, Adaptive, Methodology, Hierarchical, Components, Aha