2.7 Recent Advances in Intrusion Detection

AAFID and EMERALD were frameworks that allowed intrusion detection systems to scale up to the domain and enterprise levels. There have been other significant contributions to the field of intrusion detection that apply to specific components of intrusion detection.

2.7.1 Mobile Agent Technology

In keeping with the move away from centralized systems, mobile agent technologies for intrusion detection attempt to address the issues of a single point of failure, scalability, and re-configurability of the system.

SPARTA (Security Policy Adaptation Reinforced through Agents) [15] is one such system. Each host on the system has a local event generator, a storage component, and a mobile agent platform installed. The mobile agent platform is responsible for moving the state and the code of the agents between hosts and for providing an execution environment for them. The system also provides protection against the security risks involved in using mobile code. The SPARTA detection algorithm uses an attack pattern language called EQL. Defining attack patterns in EQL reduces the amount of data transferred while still retaining enough information for analysis: mobile agents select interesting information locally and move only parts of the data across the network. For agent authentication, SPARTA uses a public key infrastructure.

IDA [3] is another mobile agent framework. IDA employs sensors on every host to monitor system logs. When an intrusion is suspected, the manager devises a tracing route and deploys a tracing agent to the hosts on that part of the network. When the tracing agent arrives at a host, it activates an information-gathering agent. This information-gathering agent extracts information pertaining to the intrusion from the