A misuse detection agent for intrusion detection in a multi-agent architecture

We describe the design of a misuse detection agent, one of the different agents in a multiagent-based intrusion detection system. This system is being implemented in JADE, a well-known multiagent platform based in Java. The agent analyzes the packets in the network connections using a packet sniffer and then creates a data model based on the information obtained. This data model is the input to a rule-based agent inference engine, which uses the Rete algorithm for pattern matching, and the rules of the signature-based intrusion detection system Snort. Specifically, an implementation in Java language - the Drools-JBoss Rules- was used, and a parser was implemented that converts Snort rules to Drools rules. The use of object-oriented techniques, together with design patterns, means that the agent is flexible, easily configurable and extensible.