Abstract

Daily access to Internet, increase in number of users, and newly discovered violations of policies, have become much more frequent over the last few decades as technology advances. Learning how to recognize these new violations as well as facing these new violations are two parallel concepts. There exist approaches that detect these violations often called intrusions or anomalies. A large body of knowledge focuses on developing new algorithms for anomaly detection, determining accurate thresholds for decision making upon detection, and combining different sources of data for increased performance. In this thesis, we propose a multi-agent anomaly detection system, in which agents collaborate with each other to detect anomalies in an effective way. We use multiple agents to set a cost on communication between them, and to make the final decision based on the combined results of all agents. Unlike other approaches, since our proposed approach is flexible in terms of the number of agents, so it will not fail while using fewer agents, or some agents fail to perform.
The key elements in our approach are in using system call based datasets, deciding on the number of agents, and their methodologies, as well as the cost for communication between the agents. The final result of the system might ignore agents if they are not providing feedback that will result in higher accuracy of anomaly detection. We analyze the results by plotting a Receiver Operating Characteristic (ROC) curve and focusing on the Area Under the Curve (AUC) using different thresholds. We make the final decision based on the most suitable threshold for agents.