Effective Multimodel Anomaly Detection Using Cooperative Negotiation

  • Alberto Volpatto
  • Federico Maggi
  • Stefano Zanero
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6442)


Many computer protection tools incorporate learning techniques that build mathematical models to capture the characteristics of a system’s activity and then check whether the live system’s activity fits the learned models. This approach, referred to as anomaly detection, has enjoyed immense popularity because of its effectiveness at recognizing unknown attacks (under the assumption that attacks cause glitches in the protected system). Typically, instead of building a single complex model, smaller, partial models are constructed, each capturing different features of the monitored activity. Such a multimodel paradigm raises the non-trivial issue of combining the partial models to decide whether or not the activity contains signs of attacks. Various mechanisms can be chosen, ranging from a simple weighted average to Bayesian networks, or more sophisticated strategies. In this paper we show how different aggregation functions can influence the detection accuracy. To mitigate these issues, we propose a radically different approach: rather than treating the aggregation as a calculation, we formulate it as a decision problem, implemented through cooperative negotiation between autonomous agents. We validated the approach on a publicly available, realistic dataset, and show that it enhances the detection accuracy with respect to a system that uses elementary aggregation mechanisms.


Keywords: Anomaly detection, cooperative negotiation





Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Alberto Volpatto (1)
  • Federico Maggi (1)
  • Stefano Zanero (1)

  1. Dipartimento di Elettronica e Informazione, Politecnico di Milano, Italy
