A hybrid and learning agent architecture for network intrusion detection

Learning is an effective way for automating the adaptation of systems to their environment. This ability is especially relevant in dynamic environments as computer networks where new intrusions are constantly emerging, most of them having similarities and occurring frequently. Traditional intrusion detection systems still have limitations of adaptability because they are just able to detect intrusions previously set in system design. This paper proposes HyLAA a software agent architecture that combines case-based reasoning, reactive behavior and learning. Through its learning mechanism, HyLAA can adapt itself to its environment and identify new intrusions not previously specified in system design. This is done by learning new reactive rules by observing recurrent good solutions to the same perception from the case-based reasoning system, which will be stored in the agent knowledge base. The effectiveness of HyLAA to detect intrusions using case-based reasoning behavior, the accuracy of the classifier learned by the learning component and both the performance and effectiveness of HyLAA to detect intrusions using hybrid behavior with learning and without learning were evaluated, respectively, by conducting four experiments. In the first experiment, HyLAA exhibited good effectiveness to detect intrusions. In the second experiment the classifiers learned by the learning component presented high accuracy. Both the hybrid agent behavior with learning and without learning (third and fourth experiment, respectively) presented greater effectiveness and a balance between performance and effectiveness, but only the hybrid behavior showed better effectiveness and performance as long as the agent learns.