A Multi-agent-based Approach to Improve Intrusion Detection Systems False Alarm Ratio by Using Honeypot

B. Khosravifar, Maziar Gomrokchi, J. Bentahar
Published in: 2009 International Conference on Advanced Information Networking and Applications Workshops
Publication date: 2009-05-26
DOI: 10.1109/WAINA.2009.103 (https://doi.org/10.1109/WAINA.2009.103)
Citations: 10

Abstract

In this paper we propose a new architecture, composed of distributed cooperative agents, to reduce the false alarm ratio of intrusion detection systems (IDS) in a twofold contribution. The first contribution lies in reducing the false alarm rate of attack detection in an agent-based architecture by using a honeypot network as the closer level of investigation. The connection is retrieved to the original destination in case of false alarm recognition, while the actions are hidden from the user. Such a scheme significantly decreases the alarm rate and provides a higher performance of the IDS. The second contribution applies game-theoretic analysis in the sense that the contributing agents are led to perform the best they can in order to achieve their goals. The Shapley value is computed to find the actual contribution of each agent in the coalition it belongs to. The Equilibrium Point is found and consequently the winner coalition is formed. In this paper the architecture of the proposed system is described, a theoretical analysis of the agents' behavior is given, and its possible extensions are explained.