REDUCING THE FALSE ALARM RATE OF NETWORK ATTACKS WITH THE USE OF HONEY POTS TOGETHER WITH AGENT-BASED INTRUSION DETECTION SYSTEM

When traditional firewall and intrusion detection systems (IDS) are used to detect possible attacks from the network, they often make wrong decisions and abort the safe connections. In this paper a novel system is presented which is based on distributed agents and a pseudo-network called honey pot. Utilizing the honey pot scheme, this system is capable to avoid many wrong decisions made by IDS. In this system alarming adversaries, initially detected by the IDS, will be forwarded to a honey pot network for a more close investigation. If, as a result of this investigation, it is found that the alarm decision made by the IDS is wrong, the connection will be guided to the original destination. This action is hidden to the user. The policy of attack detection via honey pot or IDS will be dynamically updated and adapted based on the previous records of adversaries. Such a scheme significantly decreases the alarm rate and provides a higher performance of IDS. In this paper the architecture of the proposed system is described, a theoretical analysis of its behaviour is given and its possible extension and implementation are explained.