Abstract
In distributed intrusion detection systems, self-monitoring is a subject of current research. One possibility is that each intrusion detection system is checked periodically by others, so that corrupted intrusion detection systems can be identified. In this paper, we employ both an immunity-based diagnostic model and mobile agents for the self-monitoring. The immunity-based diagnosis, which was proposed by one of the authors in 1990, is performed by mutual tests among units and the dynamic propagation of active states. In simulated distributed intrusion detection systems, we compare three methods: (1) a simple majority vote on host-to-host communication, (2) the immunity-based diagnosis on host-to-host communication, and (3) the immunity-based diagnosis with mobile agents. Some simulation results show that the immunity-based diagnosis can work better than the majority vote. We also clarify the advantages and disadvantages of using mobile agents in comparison with host-to-host communication.