DIDFAST.PN: DISTRIBUTED INTRUSION DETECTION AND FORECASTING MULTIAGENT SYSTEM USING POSSIBILISTIC NETWORK

Farah Jemili
Laboratoire RIADI, ENSI, Manouba University, Manouba 2010, Tunisia
Jmili_farah@yahoo.fr

Montaceur Zaghdoud
Laboratoire RIADI, ENSI, Manouba University, Manouba 2010, Tunisia
Montaceur.zaghdoud@ensi.rnu.tn

Mohamed Ben Ahmed
Laboratoire RIADI, ENSI, Manouba University, Manouba 2010, Tunisia
Mohamed.benahmed@riadi.rnu.tn

ABSTRACT

This paper proposes a Distributed Intrusion Detection and Forecasting Multiagent System using Possibilistic Networks. The system architecture is composed of two interconnected layers of intelligent agents. The first layer is concerned with intrusion detection: on each host of a distributed computer system, an intelligent agent using a possibilistic network is in charge of detecting possible intrusions. The second layer consists of a single intelligent agent in charge of the intrusion forecasting task, based on possibilistic network prediction. Agents of these two layers communicate using messages. When a new intrusion is detected on the first layer, the agent responsible for that host informs the forecasting agent placed in the second layer. The latter computes the conditional possibilities of an intrusion appearing on each host of the distributed system and informs the administrator of each concerned host about a possible upcoming intrusion.

KEYWORDS

Intrusion, Detection, Forecasting, Multiagent, Distributed System, Possibilistic Network.

1. INTRODUCTION

Intrusion detection can be defined as the process of identifying malicious behavior that targets a network and its resources [8]. Malicious behavior is defined as a system or individual action that tries to use or access a computer system without authorization (i.e., crackers), as well as the abuse of privileges by those who have legitimate access to the system (i.e., the insider threat). The proliferation of heterogeneous computer networks has serious implications for the intrusion detection problem. Foremost among these implications is the increased opportunity for unauthorized access provided by the network's connectivity. The use of distributed rather than centralized computing resources also implies reduced control over those resources. Moreover, multiple independent computers are likely to generate more audit data than a single computer, and this audit data is dispersed among the various systems [6]. Nowadays, completely protecting a network from attacks has become a very hard task. Even heavily protected networks are sometimes penetrated, so an Intrusion Detection and Prevention System (IDPS) is essential and is a key component of computer and network security.
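The forecasting step the abstract describes (a detection agent reports an intrusion on one host, and the second-layer agent computes the conditional possibility of intrusion on every other host) can be illustrated with a small possibilistic network. The code below is an added example, not the paper's implementation; the three-host network, its possibility tables, and the choice of product-based chain rule and conditioning are all assumptions made for illustration.

```python
from itertools import product

# Constructed possibilistic network for three hosts (values are illustrative,
# not taken from the paper). Variables are binary: 1 = intrusion on that host.
PARENTS = {"web": None, "db": "web", "files": "web"}
PRIOR = {"web": {0: 1.0, 1: 0.3}}            # pi(web)
COND = {                                      # pi(child | parent) as COND[child][parent][child]
    "db":    {0: {0: 1.0, 1: 0.2}, 1: {0: 0.2, 1: 1.0}},
    "files": {0: {0: 1.0, 1: 0.1}, 1: {0: 1.0, 1: 0.5}},
}

def joint_possibility(assignment):
    """Product-based chain rule (assumption): pi(x1..xn) = prod_i pi(xi | parent(xi))."""
    degree = 1.0
    for host, parent in PARENTS.items():
        table = PRIOR[host] if parent is None else COND[host][assignment[parent]]
        degree *= table[assignment[host]]
    return degree

def marginal(evidence):
    """Pi(evidence): maximise the joint over every variable not fixed by the evidence."""
    free = [h for h in PARENTS if h not in evidence]
    best = 0.0
    for values in product((0, 1), repeat=len(free)):
        assignment = dict(zip(free, values), **evidence)
        best = max(best, joint_possibility(assignment))
    return best

def forecast(host, evidence):
    """Return (possibility, necessity) of an intrusion on `host` given the evidence.
    Product-based conditioning: Pi(h | e) = Pi(h, e) / Pi(e); N(h=1 | e) = 1 - Pi(h=0 | e)."""
    pi_e = marginal(evidence)
    pi_hit = marginal({**evidence, host: 1}) / pi_e
    pi_clean = marginal({**evidence, host: 0}) / pi_e
    return pi_hit, 1.0 - pi_clean

def handle_detection_message(msg):
    """Forecasting agent: a detection agent reports {'host': ..., 'intrusion': 1};
    compute, for every other host, how possible and how certain an intrusion has become."""
    evidence = {msg["host"]: msg["intrusion"]}
    return {h: forecast(h, evidence) for h in PARENTS if h not in evidence}

if __name__ == "__main__":
    # Constructed message from the detection agent running on the "web" host.
    for host, (poss, nec) in handle_detection_message({"host": "web", "intrusion": 1}).items():
        print(f"{host}: possibility={poss:.2f} necessity={nec:.2f}")
```

Reporting both the possibility and the necessity degree lets the administrator of each host distinguish an intrusion that is merely not ruled out (possibility 1, necessity 0) from one the evidence actually supports.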