Multi-Agent Systems for Scalable Internet of Things Security

Phillip Kendrick, John Moores University, Department of Computer Science, Liverpool, United Kingdom, P.G.Kendrick@2012.ljmu.ac.uk
Martin Randles, John Moores University, Department of Computer Science, Liverpool, United Kingdom, M.J.Randles@ljmu.ac.uk
Natalia Criado, King’s College, Department of Informatics, London, United Kingdom, Natalia.Criado@kcl.ac.uk
Abir Hussain, John Moores University, Department of Computer Science, Liverpool, United Kingdom, A.Hussain@ljmu.ac.uk

ABSTRACT

Providing effective and scalable real-time security to Internet of Things devices can be a challenging task given the limited computational capacity of the devices and the amount of network traffic that can be viewed at any given time. Multi-Agent Systems have proven to be a valuable tool within the areas of cyber security, distributed networks and legacy systems because of their scalable and flexible architecture. In this paper we present a novel implementation of a Completely Decentralised Multi-Agent System for use within, or to support, Internet of Things networks through the distributed processing of security events to offload the computational cost of data processing from Internet of Things devices. The concepts of conditions and effects are introduced to allow agents to describe digital evidence found in an abstract language instead of sharing individual pieces of data, to mitigate concerns of data leakage in extended networks. Emphasis is placed upon the scalable architecture design, allowing domain experts to independently create agents specific to a particular technology or application process which will automatically work with other existing agents without further configuration.

Keywords

Multi-Agent System; Internet of Things; Cyber Security; Scalable Systems

1. INTRODUCTION

A Multi-Agent System (MAS) [27] can be distinguished from traditional software by its distributed and autonomous deployment model.
Traditional approaches to cyber security have typically processed the entire contents of a network through a single Intrusion Detection System (IDS) [10, 25, 23]. With the ever increasing amount of traffic flowing through networks, IDSs require expensive and high-performance hardware to manage the computationally expensive task of processing data in real time. With the limited capacity of most Internet of Things (IoT) [26, 16] devices, a more scalable approach is required to deliver the required level of security to devices without the capability to process or store large amounts of data. In this paper, a distributed MAS is proposed to offload the computational cost from the IoT devices to specialised agents located on different networks to perform an in-depth, intelligent and automatic analysis of the network traffic flowing to IoT devices. Computational gains are made by automating techniques commonly used in manual network forensics [2], by utilising agents that can search for digital evidence intelligently by considering what is already known about an attack and searching for additional information in the areas where it is most likely to be found.

© 2016 ACM. Cambridge University of Cambridge, London UK.
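The following is an added illustration, not code from the paper or its authors, of the two ideas above: an agent evaluates a condition on local data and shares only an abstract condition/effect statement (no raw records), and a peer chooses its next collection step from the evidence already known rather than sweeping the whole network. The condition vocabulary, the log format, the `auth_agent`/`plan_investigation` functions and the `NEXT_STEPS` table are all assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    """Abstract evidence statement an agent shares instead of raw records."""
    condition: str  # what was observed, in abstract terms (hypothetical vocabulary)
    effect: str     # the consequence this evidence supports
    source: str     # agent that observed it; no log lines or host data attached

# Constructed sample authentication log for one IoT gateway (format is hypothetical).
SAMPLE_AUTH_LOG = [
    "10.0.0.5 login FAIL admin",
    "10.0.0.5 login FAIL admin",
    "10.0.0.5 login FAIL root",
    "10.0.0.5 login FAIL admin",
    "10.0.0.5 login OK admin",
    "10.0.0.9 login OK user",
]

# Hypothetical follow-up collection steps, keyed by a condition already known.
NEXT_STEPS = {
    "auth_bruteforce": ["outbound_connections", "firmware_integrity"],
    "firmware_tamper": ["boot_chain_attestation"],
}

def auth_agent(log, threshold=3):
    """Evaluate the brute-force condition locally and return only abstract Findings.
    A success after `threshold` or more failures from one host is reported as a
    possible credential compromise; the host and raw lines stay with this agent."""
    failures, findings = {}, []
    for line in log:
        host, _, status, _user = line.split()
        if status == "FAIL":
            failures[host] = failures.get(host, 0) + 1
        elif failures.get(host, 0) >= threshold:
            findings.append(Finding("auth_bruteforce", "credential_compromise", "auth-agent"))
            failures[host] = 0  # report each burst once
    return findings

def plan_investigation(known):
    """Pick collection steps supported by known evidence rather than sweeping the network."""
    steps = []
    for finding in known:
        for step in NEXT_STEPS.get(finding.condition, []):
            if step not in steps:
                steps.append(step)
    return steps
```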
Network forensics is a valuable process most commonly performed manually by trained practitioners who will analyse the cause and spread of an attack after the fact. In this paper, the forensic process is automated and adapted for use within the IoT environment, where domain-specific factors such as having a multitude of independently created devices, a variety of different protocols and devices spread across a large network must be considered. By giving agents the tools to perform network forensics autonomously, we will be able to collect and analyse data faster, avoiding problems such as data degradation and concerns about leaking private information. By giving agents the ability to follow one line of investigation over another when it is supported by previously collected evidence, agents will avoid performing unnecessary and unimportant data collection, thereby making the system more efficient than traditional brute force attempts to analyse the entire contents of a given network. These processes will be facilitated through the use of a decentralised communications protocol well suited for the task.

It is uncommon for traditional security systems to take advantage of the points discussed above. Instead, detection normally takes place on a constant stream of network traffic