Date of Award

Spring 2003

Access perpetually restricted to EWU users with an active EWU NetID

Document Type

Thesis: EWU Only

Degree Name

Master of Science (MS) in Computer Science

Computer Science

Demand for intrusion detection systems (IDSs) has increased significantly due to the exponential increase of malignant activities and the shortage of trained network administrators. It is mandatory that an IDS aid network administrators in responding quickly to security threats in order to prevent or minimize damage to computer networks. Conventionally, knowledge-based or rule-based approaches are predominantly used for intrusion detection tasks. Knowledge construction, especially for probabilistic knowledge, usually requires a large collection of significant representative samples. However, this is not always feasible due to the complex structures of the input spaces of intrusive activities (this is the cause of the "base-fallacy problem"). This is further complicated by the accelerated rate of appearance of new malicious activities. Reviewing the taxonomy of detection approaches (anomaly-based and signature-based), sensors (host-based and network-based), and system architectures (stand-alone and distributed), we believe that the ideal IDS should be distributed, intelligent (i.e. perceptual and adaptive) and heterogeneous. Consequently, artificial intelligence approaches are applied within the application domain of intrusion detection in general. In particular, a multi-agent system distributed over a computer network, consisting of agents with various behaviors, is studied. We also consider soft computing approaches due to their ability to handle perceptual information. The results from these agents are aggregated into a group decision. This yields fewer false positives and improved classification compared to many IDSs that use a single detection method.