The Hive Mind at UC Davis
Latest News

- Mar. 13–15, 2012: Hive Mind demo at GEC13 in Los Angeles, CA.
- Nov. 2–4, 2011: Hive Mind demo at GEC12 in Kansas City, MO.
- Aug. 4, 2011: The Hive Mind project uses the DETER testbed extensively for security evaluations.
- Jul. 26–28, 2011: Poster of the Hive Mind at GEC11 in
- May 25–27, 2011: Digital ants for the power grid to be presented at PETRA in Greece
- Apr. 11–13, 2011: "Ant-Based Cyber Security" to be presented at ITNG 2011
- Nov. 2–4, 2010: Demo of the Hive Mind at GEC9 in Washington, D.C.
- Sept. 2010: Early, Java-based software prototype of digital ants is released.
The Hive Mind project seeks to define and prototype a security layer underlying GENI that will allow providers of the system to collaboratively defend against attacks and misuse of GENI resources. To do this, it explores an innovative method of intrusion detection based on mobile agents and swarm intelligence. The project's goal is to provide a lightweight, decentralized intrusion detection method that is adaptable to changing threats while communicating suspicious activity across hierarchical layers to humans who can respond when needed.

The Hive Mind approach to intrusion detection provides event correlation over an infrastructure composed of one or more administrative enclaves, each made of a collection of device-level nodes. These represent the devices in the network being monitored. Swarming sensor agents, modeled after biological elements such as ants, wasps, termites, crows, and/or immune systems, roam from node to node, searching for security-relevant activity and leaving markers to communicate with other wandering agents. The Hive Mind interposes logic-based rational agents between humans and the swarm, providing a basis for communication, interaction, and shared initiative.

The goal is to augment, not replace, more traditional security mechanisms. For example, the Hive Mind should be effective where computing power is highly limited, e.g., where host-based IDSs would be impossible, or in highly distributed systems without well-defined monitoring points, where network-based detection is infeasible. The Hive Mind could then be used in parallel with traditional firewall and intrusion detection systems.

The result will enable GENI to support experiments where there is communication between internal nodes (sensors or routers). In the context of networking, such experiments might be used to test whether bandwidth usage can be improved through the communication of capacity and usage information between routers. In the context of security, such experiments might be used to test the tradeoffs among different approaches to exchanging security information between sensors, and where that information might affect firewall rules or proactive forensic logging efforts.

Prototypes of the Hive Mind are currently implemented and running on the ProtoGENI and DETER testbeds. This project is funded by the National Science Foundation and the GENI Project Office under grant # CNS-0940805. More documentation is located on our page on the GENI wiki.