A. J. Rocke and R. F. DeMara, 
"A Collaborative Object Notification Framework for Insider Defense," revision 
pending to Journal of Autonomous Agents and Multi-Agent Systems, revised and 
resubmitted November 24, 2004 and available as UCF Tech. Rpt. UCF-ECE-0409 
online at 
http://netmoc.cpe.ucf.edu:8080/internal/yearReportsDetail.jsp?year=2004&id=0409 

Abstract:
File Integrity AnalyzersFile Integrity Analyzers serve as a component of an 
Intrusion Detection environment by performing filesystem inspections to verify 
the content of security-critical files in order to detect suspicious 
modification. Existing file integrity frameworks exhibit single point-of-failure 
exposures.
The Collaborative Object Notification Framework for Insider Defense using 
Autonomous Network Transactions (CONFIDANT) framework aims at fail-safe and 
trusted detection of unauthorized modifications to executable, data, and 
configuration files. In this paper, an IDS architecture taxonomy is proposed to 
classify and compare CONFIDANT with existing frameworks. The CONFIDANT file 
integrity verification framework is then defined and evaluated.
CONFIDANT utilizes three echelons of agent interaction and four autonomous 
behaviors. Sensor agents in the lowest echelon comprise the sensor level to 
generate an assured report to companion agents of computed MD5 file digests. At 
the control level, beacon agents verify file integrity based on the digests from 
sensor-level agents assembled over time. Upper echelon transactions occur at the 
response level. Here watchdog behavior agents dispatch probe agents to implement 
the alarm signaling protocol. CONFIDANT has been implemented in the Concordia 
agent environment to evaluate and refine its agent behaviors. Evaluation shows 
that CONFIDANT mitigates single point-of-failure exposures that are present in 
existing frameworks.