Centralized Orchestration for Agent-Based Host Intrusion Detection System with Threat Intelligence

Gede Ananda, Sawali Wahyu, Muhamad Hadi Arfian, Nugroho Budhi Santoso

Abstract


Cyber threats such as malware injection, web shell exploitation, phishing, and lateral movement increasingly challenge host-level security mechanisms. Conventional Host-Based Intrusion Detection Systems (HIDS) are commonly deployed in stand-alone configurations, resulting in limited cross-host visibility, delayed incident response, and lack of integration with external threat intelligence. This study proposes an agent-based HIDS architecture with centralized orchestration and real-time threat intelligence integration to improve detection accuracy and response efficiency. The system is developed using an experimental approach based on the NIST SP 800-61 Rev.2 incident handling framework, covering preparation, detection and analysis, containment and recovery, and post-incident evaluation. Each host deploys a lightweight agent that monitors file system activities, generates cryptographic hash values, and sends artifact metadata to a centralized orchestration server. The server performs parallel validation using external threat intelligence services and executes automated containment actions. Experimental results in a multi-host virtual environment show a False Positive Rate (FPR) of 3.2%, Mean Time to Detect (MTTD) of 4.8 seconds, and Mean Time to Respond (MTTR) of 6.5 seconds, with a 38% improvement compared to manual monitoring. These findings indicate that centralized orchestration combined with threat intelligence integration enhances detection precision, scalability, and incident response effectiveness in HIDS

Keywords


Agent-Based Security; Host-Based Intrusion Detection; Malware Detection; Threat Intelligence; Incident Response.

Full Text:

References


European Union Agency for Cybersecurity (ENISA), “ENISA Threat Landscape 2024,” 2024.

M. Baz, “SEHIDS: Self-Evolving Host-Based Intrusion Detection System for IoT Networks,” Journal of Network and Computer Applications, vol. 198, 2022.

M. Smiliotopoulos, G. Kambourakis, and S. Gritzalis, “Lateral Movement Detection: A Survey,” Comput. Secur., vol. 127, 2023.

Y. Dong and Y. Li, “PHP Web Shell Detection Based on Abstract Syntax Tree and Deep Forest,” Journal of Information Security and Applications, vol. 75, 2024.

G. Khraisat and A. Alazab, “A Critical Review of Intrusion Detection Systems in IoT Environment,” IEEE Internet Things J., vol. 8, no. 6, 2021.

S. Thakkar and R. Lohiya, “A Review on Intrusion Detection System for Network Security,” Int. J. Comput. Appl., vol. 174, no. 7, 2022.

A. Satılmış, S. Akleylek, and G. Yüce Tok, “Lightweight Agent-Based Intrusion Detection Architecture,” Security and Communication Networks, 2023.

A. Nuswantoro, R. Prasetyo, and M. Hidayat, “Privilege Escalation Detection Using Integrated HIDS and SIEM,” Indonesian Journal of Computing and Cybernetics Systems, vol. 18, no. 2, 2024.

M. Mollahosseini, S. Homayoun, and M. Dehghantanha, “Reducing Incident Response Time Using Automated Security Orchestration,” Future Generation Computer Systems, vol. 129, 2022.

A. Al-Sabaawi, “Performance Analysis of Cryptographic Hash Algorithms,” International Journal of Information Security Science, vol. 9, no. 2, 2020.

M. Mat, N. Rahman, and Z. Ismail, “Advanced Persistent Threat Detection: A Systematic Review,” ACM Comput. Surv., vol. 56, no. 3, 2024.

A. Sharma, S. Gupta, and R. Kumar, “A Critical Review of Intrusion Detection Systems in IoT,” Journal of Information Security and Applications, vol. 71, 2023.

S. Memon, M. U. Khan, and A. Abbas, “Host-Based Intrusion Detection System Using Support Vector Machine,” Appl. Soft Comput., vol. 112, 2022.

D. Park, J. Kim, and S. Lee, “Host-Based Intrusion Detection Model Using Siamese Network,” IEEE Access, vol. 9, 2021.

Y. Pang, H. Wang, and J. Liu, “Web Shell Detection Using GAN-Based Data Augmentation,” Comput. Secur., vol. 114, 2022.

A. Razaq, M. Rehman, and S. Khan, “Hybrid Ensemble Learning Model for IoT Intrusion Detection,” Sensors, vol. 22, no. 4, 2022.

S. G. et al. Singh, “Machine Learning for Cloud-Based Privilege Escalation Attack Detection,” IEEE Transactions on Cloud Computing, vol. 12, no. 1, 2024.

L. Lima, R. Souza, and P. Fernandes, “Distributed Host-Based Intrusion Detection in Containerized Environments,” Future Internet, vol. 16, no. 1, 2024.

P. Krishnapriya and R. Singh, “APT Detection Challenges in Cloud and Fog Environments,” Journal of Cloud Computing, vol. 13, no. 2, 2024.

A. Pinto, R. Pires, and J. Barbosa, “Survey on Intrusion Detection Systems Based on Machine Learning Techniques for the Protection of Critical Infrastructure,” Comput. Secur., vol. 123, 2023.

M. Rehman and S. Manickam, “SHA-256-Based Malware Detection Approaches,” Procedia Comput. Sci., vol. 132, 2018.

National Institute of Standards and Technology, “Computer Security Incident Handling Guide (SP 800-61 Rev.2),” 2020.

W. Stallings, Cryptography and Network Security: Principles and Practice, 8th ed. Pearson, 2018.

A. et al. Ahmad, “Security Orchestration and Automated Incident Response: State-of-the-Art Review,” IEEE Access, 2023.

S. Zhao, H. Wu, and Q. Zhang, “Automated Threat Intelligence Integration for Endpoint Protection,” IEEE Trans. Dependable Secure Comput., 2025.




DOI: https://doi.org/10.30591/jpit.v11i2.10390

Refbacks

  • There are currently no refbacks.


Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.

JPIT INDEXED BY

  
  

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.