Modelling a Multi-agent Protection System of an Enterprise Network
The paper considers approaches to distributing the functions of a corporate network protection system among a set of informational modules (agents) that will ensure the mobility, adaptability and fault tolerance of a multi-agent protection system. An analysis of the classes of MAS agents by functionality is conducted. The integration of a MAS into corporate networks is based on distributing corporate network components among the agents responsible for their protection. Internal and external information flows caused by user and attacker actions are used to reproduce network activity processes. By adding sets that simulate the behavior of a regular user, an attacker and a component, the set of MAS agents has been extended to include the following: user agent, intruder agent and component agent. The MAS agents were modeled using the Unified Modeling Language; in particular, a state diagram is constructed and the algorithms are described in detail for the classical agents (protection agent and counteraction agent) and for the new ones (user agent, intruder agent and component agent).
It is noted that the proposed approach has a number of advantages: the components of a typical corporate network are distributed across several nodes, so MAS agents will also operate on different nodes, which ensures the saving and mobility of computing resources; the use of a MAS makes it easy to adapt to changes in the network architecture; the creation of new agents provides flexibility of the solution and high scalability; and, because the agents work in a distributed manner, the fault tolerance of the system increases: it is harder to attack and disable than systems with a single security server. Management of the entire corporate security system (CSS) can be organized centrally by combining multiple agents using an integration information bus.
This paper is included in the program of the Second Scientific Conference "Digital Transformation, Cyber Security and Resilience DIGILIENCE 2020" and will be published in the post-conference volume.