
Study On Artificial Immune System For Intrusion Detection

Posted on: 2012-04-28
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Y B Chen
GTID: 1118330362460503
Subject: Information and Communication Engineering

Abstract/Summary:
Artificial immune systems are a collection of artificial paradigms inspired by immune system mechanisms and theoretical immunology. Some artificial immune system models and algorithms show excellent information processing and particular problem-solving capabilities in practical applications. Although artificial immune systems have produced inspiring achievements in intrusion detection, some problems remain unsolved. On the one hand, the research is not fully intrusion detection oriented. On the other hand, artificial immune systems themselves have limitations. Meanwhile, novel wireless networks bring novel challenges.

We conduct research on hot topics in the field of artificial immune systems, to improve existing algorithms and design novel systems. We focus on novel algorithms and systems suitable for applications in intrusion detection. We analyze and evaluate the running efficiency and the detection performance of the proposed algorithms and systems. The aim is to make the related artificial immune systems capable of satisfying the requirements of novel networks, and to provide a useful, accurate, efficient and low-cost intrusion detection technique for novel networks. The main work and achievements are as follows:

(1) Negative selection algorithm

Firstly, we summarize the performance evaluation methods of one-class classifiers. This provides unified and objective metrics for research and comparisons. We use the proposed metrics to test and compare the performance of a series of one-class classifiers, including the negative selection algorithm (NSA). Secondly, we try to improve the capability of the detectors of both binary NSA and real-valued NSA, so that they cover the nonself region better. In the research on binary NSA, we propose a variable sized r-contiguous bits matching rule. The rule successfully introduces the idea of variable sized detectors to binary NSA. The NSA with the variable sized r-contiguous bits matching rule is called the Variable r Negative Selection Algorithm (VrNSA). The results of the experiments show that the new rule improves the running efficiency and detection performance of NSA. In the research on real-valued NSA, we improve the detector description of V-detector and propose a detector generation algorithm that places no limitation on the position of the detector center. The capability of the detectors to cover the edges is enhanced, and thus the coverage of the detectors is increased. The results of experiments on a benchmark intrusion detection dataset show that the performance of the algorithm improves significantly after the modification.

(2) Dendritic cell algorithm suitable for anomaly detection based on data streams

Firstly, we propose a dendritic cell algorithm (DCA) based data fusion (DCADF) model. The proposed model is compared with the common data fusion model in terms of system architecture, functions and system characteristics. The system characteristics of the proposed model are analyzed. Possible application scenarios are introduced. The proposed data fusion method is validated with concrete simulation testing. The results indicate that the proposed model is feasible. Secondly, inspired by the control of the lifespan of dendritic cells in the human immune system and by the latest achievements in immunology, we make modifications to DCA. We propose the real-time Dendritic Cell Algorithm (rtDCA). RtDCA performs online analysis and outputs dynamic anomaly metrics. RtDCA is implemented and tested. The properties of rtDCA are studied with a small-scale dataset. The performance of rtDCA is evaluated with a large-scale dataset. The experiments indicate that rtDCA runs as a real-time algorithm. The detection result is good. RtDCA can be used in real-time intrusion detection based on data streams. Finally, we propose an rtDCA based denial of service detection technique. The implemented detection system is tested with a large-scale synthetic dataset. We get a high detection rate and a low false alarm rate.

(3) Integration of artificial immune system based misuse detection and anomaly detection

We propose to combine different artificial immune systems to build an integrated artificial immune system (IAIS). The danger model is re-analyzed. We find that negative selection and the danger model are not innately contradictory to each other. In the danger model, the negative selection mechanism and the danger evaluation mechanism function in different positions. The two mechanisms are both necessary mechanisms of a holistic system. Based on this new understanding, we build an intrusion detection system by combining NSA and rtDCA. NSA detects structural features and rtDCA detects behavioral features. We validate the system on a benchmark intrusion detection dataset and conduct comparisons among different approaches. The experiments show that the IAIS detects intrusions based on data streams. The detection performance of IAIS is excellent, and IAIS is able to detect novel intrusions.

(4) Discussion of a unified artificial immune system for intrusion detection in novel networks

To satisfy the requirements of novel networks, we introduce the idea of building a holistic artificial immune system by combining independent artificial immune system algorithms. We call such a system a unified artificial immune system (UAIS). We propose to conduct research on UAIS with interdisciplinary cooperation. The key challenges in building UAIS are discussed, and the countermeasures to these challenges are presented. By focusing on high system-level properties and combining various immune mechanisms, we present a UAIS prototype. UAIS has two unique aspects that differentiate it from other ongoing work in artificial immune systems. First, it is a holistic architecture. Instead of focusing on independent artificial immune system algorithms, we introduce a holistic system architecture inspired by the human immune system. Second, UAIS is an open adaptive architecture that can learn and evolve over time. UAIS can be used to implement an efficient and well-deployed protection system, making sure that novel networks function normally.
Keywords/Search Tags: Artificial Intelligence, Artificial Immune System, Unified Artificial Immune System, Dendritic Cell Algorithm, Real-time Dendritic Cell Algorithm, Misuse Detection, Anomaly Detection, Intrusion Detection
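
For readers unfamiliar with the baseline that part (1) of the abstract modifies, the following is an added example, not code from the dissertation: the classic binary negative selection algorithm with a fixed r-contiguous bits matching rule (not VrNSA, whose variable sized rule the abstract does not specify). The 12-bit self strings, the value r = 8 and all function names are assumptions made for illustration; the example measures how much of the nonself space a fixed-r detector set covers.

```python
import itertools
import random

def r_contiguous_match(a, b, r):
    """True if equal-length bit strings a and b agree in >= r contiguous positions."""
    run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        if run >= r:
            return True
    return False

def generate_detectors(self_set, length, r, count, seed=0, max_tries=100_000):
    """Censoring phase: keep random candidates that match no self string."""
    rng = random.Random(seed)
    detectors = []
    for _ in range(max_tries):
        if len(detectors) == count:
            break
        cand = "".join(rng.choice("01") for _ in range(length))
        if not any(r_contiguous_match(cand, s, r) for s in self_set):
            detectors.append(cand)
    return detectors

def is_anomalous(sample, detectors, r):
    """Monitoring phase: a sample matched by any detector is flagged as nonself."""
    return any(r_contiguous_match(sample, d, r) for d in detectors)

def evaluate(self_set, detectors, length, r):
    """Return (false alarms on self, fraction of all nonself strings detected)."""
    false_alarms = sum(is_anomalous(s, detectors, r) for s in self_set)
    space = ("".join(bits) for bits in itertools.product("01", repeat=length))
    nonself = [s for s in space if s not in self_set]
    detected = sum(is_anomalous(s, detectors, r) for s in nonself)
    return false_alarms, detected / len(nonself)

# Constructed sample data: 12-bit encodings standing in for "normal" records.
SELF = {"000011110000", "000011110011", "110011110000", "000111110001"}
LENGTH, R = 12, 8  # assumed parameters, chosen only for this illustration
DETECTORS = generate_detectors(SELF, LENGTH, R, count=20)

if __name__ == "__main__":
    fa, rate = evaluate(SELF, DETECTORS, LENGTH, R)
    print(f"detectors={len(DETECTORS)} false_alarms={fa} nonself_coverage={rate:.2%}")
```

Censoring guarantees zero false alarms on the training self set, while the coverage figure shows how much nonself a fixed-r detector set leaves undetected, which is the gap the abstract's detector improvements target.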