
Research Of Intrusion Detection Method Based On Immune Theory At System Level

Posted on: 2005-08-26
Degree: Master
Type: Thesis
Country: China
Candidate: X H Chen
Full Text: PDF
GTID: 2168360152455377
Subject: Computer application technology
Abstract/Summary:
Modern computer systems are plagued by security vulnerabilities. Whether it is a UNIX buffer overflow or a bug in Microsoft Internet Explorer, our applications and operating systems are full of security flaws at many levels. Conventional computer security solutions can no longer satisfy people's needs, so people have turned to developing novel security tools such as Intrusion Detection Systems, which monitor the usage patterns of computer resources in order to protect the computer system. Such a tool is seen as a good complement to the traditional security solutions of firewalls and encryption, and so it is a powerful guardian of computer resources.

To date there are three main ways of categorising Intrusion Detection Systems: by technique, signature-based and anomaly-based; by data source, host-based and network-based; and by implementation framework, centralized and distributed.

In this paper an approach to intrusion detection based on immune theory at the system level is put forward. Inspired by the theory of the natural immune system, the paper treats the task of discriminating intrusions as the problem of a detector distinguishing "self" from "nonself". There are compelling similarities between the problems faced by immune systems and by computer security. Just like a lymphocyte, a detector has a limited life-span and passes through a dynastic process from immature to mature. After a detector becomes mature it has two options: it becomes a memory detector if it detects an abnormality within a certain time span; otherwise it dies.

In this paper the focus of the research is the resources of a host. Specifically, we concentrate on the system call sequences of privileged processes. This paper integrates the signature-based and anomaly-based detection methods.
Linux is a popular operating system whose source code and kernel are easily obtained, so it is used as the research platform, and all experiments are carried out on it. We mainly observe the Sendmail process on a personal computer, hoping to give a clear view of the method.

First, a number of unique system call sequences of length k were obtained. These short system call sequences were generated randomly and used as detectors in this paper. Second, a large amount of data was collected while the Sendmail process was running in a controlled, normal experimental environment; it was used to train a comparatively good neural network based on the BP (back-propagation) algorithm, and the network was used to build a normal profile, or database of normal behaviour. After that, each detector was compared with all of the system call sequences in the normal database and was discarded if it matched any of them; the remaining detectors became mature. This whole process is called negative selection. Finally we performed a dynastic selection: in this phase, detectors that had detected the most abnormalities became memory detectors, while those that detected nothing within their life-span died. In this way, more and more up-to-date, appropriate detectors that can adapt to changes in the computing environment are gained.

In our experiments three known attacks were launched against the target host, and normal and abnormal data were collected to compute the false positive and false negative rates. We obtained a satisfactory result, which indicates that the method introduced in this paper is advisable and valuable. Of course, it should be improved in the future.
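As an added illustration (not code from the thesis), the negative-selection and detection steps described above in Python: random length-k candidate detectors are generated, those matching any normal sequence are discarded, and the survivors are matched against new traces. The system call names and traces are constructed samples, and a plain set of normal length-k sequences stands in for the BP neural network profile.

```python
import random

# Constructed sample traces (illustrative system call names, not data from the thesis).
NORMAL_TRACES = [
    ["open", "read", "write", "close"],
    ["open", "read", "read", "write", "close"],
    ["open", "mmap", "read", "close"],
]
ATTACK_TRACE = ["open", "read", "execve", "fork", "write", "close"]
SYSCALLS = ["open", "read", "write", "close", "mmap", "execve", "fork"]

def windows(trace, k):
    """All length-k short sequences obtained by sliding a window over a trace."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]

def build_self(traces, k):
    """Normal profile ("self"): every length-k sequence observed in normal runs.
    The thesis learns this profile with a BP neural network; a plain set is used here."""
    return {w for t in traces for w in windows(t, k)}

def generate_candidates(n, k, alphabet, seed=0):
    """Immature detectors: random length-k sequences over the system call alphabet."""
    rng = random.Random(seed)
    return [tuple(rng.choice(alphabet) for _ in range(k)) for _ in range(n)]

def negative_selection(candidates, self_set):
    """Discard every candidate that matches a normal sequence; the rest mature."""
    return [d for d in candidates if d not in self_set]

def detect(trace, detectors, k):
    """Return the windows of a trace matched by a mature detector.
    Each hit marks a "nonself" sequence; hits over total windows is the anomaly score."""
    mature = set(detectors)
    return [w for w in windows(trace, k) if w in mature]

if __name__ == "__main__":
    K = 3
    self_set = build_self(NORMAL_TRACES, K)
    mature = negative_selection(generate_candidates(300, K, SYSCALLS), self_set)
    print(f"{len(mature)} mature detectors survive negative selection")
    for name, trace in (("normal", NORMAL_TRACES[0]), ("attack", ATTACK_TRACE)):
        hits = detect(trace, mature, K)
        print(f"{name}: {len(hits)}/{len(windows(trace, K))} windows flagged")
```

Because every mature detector is by construction absent from the normal profile, a normal trace can never be flagged by exact matching; false positives arise only when the profile was trained on incomplete normal data, which is the case the thesis measures.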
Keywords/Search Tags: IDS, System Call, STTDE, Immune System, Neural Network, Negative Selection, Dynastical Selection