
Clonal Selection Method Oriented Network Intrusion Detection

Posted on: 2007-03-06
Degree: Master
Type: Thesis
Country: China
Candidate: M H Yang
GTID: 2178360185475682
Subject: Computer application technology

Abstract/Summary:
A good Network-based Intrusion Detection System (NIDS) should be robust, scalable and efficient. At present, however, NIDS need a long detection time, cannot recognize unknown intrusions and have a high false positive (FP) ratio. Artificial Immune Systems (AIS) are well suited to network intrusion detection because they satisfy these requirements: they are distributed, self-organized and lightweight. This paper adopts these features to construct an effective network-based IDS.

Although previous works used the negative selection algorithm to handle problems in NIDS, its main limitation was a severe scaling problem. The negative selection stage should be restricted to a more modest task rather than generating competent detectors. The clonal selection algorithm (CSA) can be used to tackle this problem for NIDS, but CSA cannot identify new self-antigens when the learned self and non-self behaviors suddenly alter because the legal "self" has changed. This results in a high false positive (FP) ratio when new antigens are monitored. CSA also preserves memory detectors with an infinite lifespan, and a large number of co-stimulations is required for it to yield a high TP ratio, so it does not fit dynamic network environments well.

After investigating the negative selection, affinity maturation and memory detector evolution mechanisms, the Embedded Negative Selection Operator Clonal Selection Algorithm (ENCSA) is presented, which combines negative selection, clonal selection and memory detector gene library evolution. The negative selection operator improves overall detection performance: it not only deletes immature detectors that show poor self-tolerance among new detectors, but also helps construct effective mature detectors. Gene library evolution policies avoid wasting system computing resources and increase the utilization of memory detectors by delivering eliminated memory detectors to the gene library for standby.

To shorten the code length of binary-coded data features and cut detection response time, a real-coded data form was adopted in the prototype experiments. Inspired by the Genetic Algorithm, a new affinity calculation expression is defined, which is closer to real environments and convenient for ENCSA to handle. Finally, we discuss two important parameters that affect ENCSA's behavior, namely the immature detectors' toleration period (T) and the mature detectors' lifespan (L). Satisfactory TP and FP ratios are obtained by setting these parameters to appropriate values. In the memory detector library updating stage, ENCSA uses affinity maturation mechanisms to reduce the number of co-stimulations and cut down the high FP ratio.

With the same parameters and training conditions, the results show that ENCSA achieves a higher TP ratio and a lower FP ratio than CSA. ENCSA contributes to the overall detection performance.
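An added illustration, not code from the thesis, of how the toleration period T and lifespan L described above move the TP and FP counts of a real-coded detector set. The affinity measure, the match threshold, the activation count of two matches and every sample point are assumptions constructed for this example.

```python
import math

def affinity(detector, antigen):
    # Assumed measure (the thesis's own expression is not reproduced on this page):
    # 1 minus Euclidean distance, scaled by the diagonal of the unit hypercube.
    return 1.0 - math.dist(detector, antigen) / math.sqrt(len(detector))

def negative_selection(candidates, self_samples, T, thr):
    """Delete immature detectors that match any of the first T self samples."""
    return [d for d in candidates
            if all(affinity(d, s) < thr for s in self_samples[:T])]

def monitor(mature, traffic, L, thr, activation=2):
    """Return (TP, FP) alert counts over labelled (features, is_attack) traffic."""
    alerted = set()
    for d in mature:
        hits = 0
        for age, (antigen, _) in enumerate(traffic, start=1):
            if hits < activation and age > L:
                break  # lifespan L expired before activation: detector dies
            if affinity(d, antigen) >= thr:
                hits += 1
                if hits >= activation:
                    alerted.add(age - 1)  # activated detector raises an alert
    tp = sum(1 for i in alerted if traffic[i][1])
    return tp, len(alerted) - tp

# Constructed sample data: real-coded features in [0, 1]^2.
SELF = [(0.1, 0.1), (0.2, 0.15), (0.5, 0.5), (0.15, 0.2)]  # third is a rare self pattern
CANDIDATES = [(0.9, 0.9), (0.52, 0.5), (0.12, 0.12)]
TRAFFIC = [((0.5, 0.52), False), ((0.88, 0.9), True), ((0.51, 0.5), False),
           ((0.92, 0.91), True), ((0.1, 0.12), False), ((0.9, 0.88), True)]

def run(T, L, thr=0.9):
    return monitor(negative_selection(CANDIDATES, SELF, T, thr), TRAFFIC, L, thr)

if __name__ == "__main__":
    for T, L in [(2, 6), (3, 6), (3, 3)]:
        print(f"T={T} L={L} -> (TP, FP) = {run(T, L)}")
```

With T=2 the candidate near the rare self pattern matures and raises a false positive; T=3 exposes it to that pattern and deletes it. With L=3 the attack detector expires before its second match, so the true positives are lost.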
Keywords/Search Tags:Network intrusion detection, Embedded, Negative selection operator, Clonal selection algorithm, Immune memory, False positive, True positive