Research On Distributing Strategy Of Detector Based On Biological Immunological Theory

Information protection differs from traditional security technique, while it emphasizes the whole lifecycle's defence and recovery of information system. As a significant link of information protection, intrusion detection system can deal with the problem properly that traditional security technique can not. Intrusion detection system has a lot of similarities with the biological immune system, so it makes the immune system offer a natural research template for intrusion detection. Especially the immune system demonstrates good characteristics in information processing, such as distribution, variety, adaptability, memory ability, fault-tolerant ability, dynamic stability etc., and these characteristics are just what we expected to get in the intrusion detection system.This dissertation lucubrates the Real-valued Negative Selection Algorithm, and compares it with original Negative Selection Algorithm which employs binary detector. The"Boundary Dilemma"of Real-valued Negative Selection Algorithm has been discussed, and a new algorithm that A Region-based Real-valued Negative Selection Algorithm is proposed.The detect rate of intrusion detection system is mainly decided by detector coverage to non-self space, while the negative selection algorithm is mainly adopted by generation of system detector, but the detector generated by the algorithm has a lot of superposition which influences seriously the overlay space of the detector and imperfect coverage to non-self space, so the detect rate is reduced. In this dissertation, adaptively generating detector algorithm and detector distributing strategy based on biological immune is studied, and an algorithm Randomized Real-valued Negative Selection Algorithm is presented for the above questions. This algorithm takes as input a set of detector randomly distributed in the self/non-self space and changes iteratively the position of detector to maximize the coverage of the non-self space and to minimize the coverage of the self samples overlap. The maximization of the non-self coverage is done through an optimization algorithm proved to be of convergence properties (Monte Carlo integration and simulated annealing).Finally, an intrusion detection system is built based on the improved algorithm, Darpa 1998 offline dataset of MIT is used as experiment data of system. Since sensitivity and specificity can be balanced using different self threshold, ROC curve is used to compare the performance of the algorithm. By analyzing the results of experiment, we can conclude that detector generated by the algorithm can cover the non-self space nicely and decrease the coverage of the self samples overlap, thereby detect rate of system is increased.