
Research On Detector Performance In Intrusion Detection System Based On Immune

Posted on: 2011-11-05
Degree: Doctor
Type: Dissertation
Country: China
Candidate: D W Wang
GTID: 1118330332971646
Subject: Computer application technology
Abstract/Summary:
With the rapid development of network technology, the network environment and hackers' attack methods have become more and more complex, and traditional intrusion detection systems cannot adapt to this ever-changing network. The Artificial Immune System (AIS) is a new computational theory inspired by the biological immune system. Its distributed, robust and self-organizing character has made the AIS-based Intrusion Detection System (IDS) a hot spot in network security research. This dissertation takes the detector in immune-based intrusion detection systems as its research object, focuses on the theme of detector performance, and discusses methods of improving it.

To improve the coverage performance of detectors, a self-region-based real-valued detector generation algorithm is proposed, inspired by the self-tolerance mechanism of the biological immune system. The algorithm uses information about the self region to train detectors, improving training efficiency; constructs detectors with an aggressive interpretation, which improves coverage on the boundary between the self and nonself regions; and employs a mixed search method that combines the advantages of random search and evolutionary search. This search method improves detector coverage in the nonself region, so that the nonself region can be covered completely using the fewest detectors. Experimental results on several datasets show that the algorithm improves not only the coverage performance of detectors but also the training efficiency.

To improve the recognition and distribution performance of detectors, a principal component weighted real-valued negative selection algorithm is proposed, inspired by the performance-improving mechanism of antibody cells in the biological immune system. The algorithm uses principal components extracted by principal component analysis to construct a low-dimensional shape space, improving the recognition ability of detectors, and employs weighted Euclidean distance as the matching rule when training detectors in the principal component shape space, improving their distribution ability. The experiments compare this algorithm with the traditional real-valued negative selection algorithm on several datasets of different dimensions. The results show that the algorithm compensates for the deficiency of the real-valued detector generation algorithm in high-dimensional space and improves the detection performance of detectors in high-dimensional space.

To address the limitations of real-valued detectors in knowledge utilization and mixed data processing, a neighborhood representation is proposed, inspired by the phenomenon that the biological immune system can change its antigenic determinants to adapt to a complex environment. The algorithm takes advantage of the aggregation property of data: it uses fully adjacent but mutually disjoint neighborhoods in shape space to represent self and detectors, and trains detectors with a special matching rule, similar to Hamming distance, based on the similarity between self samples and candidates. The neighborhood detectors generated by neighborhood negative selection overcome the negative effect of the dimension of the shape space and handle mixed data well. However, the continuous-attribute division method of neighborhood negative selection cannot adapt to the ever-changing network environment and, furthermore, results in an undeterminable search scope. To solve this problem, a self-adaptive neighborhood negative selection algorithm is proposed, which employs entropy-based discretization to split the continuous attributes according to the network environment, so that neighborhood detectors can adapt to the ever-changing network environment. Experiments compare the neighborhood representation with the real-valued representation to demonstrate the advantage of the neighborhood representation.

To provide rich and reliable knowledge to the detector, a method for extracting the detector's processing object is proposed. Based on netflow, the method first uses the Cash Register Model to store a sketch of the netflow, then extracts feature vectors, and finally takes the feature vector set as the processing object on which the detector detects anomalies. At the end of this part, the real-valued negative selection algorithm is run on different feature vector sets to verify that this extraction method improves detector performance by providing richer knowledge.

Research on detector performance in immune-based intrusion detection systems and on methods of improving it can not only promote the overall performance of intrusion detection systems but also make them more practicable.
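
The neighborhood negative selection described in the abstract, as an added sketch that is not code from the dissertation: samples with mixed attributes are mapped to disjoint neighborhoods, and candidate neighborhoods are kept as detectors only if a Hamming-like mismatch count separates them from every self neighborhood. The feature schema, equal-width bins, exhaustive candidate enumeration and the threshold `r` are assumptions made for illustration.

```python
from itertools import product

# Constructed feature schema (assumption, not from the dissertation):
# two continuous flow features scaled to [0, 1] plus one categorical feature.
BINS = 4                                  # equal-width intervals per continuous attribute
PROTOCOLS = ("tcp", "udp", "icmp")

def _bin(value):
    """Index of the equal-width interval holding a value in [0, 1]."""
    return min(int(value * BINS), BINS - 1)

def neighborhood(sample):
    """Map a mixed-type sample to its neighborhood: one discrete index per attribute."""
    rate, size, proto = sample
    return (_bin(rate), _bin(size), PROTOCOLS.index(proto))

def mismatch(a, b):
    """Hamming-like distance: number of attributes on which two neighborhoods differ."""
    return sum(x != y for x, y in zip(a, b))

def train_detectors(self_samples, r=2):
    """Negative selection: keep candidates at distance >= r from every self neighborhood."""
    self_cells = {neighborhood(s) for s in self_samples}
    candidates = product(range(BINS), range(BINS), range(len(PROTOCOLS)))
    return {c for c in candidates
            if all(mismatch(c, s) >= r for s in self_cells)}

def is_anomalous(sample, detectors):
    """A sample is flagged when its neighborhood is one of the trained detectors."""
    return neighborhood(sample) in detectors

# Constructed "normal" traffic: low-rate TCP flows and one small UDP flow.
SELF = [(0.10, 0.20, "tcp"), (0.15, 0.30, "tcp"), (0.30, 0.05, "udp")]
DETECTORS = train_detectors(SELF)

if __name__ == "__main__":
    probes = [(0.12, 0.22, "tcp"), (0.95, 0.90, "icmp"), (0.10, 0.20, "udp")]
    for probe in probes:
        verdict = "anomalous" if is_anomalous(probe, DETECTORS) else "normal"
        print(probe, neighborhood(probe), verdict)
```

Lowering `r` to 1 turns every non-self neighborhood into a detector, which flags the third probe as well; the threshold trades false alarms against missed detections near the self boundary.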
Keywords/Search Tags: intrusion detection, immune, performance of detector, algorithm