
Immunity-based Intrusion Detection System

Posted on: 2004-12-02
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Z S Wu
Full Text: PDF
GTID: 1118360092498855
Subject: Control Science and Engineering
Abstract/Summary:
In recent years, immune-based intrusion detection has become a key research area in intrusion detection systems, exploring natural immunological theories, mechanisms and principles for detecting and reacting to intrusions. Information protection can be viewed generally as the problem of learning to distinguish self from nonself. An IDS should protect computers or networks from unauthorized intruders and malicious code, which is analogous to the immune system protecting the body (self) from invasion by inimical microbes (nonself). Supported by the National High Technology Research and Development Program (863 Program), this thesis is dedicated to the negative selection model and its application to intrusion detection.

After a review of artificial immune systems and the basic immunological material necessary for this dissertation, the positive and negative detection approaches are compared through both theoretical analysis and experiments. The conclusion is that the negative approach can achieve better results at low cost. Because a great number of packets pass through a network IDS, the negative detection approach is more feasible for it.

A comprehensive formalization and a new analysis of the negative selection model are developed. The coding schemes of self and their characteristics are described in detail based on the definition of self, including pattern distribution, detection rule and detection scheme. Furthermore, the representation and functions of the detector set for intrusion detection are investigated, such as the size and generation retries of the detector set. In addition, the effects of incomplete training sets and multiple representations on the model are discussed.

As the basis for studying detector generation in IDS, several new algorithms are presented. Inspired by evolutionary computing, the thesis first analyzes the rcb template and rcb greedy algorithms. The genetic algorithm is also covered as a detector generation algorithm. For the rch detection rule, the rch exhaustive algorithm and its improvement are illustrated for the first time.

Based on the detector generation rules, detection holes under rcb and rch are analyzed. A new detection hole counting algorithm is developed, with sound time and space complexity. Moreover, a novel algorithm is presented that can check whether a nonself pattern is a hole or not.

After discussion of the distributed negative selection model, an immune-based multi-agent system is introduced for protecting networked computers. The multi-agent detection system can simultaneously monitor the activities of computers at different levels in order to find intrusions. The proposed intrusion detection system is designed to perform real-time monitoring in accordance with the preferences.

An immune-based IDS prototype, IIDS, is designed and implemented; it is an anomaly network IDS for LANs. IIDS is highly distributed and robust. IIDS is tested with data sets generated by a realistic context, and the experimental results disclaim its effectiveness in detection of network attacks as supposed.
Keywords/Search Tags: intrusion detection, computer immunology, negative selection model, detector generation algorithms, IIDS, multi-agent IDS