Study On Intrusion Analysis Based On Artificial Immune System

Posted on: 2006-04-21
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J Zhong
GTID: 1118360155972593
Subject: Computer software and theory

Abstract/Summary:
The purpose of an Artificial Immune System (AIS) is to extract the special information-processing mechanisms of the biological immune system and then to study and design corresponding models and algorithms that can be used to solve many kinds of complex problems. AIS is a novel intelligent-computing research field that follows Artificial Neural Networks and Evolutionary Computation, and an emerging interdisciplinary field arising from life science and computer science. The basic function of the biological immune system is to recognize self and non-self, and then to classify and eliminate non-self. The biological immune system exhibits immune recognition, immune memory, immune regulation, immune tolerance, immune surveillance and other characteristics. It is a self-adaptive, self-learning, self-organizing, parallel and distributed complex system. By studying its information-processing mechanisms in depth, many effective models and algorithms can be designed and established, which is of great significance for solving many important and complex problems in national economy and social development.

Intrusion detection systems are one of the most important parts of network security research. Because the biological immune system is a very effective self-protecting system that recognizes both known and unknown antigens, it offers many inspirations for intrusion detection. New intrusion detection mechanisms based on the biological immune system are therefore attracting more and more attention and are an important force for improving current network security research. Inspired by the powerful recognition capability of the immune system, this dissertation focuses on data analysis and pattern recognition techniques based on immune-system principles, and then develops intrusion detection methods based on the artificial immune system.

Like the popular intrusion detection methods based on machine learning and data mining, we propose new algorithms for dynamic clustering analysis, abnormal detection and classification analysis based on the artificial immune system, which can be used to establish the intrusion model intelligently and to recognize abnormal activities in a computer network. Experimental results show that these methods are feasible and efficient. The main contributions of this dissertation are summarized as follows:

1. We introduce the biological immune mechanisms that form the basis of this dissertation, including immune memory, immune recognition, adaptive immune response and so on. The coding modes and operations used in artificial immune systems are discussed, and some artificial immune models related to intrusion detection are analyzed.

2. Because unknown intrusion modes may be included in the network connection feature dataset, the number of clusters cannot be assigned before clustering, so a dynamic clustering analysis algorithm is needed to establish the intrusion model from the connection dataset. To improve efficiency without sacrificing clustering precision, we present a concept called the Clustering Feasible Solution (CFS) and design an algorithm that obtains a CFS from a dataset through an artificial immune network. The probability of obtaining a CFS and the conditions for doing so are also discussed.

3. Dynamic clustering algorithms based on CFS that use intelligent optimization methods such as the Genetic Algorithm (GA) and Tabu search are presented. After analyzing these new algorithms, a two-stage dynamic clustering framework based on 'data reduction and optimization' is discussed. The reduction algorithm and its parameters (such as the count of clusters) are the key factors in the efficiency of these new dynamic clustering algorithms. A simple method for estimating the number of clusters, based on the artificial immune network, is presented, and several reduction algorithms and their characteristics are analyzed.

4. A novel abnormal detection algorithm based on artificial immune clustering is presented. It employs a new distance-based outlier measure for selecting the top-n abnormal items from a dataset, which makes it easy to obtain a better tradeoff between detection rate and false positive rate according to the security policies chosen by the user. Because the method can label abnormal activities without a training dataset, it can be applied in different network systems and application environments. Experimental results demonstrate that the new algorithm has a low false positive rate and a high detection rate.

5. We analyze classification based on the representative points produced by a clustering algorithm with uniform granularity and distance function, and point out the problem that arises when the clustering result is inconsistent with a priori knowledge. To solve this problem and improve classification accuracy and generalization ability, a self-adaptive clustering algorithm that uses different granularities is presented. Experimental results show that the new method overcomes the problem to some extent and gives good results in intrusion detection compared with RBF-ANN and BP-ANN.

Keywords/Search Tags: Intrusion Analysis, Clustering Analysis, Genetic Algorithm, Abnormal Detection, Tabu Search, Classification Analysis