
Research On Immunity Based Real Value Coded Intrusion Detection System

Posted on: 2009-01-30
Degree: Doctor
Type: Dissertation
Country: China
Candidate: G A Weng
GTID: 1118360275471011
Subject: Computer system architecture

Abstract/Summary:
Detecting unknown intrusion activities is becoming more and more important in information security, and traditional anomaly detection systems face problems in the following areas: updating normal profiles, dynamic real-time detection, and distributed detection. New intrusion detection approaches based on the principles of the biological immune system offer solutions to many of the difficulties that traditional anomaly-based intrusion detection encounters, but immune intrusion detection techniques are still at an early stage.

Binary-coded immune intrusion detection systems are investigated in detail, an algorithm for improving the detector set is proposed, and redundant information in the detector set is reduced. However, binary code and the rcb (r-contiguous bits) matching rule have difficulty handling long strings effectively, so they adapt poorly to applications with many features and to real-time intrusion detection under dynamically changing conditions. Therefore an immune intrusion detection approach based on real-valued code is proposed, and the following research and innovative work is carried out.

Real-valued code is systematically transplanted to an immune intrusion detection system for the first time. The representations of the self set and of detectors are defined, and hyper-sphere and hyper-rectangle models are built to construct the pattern space. A new detector generating method, multimodal evolution, is demonstrated: it creates detectors with variable coverage, and a particular type of fitness function guides the detectors to evolve towards the small detection holes close to the self set or among self entities, overcoming the disadvantage that random generation cannot cover non-self areas efficiently in high-dimensional space.

The detection granularity of real-valued code is analysed, with the conclusion that the smaller the value used to normalise an attribute, the smaller the information loss, and so the better the detection granularity obtained. Hyper-sphere and hyper-rectangle systems are constructed. Experiments on the DARPA99 network data set and the Wine data set indicate that the hyper-sphere system outperforms the hyper-rectangle system in detection rate, false alarm rate, stability, time cost, adaptability to an incomplete training set and uniformity of coverage of the non-self space; the multimodal evolution generating method outperforms the random generating method in detection rate, stability and uniformity of coverage of the non-self space; and the random generating method cannot be applied to the Wine data set, which contains 13 features. Experiments on the KDD Cup'99 data set show that the hyper-sphere system with multimodal evolution works well in a high-dimensional pattern space, and that its time cost is approximately linear in the number of dimensions and the training set size.

Approaches that use the distribution characteristics of a data set to improve detection precision are developed for the hyper-sphere system with multimodal evolution. A Gaussian distribution model is first built to describe the distribution of patterns in the data space, and a clustering level parameter is specified to represent how closely the shape of a data cluster approaches a Gaussian cluster; an algorithm for generating synthetic data sets with a given clustering level is provided; and the clustering characteristics of real data sets are analysed. Experiments indicate that better detection ability is obtained on data sets with better clustering characteristics (a lower clustering level), and that more detectors or a lower tolerant level can to some extent compensate for poor clustering characteristics of a data set.

Based on the above work, an extended hyper-sphere model for self space construction, VRSSM (variable radius of self sphere model), is developed. It applies different tolerant levels in different areas of the pattern space according to the clustering characteristics there, so self hyper-spheres are given variable radii during detector generation, locating the boundary between self and non-self more accurately. Analysis indicates that detection ability is affected by the clustering characteristics of the data set and by the average attribute deviation between self and non-self, and that the effect of VRSSM depends on the clustering characteristics and on the difference in data point density among different areas of the space. Experiments show that synthetic data sets and the DARPA99 network data sets satisfy the hypothesis of VRSSM, and that a higher detection rate and a lower false alarm rate are produced.

The following dynamic real-time detection mechanisms are established for the hyper-sphere system with multimodal evolution: strengthened initial training; clonal selection and a gene library, which ensure that detectors cover with higher probability those areas containing more intrusion activities; and memories, which ensure that the detector set keeps its ability to recognise intrusions encountered before while updating continuously. A dynamic extension of VRSSM (Dynamic VRSSM) is proposed; it uses positive memory to denote dense areas of normal activity so that the tolerant level at different positions can be calculated online. Analysis indicates that a real network intrusion detection system has a suitable activation threshold of 1. The hyper-mutation probability of clonal selection should be neither too high nor too low; an appropriate value can be found by trial experiment. Emulation tests on network data sets (DARPA99 and KDD Cup'99) show that these dynamic real-time detection mechanisms are effective and that Dynamic VRSSM is feasible.

A distributed cooperative architecture prototype combining distributed tolerance and central tolerance is presented. Integrating the hyper-sphere representation based on real-valued code, detector generation based on multimodal evolution, VRSSM, the dynamic real-time detection mechanisms and Dynamic VRSSM, a single-node experimental platform is implemented, providing evidence for the validity of the above theories and models.
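As an added illustration of the real-valued negative selection scheme summarised above (not code from the dissertation), the following Python sketch represents the self set as hyper-spheres with a fixed tolerant level, grows each detector until it touches the nearest self sphere (variable coverage), and hill-climbs each candidate with a simplified fitness that rewards uncovered volume. The self vectors, the fitness function and all parameters are constructed assumptions; VRSSM and clonal selection are not reproduced.

```python
import math
import random

# Constructed sample self set (not from the dissertation): normal traffic
# profiles as 2-D feature vectors already normalised to [0, 1].
SELF_SET = [(0.20, 0.30), (0.25, 0.35), (0.22, 0.28),
            (0.70, 0.75), (0.72, 0.70), (0.68, 0.78)]
SELF_RADIUS = 0.08   # tolerant level: radius of every self hyper-sphere (assumed)

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def detector_radius(center, self_set, self_radius):
    """Variable coverage: a detector grows until it touches the nearest self sphere.
    A negative result means the centre lies inside self space."""
    return min(dist(center, s) for s in self_set) - self_radius

def fitness(center, radius, detectors):
    """Simplified fitness (assumption): coverage minus overlap with existing detectors."""
    overlap = sum(max(0.0, radius + r - dist(center, c)) for c, r in detectors)
    return radius - overlap

def generate_detectors(self_set, self_radius, count, dim=2,
                       min_radius=0.02, steps=25, seed=7):
    rng = random.Random(seed)
    detectors = []
    while len(detectors) < count:
        center = tuple(rng.random() for _ in range(dim))
        radius = detector_radius(center, self_set, self_radius)
        if radius < min_radius:          # candidate overlaps self space: discard
            continue
        best = fitness(center, radius, detectors)
        for _ in range(steps):           # hill-climb stands in for the evolution step
            cand = tuple(min(1.0, max(0.0, x + rng.uniform(-0.05, 0.05))) for x in center)
            r = detector_radius(cand, self_set, self_radius)
            if r < min_radius:
                continue
            f = fitness(cand, r, detectors)
            if f > best:
                center, radius, best = cand, r, f
        detectors.append((center, radius))
    return detectors

def is_anomalous(point, detectors):
    """Negative selection: a point inside any detector sphere is classified non-self."""
    return any(dist(point, c) <= r for c, r in detectors)
```

Because every detector radius is the distance to the nearest self centre minus the tolerant level, no detector can ever cover a point inside a self sphere, which is the false-positive guarantee negative selection relies on.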
Keywords: Intrusion detection, Artificial immune, Real value code, Hyper-sphere, Hyper-rectangle, Multimodal evolution, Variable radius self sphere model