Study On Dendritic Cell Algorithm And Its Application To Intrusion Detection In Supervisory Control System

Posted on: 2014-01-29
Degree: Doctor
Type: Dissertation
Country: China
Candidate: S Yuan
Full Text: PDF
GTID: 1228330398954828
Subject: Fluid Machinery and Engineering
Abstract/Summary:
Computer supervisory control systems have been widely applied in hydropower stations to guarantee their safe and economic operation. However, as the network security situation becomes increasingly serious, the network security of computer supervisory control systems is particularly important. Passive protection technologies struggle to meet the high-end network security requirements of computer supervisory control systems in hydropower stations, so intrusion detection, as an active security technology, has drawn attention. Traditional intrusion detection technologies share some ubiquitous problems, such as large computing scale and poor ability to recognize unknown intrusions. The distributed, real-time self-protection mechanisms of the biological immune system may provide new ideas for intrusion detection research. Inspired by biological immune mechanisms, developing intrusion detection systems based on artificial immunity has become a research hotspot, but most of this research is based on the self/nonself recognition model, belongs to the category of adaptive immunity, requires a lot of training, and results in many false positives and false negatives. Studies of danger theory have shifted the research focus from adaptive immunity to innate immunity. Dendritic cells, as typical antigen-presenting cells of the innate immune system, can fuse and process a variety of environmental signals, associate the signals with antigens, and then obtain anomaly indicators for the antigens through analysis. The Dendritic Cell Algorithm (DCA) is a data fusion algorithm derived from the mechanisms of dendritic cells. DCA has many advantages, such as smaller computing scale and stronger identifying ability, and doesn't need a large number of training samples, but it also has some limitations, and there is still considerable room for improvement in the algorithm's design and application.

In this thesis, the intrusion detection system, biological immune system, artificial immune system, danger theory and other related domain knowledge are introduced first. Then the biological mechanisms of dendritic cells and the basic principle and algorithm flow of DCA are described in detail, the characteristics and limitations of DCA are analyzed, and some improvements to DCA are put forward. Finally, the improved algorithms are applied to the intrusion detection system.

To perform intrusion detection in real time and continuously detect abnormal behaviors as soon as they occur, a real-time analysis algorithm is designed to improve on the offline analysis of the classical DCA. When an antigen has been presented by sufficient dendritic cells, it is immediately assessed and output, so that real-time or near-real-time analysis can be achieved. Sufficient assessments can reduce the influence of errors, and a temporally correlated antigen and signal pool is designed to eliminate the mutual interference of antigens and signals that are far apart. The experimental results show that the proposed real-time analysis algorithm has considerable detection accuracy.

To improve the anomaly detection performance of DCA on unordered data sets, where accuracy drops suddenly when the context changes multiple times in quick succession, the Multiplying and Merging Dendritic Cell Algorithm (MMDCA) is proposed. First the data set is multiplied n times, i.e., n instances are generated for each type of antigen; then each instance is assessed; and finally the n assessments of each type of antigen are merged to get the final result. The algorithm reflects the biological mechanism that the state of the antigen is determined by the context: multiplying results in a relatively stable context, and merging combines the mostly correct judgments so as to reduce the influence of errors. Experiments show that MMDCA has considerable detection accuracy and stable detection performance on the unordered data set.

In order to overcome the blindness of context evaluation in the classical DCA, the way the weight matrix of DCA influences the detection results is analyzed, the concept of the Tendency Factor (TF) is put forward, and two kinds of DCA that can adjust false positives and false negatives are proposed. The first is the voting DCA, in which TF is involved in the dendritic cell (DC) state transition to assess the context fairly, and false positives and false negatives in the detection results are controlled through fine adjustment of TF. The other is the scoring DCA, in which the evaluation of the context is ignored in the DC state transition phase; instead, the antigen is directly given a score, and the anomaly threshold value can then be adjusted according to the distribution of the average scores of antigens to control false positives and false negatives. Experiments show that the two algorithms can effectively control the results, and that the scoring DCA may provide more intuitive control.

To compensate for the lack of antigen evaluation evidence in a disordered environment, a joint algorithm combining DCA with the Positive Selection Algorithm (PSA) is designed. The detection results of DCA are divided into three parts: determinate normal, determinate anomaly and undetermined antigens. With the aid of the antigen recognition specificity of PSA, the undetermined antigens are detected a second time. The detectors in PSA are derived directly from the determinate antigens detected by DCA, so the training process of the detectors can be omitted. A variable radius is used both to make the detectors cover as large a space as possible and to cut down the detection ability of impure detectors. Experiments show that the combination of DCA and PSA can effectively reduce false positives and false negatives.

The improved algorithms are then applied to intrusion detection. In order to meet the strict network security requirements of computer supervisory control systems in hydropower stations, an intrusion detection model combining innate immunity and adaptive immunity is designed. On the KDD99 Data Set, different attacks are detected separately and multiple attacks are detected together by the improved editions of DCA. Experiments show that the algorithms detect most of the attacks well, and that combining them with adaptive immunity further improves the detection accuracy, indicating that combining innate immunity and adaptive immunity can build more complete defense systems.

In addition, in order to verify the adaptability of DCA to other areas, the proposed algorithms are tested using the Mechanical Analysis Data Set, and experiments show that DCA can be applied to the field of vibration anomaly detection.

Finally, a summary of the whole work is presented. Further exploration and research into the information processing mechanisms of the biological immune system, designs of more effective immune algorithms, and more applications in engineering fields are expected.
Keywords/Search Tags: Dendritic Cell Algorithm, Intrusion Detection, Anomaly Detection, Artificial Immune, Danger Theory