Anomaly intrusion detection and threat evaluation using artificial immunity model and fuzzy logic

Posted on: 2006-04-04
Degree: Ph.D
Type: Dissertation
University: University of Louisville
Candidate: Yu, Yingbing
Full Text: PDF
GTID: 1458390005995619
Subject: Computer Science
Abstract/Summary:
This dissertation proposes a computer immunology model to detect anomaly intrusions from user and program behavior profiling based on a hierarchical fuzzy threat evaluation mechanism. Sequential data, consisting of commands from users and system calls from programs, is used to construct finite automata, which are identified with behavior profiles. The self and non-self behaviors from natural immune systems have been applied in this research to measure both the similarity and the deviation of a case with respect to the behavior profile. The values of fuzzy memberships can be calculated using a hierarchical fuzzy reasoning system by comparing test data with the finite automaton.

This dissertation also presents a new fuzzy risk analysis approach to identify a case as a linguistic term. The threat, expressed as fuzzy memberships, can be converted into a generalized fuzzy number with the weight value. The synthesized number is then compared, one by one, with linguistic terms denoted as fuzzy numbers to measure their similarity. The linguistic term that has the highest similarity with the synthesized fuzzy number is regarded as the final threat level to the system.

The computer immunology model is applied to detect masqueraders and intrusion scenarios from manipulating privileged processes to explore system vulnerabilities. Using analysis of truncated commands (without arguments), it improves upon seven other methods used to detect simulated masqueraders. Using enriched commands with arguments, the model can detect simulated masquerader data in a very short time interval. The immunology model also succeeds in detecting anomalous program behavior patterns and correctly identifying intrusion scenarios. A new experiment is described to detect intruders with a data set collected in a real computer system. The experimental results show that the computer immunology model is very effective and efficient at detecting anomalies with real masquerader data.

Some future research directions are discussed, including user behavior profiling in GUI-based systems and applying neural networks and data mining to anomaly intrusion detection.
Keywords/Search Tags: Detect, Intrusion, Anomaly, Model, Fuzzy, Behavior, Data, Using