
An immunological model of distributed detection and its application to computer security

Posted on: 2000-01-04
Degree: Ph.D
Type: Dissertation
University: The University of New Mexico
Candidate: Hofmeyr, Steven Andrew
Full Text: PDF
GTID: 1468390014464638
Subject: Computer Science
Abstract/Summary:
This dissertation explores an immunological model of distributed detection, called negative detection, and studies its performance in the domain of intrusion detection on computer networks. The goal of the detection system is to distinguish between illegitimate behaviour (nonself) and legitimate behaviour (self). The detection system consists of sets of negative detectors that detect instances of nonself; these detectors are distributed across multiple locations. The negative detection model was developed previously; this research extends that previous work in several ways.

Firstly, analyses are derived for the negative detection model. In particular, a framework for explicitly incorporating distribution is developed, and is used to demonstrate that negative detection is both scalable and robust. Furthermore, it is shown that any scalable distributed detection system that requires communication (memory sharing) is always less robust than a system that does not require communication (such as negative detection). In addition to exploring the framework, algorithms are developed for determining whether a nonself instance is an undetectable hole, and for predicting performance when the system is trained on non-random data sets. Finally, theory is derived for predicting false positives in the case when the training set does not include all of self.

Secondly, several extensions to the model of distributed detection are described and analysed. These extensions include: multiple representations to overcome holes; activation thresholds and sensitivity levels to reduce false positive rates; costimulation by a human operator to eliminate autoreactive detectors; distributed detector generation to adapt to changing self sets; dynamic detectors to avoid consistent gaps in detection coverage; and memory, to implement signature-based detection.

Thirdly, the model is applied to network intrusion detection. The system monitors TCP traffic in a broadcast local area network. The results of empirical testing of the model demonstrate that the system detects real intrusions, with false positive rates of less than one per day, using at most five kilobytes per computer. The system is tunable, so detection rates can be traded off against false positives and resource usage. The system detects new intrusive behaviours (anomaly detection), and exploits knowledge of past intrusions to improve subsequent detection (signature-based detection).
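The following toy run is an added illustration, not code from the dissertation: it censors candidate detectors against a constructed self set, shows which nonself strings are undetectable holes, and shows how a second representation (a bit permutation) shrinks the hole set. It assumes 4-bit strings and an r-contiguous matching rule, neither of which the abstract specifies.

```python
from itertools import product

# Assumptions (the abstract states no matching rule or representation): fixed-length
# bit strings, matching when they agree in at least R contiguous positions.
R, LENGTH = 2, 4

# Constructed toy self set: the "legitimate" patterns the detectors are censored against.
SELF = {"0011", "1100", "0110"}

def matches(a, b, r=R):
    """True if some length-r window is identical in a and b."""
    return any(a[i:i + r] == b[i:i + r] for i in range(len(a) - r + 1))

def all_strings(length=LENGTH):
    return ["".join(bits) for bits in product("01", repeat=length)]

def generate_detectors(self_set, candidates):
    """Negative selection: censor every candidate that matches any self string."""
    return [c for c in candidates if not any(matches(c, s) for s in self_set)]

def is_nonself(sample, detectors):
    """A sample is flagged when at least one negative detector matches it."""
    return any(matches(sample, d) for d in detectors)

def find_holes(self_set, length=LENGTH):
    """Nonself strings no uncensored detector can match (exhaustive, so exact here)."""
    universe = all_strings(length)
    detectors = generate_detectors(self_set, universe)
    return {x for x in universe if x not in self_set and not is_nonself(x, detectors)}

def permute(s, perm):
    return "".join(s[i] for i in perm)

def holes_with_representations(self_set, perms, length=LENGTH):
    """Holes that survive several bit-permutation representations used side by
    side: a string stays a hole only if it is a hole in every representation."""
    remaining = None
    for perm in perms:
        holes = find_holes({permute(s, perm) for s in self_set}, length)
        inverse = [perm.index(i) for i in range(length)]
        back = {permute(h, inverse) for h in holes}  # map back to the original representation
        remaining = back if remaining is None else remaining & back
    return remaining

if __name__ == "__main__":
    dets = generate_detectors(SELF, all_strings())
    print("detectors:", dets, "holes:", sorted(find_holes(SELF)))
    print("holes with 2 representations:",
          sorted(holes_with_representations(SELF, [(0, 1, 2, 3), (0, 2, 1, 3)])))
```

With this self set only one candidate survives censoring, five of the thirteen nonself strings are holes, and adding the second representation leaves three.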
Keywords/Search Tags:Detection, Model, System, Computer