
Research On File System Based On Immune System

Posted on: 2006-09-04
Degree: Master
Type: Thesis
Country: China
Candidate: Y Wang
GTID: 2168360152970669
Subject: Computer application technology
Abstract/Summary:
As information has become more pervasive in the 21st century, information security has become a prominent subject in the competition between countries. Intrusion detection (ID), a form of active defence, is an important security technology for protecting information systems, like firewalls or data encryption techniques. ID is the identification of attempted or ongoing attacks on a computer system or network [1], and it is the methodology able to detect intrusions. The methodology can be divided into two categories: anomaly intrusion detection and misuse intrusion detection. Both have drawbacks: with the first it is difficult to build profiles of normal software behavior, and the second cannot detect novel intrusions. Several intelligent approaches have been introduced to information security, including artificial neural networks, data mining, data fusion and artificial immunity. This dissertation focuses on the research of artificial immune systems in host-based misuse intrusion detection.

From an information viewpoint, the biological immune system is a compelling example of a massively parallel information-processing system. It is multi-layered, distributed, adaptive, robust and anomaly-detecting. The theory of how the immune system protects the body from invasion provides a brand-new approach to building a robust intrusion detection system.

In this thesis, three topics are mainly discussed:

1. Drawing on research on computer immune systems at home and abroad, this paper begins with an analysis of the biological immune system. Based on some principles of imperfect detection, negative selection and immune memory are simulated.

2. The primary immunological function of Major Histocompatibility Complex (MHC) molecules, which bind antigenic peptides and present them on the surfaces of cells for binding by the antigen-specific T-cell receptors of lymphocytes, is introduced. Then a method for implementing the function of MHC molecules by analyzing process management is considered. The main proposal is that modified protected files trigger the computer immune response, and that the system calls modifying the protected files are extracted as the antigenic peptides to bind to the detectors.

3. A new idea for extracting the behavior profiles of an intruding process is proposed. When abnormal behavior is detected, a counterfeit system call model, which has the same input/output interface as the genuine system call model, is dynamically loaded without making any modification to the protected files. Meanwhile, the "non-self" behavioral characteristics can be obtained without arousing the intruder's suspicion, and more effective detectors can then be trained with these characteristics.
Keywords/Search Tags: system security, intrusion detection, immune system, MHC, system call