An Intrusion Detection Model Based On Immune And Rough Sets Theory

Posted on: 2006-11-23
Degree: Master
Type: Thesis
Country: China
Candidate: S Z Jiang
Full Text: PDF
GTID: 2168360155470790
Subject: Computer applications

Abstract/Summary:
As computers are applied ever more widely, security problems of all kinds keep emerging. Many measures have been adopted to protect computer systems, but they are all static and cannot adapt to complex application environments. Intrusion detection systems have become a research hotspot because they can provide dynamic protection for computer systems.

Many approaches have been suggested, and various systems modeled, to detect intrusions from the anomalous system call behavior that results from an attack, but these methods need complete system call data to build the normal behavior model. In addition, they cannot detect known intrusions quickly or meet the requirements of real-time detection.

To address the problems in the above methods and models, this paper presents an intrusion detection model based on immune theory and rough sets. The model detects intrusions using the mechanism, inspired by the immune system, that differentiates between "self" and "non-self". A small amount of data is extracted from normal system call sequences and transformed into a decision table; the decision table is then reduced, and simple rules representing the normal behavior mode are extracted from the reduct using rough sets theory. These rules can be used to detect anomalous behavior.

To achieve quick detection, the concept of a quick detection method, inspired by the immune memory of the immune system and by artificial immunity in immunology, is presented.

The model presented in this paper can not only extract a detection rule set of minimum size from a partial record of system call sequences, but can also detect known intrusions quickly. Preliminary experiments suggest this method is feasible and effective.
Keywords/Search Tags: intrusion detection, immune theory, rough sets theory, system call, immune memory, quick detection method
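The pipeline the abstract describes (normal system call sequences, decision table, reduct, rules, plus a memory of known intrusions for quick detection) can be sketched as follows. This is an added example, not code from the thesis. The window length, the choice of the last call in each window as the decision attribute, the mismatch threshold, the exhaustive reduct search and the sample traces are all assumptions made for illustration.

```python
from itertools import combinations

W = 4            # sliding-window length: assumed, the abstract gives none
THRESHOLD = 0.2  # mismatch ratio that marks a trace as non-self: assumed

def windows(trace):
    return [tuple(trace[i:i + W]) for i in range(len(trace) - W + 1)]

def decision_table(traces):
    # Row = (first W-1 calls as condition attributes, last call as decision).
    return {(w[:-1], w[-1]) for t in traces for w in windows(t)}

def rules_for(table, attrs):
    rules = {}
    for cond, dec in table:
        rules.setdefault(tuple(cond[a] for a in attrs), set()).add(dec)
    return rules

def positive_region(table, attrs):
    # Rows whose projected condition values still imply exactly one decision.
    rules = rules_for(table, attrs)
    return {(c, d) for c, d in table if len(rules[tuple(c[a] for a in attrs)]) == 1}

def reduct(table):
    # Smallest attribute subset that preserves the full positive region.
    everything = tuple(range(W - 1))
    target = positive_region(table, everything)
    for k in range(1, W):
        for attrs in combinations(everything, k):
            if positive_region(table, attrs) == target:
                return attrs

def detect(trace, attrs, rules, memory):
    wins = windows(trace)
    known = [w for w in wins if w in memory]  # quick path: immune memory lookup
    if known:
        return "known", known
    odd = [w for w in wins if w[-1] not in rules.get(tuple(w[a] for a in attrs), ())]
    verdict = "non-self" if wins and len(odd) / len(wins) > THRESHOLD else "self"
    return verdict, odd

# Constructed sample traces (not data from the thesis).
NORMAL = [["open", "read", "read", "write", "close"] * 2,
          ["open", "mmap", "read", "read", "write", "close"]]
SUSPECT = ["open", "read", "read", "write", "execve", "socket", "connect"]

TABLE = decision_table(NORMAL)
ATTRS = reduct(TABLE)          # (0, 1): the third condition attribute is redundant
RULES = rules_for(TABLE, ATTRS)
```

Once an analyst confirms the windows returned for a non-self trace, adding them to `memory` lets later occurrences be reported as `known` by set lookup alone, without rule matching.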