
Design And Implementation Of Anomaly Recognition In Computer Immune System

Posted on: 2006-09-28
Degree: Master
Type: Thesis
Country: China
Candidate: Y Zhang
Full Text: PDF
GTID: 2168360155950343
Subject: Computer application technology

Abstract/Summary:
Computer security is a popular topic in the field of computing. Many new computer security techniques and products have been presented, but most of them are far from being effective, while the problems caused by security incidents grow more and more complex. In recent years a new technology that protects the computer by imitating the natural immune system has been put forward: the computer immune system, which provides a new approach to the problem of computer security. By imitating the natural immune system we have designed a general computer immune system model (GECISM), which consists of several agents, each imitating the function and mechanism of a different kind of immune cell; working together, the agents protect the host. The paper mainly elaborates the study of the structure of the MC Agent, and all research is carried out under the Linux operating system. The MC Agent is the interface between GECISM and the outside environment. Its main role is to detect unusual program behavior, and detection is based on the system call sequences produced by processes. The system call collector, the rule base and the detector are the main components of the MC Agent. The system call collector is realized by a patch to the Linux kernel. The paper describes in detail how the MC Agent collects system calls and partitions the system call sequences into short system call sequences, and presents the analysis of system call sequences. The paper presents a method for applying data mining approaches to collections of short system call sequences to generate intrusion detection rules, and shows the course and results of experiments based on the C4.5 algorithm and the CART algorithm. The rules in the rule base of the MC Agent are a group of if-then sentences, by which a short system call sequence can be judged normal or abnormal.
Finally, the paper explains how the detector of the MC Agent detects anomalous programs based on the rules, and presents the results and analysis of the experiments.
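The abstract describes three steps: partition each process's system call trace into short sequences, judge each short sequence with if-then rules from a rule base, and have the detector decide from those judgements whether the program's behaviour is anomalous. The following Python is an added illustration of that pipeline and is not code from the thesis or from GECISM. The window length, the sample traces, the rule representation and the 20% flagging threshold are all constructed assumptions; the C4.5/CART rule-induction step is stood in for by simply enumerating the short sequences observed in normal runs as "IF sequence equals X THEN normal" rules with a default "THEN abnormal" rule.

```python
"""Added example (not the thesis's code): sliding-window partitioning of a
system-call trace into short sequences, an if-then rule base that labels each
short sequence, and a detector that scores the whole process."""
from dataclasses import dataclass, field

WINDOW = 3  # constructed window length; the abstract does not give the thesis's value


def short_sequences(trace, k=WINDOW):
    """Partition a trace (list of system call names) into overlapping
    short sequences of length k. A trace shorter than k yields nothing."""
    if len(trace) < k:
        return []
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


@dataclass
class Rule:
    """One if-then sentence: IF the calls at the listed positions match
    THEN the sequence gets `label`. An empty condition matches everything."""
    conditions: dict = field(default_factory=dict)  # position -> call name
    label: str = "abnormal"

    def matches(self, seq):
        return all(seq[pos] == call for pos, call in self.conditions.items())


def mine_rules(normal_traces, k=WINDOW):
    """Build a rule base from traces of normal runs. Stand-in for the thesis's
    C4.5/CART step: one rule per distinct short sequence seen, plus a default
    rule (kept last) that labels every unseen sequence abnormal."""
    rules, seen = [], set()
    for trace in normal_traces:
        for seq in short_sequences(trace, k):
            if seq not in seen:
                seen.add(seq)
                rules.append(Rule(dict(enumerate(seq)), "normal"))
    rules.append(Rule({}, "abnormal"))
    return rules


def classify(seq, rules):
    """Apply the rule base: the first matching rule wins."""
    for rule in rules:
        if rule.matches(seq):
            return rule.label
    raise ValueError("rule base lacks a default rule")


def detect(trace, rules, k=WINDOW, threshold=0.2):
    """Detector: fraction of the process's short sequences judged abnormal,
    and whether that fraction exceeds the (constructed) threshold."""
    seqs = short_sequences(trace, k)
    if not seqs:
        return 0.0, False
    abnormal = sum(1 for s in seqs if classify(s, rules) == "abnormal")
    fraction = abnormal / len(seqs)
    return fraction, fraction > threshold


# Constructed sample traces (call names only); not captured from the thesis.
NORMAL_TRACES = [
    ["open", "read", "read", "close", "open", "write", "close"],
    ["open", "read", "close", "open", "write", "write", "close"],
]

if __name__ == "__main__":
    rule_base = mine_rules(NORMAL_TRACES)
    print(f"{len(rule_base)} rules mined (incl. default)")
    for trace in (["open", "read", "read", "close"],
                  ["open", "read", "read", "close", "chmod", "write"]):
        frac, flagged = detect(trace, rule_base)
        print(f"{trace}: abnormal fraction {frac:.2f}, flagged={flagged}")
```

Because the rule base is learned only from normal traces, any short sequence never observed during training falls through to the default rule; the per-process threshold keeps a single unseen sequence from raising an alert on its own, which is the usual way such detectors trade false positives against sensitivity.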
Keywords/Search Tags: Computer Immune System, Data Mining, System Call, Rules, Detection