Application And Realization Of Immunity Pattern In Network Intrusion Inspection System

Posted on: 2006-02-07
Degree: Master
Type: Thesis
Country: China
Candidate: W Ding
GTID: 2178360185992534
Subject: Software engineering

Abstract/Summary:
Information security is a worldwide practical problem, and intrusion detection is an important defense technique in a network security system: it can find unauthorized access and illegitimate use by legal users, take active actions, and protect itself from outside and inside intrusions. This technique complements passive measures such as system scanners or firewalls. There are several methods to realize this technique, such as probability and statistics, neural networks, expert systems, model reasoning, etc. Although many systems have been designed and realized using these methods, many problems remain: most of them are not robust, adaptable, scalable, and efficient. Immune-based detection is one kind of anomaly-based detection, and its salient characteristic is that it fits the needs of network security.

After a thorough study of the existing intrusion detection technologies, this thesis explores an immunological model of an intrusion detection system. This model is then applied in the Immune-based Intrusion Detection System. The goal of this system is to distinguish between illegitimate behavior (non-self) and legitimate behavior (self). The system consists of sets of negative detectors that detect instances of non-self.

Firstly, the detection model is analyzed. We analyze the requirements of a network system and the characteristics of the natural immune system, and identify the similarities between them. In detail, the natural immune system has the characteristics of unique antibody sets, distribution, adaptability and approximate binding, while network security needs robustness, configurability, extendibility, global analysis, adaptability and efficiency.

Secondly, an upgraded immune-based model is given, which improves on the original model. The extensions include: memory to implement signature-based detection; co-stimulation by administrators to eliminate auto-reactive detectors; dynamic detectors to avoid consistent gaps in detection coverage, and so on. Additionally, two algorithms for creating valid detectors are analyzed and compared.

Thirdly, the model is applied to network intrusion detection. The IDS is realized, and it monitors TCP traffic in a broadcast local area network. We have carried out several empirical intrusion tests and analyzed the test data and results. The results demonstrate that the system detects real intrusions with little system cost, exploits knowledge of past intrusions to improve subsequent detection, and raises alarms about new intrusion behaviors.
Keywords/Search Tags:intrusion detection, network security, computer immunity, theory of immunity