
An Intrusion Detection Based On Immune Theory

Posted on: 2008-10-10
Degree: Master
Type: Thesis
Country: China
Candidate: Y L Peng
Full Text: PDF
GTID: 2178360215469806
Subject: Computer applications

Abstract/Summary:
With the development of network technology and its applications, network security has become increasingly important. Because an intrusion detection system provides active defense, it has become an essential tool in the field of information security. Current intrusion detection systems cannot meet the demands of network development in detection capability, self-adaptability and flexibility. It is therefore necessary to study new intrusion detection technology and detection methods.

We studied immune intrusion detection systems in depth, especially the structure of the immune detector and the detection algorithm, and designed and implemented an immune intrusion detection system called Immune-Snort. We also studied the immune process, the clonal selection algorithm, and the diversity and memory mechanisms of the adaptive immune system of the human body. We examined the immune intrusion detection system models presented by other researchers and analyzed their advantages and disadvantages, and we present a new detector structure. This new structure fully reflects the characteristics of attack data and greatly improves the system's detection capability.

Current detector structures use a single data characteristic, which produces a large number of missed detections and false alarms and severely degrades the performance of the detection system. To address this shortcoming, we propose a method that uses a vulnerability and its corresponding data packets to select the characteristic set. This method addresses the strong randomness of data packets, the wide detection range and rapidly changing data. It also makes detection more targeted and increases the accuracy of judgments. Three vulnerability classification models analyze data from different layers; we encode them with a tree-shaped encoding scheme and arrange the codes in order to form a 2-byte gene code. Attacks are detected by comparing gene codes. The gene code fully expresses an attack's principle, location and threat level, so it not only improves the detection rate but also helps the administrator with analysis.

Current intrusion detection systems detect few new kinds of attack. To address this shortcoming, we use the diversity and memory mechanisms of the immune principle and propose building, for each vulnerability, a corresponding immune memory data packet characteristic set and an immune antibody data packet characteristic set. The immune antibody set uses an improved CLOPE clustering algorithm, combined with the vulnerability classification model, to find the optimal classification of vulnerability antibody attribute values and to obtain the required gene-recombination variables and scheme. This method refines the antibody set and can detect unknown attacks. In experiments comparing Immune-Snort with Snort, Immune-Snort showed better detection performance, a lower false-alarm rate and a simpler implementation.
Keywords/Search Tags: Immune theory, intrusion detection, vulnerability, immune memory data packet characteristic set, immune antibody data packet characteristic set, CLOPE cluster-algorithm, Snort, Immune-Snort