
Design And Implementation Of Intrusion Detection System Based On Artificial Immune Theory

Posted on: 2011-04-03
Degree: Master
Type: Thesis
Country: China
Candidate: K Zhang
GTID: 2178360305964238
Subject: Circuits and Systems
Abstract/Summary:
Intrusion detection methods based on artificial immune principles have become increasingly popular in network security research. With features such as distributed, self-organized, light-weight and multi-layered protection, which traditional network intrusion detection systems do not provide, intelligent intrusion detection methods inspired by biological immune principles can detect intrusion behaviour more effectively. Based on a study of the information processing mechanisms of biological immune systems and on the work of earlier researchers, this dissertation proposes a novel host intrusion detection system model that combines the negative selection algorithm (NSA) with danger theory.

First, we introduce a dynamic update strategy for V-detectors into the V-detector negative selection algorithm and apply the improved algorithm, called the Dynamic V-detector Algorithm (DVA), to network intrusion detection. The dynamic update strategy makes the algorithm more adaptive and robust for high-dimensional data, especially when the training data are inadequate to cover all the intrusion data. As a result, DVA achieves a higher detection rate and a lower false alarm rate than the original algorithm, and its results are more stable. Simulation results show that DVA outperforms the original V-detector algorithm on intrusion detection problems.

Second, to overcome the high false detection rate of traditional intrusion detection, we combine danger theory with the traditional negative selection algorithm to build a new host intrusion detection model. The model tests signal data to identify a hazardous area, and only abnormal antigens within that hazardous area raise an alarm. Here we define the system resources occupied by the watched process as the signal data, and the system call sequence produced by the watched process as the antigen data. To obtain the data required for testing our system, we focused on the RPC daemon, collecting pairs of signal data and antigen data.

Finally, we present the theoretical model implemented as an intrusion detection system using a client/server architecture. Because the system requires multi-host and multi-stream support, the client and server communicate over the SCTP protocol. The client is mainly responsible for collating and sending data, and the server is mainly responsible for receiving and detecting data. The server consists of a response module for client connection requests, a data receiver module, a signal data detection module and an antigen data detection module. This work was supported by the National Natural Science Foundation of China (Grant No. 60703107) and the National High Technology Research and Development Program (863 Program) of China (Grant No. 2006AA01Z107).
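The abstract describes two mechanisms without giving their details: V-detector negative selection (random candidate detectors that survive only if they do not cover any self sample, each with a radius reaching up to the nearest self sample) and danger-theory gating (an abnormal antigen raises an alarm only while the signal data places the watched process in a hazardous area). The following Python example, added here and not part of the thesis or its implementation, shows both on constructed 2-D antigen features. The self radius, the resource thresholds that define the danger signal, the `update_detectors` strategy (a simplified stand-in, not the thesis's DVA update) and the sample points are all assumptions.

```python
import math
import random

# Assumed parameters (not from the thesis): radius of the self region around
# each self sample, and the resource-usage thresholds that define a danger signal.
SELF_RADIUS = 0.05
CPU_DANGER = 0.90
MEM_DANGER = 0.90


def distance(a, b):
    """Euclidean distance between two feature vectors of equal length."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def generate_v_detectors(self_set, dim, n_detectors, self_radius=SELF_RADIUS,
                         max_tries=20000, seed=1):
    """Negative selection with variable-radius (V-) detectors.

    Candidate centres are drawn uniformly from the unit hypercube. A candidate
    is kept only if it lies outside every self sample's neighbourhood; its
    radius is set so the detector reaches just up to the nearest self sample.
    """
    rng = random.Random(seed)
    detectors = []
    tries = 0
    while len(detectors) < n_detectors and tries < max_tries:
        tries += 1
        centre = tuple(rng.random() for _ in range(dim))
        nearest = min(distance(centre, s) for s in self_set)
        radius = nearest - self_radius
        if radius <= 0:
            continue  # candidate overlaps the self region: discarded
        detectors.append((centre, radius))
    return detectors


def is_nonself(antigen, detectors):
    """True if any detector covers the antigen, i.e. it is classified non-self."""
    return any(distance(antigen, centre) <= radius for centre, radius in detectors)


def update_detectors(detectors, new_self, self_radius=SELF_RADIUS):
    """Simplified dynamic update (an assumption, not the thesis's DVA strategy):
    when a new self sample is confirmed, drop detectors whose centre lies in its
    neighbourhood and shrink the others so they no longer cover it.
    """
    updated = []
    for centre, radius in detectors:
        allowed = distance(centre, new_self) - self_radius
        if allowed <= 0:
            continue
        updated.append((centre, min(radius, allowed)))
    return updated


def danger_signal(cpu_fraction, mem_fraction,
                  cpu_threshold=CPU_DANGER, mem_threshold=MEM_DANGER):
    """Signal-data check: the watched process is in a hazardous area when its
    resource usage exceeds either (assumed) threshold."""
    return cpu_fraction > cpu_threshold or mem_fraction > mem_threshold


def danger_gated_alarm(antigen, signal, detectors):
    """Alarm only for a non-self antigen observed while the danger signal is set."""
    return is_nonself(antigen, detectors) and signal


# Constructed sample data (not collected from any real RPC daemon): 2-D antigen
# features in [0, 1], e.g. normalised system-call frequency counts.
NORMAL_SELF = [(0.20, 0.20), (0.25, 0.20), (0.20, 0.25), (0.30, 0.30)]
DETECTORS = generate_v_detectors(NORMAL_SELF, dim=2, n_detectors=100)

if __name__ == "__main__":
    benign = (0.21, 0.22)
    unusual = (0.80, 0.80)
    print("benign antigen non-self:", is_nonself(benign, DETECTORS))
    print("unusual antigen, low load:",
          danger_gated_alarm(unusual, danger_signal(0.3, 0.4), DETECTORS))
    print("unusual antigen, high load:",
          danger_gated_alarm(unusual, danger_signal(0.95, 0.4), DETECTORS))
    # Confirming the unusual pattern as self removes it from the detector cover.
    print("after update:", is_nonself(unusual, update_detectors(DETECTORS, unusual)))
```

By construction a detector's radius is always smaller than its distance to every self sample, so any antigen within `SELF_RADIUS` of a self sample can never be reported; the danger gate then suppresses alarms for unfamiliar antigens seen under normal resource load, which is the false-positive reduction the abstract attributes to combining danger theory with negative selection.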
Keywords/Search Tags: Host intrusion detection, Artificial immunity, NSA, Danger theory