Intrusion detection based on immunological principles is an active topic in intrusion detection research; its characteristic is that the detection of, and response to, intrusive behaviour are achieved using immunological principles, rules and mechanisms. This dissertation discusses the application of algorithms drawn from immunology to intrusion detection, together with the related issues of intrusion detection based on immunological principles. Building on a summary of earlier work, several key technologies are discussed and a network intrusion detection model is then designed.

1. This dissertation surveys the status quo of IDS (Intrusion Detection Systems) based on immunological principles and identifies the problems and deficiencies of the related key technologies.

By analogy of functionality, structure and detection ability, the similarities between the immune system and an intrusion detection system are identified and a concept mapping between them is established; this mapping is the premise for applying immune theory to the study of intrusion detection systems.

The key technologies of the LISYS model developed by Forrest et al. and the two-tier IDS model developed by Kim and Bentley et al. are examined in depth. LISYS simulates only part of the theory of the biological immune system, and the following problems remain to be solved: first, the negative selection algorithm used to produce mature detectors has deficiencies, in particular that randomly generated detectors may match one another; second, "detection leaks" exist.
In the model developed by Kim and Bentley et al., negative selection, clonal selection and memory are all taken into account, but the memory detector set may be redundant.

2. This dissertation improves the negative selection algorithm, i.e. the generation algorithm for mature detectors.

To address the mutual matching between randomly generated detectors in the original algorithm, a filter function is added: only strings that match no element of the existing set are added to the detector set, so the detectors are guaranteed not to match one another. Theoretical and experimental verification also shows that the overall detection ability of the generated detectors exceeds that of the original algorithm, which means the improved algorithm has much more practical value when system resources are limited.

3. The "leak" problem is studied and a new algorithm is proposed for judging whether an arbitrary pattern is detectable.

The causes of leaks are classified and analysed. Using a search method that tries and traces string templates against random patterns, the new algorithm generates a mature detector for each detectable leak. These mature detectors dynamically supplement the detector set, which reduces the number of leaks.

4. The memory detector set is optimised and maintained using an affinity mutation mechanism and a "least recently used" selection policy.

Memory detectors are first generated by an affinity mutation algorithm; then, to address redundancy in the set, they are filtered using the abnormal patterns already detected. This guarantees both that every memory detector is necessary and effective and that the memory detectors "remember" all of the abnormal characteristics matched, so an intrusion that recurs can be recognised rapidly.
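Items 2 and 3 above, shown together as an added Python example that is not the dissertation's code: negative selection with the filter against mutually matching detectors, and a check of which nonself patterns the resulting set misses, split into coverable leaks (a mature detector can be generated for them) and true holes (no valid detector can ever match them). Everything here is an assumption: the r-contiguous-bits matching rule, 8-bit patterns, the two-string self set `SELF`, the seed, and a brute-force candidate enumeration in place of the dissertation's template trial-and-trace search.

```python
"""Negative selection with an r-contiguous-bits matcher, a filter against
mutually matching detectors, and a brute-force "detection leak" check.
Added example, not the dissertation's code. L, R, SELF and the seed are
constructed assumptions chosen small enough to enumerate every pattern."""
import random
from itertools import product

L = 8  # pattern length in bits (assumption)
R = 4  # r-contiguous matching threshold (assumption)
SELF = {"00000000", "11111111"}  # constructed self (normal) patterns


def matches(a: str, b: str, r: int = R) -> bool:
    """r-contiguous-bits rule: a and b match if they agree on r or more consecutive positions."""
    run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        if run >= r:
            return True
    return False


def matches_self(p: str, self_set) -> bool:
    return any(matches(p, s) for s in self_set)


def generate_detectors(self_set, n, rng, filter_mutual=True, max_tries=5000):
    """Negative selection: a random candidate survives only if it matches no self string.
    With filter_mutual=True a candidate is also dropped when it matches an already
    accepted detector, so the final set contains no mutually matching detectors."""
    detectors = []
    for _ in range(max_tries):
        if len(detectors) >= n:
            break
        cand = "".join(rng.choice("01") for _ in range(L))
        if matches_self(cand, self_set):
            continue
        if filter_mutual and any(matches(cand, d) for d in detectors):
            continue
        detectors.append(cand)
    return detectors


def all_patterns():
    return ("".join(bits) for bits in product("01", repeat=L))


def cover_leak(p: str, self_set, detectors=()):
    """Search for a mature detector that matches p and no self string (the mutual-match
    filter is not applied here). Returns None when p is self, is already detected,
    or is undetectable by any valid detector (a true hole)."""
    if p in self_set or any(matches(p, d) for d in detectors):
        return None
    for cand in all_patterns():
        if matches(cand, p) and not matches_self(cand, self_set):
            return cand
    return None


def is_detectable(p: str, self_set) -> bool:
    return p not in self_set and cover_leak(p, self_set) is not None


def find_holes(self_set):
    """Nonself patterns that no valid detector can ever match."""
    return [p for p in all_patterns() if p not in self_set and not is_detectable(p, self_set)]


def undetected_nonself(self_set, detectors):
    """Nonself patterns the current detector set misses: (coverable leaks, true holes)."""
    leaks, holes = [], []
    for p in all_patterns():
        if p in self_set or any(matches(p, d) for d in detectors):
            continue
        (leaks if is_detectable(p, self_set) else holes).append(p)
    return leaks, holes


def run(seed: int = 7, n: int = 6):
    """Build a filtered detector set for SELF and report what it still misses."""
    dets = generate_detectors(SELF, n, random.Random(seed))
    leaks, holes = undetected_nonself(SELF, dets)
    return dets, leaks, holes


if __name__ == "__main__":
    dets, leaks, holes = run()
    print("detectors:", dets)
    print(f"missed but coverable: {len(leaks)}, true holes: {len(holes)}")
    if leaks:
        print("mature detector generated for the first leak:", cover_leak(leaks[0], SELF, dets))
```

With this self set every nonself pattern contains a mixed 4-bit window, so `find_holes` returns nothing; the interesting quantity is how many leaks a detector set of a given size still leaves, and `cover_leak` plays the role of the dissertation's dynamic supplement to the detector set.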
Memory detectors that have lost their high detection ability or that match normal patterns are deleted in a certain proportion, ordered by the time they last matched an abnormality, so that the set can accommodate newly generated memory detectors and the detection range is enlarged.

5. A network-based intrusion detection system model and the scheme of its main function modules are designed.

The model adopts a framework of distributed detection with central management, which gives it the advantages of distribution and robustness; it generates mature detectors with the improved algorithm and develops memory detectors through the memory mechanism. The model optimises the memory detectors periodically, so it is adaptive and lightly loaded, and it detects not only unknown intrusions but also known ones, the latter more rapidly.
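The memory detector maintenance of item 4, as an added Python example (not the dissertation's code): a mature detector that fired is cloned and mutated with a flip rate that falls as its affinity to the abnormal pattern rises, memory detectors that are redundant against the abnormal patterns already detected are filtered out, and the least recently matched detectors (plus any that match a normal pattern) are deleted by proportion. The matching rule, the self set `SELF`, the sample detectors and patterns, and the mutation parameters are all constructed assumptions.

```python
"""Maintenance of the memory detector set: affinity mutation of a mature detector
that fired, filtering of memory detectors that are redundant against the abnormal
patterns already detected, and deletion by proportion of the least recently
matched detectors. Added example, not the dissertation's code; R, SELF, the
sample patterns and the mutation parameters are constructed assumptions."""
import random

R = 4  # r-contiguous matching threshold (assumption)
SELF = {"00000000", "11111111"}  # constructed self (normal) patterns


def affinity(a: str, b: str) -> int:
    """Longest run of consecutive agreeing bits; used as the affinity score."""
    best = run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        best = max(best, run)
    return best


def matches(a: str, b: str) -> bool:
    """r-contiguous-bits rule: a and b match when they agree on R consecutive positions."""
    return affinity(a, b) >= R


def affinity_mutation(detector, abnormal, self_set, rng, clones=30, rate=0.3):
    """Clonal selection step: clone the detector that matched `abnormal`, flip each bit
    with a probability that shrinks as affinity grows, and keep the clone with the
    highest affinity to the abnormal pattern that still matches no self pattern."""
    best, best_aff = detector, affinity(detector, abnormal)
    for _ in range(clones):
        p_flip = rate * (1 - best_aff / len(detector))
        clone = "".join(("1" if b == "0" else "0") if rng.random() < p_flip else b
                        for b in best)
        if any(matches(clone, s) for s in self_set):
            continue  # would raise false alarms on normal traffic
        aff = affinity(clone, abnormal)
        if aff > best_aff:
            best, best_aff = clone, aff
    return best


class MemorySet:
    """Memory detectors, each tagged with the time it last matched an abnormal pattern."""

    def __init__(self):
        self.last_hit = {}  # detector -> time of its most recent abnormal match

    def add(self, detector: str, now: int) -> None:
        self.last_hit.setdefault(detector, now)

    def check(self, pattern: str, now: int) -> bool:
        """True when a memory detector recognises the pattern; refreshes its recency."""
        hit = False
        for d in self.last_hit:
            if matches(d, pattern):
                self.last_hit[d] = now
                hit = True
        return hit

    def filter_redundant(self, abnormal_patterns):
        """Keep only necessary detectors: every abnormal pattern seen stays matched,
        and no kept detector's patterns are all matched by the other kept detectors."""
        cover = {d: {p for p in abnormal_patterns if matches(d, p)} for d in self.last_hit}
        kept, covered = [], set()
        for d in sorted(cover, key=lambda d: -len(cover[d])):  # widest coverage first
            if cover[d] - covered:
                kept.append(d)
                covered |= cover[d]
        for d in list(kept):
            others = set().union(*(cover[o] for o in kept if o != d))
            if cover[d] <= others:
                kept.remove(d)
        self.last_hit = {d: self.last_hit[d] for d in kept}
        return kept

    def prune(self, self_set, fraction: float = 0.5):
        """Delete detectors that match a normal pattern outright, then delete the given
        proportion of the rest, least recently matched first, to make room for new ones."""
        removed = [d for d in self.last_hit if any(matches(d, s) for s in self_set)]
        survivors = sorted((d for d in self.last_hit if d not in removed),
                           key=lambda d: self.last_hit[d])
        removed += survivors[:int(len(survivors) * fraction)]
        for d in removed:
            del self.last_hit[d]
        return removed


def demo_mutation(seed: int = 3) -> str:
    """Constructed scenario: mature detector '10001010' matched abnormal pattern
    '00001111'; return the memory detector derived from it by affinity mutation."""
    return affinity_mutation("10001010", "00001111", SELF, random.Random(seed))


if __name__ == "__main__":
    mem = MemorySet()
    mem.add(demo_mutation(), now=1)
    print(mem.last_hit, mem.check("00001111", now=2))
```

`filter_redundant` is a greedy set cover followed by a necessity pass, so after it every abnormal pattern seen is still matched and removing any remaining detector would lose a pattern; `prune` orders by `last_hit` and so implements the "least recently used" deletion.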