A Hierarchy Immune Model For Web Server Intrusion Detection

With the rapid development of the Internet and the increasing number of websites,the security issues of Web servers are becoming more and more important.The emergence of network attack behaviors makes the construction of Web server intrusion detection system imminent.The immune algorithms currently used in Web server intrusion detection mainly include two kinds: the Dendritic Cell Algorithm and the Negative Selection Algorithm.Although the Dendritic Cell Algorithm can detect unknown intrusion behavior,the inaccuracy of signal extraction leads to a high false alarm rate.The Negative Selection Algorithm is a single-class learning algorithm,which has a better detection result on the trained intrusion types.But it cannot detect unknown intrusion behavior.The problems of the above two immune algorithms are related to the simulated immune mechanism.The Dendritic Cell Algorithm is based on the innate immune mechanism,which is the innate ability of a species.Its role is to present antigens regardless of type.The Negative Selection Algorithm is based on a specific immune mechanism which is generated by the individual's acquired learning.It can only recognize specific antigens.The innate and specific mechanisms of immunity are complementary.The innate layer can recognize unknown pathogens and present antigens for the specific layer's further processing.The specific layer can recognize the antigen which invaded again,and give a faster and stronger immune response.The complete immune mechanism can make up for the problems of the above two immune algorithms.Inspired by the above immune mechanism,this paper proposes a Hierarchy Immune Model for Web server intrusion detection,and solves the problems that the adaptability and accuracy of existing immune algorithms cannot be achieved at the same time.The Hierarchy Immune Model proposed in this paper can be divided into a congenital layer and a specific layer structurally.The innate layer divides the original dataset into a safe antigen set and a dangerous antigen set,which means normal dataset and dataset that may be abnormal.The specific layer establishes detectors for each category and classifies input data's category.The total process can be divided into the following two steps:The Training Process.It means the initial immune response stage.First,construct detectors for different categories to form an initial detector set of each category.Then use the Clonal Selection Algorithm to find the optimal set of detectors for this category.Finally,the combination of category and its optimal detector set is used as immune memory.The Test Process.It means the secondary immune response stage.Use the memory detectors to detect each data of the dangerous antigen set.During the detection,the specific antigen type is determined by calculating the distance between the antigen and the center of the detector and comparing with the radius of the detector.The data in the dangerous antigen set which is not recognized by the detectors are unknown types.Finally,this paper uses the KDD-Cup99 network intrusion detection data set as the experimental data set,and designs two sets of comparative experiments.Compared with the Dendritic Cell Algorithm,the experiment uses the accuracy rate,false alarm rate and other classification indicators to evaluate.The experimental results show that the Hierarchy Immune Model can not only obtain the invasion category,but also greatly reduce the false alarm rate.The false alarm rate has been reduced by 36.7%.The comparison experiment with the Negative Selection Algorithm uses the evaluation indicators of multiple types and unbalanced samples such as G-Mean,F-Measure,and ROC.The experimental results prove that the Hierarchy Immune Model can not only detect unknown types of invasion,but also continuously learn new ones.The Hierarchy Immune Model is more in line with the characteristics of immune adaptation and self-learning.