
Artificial Immunity-based Intrusion Detection System

Artificial Immunity-based Intrusion Detection System. Associate Prof. Fang Xian-jin. Computer School of AUST. Background. With the development of computer and network technology, information security is becoming very significant.



Presentation Transcript


  1. Artificial Immunity-based Intrusion Detection System Associate Prof. Fang Xian-jin Computer School of AUST

  2. Background
     • With the development of computer and network technology, information security is becoming very significant.
     • Solution: data encryption, authentication, authorization and access control, digital signature, firewall, intrusion detection system, VPN, anti-virus technology.

  3. Background
     • The firewall is the first line of security defense, but it can't prevent attacks from the intranet.
     • An IDS can provide real-time detection and implement a defense strategy; its main purpose is to deal with inner attacks.

  4. Intrusion Detection System
     • What is the IDS? Input can be OS logs, network data packets, application system logs, firewall logs, etc.
     [Figure: Input → Intrusion Detection → Normal / Anomalous]

  5. Intrusion Detection System
     • General study methodology in IDS
       • Misuse detection: a rule-based detection technology, namely P-best. The related technology is the pattern matching algorithm.
       • Anomaly detection: an activity-based detection technology. First, a normal activity profile is created; then the deviation amplitude between input activity and the normal activity profile is evaluated.
     • The following methods are used to study IDS:
       • Statistical method [1]
       • Data mining method [2]
       • Artificial Immunity System [3]
       • Artificial neural network [4][5]
       • Fuzzy expert system [6]
       • P-best (product-based expert system tool-kit)
       • All kinds of classification and clustering methods

  6. Natural immune system & computer security
     Important properties of natural immune systems:
     • Multilayered protection
     • Highly distributed detector
     • Effector
     • Memory system
     • Diversity of detection ability across individuals
     • Inexact matching strategies
     • Sensitivity to most new foreign patterns

  7. To be continued!

  8. References
     [1] Stephanie Forrest, Steven A. Hofmeyr, Anil Somayaji. A Sense of Self for Unix Processes.
     [2] Wenke Lee and Salvatore J. Stolfo. Data mining approaches for intrusion detection. In: Proceedings of the 7th USENIX Security Symposium, 1998.
     [3] Steven Andrew Hofmeyr. An Immunological Model of Distributed Detection and Its Application to Computer Security [D]. Department of Computer Science, University of New Mexico, Albuquerque, NM, 1999.
     [4] Anup K. Ghosh, James Wanken, Frank Charron. Detecting anomalous and unknown intrusion against programs [C]. In: Proceedings of the 1998 Annual Computer Security Applications Conference (ACSAC'98), 1998.
     [5] Song Ge, Yan Qiao, Yu Jianping. Application of Neural Networks in Anomaly Detection [J]. Computer Engineering and Applications, 2002.18(146).
     [6] Li Zhitang, Yang Hongyun. Fuzzy Intrusion Detection Model [J]. Computer Engineering and Science, p49, Vol 22, No 2, 2000.
     [7] Herve Debar, Monique Becker, Didier Siboni. A Neural Network Component for an Intrusion Detection System. IEEE Symposium on Security and Privacy. Oakland, California: IEEE Computer Society, 1992: 256-266.
     [8] C.R. Gent, C.P. Sheppard. Predicting time series by a fully corrected neural network trained by back propagation [J]. Computing and Control Engineering Journal, 1992: 12(5): 123~127.
     [9] Anup K. Ghosh, Aaron Schwartzbard, Michel Schatz, et al. Learning program behavior profile for intrusion detection and network monitoring. Santa Clara, CA: IEEE Computer Society, 1999: 9~12.
     [10] Cannady. Artificial neural network for misuse detection [C]. In: Proceedings of the 1998 National Information System Security Conference (NISSC'98), Arlington, VA, 1998: 443-456.
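
The anomaly-detection procedure from slide 5 (create a normal activity profile, then measure how far input activity deviates from it), as an added example that is not part of the original slides. It assumes a sliding-window profile over system-call names, a window size of 3 and a threshold of 0.4; the slides specify none of these, and all traces are constructed sample data.

```python
from typing import Iterable, List, Set, Tuple

Window = Tuple[str, ...]

def windows(trace: List[str], k: int) -> List[Window]:
    """All length-k sliding windows of a trace (empty if the trace is shorter than k)."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]

def build_profile(normal_traces: Iterable[List[str]], k: int) -> Set[Window]:
    """Normal activity profile: every window observed in attack-free traces."""
    profile: Set[Window] = set()
    for trace in normal_traces:
        profile.update(windows(trace, k))
    return profile

def deviation(trace: List[str], profile: Set[Window], k: int) -> float:
    """Deviation amplitude: fraction of the trace's windows absent from the profile."""
    ws = windows(trace, k)
    if not ws:
        # Too short to judge: fail closed instead of silently passing (assumed policy).
        return 1.0
    return sum(w not in profile for w in ws) / len(ws)

def classify(trace: List[str], profile: Set[Window],
             k: int = 3, threshold: float = 0.4) -> str:
    """Label the input as on slide 4: 'normal' or 'anomalous'."""
    return "anomalous" if deviation(trace, profile, k) > threshold else "normal"

# Constructed training traces standing in for logs of normal behaviour.
NORMAL_TRACES = [
    "open read mmap read close".split(),
    "open read read close".split(),
    "open mmap read close".split(),
]
PROFILE = build_profile(NORMAL_TRACES, k=3)

# Constructed inputs: one seen in training, one slight variant, one unfamiliar.
SEEN = "open read mmap read close".split()
MINOR_VARIANT = "open read read read close".split()
SUSPECT = "open read execve socket connect close".split()

if __name__ == "__main__":
    for name, t in [("seen", SEEN), ("variant", MINOR_VARIANT), ("suspect", SUSPECT)]:
        print(name, round(deviation(t, PROFILE, 3), 2), classify(t, PROFILE))
```

The threshold is what trades false alarms against missed detections: lowering it below 1/3 would flag the slight variant, which differs from training in a single window.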
