SlideShare a Scribd company logo

Artificial immunity using constraint based detectors

U
UltraUploader
1 of 6
Download to read offline
ARTIFICIAL IMMUNITY USING CONSTRAINT-BASED DETECTORS Haiyu Hou Jun Zhu Gerry Dozier Department of Computer Science and Software Engineering Auburn University Auburn, AL 36849 ABSTRACT In this paper, an artificial Immune system (AIS) is used to detect abnormality in a computer network in an effort to provide protection from illegal intrusion and unauthorized use. The problem of anomaly detection can be addressed as the problem of distinguishing self patterns from non-self patterns. The self patterns could be any variety of characteristics of a system or its users. Detectors of an AIS recognize non-self patterns and invoke an alarm. In this work, an AIS was used to monitor simulated TCP/IP traffic on a simulated broadcast local area network. Detectors, in the form of interval constraints, were used to develop a simple and effective AIS. KEYWORDS: AIS, intrusion detection, self pattern, non-self pattern, constraint-based detector INTRODUCTION The immune system is critical in protecting the human body against the natural environment that contains a wide variety of pathogens in the form of viruses and bacteria [5]. Upon entering the body, these pathogens elicit immune system responses, during which antibody-mediated immunity kills and clears them from the body [5]. An artificial immune system (AIS) [4], inspired by the vertebrate immune system, is an automated system that can be used as the basis of a network security system. An AIS can monitor the traffic on a network and detect suspicious behavior [4]. An AIS can accomplish this by classifying normal traffic as self and abnormal traffic as non-self [1, 4]. Many researchers have investigated the effectiveness of AISs for computer security [1, 2, 4] and network security [3]. However these approaches have used binary coded detectors. In this paper, we propose an alternative network-based AIS that uses detectors that are coded as interval constraints. Τhe remainder of this paper is as follows. In the next section, we briefly explain the rationale on our AIS, next discuss our implementation followed a discussion of our problem set. Next we present our results followed by our conclusions.
RATIONALE The problem of anomaly detection can be addressed as distinguishing self patterns from non-self patterns[1]. The patterns could be a variety of characteristics of a system, such as the sequence of system calls [1, 3], the specification of a TCP/IP packet [4]. Our AIS monitors the TCP/IP traffic on a local area network (LAN). Each incoming or outgoing packet is broadcast to all the hosts on the LAN. For each packet, its source IP, destinations IP and port number on the internal host compose a data path triple (DP3) [4], which, as a pattern of the packet, is inspected by AIS; abnormal patterns are recognized as non-self. Non-self patterns will correspond to either a network intrusion by an external hacker, or misuse by an internal user. An AIS contains immature, mature and memory detectors [4]. Mature and memory detectors are responsible detecting anomalous activity. The immature detectors are randomly generated and must go through an immunological process called negative selection [4], during which illegitimate detectors which bind to self DP3s are killed. Immature detectors that have survived the process of negative selection will bind to non- self DP3s and become mature detectors. A mature detector has a lifespan during which it must catch at least one non-self DP3; otherwise it dies. After a mature detector matches a non-self DP3, it becomes a memory detector that has a longer lifespan than mature detectors. If a memory or mature detector matches a DP3 transmitted on the network, an alarm message is sent the network administrator. This is similar to what is proposed in [4]. IMPLEMENTATION Our implementation is as modified from [4]. For a TCP/IP packet, at least one internal host is involved in the connection. An IP address is composed of 4 bytes. For a class C LAN, the least significant byte is enough to identify an internal host, while the 4 bytes are all needed to specify the external hosts. The port on a host is identified by 2 bytes, which give 64k different numbers. To simplify the process, the port numbers is mapped into 69 categories according to [4]. Thus, a DP3 has 6 integers to specify a packet, with 4 integers for an external host IP address, 1 integer for the internal host IP address, and 1 integer for the port on the internal host. The first 5 integers range between 0 and 255, and the last integer ranges from 0 to 68. Another bit is included to indicate packet direction. If it’s an incoming packet, this bit is set to 0, and it’s set to 1 if the packet is outgoing. Accordingly, our constraint-based detectors are composed of 6 pairs of integer intervals and 1 direction bit. If an interval covers the corresponding number, the detector matches this field. If the detector matches the direction bit and all the six fields of a DP3, the detector matches the DP3 completely. A match threshold is set to adjust the specificity or generality for detectors to match a DP3. The match is most specific if the threshold is set to 6, and most general if the threshold is set to 1. The self set is composed of DP3s that represent normal activity on the network. It is reasonable to assume that the DP3s of the self set can be divided into separate sub self sets because the connections are between LANs and all the external hosts on a single
LAN have the same network address. For example, if 5 LANs have hosts connecting to a sixth LAN, then the self set of this sixth LAN may be classified into 5 clusters (or sub- self sets). EXPERIMENT SET-UP A simulation of 10 hosts each running an AIS was studied. Each of the AISs contained 100 constraint-based detectors. The self set had a size of 2000 DP3s, which were randomly generated and evenly spread into a number of clusters. There were several variables in setting up the experiment, including match threshold, number of self-clusters, and the lifespan of immature detectors. The lifespan of mature detectors was set to 100,000, which means it must match a non-self DP3 within 100,000 DP3 transmission on the network, or it dies and is replaced by a randomly generated immature detector. The lifespan of a memory detector was set to 200,000. The match threshold took on values between 1 and 6. The number of self-clusters took on values from the set {1, 2, 4, 5, 8, 10, 20, 25, 40, 50, 80, 100}. The lifespan of for immature detectors was selected from the set {10000, 15000, 20000}. For each possible set of parameters the resulting network security system was trained and tested 30 runs. A non-self set, consisting of 200 DP3s, was created by randomly generated. The self and non-self sets for each of the 30 runs were mutually exclusive. The experiment was divided into two stages. In the first stage, the training was carried out by randomly picking self-patterns from the self set and feeding them to the AISs. The training stage lasted for 150,000 iterations which equivalent to transmitting 150,000 DP3s across the simulated LAN. False positives were counted for the last 29,000 iterations in the first stage. In the testing stage, non-self patterns, or simulated attacks, were fed to the system to test the efficiency of detection. The number non-self DP3s identified by the system was summed up, and the summation divided by 200 in order to compute the detection rate. This was repeated nine additional times with nine other non- self sets being fed into the system, which resulted in 10 detection rates. The overall detection rate was calculated as the average of these 10 detection rates. RESULTS Average detection rates over various system settings are shown in Figures 1 - 3. From these figures, it can be seen that the detection rate went down when the number of clusters increased. However, for match thresholds of 2 and 3, the detection rates remained close to 1.0 until the cluster number increased beyond 40. The detection rate dropped because the increasing in self-clusters means more diversity in the self patterns, which requires more learning time and more memory resources as well. It’s reasonable to predicate that longer the training time and the larger size of the detector set the better the detection rate when working with a larger number of self-clusters. It can also be observed that for the best systems (those with a match threshold of 3 or 4 in Figures 1-3) a longer lifespan for immature detectors causes a decreased the detection rate. The reason is that the longer the immature detector lifespan, the greater chance for the immature detector to match a self-pattern during negative selection. This lessens the chance of an immature detector surviving negative selection and developing
into a mature detector. This, in turn, reduces the total number of mature detectors in the system. Although the resulting system may have fewer mature detectors, with a longer immature detector lifespan, the mature detectors are less likely to bind to self patterns which reduces the number of false positives generated. The issue of false positives will be discussed later. Life-Sp an o f Im m ature D etecto rs:10 00 0 0 0.2 0.4 0.6 0.8 1 1 2 4 5 8 10 20 25 40 50 80 100 Cluster s M T:1 M T:2 M T:3 M T:4 M T:5 M T:6 Life-Sp an o f Im m ature D etecto rs:1500 0 0 0.2 0.4 0.6 0.8 1 1 2 4 5 8 10 20 25 40 50 80 100 Cluster s M T:1 M T:2 M T:3 M T:4 M T:5 M T:6 Figure 1. Detection rate with lifespan of immature Figure 2. Detection rate with lifespan of immature detector set to 10000 detector set to 15000 Life-Span of Immature Detectors: 20000 0 0.2 0.4 0.6 0.8 1 1 2 4 5 8 10 20 25 40 50 80 100 Clusters DetectionRate MT: 1 MT: 2 MT: 3 MT: 4 MT: 5 MT: 6 False Positive with Match Threshold 2 0 5 10 15 20 25 Clusters FalsePositive LifeSpan: 10000 LifeSpan: 15000 LifeSpan: 20000 Figure 3. Detection rate with lifespan of immature Figure 4. False positives when the matching detector set to 20000 threshold was 2 In Figures 1-3, one can see that the match threshold is more important than the lifespan of immature detectors. It can be seen in figures that match thresholds of 3 and 4 were consistently the better performers. Lower threshold for a detector to match to a pattern means a relaxed constrain satisfaction, thus the immature detector got greater possibility to match to some pattern. This leads to less amount of mature detector with the same logic related above. On the other hand, high threshold leads to more mature detectors, however, these detectors have more trouble to match a pattern, even if it’s an obvious non-self pattern. So there’s a balance between the two, at which highest detection rate takes place. The number of self clusters also affects the setting of match threshold. If the number of self-clusters was below 25, 2 might be an ideal choice because the detection rate was kept very close to 1.0; however, it would be more advisable to choose 3 if the self patterns fall into more clusters because the detection rate with 3 as match threshold was kept over 0.95 even the cluster number reached 50 if the lifespan of immature detector was set to 10000.
The relationship between false positives and match threshold are shown in Figures 4 - 8. Match threshold of 1 resulted in 0 false positives regardless of the number of self clusters. It can be seen that increasing clusters increased the diversity of the self DP3s, which resulted in more false positives. This basically matches with the results as shown in Figures 1 - 3, except that when the match threshold was set to 2 there was a peak in the number of false positives for unknown reasons. From Figure 1 it can be seen that for match threshold of 2, the detection rate was kept very close to 1.0 until the number of clusters increased to 25, when it began to drop, and it was at this point that highest false positive rate occurred. When the cluster number exceeded 25, the detection rate dropped and so did the number of false positives. This was because with more diversity in the self DP3s, the system had fewer mature detectors and more difficulty matching a DP3, no matter it would be a false positive in the training phase, or it was a true intrusion in the testing phase. It was also observed that different settings on match threshold had a significant effect on the number of false positives generated, except for match threshold of 1. When the match threshold was set to 3 or 4, the system had the highest false positive rate, at which point the system also gave the highest detection rate, and the false positive dropped when the match threshold increased to 5 and 6. If the system is capable of recognizing more DP3s, it also potentially generates more false positives. So, there’s a trade-off between the detection rate and the accuracy of the detection. If the security of the network system were more concerned, higher detection rate would be more desired over the accuracy while false alarms are not much trouble, then a shorter immature detector lifespan and a match threshold of 3 or 4 would be suitable. The size of the self set was set to 2000 for the results reported here, however, we also tested the system with self set of varied size, and it turned out the self set size did not noticeably affect the system effectiveness. False Positive with Match Threshold 3 0 10 20 30 40 50 60 70 80 90 100 Clusters FalsePositive LifeSpan: 10000 LifeSpan: 15000 LifeSpan: 20000 F alse P o sitive w ith M atch T hresho ld 4 0 10 20 30 40 50 60 70 1 2 4 5 8 10 20 25 40 50 80 100 Cluster s LifeSpan:10000 LifeSpan:15000 LifeSpan:20000 Figure 5. False positives when the matching Figure 6. False positives when the matching threshold was 3 threshoold was 4 CONCLUSION We proposed an alternative approach to build an simple and efficient AIS. Constraint- based detector is easier to understand compared with binary string based detector [3], which facilitates the system security officer to analyze the network traffic when intrusion happens.
F alse P o sitive w ith M atch T hresho ld 5 0 5 10 15 20 25 30 35 1 2 4 5 8 10 20 25 40 50 80 100 Cluster s LifeSpan:10000 LifeSpan:15000 LifeSpan:20000 F alse P o sitive w ith M atch T hresho ld 6 0 1 2 3 4 5 6 7 8 1 2 4 5 8 10 20 25 40 50 80 100 Cluster s LifeSpan:10000 LifeSpan:15000 LifeSpan:20000 Figure 7. False positives when the matching Figure 8. False positives when the matching threshold was 3 threshoold was 4 The diversity of the self patterns decides the difficulty of the detection problem, which significantly influences the effectiveness of the AIS. The match threshold decides the specificity or generality of the match between detectors and patterns. A high match threshold results in more mature detectors that match patterns more specifically, while a low match threshold results in fewer mature detectors that match patterns more generally. The detection rate might be low if the match threshold is either too high or too low. The lifespan of an immature detector may also affect the number of mature detectors generated during the training phase. The longer the lifespan of immature detectors the fewer number of mature detectors there may be. This can lead to a lower detection rate. Effectiveness and accuracy are two important requirements for a good intrusion detection system. If the diversity of the self patterns were low with respect to the size of the AIS, the system would be both effective and accurate, giving a high anomaly detection rate and low false positive rate. However, if the self patterns showed high diversity with respect to the size of the AIS, there would be a trade-off between effectiveness and accuracy, one of which might be sacrificed for the other. REFERENCES 1. S. Forrest, S. Hofmeyr, A. Somayaji and T. Longstaff, “A Sense of Self for Unix Processes”. Proceedings of IEEE Symposium on Security and Privacy, 120 –128 (1996). 2. P. Harmer and G. Lamont, “An Agent Based Architecture for a Computer Virus Immune System”. Proceedings of the Genetic and Evolutionary computation Conference, (2000). 3. S. Hofmeyr, A. Somayaji and S. Forrest, “Intrusion Detection using Sequences of System Calls”. Journal of Computer Security 6: pp. 151-180 (1998). 4. S. Hofmeyr and S. Forrest, “Immunity by Design: An Artificial Immune System”. Proceedings of the Genetic and Evolutionary Computation Conference, (1999). 5. D. Krogh, “The Immune System: Defending the Body from Invaders”. Biology, ISBN: 0023668911 (2000).

Recommended

An Assessment of Security Mechanisms Against Reactive Jammer Attack In Wirele...
An Assessment of Security Mechanisms Against Reactive Jammer Attack In Wirele...An Assessment of Security Mechanisms Against Reactive Jammer Attack In Wirele...
An Assessment of Security Mechanisms Against Reactive Jammer Attack In Wirele...
ijfcstjournal
 
Ip trace ppt
Ip trace pptIp trace ppt
Ip trace ppt
deepakmarndi
 
An improved ip traceback mechanism for network
An improved ip traceback mechanism for networkAn improved ip traceback mechanism for network
An improved ip traceback mechanism for network
eSAT Publishing House
 
Ip traceback seminar full report
Ip traceback seminar full reportIp traceback seminar full report
Ip traceback seminar full report
deepakmarndi
 
Overview of IP traceback mechanism
Overview of IP traceback mechanismOverview of IP traceback mechanism
Overview of IP traceback mechanism
ibnu mubarok
 
Detection and localization of multiple spoofing attackers in wireless networks
Detection and localization of multiple spoofing attackers in wireless networksDetection and localization of multiple spoofing attackers in wireless networks
Detection and localization of multiple spoofing attackers in wireless networks
JPINFOTECH JAYAPRAKASH
 
Passive ip traceback disclosing the locations
Passive ip traceback disclosing the locationsPassive ip traceback disclosing the locations
Passive ip traceback disclosing the locations
jpstudcorner
 
Enhanced green firewall for
Enhanced green firewall forEnhanced green firewall for
Enhanced green firewall for
ijistjournal
 

Recommended

An Assessment of Security Mechanisms Against Reactive Jammer Attack In Wirele...
An Assessment of Security Mechanisms Against Reactive Jammer Attack In Wirele...An Assessment of Security Mechanisms Against Reactive Jammer Attack In Wirele...
An Assessment of Security Mechanisms Against Reactive Jammer Attack In Wirele...
ijfcstjournal
 
Ip trace ppt
Ip trace pptIp trace ppt
Ip trace ppt
deepakmarndi
 
An improved ip traceback mechanism for network
An improved ip traceback mechanism for networkAn improved ip traceback mechanism for network
An improved ip traceback mechanism for network
eSAT Publishing House
 
Ip traceback seminar full report
Ip traceback seminar full reportIp traceback seminar full report
Ip traceback seminar full report
deepakmarndi
 
Overview of IP traceback mechanism
Overview of IP traceback mechanismOverview of IP traceback mechanism
Overview of IP traceback mechanism
ibnu mubarok
 
Detection and localization of multiple spoofing attackers in wireless networks
Detection and localization of multiple spoofing attackers in wireless networksDetection and localization of multiple spoofing attackers in wireless networks
Detection and localization of multiple spoofing attackers in wireless networks
JPINFOTECH JAYAPRAKASH
 
Passive ip traceback disclosing the locations
Passive ip traceback disclosing the locationsPassive ip traceback disclosing the locations
Passive ip traceback disclosing the locations
jpstudcorner
 
Enhanced green firewall for
Enhanced green firewall forEnhanced green firewall for
Enhanced green firewall for
ijistjournal
 
Speedy ip trace back(sipt) for identifying sadhan
Speedy ip trace back(sipt) for identifying sadhanSpeedy ip trace back(sipt) for identifying sadhan
Speedy ip trace back(sipt) for identifying sadhan
Sadan Kumar
 
INTERNATIONAL INDEXED REFEREED RESEARCH PAPER
INTERNATIONAL INDEXED REFEREED RESEARCH PAPERINTERNATIONAL INDEXED REFEREED RESEARCH PAPER
INTERNATIONAL INDEXED REFEREED RESEARCH PAPER
INTERNATIONAL INDEXED,REFERRED,MULTILINGUAL,INTERDISCIPLINARY, MONTHLY RESEARCH JOURNAL
 
Review of black hole and grey hole attack
Review of black hole and grey hole attackReview of black hole and grey hole attack
Review of black hole and grey hole attack
ijma
 
Passive ip traceback disclosing the locations of ip spoofers from path backsc...
Passive ip traceback disclosing the locations of ip spoofers from path backsc...Passive ip traceback disclosing the locations of ip spoofers from path backsc...
Passive ip traceback disclosing the locations of ip spoofers from path backsc...
Pvrtechnologies Nellore
 
DDOS
DDOSDDOS
DDOS
Maulik Kotak
 
Review on Detection & Prevention Methods for Black Hole Attack on AODV based ...
Review on Detection & Prevention Methods for Black Hole Attack on AODV based ...Review on Detection & Prevention Methods for Black Hole Attack on AODV based ...
Review on Detection & Prevention Methods for Black Hole Attack on AODV based ...
IJERD Editor
 
An enhanced ip traceback mechanism for tracking the attack source using packe...
An enhanced ip traceback mechanism for tracking the attack source using packe...An enhanced ip traceback mechanism for tracking the attack source using packe...
An enhanced ip traceback mechanism for tracking the attack source using packe...
IAEME Publication
 
Packet sniffer repot
Packet sniffer repotPacket sniffer repot
Packet sniffer repot
Kunal Thakur
 
Co35503507
Co35503507Co35503507
Co35503507
IJERA Editor
 
PASSIVE IP TRACEBACK: DISCLOSING THE LOCATIONS OF IP SPOOFERS FROM PATH BACKS...
PASSIVE IP TRACEBACK: DISCLOSING THE LOCATIONS OF IP SPOOFERS FROM PATH BACKS...PASSIVE IP TRACEBACK: DISCLOSING THE LOCATIONS OF IP SPOOFERS FROM PATH BACKS...
PASSIVE IP TRACEBACK: DISCLOSING THE LOCATIONS OF IP SPOOFERS FROM PATH BACKS...
I3E Technologies
 
Ijnsa050211
Ijnsa050211Ijnsa050211
Ijnsa050211
IJNSA Journal
 
Internet Worm Classification and Detection using Data Mining Techniques
Internet Worm Classification and Detection using Data Mining TechniquesInternet Worm Classification and Detection using Data Mining Techniques
Internet Worm Classification and Detection using Data Mining Techniques
iosrjce
 
50120140506007 2
50120140506007 250120140506007 2
50120140506007 2
IAEME Publication
 
Packet capture in network security
Packet capture in network securityPacket capture in network security
Packet capture in network security
Chippy Thomas
 
An os independent heuristics based worm-containment system
An os independent heuristics based worm-containment systemAn os independent heuristics based worm-containment system
An os independent heuristics based worm-containment system
UltraUploader
 
Firewalls (6)
Firewalls (6)Firewalls (6)
Firewalls (6)
Bhargu Bhargavi
 
AODV protocol and Black Hole attack
AODV protocol and Black Hole attackAODV protocol and Black Hole attack
AODV protocol and Black Hole attack
Raj Sikarwar
 
Ar03302620266
Ar03302620266Ar03302620266
Ar03302620266
ijceronline
 
A precise termination condition of the probabilistic packet marking algorithm...
A precise termination condition of the probabilistic packet marking algorithm...A precise termination condition of the probabilistic packet marking algorithm...
A precise termination condition of the probabilistic packet marking algorithm...
Mumbai Academisc
 
Malicious User Attack in Cognitive Radio Networks
Malicious User Attack in Cognitive Radio NetworksMalicious User Attack in Cognitive Radio Networks
Malicious User Attack in Cognitive Radio Networks
TELKOMNIKA JOURNAL
 
(E book) cracking & hacking tutorial 1000 pagine (ita)
(E book) cracking & hacking tutorial 1000 pagine (ita)(E book) cracking & hacking tutorial 1000 pagine (ita)
(E book) cracking & hacking tutorial 1000 pagine (ita)
UltraUploader
 
Becoming positive
Becoming positiveBecoming positive
Becoming positive
UltraUploader
 

More Related Content

What's hot

Review of black hole and grey hole attack
Review of black hole and grey hole attackReview of black hole and grey hole attack
Review of black hole and grey hole attack
ijma
 
Review on Detection & Prevention Methods for Black Hole Attack on AODV based ...
Review on Detection & Prevention Methods for Black Hole Attack on AODV based ...Review on Detection & Prevention Methods for Black Hole Attack on AODV based ...
Review on Detection & Prevention Methods for Black Hole Attack on AODV based ...
IJERD Editor
 
Packet sniffer repot
Packet sniffer repotPacket sniffer repot
Packet sniffer repot
Kunal Thakur
 
An os independent heuristics based worm-containment system
An os independent heuristics based worm-containment systemAn os independent heuristics based worm-containment system
An os independent heuristics based worm-containment system
UltraUploader
 
A precise termination condition of the probabilistic packet marking algorithm...
A precise termination condition of the probabilistic packet marking algorithm...A precise termination condition of the probabilistic packet marking algorithm...
A precise termination condition of the probabilistic packet marking algorithm...
Mumbai Academisc
 
Malicious User Attack in Cognitive Radio Networks
Malicious User Attack in Cognitive Radio NetworksMalicious User Attack in Cognitive Radio Networks
Malicious User Attack in Cognitive Radio Networks
TELKOMNIKA JOURNAL
 

What's hot (20)

Speedy ip trace back(sipt) for identifying sadhan
Speedy ip trace back(sipt) for identifying sadhanSpeedy ip trace back(sipt) for identifying sadhan
Speedy ip trace back(sipt) for identifying sadhan
 
INTERNATIONAL INDEXED REFEREED RESEARCH PAPER
INTERNATIONAL INDEXED REFEREED RESEARCH PAPERINTERNATIONAL INDEXED REFEREED RESEARCH PAPER
INTERNATIONAL INDEXED REFEREED RESEARCH PAPER
 
Review of black hole and grey hole attack
Review of black hole and grey hole attackReview of black hole and grey hole attack
Review of black hole and grey hole attack
 
Passive ip traceback disclosing the locations of ip spoofers from path backsc...
Passive ip traceback disclosing the locations of ip spoofers from path backsc...Passive ip traceback disclosing the locations of ip spoofers from path backsc...
Passive ip traceback disclosing the locations of ip spoofers from path backsc...
 
DDOS
DDOSDDOS
DDOS
 
Review on Detection & Prevention Methods for Black Hole Attack on AODV based ...
Review on Detection & Prevention Methods for Black Hole Attack on AODV based ...Review on Detection & Prevention Methods for Black Hole Attack on AODV based ...
Review on Detection & Prevention Methods for Black Hole Attack on AODV based ...
 
An enhanced ip traceback mechanism for tracking the attack source using packe...
An enhanced ip traceback mechanism for tracking the attack source using packe...An enhanced ip traceback mechanism for tracking the attack source using packe...
An enhanced ip traceback mechanism for tracking the attack source using packe...
 
Packet sniffer repot
Packet sniffer repotPacket sniffer repot
Packet sniffer repot
 
Co35503507
Co35503507Co35503507
Co35503507
 
PASSIVE IP TRACEBACK: DISCLOSING THE LOCATIONS OF IP SPOOFERS FROM PATH BACKS...
PASSIVE IP TRACEBACK: DISCLOSING THE LOCATIONS OF IP SPOOFERS FROM PATH BACKS...PASSIVE IP TRACEBACK: DISCLOSING THE LOCATIONS OF IP SPOOFERS FROM PATH BACKS...
PASSIVE IP TRACEBACK: DISCLOSING THE LOCATIONS OF IP SPOOFERS FROM PATH BACKS...
 
Ijnsa050211
Ijnsa050211Ijnsa050211
Ijnsa050211
 
Internet Worm Classification and Detection using Data Mining Techniques
Internet Worm Classification and Detection using Data Mining TechniquesInternet Worm Classification and Detection using Data Mining Techniques
Internet Worm Classification and Detection using Data Mining Techniques
 
50120140506007 2
50120140506007 250120140506007 2
50120140506007 2
 
Packet capture in network security
Packet capture in network securityPacket capture in network security
Packet capture in network security
 
An os independent heuristics based worm-containment system
An os independent heuristics based worm-containment systemAn os independent heuristics based worm-containment system
An os independent heuristics based worm-containment system
 
Firewalls (6)
Firewalls (6)Firewalls (6)
Firewalls (6)
 
AODV protocol and Black Hole attack
AODV protocol and Black Hole attackAODV protocol and Black Hole attack
AODV protocol and Black Hole attack
 
Ar03302620266
Ar03302620266Ar03302620266
Ar03302620266
 
A precise termination condition of the probabilistic packet marking algorithm...
A precise termination condition of the probabilistic packet marking algorithm...A precise termination condition of the probabilistic packet marking algorithm...
A precise termination condition of the probabilistic packet marking algorithm...
 
Malicious User Attack in Cognitive Radio Networks
Malicious User Attack in Cognitive Radio NetworksMalicious User Attack in Cognitive Radio Networks
Malicious User Attack in Cognitive Radio Networks
 

Viewers also liked

(E book) cracking & hacking tutorial 1000 pagine (ita)
(E book) cracking & hacking tutorial 1000 pagine (ita)(E book) cracking & hacking tutorial 1000 pagine (ita)
(E book) cracking & hacking tutorial 1000 pagine (ita)
UltraUploader
 
Attitude adjustment trojans and malware on the internet
Attitude adjustment trojans and malware on the internetAttitude adjustment trojans and malware on the internet
Attitude adjustment trojans and malware on the internet
UltraUploader
 
Analyzing worms and network traffic using compression
Analyzing worms and network traffic using compressionAnalyzing worms and network traffic using compression
Analyzing worms and network traffic using compression
UltraUploader
 
Automatic extraction of computer virus signatures
Automatic extraction of computer virus signaturesAutomatic extraction of computer virus signatures
Automatic extraction of computer virus signatures
UltraUploader
 
Automated malware invariant generation
Automated malware invariant generationAutomated malware invariant generation
Automated malware invariant generation
UltraUploader
 
Analysis and detection of computer viruses and worms
Analysis and detection of computer viruses and wormsAnalysis and detection of computer viruses and worms
Analysis and detection of computer viruses and worms
UltraUploader
 

Viewers also liked (8)

(E book) cracking & hacking tutorial 1000 pagine (ita)
(E book) cracking & hacking tutorial 1000 pagine (ita)(E book) cracking & hacking tutorial 1000 pagine (ita)
(E book) cracking & hacking tutorial 1000 pagine (ita)
 
Becoming positive
Becoming positiveBecoming positive
Becoming positive
 
Attitude adjustment trojans and malware on the internet
Attitude adjustment trojans and malware on the internetAttitude adjustment trojans and malware on the internet
Attitude adjustment trojans and malware on the internet
 
01 intro
01 intro01 intro
01 intro
 
Analyzing worms and network traffic using compression
Analyzing worms and network traffic using compressionAnalyzing worms and network traffic using compression
Analyzing worms and network traffic using compression
 
Automatic extraction of computer virus signatures
Automatic extraction of computer virus signaturesAutomatic extraction of computer virus signatures
Automatic extraction of computer virus signatures
 
Automated malware invariant generation
Automated malware invariant generationAutomated malware invariant generation
Automated malware invariant generation
 
Analysis and detection of computer viruses and worms
Analysis and detection of computer viruses and wormsAnalysis and detection of computer viruses and worms
Analysis and detection of computer viruses and worms
 

Similar to Artificial immunity using constraint based detectors

Hop- by- Hop Message Authentication and Wormhole Detection Mechanism in Wirel...
Hop- by- Hop Message Authentication and Wormhole Detection Mechanism in Wirel...Hop- by- Hop Message Authentication and Wormhole Detection Mechanism in Wirel...
Hop- by- Hop Message Authentication and Wormhole Detection Mechanism in Wirel...
Editor IJCATR
 
Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)
IJERD Editor
 
Performance analysis of transport layer basedhybrid covert channel detection ...
Performance analysis of transport layer basedhybrid covert channel detection ...Performance analysis of transport layer basedhybrid covert channel detection ...
Performance analysis of transport layer basedhybrid covert channel detection ...
IJNSA Journal
 
Anomalous payload based network intrusion detection
Anomalous payload based network intrusion detectionAnomalous payload based network intrusion detection
Anomalous payload based network intrusion detection
UltraUploader
 
A Secure Chaotic Communication System
A Secure Chaotic Communication SystemA Secure Chaotic Communication System
A Secure Chaotic Communication System
ijsrd.com
 
Performance Analysis of Transport Layer Basedhybrid Covert Channel Detection ...
Performance Analysis of Transport Layer Basedhybrid Covert Channel Detection ...Performance Analysis of Transport Layer Basedhybrid Covert Channel Detection ...
Performance Analysis of Transport Layer Basedhybrid Covert Channel Detection ...
IJNSA Journal
 
An internet worm early warning system
An internet worm early warning systemAn internet worm early warning system
An internet worm early warning system
UltraUploader
 
A wireless intrusion detection system and a new attack model (synopsis)
A wireless intrusion detection system and a new attack model (synopsis)A wireless intrusion detection system and a new attack model (synopsis)
A wireless intrusion detection system and a new attack model (synopsis)
Mumbai Academisc
 
An efficient ant optimized multipath routing in wireless sensor network
An efficient ant optimized multipath routing in wireless sensor networkAn efficient ant optimized multipath routing in wireless sensor network
An efficient ant optimized multipath routing in wireless sensor network
Editor Jacotech
 
Iaetsd a survey on enroute filtering scheme in
Iaetsd a survey on enroute filtering scheme inIaetsd a survey on enroute filtering scheme in
Iaetsd a survey on enroute filtering scheme in
Iaetsd Iaetsd
 

Similar to Artificial immunity using constraint based detectors (20)

Hop- by- Hop Message Authentication and Wormhole Detection Mechanism in Wirel...
Hop- by- Hop Message Authentication and Wormhole Detection Mechanism in Wirel...Hop- by- Hop Message Authentication and Wormhole Detection Mechanism in Wirel...
Hop- by- Hop Message Authentication and Wormhole Detection Mechanism in Wirel...
 
Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)
 
Energy-Efficient Target Coverage in Wireless Sensor Networks Based on Modifie...
Energy-Efficient Target Coverage in Wireless Sensor Networks Based on Modifie...Energy-Efficient Target Coverage in Wireless Sensor Networks Based on Modifie...
Energy-Efficient Target Coverage in Wireless Sensor Networks Based on Modifie...
 
Energy-Efficient Target Coverage in Wireless Sensor Networks Based on Modifie...
Energy-Efficient Target Coverage in Wireless Sensor Networks Based on Modifie...Energy-Efficient Target Coverage in Wireless Sensor Networks Based on Modifie...
Energy-Efficient Target Coverage in Wireless Sensor Networks Based on Modifie...
 
Energy-Efficient Target Coverage in Wireless Sensor Networks Based on Modifie...
Energy-Efficient Target Coverage in Wireless Sensor Networks Based on Modifie...Energy-Efficient Target Coverage in Wireless Sensor Networks Based on Modifie...
Energy-Efficient Target Coverage in Wireless Sensor Networks Based on Modifie...
 
Performance analysis of transport layer basedhybrid covert channel detection ...
Performance analysis of transport layer basedhybrid covert channel detection ...Performance analysis of transport layer basedhybrid covert channel detection ...
Performance analysis of transport layer basedhybrid covert channel detection ...
 
Anomalous payload based network intrusion detection
Anomalous payload based network intrusion detectionAnomalous payload based network intrusion detection
Anomalous payload based network intrusion detection
 
A Secure Chaotic Communication System
A Secure Chaotic Communication SystemA Secure Chaotic Communication System
A Secure Chaotic Communication System
 
Performance Analysis of Transport Layer Basedhybrid Covert Channel Detection ...
Performance Analysis of Transport Layer Basedhybrid Covert Channel Detection ...Performance Analysis of Transport Layer Basedhybrid Covert Channel Detection ...
Performance Analysis of Transport Layer Basedhybrid Covert Channel Detection ...
 
An internet worm early warning system
An internet worm early warning systemAn internet worm early warning system
An internet worm early warning system
 
An Approach to Detect Packets Using Packet Sniffing
An Approach to Detect Packets Using Packet SniffingAn Approach to Detect Packets Using Packet Sniffing
An Approach to Detect Packets Using Packet Sniffing
 
A wireless intrusion detection system and a new attack model (synopsis)
A wireless intrusion detection system and a new attack model (synopsis)A wireless intrusion detection system and a new attack model (synopsis)
A wireless intrusion detection system and a new attack model (synopsis)
 
L017317681
L017317681L017317681
L017317681
 
International Journal of Computational Engineering Research(IJCER)
International Journal of Computational Engineering Research(IJCER)International Journal of Computational Engineering Research(IJCER)
International Journal of Computational Engineering Research(IJCER)
 
IRJET- Low Priced and Energy Economical Detection of Replicas for Wireles...
IRJET- Low Priced and Energy Economical Detection of Replicas for Wireles...IRJET- Low Priced and Energy Economical Detection of Replicas for Wireles...
IRJET- Low Priced and Energy Economical Detection of Replicas for Wireles...
 
Procuring the Anomaly Packets and Accountability Detection in the Network
Procuring the Anomaly Packets and Accountability Detection in the NetworkProcuring the Anomaly Packets and Accountability Detection in the Network
Procuring the Anomaly Packets and Accountability Detection in the Network
 
System Event Monitoring for Active Authentication
System Event Monitoring for Active AuthenticationSystem Event Monitoring for Active Authentication
System Event Monitoring for Active Authentication
 
An efficient ant optimized multipath routing in wireless sensor network
An efficient ant optimized multipath routing in wireless sensor networkAn efficient ant optimized multipath routing in wireless sensor network
An efficient ant optimized multipath routing in wireless sensor network
 
A1803060110
A1803060110A1803060110
A1803060110
 
Iaetsd a survey on enroute filtering scheme in
Iaetsd a survey on enroute filtering scheme inIaetsd a survey on enroute filtering scheme in
Iaetsd a survey on enroute filtering scheme in
 

More from UltraUploader

01 le 10 regole dell'hacking
01 le 10 regole dell'hacking01 le 10 regole dell'hacking
01 le 10 regole dell'hacking
UltraUploader
 
00 the big guide sz (by dr.to-d)
00 the big guide sz (by dr.to-d)00 the big guide sz (by dr.to-d)
00 the big guide sz (by dr.to-d)
UltraUploader
 
[E book ita] php manual
[E book ita] php manual[E book ita] php manual
[E book ita] php manual
UltraUploader
 
[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...
[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...
[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...
UltraUploader
 
[Ebook ita - database] access 2000 manuale
[Ebook ita - database] access 2000 manuale[Ebook ita - database] access 2000 manuale
[Ebook ita - database] access 2000 manuale
UltraUploader
 
(Ebook ita - inform - access) guida al database access (doc)
(Ebook ita - inform - access) guida al database access (doc)(Ebook ita - inform - access) guida al database access (doc)
(Ebook ita - inform - access) guida al database access (doc)
UltraUploader
 
(Ebook computer - ita - pdf) fondamenti di informatica - teoria
(Ebook computer - ita - pdf) fondamenti di informatica - teoria(Ebook computer - ita - pdf) fondamenti di informatica - teoria
(Ebook computer - ita - pdf) fondamenti di informatica - teoria
UltraUploader
 
Broadband network virus detection system based on bypass monitor
Broadband network virus detection system based on bypass monitorBroadband network virus detection system based on bypass monitor
Broadband network virus detection system based on bypass monitor
UltraUploader
 
Botnetsand applications
Botnetsand applicationsBotnetsand applications
Botnetsand applications
UltraUploader
 
Bot software spreads, causes new worries
Bot software spreads, causes new worriesBot software spreads, causes new worries
Bot software spreads, causes new worries
UltraUploader
 
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
UltraUploader
 
Bird binary interpretation using runtime disassembly
Bird binary interpretation using runtime disassemblyBird binary interpretation using runtime disassembly
Bird binary interpretation using runtime disassembly
UltraUploader
 
Biologically inspired defenses against computer viruses
Biologically inspired defenses against computer virusesBiologically inspired defenses against computer viruses
Biologically inspired defenses against computer viruses
UltraUploader
 
Biological versus computer viruses
Biological versus computer virusesBiological versus computer viruses
Biological versus computer viruses
UltraUploader
 
Biological aspects of computer virology
Biological aspects of computer virologyBiological aspects of computer virology
Biological aspects of computer virology
UltraUploader
 
Biological models of security for virus propagation in computer networks
Biological models of security for virus propagation in computer networksBiological models of security for virus propagation in computer networks
Biological models of security for virus propagation in computer networks
UltraUploader
 
Binary obfuscation using signals
Binary obfuscation using signalsBinary obfuscation using signals
Binary obfuscation using signals
UltraUploader
 
Beyond layers and peripheral antivirus security
Beyond layers and peripheral antivirus securityBeyond layers and peripheral antivirus security
Beyond layers and peripheral antivirus security
UltraUploader
 

More from UltraUploader (20)

1 (1)
1 (1)1 (1)
1 (1)
 
01 le 10 regole dell'hacking
01 le 10 regole dell'hacking01 le 10 regole dell'hacking
01 le 10 regole dell'hacking
 
00 the big guide sz (by dr.to-d)
00 the big guide sz (by dr.to-d)00 the big guide sz (by dr.to-d)
00 the big guide sz (by dr.to-d)
 
[E book ita] php manual
[E book ita] php manual[E book ita] php manual
[E book ita] php manual
 
[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...
[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...
[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...
 
[Ebook ita - database] access 2000 manuale
[Ebook ita - database] access 2000 manuale[Ebook ita - database] access 2000 manuale
[Ebook ita - database] access 2000 manuale
 
(Ebook ita - inform - access) guida al database access (doc)
(Ebook ita - inform - access) guida al database access (doc)(Ebook ita - inform - access) guida al database access (doc)
(Ebook ita - inform - access) guida al database access (doc)
 
(Ebook computer - ita - pdf) fondamenti di informatica - teoria
(Ebook computer - ita - pdf) fondamenti di informatica - teoria(Ebook computer - ita - pdf) fondamenti di informatica - teoria
(Ebook computer - ita - pdf) fondamenti di informatica - teoria
 
Broadband network virus detection system based on bypass monitor
Broadband network virus detection system based on bypass monitorBroadband network virus detection system based on bypass monitor
Broadband network virus detection system based on bypass monitor
 
Botnetsand applications
Botnetsand applicationsBotnetsand applications
Botnetsand applications
 
Bot software spreads, causes new worries
Bot software spreads, causes new worriesBot software spreads, causes new worries
Bot software spreads, causes new worries
 
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
 
Blast off!
Blast off!Blast off!
Blast off!
 
Bird binary interpretation using runtime disassembly
Bird binary interpretation using runtime disassemblyBird binary interpretation using runtime disassembly
Bird binary interpretation using runtime disassembly
 
Biologically inspired defenses against computer viruses
Biologically inspired defenses against computer virusesBiologically inspired defenses against computer viruses
Biologically inspired defenses against computer viruses
 
Biological versus computer viruses
Biological versus computer virusesBiological versus computer viruses
Biological versus computer viruses
 
Biological aspects of computer virology
Biological aspects of computer virologyBiological aspects of computer virology
Biological aspects of computer virology
 
Biological models of security for virus propagation in computer networks
Biological models of security for virus propagation in computer networksBiological models of security for virus propagation in computer networks
Biological models of security for virus propagation in computer networks
 
Binary obfuscation using signals
Binary obfuscation using signalsBinary obfuscation using signals
Binary obfuscation using signals
 
Beyond layers and peripheral antivirus security
Beyond layers and peripheral antivirus securityBeyond layers and peripheral antivirus security
Beyond layers and peripheral antivirus security
 

Artificial immunity using constraint based detectors

  • 1. ARTIFICIAL IMMUNITY USING CONSTRAINT-BASED DETECTORS Haiyu Hou Jun Zhu Gerry Dozier Department of Computer Science and Software Engineering Auburn University Auburn, AL 36849 ABSTRACT In this paper, an artificial Immune system (AIS) is used to detect abnormality in a computer network in an effort to provide protection from illegal intrusion and unauthorized use. The problem of anomaly detection can be addressed as the problem of distinguishing self patterns from non-self patterns. The self patterns could be any variety of characteristics of a system or its users. Detectors of an AIS recognize non-self patterns and invoke an alarm. In this work, an AIS was used to monitor simulated TCP/IP traffic on a simulated broadcast local area network. Detectors, in the form of interval constraints, were used to develop a simple and effective AIS. KEYWORDS: AIS, intrusion detection, self pattern, non-self pattern, constraint-based detector INTRODUCTION The immune system is critical in protecting the human body against the natural environment that contains a wide variety of pathogens in the form of viruses and bacteria [5]. Upon entering the body, these pathogens elicit immune system responses, during which antibody-mediated immunity kills and clears them from the body [5]. An artificial immune system (AIS) [4], inspired by the vertebrate immune system, is an automated system that can be used as the basis of a network security system. An AIS can monitor the traffic on a network and detect suspicious behavior [4]. An AIS can accomplish this by classifying normal traffic as self and abnormal traffic as non-self [1, 4]. Many researchers have investigated the effectiveness of AISs for computer security [1, 2, 4] and network security [3]. However these approaches have used binary coded detectors. In this paper, we propose an alternative network-based AIS that uses detectors that are coded as interval constraints. Τhe remainder of this paper is as follows. In the next section, we briefly explain the rationale on our AIS, next discuss our implementation followed a discussion of our problem set. Next we present our results followed by our conclusions.
  • 2. RATIONALE The problem of anomaly detection can be addressed as distinguishing self patterns from non-self patterns[1]. The patterns could be a variety of characteristics of a system, such as the sequence of system calls [1, 3], the specification of a TCP/IP packet [4]. Our AIS monitors the TCP/IP traffic on a local area network (LAN). Each incoming or outgoing packet is broadcast to all the hosts on the LAN. For each packet, its source IP, destinations IP and port number on the internal host compose a data path triple (DP3) [4], which, as a pattern of the packet, is inspected by AIS; abnormal patterns are recognized as non-self. Non-self patterns will correspond to either a network intrusion by an external hacker, or misuse by an internal user. An AIS contains immature, mature and memory detectors [4]. Mature and memory detectors are responsible detecting anomalous activity. The immature detectors are randomly generated and must go through an immunological process called negative selection [4], during which illegitimate detectors which bind to self DP3s are killed. Immature detectors that have survived the process of negative selection will bind to non- self DP3s and become mature detectors. A mature detector has a lifespan during which it must catch at least one non-self DP3; otherwise it dies. After a mature detector matches a non-self DP3, it becomes a memory detector that has a longer lifespan than mature detectors. If a memory or mature detector matches a DP3 transmitted on the network, an alarm message is sent the network administrator. This is similar to what is proposed in [4]. IMPLEMENTATION Our implementation is as modified from [4]. For a TCP/IP packet, at least one internal host is involved in the connection. An IP address is composed of 4 bytes. For a class C LAN, the least significant byte is enough to identify an internal host, while the 4 bytes are all needed to specify the external hosts. The port on a host is identified by 2 bytes, which give 64k different numbers. To simplify the process, the port numbers is mapped into 69 categories according to [4]. Thus, a DP3 has 6 integers to specify a packet, with 4 integers for an external host IP address, 1 integer for the internal host IP address, and 1 integer for the port on the internal host. The first 5 integers range between 0 and 255, and the last integer ranges from 0 to 68. Another bit is included to indicate packet direction. If it’s an incoming packet, this bit is set to 0, and it’s set to 1 if the packet is outgoing. Accordingly, our constraint-based detectors are composed of 6 pairs of integer intervals and 1 direction bit. If an interval covers the corresponding number, the detector matches this field. If the detector matches the direction bit and all the six fields of a DP3, the detector matches the DP3 completely. A match threshold is set to adjust the specificity or generality for detectors to match a DP3. The match is most specific if the threshold is set to 6, and most general if the threshold is set to 1. The self set is composed of DP3s that represent normal activity on the network. It is reasonable to assume that the DP3s of the self set can be divided into separate sub self sets because the connections are between LANs and all the external hosts on a single
  • 3. LAN have the same network address. For example, if 5 LANs have hosts connecting to a sixth LAN, then the self set of this sixth LAN may be classified into 5 clusters (or sub- self sets). EXPERIMENT SET-UP A simulation of 10 hosts each running an AIS was studied. Each of the AISs contained 100 constraint-based detectors. The self set had a size of 2000 DP3s, which were randomly generated and evenly spread into a number of clusters. There were several variables in setting up the experiment, including match threshold, number of self-clusters, and the lifespan of immature detectors. The lifespan of mature detectors was set to 100,000, which means it must match a non-self DP3 within 100,000 DP3 transmission on the network, or it dies and is replaced by a randomly generated immature detector. The lifespan of a memory detector was set to 200,000. The match threshold took on values between 1 and 6. The number of self-clusters took on values from the set {1, 2, 4, 5, 8, 10, 20, 25, 40, 50, 80, 100}. The lifespan of for immature detectors was selected from the set {10000, 15000, 20000}. For each possible set of parameters the resulting network security system was trained and tested 30 runs. A non-self set, consisting of 200 DP3s, was created by randomly generated. The self and non-self sets for each of the 30 runs were mutually exclusive. The experiment was divided into two stages. In the first stage, the training was carried out by randomly picking self-patterns from the self set and feeding them to the AISs. The training stage lasted for 150,000 iterations which equivalent to transmitting 150,000 DP3s across the simulated LAN. False positives were counted for the last 29,000 iterations in the first stage. In the testing stage, non-self patterns, or simulated attacks, were fed to the system to test the efficiency of detection. The number non-self DP3s identified by the system was summed up, and the summation divided by 200 in order to compute the detection rate. This was repeated nine additional times with nine other non- self sets being fed into the system, which resulted in 10 detection rates. The overall detection rate was calculated as the average of these 10 detection rates. RESULTS Average detection rates over various system settings are shown in Figures 1 - 3. From these figures, it can be seen that the detection rate went down when the number of clusters increased. However, for match thresholds of 2 and 3, the detection rates remained close to 1.0 until the cluster number increased beyond 40. The detection rate dropped because the increasing in self-clusters means more diversity in the self patterns, which requires more learning time and more memory resources as well. It’s reasonable to predicate that longer the training time and the larger size of the detector set the better the detection rate when working with a larger number of self-clusters. It can also be observed that for the best systems (those with a match threshold of 3 or 4 in Figures 1-3) a longer lifespan for immature detectors causes a decreased the detection rate. The reason is that the longer the immature detector lifespan, the greater chance for the immature detector to match a self-pattern during negative selection. This lessens the chance of an immature detector surviving negative selection and developing
  • 4. into a mature detector. This, in turn, reduces the total number of mature detectors in the system. Although the resulting system may have fewer mature detectors, with a longer immature detector lifespan, the mature detectors are less likely to bind to self patterns which reduces the number of false positives generated. The issue of false positives will be discussed later. Life-Sp an o f Im m ature D etecto rs:10 00 0 0 0.2 0.4 0.6 0.8 1 1 2 4 5 8 10 20 25 40 50 80 100 Cluster s M T:1 M T:2 M T:3 M T:4 M T:5 M T:6 Life-Sp an o f Im m ature D etecto rs:1500 0 0 0.2 0.4 0.6 0.8 1 1 2 4 5 8 10 20 25 40 50 80 100 Cluster s M T:1 M T:2 M T:3 M T:4 M T:5 M T:6 Figure 1. Detection rate with lifespan of immature Figure 2. Detection rate with lifespan of immature detector set to 10000 detector set to 15000 Life-Span of Immature Detectors: 20000 0 0.2 0.4 0.6 0.8 1 1 2 4 5 8 10 20 25 40 50 80 100 Clusters DetectionRate MT: 1 MT: 2 MT: 3 MT: 4 MT: 5 MT: 6 False Positive with Match Threshold 2 0 5 10 15 20 25 Clusters FalsePositive LifeSpan: 10000 LifeSpan: 15000 LifeSpan: 20000 Figure 3. Detection rate with lifespan of immature Figure 4. False positives when the matching detector set to 20000 threshold was 2 In Figures 1-3, one can see that the match threshold is more important than the lifespan of immature detectors. It can be seen in figures that match thresholds of 3 and 4 were consistently the better performers. Lower threshold for a detector to match to a pattern means a relaxed constrain satisfaction, thus the immature detector got greater possibility to match to some pattern. This leads to less amount of mature detector with the same logic related above. On the other hand, high threshold leads to more mature detectors, however, these detectors have more trouble to match a pattern, even if it’s an obvious non-self pattern. So there’s a balance between the two, at which highest detection rate takes place. The number of self clusters also affects the setting of match threshold. If the number of self-clusters was below 25, 2 might be an ideal choice because the detection rate was kept very close to 1.0; however, it would be more advisable to choose 3 if the self patterns fall into more clusters because the detection rate with 3 as match threshold was kept over 0.95 even the cluster number reached 50 if the lifespan of immature detector was set to 10000.
  • 5. The relationship between false positives and match threshold are shown in Figures 4 - 8. Match threshold of 1 resulted in 0 false positives regardless of the number of self clusters. It can be seen that increasing clusters increased the diversity of the self DP3s, which resulted in more false positives. This basically matches with the results as shown in Figures 1 - 3, except that when the match threshold was set to 2 there was a peak in the number of false positives for unknown reasons. From Figure 1 it can be seen that for match threshold of 2, the detection rate was kept very close to 1.0 until the number of clusters increased to 25, when it began to drop, and it was at this point that highest false positive rate occurred. When the cluster number exceeded 25, the detection rate dropped and so did the number of false positives. This was because with more diversity in the self DP3s, the system had fewer mature detectors and more difficulty matching a DP3, no matter it would be a false positive in the training phase, or it was a true intrusion in the testing phase. It was also observed that different settings on match threshold had a significant effect on the number of false positives generated, except for match threshold of 1. When the match threshold was set to 3 or 4, the system had the highest false positive rate, at which point the system also gave the highest detection rate, and the false positive dropped when the match threshold increased to 5 and 6. If the system is capable of recognizing more DP3s, it also potentially generates more false positives. So, there’s a trade-off between the detection rate and the accuracy of the detection. If the security of the network system were more concerned, higher detection rate would be more desired over the accuracy while false alarms are not much trouble, then a shorter immature detector lifespan and a match threshold of 3 or 4 would be suitable. The size of the self set was set to 2000 for the results reported here, however, we also tested the system with self set of varied size, and it turned out the self set size did not noticeably affect the system effectiveness. False Positive with Match Threshold 3 0 10 20 30 40 50 60 70 80 90 100 Clusters FalsePositive LifeSpan: 10000 LifeSpan: 15000 LifeSpan: 20000 F alse P o sitive w ith M atch T hresho ld 4 0 10 20 30 40 50 60 70 1 2 4 5 8 10 20 25 40 50 80 100 Cluster s LifeSpan:10000 LifeSpan:15000 LifeSpan:20000 Figure 5. False positives when the matching Figure 6. False positives when the matching threshold was 3 threshoold was 4 CONCLUSION We proposed an alternative approach to build an simple and efficient AIS. Constraint- based detector is easier to understand compared with binary string based detector [3], which facilitates the system security officer to analyze the network traffic when intrusion happens.
  • 6. F alse P o sitive w ith M atch T hresho ld 5 0 5 10 15 20 25 30 35 1 2 4 5 8 10 20 25 40 50 80 100 Cluster s LifeSpan:10000 LifeSpan:15000 LifeSpan:20000 F alse P o sitive w ith M atch T hresho ld 6 0 1 2 3 4 5 6 7 8 1 2 4 5 8 10 20 25 40 50 80 100 Cluster s LifeSpan:10000 LifeSpan:15000 LifeSpan:20000 Figure 7. False positives when the matching Figure 8. False positives when the matching threshold was 3 threshoold was 4 The diversity of the self patterns decides the difficulty of the detection problem, which significantly influences the effectiveness of the AIS. The match threshold decides the specificity or generality of the match between detectors and patterns. A high match threshold results in more mature detectors that match patterns more specifically, while a low match threshold results in fewer mature detectors that match patterns more generally. The detection rate might be low if the match threshold is either too high or too low. The lifespan of an immature detector may also affect the number of mature detectors generated during the training phase. The longer the lifespan of immature detectors the fewer number of mature detectors there may be. This can lead to a lower detection rate. Effectiveness and accuracy are two important requirements for a good intrusion detection system. If the diversity of the self patterns were low with respect to the size of the AIS, the system would be both effective and accurate, giving a high anomaly detection rate and low false positive rate. However, if the self patterns showed high diversity with respect to the size of the AIS, there would be a trade-off between effectiveness and accuracy, one of which might be sacrificed for the other. REFERENCES 1. S. Forrest, S. Hofmeyr, A. Somayaji and T. Longstaff, “A Sense of Self for Unix Processes”. Proceedings of IEEE Symposium on Security and Privacy, 120 –128 (1996). 2. P. Harmer and G. Lamont, “An Agent Based Architecture for a Computer Virus Immune System”. Proceedings of the Genetic and Evolutionary computation Conference, (2000). 3. S. Hofmeyr, A. Somayaji and S. Forrest, “Intrusion Detection using Sequences of System Calls”. Journal of Computer Security 6: pp. 151-180 (1998). 4. S. Hofmeyr and S. Forrest, “Immunity by Design: An Artificial Immune System”. Proceedings of the Genetic and Evolutionary Computation Conference, (1999). 5. D. Krogh, “The Immune System: Defending the Body from Invaders”. Biology, ISBN: 0023668911 (2000).