Proceedings ArticleDOI

Artificial immune theory based network intrusion detection system and the algorithms design

04 Nov 2002-Vol. 1, pp 73-77
TL;DR: A network intrusion detection model based on artificial immune theory, which shows that this method can shrink each generation scale greatly and create a good niche for patterns evolving, is proposed in this paper.
Abstract: A network intrusion detection model based on artificial immune theory is proposed in this paper. In this model, self patterns and non-self patterns are built upon frequent behavior sequences, and a simple but efficient algorithm for encoding patterns is proposed. Based on the result of encoding, another algorithm for creating detectors is presented, which integrates negative selection with clonal selection. The algorithm's performance is analyzed, which shows that this method can shrink each generation's scale greatly and create a good niche for pattern evolution.
Citations
Patent
03 Jun 2002
TL;DR: A network security system as discussed by the authors includes a system data store capable of storing a variety of data associated with an encrypted computer network and communications transmitted thereon, a communication interface supporting communication over a communication channel and a system processor.
Abstract: A network security system includes a system data store capable of storing a variety of data associated with an encrypted computer network and communications transmitted thereon, a communication interface supporting communication over a communication channel and a system processor. Data corresponding to communications transmitted over the encrypted communication network are received. One or more tests are applied to the received data to determine whether a particular communication represents a potential security violation. An alarm may be generated based upon the results of the applied test or tests.

251 citations

Journal ArticleDOI
TL;DR: Experimental results show that the presented algorithm produces fuzzy rules, which can be used to construct a reliable intrusion detection system.

85 citations


Cites background from "Artificial immune theory based netw..."

  • ...Some recent researches have utilized artificial immune systems (AIS) to detect intrusive behaviors in a computer network (Dasgupta and González, 2002; Harmer et al., 2002; Yang et al., 2002; Provost and Fawcett, 1998)....

Proceedings ArticleDOI
07 Nov 2005
TL;DR: A novel intrusion detection approach by applying ant colony optimization for feature selection and SVM for detection and the least square based SVM estimation is adopted.
Abstract: This paper proposes a novel intrusion detection approach by applying ant colony optimization for feature selection and SVM for detection. The intrusion features are represented as graph nodes, with the edges between them denoting the addition of the next feature. Ants traverse the graph to add nodes until the stopping criterion is satisfied. The Fisher discrimination rate is adopted as the heuristic information for the ants' traversal. In order to avoid training a large number of SVM classifiers, least-squares-based SVM estimation is adopted. Initially, the SVM is trained using a grid search method to obtain the discrimination function from the training data based on all available features. Then each feature subset produced during the ACO search process is evaluated on its ability to reconstruct the reference discriminative function using linear least-squares estimation. Finally, the SVM is retrained using the training data restricted to the obtained optimal feature subset to produce the intrusion detection model. MIT's KDD Cup 99 dataset is used to evaluate the present method; the results clearly demonstrate that the method can be an effective way to perform intrusion feature selection and detection.

85 citations


Cites methods from "Artificial immune theory based netw..."

  • ...For the former, numerous machine learning methods such as artificial immune theory [2], Bayesian parameter estimation [3], clustering [4], data fusion [5] and neural networks [6] etc have been adopted to build good detection model....

Journal ArticleDOI
TL;DR: Three kinds of genetic fuzzy systems based on Michigan, Pittsburgh and iterative rule learning (IRL) approaches are presented to deal with intrusion detection as a high-dimensional classification problem.
Abstract: Research highlights: We present three kinds of genetic fuzzy systems for the intrusion detection problem. These IDSs can detect normal and abnormal behaviors in computer networks efficiently. Computer simulations demonstrate high performance of the proposed IDSs. GFSs are able to develop accurate and also interpretable intrusion detection systems. The capability of fuzzy systems to solve different kinds of problems has been demonstrated in several previous investigations. Genetic fuzzy systems (GFSs) hybridize the approximate reasoning method of fuzzy systems with the learning capability of evolutionary algorithms. The objective of this paper is to design and analyze various kinds of genetic fuzzy systems to deal with the intrusion detection problem as a new real-world application area which has not previously been tackled with GFSs. The resulting intrusion detection system would be capable of detecting normal and abnormal behaviors in computer networks. We have presented three kinds of genetic fuzzy systems based on Michigan, Pittsburgh and iterative rule learning (IRL) approaches to deal with intrusion detection as a high-dimensional classification problem. Experiments were performed with DARPA data sets which contain information on computer networks during normal and intrusive behaviors. The paper presents some results and compares the performance of the different generated fuzzy rule sets in detecting intrusions in a computer network according to the three different types of genetic fuzzy systems.

84 citations

Proceedings ArticleDOI
15 May 2014
TL;DR: This paper proposes an IDS model based on Information Gain for feature selection combined with the SVM classifier that can achieve higher detection rate and lower false alarm rate than regular SVM.
Abstract: Intrusion Detection Systems (IDS) have become a necessary component of almost every security infrastructure. Recently, Support Vector Machines (SVM) have been employed to provide potential solutions for IDS. With its many variants for classification, SVM is a state-of-the-art machine learning algorithm. However, the performance of SVM depends on the selection of appropriate parameters. In this paper we propose an IDS model based on Information Gain for feature selection combined with the SVM classifier. The parameters for SVM are selected by a swarm intelligence algorithm (Particle Swarm Optimization or Artificial Bee Colony). We use the NSL-KDD data set and show that our model can achieve a higher detection rate and lower false alarm rate than regular SVM.

57 citations

References
Proceedings ArticleDOI
16 May 1994
TL;DR: A method for change detection which is based on the generation of T cells in the immune system is described, which reveals computational costs of the system and preliminary experiments illustrate how the method might be applied to the problem of computer viruses.
Abstract: The problem of protecting computer systems can be viewed generally as the problem of learning to distinguish self from other. The authors describe a method for change detection which is based on the generation of T cells in the immune system. Mathematical analysis reveals the computational costs of the system, and preliminary experiments illustrate how the method might be applied to the problem of computer viruses.

1,782 citations

Journal ArticleDOI
TL;DR: A body of work on computational immune systems that behave analogously to the natural immune system and in some cases have been used to solve practical engineering problems such as computer security are described.
Abstract: This review describes a body of work on computational immune systems that behave analogously to the natural immune system. These artificial immune systems (AIS) simulate the behavior of the natural immune system and in some cases have been used to solve practical engineering problems such as computer security. AIS have several strengths that can complement wet lab immunology. It is easier to conduct simulation experiments and to vary experimental conditions, for example, to rule out hypotheses; it is easier to isolate a single mechanism to test hypotheses about how it functions; agent-based models of the immune system can integrate data from several different experiments into a single in silico experimental system.

1,021 citations

Journal ArticleDOI
TL;DR: In this paper, a survey of host-based and network-based intrusion detection systems is presented, and the characteristics of the corresponding systems are identified, and an outline of a statistical anomaly detection algorithm employed in a typical IDS is also included.
Abstract: Intrusion detection is a new, retrofit approach for providing a sense of security in existing computers and data networks, while allowing them to operate in their current "open" mode. The goal of intrusion detection is to identify unauthorized use, misuse, and abuse of computer systems by both system insiders and external penetrators. The intrusion detection problem is becoming a challenging task due to the proliferation of heterogeneous computer networks, since the increased connectivity of computer systems gives greater access to outsiders and makes it easier for intruders to avoid identification. Intrusion detection systems (IDSs) are based on the beliefs that an intruder's behavior will be noticeably different from that of a legitimate user and that many unauthorized actions are detectable. Typically, IDSs employ statistical anomaly and rule-based misuse models in order to detect intrusions. A number of prototype IDSs have been developed at several institutions, and some of them have also been deployed on an experimental basis in operational systems. In the present paper, several host-based and network-based IDSs are surveyed, and the characteristics of the corresponding systems are identified. The host-based systems employ the host operating system's audit trails as the main source of input to detect intrusive activity, while most of the network-based IDSs build their detection mechanism on monitored network traffic, and some employ host audit trails as well. An outline of a statistical anomaly detection algorithm employed in a typical IDS is also included.

962 citations

Posted Content
TL;DR: In this article, a method for change detection which is based on the generation of T cells in the immune system is described. But this method is not suitable for the problem of computer virus detection.
Abstract: The problem of protecting computer systems can be viewed generally as the problem of learning to distinguish self from other. We describe a method for change detection which is based on the generation of T cells in the immune system. Mathematical analysis reveals the computational costs of the system, and preliminary experiments illustrate how the method might be applied to the problem of computer viruses.

898 citations

01 Jan 1999
TL;DR: A framework for explicitly incorporating distribution is developed, and is used to demonstrate that negative detection is both scalable and robust, and it is shown that any scalable distributed detection system that requires communication is always less robust than a system that does not require communication.
Abstract: This dissertation explores an immunological model of distributed detection, called negative detection, and studies its performance in the domain of intrusion detection on computer networks. The goal of the detection system is to distinguish between illegitimate behaviour (nonself) and legitimate behaviour (self). The detection system consists of sets of negative detectors that detect instances of nonself; these detectors are distributed across multiple locations. The negative detection model was developed previously; this research extends that previous work in several ways. Firstly, analyses are derived for the negative detection model. In particular, a framework for explicitly incorporating distribution is developed, and is used to demonstrate that negative detection is both scalable and robust. Furthermore, it is shown that any scalable distributed detection system that requires communication (memory sharing) is always less robust than a system that does not require communication (such as negative detection). In addition to exploring the framework, algorithms are developed for determining whether a nonself instance is an undetectable hole, and for predicting performance when the system is trained on nonrandom data sets. Finally, theory is derived for predicting false positives in the case when the training set does not include all of self. Secondly, several extensions to the model of distributed detection are described and analysed. These extensions include: multiple representations to overcome holes; activation thresholds and sensitivity levels to reduce false positive rates; costimulation by a human operator to eliminate autoreactive detectors; distributed detector generation to adapt to changing self sets; dynamic detectors to avoid consistent gaps in detection coverage; and memory, to implement signature-based detection. Thirdly, the model is applied to network intrusion detection. The system monitors TCP traffic in a broadcast local area network. The results of empirical testing of the model demonstrate that the system detects real intrusions, with false positive rates of less than one per day, using at most five kilobytes per computer. The system is tunable, so detection rates can be traded off against false positives and resource usage. The system detects new intrusive behaviours (anomaly detection), and exploits knowledge of past intrusions to improve subsequent detection (signature-based detection).

299 citations