Rui-jie WANG,yan FENG,Xiao-fei LONG

DOI: https://doi.org/10.3969/j.issn.1671-7147.2007.03.005

2007-01-01

Abstract:The paper presents a payloadbased anomaly detector model describing the normal pakcet payload of network traffic in a fully automatic,unsupervised and very effecient fashion,for intrusion detection.We firstly compute during a training phase a profile byte frequency distribution and their standard deviation of the application payload flowing to a single host and port.then,Mahalanobis distance during the detection phase is used to calculate the similarity of new data against the precomputed profile.The detector compares this measure against a threshold and generates an alert when the distance of the new input exceeds this threshold.The surprising effectiveness of the method is demonstrated for the 1999 DARPA IDS dataset.In one case nearly 100% accuracy is achieved with 0.1% false positive rate for port 80 traffic.

Li Zhi-tang,Li Yao,Wang Li

DOI: https://doi.org/10.1109/hpcasia.2005.7

2005-01-01

Abstract:More and more intrusion detection systems were developed, but most of these systems have very poor accuracy. To overcome this problem, a self-adaptive anomaly detection system was developed using fuzzy detection anomaly algorithm with negative selection of biology. The algorithm improves the accuracy of the detection method and produces a novel method to measure the deviation from the normal that does not need a discrete division of the non-self space. The proposed anomaly detection model is designed as flexible, extendible, and adaptable in order to meet the needs and preferences of network administrators and can be also supplied for IPv6 environment. Different experiments are performed with MIT-DARAP 1999 dataset (Lippmann et al., 2000) and real word data from different sources. The experimental results show that the proposed algorithms provide some advantages over other algorithms

Baoliang Xu,Wenjian Luo,Xufa Wang

DOI: https://doi.org/10.1109/CIS.2009.165

2009-01-01

Abstract:In artificial immune systems, the detectors in the nonself space are often adopted to detect anomaly changes, such as the negative selection algorithm and its improvements. Since the detectors in the self space can also be used to detect anomaly changes, a frequently asked question is which kind of detector sets is more efficient for a specific problem. In this paper, firstly, the advantages and disadvantages of the self detector set and the nonself detector set are briefly reviewed. Secondly, when the complete matching rule is adopted, the average time costs of employing the nonself detector set and the self detector set for anomaly detection are compared theoretically. Thirdly, simulated experiments are done, and experimental results demonstrate that the theoretical conclusion is essentially correct.

Li-zhong Geng,Hui-bo Jia

DOI: https://doi.org/10.1109/IAS.2009.100

2009-01-01

Abstract:Rapid increase of information resources speeds the development of network storage. And security of network storage satisfies the demands of privacy and safety of the information. Data encryption and personal identity authentication which are based on cryptography can protect the storage against non-authorized access, while they are ineffective for malicious authorized users and inherent attacks. Also heavy performances affect the control of storage. This paper demonstrates an efficient intrusion detection system model for network-attached storage based on system calls and improves the Process Homeostasis to realize the implementation. The experimental results demonstrate high detection rate and low false detection rate. The total performance is about 3% additions when the detection system is running normally.

Haidong Yang,Jianhua Guo,Feiqi Deng

DOI: https://doi.org/10.1007/s10844-010-0118-3

2010-01-01

Journal of Intelligent Information Systems

Abstract:The current RFID systems are fragile to external attacks, due to the limitations of encryption authentication and physical protection methods used in implementation of RFID security systems. In this paper, we propose a collaborative RFID intrusion detection method that is based on an artificial immune system (AIS). The new method can enhance the security of RFID systems without need to amend the existing technical standards of RFID. Mimicking the immune cell collaboration in biological immune systems, RFID operations are defined as self and nonself antigens, representing legal and illegal RFID operations, respectively. Data models are defined for antigens' epitopes. Known RFID attacks are defined as danger signals represented by nonself antigens. We propose a method to collect RFID data for antigens and danger signals. With the antigen and danger signal data available, we use a negative selection algorithm to generate adaptive detectors for self antigens as RFID legal operations. We use an immune based clustering algorithm aiNet to generate collaborative detectors for danger signals of RFID intrusions. Simulation results have shown that the new RFID intrusion detection method has effectively reduced the false detection rate. The detection rate on known types of attacks was 98% and the detection rate on unknown type of attacks was 93%.

Xiaowen Liu,Geying Yang,Lina Wang,Jie Fu,Qinghao Wang

DOI: https://doi.org/10.1007/s10489-024-05288-2

IF: 5.3

2024-01-28

Applied Intelligence

Abstract:The artificial immune system and network anomaly detection system are developed with common goals and principles considered. Moreover, artificial immune-based network anomaly detection can adaptively learn and dynamically detect threats. However, existing immune recognition algorithms suffer from the curse of dimensionality, hole problems, and detector inefficiency tolerance. In this paper, we proposed a novel immune detector training mechanism for network anomaly detection. First, a hybrid filter embedded feature selection algorithm is designed to comprehensively evaluate features and select the optimal subset. Then, candidate detectors are generated based on self antigens, and the nonself region is represented using complementary space to circumvent the hole problem. Finally, considering the training efficiency during the evolution of the candidate detectors, an antigen clustering feature tree is constructed to rapidly index the tolerance objects. Furthermore, the algorithm considers the effect of the collaboration of multiple mature detectors on candidate detectors, and a Monte Carlo-based coverage estimation algorithm is designed to achieve more accurate and fine-grained maturation tolerance of candidate detectors. The theoretical analysis shows that the time complexity of our algorithm is significantly reduced. The experimental results show that our algorithm not only improves the detection accuracy but also reduces the time cost of detector training.

computer science, artificial intelligence

Xinpeng Zhang,Niaoqing Hu,Lei Hu

DOI: https://doi.org/10.1109/icrms.2011.5979301

2011-01-01

Abstract:According to the abnormal state detection without enough priori knowledge and fault samples, a new detector generation method with step radiuses is proposed. The method separates abnormal state space into several regions, and then sets different detector radius for them according to actual situations, has great flexibility and higher coverage rate to space. Artificial immune real-valued negative selection algorithm based on this method is applied to find the model for abnormal state detection, and later on be tested and analyzed in two different cases to some bearing using the model founded above. One with the fault samples and the other not. A conclusion is reached from the test that the method mentioned above can detect the known and unknown fault efficiently, and the correct detection rate is satisfactory.

GUO Zhen-he,TAN Ying,LIU Zheng-kai

DOI: https://doi.org/10.3969/j.issn.1000-1220.2005.11.012

2005-01-01

Abstract:Based on the principle of non-self detection and diversity of Ab,this paper studies anomaly detection algorithm of computer static resource.First of all,the relationship between the diversity of detector with detection holes is analyzed.Then,this paper proposes Computer Static System Resource Anomaly Detection Algorithms(SRAnDA).Finally,The proposed algorithm is verified by different datasets,and compared to MD5.It is turned out that its computational complexity and space complexity is superior to MD5,which indicates that the algorithm will has great prospect onto anomaly detection of Computer Immune System.

Xi Xiangyu,Zhang Tong,Ye Wei,Wen Zhao,Zhang Shikun,Du Dongdong,Gao Qing

DOI: https://doi.org/10.1142/s0218194018400211

2018-01-01

Abstract:An intruder of a company’s network may use stolen login credentials to silently collect sensitive data. Such malicious user behavior is difficult to detect as long as it does not trigger access violation or data leak alert. In this paper, we propose to use an ensemble of three unsupervised anomaly detection algorithms, namely OCSVM, RNN and Isolation Forest, to detect abnormal user behavior patterns. Besides, an User Behavior Analytics (UBA) Platform is proposed to collect logs, extract features and conduct experiments. The experiment results indicate that our algorithm outperforms each individual algorithm with recall of 96.55% and precision of 91.24% on average, while both OCSVM and RNN suffer from anomalies in the training set, and [Formula: see text] produces more false positives and false negatives in prediction.

HUANG Jun-cai,WANG Feng-bi,LUO Xun,SHE Kun,ZHOU Ming-tian

DOI: https://doi.org/10.3969/j.issn.1001-0548.2006.01.025

2006-01-01

Abstract:The feasibility of applying artificial immune theory in intrusion detection system is Analyzed, establishes a model combining artificial immune theory and data mining technique is estoblished. Based on the statistical theory, the amount of information that is lost by splitting a data stream into unordered strings can be estimated, and this estimate can be used to guide the choice of string length. Based on information-theory, a lower bound on the size of the detector set is derived. Detector Generating algorithm is described. The performance of Artificial Immune Intrusion Detection System (AIIDS) is better than the normal intrusion detection system based on knowledge engineering.

Jamie Twycross,Uwe Aickelin

DOI: https://doi.org/10.48550/arXiv.0910.3117

2009-10-16

Abstract:The immune system provides a rich metaphor for computer security: anomaly detection that works in nature should work for machines. However, early artificial immune system approaches for computer security had only limited success. Arguably, this was due to these artificial systems being based on too simplistic a view of the immune system. We present here a second generation artificial immune system for process anomaly detection. It improves on earlier systems by having different artificial cell types that process information. Following detailed information about how to build such second generation systems, we find that communication between cells types is key to performance. Through realistic testing and validation we show that second generation artificial immune systems are capable of anomaly detection beyond generic system policies. The paper concludes with a discussion and outline of the next steps in this exciting area of computer security.

Artificial Intelligence,Cryptography and Security,Neural and Evolutionary Computing

Wenjian Luo,Xianbin Cao,Xufa Wang

DOI: https://doi.org/10.1007/3-540-45600-7_40

2001-01-01

Abstract:Current network intrusion detection systems are of low intelligence level and have the main deficiency as being unable to detect new intrusive behaviors of unknown signatures.The protection mechanism of natural immune system has brought us inspirations to design a novel network intrusion detection system. The research on modeling a NIDS with natural immune system just started, including the negative selection algorithm proposed by S. Forrest and the basic system model proposed by J. Kim. Based on their works, this paper proposed a novel system structure including affinity mutation, which was used to improve the performance of anomaly detection, and established an basic system based on artificial immunology. This paper stressed on the novel construction and testing experiments. Result of the experiments proved that the application of the protection mechanism of natural immune system to network intrusion detection system has an exciting perspective.

Beibei Li,Yujie Chang,Hanyuan Huang,Wenshan Li,Tao Li,Wen Chen

DOI: https://doi.org/10.1016/j.future.2023.06.011

IF: 7.307

2023-06-18

Future Generation Computer Systems

Abstract:Recent years have witnessed an increased attack surface of the Industrial Internet of Things (IIoT), as the deep convergence of the Internet of Things (IoT) and other information and communications technologies (ICTs). However, the massive geographically-dispersed IoT devices and the big spatiotemporal data they generated, both pose extreme challenges to traditional centralized and cumbersome anomaly detection systems (ADSs). To meet this gap, in this paper we propose a novel artificial immunity based distributed and fast anomaly detection system, coined AIm-ADS. Specifically, first we develop an artificial immune system based data representation and distributed preprocessing framework, to characterize and prepare the hyper-dimensional IIoT data for anomaly detection (i.e., distinguishing between selfs and nonselfs). Second, we design a new negative selection based hyper-dimensional anomaly detector generation model along with a point-hyperspace (PH) tree based self-detector indexing mechanism, for creating anomaly detectors and indexing self-detectors in a hyperspace. Last, we craft a PH tree based fast anomaly detection method to identify anomalous behaviors of cyberattacks on IIoT. Extensive experiments on three publicly available and widely used real-world datasets (i.e., SDS, SWaT and WADI), demonstrate that the proposed AIm-ADS outperforms existing artificial immunity based and deep learning based anomaly detection studies, in terms of both the detection rate and detection time.

computer science, theory & methods

Julie Greensmith,Jamie Twycross,Uwe Aickelin

DOI: https://doi.org/10.1109/cec.2006.1688374

2006-01-01

SSRN Electronic Journal

Abstract:Artificial immune systems, more specifically the negative selection algorithm, have previously been applied to intrusion detection. The aim of this research is to develop an intrusion detection system based on a novel concept in immunology, the Danger Theory. Dendritic Cells (DCs) are antigen presenting cells and key to the activation of the human immune system. DCs perform the vital role of combining signals from the host tissue and correlate these signals with proteins known as antigens. In algorithmic terms, individual DCs perform multi-sensor data fusion based on time-windows. The whole population of DCs asynchronously correlates the fused signals with a secondary data stream. The behaviour of human DCs is abstracted to form the DC Algorithm (DCA), which is implemented using an immune inspired framework, libtissue. This system is used to detect context switching for a basic machine learning dataset and to detect outgoing portscans in real-time. Experimental results show a significant difference between an outgoing portscan and normal traffic.

Ting Han,Xuna Zhan,Jing Tao,Ken Cao,Yuheng Xiong

DOI: https://doi.org/10.1109/DASC-PICom-CBDCom-CyberSciTech52372.2021.00154

2021-01-01

Abstract:Anomaly behavior detection is a key step in building a secure and reliable system when a user operates the server system. If a hacker uploads a file containing malicious code during an attack, it will pose a huge threat to the computer system and cannot be detected only by file extension. To solve this problem, this paper proposes a novel anomaly upload behavior detection method that establishes an upload behavior detection model by the fuzzy inference algorithm. In general, membership functions of the fuzzy inference algorithm are directly given by expert's experience. Furthermore, we investigate an improved method for determining membership function, which is obtained by statistical and curve fitting of historical data, to facilitate user's real behavior pattern recognition in the upload behavior detection model. This method does not require calibration of historical data and can be well adapted to different application scenarios. We evaluate the performance of our method via extensive simulations and real-world experiments, whose results demonstrate the feasibility and effectiveness of the proposed method.

J. Twycross,U. Aickelin

2008-01-01

Abstract:The immune system provides a rich metaphor for computer security: anomaly detection that works in nature should work for machines. However, early artificial immune system approaches for computer security had only limited success. Arguably, this was due to these artificial systems being based on too simplistic a view of the immune system. We present here a second generation artificial immune system for process anomaly detection. It improves on earlier systems by having different artificial cell types that process information. Following detailed information about how to build such second generation systems, we find that communication between cells types is key to performance. Through realistic testing and validation, we show that second generation artificial immune systems are capable of anomaly detection beyond generic system policies. The chapter concludes with a discussion and outline of the next steps in this exciting area of computer security.

Tie-Shan Zhao,Zeng-Zhi Li,Ze-Min Wang,Xiao-Jun Lin

DOI: https://doi.org/10.1109/robio.2007.4522517

2007-01-01

Abstract:It is very useful to design adaptive LAN intrusion detection systems to improve the security of LANs. If a network connection links to an open port of an active host, it is defined as a normal one; otherwise, it is defined as an abnormal one. Rationality of the definitions is proved. Normal connections are self-bodies. A correct and complete self-body set can be used for an antibody set. If a new network connection doesn't match any self-body, it is abnormal. An adaptive antibody generation model is presented firstly. Based on it, an adaptive intrusion detection system is introduced. Experiments show that the system is feasible: the detection rate of intruders' scans is 100%, of intruders' random probes is more than 98%, and there are no false alerts.

Liang Xi,Rui-Dong Wang,Zhi-Yu Yao,Feng-Bin Zhang

DOI: https://doi.org/10.1109/tevc.2021.3058687

IF: 16.497

2021-06-01

IEEE Transactions on Evolutionary Computation

Abstract:The artificial immune system (AIS) is one of the important branches of artificial intelligence technology, and it is widely used in many fields. The detector set is the core knowledge set, and the AIS application effects are mainly determined by the generation, evolution, and detection of the detectors. Presently, the problem space (shape-space) of AIS mainly applied real-valued representation. But the real-valued detectors have some problems that have not been solved well, such as slow convergence speed of generation, holes in the nonself region, detector overlapping redundancy, dimension curse, etc., which lead to the unsatisfactory detection effects. Moreover, artificial immune anomaly detection is a dynamic adaptive model, needs to be evolved adaptively with the detection environments. Without better adaptive modeling, these problems mentioned before will get worse. In view of this, this article proposes a multisource immune detector adaptive model in neighborhood shape-space and applies it to anomaly detection: based on random, chaotic map and DNA genetic algorithm (DNA-GA), multisource neighborhood negative selection algorithm (MSNNSA), multisource neighborhood immune detector generation algorithm (MS-NIDGA), and neighborhood immune anomaly detection algorithm (NIADA) are proposed, so that the generation and detection of immune detectors can be improved efficiently; introducing immune adaptive and feedback mechanism, multisource neighborhood immune detector adaptive model (MS-NIDAM) is built, so that the detectors can be adaptively evolved in a more targeted search domain, and keep better distribution to the nonself region in real time, so as to solve various problems existing in the real-valued shape-space under dynamic environment mentioned before and improve the overall detection performances. The experimental results show that MS-NIDAM can improve the detector generation/evolution efficiency, keep the up-to-date understanding of the changing e-vironment, so as to obtain better overall detection performances and stability than other comparative methods.

computer science, artificial intelligence, theory & methods

Uwe Aickelin,Julie Greensmith

DOI: https://doi.org/10.48550/arXiv.0802.4002

2008-02-27

Neural and Evolutionary Computing

Abstract:The immune system provides an ideal metaphor for anomaly detection in general and computer security in particular. Based on this idea, artificial immune systems have been used for a number of years for intrusion detection, unfortunately so far with little success. However, these previous systems were largely based on immunological theory from the 1970s and 1980s and over the last decade our understanding of immunological processes has vastly improved. In this paper we present two new immune inspired algorithms based on the latest immunological discoveries, such as the behaviour of Dendritic Cells. The resultant algorithms are applied to real world intrusion problems and show encouraging results. Overall, we believe there is a bright future for these next generation artificial immune algorithms.

XR Yang,JY Shen,R Wang

DOI: https://doi.org/10.1109/icmlc.2002.1176712

2002-01-01

Abstract:A network intrusion detection model based on artificial immune theory is proposed in this paper. In this model, self patterns and non-self patterns are built upon frequent behaviors sequences, then a simple but efficient algorithm for encoding patterns is proposed. Based on the result of encoding, another algorithm for creating detectors is presented, which integrates a negative selection with the clonal selection. The algorithm performance is analyzed, which shows that this method can shrink each generation scale greatly and create a good niche for patterns evolving.