Artificial Immune System

This immune system is concentrated on protecting a local-area broadcast network (LAN) from network-based attacks. Broadcast LANs have the convenient property that every location (computer) sees every packet passing through the LAN. In this domain we define self to be the set of normal pairwise connections (at the TCP/IP level) between computers, including connections between two computers in the LAN as well as connections between one computer in the LAN and one external computer. A connection is defined in terms of its "data path triple": the source IP address, the destination IP address and the service (or port) by which the computers communicate. In this representation, this information is compressed to a single 49-bit string, which unambiguously defines the connection. Self is then the set of normally occurring connections observed over time on the LAN, each connection being represented by a 49-bit string. Similarly, non-self is also a set of connections (using the same 49-bit representation), the difference being that non-self consists of those connections, potentially an enormous number, that are not normally observed on the LAN.

In our AIS, we will introduce one basic type of detector cell, which combines useful properties from different immune cells. This detector cell will have several different possible states, roughly corresponding to:

1. Immature lymphocytes undergoing negative selection.
2. Naïve lymphocytes, which have never matched foreign material.
3. Memory lymphocytes, which are long lived and easily stimulated.


Each detector cell is represented by a single bit string of length l=49 bits.
There are many ways of implementing the detectors, for example, a detector could be a production rule, or a neural network, or an agent.

In this immune system we chose to implement detectors as string matching, where each detector is a string d, and detection of a string s occurs when there is a match between s and d according to a matching rule. Obvious matching rules include Hamming distance or edit distance, but we have adopted a more immunologically plausible rule called r-contiguous bits.

Two strings d and s match under the r-contiguous bits rule if d and s have the same symbols in at least r contiguous bit positions. The value r is a threshold and determines the specificity of the detector, which is an indication of the number of strings covered by a single detector. For example, if r = l, then matching is completely specific; that is, the detector will detect only a single string (itself; recall that l is the length of the detector bit string). A consequence of a partial matching rule with a threshold, such as r-contiguous bits, is that there is a trade-off between the number of detectors used and their specificity.

The detectors are grouped into sets, one set per machine, or host, on the LAN; each host loosely corresponds to a different location in the body. Because of the broadcast assumption, each detector set is constantly exposed to the current set of connections in the LAN, which it uses as a dynamic definition of self. Within each detector set, new detectors are created randomly and asynchronously on a continual schedule, similar to the natural immune system. These new detectors remain immature for some period of time, during which they have the opportunity to match any current network connections. If a detector matches while it is immature, it is killed (deleted). This process is called negative selection, and closely resembles the negative selection of immature lymphocytes in the body. A potential problem with this scheme is that a non-self packet arriving during negative selection could cause immature detectors to be erroneously eliminated. However, if we assume that non-self packets are rare (a reasonable assumption), there are likely to be other mature detectors around to detect the foreign packet.

We thus have a small loss of efficiency, from needlessly deleting a valid detector, but no appreciable loss of function.
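As an added illustration (not code from this page or from the original system), the following Python implements the r-contiguous bits rule, negative selection of randomly generated immature detectors against a self set, and matching of a probe connection against the surviving mature detectors. The 49-bit packing of the data-path triple, the sample addresses and the threshold r = 12 are assumptions, since the page does not specify them.

```python
import random
import ipaddress

L = 49  # length of every connection string and detector, as on the page

def encode_connection(lan_host_octet, other_ip, service_idx):
    """Pack a data-path triple into a 49-bit string.
    Assumed layout (the page does not give one): 8-bit LAN host octet,
    32-bit address of the other endpoint, 9-bit service index."""
    assert 0 <= lan_host_octet < 256 and 0 <= service_idx < 512
    ip = int(ipaddress.IPv4Address(other_ip))
    return f"{lan_host_octet:08b}{ip:032b}{service_idx:09b}"

def r_contiguous_match(d, s, r):
    """r-contiguous bits rule: d and s agree in >= r adjacent positions."""
    assert len(d) == len(s) == L
    run = 0
    for a, b in zip(d, s):
        run = run + 1 if a == b else 0
        if run >= r:
            return True
    return False

def negative_selection(self_set, n_candidates, r, seed=0):
    """Generate random immature detectors (seeded, so runs are repeatable)
    and delete any that match a self connection; survivors become mature."""
    rng = random.Random(seed)
    mature = []
    for _ in range(n_candidates):
        d = "".join(rng.choice("01") for _ in range(L))
        if not any(r_contiguous_match(d, s, r) for s in self_set):
            mature.append(d)
    return mature

def detect(detectors, s, r):
    """Mature detectors matching connection s (each is a step towards an alarm)."""
    return [d for d in detectors if r_contiguous_match(d, s, r)]

# Constructed sample of self: connections normally seen on the LAN.
SELF = [
    encode_connection(10, "192.0.2.25", 25),  # host .10 -> mail server, SMTP
    encode_connection(10, "192.0.2.80", 80),  # host .10 -> web server, HTTP
    encode_connection(42, "192.0.2.80", 80),  # host .42 -> web server, HTTP
]

if __name__ == "__main__":
    detectors = negative_selection(SELF, 2000, 12, seed=1)
    probe = encode_connection(10, "198.51.100.7", 23)  # constructed non-self
    print(len(detectors), "mature;", len(detect(detectors, probe, 12)), "match probe")
```

Lowering r makes each detector cover more strings, so more candidates are killed during negative selection; at r = 1 no detector can survive two distinct self strings, which is the trade-off the text describes.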

Detectors that survive this initial testing phase are promoted to mature detectors. If a mature detector d matches a sufficient number of packets, an alarm is raised. The time for which d is a naïve lymphocyte can be thought of as a learning phase. At the end of the learning phase, if d has failed to match a sufficient number of non-self packets, it becomes a memory detector with a greatly extended lifetime. Memory detectors do not replace naïve detectors, however: naïve detectors must always be present, because they are necessary for the detection of novel foreign packets; that is, they are essential to anomaly detection.


