Intrusion detection for computer systems can be treated as a pattern classification problem, but it has intrinsic characteristics that make classical pattern recognition methods hard to apply directly. The features that separate normal from anomalous states are high-dimensional; the amount of data available for the two classes is extremely unbalanced, because attacks are rare compared with normal activity; and the classes are not linearly separable, so linear methods cannot recognize the patterns involved. The natural human immune system [1–3] faces the same difficulties, yet it successfully protects the body against a vast variety of foreign pathogens. It is a self-adaptive, self-learning classifier that recognizes and classifies threats by learning, memory, and association. We have adapted the mechanisms of the human immune system to build an intrusion detection system that protects computer networks.
The idea of applying immunological principles to computer security dates from 1994, when Jeffrey Kephart designed an immune system for computers and computer networks [4]. In 1994 and 1996 Stephanie Forrest and her group proposed the negative selection algorithm to detect changes in protected data and program files [5] and to monitor Unix processes [6]. (In negative selection, candidate detectors are generated at random and every candidate that matches normal, or "self", data is eliminated, so the detectors that survive respond only to non-self.) In recent years many artificial immune systems for network intrusion detection have been proposed, such as LISYS [7,8], CDIS (Computer Defense Immune System) [9], and others. Jungwon Kim [10–13] presents a modified negative selection algorithm with niching and a novel genotype encoding scheme. Dipankar Dasgupta and his group used a genetic algorithm to evolve abnormal-pattern detectors in the complement space, and used a positive characterization method based on nearest-neighbor classification for comparison [14,15].
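The negative selection step described above, worked through as an added example (this is illustrative code written for this page, not code from the paper or from Forrest's group). It uses Forrest's r-contiguous-bits matching rule over a small constructed "self" set of bit strings; the strings, lengths and thresholds are assumptions chosen for illustration. Detectors that would respond to any self string are discarded, and the survivors are then used to flag non-self samples.

```python
import random
from typing import List, Sequence

# Constructed "self" set: bit-string encodings of normal behaviour (illustrative
# values, not data from the paper). A real system would encode e.g. windows of
# system calls or packet features into strings of this length.
LENGTH = 12
R = 5  # r-contiguous matching threshold (assumed value)
SELF = [
    "000011110000",
    "000111100001",
    "110000001111",
    "101010101010",
    "001100110011",
    "111100001110",
]


def r_contiguous_match(a: str, b: str, r: int) -> bool:
    """True if the equal-length bit strings a and b agree in at least r
    consecutive positions (the matching rule used by Forrest et al.)."""
    run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        if run >= r:
            return True
    return False


def generate_detectors(self_set: Sequence[str], length: int, r: int,
                       n_detectors: int, seed: int = 0,
                       max_attempts: int = 100_000) -> List[str]:
    """Negative selection: draw random candidates and discard every one that
    matches any self string; the survivors can only match non-self."""
    rng = random.Random(seed)
    detectors: List[str] = []
    for _ in range(max_attempts):
        if len(detectors) >= n_detectors:
            break
        cand = "".join(rng.choice("01") for _ in range(length))
        if cand in detectors:
            continue
        if any(r_contiguous_match(cand, s, r) for s in self_set):
            continue  # eliminated: it would respond to normal data
        detectors.append(cand)
    if len(detectors) < n_detectors:
        raise RuntimeError("self set too dense for this r; detector set not filled")
    return detectors


def detect(sample: str, detectors: Sequence[str], r: int) -> bool:
    """A sample is flagged as non-self if any detector matches it."""
    return any(r_contiguous_match(sample, d, r) for d in detectors)


def detection_rate(detectors: Sequence[str], r: int = R, n: int = 200,
                   seed: int = 3) -> float:
    """Fraction of n random strings outside SELF that the detector set flags."""
    rng = random.Random(seed)
    hits = tested = 0
    while tested < n:
        s = "".join(rng.choice("01") for _ in range(LENGTH))
        if s in SELF:
            continue
        tested += 1
        hits += detect(s, detectors, r)
    return hits / n


if __name__ == "__main__":
    dets = generate_detectors(SELF, LENGTH, R, 60, seed=7)
    print("self flagged:", [detect(s, dets, R) for s in SELF])
    print("random non-self detection rate:", detection_rate(dets))
```

By construction no detector ever fires on a self string, so false positives on the training self set are zero; the practical cost is the generation phase, which gets expensive as the self set grows dense for a given r, and the known "holes" of r-contiguous matching (non-self strings that no valid detector can cover).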
AIIDS is a hybrid intrusion detection system that monitors both individual hosts and the network. Its antibodies (the detectors that look for abnormal behavior) are composed of rules rather than bit strings or decimal strings, so the system can express complex data features more flexibly and can reuse existing detection rules more easily than other systems. AIIDS is made up of three detection subsystems and a console.
The immune-based host intrusion detection subsystem (AIHIDS) contains a monitoring system [16] with an integrity monitor agent, an availability monitor agent, and a confidentiality monitor agent. Each agent independently monitors one of these aspects of the host, and the agents cooperate to reach an alarm decision.
The immune-based network intrusion detection subsystem (AINIDS) extracts more than forty features from network packets and detects both known and novel intrusions using passive immune antibodies and automatic immune antibodies [17]. Passive immune antibodies inherit existing rules and detect known intrusions rapidly. Automatic immune antibodies combine statistical methods with a fuzzy reasoning system to improve detection, and can discover novel attacks. A co-stimulation signal mechanism confirms that an alarm condition actually exists before an alarm is raised, which reduces false-positive alarms. AINIDS also includes an optimization component based on clonal selection, which makes more copies of the antibodies that are performing well, so that the rules adapt to the intrusions the system encounters.
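The three AINIDS mechanisms of this paragraph (a rule antibody, clonal selection over its thresholds, and a two-signal alarm decision), as an added example that is not the paper's code. The traffic records, the inherited port-scan rule, the fitness function, the mutation range and the host-side flag used as the co-stimulation signal are all assumptions made for the illustration; the paper specifies none of them.

```python
import random
from dataclasses import dataclass
from typing import Dict, List, Sequence, Set

# Constructed per-source traffic windows (illustrative; not the paper's data and
# not the DARPA sets). syn_rate = SYN segments per minute, distinct_dports =
# number of distinct destination ports contacted; label 1 marks a port scan.
TRAIN = [
    {"src": "198.51.100.11", "syn_rate": 10,  "distinct_dports": 3,   "label": 0},
    {"src": "198.51.100.12", "syn_rate": 40,  "distinct_dports": 5,   "label": 0},
    {"src": "198.51.100.13", "syn_rate": 20,  "distinct_dports": 2,   "label": 0},
    {"src": "198.51.100.14", "syn_rate": 90,  "distinct_dports": 8,   "label": 0},
    {"src": "192.0.2.50",    "syn_rate": 500, "distinct_dports": 300, "label": 1},
    {"src": "192.0.2.51",    "syn_rate": 250, "distinct_dports": 120, "label": 1},
    {"src": "192.0.2.52",    "syn_rate": 180, "distinct_dports": 90,  "label": 1},
    {"src": "192.0.2.53",    "syn_rate": 150, "distinct_dports": 70,  "label": 1},
]

# A passive antibody: an inherited port-scan rule (assumed thresholds). It is
# tuned for loud scans and misses the two slower ones above.
PASSIVE_RULES = [{"syn_rate": 200, "distinct_dports": 50}]

# Co-stimulation signal: sources the host subsystem independently flagged
# (constructed; the paper does not say where its second signal comes from).
HOST_FLAGS: Set[str] = {"192.0.2.50", "192.0.2.52"}


@dataclass
class Antibody:
    """A rule antibody: fires when every listed feature exceeds its threshold."""
    thresholds: Dict[str, float]
    fitness: float = 0.0

    def matches(self, rec: Dict) -> bool:
        return all(rec[f] > t for f, t in self.thresholds.items())


def evaluate(ab: Antibody, records: Sequence[Dict], fp_weight: float = 1.0) -> float:
    """Fitness = true positives minus weighted false positives on labelled data."""
    tp = sum(1 for r in records if r["label"] == 1 and ab.matches(r))
    fp = sum(1 for r in records if r["label"] == 0 and ab.matches(r))
    ab.fitness = tp - fp_weight * fp
    return ab.fitness


def clonal_selection(seed_rules: Sequence[Dict[str, float]], records: Sequence[Dict],
                     generations: int = 30, clones: int = 8, keep: int = 2,
                     seed: int = 1) -> List[Antibody]:
    """Clone the best antibodies in proportion to rank, hypermutate the clones'
    thresholds, keep the fittest. Elites survive unchanged, so fitness never drops."""
    rng = random.Random(seed)
    population = [Antibody(dict(t)) for t in seed_rules]
    for ab in population:
        evaluate(ab, records)
    for _ in range(generations):
        population.sort(key=lambda a: a.fitness, reverse=True)  # stable: ties keep elites first
        elites = population[:keep]
        offspring = []
        for rank, parent in enumerate(elites):
            for _ in range(clones // (rank + 1)):  # better rank -> more clones
                child = Antibody({f: t * rng.uniform(0.7, 1.3)
                                  for f, t in parent.thresholds.items()})
                evaluate(child, records)
                offspring.append(child)
        population = elites + offspring
    population.sort(key=lambda a: a.fitness, reverse=True)
    return population[:keep]


def decide(rec: Dict, antibodies: Sequence[Antibody], host_flags: Set[str]) -> str:
    """Two-signal alarm: an antibody match alone is only 'suspect'; it becomes an
    'alarm' when the independent co-stimulation signal confirms it."""
    if not any(ab.matches(rec) for ab in antibodies):
        return "clear"
    return "alarm" if rec["src"] in host_flags else "suspect"


def decide_all(antibodies: Sequence[Antibody], records: Sequence[Dict],
               host_flags: Set[str]) -> Dict[str, str]:
    return {r["src"]: decide(r, antibodies, host_flags) for r in records}


if __name__ == "__main__":
    best = clonal_selection(PASSIVE_RULES, TRAIN)[0]
    print("evolved thresholds:", best.thresholds, "fitness:", best.fitness)
    print(decide_all([best], TRAIN, HOST_FLAGS))
```

The inherited rule scores 2 on the constructed set (it catches only the two loud scans); clonal selection lowers the SYN-rate threshold until all four scans match with no false positive, and because the parent is kept as an elite the population can never regress below the inherited rule. The decision step is deliberately conservative: a match without the second signal is recorded as suspect rather than alarmed, which is the false-positive reduction the co-stimulation mechanism is meant to provide.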
The immune-based network node intrusion detection subsystem (AINNIDS) takes the network packets addressed to the node on which it resides and performs protocol analysis in the same way that the host's own protocol stack does, so it sees the same data stream the host sees. This defeats most techniques for evading intrusion detection, which rely on the sensor and the target reassembling or interpreting the same traffic differently. It also includes application layer agents, such as an HTTP agent, an FTP agent, and an SMTP agent, that detect attacks on application layer protocols.
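Why analysing traffic exactly as the host's stack does matters, shown with an added example (not code from the paper or from AINNIDS): a TCP stream in which one segment is retransmitted with different contents over the same byte range. Which copy the receiver keeps depends on its overlap policy, so a sensor that reassembles with a different policy than the target sees a different request. The segments, the two policies and the application-layer check are constructed for the illustration; which real stacks follow which policy is not claimed here.

```python
from typing import Dict, List, Tuple

Segment = Tuple[int, bytes]  # (offset from the initial sequence number, payload)

# Constructed TCP segments of one HTTP request. The third segment retransmits
# byte range 5..15 with different contents, so the reassembled request depends
# on which copy the receiver keeps.
SEGMENTS: List[Segment] = [
    (0,  b"GET /"),
    (5,  b"index.html "),
    (5,  b"etc/passwd "),
    (16, b"HTTP/1.0\r\n\r\n"),
]


def reassemble(segments: List[Segment], policy: str) -> bytes:
    """Rebuild the byte stream under one overlap policy.
    'first': bytes already buffered win, later overlaps are ignored;
    'last':  a later segment overwrites what was buffered."""
    if policy not in ("first", "last"):
        raise ValueError(policy)
    buf: Dict[int, int] = {}
    for off, data in segments:
        for i, byte in enumerate(data):
            pos = off + i
            if policy == "first" and pos in buf:
                continue
            buf[pos] = byte
    # deliver only the contiguous prefix, as a receiving stack would
    out = bytearray()
    while len(out) in buf:
        out.append(buf[len(out)])
    return bytes(out)


def requests_sensitive_file(stream: bytes) -> bool:
    """Toy application-layer rule standing in for an HTTP agent's check."""
    return b"/etc/passwd" in stream


def sensor_vs_host(segments: List[Segment], sensor_policy: str,
                   host_policy: str) -> Tuple[bool, bool]:
    """What a sensor using sensor_policy concludes, versus what the host
    actually processes under host_policy. A mismatch is an evasion."""
    return (requests_sensitive_file(reassemble(segments, sensor_policy)),
            requests_sensitive_file(reassemble(segments, host_policy)))


if __name__ == "__main__":
    for policy in ("first", "last"):
        print(policy, reassemble(SEGMENTS, policy))
    print("sensor=first, host=last:", sensor_vs_host(SEGMENTS, "first", "last"))
```

With the sensor favouring the first copy and the host favouring the last, the sensor reports a harmless request while the host executes the sensitive one; only when the sensor's reassembly mirrors the host's do the two verdicts agree, which is the property the node-resident, host-stack-mirroring design of AINNIDS gives for free because the node is the host.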
We designed and developed AIIDS, an immune-based intrusion detection system, and then trained and tested it with data we collected from a 40+ local area network at Shenzhen University and with the 1999 DARPA Intrusion Detection Evaluation data sets. Both experiments show that AIIDS has a good detection rate for both known and novel attacks.