SPIE Startup Challenge 2015 Founding Partner - JENOPTIK Get updates from SPIE Newsroom
  • Newsroom Home
  • Astronomy
  • Biomedical Optics & Medical Imaging
  • Defense & Security
  • Electronic Imaging & Signal Processing
  • Illumination & Displays
  • Lasers & Sources
  • Micro/Nano Lithography
  • Nanotechnology
  • Optical Design & Engineering
  • Optoelectronics & Communications
  • Remote Sensing
  • Sensing & Measurement
  • Solar & Alternative Energy
  • Sign up for Newsroom E-Alerts
  • Information for:
SPIE Photonics West 2017 | Register Today

OPIE 2017

OPIC 2017

SPIE Defense + Commercial Sensing 2017 | Register Today




Print PageEmail PageView PDF

Optoelectronics & Communications

An intrusion detection system based on immune mechanisms

A bio-inspired approach affords better protection from both known and novel network attacks.
22 October 2006, SPIE Newsroom. DOI: 10.1117/2.1200609.0282

Intrusion detection for computer systems can be seen as a problem of pattern classification, but the system must deal with some intrinsic characteristics that make it very difficult to detect intrusions directly using classical pattern recognition methods. For example, normal and anomalous states are distinguished using features that are multi-dimensional, and there is extreme asymmetry in the amount of data available for these two sets of states. Furthermore, the patterns involved cannot be recognized by linear methods. The natural human immune system1–3 faces the same difficulties, but successfully protects the body against a vast variety of foreign pathogens. It is a self-adaptive and self-learning classifier that can recognize and classify threats by learning, memory, and association. We have adapted the mechanisms of the human immune system to build an intrusion detection system to protect computer networks.

The idea of applying immunological principles to computer security began in 1994. Jeffrey Kephart designed an immune system for computers and computer networks.4 In 1994 and 1996 Stephanie Forrest and her group proposed a negative selection algorithm to detect changes in protected data and program files5 and to monitor Unix processes.6 (In negative selection, detectors that respond to normal conditions are eliminated.) In recent years, many artificial immune systems for network intrusion detection have been proposed such as LISYS,7,8 CDIS (Computer Defense Immune System),9 and others. Jungwon Kim10–13 presents a modified negative selection algorithm with niching and a novel genotype encoding scheme. Dipankar Dasgupta and his group used a genetic algorithm to evolve abnormal pattern detectors in the complement space and used a positive characterization method based on nearest-neighbor classification for comparison.14,15

AIIDS is a hybrid intrusion detection system that monitors both individual hosts and the network. In it, antibodies (the detectors that look for abnormal behavior) are composed of rules rather than bit strings or decimal strings. The system can express complex data features more flexibly and can inherit available rules more easily than other systems. AIIDS is made up of three detection subsystems and a console.

The immune-based host intrusion detection subsystem (AIHIDS) contains a monitoring system16 that includes an integrality monitor agent, an availability monitor agent, and a confidentiality monitor agent. Each independently monitors a different aspect of a system, and cooperates with the others to make an alarm decision.

The immune-based network intrusion detection subsystem (AINIDS) can extract more than forty features from network packets and detect old and new intrusions using passive immune antibodies and automatic immune antibodies.17 Passive immune antibodies inherit available rules and can detect known intrusions rapidly. Automatic immune antibodies integrate statistical methods with a fuzzy reasoning system to improve detection, and can discover novel attacks. The perfect co-stimulation signal mechanism was built to confirm that an alarm condition exists and to reduce false-positive alarms. AINIDS also includes an optimization component based on the clonal selection process, which creates more of the antibodies that are performing well and makes it possible for the rules to adapt to intrusions.

The immune-based network node intrusion detection subsystem (AINNIDS) takes network packets targeted at the network node on which it resides and performs protocol analysis in the same way the protocol stacks of the host do. It can defeat most techniques for evading intrusion detection. Also, it includes many application layer agents, such as an HTTP agent, an FTP agent, and an SMTP agent, to detect attacks based on application layer protocols.


We designed and developed an immune-based intrusion detection system, AIIDS, and then trained and tested it using data that we collected from a 40+ local area network at Shenzhen University and with data from the 1999 DARPA intrusion-detection-evaluation data sets. Both experiments show that AIIDS has a good detection rate for both known and novel attacks.

Yan Qiao
College of Information Engineering, Shenzhen University
Shenzhen, China

Yan Qiao was born in 1972. She received her PhD in Information and Communication from Xidian University in 2003 and is currently an associate professor at Shenzhen University. She has published more than 20 papers in academic journals and the proceedings of international conferences. Her current research interests include network security and artificial immune systems.

1. Steven A. Hofmeyr, An Interpretative Introduction to the Immune System,
Design Principles for the Immune System and other Distributed Autonomous Systems.,
Oxford University Press, 2000.
2. S. Forrest, S. Hofmeyr, A. Somayaji, Computer immunology,
Comm. ACM,
Vol: 40, no. 10, pp. 88-96, 1997.
4. Jeffrey O. Kephart, A biologically inspired immune system for computers,
Artificial Life IV: Proc. Fourth Int'l Workshop on the Synthesis and Simulation of Living Systems.
5. Stephanie Forrest, Alan S. Perelson, and Lawrence Allen, Self-Noself Discrimination in a Computer,
Proc. 1994 IEEE Symp. on Research in Security and Privacy,
Los Alamos, CA, 1994.
6. S. Forrest, S. A. Hofmeyr,et al., A sense of self for Unix processes,
IEEE Symp. on Security and Privacy,
pp. 120-128, IEEE Computer Society, Oakland and California, 1996.
7. Steven A. Hofmeyr, Phd thesis, department of computer sciences,
An Immunological Model of Distributed Detection and its Application to Computer Security,
University of New Mexico, Albuquerque, NM, 1999.
8. Justin Balthrop, Stephanie Forrest, and Matthew Glickman, Revisting LISYS: Parameters and Normal Behavior,
Proc. 2002 Congress on Evolutionary Computation,
pp. 1045-1050, IEEE Press, Piscataway, NJ, 2002.
9. Paul Williams, Kevin Anchor, John Bebo, Gregg Gunsch, and Gary Lamont, CDIS: Towards a Computer Immune System for Detecting Network Intrusions,
Proc. 4th Int'l Symp., Recent Advances in Intrusion Detection 2001,
pp. 117-133, Springer-Verlag, Berlin, 2001.
10. Jungwon Kim and Peter Bentley, The Artificial Immune Model for Network Intrusion Detection,
7th Euro. Conf. on Intelligent Techniques and Soft Computing (EUFIT'99),
Aachen, Germany, 1999.
12. Jungwon Kim and Peter Bentley, An Evaluation of Negative Selection in an Artificial Immune System for Network Intrusion Detection,
Genetic and Evolutionary Comp. Conf. 2001 (GECCO-2001),
pp. 1330-1337, San Francisco, CA, 2001.
14. Dipankar Dasgupta, Immunity-Based Intrusion Detection Systems: A General Framework,
Proc. 22nd National Information Systems Security Conf. (NISSC),
16. Yan Qiao, Xie Weixin, and Yangbin Songge, An anomaly intrusion detection method based on HMM,
Electronics Letters,
Vol: 38, no. 13, pp. 663-664, 2002.