
Study On Key Techniques Of Immune-Inspired Intrusion Detection Based On Gene Expression Programming

Posted on: 2010-12-23
Degree: Doctor
Type: Dissertation
Country: China
Candidate: W Tang
Full Text: PDF
GTID: 1228330332485624
Subject: Communication and Information System
Abstract/Summary:
Current techniques used in computer security are not able to cope with the dynamic and increasingly complex nature of computer systems and their security. As an active defense technology, intrusion detection compensates for the defects of traditional defense technology. Some features of the biological immune system (BIS), such as detection, diversity, learning and tolerance, support the requirements of an intrusion detection system (IDS). The analogy between the BIS and IDS naturally attracts computer scientists to research immune system approaches to intrusion detection. Immune-inspired IDS show promise for future applications.

The purpose of this dissertation is to explore the framework and the key techniques of immune-inspired IDS (IIDS) by integrating two computational intelligence (CI) technologies, artificial immune system (AIS) and gene expression programming (GEP). The research work is financed by the National Natural Science Foundation (60603008) and the Hubei Province Natural Science Foundation (2007ABA342).

The main works of this dissertation are outlined as follows:

1. This dissertation presents a review of existing literature related to intrusion detection, covering the basic concepts, functions, architecture and technologies that intrusion detection systems adopt. The development, trends and disadvantages of traditional intrusion detection technology are analyzed.

2. The AIS is described in detail, especially its biological foundation, basic concepts and basic elements. An overview of research progress in IIDS shows that the basic elements (immune entity representation, affinity measure, immune algorithm) are the bottleneck of immune-inspired intrusion detection.

3. Some computational intelligence technologies that are applied to intrusion detection are discussed. After presenting the relationship between AIS and evolutionary computation (EC) and introducing the concepts of GEP, this dissertation designs a GEP-based IIDS (GEP-IIDS) prototype. In GEP-IIDS, most key modules are implemented by improving existing approaches or algorithms, such as the GEP-based chromosome representation, the immune algorithm for antibody generation, and the detection engine. In order to improve system availability, antibody pruning is proposed as a novel module.

4. The KDD CUP’99 Data Set is used for evaluation, and the mapping between the basic features of the KDD CUP’99 data and SNORT rule options is discussed. Normalization is used to preprocess the sample data. The main evaluation metrics and performance indexes of IDS effectiveness, efficiency and availability are introduced.

5. Starting from an analysis of intrusion detection rules based on computational intelligence, this dissertation designs a GEP-based rule representation, gives a selection method for terminal symbols, and defines a rule constraint grammar. Based on these, a constraint-based GEP Rule extraction algorithm (CGREA) is proposed. The computational complexity and convergence of CGREA are discussed and tested. The results show that rules based on the GEP representation are effective and simple, and that CGREA performs significantly well in detection effect and time-space cost.

6. Immune intrusion detection has two drawbacks, namely scalability and coverage, and these are the main barriers to turning it into a successful, effective IDS. To solve this problem, this dissertation modifies the basic elements of the system:
   (1) A feature-gene representation for antigens and a constraint-based GEP representation for antibodies are given.
   (2) An avidity (affinity) function is designed by weighting feature priorities.
   (3) By introducing avidity theory, an avidity-theory-based clonal selection (ATCS) algorithm is proposed. A balance factor k is used to balance the weight of self and non-self avidity when evaluating an antibody. The ATCS algorithm integrates negative selection and positive selection.
   The experimental results indicate that system performance is improved, with a higher detection rate for unknown attacks, a lower false alarm rate and lower complexity.

7. Two key techniques in GEP-IIDS, antibody pruning and the detection engine, are investigated:
   (1) By analyzing the non-self space coverage of the antibodies generated by the CGREA and ATCS algorithms, a GEP-based Abs Pruning (GAP) algorithm is designed for GEP-IIDS. Using different pruning sample sets, redundant antibodies can be detected and dropped in simple steps without affecting detection performance.
   (2) An adaptive intrusion detection engine (AIDE) is proposed to increase the detection rate for previously unknown attacks. By adjusting the order of the detection rules, AIDE adapts to the detection requirements of the system.
   The test results show that both the GAP algorithm and AIDE can improve detection efficiency and system availability.

In summary, this dissertation introduces GEP into immune-inspired intrusion detection and gives a GEP-based IIDS prototype. Key techniques such as antigen representation, GEP-based antibody representation, the immune algorithm, antibody pruning and the detection engine are explored. The performance of the immune-inspired intrusion detection system is improved in terms of scalability, coverage and computing complexity. The work in this dissertation is important to the application research of AIS and also significant for hastening the integration and development of computational intelligence technologies.
Keywords/Search Tags: intrusion detection, computational intelligence, immune system, gene expression programming, clonal selection