
Use of genetic algorithms for intrusion detection in networks (original title: Utilisation des algorithmes genetiques pour la detection d'intrusions dans les reseaux)

Posted on: 2008-08-05
Degree: M.Sc.A
Type: Thesis
University: Ecole Polytechnique, Montreal (Canada)
Candidate: Kacem, Faiza
Full Text: PDF
GTID: 2448390005972545
Subject: Engineering
Abstract/Summary:
One of the key components of the arsenal of protection tools is the Intrusion Detection System (IDS). These systems examine network traffic as well as system and application logs in order to discriminate between normal, non-malicious traffic (white traffic) and malicious traffic (black traffic), raising intrusion alarms when the latter is detected. However, they show several deficiencies and operational limits. One of the main problems is the high rate of false positives, i.e. the erroneous flagging of non-malicious traffic as intrusive. For some organisations, the number of daily alarms generated can exceed several tens or even hundreds of thousands, greatly reducing their effectiveness and consuming human effort, since security analysts end up devoted almost entirely to updating the IDS rule databases and analysing the audit logs. Furthermore, their calibration and tuning is complex, as they have to be adapted manually to each operating environment.

Genetic Algorithms (GA), inspired by Darwin's theory of evolution, have been used to evolve the IDS detection rule set in a number of previous works in order to address these problems. The results obtained are interesting but still limited, since these works did nothing but evolve a single rule set, and their performance had been based on the performance of the best rule resulting from the GA.

This presents, from our point of view, a worse performance than if the evolution is made with several sets of rules. This intuitive hypothesis, based on the practical experience of an intrusion detection analyst, seems relevant to us. In fact, an analyst receiving a large number of alarms generated separately by each rule of the IDS will not be able to consider each alarm individually, but will process them in a grouped fashion and correlate the results to evaluate their relevance.

We also formulate the hypothesis that the evolution of several sets of rules would enable the emergence of an adaptive capability to multiple environments, not present in single rule-set evolution, and would thus result in better performance when the environmental conditions change. Indeed, all previous work presented an evolution adapted to a particular and stationary environment, which yielded better performance in that environment but not the emergence of multi-environmental adaptability.

Trying to address some of these problems has been the motivation of this master's thesis. Our objective is to present a Genetic Algorithms-based IDS in order to verify the correctness of the intuitive hypothesis formulated above. We also try to define the performance of a set of rules and to check that such performance is better than single-rule performance, particularly when the environmental conditions change.

Our proposal thus consists of an alternative GA based on multilevel evolution, where both rules and rule sets are subject to fitness evaluation and hence to evolutionary pressure. We do this in order to allow a certain versatility to emerge in the individuals (rule sets) resulting from training. We have also studied the effect of diversifying the evolution environment on the performance of the IDS resulting from this algorithm.

In order to evaluate the performance of this algorithm, we built this multi-level IDS-GA and proceeded with its experimental evaluation. It was compared to two reference GA-based IDS modelling the one-level evolution adopted in most of the previous work, where fitness functions are applied only to single rules. While the results obtained show that the performance of this IDS-GA is superior, they unfortunately did not allow us to show indisputably the relevance of this choice and to verify the correctness of the hypotheses formulated, stipulating that (a) a set of not necessarily optimised rules would have a better detection capacity than a unique rule, and (b) that rules not necessarily highly optimised to a particular environment would be able to adapt better to an environmental change. This underachievement is mainly due to the data set chosen, extracted from the Competition in Data Mining and Knowledge Discovery in Databases (KDD CUP) and itself based on the DARPA IDS test data set, which did not present sufficient complexity and contained no gray traffic, so that simple rules quickly acquired good performance.

Despite these limitations, the results obtained do seem to indicate that our choice could perform better in a more complex environment, allowing us to hope that we are heading in the right direction towards the development of a new generation of IDS based on evolutionary algorithms, potentially capable of adapting to changes in their operating environments. (Abstract shortened by UMI.)
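The following is an added illustration of the multilevel scheme the abstract describes, written for this page; it is not code from the thesis. It compares a one-level GA (a population of single interval rules, selection on rule fitness only, best rule kept as the detector) with a two-level GA (rules hill-climbed on their own fitness inside each set, while whole rule sets compete on set fitness). The connection records are constructed and only loosely modelled on KDD CUP style fields, the box-shaped rule representation, the fitness "detection rate minus false-positive rate" and all parameter values are assumptions chosen for the demonstration. The data deliberately contains two attack shapes that no single conjunctive rule can cover without also matching normal traffic, which is exactly the situation where a set of rules should beat the best single rule.

```python
import random

# Constructed feature space (assumption, loosely modelled on KDD CUP style connection fields)
FEATURES = ["duration", "src_bytes", "dst_bytes", "failed_logins"]
RANGES = {"duration": (0, 60), "src_bytes": (0, 2000), "dst_bytes": (0, 5000), "failed_logins": (0, 10)}

def make_dataset(n, seed):
    """Constructed records (label 1 = attack) with two attack shapes that no single box rule
    can cover without also matching normal traffic."""
    rng, data = random.Random(seed), []
    for _ in range(n):
        rec = {"duration": rng.randint(1, 30), "src_bytes": rng.randint(100, 2000),
               "dst_bytes": rng.randint(100, 5000), "failed_logins": 0}  # normal session
        r = rng.random()
        if r < 0.15:    # probe-like: instantaneous, tiny request, no reply
            rec.update(duration=0, src_bytes=rng.randint(0, 50), dst_bytes=0)
        elif r < 0.30:  # password guessing: otherwise normal, many failed logins
            rec.update(duration=rng.randint(5, 60), failed_logins=rng.randint(3, 10))
        data.append((rec, 1 if r < 0.30 else 0))
    return data

def rule_matches(rule, rec):
    """A rule is a conjunction of interval tests; a match means 'raise an alarm'."""
    return all(lo <= rec[f] <= hi for f, (lo, hi) in rule.items())

def ruleset_matches(rules, rec):
    return any(rule_matches(r, rec) for r in rules)

def rates(predict, data):
    """(detection rate, false-positive rate) of an alarm predicate over labelled data."""
    pos = [rec for rec, label in data if label]
    neg = [rec for rec, label in data if not label]
    return sum(map(predict, pos)) / max(len(pos), 1), sum(map(predict, neg)) / max(len(neg), 1)

def fitness(predict, data):
    dr, fpr = rates(predict, data)
    return dr - fpr  # reward detections, penalise false alarms; ranges over [-1, 1]

rule_fitness = lambda rule, data: fitness(lambda rec: rule_matches(rule, rec), data)
set_fitness = lambda rules, data: fitness(lambda rec: ruleset_matches(rules, rec), data)

def random_rule(rng, data):
    """Seed a rule from one attack record: a box around two of its feature values."""
    rec, rule = rng.choice([r for r, label in data if label == 1]), {}
    for f in rng.sample(FEATURES, 2):
        lo, hi = RANGES[f]
        w = rng.randint(0, (hi - lo) // 4)
        rule[f] = (max(lo, rec[f] - w), min(hi, rec[f] + w))
    return rule

def mutate_rule(rng, rule):
    """Shift one bound of one interval by a small step, staying inside RANGES."""
    rule, f = dict(rule), rng.choice(list(rule))
    (lo, hi), (fmin, fmax) = rule[f], RANGES[f]
    step = rng.randint(-(fmax - fmin) // 10, (fmax - fmin) // 10)
    if rng.random() < 0.5:
        rule[f] = (max(fmin, min(lo + step, hi)), hi)
    else:
        rule[f] = (lo, min(fmax, max(hi + step, lo)))
    return rule

def tournament(rng, ranked, k=3):
    """Rank-based tournament: the best of k random picks (index 0 is the fittest)."""
    return ranked[min(rng.sample(range(len(ranked)), k))]

def evolve_rules(data, rng, pop=48, gens=25):
    """One-level evolution (the reference approach): single rules under rule fitness only;
    the best single rule is the resulting detector."""
    population = [random_rule(rng, data) for _ in range(pop)]
    for _ in range(gens):
        ranked = sorted(population, key=lambda r: rule_fitness(r, data), reverse=True)
        children = [ranked[0]]  # elitism
        while len(children) < pop:
            children.append(mutate_rule(rng, tournament(rng, ranked)))
        population = children
    return max(population, key=lambda r: rule_fitness(r, data))

def evolve_rulesets(data, rng, pop=16, set_size=4, gens=25):
    """Two-level evolution: rules hill-climb on rule fitness, sets compete on set fitness."""
    population = [[random_rule(rng, data) for _ in range(set_size)] for _ in range(pop)]
    for _ in range(gens):
        for rs in population:  # level 1: a rule keeps a mutant only if it improves
            for i, r in enumerate(rs):
                m = mutate_rule(rng, r)
                rs[i] = m if rule_fitness(m, data) > rule_fitness(r, data) else r
        ranked = sorted(population, key=lambda rs: set_fitness(rs, data), reverse=True)
        children = [ranked[0]]  # level 2: elitism, tournament, uniform crossover
        while len(children) < pop:
            a, b = tournament(rng, ranked), tournament(rng, ranked)
            child = [rng.choice(pair) for pair in zip(a, b)]
            if rng.random() < 0.3:  # set-level mutation: inject a fresh rule
                child[rng.randrange(set_size)] = random_rule(rng, data)
            children.append(child)
        population = children
    return max(population, key=lambda rs: set_fitness(rs, data))

def compare(seed=7):
    """Train both detectors on one dataset; return (DR, FPR) of each on held-out data."""
    rng = random.Random(seed)
    train, test = make_dataset(300, seed), make_dataset(300, seed + 1)
    best_rule, best_set = evolve_rules(train, rng), evolve_rulesets(train, rng)
    return {"single_rule": rates(lambda rec: rule_matches(best_rule, rec), test),
            "rule_set": rates(lambda rec: ruleset_matches(best_set, rec), test)}
```

Calling `compare()` trains both detectors on one constructed sample and scores them on a second, held-out sample. The single best rule tops out near the share of whichever attack shape it covers, because the constructed classes are separated only by different feature pairs; the evolved set reaches a much higher detection rate at a comparably low false-positive rate. The level-1 step accepts a mutant only when the rule's own fitness improves, and the level-2 step ranks whole sets, so both kinds of evolutionary pressure act at once, as the abstract proposes. Note that the constructed data is as easy as the KDD CUP data the abstract criticises: simple rules reach good fitness quickly, so this demonstrates the mechanism, not the environment-change hypothesis.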
Keywords/Search Tags:IDS, Detection, Evolution, Intrusion, Performance, Environment, Rules