Network-based IDS closely resemble AIS in their protective functions. Kim studied intrusion detection based on the clone selection and negative selection mechanisms. The experimental results he provided showed that using a negative detection operator was a key factor in keeping the false positive rate low. Antibodies are responsible for detecting pathogens, so their creation, evolution and operation are the key steps in modeling an AIS. Thus, how to simulate the updating of the gene set, negative selection and clone selection is the vital job in establishing an intrusion detection system in terms of AIS principles. Table 1 lists the comparison of concepts in AIS and IDS.
Table 1. Comparison on Conceptions in AIS and IDS

AIS                  | IDS
---------------------|---------------------------------------------------
Antibody             | Checking pattern
Antigen              | Nonself pattern
Binding              | Checking pattern matching with the nonself pattern
Negative selection   | Negative selection
Lymphocyte clone     | Monitor copy
Antigen monitoring   | The monitoring of IDS
Clearing antigen     | Monitor response
3 Similarity Distance of Network Behavior
3.1 Behavior Modeling
In this paper, a network behavior is described by a vector of highly correlated attributes. Generally, these attributes mainly include: service type (srvType), source address (srcIP), source port (srvPort), destination address (dstIP), destination port (dstPort), duration (dur), number of bytes sent from the source port (srcBytes), number of bytes sent to the destination port (dstBytes), and state (flag). Therefore, each network behavior is expressed by a 9-dimensional vector as in equation (1),
X = [\text{srvType}, \text{srcIP}, \text{srvPort}, \text{dstIP}, \text{dstPort}, \text{dur}, \text{srcBytes}, \text{dstBytes}, \text{flag}]^{T} \quad (1)
According to their data types, the elements of vector X can be sorted into two parts: (1) Character elements. The result of a matching operation on them is simply TRUE or FALSE. Such elements are suitable for the analogy reasoning algorithm that will be discussed in this paper. Elements of this type are service type (srvType), source address (srcIP), source port (srvPort), destination address (dstIP), destination port (dstPort), state (flag), and so on. (2) Numerical elements. The value of such an element is a number, and the result of comparing two of them is also a number, not a boolean value. These elements do not fit the formula proposed in this paper. They
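As an added illustration (not the paper's code, and not taken from Kim's system), the following Python defines the 9-dimensional behavior vector of equation (1), splits it into the character and numerical elements just described, and applies the Table 1 correspondence: a checking pattern (antibody) that binds a self behavior is discarded by negative selection, and the surviving checking patterns flag nonself traffic during monitoring. The comma-separated record format, the use of None as a wildcard in a checking pattern, and the sample connection records are constructed assumptions for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed example: the 9-dimensional behavior vector X of equation (1),
# its split into character and numerical elements, and a negative-selection
# filter over candidate checking patterns (the "antibodies" of Table 1).

CHARACTER_ELEMENTS = ("srvType", "srcIP", "srvPort", "dstIP", "dstPort", "flag")
NUMERICAL_ELEMENTS = ("dur", "srcBytes", "dstBytes")


@dataclass(frozen=True)
class Behavior:
    srvType: str
    srcIP: str
    srvPort: str
    dstIP: str
    dstPort: str
    dur: float
    srcBytes: int
    dstBytes: int
    flag: str


def parse_record(line: str) -> Behavior:
    """Parse one comma-separated record (assumed format) in the order of equation (1)."""
    f = [x.strip() for x in line.split(",")]
    if len(f) != 9:
        raise ValueError(f"expected 9 fields, got {len(f)}: {line!r}")
    return Behavior(f[0], f[1], f[2], f[3], f[4], float(f[5]), int(f[6]), int(f[7]), f[8])


def character_match(a: Behavior, b: Behavior) -> Dict[str, bool]:
    """Character elements compare to TRUE or FALSE only."""
    return {k: getattr(a, k) == getattr(b, k) for k in CHARACTER_ELEMENTS}


def numerical_diff(a: Behavior, b: Behavior) -> Dict[str, float]:
    """Numerical elements compare to a number (absolute difference), not a boolean."""
    return {k: abs(getattr(a, k) - getattr(b, k)) for k in NUMERICAL_ELEMENTS}


# A checking pattern constrains character elements; a missing key (or None) is a
# wildcard. It "binds" a behavior when every constrained element matches exactly.
CheckingPattern = Dict[str, Optional[str]]


def binds(pattern: CheckingPattern, x: Behavior) -> bool:
    return all(v is None or getattr(x, k) == v for k, v in pattern.items())


def negative_selection(candidates: List[CheckingPattern],
                       self_set: List[Behavior]) -> List[CheckingPattern]:
    """Discard every candidate that binds any self behavior; the rest become detectors."""
    return [p for p in candidates if not any(binds(p, s) for s in self_set)]


def monitor(detectors: List[CheckingPattern], traffic: List[Behavior]) -> List[Behavior]:
    """Return the behaviors flagged as nonself, i.e. bound by some surviving detector."""
    return [x for x in traffic if any(binds(d, x) for d in detectors)]


# Constructed sample data: normal (self) traffic and candidate checking patterns.
SELF_RECORDS = [
    "http, 10.0.0.2, 45120, 10.0.0.5, 80, 0.3, 512, 2048, SF",
    "http, 10.0.0.3, 51002, 10.0.0.5, 80, 0.8, 640, 4096, SF",
    "dns, 10.0.0.2, 53311, 10.0.0.1, 53, 0.01, 60, 120, SF",
]
SELF_SET = [parse_record(r) for r in SELF_RECORDS]

CANDIDATE_PATTERNS: List[CheckingPattern] = [
    {"dstPort": "80"},                  # binds self traffic, so negative selection drops it
    {"srvType": "telnet"},              # survives: no self behavior uses telnet
    {"dstPort": "23", "flag": "S0"},    # survives: no self behavior matches
]

# Constructed traffic to monitor: the self set plus one telnet connection.
TRAFFIC = SELF_SET + [parse_record("telnet, 10.0.0.9, 40011, 10.0.0.5, 23, 2.5, 30, 0, S0")]

if __name__ == "__main__":
    detectors = negative_selection(CANDIDATE_PATTERNS, SELF_SET)
    print("surviving checking patterns:", detectors)
    for x in monitor(detectors, TRAFFIC):
        print("flagged nonself behavior:", x)
```

Only the character elements take part in binding, which is exactly the boolean matching the text reserves for the analogy reasoning algorithm; numerical_diff is kept separate to show why dur, srcBytes and dstBytes do not fit that formula.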