Integrating Innate and Adaptive Immunity for
Intrusion Detection
Gianni Tedesco, Jamie Twycross, and Uwe Aickelin
School of Computer Science & IT (ASAP)
University of Nottingham
NG8 1BB
{gxt, jpt, uxa}@cs.nott.ac.uk
Abstract. Network Intrusion Detection Systems (NIDS) monitor a network with the aim of discerning malicious from benign activity on that network. While a wide range of approaches have met varying levels of success, most IDSs rely on having access to a database of known attack signatures which are written by security experts. Nowadays, in order to solve problems with false positive alerts, correlation algorithms are used to add additional structure to sequences of IDS alerts. However, such techniques are of no help in discovering novel attacks or variations of known attacks, something the human immune system (HIS) is capable of doing in its own specialised domain. This paper presents a novel immune algorithm for application to an intrusion detection problem. The goal is to discover packets containing novel variations of attacks covered by an existing signature base.
Keywords: Intrusion Detection, Innate Immunity, Dendritic Cells.
1 Introduction
Network intrusion detection systems (NIDS) are usually based on a fairly low-level model of network traffic. While this is good for performance, it tends to produce results which only make sense at a similarly low level, which means that a fairly sophisticated knowledge of both networking technology and infiltration techniques is required to understand them.
Intrusion alert correlation systems attempt to solve this problem by post-processing the alert stream from one or many intrusion detection sensors (perhaps even heterogeneous ones). The aim is to augment the somewhat one-dimensional alert stream with additional structure. Such structural information clusters alerts into “scenarios” - sequences of low-level alerts corresponding to a single logical threat.
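The following is an added example, not code from the paper, showing one way to cluster low-level alerts into scenarios: each alert type is a node of a small attack graph that lists the conditions it requires (prerequisites) and the conditions it establishes (consequences), and an alert is attached to a scenario that has already established one of its prerequisites on the same target host. The attack graph, the alert type names, the field names and the sample alert stream are all constructed for illustration.

```python
"""Attack-graph alert correlation: cluster low-level NIDS alerts into scenarios.

Added example (not from the paper). ATTACK_GRAPH, the alert type names,
the condition labels and SAMPLE_ALERTS are constructed assumptions.
"""

# Constructed attack graph. For each alert type: the conditions an attacker
# must already hold on the target host ("requires") and the conditions the
# alert establishes on that host if it succeeds ("provides").
ATTACK_GRAPH = {
    "port_scan":       {"requires": set(),              "provides": {"knows_services"}},
    "ftp_exploit":     {"requires": {"knows_services"}, "provides": {"shell_access"}},
    "privilege_esc":   {"requires": {"shell_access"},   "provides": {"root_access"}},
    "rootkit_install": {"requires": {"root_access"},    "provides": {"persistence"}},
}


def correlate(alerts):
    """Group a time-ordered alert stream into scenarios.

    alerts: list of dicts with keys time, type, src, dst (sorted by time).
    A prerequisite-free alert starts a new scenario. Any other alert joins the
    first scenario that has established at least one of its prerequisites on
    the same destination host (the usual prerequisite/consequence matching
    rule); if no scenario has, the alert is reported as unlinked.
    Returns (scenarios, unlinked), where each scenario is a list of alerts.
    """
    scenarios = []  # each: {"alerts": [...], "state": {(condition, host), ...}}
    unlinked = []
    for alert in alerts:
        node = ATTACK_GRAPH.get(alert["type"])
        if node is None:  # alert type unknown to the graph: cannot be placed
            unlinked.append(alert)
            continue
        host = alert["dst"]
        needed = {(cond, host) for cond in node["requires"]}
        gained = {(cond, host) for cond in node["provides"]}
        if not needed:  # no prerequisites: this alert opens a scenario
            scenarios.append({"alerts": [alert], "state": set(gained)})
            continue
        for scenario in scenarios:
            if needed & scenario["state"]:  # a prerequisite was established here
                scenario["alerts"].append(alert)
                scenario["state"] |= gained
                break
        else:
            unlinked.append(alert)
    return [s["alerts"] for s in scenarios], unlinked


def scenario_summary(scenario):
    """Render one scenario as 'dst: type -> type -> ...' for a human reader."""
    return f'{scenario[0]["dst"]}: ' + " -> ".join(a["type"] for a in scenario)


# Constructed sample alert stream: a full chain against 192.168.1.10, a lone
# scan of 192.168.1.20, and a privilege escalation on .20 whose prerequisite
# (shell access) no sensor reported.
SAMPLE_ALERTS = [
    {"time": 1, "type": "port_scan",       "src": "10.0.0.5", "dst": "192.168.1.10"},
    {"time": 2, "type": "ftp_exploit",     "src": "10.0.0.5", "dst": "192.168.1.10"},
    {"time": 3, "type": "port_scan",       "src": "10.0.0.9", "dst": "192.168.1.20"},
    {"time": 4, "type": "privilege_esc",   "src": "10.0.0.5", "dst": "192.168.1.10"},
    {"time": 5, "type": "privilege_esc",   "src": "10.0.0.9", "dst": "192.168.1.20"},
    {"time": 6, "type": "rootkit_install", "src": "10.0.0.5", "dst": "192.168.1.10"},
]

if __name__ == "__main__":
    found, loose = correlate(SAMPLE_ALERTS)
    for s in found:
        print("scenario:", scenario_summary(s))
    for a in loose:
        print("unlinked:", a["type"], "on", a["dst"], "(prerequisite never observed)")
```

On the sample stream this yields two scenarios (the four-step chain against 192.168.1.10 and the single scan of 192.168.1.20) and leaves the privilege escalation on 192.168.1.20 unlinked. That unlinked alert is exactly the case the paper's motivation points at: either the sensor missed the step that established shell access, or that step was a variation the signature base does not cover, so unlinked alerts are worth surfacing rather than discarding.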
A common model for intrusion alert correlation algorithms is that of the
attack graph. Attack graphs are directed acyclic graphs (DAGs) that represent
the various types of alerts in terms of their prerequisites and consequences.
Typically an attack graph is created by an expert from a priori information
about attacks. The attack graph enables a correlation component to link a given