Immunocomputing Model of Intrusion Detection
Yuri Melnikov and Alexander Tarakanov
International Solvay Institutes for Physics and Chemistry
Campus Plaine, ULB, CP 231, Bd. du Triomphe, Brussels 1050, Belgium
imelniko@ulb.ac.be, tar@iias.spb.su
Abstract. The paper proposes an immunocomputing model of intrusion detection
based on a mathematical notion of formal immune network. An application
example is provided using a software emulator of an immunochip.
Keywords: immunocomputing, formal immune networks, immunochip
The biomolecular level of the natural immune system provides inspiration for various
mathematical models (see, e.g., [5]). However, the information processing capabilities
of artificial immune systems have only been recently appreciated [2], [4]. The
mathematical formalization of these capabilities forms the basis of the new
immunocomputing (IC) approach [11].
One of the key notions of this approach is the formal immune network (FIN), inspired by
N. Jerne's network theory of the immune system [7]. Possible applications of FIN to
information security (IS) are discussed in [8].
The present paper develops an IC model of intrusion detection in computer networks.
The model includes data fusion by singular value decomposition (SVD) and
pattern recognition by a special variant of FIN. The model is implemented as a version
of the software emulator of an immunochip [10]. A numerical example is provided
using a model of a local area network of the US Air Force [1].
Generally, IS data are multi-dimensional real values. In principle, FIN is able to
perform pattern recognition over such data. However, more effective and visual data mining
can be provided by using the concept of a low-dimensional “shape space” proposed by
[3]. An IC model of mapping real-life data to such a shape space of FIN has been
proposed by [11]. This data fusion by IC is based on rigorous mathematical properties
of SVD. Consider a brief description of the IC model in terms of intrusion detection.
Let $x_1, \ldots, x_n$ be indicators of the network connection. Let
$X = [x_1, \ldots, x_n]^T$ be the column vector of a network connection record,
where "$T$" is the transposition symbol. Consider a training matrix
$M = [X_1, \ldots, X_m]^T$ of dimension $m \times n$, where $X_1, \ldots, X_m$ are records
of network connections with known behavior: normal ("self") or intrusion ("nonself").
Compute the SVD of this matrix and select some right singular vector $R_k$ as an
“antibody-probe”. Consider any network connection record vector $Z$, and define its
“binding energy” $w(Z) = Z^T R_k / s_k$, where $s_k$ is the $k$-th singular value.
Thus, any $n$-dimensional vector $Z$ can be reduced to the one-dimensional value of its
binding energy with the probe. Selecting one, two, or three right singular vectors as
probes, we obtain a mapping of any $n$-dimensional data to one-, two-, or
three-dimensional (1D, 2D, 3D) shape spaces. Note that the reduction is optimal in the
sense of mean square error, according to the properties of SVD [6].
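The mapping described above, as an added example that is not code from the paper or from the immunochip emulator. The records and indicator names are constructed for illustration, and the right singular vectors are obtained by power iteration on $M^T M$ with deflation (a stand-in for a library SVD routine, so only the standard library is needed).

```python
# Added example: SVD "antibody-probes" and binding energy w(Z) = Z^T R_k / s_k.
import math

# Constructed records; columns are hypothetical indicators x_1..x_4:
# duration_s, kbytes_sent, failed_logins, connections_last_2s
M = [[1, 5, 0, 2], [2, 6, 0, 3], [1, 4, 0, 2],        # "self" (normal)
     [0, 0, 5, 40], [0, 1, 6, 50], [0, 0, 4, 45]]     # "nonself" (intrusion)
LABELS = ["self"] * 3 + ["nonself"] * 3

def matvec(A, v):
    return [sum(a * b for a, b in zip(row, v)) for row in A]

def probes(M, k, iters=500):
    """Return [(s_1, R_1), ..., (s_k, R_k)]: singular values and right
    singular vectors of M, via power iteration on M^T M with deflation."""
    n = len(M[0])
    G = [[sum(r[i] * r[j] for r in M) for j in range(n)] for i in range(n)]
    found = []
    for _ in range(k):
        v = [1.0 / math.sqrt(n)] * n
        for _ in range(iters):
            w = matvec(G, v)
            norm = math.sqrt(sum(x * x for x in w))
            v = [x / norm for x in w]
        lam = sum(a * b for a, b in zip(v, matvec(G, v)))   # lam = s_k ** 2
        found.append((math.sqrt(lam), v))
        # Deflate: remove the component just found so the next pass finds R_{k+1}.
        G = [[G[i][j] - lam * v[i] * v[j] for j in range(n)] for i in range(n)]
    return found

def binding_energy(Z, probe):
    """w(Z) = Z^T R_k / s_k for one probe (s_k, R_k)."""
    s_k, R_k = probe
    return sum(z * r for z, r in zip(Z, R_k)) / s_k

def to_shape_space(Z, probe_list):
    """Map an n-dimensional record to a len(probe_list)-dimensional point."""
    return tuple(binding_energy(Z, p) for p in probe_list)

if __name__ == "__main__":
    P = probes(M, 2)
    for X, label in zip(M, LABELS):
        print(label, ["%.3f" % c for c in to_shape_space(X, P)])
    print("new", ["%.3f" % c for c in to_shape_space([0, 0, 5, 42], P)])
```

For a training record $X_i$, the binding energy $X_i^T R_k / s_k$ equals the $i$-th component of the $k$-th left singular vector, so each shape-space coordinate has unit sum of squares over the training set and different coordinates are orthogonal.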