7.2.4 Immunity-Based Intrusion Detection Systems
Further work by Hofmeyr et al. (1998) on computer security led to host-based intrusion detection systems that build a database cataloging the normal behavior of a program over time in terms of the system calls it makes (short sequences of system calls, in their work). As this record builds up, the database can be checked for system call patterns that do not appear in normal behavior. Hofmeyr et al. argued that while simplistic, this approach is not computationally expensive and has the advantage of being platform and software independent.
Hofmeyr and Forrest (1999, 2000), Somayaji et al. (1998), and Warrender et al. (1999) conducted extensive research on an artificial immune system architecture called ARTIS, which addresses the problem of protecting a network of computers. This is achieved in a similar way, by monitoring network services, traffic, and user behavior and attempting to detect misuse or intrusion as departures from normal behavior. Each computer runs a broadcaster, which broadcasts the source and destination of every TCP SYN packet it sees to the other computers running LISYS (a version of ARTIS). A detection node on each computer processes the information from the broadcasters and e-mails the administrator when it detects a novel TCP connection. A detection node holds an array of detectors that, as a group, decide whether a packet is anomalous. Detectors are randomly generated, each one sensitive to a particular random source address, destination address, and port, as well as to near matches of that triple. If a newly generated detector sees a packet that matches its template, it is replaced by a new randomly generated detector. If a detector over a week old recognizes a packet, it sends a mail to the administrator for inspection. This weeklong "tolerization" period lets the system generate detectors at random and keep only those that have produced no false positives for a week. When the user receives an alarm from a detector and does nothing, the detector that flagged the connection as anomalous disappears and does not bother the user again. If the user chooses to confirm, or "costimulate," the anomaly, the detector that flagged it becomes a permanent part of the program's repertoire and alerts the user whenever this TCP connection is requested in the future (shown in Figure 7.4).
Balthrop et al. (2002) used a version of LISYS for monitoring network traffic. The system used a negative selection (NS) algorithm to mature 49-bit binary detectors, that is, strings representing the triplets that describe Transmission Control Protocol (TCP) connections, which were tested against (and discarded if they matched) connections collected during a training period. Matured detectors were then distributed to each host on a live network (see Figure 7.5). Diversity was created by each host reacting independently to its own self and nonself (normal and abnormal traffic). The matching function used was r-contiguous bits, and the detectors were improved through affinity maturation. It used a distributed detection strategy wherein each detection node has a different representation of the data: it filters incoming strings through a randomly generated permutation mask. This technique of having
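The following worked example pulls together the mechanisms described in the two preceding paragraphs: encoding a TCP SYN triple as a 49-bit string, r-contiguous matching under a per-node permutation mask, negative selection of detectors against training-period traffic, the weeklong tolerization of newly generated detectors, and costimulation of a detector that raised a confirmed alert. It is an added example written for this page, not code from LISYS, ARTIS, or any of the cited papers. The 49-bit layout (1 direction bit, 32-bit external IPv4 address, 16-bit port), the choice r = 8, and all addresses and ports in the demo are assumptions made here; the page does not specify them.

```python
"""LISYS-style negative-selection detection of TCP SYN connections.

Added example for this section, not code from LISYS, ARTIS or the cited
papers.  Assumed here (the page does not give these): the 49-bit layout
(1 direction bit + 32-bit external IPv4 address + 16-bit port), r = 8 for
r-contiguous matching, and all sample addresses, which are constructed.
"""
import ipaddress
import random
from dataclasses import dataclass
from typing import List, Optional

BITS = 49
TOLERIZATION_DAYS = 7   # the "weeklong tolerization period"


def encode(src: str, dst: str, port: int, local: str) -> str:
    """Compress a (source, destination, port) SYN triple seen by `local` into
    49 bits.  Assumed layout: direction bit (1 = inbound to the local host),
    32 bits of the external peer's IPv4 address, 16 bits of service port."""
    inbound = dst == local
    external = src if inbound else dst
    ip = int(ipaddress.IPv4Address(external))
    return f"{int(inbound):b}{ip:032b}{port & 0xFFFF:016b}"


def r_contiguous(a: str, b: str, r: int) -> bool:
    """r-contiguous match: a and b agree on r adjacent bit positions."""
    if len(a) != len(b):
        raise ValueError("strings must have equal length")
    return any(a[i:i + r] == b[i:i + r] for i in range(len(a) - r + 1))


@dataclass
class Detector:
    bits: str
    born: int                 # day the detector was generated
    state: str = "immature"   # immature -> mature -> memory
    last_alert: Optional[int] = None


class DetectionNode:
    """One host's detection node.  Its private permutation mask gives it a
    representation of every string that differs from other nodes', so a
    connection that slips past one node's detectors can be caught by another's."""

    def __init__(self, local_ip: str, r: int = 8, seed: int = 0):
        self.local_ip, self.r = local_ip, r
        self.rng = random.Random(seed)
        self.mask = list(range(BITS))
        self.rng.shuffle(self.mask)
        self.detectors: List[Detector] = []
        self.replaced = 0   # immature detectors discarded during tolerization

    def present(self, bits: str) -> str:
        """Apply this node's permutation mask to an incoming string."""
        return "".join(bits[i] for i in self.mask)

    def _random_detector(self, day: int) -> Detector:
        return Detector(f"{self.rng.getrandbits(BITS):0{BITS}b}", day)

    def negative_select(self, self_set: List[str], n: int, day: int = 0) -> None:
        """Offline maturation (Balthrop et al.): keep only random candidates
        that match none of the training-period self strings."""
        presented = [self.present(s) for s in self_set]
        kept = 0
        while kept < n:
            cand = self._random_detector(day)
            if not any(r_contiguous(cand.bits, s, self.r) for s in presented):
                cand.state = "mature"
                self.detectors.append(cand)
                kept += 1

    def add_immature(self, n: int, day: int) -> None:
        """Online generation: new detectors start their tolerization period."""
        self.detectors.extend(self._random_detector(day) for _ in range(n))

    def observe(self, bits: str, day: int) -> List[Detector]:
        """Run one broadcast SYN triple past every detector.  Immature detectors
        that match during tolerization are replaced (whatever the traffic was);
        mature and memory detectors that match raise an alert."""
        target = self.present(bits)
        alerts = []
        for i, d in enumerate(self.detectors):
            if d.state == "immature":
                if day - d.born >= TOLERIZATION_DAYS:
                    d.state = "mature"          # survived the week
                elif r_contiguous(d.bits, target, self.r):
                    self.detectors[i] = self._random_detector(day)
                    self.replaced += 1
                    continue
                else:
                    continue
            if r_contiguous(d.bits, target, self.r):
                d.last_alert = day
                alerts.append(d)
        return alerts

    def costimulate(self, d: Detector) -> None:
        """Administrator confirms the anomaly: the detector becomes memory."""
        d.state = "memory"

    def expire(self, day: int, grace: int = 1) -> None:
        """Mature detectors whose alert went unconfirmed for `grace` days
        disappear; memory detectors persist."""
        self.detectors = [d for d in self.detectors
                          if not (d.state == "mature" and d.last_alert is not None
                                  and day - d.last_alert >= grace)]


def demo() -> dict:
    local = "192.168.1.10"
    node = DetectionNode(local, seed=1)
    normal = [                                 # constructed training traffic
        ("192.168.1.10", "10.0.0.5", 22),      # outbound SSH to a jump host
        ("192.168.1.10", "10.0.0.7", 80),      # outbound HTTP to intranet web
        ("10.0.0.9", "192.168.1.10", 22),      # inbound SSH from the admin box
        ("10.0.0.5", "192.168.1.10", 443),     # inbound HTTPS health check
    ]
    self_set = [encode(s, d, p, local) for s, d, p in normal]
    node.negative_select(self_set, n=300, day=0)   # matured offline
    node.add_immature(50, day=0)                   # matured online instead
    for day in range(1, 8):                        # a week of normal replays
        for s in self_set:
            node.observe(s, day)
    out = {"replaced": node.replaced}
    out["self_alerts"] = sum(len(node.observe(s, 8)) for s in self_set)
    novel = encode("203.0.113.7", local, 3389, local)   # unseen peer, RDP port
    alerts = node.observe(novel, 8)
    out["novel_alerts"] = len(alerts)
    if alerts:
        node.costimulate(alerts[0])   # admin confirms one; the others lapse
    node.expire(day=9)
    out["memory"] = sum(d.state == "memory" for d in node.detectors)
    out["detectors_left"] = len(node.detectors)
    return out
```

Two properties of the design are visible in the code. Negative selection guarantees that a replay of any training-period connection never alerts, so false positives come only from traffic absent from the training period. The same tolerization that removes false-positive detectors also removes detectors that happen to match an attacker's connections if those occur during the week a detector is immature: `observe` replaces an immature detector on any match, benign or not, which is why the training period and the ongoing tolerization window must cover only traffic the operator is prepared to treat as self.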