different representations for each detection node is equivalent to multiple detector
shapes (hence changing the shape of the detectors), while keeping the “shape” of
the self-set constant.
7.2.5 Immune Agent Architecture
An immune agent architecture was introduced by Dasgupta (1999) where
immunity-based agents roamed in the machines (nodes or routers) and monitored
the situation in the network (i.e., looked for changes such as malfunctions, faults,
abnormalities, misuse, deviations, and intrusions). These agents could mutually
recognize each other's activities and took appropriate actions according to the
underlying security policies. Specifically, their activities were coordinated in a
hierarchical fashion while sensing, communicating, and generating responses. These
agents simultaneously monitored the networked computer's activities at different
levels (such as user level, system level, process level, and packet level) to make
robust decisions on intrusions or anomalies. Some agents used a B cell mechanism,
some used a T cell mechanism, and some had a limited life cycle (time-dependent
functionalities). Such an architecture appears to be flexible and extendible, where
an agent can learn and adapt to its environment dynamically and can detect both
known and unknown intrusions.
7.2.6 Immunogenetic Approaches in Intrusion Detection
Gonzalez (2002) proposed negative selection with detector rules (NSDR) to detect
attacks by monitoring network traffic. A real-valued representation was used for
evolving hyper-rectangular-shaped detectors, interpreted as “if-then rules,” for
high-level characterization of the self/nonself space (i.e., normal and abnormal
traffic). Experiments were performed using the 1999 Defense Advanced Research
Projects Agency (DARPA) intrusion detection evaluation dataset. This data represents
normal and abnormal information collected in a test network, in which simulated
attacks were performed. The immunogenetic approach was able to produce detectors
that gave a good estimation of the amount of deviation from the normal.
Further work extended the NSDR algorithm to use fuzzy detection rules; the
extended algorithm is called NSFDR. This improves the accuracy of the method and
produces a measure of deviation from the normal that does not need a discrete
division of the nonself space. It provides a better definition of the boundary
between normal and abnormal. The earlier approach used a discrete division of the
nonself space, whereas the new approach does not need such a division because the
fuzzy character of the rules provides a natural estimate of the amount of deviation
from the normal. It shows improved accuracy in anomaly detection.
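The negative selection step with hyper-rectangular detectors read as if-then rules can be sketched as follows. This is an added example, not Gonzalez's NSDR code: detectors are drawn at random and censored against self instead of being evolved, and the feature names, self samples, and parameters are constructed for illustration.

```python
import random

# Constructed self set: normal traffic as two features normalised to [0, 1].
FEATURES = ("pkts_per_sec", "bytes_per_pkt")  # hypothetical feature names
SELF = [(0.2 + 0.05 * i, 0.2 + 0.05 * j) for i in range(5) for j in range(5)]

def covers(det, x):
    """det is one (low, high) interval per feature; x matches if inside all."""
    return all(lo <= v <= hi for (lo, hi), v in zip(det, x))

def touches_self(det, self_set, radius):
    """Negative selection test: does the rectangle, grown by `radius` on
    every side, contain any self sample?"""
    grown = [(lo - radius, hi + radius) for lo, hi in det]
    return any(covers(grown, s) for s in self_set)

def generate_detectors(self_set, count, radius=0.05, max_side=0.3, seed=1,
                       max_tries=100_000):
    """Draw random rectangles and keep only those that match no self sample.
    (NSDR evolves its detectors; random draws stand in for that here.)"""
    rng = random.Random(seed)
    dim = len(self_set[0])
    kept = []
    for _ in range(max_tries):
        if len(kept) == count:
            break
        det = []
        for _ in range(dim):
            lo = rng.uniform(0.0, 0.95)
            det.append((lo, min(1.0, lo + rng.uniform(0.05, max_side))))
        if not touches_self(det, self_set, radius):
            kept.append(det)
    return kept

def is_anomalous(detectors, x):
    """A sample is nonself if any detector rule fires on it."""
    return any(covers(d, x) for d in detectors)

def as_rule(det, names=FEATURES):
    """Render a detector as the if-then rule it stands for."""
    conds = " and ".join(f"{lo:.2f} <= {n} <= {hi:.2f}"
                         for n, (lo, hi) in zip(names, det))
    return f"if {conds} then nonself"

if __name__ == "__main__":
    dets = generate_detectors(SELF, 500)
    print(as_rule(dets[0]))
    for sample in [(0.32, 0.31), (0.90, 0.90)]:
        print(sample, "anomalous" if is_anomalous(dets, sample) else "normal")
```

Because every kept rectangle stays at least `radius` away from each self sample on some axis, any point within `radius` of a self sample on all axes can never be flagged; this hard cutoff is the discrete boundary that the fuzzy rules of NSFDR replace with a graded measure of deviation.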
In another work, Kim and Bentley (2001) used three evolutionary stages: gene
library evolution, negative selection, and clonal selection with the goal of designing