effective network intrusion detection systems. Here, detectors (in the form of classifiers) are evolved using the clonal selection algorithm, wherein the evolving population of detectors is clustered into “niches,” which help to distinguish between self and nonself in network traffic data.
7.2.7 Danger Theory in Network Security
Aickelin et al. (2003) first proposed using the danger theory (DT) concept in intrusion detection. Their system behaves like dendritic cells (DCs), looking for danger signals such as sudden increases in network traffic or unusually high numbers of error messages. If these signals rise above a preset threshold, an alert is triggered. Subsequently, two algorithms were developed based on the DT: the dendritic cell algorithm (DCA; Greensmith et al., 2006) and the Toll-like Receptor algorithm (TLR; Twycross, 2007). These algorithms focus on different aspects of innate immunity to develop the AIS models; a brief description of each is provided in the following.
7.2.7.1 Dendritic Cell Algorithm
The DCA is an abstraction of DC functions, based on the premise that “suspects” in the form of antigen can be paired with “evidence” in the form of signals to identify potential sources of anomaly or intrusion. A general overview of the DCA is provided by Greensmith et al. (2006). The DCA is implemented using the libtissue framework to facilitate the creation and updating of cells and tissue attributes. A schematic diagram of the DCA is presented in Figure 7.6. The algorithm processes two input streams consisting of signals and antigens (the data to be correlated). In particular, the signal stream contains a specified number of input signals, which are prenormalized and categorized as pathogen-associated molecular pattern (PAMP), danger signal, safe signal, or inflammation. A storage facility for incoming signals and antigen is provided and forms the “tissue” for the DCs. The DCA can be described on two levels: first, at the level of an individual DC and second, at the level of the DC population. Similar to the biological immune system, DCs exist in one of three states: immature, semimature, or mature.
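The two-level description above, as an added Python sketch that is not code from the book or from the libtissue framework: a single DC accumulates the three output signals from each (antigen, signal) pairing and migrates once its costimulatory total crosses a threshold, and a small population scores each antigen by the fraction of its presentations made in a mature context. The weights, thresholds, the inflammation scaling and the sample event stream are constructed assumptions, not the published DCA parameters.

```python
"""Minimal DCA classifier; weights, thresholds and the event stream are constructed."""
from collections import defaultdict
# Constructed weights mapping (PAMP, danger, safe) to the three DC output
# signals; the safe signal suppresses the mature output, as in the DCA premise.
WEIGHTS = {"csm": (2.0, 1.0, 2.0), "semi": (0.0, 0.0, 1.0), "mature": (2.0, 1.0, -1.5)}

def output_signals(pamp, danger, safe, inflammation=0.0):
    """Weighted sums of the input categories; inflammation scales all outputs."""
    return {k: (w[0] * pamp + w[1] * danger + w[2] * safe) * (1.0 + inflammation)
            for k, w in WEIGHTS.items()}

class DendriticCell:
    """Individual-DC level: immature until cumulative CSM crosses the threshold."""
    def __init__(self, migration_threshold):
        self.threshold = migration_threshold
        self.reset()
    def reset(self):
        self.out = dict.fromkeys(WEIGHTS, 0.0)  # cumulative csm / semi / mature
        self.antigens = []  # 'suspects' sampled during this immature phase
    def sample(self, antigen, pamp, danger, safe, inflammation=0.0):
        """Pair one antigen with the current signals; present on migration."""
        for k, v in output_signals(pamp, danger, safe, inflammation).items():
            self.out[k] += v
        self.antigens.append(antigen)
        if self.out["csm"] < self.threshold:
            return []  # still immature: keep collecting evidence
        context = "mature" if self.out["mature"] > self.out["semi"] else "semimature"
        presented = [(a, context) for a in self.antigens]
        self.reset()
        return presented

def run_dca(stream, n_cells=1, migration_threshold=10.0):
    """Population level: round-robin sampling over n_cells DCs; stream yields
    (antigen, pamp, danger, safe). Returns {antigen: MCAV}, the fraction of its
    presentations made in a mature context."""
    cells = [DendriticCell(migration_threshold) for _ in range(n_cells)]
    counts = defaultdict(lambda: [0, 0])  # antigen -> [mature, total]
    for i, (antigen, pamp, danger, safe) in enumerate(stream):
        for a, ctx in cells[i % n_cells].sample(antigen, pamp, danger, safe):
            counts[a][1] += 1
            counts[a][0] += ctx == "mature"
    return {a: m / t for a, (m, t) in counts.items()}

def anomalous(mcav, threshold=0.5):
    """Antigens whose MCAV reaches the threshold are flagged as intrusions."""
    return {a for a, v in mcav.items() if v >= threshold}

# Constructed stream: flow-A is benign (safe signal high), flow-B raises PAMP/danger.
SAMPLE_STREAM = ([("flow-A", 0, 0, 2)] * 3 + [("flow-B", 2, 2, 0)] * 2
                 + [("flow-A", 0, 0, 2), ("flow-B", 2, 2, 0)])
```

Note that flow-A is presented once in a mature context because it was co-sampled with flow-B by the same cell, which is why the DCA aggregates over many presentations before deciding rather than trusting a single cell.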
7.2.7.2 TLR Algorithm
The algorithmic steps of the TLR algorithm (as described in Aickelin and Greensmith, 2007), which is primarily designed for anomaly detection in computer networks, are as follows:
1. Record the set of system calls (low-level instructions in computing) made in the training data.
2. Record the signal values experienced in the training data.