Research on Intrusion Detection Algorithms Based on Artificial Immune Principles
Abstract
An Artificial Immune System (AIS) is a computing system built on the functions, principles, and characteristics of the biological immune system and used to solve a variety of complex problems. Following artificial neural networks and evolutionary computation, AIS is a new field of intelligent computation and an active cross-disciplinary research area at the intersection of life science and computer science. The basic function of the biological immune system is to recognize self and non-self and to eliminate non-self. It provides immune recognition, immune response, immune memory, and immune tolerance, and it is a complex system that is self-adaptive, self-learning, self-organizing, parallel, and distributed.
     Studying the information processing mechanisms contained in the biological immune system, and building and designing effective intrusion detection models and algorithms from them, is of great importance for establishing new immune-based theories and methods of intrusion detection and for improving the current state of network security. Starting from the immune system's outstanding adaptive recognition capability, this thesis studies intrusion detection models based on biological immune principles and proposes an anomaly intrusion detection algorithm based on the artificial immune evolutionary network (ai-net). To address the insufficient interaction with users in current intrusion detection algorithms, the concept of an Early Warning Factor is introduced into the algorithm. Finally, a general framework for intrusion detection algorithms based on immune principles is discussed. The main contributions of the thesis are as follows:
     1. The principles of intrusion detection, biological immunity, artificial immunity, and clustering algorithms, and the relationships among them, are analyzed and discussed to prepare the ground for the proposed algorithm.
     2. An anomaly intrusion detection algorithm is proposed. The algorithm first compresses the network data with an improved dynamic ai-net algorithm, then applies hierarchical clustering to form "self" and "non-self" sets used for anomaly intrusion detection. Experimental results show that the algorithm overcomes ai-net's drawbacks of having many parameters and being sensitive to the problem, and that it has good detection performance.
     3. Existing intrusion detection methods focus mostly on performance and give little consideration to interaction with users. Taking the practical circumstances of intrusion detection into account, this thesis proposes the concept of an Early Warning Factor, which makes it easy for users to balance detection rate against false positive rate according to their own security policy. Building on the algorithm, a framework for intrusion detection algorithms based on immune principles is proposed, and each component of the framework is discussed.