On the appropriateness of negative selection for anomaly detection and network intrusion detection

The immune system is a complex system which protects humans and animals against diseases caused by foreign intruders such as viruses, bacteria and fungi. It appears that the recognition and protection mechanisms of the immune system can lead to novel concepts and techniques for detecting intrusions in computer networks, particularly in the area of anomaly detection. In this thesis, the principle of "negative selection" is explored as a paradigm for detecting intrusions in computer networks and for anomaly detection. Negative selection is a process of the immune system which destroys immature antibodies that are capable of recognizing self-antigens. Antibodies which survive the negative selection process are self-tolerant and are capable of recognizing almost any foreign substance. Roughly speaking, negative selection endows the immune system with the ability to distinguish between self and non-self. Abstracting the principle of negative selection, coding antigens as bit-strings (representing, for instance, network packets) or as real-valued n-dimensional points, and coding antibodies as binary detectors or as hyperspheres, one obtains an immune-inspired technique for the above-mentioned areas of application. One speaks of artificial immune systems when principles and processes of the immune system are abstracted and applied to solving problems. In this thesis, we explore the appropriateness of the artificial immune system negative selection for intrusion detection and anomaly detection problems. First, we describe the negative selection principle of the immune system, and then the negative selection principle of artificial immune systems. We then describe which network information is required to detect an intrusion. The results reveal that previous works which apply negative selection in this application area are not appropriate for real-world intrusion detection problems.
Moreover, we explore whether a different antibody-antigen representation, i.e. real-valued n-dimensional points as antigens and high-dimensional hyperspheres as antibodies, is appropriate for anomaly detection problems. The results obtained reveal that negative selection is not appropriate for anomaly detection problems, especially when compared to statistical anomaly detection methods. In summary, we must unfortunately state that negative selection is not appropriate for network intrusion detection and anomaly detection problems.
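The abstraction described above, worked through in both shape-spaces, as an added example that is not code from the thesis: bit-string antigens with binary detectors matched by the r-contiguous-bits rule, and real-valued antigens with hyperspherical detectors. The self sets, the string length l = 6 and threshold r = 3, the self radius, the variable-radius rule for the hyperspheres and the random seed are all constructed assumptions of this example. Because the binary detector candidates are enumerated exhaustively (only possible for such a tiny l), the non-self strings that remain undetected are genuine holes of the matching rule rather than an artefact of random sampling.

```python
"""Negative selection in the two shape-spaces named in the abstract: bit strings
matched with the r-contiguous-bits rule, and real-valued points covered by
hyperspherical detectors.  Added example, not code from the thesis; the self
sets, the parameters l = 6 and r = 3, the variable-radius rule for the
hyperspheres and the seed are constructed assumptions."""
import itertools
import math
import random
from typing import Iterable, List, Sequence, Set, Tuple


# --- Hamming shape-space: bit strings, r-contiguous-bits matching -----------

def r_contiguous_match(a: str, b: str, r: int) -> bool:
    """True if a and b agree in at least r adjacent positions."""
    run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        if run >= r:
            return True
    return False


def hamming_detectors(self_set: Iterable[str], length: int, r: int) -> List[str]:
    """Negative selection: a candidate that matches any self string is
    destroyed, every survivor becomes a detector.  Candidates are enumerated
    exhaustively here (feasible only for tiny lengths) so that the hole
    analysis below is exact; real implementations sample them at random."""
    self_list = list(self_set)
    detectors: List[str] = []
    for bits in itertools.product("01", repeat=length):
        cand = "".join(bits)
        if not any(r_contiguous_match(cand, s, r) for s in self_list):
            detectors.append(cand)
    return detectors


def is_nonself(sample: str, detectors: Sequence[str], r: int) -> bool:
    """A sample is classified non-self as soon as one detector matches it."""
    return any(r_contiguous_match(d, sample, r) for d in detectors)


def holes(self_set: Iterable[str], length: int, r: int) -> Set[str]:
    """Non-self strings that no valid detector can match.  Because the
    detector set is exhaustive, every undetected non-self string is a real
    hole of the matching rule, not a sampling artefact."""
    self_list = list(self_set)
    dets = hamming_detectors(self_list, length, r)
    return {cand for cand in ("".join(b) for b in itertools.product("01", repeat=length))
            if cand not in self_list and not is_nonself(cand, dets, r)}


# --- Real-valued shape-space: points in [0,1]^n, hyperspherical detectors ----

Point = Tuple[float, ...]
Sphere = Tuple[Point, float]  # (centre, radius)


def dist(p: Point, q: Point) -> float:
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(p, q)))


def hypersphere_detectors(self_points: Sequence[Point], dim: int, self_radius: float,
                          n_detectors: int, seed: int, max_tries: int = 10_000) -> List[Sphere]:
    """Real-valued negative selection with variable-sized detectors (the radius
    rule is an assumption of this example): a random centre that falls inside
    a self region is discarded; otherwise its radius is the distance to the
    nearest self region, so by construction no detector covers a self point."""
    rng = random.Random(seed)
    dets: List[Sphere] = []
    for _ in range(max_tries):
        if len(dets) == n_detectors:
            break
        centre = tuple(rng.random() for _ in range(dim))
        radius = min(dist(centre, s) for s in self_points) - self_radius
        if radius > 0:
            dets.append((centre, radius))
    return dets


def is_nonself_point(x: Point, dets: Sequence[Sphere]) -> bool:
    return any(dist(x, c) < radius for c, radius in dets)


# Constructed sample data.
SELF_STRINGS = ["011000", "111001"]                  # l = 6, matched with r = 3
SELF_POINTS = [(0.2, 0.2), (0.25, 0.3), (0.8, 0.8)]  # 2-D self set, self radius 0.1


def demo() -> Tuple[int, List[str], int]:
    dets = hamming_detectors(SELF_STRINGS, 6, 3)
    undetectable = sorted(holes(SELF_STRINGS, 6, 3))
    spheres = hypersphere_detectors(SELF_POINTS, 2, 0.1, 50, seed=7)
    return len(dets), undetectable, len(spheres)


if __name__ == "__main__":
    n_bin, undetectable, n_sph = demo()
    print(f"{n_bin} binary detectors; non-self strings no detector can reach: {undetectable}")
    print(f"{n_sph} hypersphere detectors, none covering a self point")
```

For the constructed self set the two self strings share the windows "110" and "100" at positions 1 and 2, so the two strings obtained by crossing them over at that overlap, "011001" and "111000", cannot be matched by any detector that survives negative selection: every one of their 3-bit windows is also a window of a self string at the same position, so any detector agreeing with them there would have been destroyed. These are the holes; the 36 surviving detectors catch the other 60 non-self strings and, by construction, never fire on self. The real-valued variant has the mirror-image guarantee (no detector covers a self point) but offers no statement at all about how much of the non-self space the 50 spheres cover, which is exactly the coverage question that separates the technique from the statistical methods the thesis compares it against.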
