Enhancing host based intrusion detection systems with danger theory of artificial immune systems

Rather than discriminating activity only by whether it belongs to self or non-self, danger theory extends the discrimination to cover non-self but harmless activity and self but harmful activity: the system responds not to foreignness (non-self) alone but to danger signals. In this dissertation, three methods for host-based anomaly intrusion detection that use traces of system calls were implemented and investigated, and one of them (the lookahead-pairs based IDS) was then enhanced by incorporating danger theory mechanisms into its original design.

The research consisted of two stages. In the first stage, three intrusion detection systems (IDSs) were implemented, based on the sequence profile method, the lookahead-pairs method, and the overlap-relationship method. None of the three could detect the system-call denial-of-service attack, and the lookahead-pairs method had the smallest storage requirements. In the second stage, the lookahead-pairs based IDS was enhanced with danger theory functionality. The original lookahead-pairs IDS can only detect intrusions that produce mismatches against its profile of normal behaviour. In addition to detecting mismatches, the enhanced system considers danger signals derived from high CPU and memory usage while in detection mode; the parameters that define these danger signals can easily be modified or extended. The lookahead-pairs IDS enhanced with danger theory achieved a better detection rate, false positive rate and false negative rate than the original. Both systems finished their detection stage in less than one second. Furthermore, when the lookahead-pairs IDS is enhanced only with the iDC functionality, it incurs no significant additional storage cost; if the B cell functionality is also added, the storage cost doubles.

The systems were tested against the datasets from the University of New Mexico, specifically the traces of the "login" and "ps" applications. In addition, different test cases were created to exercise the functionality of the modified system. The implemented systems were validated and verified, and passed these tests.
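The following is an added example, not code from the dissertation. It builds a lookahead-pairs profile in the formulation of Forrest et al.'s "A sense of self for Unix processes" (for each system call and each lookahead distance d in 1..k, the set of calls seen d positions later in normal traces), scores a trace by the fraction of pairs missing from the profile, and then adds CPU and memory danger signals in the spirit of the enhanced IDS described above. The sample traces, the OR-combination rule and the thresholds are constructed assumptions; the dissertation's exact signal combination is not given on this page. The example shows why a system-call denial-of-service trace, made entirely of legitimate pairs, scores zero mismatches yet is flagged once a danger signal is consulted.

```python
from collections import defaultdict

# Constructed sample traces (syscall names per process run); these are NOT the
# University of New Mexico "login"/"ps" datasets, just small traces built to
# exercise the detector. Think of a program that opens, reads and closes files.
NORMAL_TRACES = [
    ["open", "read", "close", "open", "read", "close", "open", "read", "close", "exit"],
    ["open", "read", "mmap", "close", "exit"],
]

# A trace with a foreign syscall in a foreign position (a hijacked read loop
# that ends in execve): the classic mismatch-detectable behaviour.
EXPLOIT_TRACE = ["open", "read", "read", "execve"]

# A system-call denial-of-service: every pair is legitimate, the process just
# never stops issuing them. A mismatch-only detector sees nothing wrong here.
DOS_TRACE = ["open", "read", "close"] * 50


class LookaheadPairsDetector:
    """Lookahead-pairs profile (formulation assumed from Forrest et al.):
    for every syscall and every distance d in 1..k, remember the set of
    syscalls observed d positions later in the normal traces."""

    def __init__(self, k=3):
        self.k = k
        self.pairs = defaultdict(set)  # (call, d) -> set of follower calls

    def train(self, traces):
        for trace in traces:
            for i, call in enumerate(trace):
                for d in range(1, self.k + 1):
                    if i + d < len(trace):
                        self.pairs[(call, d)].add(trace[i + d])

    def storage_size(self):
        """Number of stored (call, d, follower) triples: the profile's size."""
        return sum(len(followers) for followers in self.pairs.values())

    def mismatches(self, trace):
        """Return (mismatching pairs, total pairs examined) for a trace."""
        miss = total = 0
        for i, call in enumerate(trace):
            for d in range(1, self.k + 1):
                if i + d < len(trace):
                    total += 1
                    if trace[i + d] not in self.pairs.get((call, d), ()):
                        miss += 1
        return miss, total

    def mismatch_rate(self, trace):
        miss, total = self.mismatches(trace)
        return miss / total if total else 0.0


def classify(detector, trace, cpu_util, mem_util,
             mismatch_thresh=0.1, cpu_thresh=0.9, mem_thresh=0.9):
    """Combine the mismatch signal with danger signals.

    cpu_util / mem_util are the monitored process's utilisation in [0, 1],
    sampled by whatever collector the deployment uses (passed in directly here
    so the example runs offline). The OR-combination and the thresholds are
    this example's assumption, not the dissertation's rule; the point is that
    a danger signal can raise an alarm even when every syscall pair is 'self'.
    """
    rate = detector.mismatch_rate(trace)
    mismatch_alarm = rate > mismatch_thresh
    danger_signal = cpu_util > cpu_thresh or mem_util > mem_thresh
    return {
        "mismatch_rate": rate,
        "original_ids": mismatch_alarm,                     # lookahead pairs only
        "danger_enhanced_ids": mismatch_alarm or danger_signal,
    }


def build_detector():
    det = LookaheadPairsDetector(k=3)
    det.train(NORMAL_TRACES)
    return det


if __name__ == "__main__":
    det = build_detector()
    print("profile size:", det.storage_size())
    print("exploit:", classify(det, EXPLOIT_TRACE, cpu_util=0.2, mem_util=0.1))
    print("syscall DoS:", classify(det, DOS_TRACE, cpu_util=0.99, mem_util=0.3))
```

With k=3 the two normal traces yield a 19-entry profile. The exploit trace misses on 5 of its 6 pairs and is caught by both detectors; the DoS trace has 444 pairs and zero mismatches, so only the danger-enhanced verdict flags it, and only when the CPU or memory reading is actually high. A real deployment would replace the passed-in utilisation values with readings taken while the process runs, which is what "danger signals while in detection mode" means above.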