A hybrid artificial immune system and Self Organising Map for network intrusion detection

Network intrusion detection is the problem of detecting unauthorised use of, or access to, computer systems over a network. Two broad approaches exist to tackle this problem: anomaly detection and misuse detection. An anomaly detection system is trained only on examples of normal connections, and thus has the potential to detect novel attacks. However, many anomaly detection systems simply report the anomalous activity, rather than analysing it further in order to report higher-level information that is of more use to a security officer. On the other hand, misuse detection systems recognise known attack patterns, thereby allowing them to provide more detailed information about an intrusion. However, such systems cannot detect novel attacks. A hybrid system is presented in this paper with the aim of combining the advantages of both approaches. Specifically, anomalous network connections are initially detected using an artificial immune system. Connections that are flagged as anomalous are then categorised using a Kohonen Self Organising Map, allowing higher-level information, in the form of cluster membership, to be extracted. Experimental results on the KDD 1999 Cup dataset show a low false positive rate and a detection and classification rate for Denial-of-Service and User-to-Root attacks that is higher than those in a sample of other works.
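The two-stage flow described in the abstract, as an added example that is not the paper's code: a negative-selection detector set trained only on normal traffic, followed by a small Kohonen map that assigns flagged connections to clusters. The real-valued detectors with a fixed matching radius, the two-node 1-D map, the two scaled features and all sample data are assumptions constructed for illustration.

```python
import math, random

RADIUS = 0.1  # assumed detector matching radius (not taken from the paper)

def train_detectors(self_set, n_candidates, rng):
    """Negative selection: keep random detectors that match no 'self' sample."""
    kept = []
    for _ in range(n_candidates):
        d = (rng.random(), rng.random())
        if all(math.dist(d, s) > RADIUS for s in self_set):
            kept.append(d)
    return kept

def is_anomalous(x, detectors):
    """A connection is non-self if any surviving detector covers it."""
    return any(math.dist(x, d) <= RADIUS for d in detectors)

def bmu(x, weights):
    """Index of the best-matching SOM node, used as cluster membership."""
    return min(range(len(weights)), key=lambda i: math.dist(x, weights[i]))

def train_som(data, k=2, epochs=30, sigma=0.5):
    """1-D Kohonen map; nodes are seeded from evenly spaced training samples."""
    w = [list(data[i * (len(data) - 1) // (k - 1)]) for i in range(k)]
    for e in range(epochs):
        lr = 0.5 * (1 - e / epochs)  # linearly decaying learning rate
        for x in data:
            b = bmu(x, w)
            for i in range(k):
                h = math.exp(-((i - b) ** 2) / (2 * sigma ** 2))  # neighbourhood
                w[i] = [wi + lr * h * (xi - wi) for wi, xi in zip(w[i], x)]
    return w

# Constructed data: two scaled features per connection, values in [0, 1].
rng = random.Random(7)
NORMAL = [(0.2 + 0.2 * rng.random(), 0.2 + 0.2 * rng.random()) for _ in range(50)]
GROUP_A = [(0.88, 0.12), (0.90, 0.10), (0.92, 0.14)]  # constructed anomaly family A
GROUP_B = [(0.10, 0.90), (0.12, 0.88), (0.14, 0.92)]  # constructed anomaly family B

DETECTORS = train_detectors(NORMAL, 600, rng)  # stage 1 sees normal traffic only
FLAGGED = [x for x in NORMAL + GROUP_A + GROUP_B if is_anomalous(x, DETECTORS)]
SOM = train_som(FLAGGED)                       # stage 2 sees flagged traffic only

def classify(x):
    """None for traffic no detector covers, otherwise the SOM cluster index."""
    return bmu(x, SOM) if is_anomalous(x, DETECTORS) else None
```

Because every detector is censored against the training set, none of the training connections can be flagged; false positives can only come from normal traffic that was not represented during training.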
