Immune model for anomaly detection


One of the scientific tasks of the project is the investigation of a biological approach to intrusion detection, represented by the human immune system, and the development of a new analysis technique that incorporates its most beneficial principles. Using immune models as the basis for a new anomaly detection technique is justified by the similarity between the functions of biological and network defense systems, both of which protect against dangerous foreign intrusions, and by properties of the human immune system such as fault tolerance, adaptability and efficiency that a network security system also requires.

The proposed immune framework for anomaly detection on normalized security events adopts the key mechanisms of the human immune system, including immune memory and the immune response. The human immune system implements both approaches currently used in intrusion detection: anomaly detection (the primary immune response to a previously unseen antigen) and misuse detection (the secondary immune response to an antigen already held in immune memory). Combining them minimizes failures caused by unknown attacks and reduces the likelihood of false alarms, so that the deficiencies of one approach are compensated by the other and the reliability of defense is enhanced.

The new anomaly detection technique requires new pattern building and matching algorithms, and also an anomaly classification procedure. The algorithms must provide a precise and compact description of the normal space, be robust to noise in the training data, and adapt to natural changes in normal behaviour. The aim of the anomaly classification procedure is to simplify the investigation of detected security incidents and to reduce the false positive rate. It is modelled on gene library evolution in the human immune system, through which experience with encountered antigens accumulates over generations. During classification, detected anomalies are processed to derive their common features, which are memorized as misuse detectors describing the various security incidents. In contrast to other artificial immune system studies, where detectors are generated from the complement of the normal space, this immune framework uses only abnormal events that actually occurred. Because IT infrastructures change over time, the analysis system must be periodically updated against current normal behaviour; otherwise legitimate changes would be flagged as attacks, the analogue of an autoimmune reaction.
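The following is an added illustration of the workflow described above, written for this page and not code from the project itself. It assumes a four-field event schema, a frequency threshold as the "compact description of the normal space", set inclusion as the pattern matching rule, and constructed sample events; all of these are assumptions, not details taken from the project. It shows the primary response (anomaly detection), the formation of memory detectors from common features of real anomalies (misuse detection as the secondary response), and the periodic update that stops a new legitimate service from being flagged indefinitely.

```python
"""Toy immune-style analyzer over normalized security events.

Added example, not the project's own code: the event schema, the matching rule
and the thresholds are assumptions made for illustration.
"""
from collections import Counter
from itertools import combinations

FIELDS = ("proto", "dst_port", "action", "user")  # assumed event schema


def event_items(event):
    """Represent a normalized event as a set of (field, value) pairs."""
    return frozenset((f, event[f]) for f in FIELDS)


def build_normal_profile(events, min_count=2):
    """Compact description of the normal space: every (field, value) pair seen
    at least min_count times. Rarer pairs are treated as noise in training."""
    counts = Counter(item for e in events for item in event_items(e))
    return frozenset(item for item, n in counts.items() if n >= min_count)


def primary_response(event, profile):
    """Anomaly detection (primary response): the event's (field, value) pairs
    that lie outside the normal space. Empty means the event looks normal."""
    return event_items(event) - profile


def derive_memory_detectors(anomalies, profile, min_support=2):
    """Anomaly classification: features shared by several real anomalies are
    memorized as misuse detectors. Only abnormal events that actually occurred
    are used, never the complement of the normal space."""
    foreign = [event_items(a) - profile for a in anomalies]
    candidates = {a & b for a, b in combinations(foreign, 2)} - {frozenset()}
    return frozenset(c for c in candidates
                     if sum(1 for f in foreign if c <= f) >= min_support)


def secondary_response(event, detectors):
    """Misuse detection (secondary response): memory detectors this event hits."""
    items = event_items(event)
    return frozenset(d for d in detectors if d <= items)


class ImmuneAnalyzer:
    def __init__(self, training_events, min_count=2):
        self.min_count = min_count
        self.profile = build_normal_profile(training_events, min_count)
        self.anomalies = []
        self.detectors = frozenset()

    def analyze(self, event):
        """Fast path first: a hit on a memory detector is a known incident.
        Otherwise fall back to anomaly detection and learn from the result."""
        hit = secondary_response(event, self.detectors)
        if hit:
            return "known", hit
        foreign = primary_response(event, self.profile)
        if not foreign:
            return "normal", frozenset()
        self.anomalies.append(event)
        self.detectors = derive_memory_detectors(self.anomalies, self.profile)
        return "anomaly", foreign

    def actualize(self, recent_normal_events):
        """Periodic re-training on recent legitimate events so that natural
        changes in normal behaviour stop raising alarms (autoimmune reactions).
        Anomalies now inside the normal space are forgotten before detectors
        are rebuilt."""
        self.profile |= build_normal_profile(recent_normal_events, self.min_count)
        self.anomalies = [a for a in self.anomalies
                          if primary_response(a, self.profile)]
        self.detectors = derive_memory_detectors(self.anomalies, self.profile)


def ev(proto, dst_port, action, user):
    return {"proto": proto, "dst_port": dst_port, "action": action, "user": user}


# Constructed sample data, not real logs.
TRAINING = ([ev("tcp", 443, "allow", "alice")] * 3
            + [ev("tcp", 80, "allow", "bob")] * 2
            + [ev("udp", 53, "allow", "bob")] * 2
            + [ev("tcp", 8080, "allow", "alice")])        # single noisy event


def demo():
    """Returns the verdict for each step of the walk-through."""
    az = ImmuneAnalyzer(TRAINING)
    verdicts = []
    verdicts.append(az.analyze(ev("tcp", 4444, "allow", "alice"))[0])    # anomaly
    verdicts.append(az.analyze(ev("tcp", 4444, "deny", "bob"))[0])       # anomaly
    # Two anomalies share dst_port 4444 -> memorized as a misuse detector.
    verdicts.append(az.analyze(ev("tcp", 4444, "allow", "mallory"))[0])  # known
    # A new legitimate service appears: flagged until the profile is updated.
    new_svc = ev("tcp", 8443, "allow", "alice")
    verdicts.append(az.analyze(new_svc)[0])                              # anomaly
    az.actualize([new_svc] * 2)
    verdicts.append(az.analyze(new_svc)[0])                              # normal
    return verdicts


if __name__ == "__main__":
    print(demo())
```

The single port-8080 event in the training set is dropped by the frequency threshold, which is the noise robustness the text asks for; the third port-4444 event is answered by the memory detector without ever reaching the anomaly detector, which is the fast secondary response; and the port-8443 service is an alarm only until `actualize` is run on recent legitimate traffic.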

Last Updated on Saturday, 22 August 2009 18:42  
