CN114117420A - Intrusion detection system of distributed multi-host network based on artificial immunology - Google Patents


Info

Publication number: CN114117420A
Application number: CN202111409425.4A
Authority: CN (China)
Prior art keywords: detector, attack, matching, network, algorithm
Legal status: Granted
Other languages: Chinese (zh)
Other versions: CN114117420B (en)
Inventors: 彭海朋, 黄京泽, 李丽香, 毕经国, 李思睿, 陈冠华, 王德宇, 孟昊天
Current assignee: Beijing University of Posts and Telecommunications
Original assignee: Beijing University of Posts and Telecommunications
Application filed by Beijing University of Posts and Telecommunications
Priority to CN202111409425.4A (granted as CN114117420B)
Publication of CN114117420A
Application granted
Publication of CN114117420B
Current legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic


Abstract

The invention discloses an intrusion detection system for a distributed multi-host network based on artificial immunology. A hash algorithm is used to decide whether a captured attack is already known, which reduces the matching overhead of specific immunity; by sharing information among multiple hosts, the network as a whole can ultimately recognise more attacks; meanwhile, a large number of random detectors with better randomness is generated more efficiently by using the Logistic map of chaos theory and put into training; finally, a clonal selection algorithm combined with a genetic algorithm strengthens crossover on top of mutation, iteratively clones the detectors with better matching and higher affinity under improved convergence, generates them preferentially, and converges the population towards a global optimum, giving rapid self-adaptive discovery of intrusion attacks. Compared with other traditional intrusion detection systems, the system has higher robustness and adaptability, and a lower miss rate and error rate in attack detection.

Description

Intrusion detection system of distributed multi-host network based on artificial immunology
Technical Field
The invention relates to the technical field of network security, in particular to an intrusion detection system of a distributed multi-host network based on artificial immunology.
Background
With the rapid development of information technology, people rely more and more on the internet to conduct daily business, which brings countless new challenges for network defence and makes the network security problem increasingly prominent.
Traditional methods for resisting network attacks mainly target static attacks and novel attack threats, analysing and evaluating the security risks of those attacks, and they lack self-adaptive capability. Intrusion attacks are now a real threat at every moment, and a network security defence technology that does not account for them clearly has serious defects and cannot guarantee accuracy. Detecting intrusion attack threats has therefore become an important issue for network security.
The complexity and diversity of cyber attacks make traditional IT defences (e.g. antivirus software or intrusion prevention systems) almost obsolete. Furthermore, as attackers continue to discover and exploit vulnerabilities in systems, even traditional strategies that establish multiple layers of defence become increasingly ineffective. An attacker can deliberately disrupt a computer's network access or compromise the computer through a network attack. At the same time, the cost of mounting an attack keeps falling, and combining a few simple, isolated attack types can produce new, complex malicious attacks with potentially damaging effects.
Drawing on biology, immune algorithms based on the biological immune system have emerged. A network security protection system bears a striking similarity to the human immune system: both are meant to protect a body from external attack in a complex external environment, and the immune system inherently possesses the ability to recognise and inactivate unknown viruses.
In chaotic dynamics, the simplest nonlinear dynamical model is the Logistic map, an ecological model with the expression x(t+1) = μ·x(t)·(1 − x(t)). When μ takes a value in a certain range, the orbit has no periodicity: every point of the trajectory takes a random value and follows no law, so cutting a section of any length out of the trajectory is equivalent to taking a batch of randomly distributed digital sequences within a certain range. When the state parameter takes values in that interval the whole system is in a chaotic state, and random numbers can be generated.
The negative selection algorithm, also called the negative selection method, was proposed by Forrest in 1994; it is widely applied in artificial immune systems (AIS) and is one of the core algorithms of AIS. Negative selection is a selection-by-elimination algorithm, as opposed to positive selection. In humans, nascent T cells in the thymus are exposed to self proteins, which are components of the host or essential for survival; if an immature T cell reacts to these proteins it is destroyed before maturation. On this premise, the remaining T cells, those that do not respond to essential components of the body, pass through the process without being destroyed, so mature T cells have the property of being tolerant to self. The algorithm forms mature detectors for distinguishing self from non-self cells through continuous training of tolerant cells.
The genetic algorithm was first proposed in 1975 by Professor J. Holland of the University of Michigan in his monograph "Adaptation in Natural and Artificial Systems", and originated in the study of natural and artificial adaptive systems in the 1960s. It is a randomised search algorithm that takes natural selection and the natural genetic mechanism in biology as its reference. The genetic algorithm simulates reproduction, crossover and gene mutation in the processes of natural selection and natural heredity: a group of candidate solutions is kept in each iteration, better individuals are selected from the solution group according to a certain index, the individuals are combined by genetic operators (selection, crossover and mutation) to produce a new generation of candidate solutions, and the process is repeated until a certain convergence criterion is met.
The clonal selection algorithm was proposed by de Castro and Von Zuben in 2000 on the basis of the clonal selection theory of the immune system, and is also one of the core algorithms of AIS. In clonal selection theory, the best individuals of an initial population are selected according to an evaluated fitness value; the selected individuals are cloned and mutated, and the best of the mutated individuals are selected and added to the original population. A part of the population is then replaced at random, the next generation is entered, and the iteration repeats until the constraint condition is met. The idea is that only cells that recognise the antigen are selected for proliferation, while those that do not recognise the antigen are not selected.
In existing schemes, the traditional bit-matching mode is still used for known attacks, so the cost is high. The immature detectors of the conventional negative selection algorithm are generated from random numbers, and the random numbers generated by a computer come from a seed (usually the clock) through a deterministic function (usually a linear congruence), so when a large number of random numbers is generated in a short time, or the random numbers are long, the randomness is poor. The traditional clonal selection algorithm is mainly based on mutation and tends to focus on local optima, so convergence is too slow and the global optimum is often not found. The traditional immune network model is based on a simple network, and the miss rate and error rate of attack detection in such a network are high. There is therefore a need for an intrusion detection scheme that addresses these shortcomings together.
Disclosure of Invention
Aiming at these problems, the invention provides an intrusion detection system for a distributed multi-host network based on artificial immunology. It stores known attacks with a hash algorithm for quick discrimination; it uses the initial-value sensitivity of chaos theory to solve the problem of poor randomness; and, by combining the immune algorithm with the clonal selection algorithm, it borrows the genetic algorithm's idea of making crossover the main operator during iteration so as to strengthen the global search. At the same time, a multi-host, multi-node network deployment mode greatly reduces the miss rate of attack detection and improves detection performance.
In order to achieve the above purpose, the invention provides the following technical scheme:
A distributed multi-host network intrusion detection system based on artificial immunology uses a distributed multi-host network in which the hosts are independent of each other, each host contains a plurality of nodes, and each node contains detectors. When a host in the network captures information from the network, the information is processed, its hash value is computed and compared with the known attack library; if the comparison succeeds, the information is intercepted, otherwise the specific immune process is entered. In the specific immune process, a negative selection algorithm first performs tolerance training of immature detectors, then the mature detectors undergo clonal selection and antibodies with higher antigen affinity are added; finally it is judged whether the information is an attack, and if so it is intercepted and the known attack library is updated, otherwise the information is loaded.
Further, the captured information is processed as follows. The currently common attack modes are collected, and training uses the training set in the network intrusion detection data package KDDCup_data_10percent of the open-source KDDCup99 dataset, where each record contains 41 features plus an identifier. Features are first extracted: five features of each record are selected, the 2nd, 3rd, 4th, 23rd and 42nd, where the 2nd feature is the protocol flag, the 3rd is the network service type, the 4th is the network connection state, the 23rd is the number of connections to the same host as the current connection, and the 42nd is the attack type label. Punctuation marks are removed by discretisation, letters are converted to ASCII codes and normalised so that the values are mapped into the range [0,1], and a two-dimensional matrix is then generated and stored sequentially.
Further, the known attacks are stored as follows: a hash function computes the hash value of each processed known attack, and the hash value is stored in the known attack library.
Further, if two different pieces of information produce the same hash value, they are both considered attacks.
Further, the immature detector is generated as follows: a random number x is generated from the computer's time seed according to a timestamp; using the Logistic map of chaos theory, x(t+1) = μ·x(t)·(1 − x(t)), with μ within a certain range, a section of any length is taken from the trajectory, a random number string is generated by taking values in that section with the state parameter, sub-strings are then formed according to a unified format, and finally the sub-strings are grouped to form the immature detector.
Further, the algorithmic process of tolerance training of the immature detector with the negative selection algorithm is: first, define the self (autologous cell) set; put in a certain number of detectors to be matched against the self cells; when a detector matches a self cell, it is automatically destroyed; meanwhile, the chaotic system generates random sequences to supply new detectors; detectors that do not match any self cell over a period of time become mature detectors and are added to the set.
Furthermore, the matching of detectors against self cells combines all-bit matching, contiguous r-bit matching and Hamming matching.
Further, the matching of detectors against self cells uses an index mode: r contiguous bits are matched starting from a given bit as the first bit.
Further, the clonal selection algorithm proceeds as follows: first, a series of mature detectors is generated by the negative selection algorithm; the detectors are matched against the antigen and the affinity of the match is calculated; if the degree of match with the antigen does not reach the convergence criterion, clonal selection is carried out, comprising cloning, mutation and crossover; after clonal selection the next generation of the population is entered, and matching and affinity calculation against the antigen are performed again; when the affinity match reaches the expected convergence condition, the current result set is output and the algorithm ends.
Further, the information finally judged as the attack is transmitted to other hosts.
Compared with the prior art, the invention has the beneficial effects that:
1. The intrusion detection system of the distributed multi-host network based on artificial immunology combines the non-specific and specific immunity of the human body: it judges whether an attack is known from the hash value of the attack data and directly intercepts known attacks with non-specific immunity (the "skin").
2. When random immature detectors are generated in the negative selection part, the Logistic map of chaos theory is used to generate the random values, which have stronger randomness than random numbers generated from an ordinary timestamp; at the same time, thanks to initial-value sensitivity, a large number of random numbers can be generated in a short time while guaranteeing good performance. In the matching mode, an index-based method is used, which reduces the overhead of matching.
3. The advantages of the clonal selection algorithm and the genetic algorithm are combined. Both are iterative algorithms that simulate an organism's own system or an evolving ecological system, and both are group search strategies that emphasise information exchange among the individuals of a group. An operator of the genetic algorithm can be borrowed as the iterative operator of the clonal selection algorithm, giving the clonal algorithm better convergence, a stronger emphasis on global optimality and less risk of falling into a local optimum.
4. The antibodies produced by specific immunity, together with the identification of the target antigen, are stored as hash values, and the information is transmitted to the other hosts of the distributed network for non-specific immune interception when they encounter the same attack. The network uses a multi-host, multi-node mode: when any host detects and confirms an attack, the other hosts in the network obtain the information about it, and when the detector of any node in a host judges that the information is an attack, the information is treated as an attack, which reduces the miss rate of the network system model in attack detection.
Drawings
To illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings needed for the embodiments are briefly described below. It is obvious that the drawings in the following description are only some of the embodiments described in the present invention, and those skilled in the art can obtain other drawings from them.
Fig. 1 is a flowchart of the distributed multi-host network intrusion detection system based on artificial immunity according to an embodiment of the present invention.
Fig. 2 is a diagram of the network environment according to an embodiment of the present invention.
Fig. 3 is a flowchart of the captured data processing method according to an embodiment of the present invention.
Fig. 4 is a flowchart of generating immature detectors by chaos theory according to an embodiment of the present invention.
Fig. 5 is a flowchart of the negative selection algorithm according to an embodiment of the present invention.
Fig. 6 is a schematic diagram of the self (autologous cell) set and the detector set according to an embodiment of the present invention.
Fig. 7 is a flowchart of the clonal selection algorithm according to an embodiment of the present invention.
Fig. 8 is a schematic diagram of the cloning, crossover and mutation processes according to an embodiment of the present invention.
Detailed Description
For a better understanding of the present solution, the method of the present invention is described in detail below with reference to the accompanying drawings.
The overall process of the distributed multi-host network intrusion detection system based on artificial immunity is shown in Fig. 1. The system first configures the environment: the network is a distributed multi-host network, the hosts are independent of each other, each host contains a plurality of nodes, and detectors exist in the nodes. When a host in the network captures information from the network, the information is processed and its hash value is compared with the known attack library; if the comparison succeeds the information is intercepted, otherwise the specific immune process is entered. Specific immunity first uses a negative selection algorithm to perform tolerance training of detectors, then performs clonal selection on the mature detectors and adds antibodies with higher antigen affinity; finally it judges whether the information is an attack, intercepts it and updates the known attack library if so, and loads the information if not. This scheme is described in detail below.
A. Configuring an environment
Step one: configure the network environment and build the hosts in the network. As shown in Fig. 2, there are r hosts in the current network, each host has r nodes, and there are multiple detectors in each node.
Step two: handling of known attacks. The currently common attack modes are collected, and training uses the training set in the network intrusion detection data package KDDCup_data_10percent of the open-source KDDCup99 dataset, where each record contains 41 features plus an identifier. Features are first extracted: five features are selected, the 2nd, 3rd, 4th, 23rd and 42nd, where feature 2 is the protocol flag, feature 3 is the network service type, feature 4 is the network connection state, feature 23 is the number of connections to the same host as the current connection, and feature 42 is the attack type label. After punctuation marks are removed by discretisation, letters are converted to ASCII codes and normalised so that the values are mapped into the range [0,1], and a two-dimensional matrix is then generated and stored sequentially. The general steps are shown in Fig. 3.
Step three: store the known attacks. A hash function computes the hash value of each processed known attack, and the hash value is stored in the known attack library. The system takes the measure that if two different pieces of information produce the same hash value, that is, a hash collision, the information is preferentially treated as an attack, which lowers the miss rate of attack identification.
B. Non-specific immune process
Step one: process the captured network data. The system tests with the test set in the network intrusion detection data package KDDCup_data_10percent of the open-source KDDCup99 dataset; after feature extraction and normalisation, the processing steps are the same as for the known attacks.
Step two: perform the hash calculation on the generated two-dimensional matrix data and compare the resulting hash value with the stored known attacks. If the comparison succeeds, the data is an attack and is intercepted; otherwise the next step is entered.
C. Specific immune process
Step one: as shown in Fig. 4, a random number x is first generated from the computer's time seed according to a timestamp. When μ is within a certain range, the Logistic map has no periodicity: all points of the trajectory take random values and follow no rule, so taking a section of any length out of the trajectory is equivalent to taking a batch of randomly distributed digital sequences within a certain range. When values are taken in that interval with the state parameter, the whole system is in a chaotic state, so random number strings can be generated rapidly and in batches within a short time; sub-strings are then formed according to a unified format, and finally the sub-strings are grouped to form immature detectors.
Step two: the immature detectors are tolerised with a negative selection algorithm that follows the mechanism of the human immune system. First an immature detector set is generated (the T cells that have not yet been tolerised at training time) together with a self set (the autologous cell proteins). Each detector in the detector set is matched against the data of the self set; if it matches, the detector is destroyed, and if it does not match, it is added to the mature detector set. When the number of detectors is insufficient, new immature detectors are added to the immature detector set. The detailed steps are shown in Fig. 5.
Firstly, define the self (autologous cell) set;
secondly, put in a certain number of detectors to be matched against the self cells;
thirdly, when a detector matches a self cell, the detector is automatically destroyed;
fourthly, at the same time, the chaotic system generates random sequences to supply new detectors;
fifthly, after a tolerance period, detectors that have not matched any self cell become mature detectors and are added to the set.
In the matching process, a new matching algorithm is designed by combining all-bit matching, contiguous r-bit matching and Hamming matching. An index mode is used: r contiguous bits starting from a given bit as the first bit are matched, which reduces the computational overhead. For example, if the self sequence is 001010 and the detector is (001, 1), meaning that the index starts at bit 1, the length is 3 and the content is 001, the detector matches exactly the first three bits of the self sequence and therefore has to be destroyed. Fig. 6 shows the detector sequences on the mature detector set side when the self cell set is 01011, 01010, 01101.
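The following Python, added here as an example and not taken from the patent, combines step one (Logistic-map generation of immature detectors) and step two (negative selection with index-based contiguous r-bit matching), using the (content, start) detector format and the self set 01011, 01010, 01101 from the text. Assumptions: μ = 3.99 as a value inside the chaotic range, bits are obtained by thresholding x at 0.5 after discarding 100 transient iterations, and the seed argument stands in for the timestamp seed.

```python
"""Specific immunity, steps one and two: Logistic-map generation of immature detectors
and negative selection with index-based contiguous r-bit matching (added example)."""
import time

MU = 3.99        # assumption: a value inside the chaotic band of the Logistic map
BURN_IN = 100    # assumption: iterations discarded so the seed's transient is not used


def logistic_bits(seed, mu=MU):
    """Yield bits from the orbit x(t+1) = mu * x(t) * (1 - x(t)), thresholded at 0.5."""
    x = seed % 1.0 or 0.123456789     # keep the initial value strictly inside (0, 1)
    for _ in range(BURN_IN):
        x = mu * x * (1.0 - x)
    while True:
        x = mu * x * (1.0 - x)
        yield 1 if x > 0.5 else 0


def immature_detectors(length, r, seed=None):
    """Group the chaotic bit stream into detectors in the text's (content, start) format:
    r bits of content, matched from 1-based position 'start' of a length-bit sequence."""
    bits = logistic_bits(time.time() if seed is None else seed)   # timestamp seed by default
    while True:
        content = "".join(str(next(bits)) for _ in range(r))
        start = 1 + sum(next(bits) << i for i in range(4)) % (length - r + 1)
        yield content, start


def matches(sequence, detector):
    """Index mode: compare only the r-bit window the detector is indexed at."""
    content, start = detector
    return sequence[start - 1:start - 1 + len(content)] == content


def negative_selection(self_set, needed, r, seed=None, max_candidates=10000):
    """Tolerance training: a candidate that matches any self sequence is destroyed, the
    chaotic stream keeps supplying replacements, and the survivors become mature detectors.
    Returns (mature detectors, number destroyed)."""
    length = len(next(iter(self_set)))
    stream = immature_detectors(length, r, seed)
    mature, destroyed = [], 0
    for _ in range(max_candidates):
        if len(mature) >= needed:
            break
        det = next(stream)
        if any(matches(s, det) for s in self_set):
            destroyed += 1                 # reacts to self: eliminated like a self-reactive T cell
        elif det not in mature:
            mature.append(det)
    return mature, destroyed


# Self set from the text (Fig. 6); the text's example detector (001, 1) against 001010.
SELF_SET = ("01011", "01010", "01101")

if __name__ == "__main__":
    print("(001, 1) vs 001010 ->", "destroyed" if matches("001010", ("001", 1)) else "kept")
    mature, destroyed = negative_selection(SELF_SET, needed=6, r=3, seed=0.31)
    print("mature detectors:", mature, "| destroyed:", destroyed)
```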
Step three: clonal iterations of the antigen are performed using a genetic algorithm based clonal selection algorithm. And adopting an operator of the genetic algorithm as an iterative operator in the clone selection algorithm. Meanwhile, the clone selection algorithm mainly based on variation can also refer to the idea mainly based on intersection in the genetic algorithm during iteration, and not only cloning and variation can be performed during clone selection, but also intersection can be performed, and the whole clone selection algorithm process is shown in the attached figure 7.
Firstly, generating a series of mature detectors by a negative selection algorithm;
matching the detector with the antigen and calculating the matching affinity;
thirdly, if the matching degree of the antigen does not reach the convergence criterion, carrying out clone selection, including cloning, variation and crossing;
after cloning and selection, entering the next generation of population, and simultaneously performing matching calculation of affinity with the antigen again;
and fifthly, when the affinity matching reaches the expected convergence condition, outputting the current result set and ending the algorithm. The cloning, variation and crossover portions are shown in FIG. 8, where the cloning is performed by directly preserving the original sequence itself; the variation is that 0 of several bits becomes 1 or 1 becomes 0; and the crossing is that the first half section and the second half section of the two sequences are respectively taken and then exchanged, the first half section of the first sequence is spliced with the second half section of the second sequence, and the first half section of the second sequence is spliced with the second half section of the first sequence.
D. Matching unknown information
Step one: the unknown information is put into the population set for matching. If nothing matches, the information is safe and is received and loaded; if it is marked as an attack, it is intercepted. If any detector in any node identifies the unknown information as an attack, the information is treated as an attack, which reduces the miss rate of attack identification, while the multiple iteration steps reduce the error rate of the judgement.
Step two: the hash value of the intercepted novel attack is computed with the hash function and stored in the known attack library, and the information about the attack is transmitted to the other hosts in the network, which strengthens the non-specific immunity of the whole network.
The distributed multi-host network intrusion detection system based on artificial immunity uses a hash algorithm to identify whether an attack is known, which reduces the matching overhead of specific immunity. By sharing information among multiple hosts, once one host has been attacked for some time and has finally intercepted and resisted the attack, the attack information (including the antibodies and the corresponding target cell antigens) is sent to the other hosts over the network, so that the network can ultimately recognise more attacks. Meanwhile, a large number of random detectors with better randomness is generated more efficiently by the Logistic map of the chaotic algorithm and put into training. Finally, a clonal selection algorithm combined with a genetic algorithm strengthens crossover on top of mutation, iteratively clones the antibodies (detectors) with better matching and higher affinity under improved convergence, generates them preferentially, and converges the population towards a global optimum, giving rapid self-adaptive discovery of intrusion attacks. Compared with other traditional intrusion detection systems, the system has higher robustness and adaptability, and a lower miss rate and error rate in attack detection.
The above embodiments are only intended to illustrate the technical solution of the present invention, not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that modifications may be made to the technical solutions described in the foregoing embodiments, or some of their technical features replaced by equivalents, without such modifications or substitutions departing from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A distributed multi-host network intrusion detection system based on artificial immunology is characterized in that a distributed multi-host network is adopted, hosts are independent of each other, a plurality of nodes are arranged in the hosts, detectors are arranged in the nodes, when a certain host in the network captures information in the network, the information is processed and then compared with a known attack library to obtain a hash value, if the comparison is successful, interception is carried out, otherwise, a specific immunization process is carried out; in the specific immune process, firstly, a negative selection algorithm is adopted to carry out tolerance training of an immature detector, then, the mature detector is subjected to clone selection, an antibody with higher antigen affinity is added, whether the attack is the attack or not is finally judged, if yes, a known attack library is intercepted and updated, and if not, information is loaded.
2. The system of claim 1, wherein the captured information is processed as follows: currently common attack patterns are collected, and training uses the training set of the network intrusion detection data packet KDDCup_data_10percent from the open-source data set KDDCup99, in which every record contains 41 features plus a label; features are first extracted by selecting the 2nd, 3rd, 4th, 23rd and 42nd fields of each record, where the 2nd field is the protocol type, the 3rd the network service type, the 4th the connection status flag, the 23rd the number of connections to the same host as the current connection, and the 42nd the attack-type label; letters are converted to ASCII codes, punctuation is removed by discretisation, the values are normalised into the range [0,1], and a two-dimensional matrix is generated and stored sequentially.
3. The system of claim 1, wherein known attacks are stored as follows: a hash function is applied to each preprocessed known attack, and the resulting hash value is stored in the known-attack library.
4. The system of claim 3, wherein two different pieces of information that produce the same hash value are both treated as attacks.
5. The system of claim 1, wherein immature detectors are generated as follows: a random number x is generated from a seed derived from the computer's timestamp; using the Logistic map of chaos theory, x(t+1) = μ·x(t)·(1 − x(t)), with μ within a certain range (the chaotic regime of the map), a segment of arbitrary length is taken from the trajectory; sampling that segment with a state parameter yields a random number string; the string is cut into substrings of a uniform format, and the substrings are grouped to form immature detectors.
6. The system of claim 1, wherein the negative selection algorithm trains the immature detectors as follows: a self set (autologous cells) is first defined; a certain number of detectors are matched against the self cells; a detector that matches a self cell is destroyed; meanwhile a chaotic system generates random sequences that supply new detectors; detectors that have not matched any self cell over a period of time become mature detectors and are added to the mature set.
7. The system of claim 6, wherein detectors are matched against self cells by a combination of full-bit matching, r-contiguous-bits matching and Hamming matching.
8. The system of claim 7, wherein detector and self cell are matched by index: starting from a given bit as the first bit, r consecutive bits are compared.
9. The system of claim 1, wherein the clonal selection algorithm proceeds as follows: a set of mature detectors is first generated by the negative selection algorithm; each detector is matched against the antigen and the affinity of the match is calculated; if the degree of matching with the antigen has not reached the convergence criterion, clonal selection is performed, comprising cloning, mutation and crossover; after clonal selection the next generation of the population is entered and affinity with the antigen is computed again; once affinity matching reaches the expected convergence condition, the current result set is output and the algorithm terminates.
10. The system of claim 1, wherein information finally determined to be an attack is transmitted to the other hosts.
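The specific immune process of claims 5 to 9 end to end, as an added example that is not the patent's own code: a Logistic-map bit source for immature detectors, negative selection with r-contiguous-bits matching, and elitist clonal selection with mutation and one-point crossover. Everything not fixed by the claims is an assumption: 16-bit detectors, r = 6, μ = 3.99, Hamming-based affinity, a convergence target of 0.9, and the self set and antigen, which are constructed strings rather than KDDCup99 data. The names `LogisticMapSource`, `negative_selection`, `clonal_selection` and `run_demo` are this example's.

```python
import random

L = 16        # bits per detector and sample (assumption; the patent fixes no width)
R = 6         # r-contiguous-bits threshold for claims 7 and 8 (assumption)
MU = 3.99     # logistic-map parameter inside the chaotic regime (assumption)

# Constructed self set and antigen for the demo; not taken from any data set.
SELF_SET = ["0000000000000000", "1111111111111111",
            "0101010101010101", "1010101010101010"]
ANTIGEN = "0011001100110011"


class LogisticMapSource:
    """Chaotic bit source for immature detectors (claim 5):
    x(t+1) = mu * x(t) * (1 - x(t)); each state is thresholded at 0.5, and
    take(n) returns the next n bits of the same trajectory, so successive
    detectors are disjoint segments of the track rather than shifted copies."""

    def __init__(self, seed: float, mu: float = MU):
        if not 0.0 < seed < 1.0:
            raise ValueError("seed must lie in (0, 1)")
        self.x, self.mu = seed, mu
        for _ in range(100):          # discard the transient
            self.step()

    def step(self) -> float:
        self.x = self.mu * self.x * (1.0 - self.x)
        return self.x

    def take(self, n: int) -> str:
        return "".join("1" if self.step() >= 0.5 else "0" for _ in range(n))


def r_contiguous_match(a: str, b: str, r: int = R) -> bool:
    """True when a and b agree on r consecutive positions (claims 7 and 8)."""
    run = 0
    for ca, cb in zip(a, b):
        run = run + 1 if ca == cb else 0
        if run >= r:
            return True
    return False


def affinity(a: str, b: str) -> float:
    """Hamming-based affinity in [0, 1]; 1.0 means the strings are identical."""
    return 1.0 - sum(ca != cb for ca, cb in zip(a, b)) / len(a)


def is_self_reactive(detector: str, self_set) -> bool:
    return any(r_contiguous_match(detector, s) for s in self_set)


def negative_selection(self_set, n_detectors, source, max_candidates=10000):
    """Tolerance training (claim 6): chaotic candidates that match any self
    sample are destroyed; the survivors become mature detectors."""
    mature = []
    for _ in range(max_candidates):
        cand = source.take(L)
        if not is_self_reactive(cand, self_set):
            mature.append(cand)
            if len(mature) == n_detectors:
                break
    return mature


def clonal_selection(detectors, antigen, self_set, rng, generations=200,
                     clones=8, mutation_rate=1.0 / L, crossover_rate=0.5,
                     target=0.9):
    """Clonal selection with mutation and crossover (claim 9). Elitist: the
    best member is never lost, and every clone is re-checked against the
    self set so affinity maturation cannot produce a detector that fires on self."""
    pop = list(detectors)
    n = len(pop)
    key = lambda d: affinity(d, antigen)
    for gen in range(generations):
        pop.sort(key=key, reverse=True)
        if key(pop[0]) >= target:
            return pop[0], gen
        parents = pop[: max(2, n // 2)]
        children = []
        for p in parents:
            for _ in range(clones):
                child = list(p)
                if rng.random() < crossover_rate:            # one-point crossover
                    mate, cut = rng.choice(parents), rng.randrange(1, L)
                    child = list(p[:cut] + mate[cut:])
                for i in range(L):                             # bit-flip mutation
                    if rng.random() < mutation_rate:
                        child[i] = "1" if child[i] == "0" else "0"
                child = "".join(child)
                if not is_self_reactive(child, self_set):
                    children.append(child)
        pop = sorted(parents + children, key=key, reverse=True)[:n]
    pop.sort(key=key, reverse=True)
    return pop[0], generations


def run_demo(seed=7):
    """One host's specific immune pass: tolerance training, then affinity
    maturation against a single non-self antigen."""
    rng = random.Random(seed)
    source = LogisticMapSource(rng.random())
    detectors = negative_selection(SELF_SET, 8, source)
    best, gens = clonal_selection(detectors, ANTIGEN, SELF_SET, rng)
    return detectors, best, gens


if __name__ == "__main__":
    dets, best, gens = run_demo()
    print(f"{len(dets)} mature detectors; best {best} has affinity "
          f"{affinity(best, ANTIGEN):.3f} after {gens} generations")
```

Two design choices matter more than the parameter values. First, `LogisticMapSource.take` slices one trajectory into consecutive segments, because re-seeding the map for every detector with the previous state would produce strings that are shifted copies of each other rather than independent candidates. Second, `clonal_selection` re-runs the self check on every clone: the patent's claim 6 describes tolerance training only for immature detectors, but mutation and crossover can move a mature detector back into the self region, and a detector that reaches high affinity with the antigen by also matching self is a false alarm waiting to happen.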
CN202111409425.4A 2021-11-25 2021-11-25 Intrusion detection system of distributed multi-host network based on artificial immunology Active CN114117420B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111409425.4A CN114117420B (en) 2021-11-25 2021-11-25 Intrusion detection system of distributed multi-host network based on artificial immunology


Publications (2)

Publication Number Publication Date
CN114117420A true CN114117420A (en) 2022-03-01
CN114117420B CN114117420B (en) 2024-05-03

Family

ID=80372459


Country Status (1)

Country Link
CN (1) CN114117420B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101299691A (en) * 2008-06-13 2008-11-05 Nanjing University of Posts and Telecommunications Method for detecting dynamic grid intrusion based on artificial immunity
CN101887498A (en) * 2010-06-30 2010-11-17 Nanjing University of Posts and Telecommunications Virus checking method based on immune algorithm in mixed peer-to-peer network
CN102750490A (en) * 2012-03-23 2012-10-24 Nanjing University of Posts and Telecommunications Virus detection method based on collaborative immune network evolutionary algorithm
CN104981813A (en) * 2012-03-30 2015-10-14 Irdeto Technology Co., Ltd. Securing accessible systems using dynamic data mangling
US20170374091A1 (en) * 2016-06-27 2017-12-28 Research Foundation Of The City University Of New York Digital immune system for intrusion detection on data processing systems and networks
CN108365947A (en) * 2018-03-05 2018-08-03 Zhengzhou University of Light Industry Image encryption method based on Feistel networks and dynamic DNA coding
US20180285769A1 (en) * 2017-03-31 2018-10-04 Business Objects Software Ltd. Artificial immune system for fuzzy cognitive map learning


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Yang Yang; Yao Peihua: "Intrusion detection model based on immune principles" (基于免疫原理的入侵检测模型), Heilongjiang Science and Technology Information (黑龙江科技信息), no. 36, 25 December 2009 (2009-12-25) *

Also Published As

Publication number Publication date
CN114117420B (en) 2024-05-03


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant