CN114117420B - Intrusion detection system of distributed multi-host network based on artificial immunology - Google Patents
Intrusion detection system of distributed multi-host network based on artificial immunology
Publication number: CN114117420B (application CN202111409425.4A)
Authority: CN (China)
Prior art keywords: detector, attack, matching, intrusion detection, network
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/21—Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
- G06F18/214—Generating training patterns; Bootstrap methods, e.g. bagging or boosting
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
Abstract
The invention discloses an intrusion detection system for a distributed multi-host network based on artificial immunology. A hash algorithm first recognizes whether an attack is already known, which reduces the matching cost of the specific immune stage; combined with information sharing among multiple hosts, this finally lets the network identify more attacks. At the same time, a large number of random detectors is generated more efficiently with the Logistic mapping of a chaotic algorithm and put into training, so that the random detectors have better randomness. Finally, a clone selection algorithm combined with a genetic algorithm strengthens the crossover effect on top of mutation, so that detectors with better clone matching and higher affinity are iterated and generated preferentially with better convergence, and the population result converges in a globally optimal manner, giving the system a fast, self-adaptive ability to discover intrusion attacks. Compared with other traditional intrusion detection systems, the method has higher robustness and adaptivity, and a lower miss rate and error rate for attack detection.
Description
Technical Field
The invention relates to the technical field of network security, in particular to an intrusion detection system of a distributed multi-host network based on artificial immunology.
Background
With the rapid development of information technology, people increasingly rely on internet technology for daily services, which brings many new challenges to network defense and makes network security problems increasingly prominent.
Traditional methods of resisting network attacks mainly target static attacks: they analyze and evaluate the security risk posed by the threat of a novel attack and lack self-adaptive capability. Intrusion attacks are now a constant threat, so a network security defense technology that does not take them into account obviously has serious defects, and its accuracy is difficult to guarantee. Detection of intrusion attack threats has therefore become an important topic in network security.
The complexity and diversity of network attacks have made traditional IT defenses (such as antivirus software or intrusion prevention systems) almost obsolete. Furthermore, as attackers continue to discover and exploit vulnerabilities in systems, even traditional strategies that build multiple layers of defense become increasingly ineffective. An attacker may intentionally disrupt a computer's network access or subject the computer to a network attack. At the same time, the cost of mounting an attack keeps falling, and new, complex forms of malicious attack with potentially destructive effects can be created by combining simple, isolated attack types.
Inspired by biology, immune algorithms modelled on the biological immune system have emerged. A network security protection system bears a striking similarity to the human immune system: both protect themselves from external attacks in a complex external environment. The immune system is inherently able to recognize and inactivate unknown viruses.
In chaotic dynamics, the simplest nonlinear dynamical model is the Logistic mapping, an ecological model whose expression is x(t+1) = μx(t)(1 - x(t)). When μ takes a value in a certain range there is no periodicity: all trajectory points take values randomly and without rule, so taking a section of any length out of the trajectory is equivalent to taking a batch of randomly distributed numbers within a certain range. When the state parameter takes values in this section, the whole system is in a chaotic state, so random numbers can be generated.
The negative selection algorithm, also called the negative selection method, was proposed by Forrest in 1994; it is widely applied in AIS (artificial immune systems) and is one of the core algorithms of AIS. Negative selection is selection by elimination, in contrast to positive selection. In humans it means that T cells newly produced in the thymus are exposed to self-proteins that are essential to the host or to survival; if an immature T cell reacts to these proteins, it is destroyed before maturation. The remaining T cells, those that do not respond to the body's essential components, pass this process without being destroyed, so mature T cells have the property of tolerating self. The algorithm forms mature detectors by continuously training cells for tolerance, for the purpose of distinguishing self from non-self.
Genetic algorithms were first proposed by Professor J. Holland of the University of Michigan in 1975 in his monograph Adaptation in Natural and Artificial Systems, originating in the study of natural and artificial adaptive systems in the 1960s. A genetic algorithm is a randomized search algorithm that borrows natural selection and the natural genetic mechanism from biology. It simulates the reproduction, crossover and gene mutation that occur in natural selection and inheritance: a group of candidate solutions is kept in each iteration, better individuals are selected from the group according to some index, genetic operators (selection, crossover and mutation) combine those individuals to generate a new generation of candidate solutions, and the process repeats until a convergence criterion is met.
The clonal selection algorithm was proposed by de Castro and Von Zuben in 2000 based on the clonal selection theory of the immune system, and is one of the core algorithms of AIS. The clonal selection theory is that, in an initial group, a part of the individuals with the best value are selected according to the evaluated value; the selected individuals are cloned and mutated, and the best individuals among them are added into the original population. A part of the individuals in the population is then randomly replaced, the next generation population is entered, and the iteration repeats until the constraint condition is met. The idea is that only cells recognizing the antigen proliferate selectively, while those not recognizing the antigen are not selected for proliferation.
In the existing algorithms, a known attack is still matched in the conventional bit-matching form, so the cost is high. The immature detectors of the conventional negative selection algorithm are generated from random numbers, and computer-generated random numbers come from a deterministic function (commonly linear congruence) driven by a seed (commonly the clock); when a large number of random numbers are generated in a short time, or the random numbers are long, their randomness is therefore poor. The traditional clone selection algorithm relies mainly on mutation, which tends to emphasize local optima, so convergence is too slow and the global optimum is not found sufficiently. The traditional immune network model is based on a simple network, and the miss rate and error rate of attack detection in such a network are high. There is therefore a need for an intrusion detection scheme that comprehensively addresses these shortcomings.
Disclosure of Invention
To address these problems, the invention provides an intrusion detection system of a distributed multi-host network based on artificial immunology, which uses a hash algorithm to store known attacks for rapid screening and uses the initial-value sensitivity of chaos theory to solve the problem of poor randomness. A network deployment with multiple hosts and multiple nodes greatly reduces the miss rate of attack detection and improves detection performance.
In order to achieve the above object, the present invention provides the following technical solutions:
An intrusion detection system of a distributed multi-host network based on artificial immunology uses a distributed multi-host network in which the hosts are mutually independent, each host contains a plurality of nodes, and each node contains detectors. When a host in the network captures information from the network, the information is processed and then compared with a known attack library; if the comparison succeeds the information is intercepted, otherwise a specific immune process is carried out. The specific immune process first uses a negative selection algorithm for tolerance training of immature detectors, then performs clone selection on the mature detectors to increase the antibodies with higher affinity to the antigen, and finally judges whether the information is an attack: if so, it is intercepted and the known attack library is updated; otherwise the information is loaded.
Further, the captured information is processed as follows: the currently common attack modes are collected, and training uses the training set of the network intrusion detection data file kddcup_data_10percent from the open-source dataset KDDCup, in which each record contains 41 features and an identifier. The features are first extracted, selecting the 2nd, 3rd, 4th, 23rd and 42nd fields of each record: feature 2 is the protocol mark, feature 3 the network service type, feature 4 the network connection state, feature 23 the number of connections to the same host as the current connection, and feature 42 the attack type label. The values are discretized, letters are converted into ASCII codes and normalized so that the values map into the range [0,1], and a two-dimensional matrix is then generated for sequential storage.
Further, known attacks are stored as follows: the hash value of the processed known attack is calculated with the hash function and stored in the known attack library.
Further, if two different pieces of information produce the same hash value, both are treated as attacks.
Further, the immature detector is generated as follows: a random number x is generated from a time stamp via the computer's time seed; using the Logistic mapping expression x(t+1) = μx(t)(1 - x(t)) of chaos theory, with μ in a certain range, a section of any length is taken out of the trajectory; when the state parameter takes values in this section a random number string is generated, substrings are formed according to a unified format, and finally the substrings are grouped to form an immature detector.
Further, the tolerance training of the immature detector with the negative selection algorithm proceeds as follows: first, a self cell collection is defined; a certain number of detectors are put into the system and matched against the self cells; a detector that matches a self cell is destroyed automatically; meanwhile, random sequences generated by the chaotic system serve as replacement detectors; detectors that have not matched any self cell over the tolerance period become mature detectors and are added to the collection.
Further, the matching of detector and self cells combines all-bit matching, contiguous r-bit matching and Hamming matching.
Further, the detector is matched against the self cells in index mode: the r contiguous bits starting from a given bit are compared.
Further, the clonal selection algorithm proceeds as follows: first a series of mature detectors is generated by the negative selection algorithm; the detectors are matched to the antigen and the matching affinity is calculated; if the matching degree with the antigen does not reach the convergence standard, clone selection including cloning, mutation and crossover is performed; after clone selection the next generation group is entered and the matching between the antigen and the next generation group is calculated; when the affinity matching reaches the expected convergence condition, the current result set is output and the algorithm ends.
Further, information finally judged to be an attack is forwarded to the other hosts.
Compared with the prior art, the invention has the beneficial effects that:
1. The intrusion detection system based on a distributed multi-host network with artificial immunology combines the nonspecific and specific immunity of the human body: it judges whether an attack is known through the hash value of the attack data, and directly intercepts known attacks with nonspecific immunity (the skin).
2. When the negative selection part generates random immature detectors, the random values come from the Logistic mapping of chaos theory, so they have stronger randomness than random numbers generated from an ordinary time stamp; because of initial-value sensitivity, large numbers of them can be generated in a short time, which ensures better performance. In the matching stage, index-based pattern matching reduces the cost of matching.
3. The advantages of the clonal selection algorithm and the genetic algorithm are combined. Both are iterative algorithms that simulate an organism's system or an evolving ecological system, and both are population search strategies that emphasize information exchange among the individuals of the population. The operators of the genetic algorithm serve as the iterative operators of the clone selection algorithm, so the clone algorithm converges better, focuses more on the global optimum, and avoids sinking into a local optimum.
4. The antibodies generated by specific immunity, together with the identification of the target antigen, are also stored as hash values, and this information is transmitted to the other hosts in the distributed network so that they can intercept such attacks by nonspecific immunity when they encounter them. The network uses a multi-host, multi-node mode: when any host detects and confirms an attack, the other hosts in the network obtain the information about it, and when the detector of any node in a host judges that it is under attack, the information is treated as an attack, which reduces the miss rate of the network model's attack detection.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings required for the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments described in the present application, and other drawings may be obtained according to these drawings for a person having ordinary skill in the art.
Fig. 1 is a flowchart of a distributed multi-host network intrusion detection system based on artificial immunity according to an embodiment of the present invention.
Fig. 2 is a network environment diagram provided in an embodiment of the present invention.
Fig. 3 is a flowchart of a captured data processing procedure according to an embodiment of the present invention.
Fig. 4 is a flowchart of a chaos theory generating immature detector provided by an embodiment of the present invention.
FIG. 5 is a flowchart of a negative selection algorithm according to an embodiment of the present invention.
FIG. 6 is a schematic diagram of an autologous cell collection and a detector collection according to an embodiment of the present invention.
FIG. 7 is a flowchart of a clonal selection algorithm in accordance with an embodiment of the present invention.
FIG. 8 is a schematic diagram of cloning, crossing and mutation processes according to an embodiment of the present invention.
Detailed Description
For a better understanding of the present technical solution, the method of the present invention is described in detail below with reference to the accompanying drawings.
The invention provides a distributed multi-host network intrusion detection system based on artificial immunity; the whole flow is shown in Fig. 1. The network is a distributed multi-host network in which the hosts are mutually independent, each host contains a plurality of nodes, and each node contains detectors. When a host in the network captures information from the network, the information is processed and compared with a known attack library; if the comparison succeeds the information is intercepted, otherwise a specific immune process is carried out. The specific immune process first uses a negative selection algorithm for tolerance training of the detectors, then performs clone selection on the mature detectors to add antibodies with higher affinity to the antigen, and finally judges whether the information is an attack: if so, it is intercepted and the known attack library is updated; otherwise the information is loaded. The scheme is described in detail below.
A. Configuration environment
Step one: the network environment is configured and hosts in the network are built, as shown in fig. 2, there are r hosts in the current network, each host has r nodes, and multiple detectors exist in the nodes.
Step two: handling of known attacks. The method comprises the steps of collecting the currently commonly used attack mode, training by adopting a training set in a network intrusion detection data packet kddcup _data_10percent in an open source dataset KDDCup, wherein each piece of data contains 41 features and identifiers, firstly extracting the features, selecting five features of 2,3,4, 23 and 42, wherein the feature number 2 is a protocol mark, the feature number 3 is a network service type, the feature number 4 is a network connection state, the feature number 23 is the connection number of the same host machine as the current connection, and the feature number 42 is an attack type mark label. After the punctuation marks are removed by discretization, letters are converted into ASCII codes and normalized, values are mapped into the range of [0,1], and then a two-dimensional matrix is generated for sequential storage. The general procedure is shown in figure 3.
Step three: the known attacks are stored. The hash value of the processed known attack is calculated by using the hash function and stored in the known attack library. The system takes measures that if two different kinds of information generate the same hash value, namely hash collision, the two different kinds of information are preferentially considered as attacks, so that the miss rate of attack identification is reduced.
B. Nonspecific immune process
Step one: the captured network data is processed. The system adopts a test level in a network intrusion detection data packet kddcup _data_10 percentage in an open source dataset KDDCup to test, and the processing steps after feature extraction and normalization of the data are the same as those of the known attack.
Step two: and carrying out hash calculation on the generated two-dimensional matrix data, comparing the hash value with the stored known attacks after the hash function calculation, and if the comparison is successful, indicating that the attack is an attack and intercepting the attack, otherwise, entering the next step.
C. Specific immune process
Step one: as shown in Fig. 4, a random number x is generated from a time stamp via the computer's time seed. When μ takes a value in a certain range, the Logistic mapping has no periodicity and no rule: all trajectory points are taken randomly, so a section of any length taken out of the trajectory is equivalent to a random number sequence taken from a certain range, and the whole system is in a chaotic state when the state parameter takes values in that section. Using a state parameter in the chaotic state, random number strings can be generated rapidly in batches in a short time; substrings are formed according to a unified format and finally grouped to form an immature detector.
Step two: the immature detectors are tolerance-trained with a negative selection algorithm, which again mimics the mechanism of the human immune system: an immature detector set (T cells before tolerization) is generated first, together with a self set (the body's own cell proteins). Each detector in the detector set is matched against the data of the self set; if it matches, the detector is eliminated, and if it does not match it is added to the mature detector set. When the number of detectors is insufficient, new immature detectors are added into the immature detector set. The detailed steps are shown in Fig. 5.
① First, a self cell collection is defined;
② A certain number of detectors are put into the system and matched against the self cells;
③ A detector that matches a self cell is destroyed automatically;
④ Meanwhile, random sequences generated by the chaotic system serve as replacement detectors;
⑤ Detectors that have not matched any self cell over the tolerance period become mature detectors and are added to the collection.
The matching process combines full-bit matching, contiguous r-bit matching and Hamming matching into a new matching algorithm, and uses an index mode in which the r contiguous bits starting from a given bit are compared, which reduces the cost of the computation. For example, with the self sequence 001010 and the detector 001,1 (starting from bit 1, index 3, content 001), the content exactly matches the first three bits of the self sequence, so the detector must be destroyed. Fig. 6 shows the detector sequences on the mature detector set side when the self cell set is 01011, 01010, 01101.
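An added example (not the patent's code) of steps C1 and C2 as described above and in the "Further" paragraphs of the disclosure: a bit stream is drawn from the Logistic map trajectory, cut into immature detectors in the page's "001,1" format, and passed through negative selection against the self set of Fig. 6 using index-mode r-contiguous matching. The value μ = 3.99, the burn-in, the 0.5 threshold, and the way the start index is drawn from the stream are assumptions the page leaves open.

```python
"""Chaotic detector generation (step C1) and negative selection (step C2).

Constructed example, not the patent's code. Assumptions the page leaves
open: mu = 3.99 (inside the chaotic range of the Logistic map), the first
100 iterates after the seed are discarded, each iterate becomes one bit by
thresholding at 0.5, an immature detector is r contiguous bits plus a
1-based start index drawn from the next 8 bits of the stream (the page's
"001,1" format), and matching is exact comparison of those r bits with the
self string at that index.
"""
import time


def logistic_map(x, mu=3.99):
    """One step of x(t+1) = mu * x(t) * (1 - x(t))."""
    return mu * x * (1.0 - x)


def chaotic_bits(seed, mu=3.99, burn_in=100):
    """Endless bit stream taken from the Logistic map trajectory."""
    if not 0.0 < seed < 1.0:
        raise ValueError("seed must lie strictly inside (0, 1)")
    x = seed
    for _ in range(burn_in):          # skip the transient
        x = logistic_map(x, mu)
    while True:
        x = logistic_map(x, mu)
        yield "1" if x >= 0.5 else "0"


def time_seed():
    """Fractional part of the clock: the computer time seed of step C1."""
    frac = time.time() % 1.0
    return frac if 0.0 < frac < 1.0 else 0.314159   # constructed fallback


def take_bits(stream, n):
    """Take the next n bits from the stream as a string."""
    return "".join(next(stream) for _ in range(n))


def immature_detector(stream, length, r):
    """Cut r bits from the stream and attach a start index in 1..length-r+1."""
    bits = take_bits(stream, r)
    start = int(take_bits(stream, 8), 2) % (length - r + 1) + 1
    return bits, start


def matches(self_seq, detector):
    """Index-mode r-contiguous matching: the page's '001,1' against 001010."""
    bits, start = detector
    return self_seq[start - 1:start - 1 + len(bits)] == bits


def negative_selection(self_set, n_mature, length, r, seed, max_tries=10000):
    """Steps 1-5 of Fig. 5: keep detectors that match no self sequence."""
    stream = chaotic_bits(seed)
    mature, destroyed = [], 0
    for _ in range(max_tries):
        if len(mature) >= n_mature:
            break
        det = immature_detector(stream, length, r)
        if any(matches(s, det) for s in self_set):
            destroyed += 1            # step 3: detector reacts to self
        elif det not in mature:
            mature.append(det)        # step 5: tolerant, becomes mature
    return mature, destroyed


if __name__ == "__main__":
    # Self set of Fig. 6, detectors of 3 bits over 5-bit self sequences.
    mature, gone = negative_selection({"01011", "01010", "01101"}, 5, 5, 3, time_seed())
    print("mature detectors:", mature, "destroyed:", gone)
```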
Step three: cloning iterations of the antigen were performed using a genetic algorithm-based clonal selection algorithm. The operators of the genetic algorithm are used as iterative operators in the clonal selection algorithm. Meanwhile, the mutation-based clone selection algorithm can refer to the concept of crossover-based genetic algorithm in iteration, and the whole clone selection algorithm process is shown in figure 7.
① First a series of maturity detectors are generated by a negative selection algorithm;
② Matching the detector to the antigen and calculating a matching affinity;
③ If the matching degree of the antigen does not reach the convergence standard, performing clone selection including cloning, mutation and crossing;
④ After clone selection, entering the next generation group, and simultaneously carrying out matching calculation on the antigen and the next generation group;
⑤ And when the affinity matching reaches the expected convergence condition, outputting the current result set, and ending the algorithm. Cloning, mutation and crossover are shown in FIG. 8, wherein the cloning directly retains the original sequence itself; variation is where 0 of several bits becomes 1 or 1 becomes 0; the intersection is that the first half section and the second half section of the two sequences are respectively taken and then exchanged, the first half section of the first sequence is spliced with the second half section of the second sequence, and the first half section of the second sequence is spliced with the second half section of the first sequence.
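An added example (not the patent's code) of the clonal selection loop of steps ① to ⑤ above and of the corresponding "Further" paragraph in the disclosure, with the cloning, mutation and half-swapping crossover of Fig. 8 as the iterative operators. Bit-string antigens, Hamming-similarity affinity, the clone counts, the mutation probability and the random replacement of the weakest individuals are assumptions the page does not fix.

```python
"""Clonal selection with genetic-algorithm operators (step C3, Figs. 7-8).

Constructed example, not the patent's code. Assumptions the page does not
fix: a detector (antibody) and an antigen are bit strings of equal length,
affinity is the fraction of equal bits, the convergence standard is a target
affinity, the number of clones falls with rank, mutation flips each bit with
probability p_mut, crossover swaps the halves of two sequences exactly as
Fig. 8 describes, and the weakest individuals are replaced by random ones
each generation (the "randomly replace a part of individuals" step).
"""
import random


def affinity(detector, antigen):
    """Fraction of positions where detector and antigen agree."""
    return sum(a == b for a, b in zip(detector, antigen)) / len(antigen)


def clone(detector, n_copies):
    """Cloning keeps the original sequence itself."""
    return [detector] * n_copies


def mutate(detector, rng, p_mut):
    """Mutation: a 0 becomes 1 or a 1 becomes 0 at a few positions."""
    flip = {"0": "1", "1": "0"}
    return "".join(flip[b] if rng.random() < p_mut else b for b in detector)


def crossover(seq_a, seq_b):
    """Crossover: keep each first half and exchange the second halves."""
    half = len(seq_a) // 2
    return seq_a[:half] + seq_b[half:], seq_b[:half] + seq_a[half:]


def random_bits(n, rng):
    """Random replacement individual (stands in for a fresh mature detector)."""
    return "".join(rng.choice("01") for _ in range(n))


def clonal_selection(population, antigen, rng, target=1.0, max_gen=500,
                     n_select=4, clone_factor=3, p_mut=0.1, n_replace=2):
    """Iterate Fig. 7 until the best affinity reaches the convergence target.

    Returns (population sorted by affinity, generations run, best affinity).
    """
    size = len(population)
    by_affinity = lambda d: affinity(d, antigen)
    for gen in range(max_gen):
        ranked = sorted(population, key=by_affinity, reverse=True)
        best = affinity(ranked[0], antigen)
        if best >= target:                       # step 5: converged
            return ranked, gen, best
        # step 3: clone the best individuals (more clones for higher rank)
        # and mutate every clone
        clones = []
        for rank, det in enumerate(ranked[:n_select]):
            for c in clone(det, clone_factor * (n_select - rank)):
                clones.append(mutate(c, rng, p_mut))
        # genetic crossover between pairs of mutated clones
        rng.shuffle(clones)
        crossed = []
        for i in range(0, len(clones) - 1, 2):
            crossed.extend(crossover(clones[i], clones[i + 1]))
        # step 4: the best of parents, clones and offspring form the next
        # generation; the weakest n_replace slots are refilled randomly
        pool = sorted(ranked + clones + crossed, key=by_affinity, reverse=True)
        population = pool[:size - n_replace]
        population += [random_bits(len(antigen), rng) for _ in range(n_replace)]
    ranked = sorted(population, key=by_affinity, reverse=True)
    return ranked, max_gen, affinity(ranked[0], antigen)


def run_demo(antigen, seed, size=8):
    """Seeded run: returns (best affinity before, after, generations, top)."""
    rng = random.Random(seed)
    population = [random_bits(len(antigen), rng) for _ in range(size)]
    before = max(affinity(d, antigen) for d in population)
    ranked, gens, best = clonal_selection(population, antigen, rng)
    return before, best, gens, ranked[0]


if __name__ == "__main__":
    # Constructed antigen standing in for an attack pattern.
    print(run_demo("1100101011110001", seed=1))
```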
D. Matching unknown information
Step one: the unknown information is put into the population set for matching. If it is not matched, it is safe information and is accepted and loaded; if it is marked as an attack, it is intercepted. If any detector in any node recognizes the unknown information as an attack, the information is treated as an attack, which reduces the miss rate of attack recognition; the error rate of the judgment is reduced through a number of iteration steps.
Step two: the hash value of the intercepted novel attack is calculated with the hash function, stored in the known attack library, and the information about the attack is transmitted to the other hosts in the network, enhancing the nonspecific immunity of the whole network.
In the distributed multi-host network intrusion detection system based on artificial immunity, a hash algorithm identifies whether an attack is known, which reduces the matching cost of specific immunity. If one host receives a certain attack and finally intercepts and resists it, the information about the attack (comprising the antibody and the corresponding target cell antigen) is sent to the other hosts through the network; combined with multi-host information sharing, the network can finally recognize more attacks. A large number of random detectors is generated more efficiently with the Logistic mapping of a chaotic algorithm and put into training, so that the random detectors have better randomness. Finally, a clone selection algorithm combined with a genetic algorithm strengthens the crossover effect on top of mutation, so that antibodies (detectors) with better clone matching and higher affinity are iterated and generated preferentially with better convergence, and the population result converges in a globally optimal manner, giving the system a fast, self-adaptive ability to discover intrusion attacks. In conclusion, compared with other traditional intrusion detection systems, the system has higher robustness and adaptivity and a lower miss rate and error rate for attack detection.
The above embodiments only illustrate the technical solution of the present invention and do not limit it; although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments may be modified, or some of their technical features replaced by equivalents, without departing from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (8)
1. An intrusion detection system of a distributed multi-host network based on artificial immunology, characterised in that a distributed multi-host network is adopted in which the hosts are mutually independent, a plurality of nodes is arranged in each host and detectors are arranged in the nodes; when one host in the network captures information in the network, the information is processed and then compared with a known-attack library; if the comparison succeeds, the information is intercepted, otherwise a specific immune process is carried out; the specific immune process first uses a negative selection algorithm for tolerance training of immature detectors, then performs clonal selection on the mature detectors, amplifying the antibodies with higher affinity to the antigen, and finally judges whether the information is an attack; if it is, the information is intercepted and the known-attack library is updated, otherwise the information is loaded;
the immature detectors are generated as follows: a random number x is generated from a time stamp using the computer's time seed; through the Logistic mapping expression of chaos theory, x(t+1) = μ·x(t)·(1 − x(t)), with μ within a certain range, a segment of arbitrary length is taken from the trajectory, and a random number string is generated as the state parameter takes values within that segment; the strings are formed into substrings in a unified format and finally grouped to form an immature detector;
the algorithmic process of tolerance training of the immature detectors with the negative selection algorithm is: first, a self (autologous) cell set is defined; a certain number of detectors are put into the system and matched against the self cells; a detector that matches a self cell is automatically destroyed, and at the same time a random sequence generated by the chaotic system is supplied as a replacement detector; detectors that have not matched any self cell over the tolerance period become mature detectors and are added to the set.
2. The intrusion detection system of a distributed multi-host network based on artificial immunology according to claim 1, characterised in that the captured information is processed as follows: currently common attack patterns are collected, and training uses the training set of the network intrusion detection data packet kddcup.data_10_percent from the open-source KDD Cup dataset, in which each record contains 41 features plus a label; features are first extracted by selecting the 2nd, 3rd, 4th, 23rd and 42nd fields of the record, where field 2 is the protocol type, field 3 the network service type, field 4 the network connection state, field 23 the number of connections to the same host as the current connection, and field 42 the attack-type label; the values are discretised, letters are converted to ASCII codes and normalised so that the values are mapped into the range [0,1], and a two-dimensional matrix is then generated for sequential storage.
3. The intrusion detection system of a distributed multi-host network based on artificial immunology according to claim 1, characterised in that known attacks are stored as follows: the hash value of the processed known attack is computed with the hash function and stored in the known-attack library.
4. An intrusion detection system according to claim 3, wherein two different pieces of information are regarded as the same attack when they produce the same hash value.
5. The intrusion detection system of a distributed multi-host network based on artificial immunology according to claim 1, wherein the matching of detectors to self cells uses a combination of full-bit matching, r-contiguous-bit matching and Hamming matching.
6. The intrusion detection system of a distributed multi-host network based on artificial immunology according to claim 5, wherein the matching of detectors to self cells uses an index method: starting from a given bit position, r consecutive bits are compared.
7. The intrusion detection system of a distributed multi-host network based on artificial immunology according to claim 1, wherein the clonal selection algorithm proceeds as follows: first a series of mature detectors is generated by the negative selection algorithm; the detectors are matched to the antigen and a matching affinity is computed; if the degree of matching to the antigen does not reach the convergence criterion, clonal selection is performed, including cloning, mutation and crossover; after clonal selection the next-generation population is entered, and the antigen is matched against the next-generation population; when the affinity matching reaches the expected convergence condition, the current result set is output and the algorithm ends.
8. The intrusion detection system according to claim 1, wherein information finally determined to be an attack is passed to the other hosts.
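The specific-immune process of claims 1 and 5 to 7 (Logistic-map detector generation, negative selection, the three matching rules, and a clonal selection round), as an added Python example that is not the patent's own code. Claim 1 only says μ lies "in a certain range"; this example assumes μ = 4, the fully chaotic regime of the Logistic map, and thresholds the orbit at 0.5 to turn it into bits. Claim 5 names the three matching rules but not how they are combined; here any rule firing counts as a self match. The 32-bit length, r = 8, the Hamming threshold of 8 bits, the affinity measure, the clone counts and mutation rates, and the self set and antigen are all constructed assumptions. The caveat a practitioner will want to test for is visible in the parameters: with r too small almost every candidate matches self and negative selection yields no detectors, with r too large the detectors leave holes that attacks can sit in, so r has to be tuned against a real self set rather than fixed by convention.

```python
"""Added example, not the patent's own code: the specific-immune pipeline of
claims 1 and 5 to 7 in miniature.  Assumed values: mu = 4 (chaotic regime of
the Logistic map), 32-bit detectors, r = 8 for r-contiguous matching, a
Hamming threshold of 8 differing bits, a constructed self set and antigen."""
import random
import time

MU = 4.0          # assumption: mu = 4 keeps the Logistic map in its chaotic regime
L = 32            # assumption: detector and antigen length in bits
R = 8             # assumption: r for r-contiguous matching
HAMMING_MAX = 8   # assumption: Hamming matching threshold (bits allowed to differ)


def logistic_bits(rng, n_bits=L, burn_in=64):
    """Claim 1: seed x from the RNG, iterate x(t+1) = mu*x(t)*(1-x(t)), drop a
    transient, then threshold the orbit at 0.5 to obtain a detector bit string."""
    x, bits = rng.random(), []
    for t in range(burn_in + n_bits):
        if not 0.0 < x < 1.0:          # floating-point collapse onto 0 or 1: reseed
            x = rng.random()
        x = MU * x * (1.0 - x)
        if t >= burn_in:
            bits.append("1" if x >= 0.5 else "0")
    return "".join(bits)


def r_contiguous_match(a, b, r=R):
    """Claim 6: the index i runs over start positions; match if r consecutive bits agree."""
    return any(a[i:i + r] == b[i:i + r] for i in range(len(a) - r + 1))


def hamming_match(a, b, max_diff=HAMMING_MAX):
    return sum(x != y for x, y in zip(a, b)) <= max_diff


def matches_self(detector, self_set):
    """Claim 5: full-bit, r-contiguous and Hamming matching combined (any rule firing counts)."""
    return any(detector == s or r_contiguous_match(detector, s) or hamming_match(detector, s)
               for s in self_set)


def negative_selection(self_set, n_mature, rng, max_candidates=20000):
    """Claim 1: immature detectors that match a self cell are destroyed and replaced
    by fresh chaotic strings; the survivors become mature detectors."""
    mature = []
    for _ in range(max_candidates):
        if len(mature) == n_mature:
            break
        candidate = logistic_bits(rng)
        if not matches_self(candidate, self_set):
            mature.append(candidate)
    return mature


def affinity(detector, antigen):
    """Matching affinity: fraction of agreeing bits (1 minus normalised Hamming distance)."""
    return sum(a == b for a, b in zip(detector, antigen)) / len(antigen)


def mutate(detector, rng, rate):
    return "".join(("1" if b == "0" else "0") if rng.random() < rate else b for b in detector)


def crossover(a, b, rng):
    point = rng.randrange(1, len(a))
    return a[:point] + b[point:]


def clonal_selection(mature, antigen, self_set, rng, target=0.95, generations=80, pool=20, clones=5):
    """Claim 7: while the best affinity is below the convergence target, clone detectors
    (more clones and less mutation for higher affinity), cross some clones with top
    detectors, discard clones that now match self, and keep the fittest generation."""
    def rank_key(d):
        return affinity(d, antigen)
    population = sorted(mature, key=rank_key, reverse=True)[:pool]
    for _ in range(generations):
        if affinity(population[0], antigen) >= target:
            break
        offspring = []
        for rank, d in enumerate(population):
            aff = affinity(d, antigen)
            for _ in range(max(1, clones - rank // 4)):
                child = mutate(d, rng, rate=0.5 * (1.0 - aff) + 0.02)
                if rng.random() < 0.5:
                    child = crossover(child, rng.choice(population[:3]), rng)
                if not matches_self(child, self_set):
                    offspring.append(child)
        # dict.fromkeys de-duplicates while keeping order, so a seed gives a reproducible run
        population = sorted(dict.fromkeys(population + offspring), key=rank_key, reverse=True)[:pool]
    return population


# Constructed self set (patterns of normal traffic) and one constructed attack antigen.
SELF_SET = ["00000000111111110000000011111111", "00001111000011110000111100001111",
            "01010101010101010101010101010101", "11110000111100001111000011110000"]
ANTIGEN = "10011010110001011010011100101101"


def run(seed=None, n_mature=30):
    """Whole pipeline.  seed=None seeds from the clock, as claim 1 does."""
    rng = random.Random(time.time_ns() if seed is None else seed)
    mature = negative_selection(SELF_SET, n_mature, rng)
    before = max(affinity(d, ANTIGEN) for d in mature)
    evolved = clonal_selection(mature, ANTIGEN, SELF_SET, rng)
    return {"mature": mature, "before": before, "after": affinity(evolved[0], ANTIGEN)}


if __name__ == "__main__":
    print({k: v for k, v in run().items() if k != "mature"})
```

Because the population of each generation is merged with its offspring before the fittest are kept, the best affinity never decreases, which is what lets the loop stop on the convergence target rather than on a generation count.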
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111409425.4A CN114117420B (en) | 2021-11-25 | 2021-11-25 | Intrusion detection system of distributed multi-host network based on artificial immunology |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111409425.4A CN114117420B (en) | 2021-11-25 | 2021-11-25 | Intrusion detection system of distributed multi-host network based on artificial immunology |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114117420A CN114117420A (en) | 2022-03-01 |
CN114117420B true CN114117420B (en) | 2024-05-03 |
Family
ID=80372459
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111409425.4A Active CN114117420B (en) | 2021-11-25 | 2021-11-25 | Intrusion detection system of distributed multi-host network based on artificial immunology |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114117420B (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101299691A (en) * | 2008-06-13 | 2008-11-05 | Nanjing University of Posts and Telecommunications | Method for detecting dynamic gridding instruction based on artificial immunity |
CN101887498A (en) * | 2010-06-30 | 2010-11-17 | Nanjing University of Posts and Telecommunications | Virus checking method based on immune algorithm in mixed peer-to-peer network |
CN102750490A (en) * | 2012-03-23 | 2012-10-24 | Nanjing University of Posts and Telecommunications | Virus detection method based on collaborative immune network evolutionary algorithm |
CN104981813A (en) * | 2012-03-30 | 2015-10-14 | Irdeto Technology Co., Ltd. | Securing accessible systems using dynamic data mangling |
CN108365947A (en) * | 2018-03-05 | 2018-08-03 | Zhengzhou University of Light Industry | A kind of image encryption method based on Feistel networks and dynamic DNA encoding |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10609057B2 (en) * | 2016-06-27 | 2020-03-31 | Research Foundation Of The City University Of New York | Digital immune system for intrusion detection on data processing systems and networks |
US20180285769A1 (en) * | 2017-03-31 | 2018-10-04 | Business Objects Software Ltd. | Artificial immune system for fuzzy cognitive map learning |
Non-Patent Citations (1)
Title |
---|
Intrusion detection model based on immune principles; Yang Yang; Yao Peihua; Heilongjiang Science and Technology Information; 2009-12-25 (36); full text * |
Also Published As
Publication number | Publication date |
---|---|
CN114117420A (en) | 2022-03-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Halbouni et al. | Machine learning and deep learning approaches for cybersecurity: A review | |
Tang et al. | Detection of SQL injection based on artificial neural network | |
Ravi et al. | Adversarial defense: DGA-based botnets and DNS homographs detection through integrated deep learning | |
CN110191103B (en) | DGA domain name detection and classification method | |
Li et al. | LSTM based phishing detection for big email data | |
CN109359439B (en) | software detection method, device, equipment and storage medium | |
CN109450845B (en) | Detection method for generating malicious domain name based on deep neural network algorithm | |
Peng et al. | Network intrusion detection based on deep learning | |
Andrade et al. | A model based on LSTM neural networks to identify five different types of malware | |
CN107122221A (en) | Compiler for regular expression | |
Zhao et al. | Maldeep: A deep learning classification framework against malware variants based on texture visualization | |
Zhang et al. | Detection of android malware based on deep forest and feature enhancement | |
CN113221112B (en) | Malicious behavior identification method, system and medium based on weak correlation integration strategy | |
CN115270996A (en) | DGA domain name detection method, detection device and computer storage medium | |
CN115396169B (en) | Method and system for multi-step attack detection and scene restoration based on TTP | |
CN112507336A (en) | Server-side malicious program detection method based on code characteristics and flow behaviors | |
Hoang et al. | Iot malware classification based on system calls | |
CN117454380B (en) | Malicious software detection method, training method, device, equipment and medium | |
CN111400713A (en) | Malicious software family classification method based on operation code adjacency graph characteristics | |
Song et al. | Generating fake cyber threat intelligence using the gpt-neo model | |
Depuru et al. | Deep learning-based malware classification methodology of comprehensive study | |
Lin et al. | Ransomware Detection by Distinguishing API Call Sequences through LSTM and BERT Models | |
CN114117420B (en) | Intrusion detection system of distributed multi-host network based on artificial immunology | |
Lu et al. | Stealthy malware detection based on deep neural network | |
CN115600202A (en) | Multi-cutting strategy and deep convolution based malicious software detection and family classification method for generating countermeasure network |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||