Experiments with Applying Artificial Immune System in Network Attack Detection
Abstract
The assurance of security within a network is difficult due to the variations of attacks. This research conducts various experiments to implement an Artificial Immune System based Intrusion Detection System to identify intrusions using the Negative Selection Algorithm. This research explores the implementation of an Artificial Immune System as opposed to the industry standard of machine learning. Various experiments were conducted to identify a method to separate data to avoid false-positive results. The use of an Artificial Immune System requires a self and nonself classification to determine if an intrusion is present within the network. The Artificial Immune System based Intrusion Detection System achieved high accuracy when the data records were separated by service. The Negative Selection Algorithm created a range and provided detectors to determine whether an intrusion was present based on the threshold. The threshold is the number of detectors that must be triggered for the system to identify an intrusion. Many services were unusable because they did not meet the requirement of having both self and nonself data records that did not overlap. In general, the remaining tested services yielded high accuracy.

Disciplines: Information Security | Management Information Systems | Technology and Innovation

This event is available at DigitalCommons@Kennesaw State University: http://digitalcommons.kennesaw.edu/ccerp/2017/research/3

Cooper, KSU Proceedings on Cybersecurity Education, Research and Practice, Event 3. Published by DigitalCommons@Kennesaw State University, 2017.

INTRODUCTION

Securing information “covers all the processes and mechanisms by which computer based equipment, information and services are protected from unintended or unauthorized access, change, or destruction” (Yang, Li, Hu, Wang, & Zou, 2014). An Intrusion Detection System (IDS) helps to identify a possible malicious attack or odd behaviors within a network (Tavallaee, Bagheri, Lu, & Ghorbani, 2009).

An Intrusion Detection System built on the principles of an Artificial Immune System can provide a resolution to the problems that can occur while securing information. This implementation of an Intrusion Detection System differs from the industry standard of implementing machine learning. This research applies an Artificial Immune System (AIS) based Intrusion Detection System to the KDD CUP 1999 Corrected dataset. The KDD CUP 1999 full dataset is primarily used for machine learning. The full dataset’s sub-datasets include training and test datasets. The KDD CUP 1999 Corrected dataset was used because it is smaller than the full dataset and it is a testing dataset. The dataset is composed of normal and abnormal data records. Each normal data record has different features that make it an example of normal traffic flow. The abnormal data records, or intrusions, have different characteristics that set them apart. The problem that arises when applying the Artificial Immune System to the dataset is the makeup of the dataset: the KDD CUP 1999 Corrected dataset is a mixture of different types of intrusions and different normal data records. This research takes a new approach of defining self and nonself by isolating self and nonself of a service. The implementation of the AIS based IDS will be defined below.

ARTIFICIAL IMMUNE SYSTEM

An Artificial Immune System uses the model of a Human Immune System to implement self and nonself identities (Yang et al., 2014). The AIS model identifies key components of the problem and sets parameters on how to identify that problem (Yang et al., 2014). The Negative Selection Algorithm was the algorithm used in this experiment to implement an AIS. This algorithm requires classification of self and nonself. This research shows that strict self and nonself classification for intrusions yields higher accuracy in detecting an intrusion.

Negative Selection Algorithm

The Negative Selection Algorithm is a generation algorithm used to create “accurate and efficient detectors” (Yang et al., 2014) that distinguish between self and nonself. The components needed in the Negative Selection Algorithm are the threshold, the number of detectors, and the number of features. The relationship between the number of detectors and the threshold resembles the antigen and antibody relationship within the Human Immune System. In humans, an antigen is any substance that causes an immune system to produce an antibody that acts in response to the antigen (Yang et al., 2014). An antibody is used by the immune system to neutralize pathogens such as bacteria and viruses. Similar to the Human Immune System, the AIS detects its version of an antigen, the intrusion, by the Negative Selection Algorithm. The threshold is what determines an intrusion. The artificial body uses the sensory attribute of the Negative Selection Algorithm, whereby a specified number of tripped detectors will cause the data record to be classified as an intrusion.

Figure 1 illustrates a normal Human Immune System. Figure 2 illustrates a Human Immune System with an antigen (yellow circle). The antibodies (arrows pointed to cell) are attacking the antigen to protect the immune system.

Figure 3 shows an Artificial Immune System with normal activity. Figure 4 is an illustration of an Artificial Immune System with an abnormal cell (yellow circle). The circles in this figure represent detectors within the system. The arrow represents the threshold variable used to identify an intrusion.
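The following sketch of negative selection with a detector-count threshold is an added example, not code from the paper. The per-feature range matching rule, the radius, the detector count and the two-feature sample records are all assumptions constructed for illustration.

```python
import random

def matches(detector, record, radius):
    # Assumed matching rule: every feature lies within `radius` of the detector.
    return all(abs(d - x) <= radius for d, x in zip(detector, record))

def generate_detectors(self_records, n_detectors, n_features, radius, seed=1):
    # Negative selection: draw random candidates, discard any that match self.
    rng = random.Random(seed)
    detectors = []
    for _ in range(100_000):  # bounded, in case self covers the whole space
        if len(detectors) == n_detectors:
            break
        candidate = tuple(rng.random() for _ in range(n_features))
        if not any(matches(candidate, s, radius) for s in self_records):
            detectors.append(candidate)
    return detectors

def is_intrusion(record, detectors, radius, threshold):
    # An intrusion is reported once `threshold` or more detectors are triggered.
    fired = sum(matches(d, record, radius) for d in detectors)
    return fired >= threshold

def service_usable(self_records, nonself_records):
    # A service needs both classes, and no record may appear in both.
    return (bool(self_records) and bool(nonself_records)
            and not set(self_records) & set(nonself_records))

# Constructed sample: two normalized features for the records of one service.
SELF = [(0.20, 0.25), (0.22, 0.18), (0.15, 0.21)]
NONSELF = [(0.80, 0.78), (0.85, 0.82)]
RADIUS, THRESHOLD = 0.15, 3

DETECTORS = generate_detectors(SELF, n_detectors=200, n_features=2, radius=RADIUS)

if __name__ == "__main__":
    print("service usable:", service_usable(SELF, NONSELF))
    for rec in SELF + NONSELF + [(0.82, 0.77)]:
        verdict = is_intrusion(rec, DETECTORS, RADIUS, THRESHOLD)
        print(rec, "intrusion" if verdict else "normal")
```

Because every detector that matches a self record is discarded during generation, the self records used for training can never trigger a detector. Unseen normal traffic near the edge of the self region still can, which is the false-positive case the threshold is there to absorb.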