The method of computer system protection based on immune networks

 

Anton Titov1, postgraduate student

1 Computer System Department, Faculty of Information and Computing Technique, National Technical University of Ukraine “Kyiv Polytechnic Institute”, Address: 37, Prospect Permohy, 03056, Kyiv-56, Ukraine, e-mail: info@itrans.kiev.ua

 

There are two approaches in the field of intrusion detection: expert methods and statistical methods.

 

Expert intrusion detection systems are based on signature methods: they use specific rules that the system's developers add as new attacks appear. Such systems have several drawbacks: they have difficulty detecting previously unknown or modified attacks, the signature database must be updated continuously, and the size of that database becomes enormous.

 

Statistical methods offer the potential to identify network activity from limited observations and incomplete data, and have the ability to recognize previously unknown attacks.

 

Alongside artificial neural networks there is another statistical method, the immune network, which is the result of mathematically modelling the principles of information processing by biomolecules. Generalized immune networks have an advantage in learning: it consists of a direct computational procedure for constructing a system of differential equations. Immune networks also have potentially better accuracy than neural networks.

 

The main part of an intrusion detection system based on an artificial immune system (AIS) maintains two processes: the evolution of gene libraries and negative selection.

 

The initial data for forming the gene libraries is selected from the characteristics of the network protocols in use, in particular their weakest points from the protection standpoint. Then, when abnormal activity is detected, detectors matching it are added to the network library. It should be noted that, since the volume of the gene libraries is limited, only the most frequently detected "genes" are stored.

 

In the second stage, random "genes" are generated. The generated "genes" are called pre-detectors. Every pre-detector has to pass a test called "negative selection", which deletes the pre-detectors that classify normal activity as an attack.

 

The ultimate goal is to create a limited set of detectors that can detect the maximum number of network anomalies. This set is distributed over the network nodes, forming a secondary IDS (intrusion detection system).
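The two processes described above (a bounded gene library fed by earlier detections, and negative selection of randomly generated pre-detectors against normal activity) can be demonstrated in a few dozen lines. The following is an added example written for this page, not code from the author or from any AIS implementation. It assumes a 16-bit encoding of four small activity features, an r-contiguous-bits matching rule with threshold R = 6, and a handful of constructed "normal" and "attack" samples; real feature extraction from traffic is outside its scope.

```python
"""Negative selection over a bounded gene library (added illustration).

Activity records are packed into 16-bit strings. All samples, the feature
set and the matching threshold R are constructed assumptions for this demo.
"""
import random
from collections import Counter

BITS_PER_FIELD = 4
FIELDS = 4          # assumed features: (protocol, port class, size class, flag count)
WIDTH = BITS_PER_FIELD * FIELDS
R = 6               # assumed r-contiguous matching threshold


def encode(record):
    """Pack a tuple of small ints (each < 16) into one 16-bit string."""
    assert len(record) == FIELDS and all(0 <= v < 2 ** BITS_PER_FIELD for v in record)
    return "".join(format(v, f"0{BITS_PER_FIELD}b") for v in record)


def r_contiguous_match(a, b, r):
    """True if a and b agree on at least r consecutive bit positions."""
    run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        if run >= r:
            return True
    return False


class GeneLibrary:
    """Bounded store of 'genes' (patterns of previously detected anomalies).
    When it is full, only the most frequently recorded genes are kept."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.counts = Counter()

    def record(self, gene):
        self.counts[gene] += 1

    def top(self):
        return [g for g, _ in self.counts.most_common(self.capacity)]


def generate_pre_detectors(library, rng, n_random, mutations_per_gene=2):
    """Pre-detectors: library genes, a few one-bit mutations of each, and
    purely random bit strings (the 'random genes' of the second stage)."""
    cands = []
    for gene in library.top():
        cands.append(gene)
        for _ in range(mutations_per_gene):
            pos = rng.randrange(WIDTH)
            flipped = "1" if gene[pos] == "0" else "0"
            cands.append(gene[:pos] + flipped + gene[pos + 1:])
    cands += ["".join(rng.choice("01") for _ in range(WIDTH)) for _ in range(n_random)]
    return cands


def negative_selection(self_set, pre_detectors, r):
    """Discard every pre-detector that matches any normal ('self') sample."""
    return [d for d in pre_detectors
            if not any(r_contiguous_match(d, s, r) for s in self_set)]


def is_anomalous(sample, detectors, r):
    """A sample is flagged when any surviving detector matches it."""
    return any(r_contiguous_match(d, sample, r) for d in detectors)


# Constructed normal traffic profile ("self") and two constructed attack samples.
SELF_SET = [encode(t) for t in [(0, 1, 2, 1), (0, 1, 3, 1), (1, 2, 2, 0), (0, 2, 1, 1)]]
KNOWN_ATTACK = encode((15, 15, 0, 15))    # gene recorded from an earlier detection
VARIANT_ATTACK = encode((15, 15, 0, 14))  # modified form of the same attack


def build_detectors(seed=7, n_random=200):
    """Seed the library with the known gene, generate pre-detectors, apply
    negative selection, and return the detector set to distribute to nodes."""
    library = GeneLibrary(capacity=8)
    library.record(KNOWN_ATTACK)
    rng = random.Random(seed)
    return negative_selection(SELF_SET, generate_pre_detectors(library, rng, n_random), R)


if __name__ == "__main__":
    dets = build_detectors()
    print(len(dets), "detectors survived negative selection")
    for s in SELF_SET:
        print("normal ", s, is_anomalous(s, dets, R))
    print("known  ", KNOWN_ATTACK, is_anomalous(KNOWN_ATTACK, dets, R))
    print("variant", VARIANT_ATTACK, is_anomalous(VARIANT_ATTACK, dets, R))
```

Two properties are worth checking on any such detector set: by construction no survivor of negative selection can ever flag a sample from the self set (so false positives on the training profile are zero), and a detector seeded from a library gene also flags one-bit variants of that gene, which is the mechanism by which the text claims modified attacks are caught. The trade-off a practitioner should keep in mind is that a self set which is too small or unrepresentative makes negative selection too permissive, so the quality of the "normal" profile bounds the false-positive rate in production.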

 

The main advantage of AIS is the ability to detect new types of attacks by identifying network anomalies. Unlike the neural approach or methods based on genetic algorithms, the AIS takes the necessary decisions on the basis of results obtained by directly calculating a system of differential equations, which significantly reduces reaction time and improves the accuracy of attack detection.