
Network Intrusion Detections

The Network Intrusion Detection (NID) system developed at UNM is designed to detect network attacks by monitoring and analysing the network traffic. The system developed for detecting intrusions is also named LISYS, which stands for LIghtweight intrusion detection SYStem.

Normally, NID applications use signatures to detect intrusions. The signatures are extracted from known attacks by human experts and are constantly added to the NID's database as updates. NID systems use the signatures to detect possible intrusions and stop them by rejecting or refusing the malicious network traffic. Other NID systems detect abnormal behaviour using statistical analysis.

The basic idea in LISYS is to train the system on normal network traffic, known as self, through a period of time. After training, the system is able to detect all kinds of abnormal behaviour, known as nonself, which it was not exposed to during the training period. Instead of rejecting the network traffic as other NID systems do, LISYS notifies a human operator, who decides whether or not the abnormal behaviour is an intrusion attempt and which kind of action to take against the abnormal network traffic.

The structure of LISYS is built from another system called ARTIS, ARTificial Immune System, also designed by the researchers from UNM. The ARTIS system models most of the components and techniques of the biological immune system and could be used in a lot of different applications. We will therefore briefly describe ARTIS in a separate section before describing the LISYS system.


4.2.1 ARTIS

In ARTIS the detectors of the lymphocytes are modelled as binary strings. A detector contains the state of the lymphocyte, which is either immature, mature, or memory. The detector also contains an indication of whether it is activated or not, when it was last activated, and how many matches it has accumulated. Finally, the detector contains a randomly generated binary string which represents the regions on the lymphocyte that bind to foreign substances.

ARTIS models the distributed environment of the biological immune system by placing the detectors in a graph of vertices. Each vertex can contain several detectors, and the detectors can migrate from one vertex to another. To model the local environment of the biological immune system, each detector is only able to interact with the other detectors in the same vertex.

To match foreign substances they use a matching rule called r-contiguous-bits, which simply determines the maximum number of contiguous bits that two bit sequences have in common. The matching rule is described in more detail in section 5.7.2 on page 55.

To train the system on normal behaviour, the receptors are generated randomly, so they could bind to either self or nonself. Afterwards the receptors are exposed to self. Those receptors which bind (match) to the set of self are killed in a process known as negative selection. The receptors that survive this process change their state from immature to mature and are now only able to bind (match) with nonself.

To model the survival stimulation from the local environment, each detector has a probability p_death of dying once it has reached the mature state. If the receptor dies it is replaced by a new randomly generated receptor, which again is exposed to the set of self and undergoes the process of negative selection.

Generally, all receptors which die are replaced by new randomly generated receptors. This enables the system to keep a constant number of receptors, just like the biological immune system, which keeps a constant number of lymphocytes.

When a matured receptor matches a foreign substance, its match count is increased by some value, and when the match count exceeds an activation threshold the receptor becomes activated. When activated, the receptor has the possibility of advancing into a memory detector, but to keep the number of memory detectors constant, only a small fraction of the activated detectors become memory detectors; all others die. If the maximum number of memory detectors is reached, the least recently activated memory detector is replaced by the new one. In this way the ARTIS system is able to model the feature known as immunological memory in the biological immune system.

When a mature detector gets activated it notifies the human operator of the system to indicate that it has detected some abnormal behaviour. The human operator is then able to take the appropriate action against the abnormal behaviour and can eliminate the threat which caused the detectors to get activated.

4.2.2 LISYS

In the LISYS system the researchers have decided to monitor only TCP/IP network traffic; the sets of self and nonself are therefore represented by binary strings containing information on the TCP/IP network traffic. The representation of the TCP/IP traffic contains only information about the network connection and not the actual data. The representation of a network connection consists of a single 49-bit string containing the source IP address, the destination IP address, and the TCP service or port.

Self is then defined as the set of network connections normally observed in the training period, and nonself as the set of connections not normally observed in the network traffic. To model the distributed environment, given as a graph with vertices in ARTIS, each vertex corresponds to a computer in a LAN, and the network connecting the computers corresponds to the graph. The local environment is modelled by a detector node that holds several detectors at the same time. It is assumed that the network is a broadcast network, such that every computer sees every packet passing through it.

To summarise, LISYS implements most of the components and techniques given in ARTIS and uses network connections to represent the sets of self and nonself.
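The ARTIS detector life cycle described in section 4.2.1 (r-contiguous-bits matching, negative selection against self, death and replacement with probability p_death, and activation once a match count reaches a threshold) and the LISYS connection representation from this section are easiest to see together in code. The following is an added example written for this text; it is not code from the thesis or from UNM's ARTIS/LISYS implementation. The page only gives the total length of the connection string (49 bits), so the field layout used here (8 bits local host byte, 32 bits remote IPv4 address, 8 bits service index, 1 bit direction) is an assumption, as are the values of r, the activation threshold and p_death. Memory detectors are not modelled.

```python
"""Toy model of ARTIS detectors over LISYS-style 49-bit connection strings.

Added example, not code from the thesis or from UNM's ARTIS/LISYS. The field
layout, r, the activation threshold and p_death below are all assumptions.
"""
import ipaddress
import random

BITS = 49
R_CONTIGUOUS = 12          # assumed r for the r-contiguous-bits rule
ACTIVATION_THRESHOLD = 3   # assumed number of matches before a detector activates
P_DEATH = 0.05             # assumed death probability for a mature detector per round
SERVICE_INDEX = {22: 1, 25: 2, 80: 3, 443: 4}   # assumed 8-bit service table


def encode_connection(local_byte, remote_ip, port, outgoing):
    """Assumed layout: 8 bits local host | 32 bits remote IPv4 | 8 bits service | 1 bit direction."""
    remote = int(ipaddress.IPv4Address(remote_ip))
    service = SERVICE_INDEX.get(port, 255)       # 255 = "other service" (assumed)
    return f"{local_byte:08b}{remote:032b}{service:08b}{1 if outgoing else 0}"


def longest_common_run(a, b):
    """Longest run of consecutive positions where a and b carry the same bit."""
    best = run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        best = max(best, run)
    return best


def matches(detector_bits, string, r=R_CONTIGUOUS):
    """r-contiguous-bits rule: the strings match iff at least r contiguous bits agree."""
    return longest_common_run(detector_bits, string) >= r


class Detector:
    """One ARTIS detector: bit string, state, activation flag, timestamp, match count."""
    def __init__(self, bits):
        self.bits = bits
        self.state = "immature"       # immature -> mature (memory not modelled here)
        self.activated = False
        self.last_activated = None
        self.match_count = 0


def negative_selection(candidates, self_set, r=R_CONTIGUOUS):
    """Kill immature detectors that match any self string; the survivors mature."""
    survivors = []
    for d in candidates:
        if not any(matches(d.bits, s, r) for s in self_set):
            d.state = "mature"
            survivors.append(d)
    return survivors


def build_repertoire(self_set, n, rng=None, r=R_CONTIGUOUS):
    """Generate random detectors until n of them have survived negative selection."""
    rng = rng or random.Random(0)
    mature = []
    while len(mature) < n:
        candidate = Detector("".join(rng.choice("01") for _ in range(BITS)))
        mature += negative_selection([candidate], self_set, r)
    return mature


def observe(detectors, connection, tick, threshold=ACTIVATION_THRESHOLD, r=R_CONTIGUOUS):
    """Present one connection string to a detector node; return detectors activating now."""
    newly_activated = []
    for d in detectors:
        if d.state == "immature" or not matches(d.bits, connection, r):
            continue
        d.match_count += 1
        if d.match_count >= threshold and not d.activated:
            d.activated = True
            d.last_activated = tick
            newly_activated.append(d)     # here LISYS would notify the human operator
    return newly_activated


def cull_and_replace(detectors, self_set, rng=None, p_death=P_DEATH, r=R_CONTIGUOUS):
    """Each mature detector dies with probability p_death and is replaced by a new
    random detector that has passed negative selection, keeping the count constant."""
    rng = rng or random.Random(0)
    kept = []
    for d in detectors:
        if d.state == "mature" and rng.random() < p_death:
            kept += build_repertoire(self_set, 1, rng, r)
        else:
            kept.append(d)
    return kept


if __name__ == "__main__":
    rng = random.Random(1)
    # Constructed "normal traffic": web and mail connections from two local hosts.
    self_set = {encode_connection(h, ip, p, True)
                for h in (10, 11) for ip in ("93.184.216.34", "198.51.100.7")
                for p in (80, 443, 25)}
    detectors = build_repertoire(self_set, 200, rng)
    # Constructed nonself: repeated connections to an unseen host and service.
    probe = encode_connection(10, "203.0.113.9", 23, True)
    for tick in range(ACTIVATION_THRESHOLD):
        alerts = observe(detectors, probe, tick)
    print(f"{len(alerts)} detector(s) activated on the probe")
    print(len(cull_and_replace(detectors, self_set, rng)), "detectors after one death/replacement round")
```

Because a detector that matches a connection once matches it every time it is presented, the activation threshold acts as a simple repetition filter: a single odd connection never raises an alert, repeated ones do. This is also why, with only 2^49 possible strings and a small r, random detectors cover nonself only probabilistically, which is the reason LISYS runs many detectors per node.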

4.2.3 Results

LISYS was tested using data collected from 50 computers at the Computer Science Department of the New Mexico University. Over a period of 50 days, more than 2.3 million TCP/IP connections were collected, resulting in 3900 unique connections representing the self set. The system was then trained on the self set and afterwards exposed to seven different intrusion attempts. The intrusion attempts consisted of IP address probing and different kinds of port scanning.

To summarise, the system was able to detect all seven intrusions, and the average number of false positives generated by the system over 20 days was 1.76 per day, which is quite good for a NID system [11, p. 18].

For more information on UNM’s ARTIS and LISYS system we refer to [11] and [12]. For more general information about UNM’s computer immune systems we refer to [13–19].


Chapter 5

Modelling a Computer Immune System

When modelling a computer immune system we take the immune system of the human body as our reference. We try to imitate some of its components and mechanisms, hoping to build a system that will be able to make computer systems more secure and robust.

A computer immune system could be used for a lot of different kinds of applications when making computer systems more secure and robust. The system could for instance be used in virus detection, network intrusion detection and other kinds of change detection systems. We will therefore try to model the system at such a high level of abstraction that different kinds of applications could be built from the design.

In this chapter we describe how the most important components and mechanisms of the immune system could be modelled in a computer. This chapter is by no means an instruction in how computer immune systems should be designed; it only suggests how the most important components and techniques could be modelled. When designing and building a computer immune system, not all components and techniques of the biological immune system are useful, and some elements might even be used in a completely different way than in the biological immune system. The goal is often not to model the complete biological immune system, but rather to make smarter and better applications with inspiration from the biological immune system.

The chapter starts out by looking at the different layers of defence that the immune system consists of. After this we discuss some limitations and briefly specify what kind of functionality is needed in such a system. Then we go into more detail on some of the components of the immune system: here we discuss how we could represent the huge number of cells, model the circulation of the cells, and what self and nonself are in the context of a computer. Finally, we discuss the recognition done by the lymphocytes, different kinds of loose matching, elements needed to model lymphocytes, and how stimulation from the environment could be modelled in a computer system.