Nội dung

MINISTRY OF EDUCATION AND TRAINING VIETNAM ACADEMY OF SCIENCE AND TECHNOLOGY GRADUATE UNIVERSITY OF SCIENCE AND TECHNOLOGY NGUYEN VAN TRUONG IMPROVING SOME ARTIFICIAL IMMUNE ALGORITHMS FOR NETWORK INTRUSION DETECTION Major: Mathematical foundations for Informatics Code: 62 46 01 10 SUMMARY OF THE DOCTORAL THESIS OF MATHEMATICS Hanoi – 2019 Thesis is completed at: Graduate University of Science and Technology Vietnam Academy of Science and Technology. Supervisors: 1. Assoc. Prof., Dr. Nguyen Xuan Hoai 2. Assoc. Prof., Dr. Luong Chi Mai Review 1: Review 2: Review 3: The thesis will be defended, meeting at: Graduate University of Science and Technology - Vietnam Academy of Science and Technology. At: Thesis can be found at the library: - National Library of Vietnam - Library of Graduate University Of Science And Technology 1 INTRODUCTION Motivation Internet users and computer networks are suffering from rapid increase in number of attacks. In order to keep them safe, there is a need for effective security monitoring systems, such as Intrusion Detection Systems (IDS). However, intrusion detection has to face a number of different problems such as huge network traffic volumes, highly imbalanced data distribution, the difficulty to realize decision boundaries between normal and abnormal behavior, and a requirement for continuous adaptation to a constantly changing environment. As a result, many researchers have attempted to use different type of approaches to build reliable intrusion detection system. One of the promising computational intelligence methods for intrusion detection that have emerged recently are artificial immune systems (AIS) inspired by the biological immune system. Negative selection algorithm (NSA) of AIS, is widely used for intrusion detection systems (IDS). Despite its successful application, NSA has some weaknesses: 1-High false positive rate and/or false negative rate, 2-High training and/or testing time, 3-Exponential relationship between the size of the training data and the number of detectors possibly generated for testing, 4-Changeable definitions of ”normal data” and ”abnormal data” in dynamic network environment. To overcome these limitations, trends of recent works are to concentrate on complex structure of immune detectors, matching methods and hybrid NSAs. Objectives Since data representation is one of the factors that affect the training and testing time, a compact and complete detector generation algorithm is investigated. The thesis investigates optimal algorithms to generate detector set in AIS. They help to reduce both training time and detecting time of AIS-based IDSs. Also, it is regarded to propose and investigate an AIS-based IDS that can promptly detect attacks, either if they are known or never seen before. The proposed system makes use of AIS with statistics as analysis methods and flow-based network traffic as data source. Problem statements Since the NSA has four main limitations as listed in the first section, this thesis concentrates on three problems: 1. The first problem is to find compact representations of data. Objectives of this problem’s solution is not only to minimize memory storage but also to reduce testing time. 2. The second problem is to propose algorithms that can reduce training time and testing time in compared with all existing related algorithms. 3. The third problem is to improve detection performance with respect to reducing false 2 alarm rates while keeping detection rate and accuracy rate as high as possible. It is impossible to find an optimal algorithm that can reduce time and memory complexities with best detection performance. These aspects are always in conflict with each other. Thus, in each chapter, we will propose algorithms to solve each problem quite independently. The intrusion detection problem mentioned in this thesis can be informally stated as: Given a finite set S of network flows which labeled with self (normal) or nonself (abnormal). The objective is to build classifying models on S that can label an unlabeled network flow s. Outline of thesis Chapter 1 introduces the background knowledge necessary to discuss the algorithms proposed in following chapters. In Chapter 2, a combination of selection algorithms is presented. The technique reduces detectors storage generated in training phase. Testing time, an important measurement in IDS, will also be reduced as a direct consequence of a smaller memory complexity. Tree structure is used to improve time and memory complexities. A complete and nonredundant detector set is necessary to archive acceptable self and nonself coverage of classifiers. A selection algorithm to generate this type of detectors set is investigated in Chapter 3. Chapter 4 includes two selection algorithms for fast training phase. The optimal algorithms can generate a detectors set in linear time with respect to size of training data. In term of detection time, the first algorithm and the second one is linear and polynomial, respectively. Chapter 5 mainly introduces a hybrid approach of positive selection algorithm with statistics. Frequencies of self and nonself data contained in leaves of tree-based detectors play an important role in improving performance of the proposed algorithms. The hybrid approach came as a new positive selection algorithm for two-class classification that can be trained with samples from both self and nonself data types. 3 Chapter 1 BACKGROUND 1.1 Human immune system Our human immune system has a multi-layered protection architecture, including physical barriers, physiological barriers, an innate immune system, and an adaptive immune system. The adaptive immune system is capable of adaptively recognizing specific types of pathogens, and memorizing them for accelerated future responses. It is the main inspiration for AISs. 1.2 Selection algorithms Negative selection approaches are based on self-nonself discrimination in biology system. This property makes it attractive for computer and network security researchers. A survey show that in six year 2008-2013, NSA predominate all the other models of AIS in term of published papers in both network security and anomaly detection. 1.2.1 Negative Selection Algorithms A typical NSA comprises of two phases: detector generation and detection. In the detector generation phase, the detector candidates are generated by some random processes and censored by matching them against given self samples taken from a set S (representing the system components). The candidates that match any element of S are eliminated and the rest are kept and stored in the detector set D. 1.2.2 Positive Selection Algorithms A PSA contains two phases: detector generation and detection. In the detector generation phase, the detector candidates are generated by some random processes and matched against the given self sample set S. The candidates that do not match any element in S are eliminated and the rest are kept and stored in the detector set D. In the detection phase, the collection of detectors are used to distinguish self from non-self. If incoming data instance matches any detector, it is claimed as self. 1.3 Basic terms and definitions 1.3.1 Strings, substrings and languages An alphabet Σ is nonempty and finite set of symbols. A string s ∈ Σ∗ is a sequence of symbols from Σ, and its length is denoted by |s|. A string is called empty string if its length equals 0. 4 Given an index i ∈ {1, . . . , |s|}, then s[i] is the symbol at position i in s. Given two indices i and j, whenever j ≥ i, then s[i . . . j] is the substring of s with length j − i + 1 that starts at position i and whenever j < i, then s[i . . . j] is the empty string. If i = 1, then s[i . . . j] is a prefix of s and, if j = |s|, then s[i . . . j] is a suffix of s. For a proper prefix or suffix s0 of s, we have in addition |s0 | < |s|. Given a string s ∈ Σ` , another string d ∈ Σr with 1 ≤ r ≤ `, and an index i ∈ {1, . . . , ` − r + 1}, we say that d occurs in s at position i if s[i . . . i + r − 1] = d. Moreover, concatenation of two strings s and s0 is s + s0 . A set of strings S ⊆ Σ∗ is called a language. For two indices i and j, we define S[i . . . j] = {s[i . . . j]|s ∈ S}. 1.3.2 Prefix trees, prefix DAGs A prefix tree T is a rooted directed tree with edge labels from Σ where for all c ∈ Σ, every node has at most one outgoing edge labeled with c. For a string s, we write s ∈ T if there is a path from the root of T to a leaf such that s is the concatenation of the labels on this path. The language L(T ) described by T is defined as the set of all strings that have a nonempty prefix s ∈ T . Trees for self dataset and nonself dataset are called positive trees and negative trees, respectively. A prefix DAG D is a directed acyclic graph with edge labels from Σ, where again for all c ∈ Σ, every node has at most one outgoing edge labeled with c. Similar to prefix trees, the terms root and leaf used to refer to a node without incoming and outgoing edges, respectively. We write s ∈ D if there is a path from a root node to a leaf node in D that is labeled by s. Given n ∈ D, the language L(D, n) contains all strings that have a nonempty prefix that labels a path from n to some leaf. Moreover, we define L(D) = ∪n is a root of D L(D, n). A prefix DAG can be turned into a finite automaton to decide the membership of strings in languages. 1.3.3 Detectors Given an alphabet Σ is nonempty and finite set of symbols, positive and negative r-chunk detectors, r-contiguous detectors, rcbvl-detectors could be defined as follows: Definition 1.1. Given a self set S ⊆ Σ` , a tuple (d, i) of a string d ∈ Σr , where r ≤ `, and an index i ∈ {1, ..., ` − r + 1} is a positive r-chunk detector if there exists a s ∈ S such that d occurs in s. Definition 1.2. Given a self set S ⊆ Σ` , a tuple (d, i) of a string d ∈ Σr , r ≤ `, and an index i ∈ {1, ..., ` − r + 1} is a negative r-chunk detector if d does not occurs any s ∈ S. Example 1.1. Let ` = 6, r = 3. Given a set of five self strings S = {s1 = 010101, s2 = 111010, s3 = 101101, s4 = 100011, s5 = 010111}. The set of some positive r-chunk detectors is {(010,1), (111,1), (101,2), (110,2), (010,3), (101,3), (101,4), (010,4), (111,4))}. The set 5 of some negative r-chunk detectors is {(000,1), (001,1), (011,1), (001,2), (010,2), (100,2), (000,3), (100,3), (000,4), (001,4), (100,4)}. Definition 1.3. Given a self set S ⊆ Σ` , a string d ∈ Σ` is a r-contiguous detector if d[i, . . . , i+ r − 1] does not occurs any s ∈ S for all i ∈ {1, ..., ` − r + 1}. Example 1.2. Let ` = 5, r = 3. Given a set of 7 self strings S = {s1 = 01111, s2 = 00111, s3 = 10000, s4 = 10001, s5 = 10010, s6 = 10110, s7 = 11111}. The set of all 3-contiguous detectors is {01011, 11011}. We also use the following notations: • Dpi = {(d, i)|(d, i) is a positive r-chunk detector} is set of all positive r-chunk detectors at position i, i = 1, . . . , ` − r + 1. • Dni = {(d, i)|(d, i) is a negative r-chunk detector} is set of all negative r-chunk detectors at position i, i = 1, . . . , ` − r + 1. • CHU N Kp (S, r) = ∪`−r+1 i=1 Dpi is set of all positive r-chunk detectors. • CHU N K(S, r) = ∪`−r+1 i=1 Dni is set of all negative r-chunk detectors. • CONT(S, r) is the set of all r-contiguous detectors that do not match any string in S. • For a given detectors set X, L(X) is the set of all nonself strings detected by X. We also say that Σ` \ L(X) is the set of all self strings detected by X. Definition 1.4. Given a self set S ⊆ Σ` . A triple (d, i, j) of a string d ∈ Σk , 1 ≤ k ≤ `, an index i ∈ {1, ..., ` − r + 1} and an index j ∈ {i, ..., ` − r + 1} is called a negative detector under rcbvl matching rule if d does not occur in any s, s ∈ S. To combine PSA and NSA in a unified framework, we have to change the original semantic of positive selection in the detection phase as follows. Definition 1.5. If new instance matches ` − r + 1 positive r-chunk detectors (dij , i), i = 1, . . . , ` − r + 1, it is claimed as self, otherwise it is claimed as nonself. With this new detection semantic, the following proposition on the equivalence of detection coverage of r-chunk type PSA and NSA could be stated. Theorem 1.1 (Detection Coverage). The detection coverage of positive and negative selection algorithms coincide. L(CHU N Kp (S, r)) = L(CHU N K(S, r)) 6 1.3.4 Ring representation of data With reference to string-based detectors set, a simple technique for this approach is to concatenate each string representing a detector with its fist k symbols. Each new linear string is a ring representation of its original binary one. Given a set of strings S ⊂ Σ` , a set Sr ⊂ Σ`+r−1 includes ring representations of all strings in S by concatenating each string s ∈ S with its fist r − 1 symbols. We can easily apply the idea of ring strings for other data representations in AIS. One way to do this, for instance, is to create ring representations of other structures such as trees, and automata, from set Sr instead of S as usual. 1.3.5 Frequency trees Given a set D of length-equaled strings, a tree T on D, noted TD , is a rooted directed tree with edge labels from Σ where for all c ∈ Σ, every node has at most one outgoing edge labeled with c. For a string s, we write s ∈ T if there is a path from the root of T to a leaf such that s is the concatenation of the labels on this path. Each leaf is associated with an integer number, that is frequency of string s ∈ D and s is the concatenation of the labels on the path ending by this leaf. We also use two concepts: self trees and nonself trees to present r-chunk detectors set for normal dataset and abnormal dataset, respectively. 1.4 Datasets We only concentrate on flow-based NIDSs because: 1 - It can detect some special attacks more efficient and faster than payload based one, since lesser information is needed to be analyzed; 2 - Flow-based anomaly detection methods process only packet headers and reduce data and processing time for high-speed detection on large networks. It can solve the scalability problem in condition of increasing network usage and load. 3 - Flow-based NIDSs decrease privacy issues in comparison with packet-based ones because of the absence of payload. The DARPA-Lincoln datasets: The DARPA-Lincoln datasets were collected by MITs Lincoln laboratory with the purpose of evaluating the performance of different intrusion detection methodologies. UT datasets: This data set was captured by monitoring a honeypot hosted in the University of Twente network. The dataset has three categories: malicious traffic, unknown traffic and side-effect traffic. Each flow in the datasets has 12 fields. Netflow datasets: This dataset focuses only on flows to a specific port and a IP address which receives the most number of attacks. It contains all 129,571 traffics (including attacks) to and from victims. 7 Chapter 2 COMBINATION OF NEGATIVE SELECTION AND POSITIVE SELECTION 2.1 New Positive-Negative Selection Algorithm Our algorithm first constructs ` − r + 1 binary trees (called positive trees) corresponding to ` − r + 1 positive r-chunk detector set Dpi , i = 1, . . . , ` − r + 1. Then, all complete subtrees of these trees are removed to achieve a compact representation of the positive r-chunk detector set while maintaining the detection coverage. Finally, for every ith positive trees, we decide whether or not it should be converted to the negative tree, which covers the negative r-chunk detector set Dni . The decision depends on which tree is more compact. When this process is done, we have ` − r + 1 compact binary trees that some of them represent positive r-chunk detectors and the others represent negative ones. The r-chunk matching rule on binary trees is implemented as follows: a given sample s matches the positive (negative) tree ith if s[i . . . i + k] is a path from the root to a leaf, i = 1, . . . , ` − r + 1, k < r. The detection phase can be conducted by traveling the compact binary trees iteratively one by one: a sample s is claimed as non-self if it matches a negative tree or it does not match all positive trees, otherwise it is considered as self. From the description of DetectorGeneration, it is trivial to show that it takes |S|(` − r + 1).r steps to generate all necessary trees (detector generation time complexity) and (` − r + 1).r steps to verify a cell string as self or non-self in the worst case (worse-case detection time complexity). These time complexities are similar to the state-of-the-art NSAs (PSAs). Theorem 2.1. Given a self set S and an integer `, procedure DetectorGeneration produces the detector (binary) tree set that have at most total (` − r + 1).2r−2 less number of nodes in comparison to the detector tree set created by a PSA or NSA only, where r ∈ {2, . . . , ` − r + 1}. 8 Algorithm 2.1 Detector Generation Algorithm. 1: procedure DetectorGeneration(S, r, T ) Input: A set of self strings S ⊆ Σ` , a matching threshold r ∈ {1, . . . , `}. Output: A set T of ` − r + 1 prefix trees presenting all r-chunk detectors. 2: T =∅ 3: for i = 1, ..., ` − r + 1 do 4: create an empty prefix tree Ti 5: for all s ∈ S do 6: insert every s[i . . . i + r − 1] into Ti 7: for all internal node n ∈ Ti do 8: if n is root of complete binary subtree then 9: delete this subtree 10: if (number of leaves of Ti ) > (number of nodes of Ti that have only one child) then 11: for all internal node ∈ Ti do 12: if it has only one child then 13: if the child is a leaf then 14: delete the child 15: create the other child for it 16: mark Ti as a negative tree 17: T = T ∪ {Ti } Algorithm 2.2 Positive-Negative Selection Algorithm. 1: procedure PNSA(T , r, s) Input: A set T of ` − r + 1 prefix trees presenting all r-chunk detectors, a matching threshold r ∈ {1, . . . , `}, an unlabeled string s ∈ Σ` . Output: A label of s (as self or nonself). 2: f lag = true . A temporary boolean variable 3: i=1 4: while (i ≤ ` − r + 1) and (f lag = true) do 5: if (Ti is positive tree) and (s ∈ / Ti ) then 6: f lag = false 7: if (Ti is negative tree) and (s ∈ Ti ) then 8: f lag = false 9: i=i+1 10: if f lag = false then 11: output s is nonself 12: else 13: output s is self 2.2 Experiments Table 2.1 shows the results on detector memory storage and detection time of PNSA compared to one of the popular single NSAs on some combinations of S, ` and r. We have conducted another experiment by choosing ` = 40, |S| = 20,000 (S is the set of randomly generated binary strings of length `) and varying r (from 15 to 40). Then, `−r +1 trees were created using single NSA and other ` − r + 1 compact trees were created using PNSA. Next, both detector sets were used to detect every s ∈ S. Next experiment is conducted on Netflow dataset. Table 2.2