The thesis for the degree of Doctor of Philosophy in Mathematics: Improving some artificial immune algorithms for network intrusion detection

Format: PDF
Pages: 103
File size: 2 MB
Downloads: 56
Reads: 9
Rating: 4.2 (15 votes)
Preview: first 10 of 103 pages

Content

MINISTRY OF EDUCATION AND TRAINING
VIETNAMESE ACADEMY OF SCIENCE AND TECHNOLOGY
GRADUATE UNIVERSITY OF SCIENCE AND TECHNOLOGY

NGUYEN VAN TRUONG

IMPROVING SOME ARTIFICIAL IMMUNE ALGORITHMS FOR NETWORK INTRUSION DETECTION

THE THESIS FOR THE DEGREE OF DOCTOR OF PHILOSOPHY IN MATHEMATICS

Major: Mathematical foundations for Informatics
Code: 62 46 01 10

Scientific supervisors:
1. Assoc. Prof., Dr. Nguyen Xuan Hoai
2. Assoc. Prof., Dr. Luong Chi Mai

Hanoi - 2019

Acknowledgments

First of all, I would like to thank my principal supervisor, Assoc. Prof., Dr. Nguyen Xuan Hoai, for introducing me to the field of Artificial Immune Systems. He guides me step by step through research activities such as seminar presentations, paper writing, etc. His genius has been a constant source of help. I am intrigued by his constructive criticism throughout my PhD journey.

I wish also to thank my co-supervisor, Assoc. Prof., Dr. Luong Chi Mai. She is always very enthusiastic in our discussions of promising research questions. It is a pleasure and a luxury for me to work with her. This thesis could not have been possible without my supervisors' support.

I gratefully acknowledge the support from the Institute of Information Technology, Vietnamese Academy of Science and Technology, and from Thai Nguyen University of Education. I thank the financial support from the National Foundation for Science and Technology Development (NAFOSTED) and the ASEAN-European Academic University Network (ASEA-UNINET).

I thank M.Sc. Vu Duc Quang, M.Sc. Trinh Van Ha and M.Sc. Pham Dinh Lam, my co-authors of published papers. I thank Assoc. Prof., Dr. Tran Quang Anh and Dr. Nguyen Quang Uy for many helpful insights for my research. I thank my colleagues, especially my cool labmate Mr. Nguyen Tran Dinh Long, in the IT Research & Development Center, HaNoi University.

Finally, I thank my family for their endless love and steady support.

Certificate of Originality

I hereby declare that this submission is my own work under my scientific supervisors, Assoc. Prof., Dr. Nguyen Xuan Hoai, and Assoc. Prof., Dr. Luong Chi Mai. I declare that it contains no material previously published or written by another person, except where due reference is made in the text of the thesis. In addition, I certify that all my co-authors allow me to present our work in this thesis.

Hanoi, 2019
PhD student
Nguyen Van Truong

Contents

List of Figures ... v
List of Tables ... vii
Notation and Abbreviation ... viii
INTRODUCTION ... 1
  Motivation ... 1
  Objectives ... 2
  Problem statements ... 2
  Outline of thesis ... 3
1 BACKGROUND ... 5
  1.1 Detection of Network Anomalies ... 5
    1.1.1 Host-Based IDS ... 6
    1.1.2 Network-Based IDS ... 6
    1.1.3 Methods ... 7
    1.1.4 Tools ... 8
  1.2 A brief overview of human immune system ... 8
  1.3 AIS for IDS ... 10
    1.3.1 AIS model for IDS ... 10
    1.3.2 AIS features for IDS ... 11
  1.4 Selection algorithms ... 12
    1.4.1 Negative Selection Algorithms ... 12
    1.4.2 Positive Selection Algorithms ... 15
  1.5 Basic terms and definitions ... 16
    1.5.1 Strings, substrings and languages ... 16
    1.5.2 Prefix trees, prefix DAGs and automata ... 17
    1.5.3 Detectors ... 18
    1.5.4 Detection in r-chunk detector-based positive selection ... 20
    1.5.5 Holes ... 21
    1.5.6 Performance metrics ... 22
    1.5.7 Ring representation of data ... 23
    1.5.8 Frequency trees ... 25
  1.6 Datasets ... 26
    1.6.1 The DARPA-Lincoln datasets ... 27
    1.6.2 UT dataset ... 27
    1.6.3 Netflow dataset ... 28
    1.6.4 Discussions ... 28
  1.7 Summary ... 29
2 COMBINATION OF NEGATIVE SELECTION AND POSITIVE SELECTION ... 30
  2.1 Introduction ... 30
  2.2 Related works ... 31
  2.3 New Positive-Negative Selection Algorithm ... 31
  2.4 Experiments ... 39
  2.5 Summary ... 40
3 GENERATION OF COMPACT DETECTOR SET ... 43
  3.1 Introduction ... 43
  3.2 Related works ... 44
  3.3 New negative selection algorithm ... 45
    3.3.1 Detectors set generation under rcbvl matching rule ... 45
    3.3.2 Detection under rcbvl matching rule ... 48
  3.4 Experiments ... 48
  3.5 Summary ... 49
4 FAST SELECTION ALGORITHMS ... 51
  4.1 Introduction ... 51
  4.2 Related works ... 52
  4.3 A fast negative selection algorithm based on r-chunk detector ... 52
  4.4 A fast negative selection algorithm based on r-contiguous detector ... 57
  4.5 Experiments ... 62
  4.6 Summary ... 65
5 APPLYING HYBRID ARTIFICIAL IMMUNE SYSTEM FOR NETWORK SECURITY ... 66
  5.1 Introduction ... 66
  5.2 Related works ... 67
  5.3 Hybrid positive selection algorithm with chunk detectors ... 69
  5.4 Experiments ... 70
    5.4.1 Datasets ... 71
    5.4.2 Data preprocessing ... 71
    5.4.3 Performance metrics and parameters ... 72
    5.4.4 Performance ... 73
  5.5 Summary ... 76
CONCLUSIONS ... 78
  Contributions of this thesis ... 78
  Future works ... 79
  Published works ... 80
BIBLIOGRAPHY ... 81

List of Figures

1.1 Classification of anomaly-based intrusion detection methods ... 7
1.2 Multi-layered protection and elimination architecture ... 9
1.3 Multi-layer AIS model for IDS ... 10
1.4 Outline of a typical negative selection algorithm ... 13
1.5 Outline of a typical positive selection algorithm ... 15
1.6 Example of a prefix tree and a prefix DAG ... 18
1.7 Existence of holes ... 22
1.8 Negative selections with 3-chunk and 3-contiguous detectors ... 23
1.9 A simple ring-based representation (b) of a string (a) ... 25
1.10 Frequency trees for all 3-chunk detectors ... 26
2.1 Binary tree representation of the detectors set generated from S ... 33
2.2 Conversion of a positive tree to a negative one ... 33
2.3 Diagram of the Detector Generation Algorithm ... 35
2.4 Diagram of the Positive-Negative Selection Algorithm ... 37
2.5 One node is reduced in a tree: a compact positive tree has 4 nodes (a) and its conversion (a negative tree) has 3 nodes (b) ... 38
2.6 Detection time of NSA and PNSA ... 40
2.7 Nodes reduction on trees created by PNSA on Netflow dataset ... 41
2.8 Comparison of nodes reduction on Spambase dataset ... 41
3.1 Diagram of an algorithm to generate perfect rcbvl detectors set ... 47
4.1 Diagram of the algorithm to generate positive r-chunk detectors set ... 55
4.2 A prefix DAG G and an automaton M ... 57
4.3 Diagram of the algorithm to generate negative r-contiguous detectors set ... 61
4.4 An automaton represents 3-contiguous detectors set ... 62
4.5 Comparison of ratios of runtime of r-chunk detector-based NSA to runtime of Chunk-NSA ... 63
4.6 Comparison of ratios of runtime of r-contiguous detector-based NSA to runtime of Cont-NSA ... 64