《Immune System Metaphors Applied to Intrusion Detection and :免疫系统应用于入侵检测和隐喻》由会员分享,可在线阅读,更多相关《Immune System Metaphors Applied to Intrusion Detection and :免疫系统应用于入侵检测和隐喻(29页珍藏版)》请在金锄头文库上搜索。
1、Immune System Metaphors Applied to Intrusion Detection and Related Problemsby Ian Nunn, SCS, Carleton University Overview of Presentation Review of immune system properties of most interest Algorithm design and the representation of application domains Examples of two recognition algorithms Overview
2、 of application areas Focus on intrusion detection systems (IDS) Advantages of IS models and future research The IS model as a swarm systemImmune System Characteristics of Interest The human immune system (IS) is a system of detectors (principally B and T cells) that: After initial negative selectio
3、n (tolerization), does not recognize elements of the body (self) Is adaptable in that it can recognize over time, any foreign element (non-self) including those never before encountered Remembers previous foreign element encounters Dynamically regenerates its elements Regulates the population size a
4、nd diversity of its elements Is robust to input signal noise (recognition region) and detector loss Is distributed in nature with no central or hierarchical control Is error tolerant in that self recognition does not halt the system Is self-protecting since it is part of selfRepresentation of Self/N
5、on-Self IS elements involved are cellular proteins and their peptide sequences Recognition is based on matching of structural regions called epitopes on antigens and paratopes on antibodies Shape space model: a parameterized representation (genotype) of the conformational form of self/non- self elem
6、ents (phenotype)IS Application Algorithm Design Requires a deep understanding of the problem domain Self/non-self discrimination the fundamental IS principle Steps in designing an IS algorithm: Identification of features allowing correct and complete self/non -self discrimination* Representation or
7、encoding of features, particularly of continuous real-valued parameters*. Ab and Ag feature strings of same length facilitate algorithm performance analysis Determination of a matching or fitness function. Important for evolution of Ab populations (affinity maturation) Selection of IS principles to
8、apply, e.g. negative selection, costimulation, affinity maturation, etc.* This is hard stuff and an important step in applying any modeling technique whether genetic algorithms or swarm simulations (recall for army ants the problem of deciding what parameters to assign to the ants and to the environ
9、ment and what values to allow).Approach to Feature Selection and Representation Antibodies and antigens represented by strings of features: The set of actual values observed such as sensor readings, voltages, ASCII text is called the applications phenotype The coded representation is called the appl
10、ications genotype A feature is encoded by symbols from a finite alphabet Some application feature domains: Binary variables: digital signals in computer systems Discrete real variables: ASCII character text Continuous real variables: real world sensors Continuous domains must be mapped onto discrete
11、 domains since we work with finite alphabets to ensure finite Ab/Ag population spacesPhenotype Representation: Change Detection Problem Domains OS (UNIX) processes: sequences of top level system calls Program execution: alphabet symbols represent op codes File system: reduction to ASCII or binary st
12、rings User behavior and interface use: keystrokes, mouse clicks Time series data representation of a physical (plant) processes: x/y position of a milling machine tool Memory accesses: memory address calls Local network traffic: TCP/IP packets: addresses, ports Network traffic through routers and ga
13、teways: TCP/IP packets, addresses, volumeIS Phenotype Encoding and Matching Using a Binary Model1 Genotype = Phenotype : 32 bit string on a binary alphabetMany matching (fitness) functions possible, e.g. for li a contiguous substring of l 1s in the complementary match (Hamming distance)Example: Use
14、of a Binary Model with a GA for Clonal Selection1 Start with randomly generated Ag and possibly incomplete Ab populations For each Ab in turn, compute its average match (fitness) with a random fixed-size Ag subpopulation Use a standard GA with mutation but no crossover to evolve successively better
15、generations of antibodies Niches observed to develop in coverage space for genetic commonalities (bacterial polysaccaride coating) if the initial populations have a bias Self recognition minimized (without negative selection) by selecting for more Ag specific instead of more general antibodies less
16、likely to match selfEstablishing Antibody FitnessRandom sub- populationGA Evolution of Antibodies1_ 1011010111110111Use of a Negative Selection Algorithm for Clonal Selection5,2 Want explicit self-filtering (tolerization) Algorithm: Generate the set S of self (sub)strings Generate a set R0 of random strings M
