Journal of Software - Academy Publisher

More documents

Recommendations

Info

806 JOURNAL OF SOFTWARE, VOL. 6, NO. 5, MAY 2011 Multilevel Network Security Monitoring and Evaluation Model Jin Yang Department of Computer Science/LeShan Normal Univ., LeShan, China Email:jinnyang@163.com Tang Liu College of Fundamental Education/Sichuan Normal Univ., Chengdu, China Email: 253960818@qq.com Lingxi Peng * Department of Computer and Education software/Guangzhou Univ., Guangzhou, China Email: bigluckboy@163.com XueJun Li, Gang Luo Department of Computer Science/LeShan Normal Univ., LeShan, China Email:279718518@qq.com Abstract—Based on the correspondence between the artificial immune system antibody and pathogen invasion intensity, this paper is to establish a real-time network risk evaluation model. According to the network intrusion own characteristics and the consequence from service, assets and attack, this paper design to build a hierarchical, quantitative measurement indicator system, and an unified evaluation information base and knowledge base. The paper also combines assets evaluation system and network integration evaluation system, considering from the application layer, the host layer, network layer may be factors that affect the network risks. The experimental results show that the new model improves the ability of intrusion detection and prevention than that of the traditional passive intrusion prevention systems. Index Terms—network security; artificial immune; intrusion detection I. INTRODUCTION The traditional network security approaches include virus detection, frangibility evaluation, and firewall etc, e.g., the Intrusion Detection System (IDS) [1]. They rely upon collecting and analyzing the viruses’ specimens or intrusion signatures with some traditional techniques [2]. Moreover, being lack of self-learning and self-adapting abilities, they can only prevent those known network intrusions, and can do nothing for those variety intrusions. Recent years, the artificial immune system has the * Corresponding author. This work is supported by the National Natural Science Foundation of China under Grant (No.61003310) and the Scientific Research Fund of Sichuan Provincial Education Department (No. 10ZB005). © 2011 ACADEMY PUBLISHER doi:10.4304/jsw.6.5.806-813 features of dynamic, self-adaptation and diversity [3-6] that just meet the constraints derived from the characteristics of the grid environment, and mobile agent has many same appealing properties as that of artificial immune system. Negative Selection Algorithm and the concept of computer immunity proposed by Forrest in 1994 [7-8]. In contrast, the AIS theory adaptively generates new immune cells so that it is able to detect previously unknown and rapidly evolving harmful antigens [9]. However, much theoretical groundwork in immunological computation has been taken up, but there is a lack of perfectly systems based AIS of dynamical immunological surveillance for network security. Based on the correspondence between the artificial immune system antibody in the artificial immune systems and pathogen invasion intensity, this paper is to establish a network risk evaluation model. According to the network intrusion own characteristics and the consequence from service, assets and attack, we design to built a hierarchical, quantitative measurement indicator system, and an unified evaluation information base and knowledge base. This model will help the network managers evaluate the possibility and the graveness degree of the network dangerous quickly, ease the pressure of recognition, to get targeted immediate defense strategy of the strength and risk level of the current network attacks. II. THE EVALUATION OF THE NETWORK DANGER The biological immune system can produce antibodies to resist pathogens through B cells distributing all over the human body. And T cells can regulate the antibody concentration. Simulating biological immune system, we place a certain amount of immune cells into the network, and perceive the surrounding environment. Simulating creatural immune system, we place a certain amount of
JOURNAL OF SOFTWARE, VOL. 6, NO. 5, MAY 2011 807 immune cells into the network, and perceive the surrounding environment of the detectors. As soon as the immune detectors detect an attack, the detectors begin clone and generate a mass of similar detectors in order to defend from fiercer network attacks and warn the dangerous level of the network [10]. While the network danger become abating, the corresponding numbers of antibodies will decrease at the same time. The detectors’ number and type reflect the attack’s intensity and type suffered by the network intrusion. In this model, the detectors can be categorized, according to the evolvement progress of the detectors themselves, into 3 types, viz. immature detectors, mature detectors and memory detectors, and the content will be expatiated in detail in the following. Figure 1. The Framework of danger-detecting in the NDEMAIS III. THE DYNAMICAL IMMUNOLOGICAL SURVEILLANCE MODEL BASED ON AIS A. The Definition of Antigen, Antibody, Self and Non-self l Definition: Antigens ( Ag , Ag ⊂ U , D = { 0, 1} ) are fixed-length binary strings extracted from the Internet Protocol (IP) packets transferred in the network. The antigen consists of the source and destination IP addresses, port number, protocol type, IP flags, IP overall packet length, TCP/UDP/ICMP fields [11-12], etc. The structure of an antibody is the same as that of an antigen. For virus detection, the nonself set (Nonself) represents IP packets from a computer network attack, while the self set (Self) is normal sanctioned network service transactions and nonmalicious background clutter. Set Ag contains two subsets, Self ⊆ Ag and Nonself ⊆ Ag such that Self ∪ Nonself = Ag and Self ∩ Nonself = Φ . (1) B. The Dynamic Equations of the Mature Detectors Tb = { x | x ∈ B, ∀y ∈ Self ( < x. d, y >∉ Match ∧ x. count < β)} (2) © 2011 ACADEMY PUBLISHER T ( t) = T ( 0) = 0, t = 0 (3) T ( t + Δt) = T ( t) + Tnew ( Δt) −Tmatch _ self ( Δt) −Tdead ( Δt) −Tactive ( Δt) T . age( t + Δt) = T. age( t) + 1, when T. age( t + Δt) < λ (5) ∂Tmatch _ self Tmatch _ self ( t + Δt) = T ( t), ∂xmatch _ self when f match ( T ( t −1), Self ( t −1)) = 1 (4) (6) T . count( t + Δt) = T. count( t) + 1 (7) ∂Tactive Tactive ( Δ t) = ⋅ Δt, when T. count( t + Δt) ≥ β (8) ∂x active ∂Tdeath Tdead ( Δt) = ⋅ Δt, ∂xdeath when T. count( t + Δt) < β , andT. count > λ ∂Tactive ⋅ Δt = I maturatiio n ( t), T. ρ( Δt) = 0, ∂xactive when I. age( t) > α (9) (10) Equation (4) depicts the lifecycle of the mature detector, simulating the process that the mature detectors evolve into the next generation. All mature detectors have a fixed lifecycle (λ). If a mature detector matches enough antigens ( ≥ β ) in its lifecycle, it will evolve to a memory detector. However, the detector will be eliminated and replaced by new generated mature detector if they do not match enough antigens in their lifecycle. Tnew (t) is the generation of new mature detector. Tdead (t) is the set of detector that haven’t match enough antigens ( ≤ β ) in lifecycle or classified self antigens as nonself at time t. T ( t + Δt) simulates that the mature detector undergo one step of evolution. Tdead (t) indicates that the mature detector are getting older. Tactive (t) is the set of the least recently used mature detector which degrade into Memory detector and be given a new age T > 0 and count β > 1. Because the degraded memory detector has better detection capability than mature detector, it is better to form a memory detector. When the same antigens arrive again, they will be detected immediately by the memory detector. In the mature detector lifecycle, the inefficient detectors on classifying antigens are killed through the process of clone selection. Therefore, the method can enhance detection efficiency when the abnormal network behaviors intrude the system again. In the course, λ is the threshold of the affinity for the activated detectors. The affinity function fmatch ( x, y) may be any kind of Hamming, Manhattan, Euclidean, and rcontinuous matching, etc. In this model, we take rcontinuous matching algorithm to compute the affinity of
Page 1 and 2:
Journal of Software ISSN 1796-217X
Page 3 and 4:
JOURNAL OF SOFTWARE, VOL. 6, NO. 5,
Page 5 and 6:
Page 7 and 8:
Page 9 and 10:
Page 11 and 12: JOURNAL OF SOFTWARE, VOL. 6, NO. 5,
Page 61: JOURNAL OF SOFTWARE, VOL. 6, NO. 5,
Page 82 and 83: 826 JOURNAL OF SOFTWARE, VOL. 6, NO
Page 113 and 114:
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
Page 125 and 126:
Page 127 and 128:
Page 129 and 130:
Page 131 and 132:
Page 133 and 134:
Page 135 and 136:
Page 137 and 138:
Page 139 and 140:
Page 141 and 142:
Page 143 and 144:
Page 145 and 146:
Page 147 and 148:
Page 149 and 150:
Page 151 and 152:
Page 153 and 154:
Page 155 and 156:
Page 157 and 158:
Page 159 and 160:
Page 161 and 162:
Page 163 and 164:
Page 165 and 166:
Page 167 and 168:
Page 169 and 170:
Page 171 and 172:
Page 173 and 174:
Page 175 and 176:
Page 177 and 178:
Page 179 and 180:
Page 181 and 182:
Page 183 and 184:
Page 185 and 186:
Page 187 and 188:
Page 189 and 190:
Page 191 and 192:
Page 193 and 194:
Page 195 and 196:
Page 197 and 198:
Page 199 and 200:
Page 201 and 202:
Page 203 and 204:
Page 205 and 206:
Page 207 and 208:
Aims and Scope. Call for Papers and
show all

Journal of Software - Academy Publisher

Create successful ePaper yourself

Delete template?

Save as template?