Detection of Network Attacks With Artificial Immune System

Introduction

Network security became more important because of increasing usage of internet and network technologies. Diversity of user profiles and increase of users have a big effect on network attacks. Various security policies are developed in the internal structures of institutions to protect the accessibility, integrity, and confidentiality of data against these security threats. These policies are supported by security applications that are important for the network system and can be software or hardware such as firewall and intrusion detection systems (IDS). IDS need a learning process to decide whether the activities occurring on the network are going to be attacked or not. Machine learning is a popular research area that aims to enable machines to make decisions on their own by adopting human learning tactics. There are many studies that apply different machine learning methodologies to detect network attacks in the literature. Nguyen and Choi (2008) used J48 for detection, Koc et al. (2012) used Hidden Naive Bayes Multiclass Classifier, Hosseinpour et al. (2014) benefited from artificial immune system (AIS), Dasgupta and González (2002) used niching technique with genetic algorithm (GA) for generate detector in AIS, and Gupta and Shrivastava (2015) implemented support vector machine (SVM) and bee colony together for anomaly detection. This study is based on AIS algorithms to detect the attacks. AIS has been inspired by the human immune system. This system has been investigated especially for being an effective methodology to detect virus, fraud and fault control (Dasgupta, 1998). Negative selection algorithm (NSA) is effective on categorizing attacks, therefore in this paper the focus will be on this point. NSA uses antigen and anticors' structures which exist within natural immune system. The attacks in a network are assumed as antigen and the self-cells are recognized in the learning process as anticors.

In the literature, the IDS studies are based on two different detection methods: Anomaly detection and the misuse detection. In misuse detection, events on the system are evaluated according to signatures based on the weak points of the system or security policies. Every attack defined on the system has a signature. Behaviors that are not within these signatures are called normal. There should be defined signature for new attacks and it should be introduced to these systems. The main problem with this method is that the new attack type will not be recognized. Whereas anomaly detection determines the behavior on the system as normal or abnormal. In general, the traffic on the network is monitored and an assessment is made according to the thresholds. The system is trained through normal and abnormal situations, then it is expected to make an evaluation for each new data.

There are limited numbers of papers involving IDS and AIS together. A concurrent study was designed with Particle Swarm Optimization (Tabatabaefar et al., 2017). The experimental results were given as the detection and performance measurement rates. There has not been a comparison with any machine learning algorithm. Another IDS study is based solely on regular AIS (Suliman et al., 2018). DoS and Probing attack classes were detected and the results for correctly predicted attacks were calculated. Another study in the literature (Igbe et al., 2017) presents a method to detect DoS/DDoS attacks by using the Dendritic Cell Algorithm involved in AIS algorithms. In this method, the network traffic features were gathered as a vector and then used to retrieve antigen and signals. The signals were processed to be distinguished into dangerous and safe categories. The output signal was determined as anomaly or normal according to the computational values of the antigens.