Research on Immunology-Based Intrusion Detection Systems (基于免疫学的入侵检测系统研究)
Abstract
Immune-based intrusion detection has been a hot research topic in the intrusion detection field in recent years; its distinguishing feature is the use of the principles, rules and mechanisms of the biological immune system to detect and respond to intrusions. Intrusion detection systems and the immune system are essentially similar: the immune system identifies the organism's Self and Nonself cells and eliminates abnormal cells, while an IDS distinguishes normal from abnormal behaviour patterns and takes appropriate measures to block intrusions into the system. This thesis carries out an in-depth study of the negative selection detection model of computer immunology and of intrusion detection applications based on that model.
    After introducing artificial immune systems and the immunological background, the thesis is the first to compare the positive and negative detection modes of artificial immune systems by combining theoretical analysis with simulation experiments. Both the theoretical analysis and the simulation results show that, when the Self sample set is very large, the negative detection mode offers a better cost/performance ratio. Network intrusion detection must process massive data streams, so the negative detection mode is well suited to immune-based IDS research.
    The thesis gives a comprehensive and systematic formal description of the negative selection detection model for the intrusion detection problem, explicitly proposes a definition of Self for intrusion detection, and analyses the coding representation of Self and its properties, including pattern distribution as well as detection rules and detection schemes. It analyses in depth the representation and properties of the detector set for the intrusion detection problem, including the size of the detector set and the number of generation retries, and the effect of incomplete training sets and multiple representations on the model.
    The algorithms for generating the initial detector set of the negative selection model are studied in depth and new generation algorithms are proposed. Drawing on results from evolutionary computation, the thesis proposes the rcb template method and the rcb greedy method for detector set generation and discusses the application of genetic algorithms to detector set generation. For the rch detection rule, the thesis is the first to propose an rch exhaustive generation algorithm together with an improved algorithm.
    Building on the generation algorithms, the detection holes under the rcb and rch detection rules are analysed. The thesis is the first to propose an algorithm for counting detection holes under the rcb detection rule, with reasonable time and space complexity. It also proposes an algorithm that directly decides whether a given Nonself pattern is a detection hole.
    After extending the negative selection detection model to the distributed setting, a multi-agent IDS framework based on immunological principles is proposed for intrusion detection and response on networked computers. The multi-agent detection system monitors the activity of networked computers at several levels simultaneously and can monitor the network in real time according to its parameter configuration.
    An immune-based intrusion detection system prototype, IIDS, was designed and implemented independently. IIDS is an immune-based anomaly network intrusion detection system that operates on a LAN and has a distributed architecture. It was tested with data sets collected in a real network environment. The test results show that IIDS detects intrusions against the network well and meets the design goals.
In recent years, immune-based intrusion detection has become a key research area in intrusion detection systems, exploring natural immunological theories, mechanisms and principles for detecting and reacting to intrusions. Information protection can be viewed generally as the problem of learning to distinguish self from nonself. An IDS should protect computers or networks from unauthorized intruders and malicious code, which is analogous to the immune system protecting the body (self) from invasion by inimical microbes (nonself). Supported by the National High Technology Research and Development Program (863 Program), the research topic of this thesis is the negative selection model and its application to intrusion detection.
    After a review of artificial immune systems and the basic immunological material necessary for this dissertation, the positive and negative detection approaches are compared, by both theoretical analysis and experiments. The conclusion is that the negative approach achieves better results at lower cost. As a great number of packets pass through a network IDS, the negative detection approach is the more feasible one for it.
    A comprehensive formalization and new analysis of the negative selection model are developed. The coding schemes of self and their characteristics are described in detail based on the definition of self, including pattern distribution, detection rule and detection scheme. Furthermore, the representation and functions of the detector set for intrusion detection are investigated, such as the size and the generation retries of the detector set. In addition, the effects of incomplete training sets and multiple representations on the model are also discussed.
    As the basis for studying detector generation in an IDS, several new algorithms are presented. Inspired by evolutionary computing, the thesis first analyzes the rcb template and rcb greedy algorithms. A genetic algorithm is also covered as a detector generation algorithm. For the rch detection rule, the rch exhaustive algorithm and its improvement are presented for the first time.
    Based on the detector generation rules, the detection holes under rcb and rch are analyzed. A new detection hole counting algorithm is developed, with sound time and space complexity. Moreover, a novel algorithm is presented that checks whether a given nonself pattern is a hole or not.
    After a discussion of the distributed negative selection model, an immune-based multi-agent system is introduced for protecting networked computers. The multi-agent detection system can simultaneously monitor the activities of computers at different levels in order to find intrusions. The proposed intrusion detection system is designed to perform real-time monitoring in accordance with the configured preferences.
    An immune-based IDS prototype, IIDS, is designed and implemented; it is an anomaly network IDS for LANs. IIDS is highly distributed and robust. IIDS is tested with data sets generated in a realistic context, and the experimental results demonstrate its effectiveness in detecting network attacks, as expected.
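As an added example (not the thesis's or the IIDS project's own code), the following Python sketch puts the negative selection model and the two detection-hole notions above into working form. It assumes that rcb denotes the r-contiguous-bits rule and rch the r-chunk rule, uses a constructed two-string Self set over length-6 binary strings, and enumerates detectors exhaustively, which is only feasible for such short strings.

```python
from itertools import product

# Constructed toy Self set (not from the thesis): length-6 strings, r = 3.
L, R = 6, 3
SELF_SET = {"001011", "101100"}


def rcb_match(d, x, r):
    """rcb rule (assumed: r-contiguous bits): d matches x if the two
    strings agree on at least r consecutive positions."""
    run = 0
    for a, b in zip(d, x):
        run = run + 1 if a == b else 0
        if run >= r:
            return True
    return False


def chunks(x, r):
    """All (position, substring) r-chunks of x, the unit of the rch rule."""
    return {(i, x[i:i + r]) for i in range(len(x) - r + 1)}


def generate_rcb_detectors(self_set, l, r):
    """Exhaustive negative selection: keep every length-l candidate that
    matches no Self string. There are 2**l candidates, so small l only."""
    detectors = []
    for bits in product("01", repeat=l):
        d = "".join(bits)
        if not any(rcb_match(d, s, r) for s in self_set):
            detectors.append(d)
    return detectors


def rcb_holes(self_set, l, r):
    """Detection holes under rcb: Nonself strings matched by no surviving
    detector, found by brute force over the whole string space."""
    detectors = generate_rcb_detectors(self_set, l, r)
    holes = []
    for bits in product("01", repeat=l):
        x = "".join(bits)
        if x not in self_set and not any(rcb_match(d, x, r) for d in detectors):
            holes.append(x)
    return holes


def is_rch_hole(self_set, x, r):
    """Direct hole test under rch with no detector enumeration: an rch
    detector is a (position, chunk) pair absent from Self, so x is
    undetectable iff every chunk of x occurs in Self at the same position."""
    self_chunks = set().union(*(chunks(s, r) for s in self_set))
    return chunks(x, r) <= self_chunks


def rch_holes(self_set, l, r):
    """All Nonself strings that are holes under the rch rule."""
    return ["".join(b) for b in product("01", repeat=l)
            if "".join(b) not in self_set and is_rch_hole(self_set, "".join(b), r)]


if __name__ == "__main__":
    print(len(generate_rcb_detectors(SELF_SET, L, R)), "rcb detectors survive")
    print("rcb holes:", rcb_holes(SELF_SET, L, R))
    print("rch holes:", rch_holes(SELF_SET, L, R))
```

Every rch hole is also an rcb hole (a detector that agrees with x on a window agrees with the Self string sharing that chunk), which is why the thesis treats the two rules separately.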