Anomaly intrusion detection based upon an artificial immunity model

  • Authors: Yingbing Yu
  • Affiliations: Austin Peay State University, Clarksville, Tennessee
  • Venue: Proceedings of the 49th Annual Southeast Regional Conference
  • Year: 2011

Abstract

At present, intrusion detection systems are still immature and cannot be deployed as a complete defense, given their inability to detect new types of attacks and their high false alarm rates. A large part of the problem is that current techniques are external rather than internal. Natural immune systems, by contrast, identify and protect the organism by distinguishing between self (i.e., normal organisms or behaviors) and non-self (i.e., abnormal or anomalous behavior). In this paper, we use a computer immunology model to detect anomaly intrusions from new or unknown attacks. In a computer system, self is defined as normal behavior patterns observed in the past, and non-self might be a masquerader or foreign code in the form of a virus, worm, or Trojan horse. We introduce a finite state machine to build the behavior profile from sequences of system calls of privileged processes. New sequences are compared with the profile to determine "self" and "non-self" for the immunology model. A fuzzy inference system is further applied to evaluate the overall threat. Experimental results show that the model can successfully detect most of the intrusion traces with a very low false alarm rate.