Summary of the doctoral thesis of Mathematics: Improving some artificial immune algorithms for network intrusion detection

MINISTRY OF EDUCATION AND TRAINING

VIETNAM ACADEMY OF SCIENCE AND TECHNOLOGY GRADUATE UNIVERSITY OF SCIENCE AND TECHNOLOGY

NGUYEN VAN TRUONG IMPROVING SOME ARTIFICIAL IMMUNE ALGORITHMS FOR NETWORK INTRUSION DETECTION Major: Mathematical foundations for Informatics Code: 62 46 01 10 SUMMARY OF THE DOCTORAL THESIS OF MATHEMATICS Hanoi – 2019

Thesis is completed at: Graduate University of Science and Technology - Vietnam Academy of Science and Technology. Supervisors:

1. Assoc. Prof., Dr. Nguyen Xuan Hoai 2. Assoc. Prof., Dr. Luong Chi Mai

Review 1: Review 2: Review 3: The thesis will be defended, meeting at: Graduate University of Science and Technology - Vietnam Academy of Science and Technology. At: Thesis can be found at the library:

- National Library of Vietnam - Library of Graduate University Of Science And Technology

1

INTRODUCTION Motivation

Internet users and computer networks are suffering from rapid increase in number of attacks.

In order to keep them safe, there is a need for effective security monitoring systems, such

as Intrusion Detection Systems (IDS). However, intrusion detection has to face a number of

different problems such as huge network traffic volumes, highly imbalanced data distribution,

the difficulty to realize decision boundaries between normal and abnormal behavior, and a

requirement for continuous adaptation to a constantly changing environment. As a result,

many researchers have attempted to use different type of approaches to build reliable intrusion

detection system.

One of the promising computational intelligence methods for intrusion detection that have

emerged recently are artificial immune systems (AIS) inspired by the biological immune system.

Negative selection algorithm (NSA) of AIS, is widely used for intrusion detection systems

(IDS). Despite its successful application, NSA has some weaknesses: 1-High false positive rate

and/or false negative rate, 2-High training and/or testing time, 3-Exponential relationship

between the size of the training data and the number of detectors possibly generated for

testing, 4-Changeable definitions of ”normal data” and ”abnormal data” in dynamic network

environment. To overcome these limitations, trends of recent works are to concentrate on

complex structure of immune detectors, matching methods and hybrid NSAs. Objectives

Since data representation is one of the factors that affect the training and testing time,

a compact and complete detector generation algorithm is investigated.

The thesis investigates optimal algorithms to generate detector set in AIS. They help to

reduce both training time and detecting time of AIS-based IDSs.

Also, it is regarded to propose and investigate an AIS-based IDS that can promptly detect

attacks, either if they are known or never seen before. The proposed system makes use of AIS

Problem statements

with statistics as analysis methods and flow-based network traffic as data source.

Since the NSA has four main limitations as listed in the first section, this thesis concen-

trates on three problems:

1. The first problem is to find compact representations of data. Objectives of this prob-

lem’s solution is not only to minimize memory storage but also to reduce testing time.

2. The second problem is to propose algorithms that can reduce training time and testing

time in compared with all existing related algorithms.

3. The third problem is to improve detection performance with respect to reducing false

2

alarm rates while keeping detection rate and accuracy rate as high as possible.

It is impossible to find an optimal algorithm that can reduce time and memory complexities

with best detection performance. These aspects are always in conflict with each other. Thus,

in each chapter, we will propose algorithms to solve each problem quite independently.

The intrusion detection problem mentioned in this thesis can be informally stated as:

Given a finite set S of network flows which labeled with self (normal) or nonself (abnormal).

The objective is to build classifying models on S that can label an unlabeled network flow s. Outline of thesis

Chapter 1 introduces the background knowledge necessary to discuss the algorithms

proposed in following chapters.

In Chapter 2, a combination of selection algorithms is presented. The technique reduces

detectors storage generated in training phase. Testing time, an important measurement in IDS,

will also be reduced as a direct consequence of a smaller memory complexity. Tree structure

is used to improve time and memory complexities.

A complete and nonredundant detector set is necessary to archive acceptable self and

nonself coverage of classifiers. A selection algorithm to generate this type of detectors set is

investigated in Chapter 3.

Chapter 4 includes two selection algorithms for fast training phase. The optimal algo-

rithms can generate a detectors set in linear time with respect to size of training data. In term

of detection time, the first algorithm and the second one is linear and polynomial, respectively.

Chapter 5 mainly introduces a hybrid approach of positive selection algorithm with statis-

tics. Frequencies of self and nonself data contained in leaves of tree-based detectors play an

important role in improving performance of the proposed algorithms. The hybrid approach

came as a new positive selection algorithm for two-class classification that can be trained with

samples from both self and nonself data types.

3

Chapter 1

BACKGROUND

1.1 Human immune system

Our human immune system has a multi-layered protection architecture, including physical

barriers, physiological barriers, an innate immune system, and an adaptive immune system.

The adaptive immune system is capable of adaptively recognizing specific types of pathogens,

and memorizing them for accelerated future responses. It is the main inspiration for AISs. 1.2 Selection algorithms

Negative selection approaches are based on self-nonself discrimination in biology system. This

property makes it attractive for computer and network security researchers. A survey show

that in six year 2008-2013, NSA predominate all the other models of AIS in term of published

papers in both network security and anomaly detection. 1.2.1 Negative Selection Algorithms

A typical NSA comprises of two phases: detector generation and detection. In the detector

generation phase, the detector candidates are generated by some random processes and cen-

sored by matching them against given self samples taken from a set S (representing the system

components). The candidates that match any element of S are eliminated and the rest are

kept and stored in the detector set D. 1.2.2 Positive Selection Algorithms

A PSA contains two phases: detector generation and detection. In the detector generation

phase, the detector candidates are generated by some random processes and matched against

the given self sample set S. The candidates that do not match any element in S are eliminated

and the rest are kept and stored in the detector set D. In the detection phase, the collection

of detectors are used to distinguish self from non-self. If incoming data instance matches any

detector, it is claimed as self. 1.3 Basic terms and definitions 1.3.1 Strings, substrings and languages An alphabet Σ is nonempty and finite set of symbols. A string s ∈ Σ∗ is a sequence of symbols

from Σ, and its length is denoted by |s|. A string is called empty string if its length equals 0.

4

Given an index i ∈ {1, . . . , |s|}, then s[i] is the symbol at position i in s. Given two indices i

and j, whenever j ≥ i, then s[i . . . j] is the substring of s with length j − i + 1 that starts at

position i and whenever j < i, then s[i . . . j] is the empty string. If i = 1, then s[i . . . j] is a prefix of s and, if j = |s|, then s[i . . . j] is a suffix of s. For a proper prefix or suffix s(cid:48) of s, we have in addition |s(cid:48)| < |s|. Given a string s ∈ Σ(cid:96), another string d ∈ Σr with 1 ≤ r ≤ (cid:96), and

an index i ∈ {1, . . . , (cid:96) − r + 1}, we say that d occurs in s at position i if s[i . . . i + r − 1] = d. Moreover, concatenation of two strings s and s(cid:48) is s + s(cid:48).

A set of strings S ⊆ Σ∗ is called a language. For two indices i and j, we define S[i . . . j] =

{s[i . . . j]|s ∈ S}. 1.3.2 Prefix trees, prefix DAGs

A prefix tree T is a rooted directed tree with edge labels from Σ where for all c ∈ Σ, every

node has at most one outgoing edge labeled with c. For a string s, we write s ∈ T if there is

a path from the root of T to a leaf such that s is the concatenation of the labels on this path.

The language L(T ) described by T is defined as the set of all strings that have a nonempty

prefix s ∈ T . Trees for self dataset and nonself dataset are called positive trees and negative

trees, respectively.

A prefix DAG D is a directed acyclic graph with edge labels from Σ, where again for all

c ∈ Σ, every node has at most one outgoing edge labeled with c. Similar to prefix trees, the

terms root and leaf used to refer to a node without incoming and outgoing edges, respectively.

We write s ∈ D if there is a path from a root node to a leaf node in D that is labeled by

s. Given n ∈ D, the language L(D, n) contains all strings that have a nonempty prefix that

labels a path from n to some leaf. Moreover, we define L(D) = ∪n is a root of DL(D, n).

A prefix DAG can be turned into a finite automaton to decide the membership of strings

in languages. 1.3.3 Detectors

Given an alphabet Σ is nonempty and finite set of symbols, positive and negative r-chunk

detectors, r-contiguous detectors, rcbvl-detectors could be defined as follows:

Definition 1.1. Given a self set S ⊆ Σ(cid:96), a tuple (d, i) of a string d ∈ Σr, where r ≤ (cid:96), and

an index i ∈ {1, ..., (cid:96) − r + 1} is a positive r-chunk detector if there exists a s ∈ S such that d

occurs in s.

Definition 1.2. Given a self set S ⊆ Σ(cid:96), a tuple (d, i) of a string d ∈ Σr, r ≤ (cid:96), and an index

i ∈ {1, ..., (cid:96) − r + 1} is a negative r-chunk detector if d does not occurs any s ∈ S.

Example 1.1. Let (cid:96) = 6, r = 3. Given a set of five self strings S = {s1 = 010101, s2 =

111010, s3 = 101101, s4 = 100011, s5 = 010111}. The set of some positive r-chunk detectors

is {(010,1), (111,1), (101,2), (110,2), (010,3), (101,3), (101,4), (010,4), (111,4))}. The set

5

of some negative r-chunk detectors is {(000,1), (001,1), (011,1), (001,2), (010,2), (100,2),

(000,3), (100,3), (000,4), (001,4), (100,4)}.

Definition 1.3. Given a self set S ⊆ Σ(cid:96), a string d ∈ Σ(cid:96) is a r-contiguous detector if d[i, . . . , i+

r − 1] does not occurs any s ∈ S for all i ∈ {1, ..., (cid:96) − r + 1}.

Example 1.2. Let (cid:96) = 5, r = 3. Given a set of 7 self strings S = {s1 = 01111, s2 = 00111,

s3 = 10000, s4 = 10001, s5 = 10010, s6 = 10110, s7 = 11111}. The set of all 3-contiguous

detectors is {01011, 11011}.

We also use the following notations:

• Dpi = {(d, i)|(d, i) is a positive r-chunk detector} is set of all positive r-chunk detectors

at position i, i = 1, . . . , (cid:96) − r + 1.

• Dni = {(d, i)|(d, i) is a negative r-chunk detector} is set of all negative r-chunk detectors

at position i, i = 1, . . . , (cid:96) − r + 1.

i=1 Dpi is set of all positive r-chunk detectors.

• CHU N Kp(S, r) = ∪(cid:96)−r+1

i=1 Dni is set of all negative r-chunk detectors.

• CHU N K(S, r) = ∪(cid:96)−r+1

• CONT(S, r) is the set of all r-contiguous detectors that do not match any string in S.

• For a given detectors set X, L(X) is the set of all nonself strings detected by X. We also

say that Σ(cid:96) \ L(X) is the set of all self strings detected by X.

Definition 1.4. Given a self set S ⊆ Σ(cid:96). A triple (d, i, j) of a string d ∈ Σk, 1 ≤ k ≤ (cid:96), an

index i ∈ {1, ..., (cid:96) − r + 1} and an index j ∈ {i, ..., (cid:96) − r + 1} is called a negative detector under

rcbvl matching rule if d does not occur in any s, s ∈ S.

To combine PSA and NSA in a unified framework, we have to change the original semantic

of positive selection in the detection phase as follows.

Definition 1.5. If new instance matches (cid:96) − r + 1 positive r-chunk detectors (dij , i), i = 1, . . . , (cid:96) − r + 1, it is claimed as self, otherwise it is claimed as nonself.

With this new detection semantic, the following proposition on the equivalence of detec-

tion coverage of r-chunk type PSA and NSA could be stated.

Theorem 1.1 (Detection Coverage). The detection coverage of positive and negative selection

algorithms coincide.

L(CHU N Kp(S, r)) = L(CHU N K(S, r))

1.3.4 Ring representation of data

6

With reference to string-based detectors set, a simple technique for this approach is to con-

catenate each string representing a detector with its fist k symbols. Each new linear string is a ring representation of its original binary one. Given a set of strings S ⊂ Σ(cid:96), a set Sr ⊂ Σ(cid:96)+r−1 includes ring representations of all strings in S by concatenating each string s ∈ S with its fist

r − 1 symbols. We can easily apply the idea of ring strings for other data representations in

AIS. One way to do this, for instance, is to create ring representations of other structures such

as trees, and automata, from set Sr instead of S as usual. 1.3.5 Frequency trees

Given a set D of length-equaled strings, a tree T on D, noted TD, is a rooted directed tree with edge labels from Σ where for all c ∈ Σ, every node has at most one outgoing edge labeled

with c. For a string s, we write s ∈ T if there is a path from the root of T to a leaf such that s

is the concatenation of the labels on this path. Each leaf is associated with an integer number,

that is frequency of string s ∈ D and s is the concatenation of the labels on the path ending

by this leaf. We also use two concepts: self trees and nonself trees to present r-chunk detectors

set for normal dataset and abnormal dataset, respectively. 1.4 Datasets

We only concentrate on flow-based NIDSs because: 1 - It can detect some special attacks more

efficient and faster than payload based one, since lesser information is needed to be analyzed;

2 - Flow-based anomaly detection methods process only packet headers and reduce data and

processing time for high-speed detection on large networks. It can solve the scalability prob-

lem in condition of increasing network usage and load. 3 - Flow-based NIDSs decrease privacy

issues in comparison with packet-based ones because of the absence of payload.

The DARPA-Lincoln datasets: The DARPA-Lincoln datasets were collected by MITs Lin-

coln laboratory with the purpose of evaluating the performance of different intrusion detection

methodologies.

UT datasets: This data set was captured by monitoring a honeypot hosted in the University

of Twente network. The dataset has three categories: malicious traffic, unknown traffic and

side-effect traffic. Each flow in the datasets has 12 fields.

Netflow datasets: This dataset focuses only on flows to a specific port and a IP address

which receives the most number of attacks. It contains all 129,571 traffics (including attacks)

to and from victims.

7

Chapter 2

COMBINATION OF NEGATIVE SELECTION AND POSITIVE SELECTION

2.1 New Positive-Negative Selection Algorithm

Our algorithm first constructs (cid:96) − r + 1 binary trees (called positive trees) corresponding to

(cid:96) − r + 1 positive r-chunk detector set Dpi, i = 1, . . . , (cid:96) − r + 1. Then, all complete subtrees of

these trees are removed to achieve a compact representation of the positive r-chunk detector set while maintaining the detection coverage. Finally, for every ith positive trees, we decide

whether or not it should be converted to the negative tree, which covers the negative r-chunk

detector set Dni. The decision depends on which tree is more compact. When this process is

done, we have (cid:96) − r + 1 compact binary trees that some of them represent positive r-chunk

detectors and the others represent negative ones.

The r-chunk matching rule on binary trees is implemented as follows: a given sample s matches the positive (negative) tree ith if s[i . . . i + k] is a path from the root to a leaf,

i = 1, . . . , (cid:96) − r + 1, k < r. The detection phase can be conducted by traveling the compact

binary trees iteratively one by one: a sample s is claimed as non-self if it matches a negative

tree or it does not match all positive trees, otherwise it is considered as self. From the

description of DetectorGeneration, it is trivial to show that it takes |S|((cid:96) − r + 1).r steps to

generate all necessary trees (detector generation time complexity) and ((cid:96) − r + 1).r steps to

verify a cell string as self or non-self in the worst case (worse-case detection time complexity).

These time complexities are similar to the state-of-the-art NSAs (PSAs).

Theorem 2.1. Given a self set S and an integer (cid:96), procedure DetectorGeneration produces the detector (binary) tree set that have at most total ((cid:96) − r + 1).2r−2 less number of nodes in

comparison to the detector tree set created by a PSA or NSA only, where r ∈ {2, . . . , (cid:96) − r + 1}.

8

Algorithm 2.1 Detector Generation Algorithm. 1: procedure DetectorGeneration(S, r, T )

Input: A set of self strings S ⊆ Σ(cid:96), a matching threshold r ∈ {1, . . . , (cid:96)}. Output: A set T of (cid:96) − r + 1 prefix trees presenting all r-chunk detectors.

T = ∅ for i = 1, ..., (cid:96) − r + 1 do

2: 3: 4: 5: 6:

create an empty prefix tree Ti for all s ∈ S do

insert every s[i . . . i + r − 1] into Ti

for all internal node n ∈ Ti do if n is root of complete binary subtree then delete this subtree

if (number of leaves of Ti) > (number of nodes of Ti that have only one child) then for all internal node ∈ Ti do

7: 8: 9: 10: 11: 12: 13: 14: 15: 16:

if it has only one child then if the child is a leaf then delete the child create the other child for it

17:

mark Ti as a negative tree

T = T ∪ {Ti}

Algorithm 2.2 Positive-Negative Selection Algorithm. 1: procedure PNSA(T , r, s)

Input: A set T of (cid:96) − r + 1 prefix trees presenting all r-chunk detectors, a matching threshold r ∈ {1, . . . , (cid:96)}, an unlabeled string s ∈ Σ(cid:96). Output: A label of s (as self or nonself). (cid:46) A temporary boolean variable

2: 3: 4: 5: 6:

f lag = true i = 1 while (i ≤ (cid:96) − r + 1) and (f lag = true) do if (Ti is positive tree) and (s /∈ Ti) then f lag = false

7: 8:

9:

if (Ti is negative tree) and (s ∈ Ti) then f lag = false

i=i+1

10: 11: 12: 13:

2.2 Experiments

if f lag = false then output s is nonself else output s is self

Table 2.1 shows the results on detector memory storage and detection time of PNSA compared

to one of the popular single NSAs on some combinations of S, (cid:96) and r. We have conducted

another experiment by choosing (cid:96) = 40, |S| = 20,000 (S is the set of randomly generated binary

strings of length (cid:96)) and varying r (from 15 to 40). Then, (cid:96)−r +1 trees were created using single

NSA and other (cid:96) − r + 1 compact trees were created using PNSA. Next, both detector sets

were used to detect every s ∈ S. Next experiment is conducted on Netflow dataset. Table 2.2

9

Table 2.1: Comparison of memory and detection time reductions.

S 1,000 2,000 2,000 2,000 (cid:96) 50 30 40 50 r Memory (%) Time (%) 12 15 17 20 0 2.5 25.9 36.3 0 5 42.7 50

shows some of the experiment steps. The percentage of node reduction is in the final column.

Table 2.2: Comparison of nodes generation on Netflow dataset.

r 5 10 15 20 25 30 35 40 45 NSA 727 33,461 1,342,517 9,428,132 18,997,102 29,668,240 42,596,987 58,546,497 79,034,135 PNSA 706 31,609 1,154,427 6,157,766 11,298,739 17,080,784 24,072,401 32,841,794 44,194,012 Reduction(%) 2.89 5.53 14.01 34.68 40.52 42.42 43.48 43.90 44.08

10

Chapter 3

GENERATION OF COMPACT DETECTOR SET

3.1 New negative selection algorithm

Given a non-empty set S of self strings of length (cid:96), and an integer r ∈ {1, . . . , (cid:96) − r + 1}, this

section presents a new NSA bases on rcbvl matching rule. Some prefix trees are first used to

generate perfect detectors set from S and then this set is used to distinguish if a new sample

as self or non-self.

Algorithm 1 summarizes the first phase of new NSA. From the description of the algo- rithm, it takes |S|.((cid:96) − r + 1).r steps to generate ((cid:96) − r + 1) prefix trees and |D|.((cid:96) − r + 1).2r

steps to generate perfect detector set D.

Example 3.1. Given (cid:96), r and the set of self strings S as in Example 1.1, S = {s1 = 010101, s2

= 111010, s3 = 101101, s4 = 100011, s5 = 010111}. Some steps in the Algorithm 1 generating

a perfect detector set {(0001,1,2), (00100,1,4), (100,4,4), (011110,1,4), (11000,1,3)} are:

Set D is first created as (00,1,1), (011,1,1), (110,1,1). Then the for loop (lines 13-29) calculates

D and D1 as following:

For i = 2: D = (0001,1,2); (0010,1,2); (0111,1,2); (1100,1,2) and D1 = ∅.

For i = 3: D = (00100,1,3); (01111,1,3); (11000,1,3) and D1 = (0001,1,2).

For i = 4: D = (00100,1,4); (011110,1,4) and D1 = (0001,1,2); (11000,1,3); (100,4,4).

The final step, D = D (cid:83) D1 in line 30, generates the perfect detector set {(0001,1,2), (00100,1,4), (100,4,4), (011110,1,4), (11000,1,3)}.

To detect if a given string s is self or non-self, we simply check our rcbvl matching rule

on s against every detector in D. If it is the case, output s is nonself, otherwise s is self. 3.2 Experiments

The flow-based NetFlow is used for experiment 1. A randomly created dataset is used for

experiment 2. Flows in NetFlow are converted into binary strings by two steps. The first

step is to map all features to binary string features. After this step, a total string features

are constructed for both normal data and anomalous one. The second step is to concatenate

11

Algorithm 3.1 Algorithm to generate perfect rcbvl detector set 1: procedure GenerationDetectors(S, (cid:96), r, D) 2:

3: 4: 5:

for i = 1, ..., (cid:96) − r + 1 do Create an empty prefix tree Ti for all s ∈ S do for i = 1, ..., (cid:96) − r + 1 do

insert every s[i . . . i + r − 1] into Ti

for i = 1, ..., (cid:96) − r + 1 do

6: 7: 8: 9:

10:

for all non-leaf node n ∈ Ti and all σ ∈ Σ do if no edge with label σ starts at n then create a new leaf n(cid:48) and an edge (n, n(cid:48)) labeled with σ.

delete every node n ∈ Ti from which none of the newly created leaves is reachable.

D1 = ∅ D = { (s, 1, 1)|s ∈ T1 } for i = 2, ..., (cid:96) − r + 1 do

D2 = ∅ for all (s, k, j) ∈ D do

if there exists a s(cid:48) ∈ Ti where s[i − k + 1...|s|] is prefix of it then (cid:83){(s + s(cid:48)[|s| − j + k...|s(cid:48)|], k, i)}

11: 12: 13: 14: 15: 16: 17: 18: 19: 20: 21: 22: 23:

24:

D2 = D2 delete every node n ∈ Ti from which only nodes in the s(cid:48) is reachable for all s(cid:48) ∈ Ti where s[i − k + 1...|s|] is prefix of it do if |s| − i + k < r then (cid:83){(s[|s|] + s(cid:48), i − 1, i)} D2 = D2 else (cid:83){(s(cid:48), i, i)} D2 = D2

delete every node n ∈ Ti from which only nodes in the s(cid:48) is reachable

25: 26:

27: 28:

else (cid:83){(s, k, j)} D1 = D1

29:

30:

(cid:83){(s(cid:48), i, i)} for all s(cid:48) ∈ Ti do D2 = D2

D = D2 D = D (cid:83) D1

12

the binary string features for every flows. After this step, dataset contains binary strings with

their length of 49. The distributions of training and testing datasets as well as parameters r,

(cid:96) for 4 experiments are described in Table 3.1.

Table 3.1: Data and parameters distribution for experiments and results comparison.

Size (in bits) (cid:96) r Train Test rcbvl Time (in minutes) r-chunk rcbvl

49 49 10 8 119,571 79,571 10,000 50,000 r-chunk Case 1 206,810 31,672 42,704 8,096 1 0.8 0.2 0.18

30 30 12 14 25,000 40,000 25,000 10,000 Case 2 367,092 2,324,056 79,222 392,815 4.1 8.65 0.75 1.4

Results in Table 3.1 show that our proposed algorithm reduce both size (bits) of detectors

and time to classify testing dataset in comparison with that of best algorithm proposed in 2004.

13

Chapter 4

FAST SELECTION ALGORITHMS

4.1 A fast negative selection algorithm based on r-chunk detector.

Table 4.1 shows the comparison of our results with the runtimes of previously published

r-chunk detector-based algorithms. All runtimes for training phase and classification phase

are given for a binary alphabet (|Σ| = 2) since not all algorithms are applicable to arbitrary

alphabets. The parameter K = min{|S[i..i+r−1]|, i = 1, . . . , (cid:96)−r+1}. The parameter |D|, the

desired number of detectors, is only applicable to algorithms that generate detectors explicitly.

Our algorithm and algorithm in by Textor produce the results that would be obtained with

the maximal number of generated detectors. We proposed a NSA that produces a substantial

performance improvement in training phase compared to the most effective published NSA by

Textor.

Table 4.1: Comparison of our results with the runtimes of previously published algorithms.

Matching rules

r-chunk

r-contiguous

Algorithms Stibor et al. Elberfeld, Textor Elberfeld, Textor Present thesis D’haeseleer et al. (linear) D’haeseleer et al. (greedy) Wierzcho´n Elberfeld, Textor (2009) Elberfeld, Textor (2011) Present thesis Training (2r + |S|)((cid:96) − r + 1) r2|S|((cid:96) − r) |S|(cid:96)r |S|(cid:96) (2r + |S|)((cid:96) − r) 2r|S|((cid:96) − r) 2r(|D|((cid:96) − r) + |S|) |S|3(cid:96)3r3 |S|(cid:96)r |S|(cid:96) + (2r − K).(cid:96) Classification |D|(cid:96) |S|(cid:96)2r (cid:96) (cid:96) |D|(cid:96) |D|(cid:96) |D|(cid:96) |S|2(cid:96)3r3 (cid:96) (cid:96)r

We use the following notations: An array Q, where Q[s][c] is a pointer used for creating new nodes in the tree, s ∈ Σr−1, and c ∈ Σ; An array P, where P [i] is a structure of two fields, a pointer P[i].end and a string P[i].str ∈ Σr−1.

Algorithm 4.3 summarizes the overall of proposed Chunk-NSA. In the algorithm, we use

a self set S, an integer r ∈ {1, . . . , (cid:96) − r + 1}, a cell string s to be detected, a prefix DAG G.

14

Algorithm 4.1 To generate positive r-chunk detectors set 1: procedure PositiveR-chunkDetector(S, r, G)

Input: A set of self strings S ⊆ Σ(cid:96), a matching threshold r ∈ {1, . . . , (cid:96)}. Output: A prefix DAG G presenting positive r-chunk detectors set.

2: 3: 4: 5:

G = ∅ for i = 1, ..., |S| do

insert si[1 . . . r] into G and assign P [i].end to the leaf node in path s[1 . . . r] P [i].str = s[2 . . . r] for i = r + 1, ..., (cid:96) do for j = 1, ..., |S| do

6: 7: 8: 9:

if Q[P [j].str][sj[i]] = N U LL then Q[P [j].str][sj[i]] = new()

10: 11: 12: 13:

14:

15:

for j = 1, ..., |S| do p = P [j].end for c ∈ Σ do if (Q[P [j].str][c] (cid:54)= N U LL)&&(edge starts from p with label c does not exist) then

create an edge starts from p with label c to Q[P [j].str][c] P [j].end = end node of the edge starts from p with label sj[i]

16: 17: 18:

for j = 1, ..., |S| do

Q[P [j].str][sj[i]] = N U LL P [j].str = P [j].str[2...r − 1] + sj[i]

Chunk-NSA will detect s as self or nonself.

Theorem 4.1. Given any S ⊆ Σ(cid:96), s ∈ Σ(cid:96) and r ∈ {1, . . . , (cid:96)}, algorithm Chunk-NSA constructs an automaton M with L(M ) ∩ Σ(cid:96) = L(CHU N K(S, r)) in time O(|S|.(cid:96).|Σ|) and checks if

4.2 A fast negative selection algorithm based on r-contiguous detec- tor

s ∈ L(M ) in time O((cid:96)).

Two arrays P and Q are used in this section as the same meaning in the previous section.

Besides, we use two set P1 and P2 of pointers for chunk detectors. They swap their roles at

the end of each step.

Theorem 4.2. There exists an algorithm that, given any S ⊆ Σ(cid:96) and r ∈ {1, . . . , (cid:96)}, constructs a finite automaton M with L(M ) ∩ Σ(cid:96) = CON T (S, r) in time O(|S|.(cid:96).|Σ| + (Σr − K).(cid:96)), where

4.3 Experiments

K= min{|S[i..i + r − 1]|, i = 1, . . . , (cid:96) − r + 1}.

In our experiments, we use the NetFlow and a random datasets for experiment 1 and experi-

ment 2, respectively. In Table 4.2, the runtime of NSA by Textor (2011) on experiment 1 and

experiment 2 are in columns a and c, respectively. Also, the runtime of proposed Chunk-NSA

on experiment 1 and experiment 2 are in columns b and d, respectively.

15

Algorithm 4.2 To generate negative r-chunk detectors set 1: procedure NegativeR-chunkDetector(S, r, G)

Input: A set of self strings S ⊆ Σ(cid:96), a matching threshold r ∈ {1, . . . , (cid:96)}. Output: A prefix DAG G presenting negative r-chunk detectors set.

2: 3: 4: 5: 6: 7:

PositiveR-chunkDetector(S, r, G) create a special node n(cid:48) for each non-leaf node n ∈ G do for c ∈ Σ do

if no edge with label c starts at n then create new edge (n, n(cid:48)) labeled with c

8: 9: 10:

for each node n ∈ G do if n is not reachable to n(cid:48) then delete n

Algorithm 4.3 A fast r-chunk detector-based NSA 1: procedure Chunk-NSA(s, S, r, G, M )

Input: A set of self strings S ⊆ Σ(cid:96), an unlabeled string s ∈ Σ(cid:96), a matching threshold r ∈ {1, . . . , (cid:96)}. Output: A prefix DAG G presenting negative r-chunk detectors set, an automaton M , a label of s (self or nonself).

2: 3: 4: 5: 6: 7:

NegativeR-chunkDetector(S, r, G) turn G into an automaton M if s ∈ L(M ) then output s is nonself else output s is self

Table 4.2: Comparison of Chunk-NSA with r-chunk detector-based NSA.

r

10 11 12 13 14 15 16 17 18 19 20 Experiment 1 a/b b 2.9 454 3.2 439 3.4 454 4.1 435 4.2 418 4.3 486 4.5 437 5.3 391 5.5 410 6.3 375 7.0 359 a 1,330 1,395 1,564 1,767 1,771 2,092 1,985 2,071 2,249 2,345 2,859 Experiment 2 c/d d 3.1 482 3.5 472 4.5 360 4.7 453 5.0 451 6.2 450 8.5 365 9.6 427 10.7 422 11.3 470 15.6 437 c 1,490 1,633 637 2,134 2,276 2,793 3,086 4,079 4,509 5,312 6,796

16

Algorithm 4.4 Algorithm to generate negative r-contiguous detectors set 1: procedure Cont-NSA(S, r, G)

Input: A set of self strings S ⊆ Σ(cid:96), a matching threshold r ∈ {1, . . . , (cid:96)}. Output: An automaton G presenting negative r-contiguous detectors set.

2: 3: 4: 5: 6:

G = P1 = ∅ for s ∈ Σr \ S[1 . . . r] do

insert s into G and create p.end that points to the leaf node in path s p.str = s[2 . . . r] P1 = P1 ∪ {p} for i = r + 1, ..., (cid:96) do for j = 1, ..., |S| do

7: 8: 9: 10:

if Q[P [j].str][sj[i]] = N U LL then Q[P [j].str][sj[i]] = new()

P2 = ∅ for each p ∈ P1 do for c ∈ Σ do if (Q[p.str][c] = N U LL) then

11: 12: 13: 14: 15: 16: 17: 18: 19: 20: 21: 22: 23:

Q[p.str][c] = new() p.str = p.str[2...r − 1] + c p.end = Q[p.str][c] P2 = P2 ∪ {p} else if Q[p.str][c] is newly created in this inner for loop then

p.str = p.str[2...r − 1] + c p.end = Q[p.str][c] P2 = P2 ∪ {p}

24: 25: 26:

for j = 1, ..., |S| do

Q[P [j].str][sj[i]] = N U LL P [j].str = P [j].str[2...r − 1] + sj[i]

27: 28: 29:

30:

for each p ∈ P1 do for c ∈ Σ do Q[p.str][c] = N U LL

P1 = P2

for each node n ∈ G do

31: 32: 33: 34:

if n is not reachable to a leaf node ∈ P1 then delete n turn G into an automaton

17

Chapter 5. APPLYING HYBRID ARTIFICIAL IMMUNE SYSTEM FOR NETWORK SECURITY

5.1 Hybrid Positive Selection Algorithm With Chunk Detectors Given (cid:96), r, a normal data set N ⊂ Σ(cid:96), an abnormal data set A ⊂ Σ(cid:96). Algorithm 4.5 and

Algorithm 4.6 create positive trees and negative trees, respectively. A new data instance s ∈ Σ(cid:96) is detected as self or nonself by Algorithm 4.7.

Algorithm 4.5 Algorithm to generate positive trees 1: procedure SelfTreesGeneration(N , r, TN )

2: 3:

Input: A set of self strings N ⊆ Σ(cid:96), a matching threshold r ∈ {1, . . . , (cid:96)}. Output: A set TN of (cid:96) − r + 1 prefix trees presenting positive trees. for i = 1, ..., (cid:96) do

Create an empty tree TNi

4: 5: 6:

for all s ∈ Nr do for i = 1, ..., (cid:96) do

insert every s[i . . . i + r − 1] into TNi

Algorithm 4.6 Algorithm to generate negative trees 1: procedure NonselfTreesGeneration(A, r, TA)

2: 3:

Input: A set of nonself strings A ⊆ Σ(cid:96), a matching threshold r ∈ {1, . . . , (cid:96)}. Output: A set TA of (cid:96) − r + 1 prefix trees presenting negative trees. for i = 1, ..., (cid:96) do

Create an empty tree TAi

4: 5: 6:

for all s ∈ Ar do for i = 1, ..., (cid:96) do

insert every s[i . . . i + r − 1] into TAi

In Algorithm 4.7, Leaf(s, T ) is a function to return frequency value corresponding with a string s ∈ Σr, this value is contained in the leaf of the path labeled by s in tree T . Parameters

d1 and d2 sum up frequencies of s in positive trees TN and negative trees TA, respectively. Four other parameters t1, t2, t3, t4 are also used in PSA2 to control its performance.

18

Algorithm 4.7 Algorithm PSA2 to detect if a new data instance s ∈ Σ(cid:96) is self or nonself 1: procedure PSA2(N , A, s, r, TN , TA)

Input: A set of nonself strings N ⊆ Σ(cid:96), a set of self strings A ⊆ Σ(cid:96), an unlabeled string s ∈ Σ(cid:96), a matching threshold r ∈ {1, . . . , (cid:96)}. Output: A set TA of (cid:96) − r + 1 prefix trees presenting negative trees, a set TN of (cid:96) − r + 1 prefix trees presenting positive trees, a label of s (self or nonself).

2: 3: 4: 5: 6: 7: 8: 9:

10: 11:

SelfTreesGeneration(N , r, TN ) NonselfTreesGeneration(A, r, TA) d1 = d2 = d3 = 0 Create a string sr as ring representation of the string s for i = 1, ..., (cid:96) do

s(cid:48) = sr[i . . . i + r − 1] if s(cid:48) /∈ TNi then d1 = d1 + 1 if s(cid:48) /∈ TAi then d2 = d2 + 1

12: 13:

14: 15: 16: 17:

if Leaf(s(cid:48), TNi) < Leaf(s(cid:48), TAi).t1 then d3 = d3 + 1

5.2 Experiment 5.2.1 Datasets

if d1 > t2 then output s is nonself else if d2 > t3 then output s is self else if d3.t4 > (cid:96) then output s is nonself else output s is self

We use two popular flow-based datasets: NetFlow and TU. Similar to the previous studies, we

select the same 4 features from the NetFlow dataset as the input of experiments 1, 5, 6, and

7; 7 features from the NetFlow dataset as the input of experiments 2 and 3; 4 features from

the UT dataset as the input of experiment 4.

Table 4.3: Features for NIDS. Experiment Dataset Feature

1 2, 3

5.2.2 Data preprocessing

UT 4 5, 6, 7 NetFlow Packets, Octets, Duration, Flags NetFlow Packets, Octets, Duration, Scr port, Dst port, Flags, IP protocol Packets, Octets, Duration, Flags NetFlow Packets, Octets, Duration, Flags

The preprocessing for the features of training dataset is composed of two steps. The first step

is to map all features to binary string features. After this step, a total string features are

constructed for both normal data and anomalous one. The second step is to concatenate the

binary string features for every flows. After this step, training dataset contains equaled-length

binary strings. For testing dataset, each feature will be convert to a binary string using the

19

map of training data. If a feature value is not in range of corresponding training feature range,

its binary form will be selected randomly.

Example 4.1. Given a training dataset contain numerical two-feature flows S = {N, A},

where set of normal data N = {n1 = (1; 8); n2 = (0.5; 6)} and anomalous data A = {a1 =

(1; 9); a2 = (1; 6), a3 = (0.5; 9)}.

The ranges of the first feature and the second one are {0.5; 1} and {6; 8; 9}, respectively.

Therefore, we can use one bit (two bits) to encode the first (the second) feature. A map of the

numeric ranges {0.5; 1} and {6; 8; 9} can be binary string ranges {0; 1} and {00; 01; 10},

respectively. Finally, the training dataset contains strings of length 3, S = {N, A}, where N

= {n1 = 101; n2 = 000} and A = {a1 = 110; a2 = 100, a3 = 010}.

Assuming a flow s = (2; 8) is in testing dataset. The first feature (2 /∈ {0.5; 1}) is

randomly encoded by 0 or 1 while the second feature (8 ∈ {6; 8; 9}) is encoded by 01. The

5.2.3 Performance metrics

binary form of s is 001 or 101.

We used a 10-fold cross-validation technique to evaluate our approach in Experiments 1 and

4. In Experiments 2, 3 and 5-7, a hold-out validation is used to evaluate our approach with

subsets of Netflow dataset as described in Table 4.4.

Table 4.4: Distribution of flows and parameters for experiments.

Experiment Normal flows

1 2 (cid:96) 49 63 r 10 10 t1 5 7 t2 7 9 t3 8 14 t4 9 7

3 53 9 12 16 7 8

4 5 41 49 7 14 1 3 7 37 2 11 4 4

6 48 12 4 19 7 5

7 46 11 2 30 8 3 105,033 59,980 for training, 45,053 for testing 59,980 for training, 45,053 for testing 5,968 70,022 for training, 35,011 for testing 52,516 for training, 52,517 for testing 35,011 for training, 70,022 for testing Attack flows 24,538 5,952 for training, 18,586 for testing 5,952 for training, 18,586 for testing 10,000 16,359 for training, 8,179 for testing 12,269 for training, 12,269 for testing 8,179 for training, 16,359 for testing

Algorithm PSA2 requires the 5 integer-valued parameters r, t1, t2, t3, t4, which control

the detection performance of NIDS. To obtain optimal values of parameters for a given dataset,

we first predict the possible value ranges for them. Then we test with every quintuple (r, t1, t2,

t3, t4) in these ranges on a randomly sampled subset, usually one-tenth, of the testing dataset.

Finally, we retest the system on the whole testing dataset in localities of parameters in the

chosen quintuple. Regarding to 10-fold cross-validation, the chosen quintuple in the fold 1 is

20

used to estimate the others folds to reduce training time. Additionally, value of (cid:96) is determined

by encoding technique in data preprocessing. Distribution of parameter values and a number

of flows for all four experiments are showed in Table 4.4.

Since it is challenging to decide which objective function is the best to choose an optimal

quintuple. More specifically, optimization problem in this research is a multi-objective opti-

mization problem: we aim to increase the DR while reducing the FAR at the same time. We

select our objective function to reach the highest DR while keeping FAR as low as possible. 5.2.4. Performance

Table 4.5 illustrates the results of all experiments. We compare PSA2 performance with some

other algorithms in most recently published works and some ones run with the help of WEKA

tool (Version 3.6).

21

Table 4.5: Comparison between PSA2 and other algorithms.

Algorithms ACC DR FAR Experiment 1

PSA2 BBNN SVM (linear) SVM (polynomial) SVM (RBF) SVM (sigmoid) Naive Bayes Random Forest Random Tree 0.9879 0.9682 0.9273 0.9344 0.9468 0.9614 0.6777 0.9943 0.9941 0.9977 0.9992 0.9992 0.9975 0.9974 0.9974 0.9975 0.9976 0.9977 0.0146 0.0514 0.1223 0.1071 0.0839 0.0871 0.5116 0.0064 0.0067 Experiment 2

0.9676 0.9645 0.9622 0.9564 0.9369

PSA2 PSOGSA-based MLP Cuckoo-based MLP GSA-based MLP PSO-based MLP EBP-based MLP Random Forest Random Tree 0.9896 0.9812 0.9796 0.9763 0.9672 0.9655 0.9309 0.7596 0.7634 0.1771 0.0013 0.0119 0.0133 0.0155 0.0203 0.0315 0 0.0001 Experiment 3 0.9626

0.9781 0.9196 0.7157 0.7151 0.0421 0.0400 0.0157 0.0384 0.0063 0.0065 PSA2 (10% labelled data) S4VM (10% labelled, 90% unlabelled data) Random Forest (10% labelled data) Random Tree (10% labelled data) Experiment 4

PSA2 Naive Bayes SVM (linear) SVM (polynomial) SVM (RBF) SVM (sigmoid) Random Forest Random Tree 0.9757 0.6832 0.7315 0.7143 0.6263 0.6263 0.9777 0.9766 0.9634 0.9972 1.0000 0.8788 1.0000 1.0000 0.9675 0.9664 0.0035 0.8668 0.7185 0.5613 0.9998 1.0000 0.0052 0.0062 Experiment 5

PSA2 Random Forest 0.9845 0.9818 0.9979 0.9997 0.0186 0.0868 Experiment 6

PSA2 Random Forest 0.9961 0.9870 0.9915 0.9998 0.0028 0.0636 Experiment 7

PSA2 Random Forest 0.9847 0.9901 0.9979 0.9999 0.0183 0.0490

The results of Experiment 1 show that PSA2 reaches best performance when we set

quintuple values (10, 5, 7, 8, 9) for parameters quintuple (r, t1, t2, t3, t4), in which the

22

remarkable FAR is 1.46%, and ACC is 98.79%. Moreover, DR is ranked the second with

99.77%. BBNN and SVM (linear) have the highest DR, but their FAR are not comparable

with that of PSA2. Both Random Forest and Random Tree perform excellently with highest

ACC, admirable DR and genuine FAR.

Results of Experiment 2 show that PSA2 outperforms four algorithms proposed by Jadidi

(2013) in terms of three metrics DR, ACC and FAR. Also, PSA2 is better than both Random

Forest and Random Tree in terms of ACC and DR.

PSA2 can not train with unlabelled data, so we only use 10% labelled dataset, 5998 attack

flows and 595 normal flows, for training phase in Experiment 3. Meanwhile algorithm S4VM

uses 100% training dataset for training, in which 90% unlabelled dataset and 10% labelled

dataset. Results from the experiment strongly confirm the efficiency of PSA2 in comparison

with methods proposed by Jadidi (2015). Both Random Forest and Random Tree perform

badly with very low ACC and DR.

In Experiment 4, PSA2 is competitive with both Random Forest and Random Tree.

Some SVMs achieved admirable accuracies with 100%, but their FARs are very high with

approximately or even 100%. Poor FARs of these algorithms mean that they can not verify

the nature of benign traffic in the dataset, while PSA2, Random Forest and Random Tree can.

In experiments 5-7, ACCs and DRs of two algorithms PSA2 and Random Forest are similar.

However, FARs of PSA2 are better (far lower) than that of Random Forest.

In all experiments, FAR of PSA2 is always the lowest among that of compared algorithms

except for Random Forest and Random Tree in experiments 1-3. This result partly proves the

consistency of PSA2 for NIDS.

Two drawbacks of PSA2 are listed: 1- It must store a map to encode each new sample

into a binary string in detection phase. The size of the map depend on the distribution of flow

features’ domains. However, all four experiments show that map storage does not exceed 1%

size of training dataset. 2- Time to tune parameters is an expensive factor in PSA2. Depending

on training data, it takes about 2-5 hours to choose optimal parameters in the experiments.

23

CONCLUSIONS Contributions of this thesis

1. Propose a ring representation of data instead of linear one for better performance in

terms of both detection rate and accuracy rate.

2. Propose an algorithm PNSA that combine two selection algorithms in a uniform for

compact representation of data. Performance of the algorithm is highly guaranteed by

experiment result and theoretical proof.

3. Propose a negative selection algorithm with variable length of detectors to generate a

complete a and non-redundant detector sets to reduce detectors storage and classification

time.

4. Propose a algorithm Chunk-NSA and experimentally and theoretically prove that it is r

times faster in data training compared with a recently published algorithm.

5. Propose an algorithm, called PSA2, to apply a hybrid algorithm that combines PSA

and some statistical approaches to achieve better performance of intrusion detection in

Future work

compared with some recently published work.

• Combine our algorithms with some machine learning methods to have better detection

performance.

• Further develop technique that can choose optimal parameters and integrate them in

new objective functions for hybrid NIDS.

• Improve proposed algorithms to apply them on other data types with different data

representations, matching rule is also a future research direction.

Published work

• Further optimize Cont-NSA for better detection time and optimal training time.

A1. N. V. Truong and P. D. Lam, “Improving negative selection algorithm in artificial immune

systems for computer virus detection,” Journal of Science and Technology, Thai Nguyen

University, 72(06):53–58, 2010.

A2. N. V. Truong, V. D. Quang and T. V. Ha, “A fast r-chunk detector-based negative selection

algorithm,” Journal of Science and Technology, Thai Nguyen University,90(02):55–58, 2012.

24

A3. N. V. Truong and T. V. Ha, “Another look at r-chunk detector-based negative selection

algorithm,” Journal of Science and Technology, Thai Nguyen University, 102(02):45–50,

2013.

A4. N. V. Truong, N. X. Hoai, and L. C. Mai, “A Novel Combination of Negative and Positive

Selection in Artificial Immune Systems,” Vietnam National University, Hanoi Journal of

Science: Computer Science and Communication Engineering, 31(1):22–31, 2015.

A5. N. V. Truong, P. D. Lam, and V. D. Quang, “Some Improvements of Selection Algorithms

for Spam Email Filtering,” Journal of Science and Technology, Thai Nguyen University,

151(06):85–91, 2016.

A6. N. V. Truong, N. X. Hoai, “An improved positive selection algorithm for flow-based intrusion detection,” Proceedings of the The 2nd National Conference on Fundamental and Applied

IT Research (FAIR), 2019 (Accepted).