
Clonal Selection Method for Immunity based Intrusion Detection Systems

by Kasthurirangan Parthasarathy

Abstract

This paper presents a description of an intrusion detection approach modeled on the basis of two bio-inspired concepts, namely negative selection and clonal selection. The negative selection mechanism of the immune system can detect the foreign patterns in the complement (nonself) space. The clonal selection principle is used to explain the basic features of an adaptive immune response to an antigenic stimulus. It establishes the idea that only those cells that recognize the antigens are selected to proliferate. The selected cells are subject to an affinity maturation process, which improves their affinity to the selective antigens. The MODCLONALG algorithm described in this paper is a special refinement of the clonal selection principle that attempts to implement the negative selection mechanism. A detailed discussion of the MODCLONALG to generate the rule sets representing the negative selection (nonself) is provided. Finally, an Intrusion Detection System model is proposed that incorporates a knowledge base constructed by CLONALG using negative selection and uses CLONALG for recognition of the malicious activities in the system.

Keywords: Artificial immune system, negative selection principle, clonal selection principle, evolutionary algorithms, optimization, intrusion detection.

1 Introduction

Computer Security is a field that has gained significance over the past few years, especially with the widespread internetworking of computers. One of the important aspects of computer security is the detection of intrusions and attacks. Hence, a considerable amount of research has been dedicated to the exploration of various possible methods for detection of intrusions and attacks.
Of late, intrusion detection systems modeled on the basis of the Artificial Immune System have gained prominence because of their promise to provide feasible and efficient detection mechanisms [4]. The Artificial Immune System is modeled on the basis of the Natural Immune System found in living organisms.

In this paper, an Intrusion Detection System is proposed which makes use of the negative selection mechanism of the immune system along with the clonal selection principle. The main objective is to combine the clonal selection method with negative selection to obtain a comprehensive definition of the nonself space. The nonself space represents a set of activities in a system that are considered to be abnormal or undesirable. It is hence the complement of the self space, which represents a set of activities that are considered normal in the system.

The clonal selection method is a refined form of evolutionary approaches, which are stochastic search processes. The definitions of self and nonself have combinatorial possibilities and hence the search space is vast. Conventional deterministic approaches cannot provide complete coverage of such a search space in real time. Hence, the evolutionary approach, with its stochastic nature, provides a reasonably efficient method to develop a representation of self or nonself that can cover the enormous search space [1]. These evolutionary algorithms are modeled on the basis of Natural Evolution, wherein the fittest of the individuals are selected for reproduction and they recombine to produce unique offspring, with mutation to add diversity to their characteristics. The clonal selection principle makes use of these features but with a slight modification that allows it to handle the cases of multimodal optimization much more efficiently [2].

The MODCLONALG discussed in this paper is a specialized form of a clonal selection algorithm that generates a set of rules characterizing the complement (nonself) space.
The Intrusion Detection System model proposed makes use of this algorithm to build its knowledge base. The pattern recognition tasks of the system are performed by the CLONALG, which is another form of a clonal selection algorithm.

2 Artificial Immune Systems

Artificial Immune Systems (AIS) form the basis of solutions for various real-world problems, and in particular intrusion detection. AIS aim at using ideas gleaned from immunology in order to develop systems capable of performing a wide range of tasks in various research areas. This is basically a refinement of the Natural Immune System built into living organisms, specifically directed at information processing.

When a pathogen (a germ) enters the body of an organism, the immune system immediately recognizes that the pathogen's cell formulation is different from that of the body cells. The Germinal Center (GC) plays an important role in this activity and takes over to tackle the situation. It is one of the functional modules of the natural immune system, which evolves in some organs and plays a major role in immune response. The development of a GC is a complex process; it is formed dynamically when antigen-activated B-Cells migrate into primary follicles of the peripheral lymphoid organs. The formation of a GC requires activation of B-Cells, migration of B-Cells, T and B Cell interactions, and the availability of the network of follicular dendritic cells (FD).

From the information processing point of view, the role of the germinal center can be used as a pattern matching model, particularly to distinguish between known patterns and novel patterns. There are various concepts in the Artificial Immune System, such as Clonal Selection, Affinity Maturation, Somatic Mutation and Receptor Editing, that are discussed in relation to the detection of intrusions in this paper.
3 Intrusion Detection

Intrusion detection is a problem related to the field of Computer Security, wherein computer systems are guarded against malicious activities and attacks. There are various forms of security breach, such as virus activity, masqueraded users, denial of service attacks etc. The 'Intrusion Detection Systems' continually monitor the state of the system and raise alarms when any suspicious activities occur in the system. These systems are best modeled with a tremendous amount of motivation from the Artificial Immune Systems.

The conventional intrusion detection systems are built by incorporating a knowledge base with the system that provides a comprehensive definition of normal activities, called Self, so that the system can use it to differentiate unusual activities, which are categorized as nonself. The system activities can be classified into:

1. Normal
2. Attack
3. Error
4. Abnormalities

The normal activities can be recorded and, on the basis of the collected information, a definition of normal behaviour in the system is created as a statistical average of all the recorded activities. The system can then be monitored continuously to record the current activities, which are compared with the normal behaviour and, depending upon the level of deviation, can be classified further into attacks, errors or abnormalities.

3.1 Representation of the Self and Non-Self

The main purpose of intrusion detection is to identify which states of a system are normal and which are abnormal. The states of a system can be represented by a set of features.

System State Space [1]: A state of the system is represented by a vector of features $x^i = (x^i_1, \ldots, x^i_n) \in [0.0, 1.0]^n$. The space of states is represented by the set $S \subseteq [0.0, 1.0]^n$. It includes the feature vectors corresponding to all possible states of the system.
Normal Subspace [1]: A set of feature vectors $Self \subseteq S$ represents the normal states of the system. Its complement is called Nonself and is defined as $Nonself = S - Self$. Thus the characteristic function for the Self definition would be:

$$\chi_{Self} : [0.0, 1.0]^n \to \{0, 1\}$$

If various levels of normalcy are to be represented, then the definition can be modified such that:

$$\chi_{Self} : [0.0, 1.0]^n \to [0.0, 1.0]$$

The problem [1]: Given a set of normal spaces $Self' \subseteq Self$, a good estimate of the normal space characteristic function $\chi_{Self}$ needs to be built. This function should be able to decide whether or not the observed state of the system is anomalous.

3.2 Negative Selection Approach in Intrusion Detection

Intrusion Detection systems need to distinguish between the self and nonself space. Also, the nonself space elements must be further categorized in order to determine a specific response for protection and recovery from different attacks. The negative selection mechanism in the immune system works in such a way that when the antibody cells generated bind to the self-protein, they are destroyed, so only those cells which do not bind to self proteins are allowed to proliferate. This approach is extended to the intrusion detection process and a negative selection algorithm has been arrived at [1].

The Negative Selection algorithm [1] can be summarized as:

1. Define Self as a collection of strings of length l over a finite alphabet, a collection that needs to be monitored.
2. Generate a set R of detectors, each of which fails to match any string in S.
3. Monitor S for changes by continually matching the detectors in R against S. If any detector ever matches, then a change is known to have occurred, as the detectors are designed to not match any of the original strings in S.

These detectors can be represented as a set of real-valued rules. These rules constitute a complement of the normal values of the feature vectors (described below).
A rule is considered good if it does not cover positive samples and its area is large. Thus, an evolutionary algorithm can be used to evolve the rules to cover the nonself space guided by this criterion. The basic structure of the detector rules is as follows:

$$
\begin{aligned}
R^1 &: \text{If } Cond_1 \text{, then Level 1} \\
&\;\;\vdots \\
R^i &: \text{If } Cond_i \text{, then Level 1} \\
R^{i+1} &: \text{If } Cond_{i+1} \text{, then Level 2} \\
&\;\;\vdots \\
R^j &: \text{If } Cond_j \text{, then Level 2}
\end{aligned}
$$

where

$Cond_i = x_1 \in [low^i_1, high^i_1]$ and $\ldots$ and $x_n \in [low^i_n, high^i_n]$;

$(x_1, \ldots, x_n)$: feature vector;

$[low^j_i, high^j_i]$: lower and upper values for the feature $x_i$ in the condition part of the rule $R^j$.

The condition part of each rule defines a hypercube in the descriptor space ($[0.0, 1.0]^n$).
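
The negative selection steps and the hypercube rule form described above, as an added Python example that is not code from the paper. Candidate rules are drawn at random and ranked by volume instead of being evolved, which is a simplification; the function names, the two-feature self cluster and all parameters are constructed for illustration.

```python
import random

def covers(rule, x):
    """True if feature vector x satisfies every interval of the rule (lies in its hypercube)."""
    return all(lo <= xi <= hi for (lo, hi), xi in zip(rule, x))

def volume(rule):
    """Volume of the rule's hypercube; a larger rule covers more of the nonself space."""
    v = 1.0
    for lo, hi in rule:
        v *= hi - lo
    return v

def random_rule(n, rng, max_side=0.5):
    """Candidate rule: one [low, high] interval per feature, inside [0.0, 1.0]."""
    rule = []
    for _ in range(n):
        side = rng.uniform(0.05, max_side)
        low = rng.uniform(0.0, 1.0 - side)
        rule.append((low, low + side))
    return rule

def generate_detectors(self_samples, n_detectors, rng, candidates=2000):
    """Negative selection: drop candidates that cover any self sample, keep the largest."""
    n = len(self_samples[0])
    survivors = []
    for _ in range(candidates):
        rule = random_rule(n, rng)
        if not any(covers(rule, s) for s in self_samples):
            survivors.append(rule)
    survivors.sort(key=volume, reverse=True)
    return survivors[:n_detectors]

def is_nonself(detectors, x):
    """Monitoring step: a state is flagged when any detector rule matches it."""
    return any(covers(rule, x) for rule in detectors)

def demo(seed=7):
    """Constructed data: normal states cluster in [0.4, 0.6]^2 of a 2-feature space."""
    rng = random.Random(seed)
    self_samples = [(rng.uniform(0.4, 0.6), rng.uniform(0.4, 0.6)) for _ in range(200)]
    return self_samples, generate_detectors(self_samples, 40, rng)

if __name__ == "__main__":
    self_samples, detectors = demo()
    flagged = sum(is_nonself(detectors, s) for s in self_samples)
    print(f"{len(detectors)} detectors, {flagged} self samples flagged")
```

Because the detectors are only guaranteed not to match the recorded self samples, a normal state that was never recorded can still be flagged; the quality of the self sample set bounds the false-alarm rate.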