MINISTRY OF EDUCATION AND TRAINING
VIETNAMESE ACADEMY OF SCIENCE AND TECHNOLOGY
GRADUATE UNIVERSITY OF SCIENCE AND TECHNOLOGY

NGUYEN VAN TRUONG

IMPROVING SOME ARTIFICIAL IMMUNE ALGORITHMS FOR NETWORK INTRUSION DETECTION

THE THESIS FOR THE DEGREE OF DOCTOR OF PHILOSOPHY IN MATHEMATICS

Major: Mathematical foundations for Informatics
Code: 62 46 01 10

Scientific supervisors:
Assoc. Prof., Dr. Nguyen Xuan Hoai
Assoc. Prof., Dr. Luong Chi Mai

Hanoi - 2019

Acknowledgments

First of all, I would like to thank my principal supervisor, Assoc. Prof., Dr. Nguyen Xuan Hoai, for introducing me to the field of Artificial Immune System. He guides me step by step through research activities such as seminar presentations, paper writing, etc. His genius has been a constant source of help. I am intrigued by his constructive criticism throughout my PhD journey. I wish also to thank my co-supervisor, Assoc. Prof., Dr. Luong Chi Mai. She is always very enthusiastic in our discussion of promising research questions. It is a pleasure and luxury for me to work with her. This thesis could not have been possible without my supervisors' support.

I gratefully acknowledge the support from Institute of Information Technology, Vietnamese Academy of Science and Technology, and from Thai Nguyen University of Education. I thank the financial support from the National Foundation for Science and Technology Development (NAFOSTED), ASEAN-European Academic University Network (ASEA-UNINET).

I thank M.Sc. Vu Duc Quang, M.Sc. Trinh Van Ha and M.Sc. Pham Dinh Lam, my co-authors of published papers. I thank Assoc. Prof., Dr. Tran Quang Anh and Dr. Nguyen Quang Uy for many helpful insights for my research. I thank colleagues,
especially my cool labmate Mr. Nguyen Tran Dinh Long, in IT Research & Development Center, HaNoi University.

Finally, I thank my family for their endless love and steady support.

Certificate of Originality

I hereby declare that this submission is my own work under my scientific supervisors, Assoc. Prof., Dr. Nguyen Xuan Hoai, and Assoc. Prof., Dr. Luong Chi Mai. I declare that it contains no material previously published or written by another person, except where due reference is made in the text of the thesis. In addition, I certify that all my co-authors allow me to present our work in this thesis.

Hanoi, 2019
PhD student
Nguyen Van Truong

Contents

List of Figures
List of Tables
Notation and Abbreviation
INTRODUCTION
  Motivation
  Objectives
  Problem statements
  Outline of thesis
BACKGROUND
  1.1 Detection of Network Anomalies
    1.1.1 1.1.2 1.1.3 1.1.4
  1.2 A brief overview of human immune sys
  1.3 AIS for IDS
    1.3.1 1.3.2
  1.4 Selection algorithms
    1.4.1 1.4.2
  1.5 Basic terms and definitions
    1.5.1 1.5.2 1.5.3 1.5.4 1.5.5 1.5.6 1.5.7 1.5.8
  1.6 Datasets
    1.6.1 1.6.2 1.6.3 1.6.4
  1.7 Summary
COMBINATION OF NEGATIVE SELECTION AND POSITIVE SELECTION
  2.1 Introduction
  2.2 Related works
  2.3 New Positive-Negative Selection Algo
  2.4 Experiments
  2.5 Summary
GENERATION OF COMPACT DETECTOR SET
  3.1 Introduction
  3.2 Related works
  3.3 New negative selection algorithm
    3.3.1 3.3.2
  3.4 Experiments
  3.5 Summary
FAST SELECTION ALGORITHMS
  4.1 Introduction
  4.2 Related works
  4.3 A fast negative selection algorithm bas
  4.4 A fast negative selection algorithm bas
  4.5 Experiments
  4.6 Summary
APPLYING HYBRID ARTIFICIAL IMMUNE SYSTEM FOR NETWORK SECURITY
  5.1 Introduction
  5.2 Related works
  5.3 Hybrid positive selection algorithm wit
  5.4 Experiments
    5.4.1 5.4.2 5.4.3 5.4.4
  5.5 Summary
CONCLUSIONS
  Contributions of this thesis
  Future works
Published works
BIBLIOGRAPHY

List of Figures

1.1 Classification of anomaly-based intrusion detection met
1.2 Multi-layered protection and elimination architecture
1.3 Multi-layer
AIS model for IDS
1.4 Outline of a typical negative selection algorithm
1.5 Outline of a typical positive selection algorithm
1.6 Example of a prefix tree and a prefix DAG
1.7 Existence of holes
1.8 Negative selections with 3-chunk and 3-contiguous det
1.9 A simple ring-based representation (b) of a string (a)
1.10 Frequency trees for all 3-chunk detectors
2.1 Binary tree representation of the detectors set generate
2.2 Conversion of a positive tree to a negative one
2.3 Diagram of the Detector Generation Algorithm
2.4 Diagram of the Positive-Negative Selection Algorithm
2.5 One node is reduced in a tree: a compact positive tree h and its conversion (a negative tree) has node (b)
2.6 Detection time of NSA and PNSA
2.7 Nodes reduction on trees created by PNSA on Netflow
2.8 Comparison of nodes reduction on Spambase dataset
3.1 Diagram of an algorithm to generate perfect rcbvl detect
4.1 Diagram of the algorithm to generate positive r-chunk detectors set
4.2 A prefix DAG G and an automaton M
4.3 Diagram of the algorithm to generate negative r-contiguous d
4.4 An automaton represents 3-contiguous detectors set
4.5 Comparison of ratios of runtime of r-chunk detector-based time of Chunk-NSA
4.6 Comparison of ratios of runtime of r-contiguous detector-ba runtime of Cont-NSA

storage does not exceed 1% size of training dataset.

2- Time to tune parameters is an expensive factor in PSA2. Depending on training data, it takes about 2-5 hours to choose optimal parameters in the experiments.

Another experiment is conducted for comparing PSA2's performance in cases of ring-based and linear-based datasets. In line of Table 5.4, performance metrics are of ring string-based PSA2 from Experiment (line in Table 5.3). The best performance metrics for linear string-based PSA2 conducted in the same conditions are in line of the table. In this case, ℓ = 40 and optimal values for arguments r, t1, t2, t3, and t4 are 9, 4, 8, 7, and 10, respectively. The results show that ring string-based
PSA2 is better than linear string-based PSA2 in terms of three metrics ACC, DR, and FAR.

Table 5.4: Comparison between ring string-based PSA2 and linear string-based PSA2
Algorithms
Ring string-based PSA2 (from Experiment 1)
Linear string-based PSA2

5.5 Summary

In this chapter, we present a new PSA, called PSA2, for two-class classification through a series of works. It has four important features that make it unique and alleviate some issues in NSAs. Firstly, it uses ring representation instead of linear one for better performance in terms of both detection and accuracy rates. Secondly, the proposed algorithm uses PSA with both types of data, normal samples and abnormal ones, in a uniform framework, while other PSAs use only one type of samples. This results in good coverage of both self space and nonself space. Last but not least, the process of parameters optimization (r, t1, t2, t3, t4), as well as the method of using three frequency-related parameters d1, d2 and d3, play an important role in improving overall performance. The new method to map integer values into binary strings is the fourth feature of the algorithm.

To verify the effectiveness of the proposed approach, two different datasets are adopted to validate this approach. The results from four experiments indicate that the proposed approach can produce competitive and consistent classifying performance on real datasets. Moreover, results from Experiment with only 10% of the training dataset confirm that PSA2 can detect anomalies in a small amount of labelled data.

In the future, we are planning to combine our algorithms with some machine learning methods to have better detection performance, as well as reduce training time. Moreover, it would be interesting to further develop techniques on how to choose optimal parameters as well as to integrate them in new objective functions.

The main contribution of this chapter has been accepted for publication in the proceedings of a National Conference on Fundamental and Applied IT Research.

CONCLUSIONS
Applying computational intelligence-based techniques is an inevitable trend to build smart IDSs. This approach helps computer networks be more adaptable to continuously changing environments with more sophisticated attacks. In this thesis, we show that AIS, a subfield of computational intelligence, is relatively successful in building NIDS, at least at the simulation stage. A series of works is proposed and investigated to improve NSAs for two popular matching rules, r-chunk and r-contiguous.

Contributions of the thesis

The major contributions of this research are:

- Propose a ring representation of data instead of linear one for better performance in terms of both detection rate and accuracy rate.
- Propose an algorithm PNSA that combines two selection algorithms in a uniform for compact representation of data. Performance of the algorithm is highly guaranteed by the experiment results and theoretical proof.
- Propose a NSA with variable length of detectors, VNSA, to generate a complete and non-redundant detector set as well as reduce detectors storage and classification time.
- Propose a r-chunk detector-based NSA, Chunk-NSA, and experimentally and theoretically prove that it is r times faster in data training compared with the most recently published algorithms.
- Propose an algorithm PSA2 to apply a hybrid algorithm that combines PSA and some statistical approaches to achieve better performance of intrusion detection compared with some recently published works.
- Propose a data conversion to convert data into a suitable binary format.

One minor contribution of this thesis is proposing an algorithm Cont-NSA on r-contiguous matching rule and proving that it is approximately r times faster in data training compared with that of a recently published algorithm.

Future works

In the future, we would like to:

- Combine our algorithms with some machine learning methods to have better detection performance.
- Further develop techniques that can choose optimal parameters and integrate them in new objective
functions for hybrid NIDS.
- Improve proposed algorithms to apply them on other data types with different data representations; matching rule is also a future research direction.
- Further optimize Cont-NSA for better detection time O(ℓ) and optimal training time O(|S|ℓ).

In a nutshell, the thesis has overviewed important works relating to the research topic, has proposed some improvements of selection algorithms, and has verified the effectiveness of proposed algorithms by experiments and proofs. The obtained results have satisfied the given research objectives. However, the results are also humble and should be improved more by the PhD student in the future. The PhD student would like to receive any comments from scientists and other readers concerned about the subject so that the result of the topic can be increasingly perfect.

Published works

A1 N. V. Truong and P. D. Lam, "Improving negative selection algorithm in artificial immune systems for computer virus detection," Journal of Science and Technology, Thai Nguyen University, 72(06):53–58, 2010.
A2 N. V. Truong, V. D. Quang and T. V. Ha, "A fast r-chunk detector-based negative selection algorithm," Journal of Science and Technology, Thai Nguyen University, 90(02):55–58, 2012.
A3 N. V. Truong and T. V. Ha, "Another look at r-chunk detector-based negative selection algorithm," Journal of Science and Technology, Thai Nguyen University, 102(02):45–50, 2013.
A4 N. V. Truong, N. X. Hoai, and L. C. Mai, "A Novel Combination of Negative and Positive Selection in Artificial Immune Systems," Vietnam National University, Hanoi Journal of Science: Computer Science and Communication Engineering, 31(1):22–31, 2015.
A5 N. V. Truong, P. D. Lam, and V. D. Quang, "Some Improvements of Selection Algorithms for Spam Email Filtering," Journal of Science and Technology, Thai Nguyen University, 151(06):85–91, 2016.
A6 N. V. Truong, N. X. Hoai, "An improved positive selection algorithm for flow-based nd intrusion detection," Proceedings of the The National Conference on
Fundamental and Applied IT Research (FAIR), 2019 (Accepted).

Bibliography

[1] DARPA Dataset. https://www.ll.mit.edu/r-d/datasets [accessed 20-Mar-2019].
[2] FDFA Datasets. http://www.unsw.adfa.edu.au/australian-centre-for-cyber-security/cybersecurity/ADFA-IDS-Datasets/ [accessed 20-July-2018].
[3] KDD99 Dataset. http://kdd.ics.uci.edu/databases/kddcup99 [accessed 20-Mar-2018].
[4] NSL-KDD Dataset. https://www.unb.ca/cic/datasets/nsl.html [accessed 25-July-2019].
[5] S. Afaneha, R. A. Zitarb, and A. A. Hamamic. Virus detection using clonal selection algorithm with genetic algorithm (VDC algorithm). Applied Soft Computing, 13:239–246, 2013.
[6] M. Ayara, J. Timmis, R. de Lemos, L. N. de Castro, and R. Duncan. Negative selection: How to generate detectors. In Proceedings of the 1st International Conference on Artificial Immune Systems (ICARIS), pages 89–98, 2002.
[7] A. S. A. Aziz, M. Salama, A. ella Hassanien, and S. E. O. Hara. Detectors generation using genetic algorithm for a negative selection inspired anomaly network intrusion detection system. In Proceedings of the FedCSIS, pages 597–602, 2012.
[8] K. Bache and M. Lichman. UCI Machine Learning Repository. http://archive.ics.uci.edu/ml [accessed 20-July-2016].
[9] J. Balthrop, F. Esponda, S. Forrest, and M. Glickman. Coverage and generalization in an artificial immune system. In Proceedings of Genetic and Evolutionary Computation Conference (GECCO), pages 3–10, 2002.
[10] J. Balthrop, S. Forrest, and M. Glickman. Revisiting LISYS: Parameters and normal behavior. In Proceedings of the Congress on evolutionary computation, pages 1045–1050, 2002.
[11] F. Barani. A hybrid approach for dynamic intrusion detection in ad hoc networks using genetic algorithm and artificial immune system. In Proceedings of the Iranian Conference on Intelligent Systems (ICIS), pages 1–6, 2014.
[12] D. K. Bhattacharyya and J. K. Kalita. Network anomaly detection: A machine learning perspective. CRC Press, 2013.
[13] M. H. Bhuyan, D. K. Bhattacharyya, and J. K. Kalita. Network anomaly detection:
methods, systems and tools. IEEE communications surveys & tutorials, 16(1):303–336, 2014.
[14] R. Bronte, H. Shahriar, and H. M. Haddad. A signature-based intrusion detection system for web applications based on genetic algorithm. In Proceedings of the International Conference on Security of Information and Networks, pages 32–39, 2016.
[15] T. C. Butler, M. Kardar, and A. K. Chakraborty. Quorum sensing allows T cells to discriminate between self and nonself. Proceedings of the National Academy of Sciences, 110(29):11833–11838, 2013.
[16] C. Callegari and N. Cyprus. Statistical approaches for network anomaly detection. In Proceedings of the 4th International Conference on Internet Monitoring and Protection (ICIMP), pages 24–28, 2009.
[17] M. J. Chapple, T. E. Wright, and R. M. Winding. Flow anomaly detection in firewalled networks. In Proceedings of the Securecomm and Workshops, pages 1–6, 2006.
[18] S. Chen. Optimized multilevel immune learning algorithm in abnormal detection. Information Technology Journal, 12(3):514–517, 2013.
[19] D. Dasgupta. Artificial Immune Systems and Their Applications. Springer-Verlag, Berlin Heidelberg, 1998.
[20] D. Dasgupta and R. Azeem. An investigation of negative authentication systems. In Proceedings of the 3rd International Conference on Information Warfare and Security, pages 117–126, 2008.
[21] D. Dasgupta and Y. Cao. An immunogenetic approach to spectra recognition. In Proceedings of the Genetic and Evolutionary Computation Conference (GECCO), pages 149–155, 1999.
[22] D. Dasgupta and S. Forrest. Novelty detection in time series data using ideas from immunology. In Proceedings of the International Conference on Intelligent Systems, pages 82–87, 1996.
[23] D. Dasgupta and F. Gonzalez. An immunity-based technique to characterize intrusions in computer networks. IEEE Transactions on Evolutionary Computation, 6:281–291, 2002.
[24] D. Dasgupta and F. Nino. A comparison of negative and positive selection algorithms in novel pattern detection. In Proceedings of the International Conference on
Systems, Man, and Cybernetics, pages 125–130, 2000.
[25] D. Dasgupta and S. Saha. Password security through negative filtering. In Proceedings of the International Conference on Emerging Security Technologies (EST), pages 83–89, 2010.
[26] D. Dasgupta, S. Yu, and N. S. Majumdar. MILA-multilevel immune learning algorithm. In Proceedings of the Genetic and Evolutionary Computation Conference (GECCO), pages 183–194. Springer, 2003.
[27] L. N. de Castro and J. Timmis. Artificial Immune Systems: A New Computational Intelligence Approach. Springer-Verlag New York, Inc., Secaucus, NJ, USA, 2002.
[28] K. S. Desale and R. Ade. Genetic algorithm based feature selection approach for effective intrusion detection system. In Proceedings of the International Conference on Computer Communication and Informatics (ICCCI), pages 1–6, 2015.
[29] P. Dhaeseleer. An immunological approach to change detection: Theoretical results. In Proceedings of the IEEE Computer Security Foundations Workshop, pages 18–26, 1996.
[30] P. D’haeseleer, S. Forrest, and P. Helman. An immunological approach to change detection: algorithms, analysis and implications. In Proceedings of IEEE Symposium on Security and Privacy, pages 110–119, 1996.
[31] M. Elberfeld and J. Textor. Efficient algorithms for string-based negative selection. In Proceedings of the International Conference on Artificial Immune Systems, pages 109–121, 2009.
[32] M. Elberfeld and J. Textor. Negative selection algorithms on strings with efficient training and linear-time classification. Theoretical Computer Science, 412(6):534–542, 2011.
[33] F. Esponda, E. S. Ackley, and S. Forrest. Online negative databases. In Proceedings of the International Conference on Artificial Immune Systems (ICARIS), pages 175–188. Springer, 2004.
[34] F. Esponda, S. Forrest, and P. Helman. A formal framework for positive and negative detection schemes. IEEE Transactions on Systems, Man, and Cybernetics, Part B (Cybernetics), 34(1):357–373, 2004.
[35] D. A. Fernandes, M. M. Freire, P. A. Fazendeiro, and P. R. Inacio.
Applications of artificial immune systems to computer security: A survey. Journal of Information Security and Applications, 35:138–159, 2017.
[36] S. Forrest, S. A. Hofmeyr, A. Somayaji, and T. A. Longstaff. A sense of self for UNIX processes. In Proceedings of the IEEE Symposium on Research in Security and Privacy, pages 120–128, 1996.
[37] S. Forrest, B. Javornik, R. E. Smith, and A. S. Perelson. Using genetic algorithms to explore pattern recognition in the immune system. Evolutionary Computation, 1:191–211, 1993.
[38] S. Forrest, A. S. Perelson, L. Allen, and R. Cherukuri. Self-nonself discrimination in a computer. In Proceedings of the IEEE Symposium on Security and Privacy, pages 202–212, 1994.
[39] Z. Fuyong and Q. Deyu. Run-time malware detection based on positive selection. Journal in Computer Virology, 7:267–277, 2011.
[40] Z. Fuyong and Q. Deyu. A positive selection algorithm for classification. Journal Computational Information Systems, 7:207–215, 2012.
[41] A. A. Ghorbani, W. Lu, and M. Tavallaee. Network intrusion detection and prevention: concepts and techniques. Springer Science & Business Media, 2009.
[42] F. Gonzalez, D. Dasgupta, and J. Gomez. The effect of binary matching rules in negative selection. In Proceedings of the Genetic and Evolutionary Computation Conference (GECCO), pages 195–206, 2003.
[43] C. Guo, Y.-J. Zhou, Y. Ping, S.-S. Luo, Y.-P. Lai, and Z.-K. Zhang. Efficient intrusion detection using representative instances. Computers & Security, 39, Part B:255–267, 2013.
[44] X. Hang and H. Dai. Applying both positive and negative selection to supervised learning for anomaly detection. In Proceedings of the Conference on Genetic and Evolutionary Computation (GECCO), pages 345–352, 2005.
[45] P. K. Harmer, P. D. Williams, G. H. Gunsch, and G. B. Lamont. An artificial immune system architecture for computer security applications. IEEE Transactions on Evolutionary Computation, 6(3):252–280, 2002.
[46] S. Hofmeyr. An immunological model of distributed detection and its application to
computer security. PhD thesis, The University of New Mexico, Albuquerque, NM, 1999.
[47] S. B. Inadyuti Dutt and I. Maitra. Intrusion detection system using artificial immune system. International Journal of Computer Applications, 144(12):19–22, 2016.
[48] Z. Jadidi, V. Muthukkumarasamy, and E. Sithirasenan. Metaheuristic algorithms based flow anomaly detector. In Proceedings of the Asia-Pacific Conference on Communications (APCC), pages 717–722, 2013.
[49] Z. Jadidi, V. Muthukkumarasamy, E. Sithirasenan, and K. Singh. Flow-based anomaly detection using semisupervised learning. In Proceedings of the International Conference on Signal Processing and Communication Systems (ICSPCS), pages 1–5, 2015.
[50] Z. Ji. Negative Selection Algorithms: from the Thymus to V-detector. PhD thesis, The University of Memphis, 2006.
[51] Z. Ji and D. Dasgupta. Revisiting negative selection algorithms. Evolutionary Computation, 15:223–251, 2007.
[52] L. Jim and M. Gregory. A review of artificial immune system based security frameworks for manet. International Journal of Communications, Network and System Sciences, 9(1):1–18, 2016.
[53] K. Jungwon. Integrating Artificial Immune Algorithms for Intrusion Detection. PhD thesis, University College London, 2002.
[54] J. Kim and P. J. Bentley. An Evaluation of Negative Selection in an Artificial Immune System for Network Intrusion Detection. In Proceedings of the Genetic and Evolutionary Computation Conference (GECCO), pages 1330–1337, 2001.
[55] J. Kim, P. J. Bentley, U. Aickelin, J. Greensmith, G. Tedesco, and J. Twycross. Immune system approaches to intrusion detection – a review. Natural Computing, 6(4):413–466, 2007.
[56] A. Kosmrlj, A. K. Jha, E. S. Huseby, M. Kardar, and A. K. Chakraborty. How the thymus designs antigen-specific and self-tolerant T cell receptor sequences. Proceedings of the National Academy of Sciences, 105(43):16671–16676, 2008.
[57] A. Kosmrlj, E. L. Read, Y. Qi, T. M. Allen, M. Altfeld, S. G. Deeks, F. Pereyra, M. Carrington, B. D. Walker, and A. K. Chakraborty. Effects of thymic selection of the
T-cell repertoire on HLA class I-associated control of HIV infection. Nature, 465(7296):350–354, 2010.
[58] V. D. Kotov and V. Vasilyev. Immune model based approach for network intrusion detection. In Proceedings of the International Conference on Security of Information and Networks (SIN), pages 233–237, 2010.
[59] W. Ma, D. Tran, and D. Sharma. Negative selection with antigen feedback in intrusion detection. In Proceedings of the International Conference on Artificial Immune Systems (ICARIS), pages 200–209, 2008.
[60] M. V. Mahoney and P. K. Chan. An analysis of the 1999 DARPA/Lincoln Laboratory evaluation data for network anomaly detection. In Proceedings of the International Workshop on Recent Advances in Intrusion Detection, pages 220–237, 2003.
[61] C. A. Martínez, G. I. Echeverri, and A. G. C. Sanz. Malware detection based on cloud computing integrating intrusion ontology representation. In Proceedings of the IEEE Latin-American Conference on Communications, pages 1–6, 2010.
[62] J. McHugh. Testing intrusion detection systems: A critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory. ACM Transactions on Information and System Security, 3(4):262–294, 2000.
[63] T. Mehmod and H. B. M. Rais. Ant colony optimization and feature selection for intrusion detection. In Advances in Machine Learning and Signal Processing, pages 305–312. Springer, 2016.
[64] R. Murugesan and V. N. Kumar. A Fast Algorithm for Solving JSSP. European Journal of Scientific Research, 64:579–586, 2011.
[65] P. Ning and S. Jajodia. Intrusion detection techniques. The Internet Encyclopedia, 2003.
[66] L. X. Peng and Y. F. Chen. Positive selection-inspired anomaly detection model with artificial immune. In Proceedings of the International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC), pages 56–59, 2014.
[67] P. H. Pisani, A. C. Lorena, and A. C. Carvalho. Adaptive positive selection for keystroke dynamics. J. Intell. Robotics Syst., 80(1):277–293, 2015.
[68] D. Poole, A.
Mackworth, and R. Goebel. Computational Intelligence: A Logical Approach. Oxford University Press, Oxford, UK, 1997.
[69] Y. Sawaya, A. Kubota, and Y. Miyake. Detection of attackers in services using anomalous host behavior based on traffic flow statistics. In Proceedings of the International Symposium on Applications and the Internet (SAINT), pages 353–359, 2011.
[70] M. Sheikhan and Z. Jadidi. Flow-based anomaly detection in high-speed links using modified GSA-optimized neural network. Neural Computing and Applications, 24(3-4):599–611, 2014.
[71] G. C. Silva and D. Dasgupta. A Survey of Recent Works in Artificial Immune Systems, pages 547–586. World Scientific, 2016.
[72] G. C. Silva, R. M. Palhares, and W. M. Caminhas. Immune inspired fault detection and diagnosis: A fuzzy-based approach of the negative selection algorithm and participatory clustering. Expert Systems with Applications, 39:12474–12486, 2012.
[73] K. B. Sim and D. W. Lee. Modeling of Positive Selection for the Development of a Computer Immune System and a Self-Recognition Algorithm. International Journal of Control, Automation, and Systems, 1:453–458, 2003.
[74] T. S. Sobh and W. M. Mostafa. A cooperative immunological approach for detecting network anomaly. Applied Soft Computing, 11(1):1275–1283, 2011.
[75] A. Sperotto, R. Sadre, F. Vliet, and A. Pras. A labeled data set for flow-based intrusion detection. In Proceedings of the IEEE International Workshop on IP Operations and Management, pages 39–50, 2009.
[76] A. Sperotto, G. Schaffrath, R. Sadre, C. Morariu, A. Pras, and B. Stiller. An Overview of IP Flow-Based Intrusion Detection. IEEE Communications Surveys Tutorials, 12(3):343–356, 2010.
[77] T. Stibor. On the appropriateness of negative selection for anomaly detection and network intrusion detection. PhD thesis, TU Darmstadt, 2006.
[78] T. Stibor, K. M. Bayarou, and C. Eckert. An investigation of R-chunk detector generation on higher alphabets. In Proceedings of the Genetic and Evolutionary Computation Conference (GECCO), pages 299–307, 2004.
[79] T. Stibor, P.
Mohr, J. Timmis, and C. Eckert. Is negative selection appropriate for anomaly detection? In Proceedings of the Genetic and Evolutionary Computation Conference (GECCO), pages 321–328, 2005.
[80] T. Stibor, J. Timmis, and C. Eckert. A comparative study of real-valued negative selection to statistical anomaly detection techniques. Lecture notes in Computer science, 3627:262–275, 2005.
[81] Y. Tan. Anti-Spam Techniques Based on Artificial Immune System. CRC Press, 2016.
[82] J. Textor. Efficient negative selection algorithms by sampling and approximate counting. In Proceedings of the International Conference on Parallel Problem Solving from Nature, pages 32–41. Springer Berlin Heidelberg, 2012.
[83] J. Textor. Search and learning in the immune system: models of immune surveillance and negative selection. PhD thesis, Lubeck, University, 2012.
[84] J. Textor, K. Dannenberg, and M. Liskiewicz. A generic finite automata based approach to implementing lymphocyte repertoire models. In Proceedings of the Conference on Genetic and Evolutionary Computation (GECCO), pages 129–136, 2014.
[85] J. Timmis, A. Hone, T. Stibor, and E. Clark. Theoretical advances in artificial immune systems. Theoretical Computer Science, 403(1):11–32, 2008.
[86] Q. A. Tran, F. Jiang, and J. Hu. A real-time netFlow-based intrusion detection system with improved BBNN and high-frequency field programmable gate arrays. In Proceedings of the IEEE International Conference on Trust, Security and Privacy in Computing and Communications, pages 201–208, 2012.
[87] J. Vykopal. Flow-based Brute-force Attack Detection in Large and High-speed Networks. Dissertations, Masaryk University, 2013.
[88] Y. Wang. Statistical Techniques for Network Security: Modern Statistically-Based Intrusion Detection and Protection. IGI Global, 2008.
[89] S. T. Wierzchon. Discriminative power of the receptors activated by k-contiguous bits rule. Journal of Computer Science and Technology, 1(3):1–13, 2000.
[90] S. T. Wierzchon. Generating optimal repertoire of antibody strings in an artificial
immune system. In Proceedings of the Symposium on Intelligent Information Systems, pages 119–133, 2000.
[91] P. Winter, E. Hermann, and M. Zeilinger. Inductive intrusion detection in flow-based network data using one-class support vector machines. In Proceedings of the International Conference on New Technologies, Mobility and Security (NTMS), pages 1–5, 2011.
[92] S. X. Wu and W. Banzhaf. The use of computational intelligence in intrusion detection systems: A review. Applied Soft Computing, 10(1):1–35, 2010.
[93] B. Xu, W. Luo, X. Pei, M. Zhang, and X. Wang. On average time complexity of evolutionary negative selection algorithms for anomaly detection. In Proceedings of the First ACM/SIGEVO Summit on Genetic and Evolutionary Computation, pages 631–638. ACM, 2009.
[94] H. Yang, T. Li, X. Hu, F. Wang, and Y. Zou. A survey of artificial immune system based intrusion detection. The Scientific World Journal, 2014.
[95] X. Yang and Z. Hui. Intrusion detection alarm filtering technology based on ant colony clustering algorithm. In Proceedings of the International Conference on Intelligent Systems Design and Engineering Applications (ISDEA), pages 470–473, 2015.
[96] D. Y. Yeung and Y. Ding. Host-based intrusion detection using dynamic and static behavioral models. Pattern Recognition, 36:229–243, 2003.
[97] J. Zeng, X. Liu, T. Li, G. Li, H. Li, and J. Zeng. A novel intrusion detection approach learned from the change of antibody concentration in biological immune response. Applied Intelligence, 35(1):41–62, 2011.
[98] D. Zhao and W. Luo. Real-valued negative databases. In Proceedings of the European Conference on Artificial Life (ECAL), pages 884–890, 2013.
[99] M. Zolotukhin, T. Hämäläinen, T. Kokkonen, and J. Siltanen. Online detection of anomalous network flows with soft clustering. In Proceedings of the International Conference on New Technologies, Mobility and Security (NTMS), pages 1–5, 2015.

...
changing environments and changing goals; it learns from experience; also it makes appropriate choices given perceptual limitations and finite computation [68].

1.1.4 Tools

IDS tools are used...

A partial matching rule can support an approximation or a generalization in the algorithms. The choice of the matching rule or the threshold in a matching rule must be application specific and...

generated by NSAs is much less than that of self samples, negative selection is obviously a better choice [51]. Similar to NSA, a PSA contains two phases: detector generation and detection. In the
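
The two phases named above (detector generation, then detection) with r-chunk detectors, run once on linear strings and once on ring strings; this is an added example, not code from the thesis. It assumes that the ring representation lets chunks wrap from the end of a string to its start, and the self strings, r = 3 and all function names are constructed for illustration.

```python
from itertools import product

# Constructed sample data (not from the thesis): two "self" bit strings, chunk length r = 3.
SELF = ["000110", "110111"]
R = 3


def chunks(s, r, ring):
    """Return the (position, r-chunk) pairs of s.

    Assumption: in the ring representation the last symbol is followed by the
    first one, so windows may wrap around and every position starts a chunk.
    """
    ext = s + s[:r - 1] if ring else s
    return [(i, ext[i:i + r]) for i in range(len(ext) - r + 1)]


def self_chunks(self_set, r, ring):
    """Positive r-chunk detectors: the chunks seen in self data, per position."""
    seen = {}
    for s in self_set:
        for i, c in chunks(s, r, ring):
            seen.setdefault(i, set()).add(c)
    return seen


def negative_detectors(self_set, r, ring, alphabet="01"):
    """Detector generation: every (position, chunk) that matches no self string."""
    every = {"".join(p) for p in product(alphabet, repeat=r)}
    seen = self_chunks(self_set, r, ring)
    return {(i, c) for i, pos in seen.items() for c in every - pos}


def is_nonself(s, detectors, r, ring):
    """Detection: s is flagged when a detector matches one of its chunks."""
    return any(pc in detectors for pc in chunks(s, r, ring))


def holes(self_set, r, ring, alphabet="01"):
    """Exhaustively list nonself strings no detector matches (small lengths only)."""
    det = negative_detectors(self_set, r, ring, alphabet)
    length = len(self_set[0])
    space = ("".join(p) for p in product(alphabet, repeat=length))
    return sorted(s for s in space
                  if s not in self_set and not is_nonself(s, det, r, ring))


if __name__ == "__main__":
    for ring in (False, True):
        det = negative_detectors(SELF, R, ring)
        label = "ring" if ring else "linear"
        print(f"{label:6s} detectors={len(det):2d} holes={holes(SELF, R, ring)}")
```

On this constructed self set the linear variant leaves two undetectable nonself strings (holes), while the ring variant needs more detectors and leaves none; this is one small case, not a general guarantee.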