Doctoral thesis: Improving some artificial immune algorithms for network intrusion detection


MINISTRY OF EDUCATION AND TRAINING
VIETNAMESE ACADEMY OF SCIENCE AND TECHNOLOGY
GRADUATE UNIVERSITY OF SCIENCE AND TECHNOLOGY

NGUYEN VAN TRUONG

IMPROVING SOME ARTIFICIAL IMMUNE ALGORITHMS FOR NETWORK INTRUSION DETECTION

THE THESIS FOR THE DEGREE OF DOCTOR OF PHILOSOPHY IN MATHEMATICS

Major: Mathematical foundations for Informatics
Code: 62 46 01 10

Scientific supervisor:
Assoc. Prof., Dr. Nguyen Xuan Hoai
Assoc. Prof., Dr. Luong Chi Mai

Hanoi - 2019

Acknowledgments

First of all, I would like to thank my principal supervisor, Assoc. Prof., Dr. Nguyen Xuan Hoai, for introducing me to the field of Artificial Immune System. He guides me step by step through research activities such as seminar presentations, paper writing, etc. His genius has been a constant source of help. I am intrigued by his constructive criticism throughout my PhD journey. I wish also to thank my co-supervisor, Assoc. Prof., Dr. Luong Chi Mai. She is always very enthusiastic in our discussions of promising research questions. It is a pleasure and luxury for me to work with her. This thesis could not have been possible without my supervisors’ support.

I gratefully acknowledge the support from Institute of Information Technology, Vietnamese Academy of Science and Technology, and from Thai Nguyen University of Education. I thank the financial support from the National Foundation for Science and Technology Development (NAFOSTED), ASEAN-European Academic University Network (ASEA-UNINET).

I thank M.Sc. Vu Duc Quang, M.Sc. Trinh Van Ha and M.Sc. Pham Dinh Lam, my co-authors of published papers. I thank Assoc. Prof., Dr. Tran Quang Anh and Dr. Nguyen Quang Uy for many helpful insights for my research. I thank colleagues, especially my cool labmate Mr. Nguyen Tran Dinh Long, in IT Research & Development Center, HaNoi University.

Finally, I thank my family for their endless love and steady support.

Certificate of Originality

I hereby declare that this submission is my own work under my scientific supervisors, Assoc. Prof., Dr. Nguyen Xuan Hoai, and Assoc. Prof., Dr. Luong Chi Mai. I declare that it contains no material previously published or written by another person, except where due reference is made in the text of the thesis. In addition, I certify that all my co-authors allow me to present our work in this thesis.

Hanoi, 2019
PhD student
Nguyen Van Truong

Contents

List of Figures
List of Tables
Notation and Abbreviation

INTRODUCTION
    Motivation
    Objectives
    Problem statements
    Outline of thesis

BACKGROUND
    1.1 Detection of Network Anomalies
        1.1.1 Host-Based IDS
        1.1.2 Network-Based IDS
        1.1.3 Methods
        1.1.4 Tools
    1.2 A brief overview of human immune system
    1.3 AIS for IDS
        1.3.1 AIS model for IDS
        1.3.2 AIS features for IDS
    1.4 Selection algorithms
        1.4.1 Negative Selection Algorithms
        1.4.2 Positive Selection Algorithms
    1.5 Basic terms and definitions
        1.5.1 Strings, substrings and languages
        1.5.2 Prefix trees, prefix DAGs and automata
        1.5.3 Detectors
        1.5.4 Detection in r-chunk detector-based positive selection
        1.5.5 Holes
        1.5.6 Performance metrics
        1.5.7 Ring representation of data
        1.5.8 Frequency trees
    1.6 Datasets
        1.6.1 The DARPA-Lincoln datasets
        1.6.2 UT dataset
        1.6.3 Netflow dataset
        1.6.4 Discussions
    1.7 Summary

COMBINATION OF NEGATIVE SELECTION AND POSITIVE SELECTION
    2.1 Introduction
    2.2 Related works
    2.3 New Positive-Negative Selection Algorithm
    2.4 Experiments
    2.5 Summary

GENERATION OF COMPACT DETECTOR SET
    3.1 Introduction
    3.2 Related works
    3.3 New negative selection algorithm
        3.3.1 Detectors set generation under rcbvl matching rule
        3.3.2 Detection under rcbvl matching rule
    3.4 Experiments
    3.5 Summary

FAST SELECTION ALGORITHMS
    4.1 Introduction
    4.2 Related works
    4.3 A fast negative selection algorithm based on r-chunk detector
    4.4 A fast negative selection algorithm based on r-contiguous detector
    4.5 Experiments
    4.6 Summary

APPLYING HYBRID ARTIFICIAL IMMUNE SYSTEM FOR NETWORK SECURITY
    5.1 Introduction
    5.2 Related works
    5.3 Hybrid positive selection algorithm with chunk detectors
    5.4 Experiments
        5.4.1 Datasets
        5.4.2 Data preprocessing
        5.4.3 Performance metrics and parameters
        5.4.4 Performance
    5.5 Summary

CONCLUSIONS
    Contributions of this thesis
    Future works

Published works

BIBLIOGRAPHY

List of Figures

1.1 Classification of anomaly-based intrusion detection methods
1.2 Multi-layered protection and elimination architecture
1.3 Multi-layer AIS model for IDS
1.4 Outline of a typical negative selection algorithm
1.5 Outline of a typical positive selection algorithm
1.6 Example of a prefix tree and a prefix DAG
1.7 Existence of holes
1.8 Negative selections with 3-chunk and 3-contiguous detectors
1.9 A simple ring-based representation (b) of a string (a)
1.10 Frequency trees for all 3-chunk detectors
2.1 Binary tree representation of the detectors set generated from S
2.2 Conversion of a positive tree to a negative one
2.3 Diagram of the Detector Generation Algorithm
2.4 Diagram of the Positive-Negative Selection Algorithm
2.5 One node is reduced in a tree: a compact positive tree has nodes (a) and its conversion (a negative tree) has node (b)
2.6 Detection time of NSA and PNSA
2.7 Nodes reduction on trees created by PNSA on Netflow dataset
2.8 Comparison of nodes reduction on Spambase dataset
3.1 Diagram of an algorithm to generate perfect rcbvl detectors set
4.1 Diagram of the algorithm to generate positive r-chunk detectors set
4.2 A prefix DAG G and an automaton M
4.3 Diagram of the algorithm to generate negative r-contiguous detectors set
4.4 An automaton represents 3-contiguous detectors set
4.5 Comparison of ratios of runtime of r-chunk detector-based NSA to runtime of Chunk-NSA
4.6 Comparison of ratios of runtime of r-contiguous detector-based NSA to runtime of Cont-NSA

storage does not exceed 1% size of training dataset.

2- Time to tune parameters is an expensive factor in PSA2. Depending on training data, it takes about 2-5 hours to choose optimal parameters in the experiments.

Another experiment is conducted for comparing PSA2’s performance in cases of ring-based and linear-based datasets. In line of Table 5.4, performance metrics are of ring string-based PSA2 from Experiment (line in Table 5.3). The best performance metrics for linear string-based PSA2 conducted in the same conditions are in line of the table. In this case, = 40 and optimal values for arguments r, t1, t2, t3, and t4 are 9, 4, 8, 7, and 10, respectively. The results show that ring string-based PSA2 is better than linear string-based PSA2 in terms of three metrics ACC, DR, and FAR.

Table 5.4: Comparison between ring string-based PSA2 and linear string-based PSA2

Algorithms                                    ACC      DR       FAR
Ring string-based PSA2 (from Experiment 1)    0.9879   0.9977   0.0146
Linear string-based PSA2                      0.9833   0.9973   0.0199

5.5 Summary

In this chapter, we present a new PSA, called PSA2, for two-class classification through a series of works. It has four important features that make it unique and alleviate some issues in NSAs. Firstly, it uses ring representation instead of linear one for better performance in terms of both detection and accuracy rates. Secondly, the proposed algorithm uses PSA with both types of data, normal samples and abnormal ones, in a uniform framework, while other PSAs use only one type of samples. This results in good coverage of both self space and nonself one. Last but not least, the process of parameters optimization (r, t1, t2, t3, t4,) as well as the method of using three frequency-related parameters d1, d2 and d3, play an important role in improving overall performance. The new method to map integer values into binary strings is the fourth feature of the algorithm.

To verify the effectiveness of the proposed approach, two different datasets are adopted to validate this approach. The results from four experiments indicate that the proposed approach can produce competitive and consistent classifying performance on real datasets. Moreover, results from Experiment with only 10% of training dataset confirm that PSA2 can detect anomalies in a small amount of labelled data.

In the future, we are planning to combine our algorithms with some machine learning methods to have better detection performance, as well as reduce training time. Moreover, it would be interesting to further develop technique on how to choose optimal parameters as well as to integrate them in new objective functions.

The main contribution of this chapter has been accepted for publication in the proceedings of a National Conference on Fundamental and Applied IT Research.

CONCLUSIONS

Applying computational intelligence-based techniques is an inevitable trend to build smart IDSs. This approach helps computer networks be more adaptable to a continuously changing environment with more sophisticated attacks. In this thesis, we show that AIS, a subfield of computational intelligence, is relatively successful in building NIDS, at least in the simulation stage. A series of works is proposed and investigated to improve NSAs for two popular matching rules, r-chunk and r-contiguous.

Contributions of the thesis

The major contributions of this research are:

• Propose a ring representation of data instead of linear one for better performance in terms of both detection rate and accuracy rate.
• Propose an algorithm PNSA that combines two selection algorithms in a uniform for compact representation of data. Performance of the algorithm is highly guaranteed by the experiment results and theoretical proof.
• Propose a NSA with variable length of detectors, VNSA, to generate a complete and non-redundant detector sets as well as reduce detectors storage and classification time.
• Propose an r-chunk detector-based NSA, Chunk-NSA, and experimentally and theoretically prove that it is r times faster in data training compared with the most recently published algorithms.
• Propose an algorithm PSA2 to apply a hybrid algorithm that combines PSA and some statistical approaches to achieve better performance of intrusion detection compared with some recently published works.
• Propose a data conversion to convert data into a suitable binary format.

One minor contribution of this thesis is proposing an algorithm Cont-NSA on r-contiguous matching rule and proving that it is approximately r times faster in data training compared with that of a recently published algorithm.

Future works

In the future, we would like to:

• Combine our algorithms with some machine learning methods to have better detection performance.
• Further develop technique that can choose optimal parameters and integrate them in new objective functions for hybrid NIDS.
• Improve proposed algorithms to apply them on other data types with different data representations; the matching rule is also a future research direction.
• Further optimize Cont-NSA for better detection time O( ) and optimal training time O(|S| ).

In a nutshell, the thesis has overviewed important works relating to the research topic, has proposed some improvements of selection algorithms, and has verified the effectiveness of proposed algorithms by experiments and proofs. Obtained results have been satisfying given research objectives. However, the results are also humble and should be improved more by the PhD student in the future. The PhD student would like to receive any comments from scientists, and other readers concerned about the subject so that the result of the topic can be increasingly perfect.

Published works

A1. N. V. Truong and P. D. Lam, “Improving negative selection
algorithm in artificial immune systems for computer virus detection,” Journal of Science and Technology, Thai Nguyen University, 72(06):53–58, 2010.
A2. N. V. Truong, V. D. Quang and T. V. Ha, “A fast r-chunk detector-based negative selection algorithm,” Journal of Science and Technology, Thai Nguyen University, 90(02):55–58, 2012.
A3. N. V. Truong and T. V. Ha, “Another look at r-chunk detector-based negative selection algorithm,” Journal of Science and Technology, Thai Nguyen University, 102(02):45–50, 2013.
A4. N. V. Truong, N. X. Hoai, and L. C. Mai, “A Novel Combination of Negative and Positive Selection in Artificial Immune Systems,” Vietnam National University, Hanoi Journal of Science: Computer Science and Communication Engineering, 31(1):22–31, 2015.
A5. N. V. Truong, P. D. Lam, and V. D. Quang, “Some Improvements of Selection Algorithms for Spam Email Filtering,” Journal of Science and Technology, Thai Nguyen University, 151(06):85–91, 2016.
A6. N. V. Truong, N. X. Hoai, “An improved positive selection algorithm for flow-based intrusion detection,” Proceedings of the 2nd National Conference on Fundamental and Applied IT Research (FAIR), 2019 (Accepted).

Bibliography

[1] DARPA Dataset. https://www.ll.mit.edu/r-d/datasets [accessed 20-Mar-2019].
[2] FDFA Datasets. http://www.unsw.adfa.edu.au/australian-centre-for-cyber-security/cybersecurity/ADFA-IDS-Datasets/ [accessed 20-July-2018].
[3] KDD99 Dataset. http://kdd.ics.uci.edu/databases/kddcup99 [accessed 20-Mar-2018].
[4] NSL-KDD Dataset. https://www.unb.ca/cic/datasets/nsl.html [accessed 25-July-2019].
[5] S. Afaneha, R. A. Zitarb, and A. A. Hamamic. Virus detection using clonal selection algorithm with genetic algorithm (VDC algorithm). Applied Soft Computing, 13:239–246, 2013.
[6] M. Ayara, J. Timmis, R. de Lemos, L. N. de Castro, and R. Duncan. Negative selection: How to generate detectors. In Proceedings of the 1st International Conference on Artificial Immune Systems (ICARIS), pages 89–98, 2002.
[7] A. S. A. Aziz, M. Salama, A. ella Hassanien, and S. E. O. Harafi. Detectors generation using genetic algorithm for a negative selection inspired anomaly network intrusion detection system. In Proceedings of the FedCSIS, pages 597–602, 2012.
[8] K. Bache and M. Lichman. UCI Machine Learning Repository. http://archive.ics.uci.edu/ml [accessed 20-July-2016].
[9] J. Balthrop, F. Esponda, S. Forrest, and M. Glickman. Coverage and generalization in an artificial immune system. In Proceedings of Genetic and Evolutionary Computation Conference (GECCO), pages 3–10, 2002.
[10] J. Balthrop, S. Forrest, and M. Glickman. Revisiting LISYS: Parameters and normal behavior. In Proceedings of the Congress on evolutionary computation, pages 1045–1050, 2002.
[11] F. Barani. A hybrid approach for dynamic intrusion detection in ad hoc networks using genetic algorithm and artificial immune system. In Proceedings of the Iranian Conference on Intelligent Systems (ICIS), pages 1–6, 2014.
[12] D. K. Bhattacharyya and J. K. Kalita. Network anomaly detection: A machine learning perspective. CRC Press, 2013.
[13] M. H. Bhuyan, D. K. Bhattacharyya, and J. K. Kalita. Network anomaly detection: methods, systems and tools. IEEE communications surveys & tutorials, 16(1):303–336, 2014.
[14] R. Bronte, H. Shahriar, and H. M. Haddad. A signature-based intrusion detection system for web applications based on genetic algorithm. In Proceedings of the International Conference on Security of Information and Networks, pages 32–39, 2016.
[15] T. C. Butler, M. Kardar, and A. K. Chakraborty. Quorum sensing allows T cells to discriminate between self and nonself. Proceedings of the National Academy of Sciences, 110(29):11833–11838, 2013.
[16] C. Callegari and N. Cyprus. Statistical approaches for network anomaly detection. In Proceedings of the 4th International Conference on Internet Monitoring and Protection (ICIMP), pages 24–28, 2009.
[17] M. J. Chapple, T. E. Wright, and R. M. Winding. Flow anomaly detection in firewalled networks. In Proceedings of the Securecomm and Workshops, pages 1–6, 2006.
[18] S. Chen. Optimized multilevel immune learning algorithm in abnormal detection. Information Technology Journal, 12(3):514–517, 2013.
[19] D. Dasgupta. Artificial Immune Systems and Their Applications. Springer-Verlag, Berlin Heidelberg, 1998.
[20] D. Dasgupta and R. Azeem. An investigation of negative authentication systems. In Proceedings of the 3rd International Conference on Information Warfare and Security, pages 117–126, 2008.
[21] D. Dasgupta and Y. Cao. An immunogenetic approach to spectra recognition. In Proceedings of the Genetic and Evolutionary Computation Conference (GECCO), pages 149–155, 1999.
[22] D. Dasgupta and S. Forrest. Novelty detection in time series data using ideas from immunology. In Proceedings of the International Conference on Intelligent Systems, pages 82–87, 1996.
[23] D. Dasgupta and F. Gonzalez. An immunity-based technique to characterize intrusions in computer networks. IEEE Transactions on Evolutionary Computation, 6:281–291, 2002.
[24] D. Dasgupta and F. Nino. A comparison of negative and positive selection algorithms in novel pattern detection. In Proceedings of the International Conference on Systems, Man, and Cybernetics, pages 125–130, 2000.
[25] D. Dasgupta and S. Saha. Password security through negative filtering. In Proceedings of the International Conference on Emerging Security Technologies (EST), pages 83–89, 2010.
[26] D. Dasgupta, S. Yu, and N. S. Majumdar. MILA-multilevel immune learning algorithm. In Proceedings of the Genetic and Evolutionary Computation Conference (GECCO), pages 183–194. Springer, 2003.
[27] L. N. de Castro and J. Timmis. Artificial Immune Systems: A New Computational Intelligence Approach. Springer-Verlag New York, Inc., Secaucus, NJ, USA, 2002.
[28] K. S. Desale and R. Ade. Genetic algorithm based feature selection approach for effective intrusion detection system. In Proceedings of the International Conference on Computer Communication and Informatics (ICCCI), pages 1–6, 2015.
[29] P. D’haeseleer. An immunological approach to change detection: Theoretical results. In Proceedings of the IEEE Computer Security Foundations Workshop, pages 18–26, 1996.
[30] P. D’haeseleer, S. Forrest, and P. Helman. An immunological approach to change detection: algorithms, analysis and implications. In Proceedings of IEEE Symposium on Security and Privacy, pages 110–119, 1996.
[31] M. Elberfeld and J. Textor. Efficient algorithms for string-based negative selection. In Proceedings of the International Conference on Artificial Immune Systems, pages 109–121, 2009.
[32] M. Elberfeld and J. Textor. Negative selection algorithms on strings with efficient training and linear-time classification. Theoretical Computer Science, 412(6):534–542, 2011.
[33] F. Esponda, E. S. Ackley, and S. Forrest. Online negative databases. In Proceedings of the International Conference on Artificial Immune Systems (ICARIS), pages 175–188. Springer, 2004.
[34] F. Esponda, S. Forrest, and P. Helman. A formal framework for positive and negative detection schemes. IEEE Transactions on Systems, Man, and Cybernetics, Part B (Cybernetics), 34(1):357–373, 2004.
[35] D. A. Fernandes, M. M. Freire, P. A. Fazendeiro, and P. R. Inácio. Applications of artificial immune systems to computer security: A survey. Journal of Information Security and Applications, 35:138–159, 2017.
[36] S. Forrest, S. A. Hofmeyr, A. Somayaji, and T. A. Longstaff. A sense of self for UNIX processes. In Proceedings of the IEEE Symposium on Research in Security and Privacy, pages 120–128, 1996.
[37] S. Forrest, B. Javornik, R. E. Smith, and A. S. Perelson. Using genetic algorithms to explore pattern recognition in the immune system. Evolutionary Computation, 1:191–211, 1993.
[38] S. Forrest, A. S. Perelson, L. Allen, and R. Cherukuri. Self-nonself discrimination in a computer. In Proceedings of the IEEE Symposium on Security and Privacy, pages 202–212, 1994.
[39] Z. Fuyong and Q. Deyu. Run-time malware detection based on positive selection. Journal in Computer Virology, 7:267–277, 2011.
[40] Z. Fuyong and Q. Deyu. A positive selection algorithm for classification. Journal Computational Information Systems, 7:207–215, 2012.
[41] A. A. Ghorbani, W. Lu, and M. Tavallaee. Network intrusion detection and prevention: concepts and techniques. Springer Science & Business Media, 2009.
[42] F. González, D. Dasgupta, and J. Gómez. The effect of binary matching rules in negative selection. In Proceedings of the Genetic and Evolutionary Computation Conference (GECCO), pages 195–206, 2003.
[43] C. Guo, Y.-J. Zhou, Y. Ping, S.-S. Luo, Y.-P. Lai, and Z.-K. Zhang. Efficient intrusion detection using representative instances. Computers & Security, 39, Part B:255–267, 2013.
[44] X. Hang and H. Dai. Applying both positive and negative selection to supervised learning for anomaly detection. In Proceedings of the Conference on Genetic and Evolutionary Computation (GECCO), pages 345–352, 2005.
[45] P. K. Harmer, P. D. Williams, G. H. Gunsch, and G. B. Lamont. An artificial immune system architecture for computer security applications. IEEE Transactions on Evolutionary Computation, 6(3):252–280, 2002.
[46] S. Hofmeyr. An immunological model of distributed detection and its application to computer security. PhD thesis, The University of New Mexico, Albuquerque, NM, 1999.
[47] S. B. Inadyuti Dutt and I. Maitra. Intrusion detection system using artificial immune system. International Journal of Computer Applications, 144(12):19–22, 2016.
[48] Z. Jadidi, V. Muthukkumarasamy, and E. Sithirasenan. Metaheuristic algorithms based flow anomaly detector. In Proceedings of the Asia-Pacific Conference on Communications (APCC), pages 717–722, 2013.
[49] Z. Jadidi, V. Muthukkumarasamy, E. Sithirasenan, and K. Singh. Flow-based anomaly detection using semisupervised learning. In Proceedings of the International Conference on Signal Processing and Communication Systems (ICSPCS), pages 1–5, 2015.
[50] Z. Ji. Negative Selection Algorithms: from the Thymus to V-detector. PhD thesis, The University of Memphis, 2006.
[51] Z. Ji and D. Dasgupta. Revisiting negative selection algorithms. Evolutionary Computation, 15:223–251, 2007.
[52] L. Jim and M. Gregory. A review of artificial immune system based security frameworks for manet. International Journal of Communications, Network and System Sciences, 9(1):1–18, 2016.
[53] K. Jungwon. Integrating Artificial Immune Algorithms for Intrusion Detection. PhD thesis, University College London, 2002.
[54] J. Kim and P. J. Bentley. An Evaluation of Negative Selection in an Artificial Immune System for Network Intrusion Detection. In Proceedings of the Genetic and Evolutionary Computation Conference (GECCO), pages 1330–1337, 2001.
[55] J. Kim, P. J. Bentley, U. Aickelin, J. Greensmith, G. Tedesco, and J. Twycross. Immune system approaches to intrusion detection – a review. Natural Computing, 6(4):413–466, 2007.
[56] A. Košmrlj, A. K. Jha, E. S. Huseby, M. Kardar, and A. K. Chakraborty. How the thymus designs antigen-specific and self-tolerant T cell receptor sequences. Proceedings of the National Academy of Sciences, 105(43):16671–16676, 2008.
[57] A. Košmrlj, E. L. Read, Y. Qi, T. M. Allen, M. Altfeld, S. G. Deeks, F. Pereyra, M. Carrington, B. D. Walker, and A. K. Chakraborty. Effects of thymic selection of the T-cell repertoire on HLA class I-associated control of HIV infection. Nature, 465(7296):350–354, 2010.
[58] V. D. Kotov and V. Vasilyev. Immune model based approach for network intrusion detection. In Proceedings of the International Conference on Security of Information and Networks (SIN), pages 233–237, 2010.
[59] W. Ma, D. Tran, and D. Sharma. Negative selection with antigen feedback in intrusion detection. In Proceedings of the International Conference on Artificial Immune Systems (ICARIS), pages 200–209, 2008.
[60] M. V. Mahoney and P. K. Chan. An analysis of the 1999 DARPA/Lincoln Laboratory evaluation data for network anomaly detection. In Proceedings of the International Workshop on Recent Advances in Intrusion Detection, pages 220–237, 2003.
[61] C. A. Martínez, G. I. Echeverri, and A. G. C. Sanz. Malware detection based on cloud computing integrating intrusion ontology representation. In Proceedings of the IEEE Latin-American Conference on Communications, pages 1–6, 2010.
[62] J. McHugh. Testing intrusion detection systems: A critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory. ACM Transactions on Information and System Security, 3(4):262–294, 2000.
[63] T. Mehmod and H. B. M. Rais. Ant colony optimization and feature selection for intrusion detection. In Advances in Machine Learning and Signal Processing, pages 305–312. Springer, 2016.
[64] R. Murugesan and V. N. Kumar. A Fast Algorithm for Solving JSSP. European Journal of Scientific Research, 64:579–586, 2011.
[65] P. Ning and S. Jajodia. Intrusion detection techniques. The Internet Encyclopedia, 2003.
[66] L. X. Peng and Y. F. Chen. Positive selection-inspired anomaly detection model with artificial immune. In Proceedings of the International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC), pages 56–59, 2014.
[67] P. H. Pisani, A. C. Lorena, and A. C. Carvalho. Adaptive positive selection for keystroke dynamics. J. Intell. Robotics Syst., 80(1):277–293, 2015.
[68] D. Poole, A. Mackworth, and R. Goebel. Computational Intelligence: A Logical Approach. Oxford University Press, Oxford, UK, 1997.
[69] Y. Sawaya, A. Kubota, and Y. Miyake. Detection of attackers in services using anomalous host behavior based on traffic flow statistics. In Proceedings of the International Symposium on Applications and the Internet (SAINT), pages 353–359, 2011.
[70] M. Sheikhan and Z. Jadidi. Flow-based anomaly detection in high-speed links using modified GSA-optimized neural network. Neural Computing and Applications, 24(3-4):599–611, 2014.
[71] G. C. Silva and D. Dasgupta. A Survey of Recent Works in Artificial Immune Systems, pages 547–586. World Scientific, 2016.
[72] G. C. Silva, R. M. Palhares, and W. M. Caminhas. Immune inspired fault detection and diagnosis: A fuzzy-based approach of the negative selection algorithm and participatory clustering. Expert Systems with Applications, 39:12474–12486, 2012.
[73] K. B. Sim and D. W. Lee. Modeling of Positive Selection for the Development of a Computer Immune System and a Self-Recognition Algorithm. International Journal of Control, Automation, and Systems, 1:453–458, 2003.
[74] T. S. Sobh and W. M. Mostafa. A cooperative immunological approach for detecting network anomaly. Applied Soft Computing, 11(1):1275–1283, 2011.
[75] A. Sperotto, R. Sadre, F. Vliet, and A. Pras. A labeled data set for flow-based intrusion detection. In Proceedings of the IEEE International Workshop on IP Operations and Management, pages 39–50, 2009.
[76] A. Sperotto, G. Schaffrath, R. Sadre, C. Morariu, A. Pras, and B. Stiller. An Overview of IP Flow-Based Intrusion Detection. IEEE Communications Surveys Tutorials, 12(3):343–356, 2010.
[77] T. Stibor. On the appropriateness of negative selection for anomaly detection and network intrusion detection. PhD thesis, TU Darmstadt, 2006.
[78] T. Stibor, K. M. Bayarou, and C. Eckert. An investigation of R-chunk detector generation on higher alphabets. In Proceedings of the Genetic and Evolutionary Computation Conference (GECCO), pages 299–307, 2004.
[79] T. Stibor, P. Mohr, J. Timmis, and C. Eckert. Is negative selection appropriate for anomaly detection? In Proceedings of the Genetic and Evolutionary Computation Conference (GECCO), pages 321–328, 2005.
[80] T. Stibor, J. Timmis, and C. Eckert. A comparative study of real-valued negative selection to statistical anomaly detection techniques. Lecture notes in Computer science, 3627:262–275, 2005.
[81] Y. Tan. Anti-Spam Techniques Based on Artificial Immune System. CRC Press, 2016.
[82] J. Textor. Efficient negative selection algorithms by sampling and approximate counting. In Proceedings of the International Conference on Parallel Problem Solving from Nature, pages 32–41. Springer Berlin Heidelberg, 2012.
[83] J. Textor. Search and learning in the immune system: models of immune surveillance and negative selection. PhD thesis, Lübeck University, 2012.
[84] J. Textor, K. Dannenberg, and M. Liśkiewicz. A generic finite automata based approach to implementing lymphocyte repertoire models. In Proceedings of the Conference on Genetic and Evolutionary Computation (GECCO), pages 129–136, 2014.
[85] J. Timmis, A. Hone, T. Stibor, and E. Clark. Theoretical advances in artificial immune systems. Theoretical Computer Science, 403(1):11–32, 2008.
[86] Q. A. Tran, F. Jiang, and J. Hu. A real-time netFlow-based intrusion detection system with improved BBNN and high-frequency field programmable gate arrays. In Proceedings of the IEEE International Conference on Trust, Security and Privacy in Computing and Communications, pages 201–208, 2012.
[87] J. Vykopal. Flow-based Brute-force Attack Detection in Large and High-speed Networks. Dissertations, Masaryk University, 2013.
[88] Y. Wang. Statistical Techniques for Network Security: Modern Statistically-Based Intrusion Detection and Protection. IGI Global, 2008.
[89] S. T. Wierzchoń. Discriminative power of the receptors activated by k-contiguous bits rule. Journal of Computer Science and Technology, 1(3):1–13, 2000.
[90] S. T. Wierzchoń. Generating optimal repertoire of antibody strings in an artificial immune system. In Proceedings of the Symposium on Intelligent Information Systems, pages 119–133, 2000.
[91] P. Winter, E. Hermann, and M. Zeilinger. Inductive intrusion detection in flow-based network data using one-class support vector machines. In Proceedings of the International Conference on New Technologies, Mobility and Security (NTMS), pages 1–5, 2011.
[92] S. X. Wu and W. Banzhaf. The use of computational intelligence in intrusion detection systems: A review. Applied Soft Computing, 10(1):1–35, 2010.
[93] B. Xu, W. Luo, X. Pei, M. Zhang, and X. Wang. On average time complexity of evolutionary negative selection algorithms for anomaly detection. In Proceedings of the First ACM/SIGEVO Summit on Genetic and Evolutionary Computation, pages 631–638. ACM, 2009.
[94] H. Yang, T. Li, X. Hu, F. Wang, and Y. Zou. A survey of artificial immune system based intrusion detection. The Scientific World Journal, 2014.
[95] X. Yang and Z. Hui. Intrusion detection alarm filtering technology based on ant colony clustering algorithm. In Proceedings of the International Conference on Intelligent Systems Design and Engineering Applications (ISDEA), pages 470–473, 2015.
[96] D. Y. Yeung and Y. Ding. Host-based intrusion detection using dynamic and static behavioral models. Pattern Recognition, 36:229–243, 2003.
[97] J. Zeng, X. Liu, T. Li, G. Li, H. Li, and J. Zeng. A novel intrusion detection approach learned from the change of antibody concentration in biological immune response. Applied Intelligence, 35(1):41–62, 2011.
[98] D. Zhao and W. Luo. Real-valued negative databases. In Proceedings of the European Conference on Artificial Life (ECAL), pages 884–890, 2013.
[99] M. Zolotukhin, T. Hämäläinen, T. Kokkonen, and J. Siltanen. Online detection of anomalous network flows with soft clustering. In Proceedings of the International Conference on New Technologies, Mobility and Security (NTMS), pages 1–5, 2015.

...
changing environments and changing goals; it learns from experience; also it makes appropriate choices given perceptual limitations and finite computation [68].

1.1.4 Tools

IDS tools are used...

A partial matching rule can support an approximation or a generalization in the algorithms. The choice of the matching rule or the threshold in a matching rule must be application specific and...

generated by NSAs is much less than that of self samples, negative selection is obviously a better choice [51]. Similar to NSA, a PSA contains two phases: detector generation and detection. In the
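
The two PSA phases named above (detector generation, then detection) and the ring versus linear string comparison from the chapter summary, as an added example that is not code from the thesis: it implements plain r-chunk positive selection, not PSA2, and assumes the ring representation simply lets chunks wrap from the end of a string to its start. The function names and the 5-bit self set are constructed for illustration.

```python
from itertools import product


def r_chunks(s, r, ring=False):
    """Return the positional r-chunks (i, chunk) of string s.

    Linear: positions 0 .. len(s)-r.
    Ring (assumed wrap-around model): positions 0 .. len(s)-1; a chunk that
    runs past the end of s continues at the start of s.
    """
    if ring:
        wrapped = s + s[:r - 1]
        return [(i, wrapped[i:i + r]) for i in range(len(s))]
    return [(i, s[i:i + r]) for i in range(len(s) - r + 1)]


def generate_detectors(self_set, r, ring=False):
    """Phase 1, detector generation: every positional chunk seen in self data."""
    detectors = set()
    for s in self_set:
        detectors.update(r_chunks(s, r, ring))
    return detectors


def is_nonself(s, detectors, r, ring=False):
    """Phase 2, detection: flag s if any of its chunks is not a positive detector."""
    return any(chunk not in detectors for chunk in r_chunks(s, r, ring))


def holes(self_set, r, ring=False):
    """List the nonself strings that the detector set fails to flag."""
    detectors = generate_detectors(self_set, r, ring)
    length = len(self_set[0])
    missed = []
    for bits in product("01", repeat=length):
        s = "".join(bits)
        if s not in self_set and not is_nonself(s, detectors, r, ring):
            missed.append(s)
    return missed


# Constructed sample: two 5-bit "normal" strings, chunk length r = 3.
SELF = ["00100", "10111"]
R = 3

if __name__ == "__main__":
    print("linear detectors:", len(generate_detectors(SELF, R)))
    print("ring detectors:  ", len(generate_detectors(SELF, R, ring=True)))
    print("linear holes:", holes(SELF, R))
    print("ring holes:  ", holes(SELF, R, ring=True))
```

With linear chunks the strings 00111 and 10100 are built entirely from chunks of the two self strings and so pass as normal; the two extra wrap-around chunk positions of the ring form tie each string's tail to its head and reject both.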

Date posted: 22/04/2021, 16:16
