
Ebook A Real-Time Dynamic Danger Theory Model for Anomaly Detection in File Systems

As network-based computer systems play increasingly essential roles in modern society, computer crime and computer viruses have become serious global problems.

In the fight against hackers and viruses, firewalls and anti-virus software are the most popular solutions. But traditional Anomaly Detection Systems and traditional Intrusion Detection Systems (IDS) suffer from serious false-negative and false-positive problems [Axelsson 2000]. Also, massive audit trails are impossible for administrators to analyse manually [Kim & Bentley 1999]. And intruders grow ever more sophisticated.

Observing the natural world has inspired valuable theories. Biology provides sources of models and inspiration for the development of computational systems [de Castro & Timmis 2002]. The human immune system (HIS) fights off attacks in the body from various sources. In recent years, computer security researchers have looked to the immune system to inspire new methods of defence against security attacks. Artificial immune systems (AIS) have been proposed as the basis for effective defence.

While current AISs show great potential for tackling intruders, they have been held back by the huge amount of processing involved in some traditional models of natural immune systems [Aickelin 2003]. Immunologists are increasingly finding fault with traditional self/non-self thinking, and a new “Danger Theory” (DT) is emerging [Matzinger 1994; Aickelin & Cayzer 2002]. The new theory suggests that the immune system reacts to threats based on the correlation of various (danger) signals, and it provides a method of ‘grounding’ the immune response [Aickelin et al 2003]. Researchers are investigating this correlation in order to translate DT into the realm of computer security.

My research uses the DT-based AIS in anomaly detection in file systems. As appropriate for an MSc thesis, I introduce some background of computer security knowledge and immune theory, and then hypothesise a model for the application of the DT in the file system; finally I describe an experiment designed to test and evaluate my hypothesis. The high-level design of the entire model is introduced in chapter 5, with all parts of the framework shown. Implementation of this entire design is beyond the scope of a one-year MSc project. So I concentrate on the basic part of the danger zone, the neighbourhood monitor, in chapters 6 and 7, and leave the other parts as future work. This is sufficient to provide a close look into the detailed implementation, and an understanding of the whole model.

Contents

1 Introduction
2 Intrusion Detection and Computer Viruses
2.1 Intrusion Detection Systems
2.2 Anomaly Detection Systems
2.3 Computer Viruses
3 Immune Systems: biological and artificial
3.1 Immune System protection
3.2 Human Immune System
3.3 Artificial Immune System
3.4 Danger Theory
4 File Systems and Process Management
4.1 Introduction
4.2 File Systems
4.3 SMART Technology
4.4 Process Management Systems
5 A Real-time Dynamic Danger Theory Model
5.1 Overview of Research
5.2 Some Definitions
5.3 A Framework for the RDDT Model
5.4 Key Signals Definition
5.5 Definition of FCS
5.6 Immune Response System
5.7 Danger Detection System
5.8 Danger Zone
5.9 Danger Evaluation
6 Realisation of the Neighbourhood Monitor
6.1 Overview of the Neighbourhood Monitor
6.2 Random-Controlled Instance Generation (R-C IGM)
6.3 Dynamic-life Buffer Model (D-L BM)
6.4 An Overview for the Monitors
6.5 Physical Address Monitor (PAM)
6.6 Time Monitor (TM)
6.7 File Length Monitor (FLM)
6.8 Danger Type Library (DtL)
7 Monitor Analysis: Evaluation and Results
7.1 Introduction
7.2 Monitor Analysis Procedure
7.3 Evaluation Procedure
7.4 False rates
7.5 Physical Address Monitor Analysis and Results
7.6 Time Monitor Analysis and Result
7.7 File Length Monitor Analysis and Result
7.8 DtL Analysis and Result
7.9 Evaluation of the Experiment
7.10 Comparison with another approach
7.11 Summary
8 Evaluation of Research
9 Conclusion and Future Work
9.1 Can Danger Theory based AIS help in Anomaly Detection?
9.2 Did D-L BM work appropriately in the experiment?
9.3 What can the RDDT model be used for?
9.4 Future Work
Bibliography
Appendix
A.1. Abbreviations
A.2. Preset DtL
A.3. Additional Data Sets
A.4. Source Code
