
Research on a Network Situation Awareness Model Based on Immune State Transition

1.1 Introduction

As the environment, time and requests change in a network, network security detection is required to be more efficient, adaptive and scalable in order to ensure the integrity, confidentiality and effectiveness of the entire network. Network security detection systems are based on intrusion detection systems, which rely primarily on two techniques: anomaly detection and misuse detection. These closely resemble the biological immune system, so artificial immune detection has made certain achievements in network security. Examples include the distributed artificial immune system model ARTIS [55, 56, 57], first proposed by Professor Forrest, the later distributed multi-agent computer immune system based on immune principles by Professor Ballet [58], and the dynamic clonal selection-based network intrusion detection model of Professor Kim [59, 60, 61].

However, these results are not perfect and have some defects. If a network security detection system describes self and non-self statically, it lacks adaptability and cannot meet the needs of a real network environment, so its false alarm rate and false negative rate are high. On the other hand, the immune cells (detectors) lack a dynamic buffering mechanism when they are eliminated during evolution: some detectors that play an important role in intrusion detection are discarded because they fail tolerance, simply because the non-self they originally matched has turned into self during a certain period.

This paper presents NSSPM (Network Security Situation Perception Model), an artificial-immune-based network security situation awareness model in which immune states can transition. The model defines unchanged self, changed self, non-self, antigens, antibodies, vaccines and other concepts, and explains the dynamic evolution of the immune cells in the model. Immature detectors are generated by combining recombination and mutation of the antibody gene pool with random generation [62]. For mature detectors and memory detectors, three immune states are set up (active state, blocking state and waking state), together with the corresponding state transition processes: the suspend process, the release process and the activation process. The model solves the problem of describing self and non-self dynamically in a computer immune system, detects both known and unknown network intrusions, and is distributed, self-learning and robust. It also proposes a memory immune detection tree based on antibody concentration, in which the order of the tree nodes is adjusted dynamically so that, in each detection, detectors are taken from high to low antibody concentration to match the antigen. When antibody concentrations change as network attacks change, the order of the tree nodes is adjusted in time so that high-concentration detectors match the antigen before low-concentration detectors, which reduces the number of invalid matches and improves detection efficiency.

1.2 NSSPM architecture

The model consists mainly of the antigen set, the immature detector set, the mature detector set, the memory detector set, the self set and so on. It comprises two main processes: the detection process, drawn with dashed lines, which identifies antigens and detects intrusions, and the evolution process of the immune detectors. The two processes run at the same time and influence each other.

The detection process is as follows: IP packets are turned into the antigen set Ag through antigen presentation; Ag is tested by the memory detectors Mb and the mature detectors Tb and divided into self (Self) and non-self (NonSelf); once the non-self is removed from Ag, the remaining antigens are treated as self. The initial self is set in advance.

Figure 3-1 NSSPM system structure

The evolution of the immune detectors is as follows: the initial immature detector set Ib(0) is set in advance; subsequent immature detectors are partly generated at random and partly produced by recombination and mutation of antibody genes. Immature detectors that pass self tolerance without being removed enter the mature detector set. A mature detector whose affinity with antigens reaches a certain threshold within its life cycle becomes a memory detector; otherwise it is removed from the mature detector set. When a mature detector becomes a member of the memory detector set, it is at the same time decomposed into gene fragments that are added to the antibody gene library. A memory detector dies if it matches self or has had no affinity with antigens for a long time.

1.3 Network security situation awareness model NSSPM

In the biological immune system, immune cells have a certain life cycle and go through a dynamic process from creation to death. In a network environment, changes in requirements, in the environment and so on mean that normal and abnormal network behavior also change. Therefore the components of the model in Figure 3-1, such as self, non-self, antigens, antibodies and the various immune detectors, change with time and with the environment.

1.4.1 Dynamic changes of self

To ensure security in a computer network, we must know what is normal network behavior and what is abnormal network behavior. Because requirements or the environment change, some network behavior previously considered normal may be prohibited after new vulnerabilities are discovered or network security requirements are raised; conversely, some previously prohibited network behavior may come to be considered normal because network security equipment has improved or new services need to be added. In this model, self represents normal network behavior and non-self represents suspicious network behavior. This means that self in a network is not permanent; it changes dynamically according to the requirements of network security managers. The model divides self into unchanged self and changed self.

(3-14)

Dynamic changes of unchanged self

The unchanged self is initially the pre-set self set. It is generated as follows:

(3-15)

In the initial state, the self is the pre-set self set. In , in the times the changed self set to add the newly created self set , the deletion mutation of autologous , to get t the moment autologous collection. time after a memory detector and mature detector antigen, not the attack is changed from the body, forming ; Similarly, t time, if the detector y and autologous x match, the co-stimulatory determined when x non-self when , since the death of the body x will form a . variation for the self collection of non-self.

Once something has become unchanged self it no longer varies, but the changed-self library is always changing. The self set is continually expanded and made more complete, so that it keeps up with the dynamic changes of network behavior in a real network environment; and where network security or application requirements turn a normal network behavior into an abnormal one, co-stimulation makes the corresponding self die. This greatly reduces the false negative rate. A false negative means that an illegal network action is taken for normal network behavior.

Dynamic changes of changed self

The changed self is initially empty. It changes as follows:

(3-16)

In time, has become self set to increase from the variation of the historical collection the variation comes from the body, but from the moment has become self set to remove t moment mutated have changed autologous . the collection of elements x in the time t-1 has been changed since the body is a collection of , but at the moment, the detector and x match, and x is determined by costimulatory variant non-self.

Because changed self is highly variable, this model uses caching: if a changed self becomes non-self again, it will be released. Changed self is mainly used for network behaviors whose security status changes often or that are only temporarily safe, and it improves the detection efficiency of the system.

1.4.2 Dynamic changes of the antibody gene library

G(t) denotes the antibody gene library at time t, a collection of antibody genes. In the initial state (t = 0):

(3-17)

The antibody gene library G(t) is initially set up as a normal gene pool of randomly generated strings using probability analysis methods. The gene pool keeps changing: newly added memory detectors bring new gene fragments, which make up the gene set Gnew(t); at the same time, memory detectors die because they match self or are not activated, so the corresponding gene fragments are removed from the antibody gene library, and the genes deleted at time t make up the set Gvar(t).

1.4.3 Dynamic changes of immature detectors

Generation of immature detectors

Immature detectors are the basis for generating mature detectors and memory detectors. They are produced in two ways, combined in a certain proportion: random generation, and combination of antibody gene fragments from the gene library. This preserves the advantageous characteristics of the parent generation while giving the new generation of immature detectors diversity.

(3-18)

t time that newly generated immature detector. One that a randomly generated immature detector, is a genetic cross time t generated immature detector. and as the ratio between the generated parameters. Of gene and each randomly selected single crossing point, between two cross-matching operation, new gene . To avoid blind crossover, crossover is performed only between gene fragments of the same type. Because the resulting immature detectors inherit better antibody genes, they can be trained into mature detectors faster and have a better ability to detect antigens.

Self tolerance

The immature detector set changes as follows:

(3-19)

Immature detectors must go through self tolerance. The self tolerance process is as follows:

(3-20)

Where is the tolerance of, greater than or equal 1, that time had never evolved into a mature mature detector set of detectors. Every immature detector in the model must undergo negative selection, which removes the immature detectors that can recognize self. Immature detectors undergoing tolerance are also always tolerated against newly added self, so that new immature detectors tolerate normal network behavior; this also handles unexpected network events well.

1.4.4 Dynamic changes of mature detectors

Principle of the transitions between mature detector states

If a mature immune detector matches antigens a certain number of times () within its life cycle (), it is activated and evolves into a memory immune detector; otherwise it dies. While matching antigens during its life cycle, a mature detector also goes through a dynamic evolution process.

Mature detectors comprise active-state mature detectors, blocking-state mature detectors and waking-state mature detectors.

First, mature detectors in the active state can be used for detection. An active-state mature detector matches antigens; if, within its life cycle, its accumulated affinity exceeds the matching threshold, it evolves into a memory detector. During antigen matching, if an active-state mature detector matches unchanged self, which does not vary, the detector dies directly.

When an active-state mature detector matches changed self, the model dynamically caches the detector: the active-state mature detector becomes a blocking-state mature detector. While a detector is blocked, if the self it matched has not turned into non-self, the detector remains blocked; when the matched (dynamic) self turns into non-self, the blocking-state mature detector is released and becomes a waking-state mature detector. A detector that remains blocked and is not released within its life cycle is judged dead and removed from the blocking-state detector set.

A waking-state mature detector first undergoes tolerance against the self newly added while it was blocked. A waking-state mature detector that passes tolerance is activated and becomes an active-state mature detector. One that does not pass tolerance is handled according to the type of self it matched: a waking-state detector that matches changed self is suspended again and converted to a blocking-state mature detector, and a waking-state detector that matches unchanged self is removed directly from the waking-state detector set.

1. Definition of the transition states

The mature detector has the following states:

Q1 (initial): the initial state of the detector, in which it undergoes tolerance against self; after passing the tolerance period it reaches the activated state.

Q2 (workon): the activated detector. A detector in this state has a certain life cycle; if its affinity with antigens accumulates to a certain threshold within the life cycle, the detector evolves from a mature detector into a memory detector.

Q3 (holdon): the suspended detector. When an activated detector or a released detector matches changed self, it enters state Q3.

Q4 (release): the released detector. When the changed self matched by a detector in state Q3 turns into non-self, the suspended detector is released into this state. In addition, if a detector in state Q4 does not match the self added during the time between entering Q3 and entering Q4, the detector is activated.

Q5 (evolve): the evolved detector. When a detector in state Q2 accumulates affinity with antigens up to a certain threshold within its life cycle, it becomes a memory detector; this is the initial state of the memory detector.

Q6 (death): the dead detector, that is, a detector eliminated from the detector set during the whole evolution process.

2. Description of the transition events

A detector experiences different events in its different states. The events are defined as follows:

E1: the detector matches unchanged self.
E2: the detector matches changed self.
E3: the detector does not match self.
E4: within the life cycle of the detector, the affinity threshold is reached.
E5: the age of the detector exceeds the life cycle value.
E6: the changed self x is determined by co-stimulation to have mutated into non-self.
E7: the event that an immature cell has passed through the tolerance period.

3. State transition diagram

4. State transition matrix

States (columns): Q1 (init), Q2 (workon), Q3 (holdon), Q4 (release), Q5 (evolve), Q6 (death)
Events (rows), with the detector sets entered in each row:
E1: Tb_active, Tb_revive
E2: Tb_active, Tb_revive
E3: Tb_active
E4: Tb_active
E5: Tb_active, Tb_wait
E6: Tb_wait
E7: Ib

Evolution principle of the mature detector states

1. Dynamics of the active-state mature detector

Figure 3-6 Flowchart of the active-state mature detector

(3-21)

Equation (3-21) defines the active mature detector at the moment an immature detector evolves into it.

(3-22)

Equation (3-22) states that each detection increases the age of an active mature detector by 1.

(3-23)

Equation (3-23) states that when an active mature detector matches an antigen, in addition to the age increase of 1 above, its match count also increases by 1.

At time t, the active-state mature detector set gains the mature detectors evolved from immature detectors and the mature detectors activated from waking-state detectors, and loses the active-state detectors that evolve into memory detectors, the active-state detectors that die because they match unchanged self, and the detectors that are suspended into blocking-state detectors.

2. Principle of the blocking-state mature detector

Figure 3-7 Blocking-state mature detector diagram

In the initial state, the blocking-state mature detector set is empty. At time t, the blocking-state detector set is the blocking-state detector set of time t-1, plus the suspended active-state detectors and the suspended waking-state detectors, minus the blocking-state detectors that are released and the detectors that die from prolonged blocking.

3. Principle of the waking-state mature detector

In the initial state, the waking-state mature detector set is empty. As shown in Figure 3-8, the waking-state detector set at time t is the waking-state detector set of time t-1, plus the released blocking-state detectors, minus the waking-state detectors that are converted into active-state or blocking-state detectors during evolution.

Figure 3-8 Flowchart of the waking-state mature detector

1.4.5 Dynamic changes of memory detectors

Principle of the transitions between memory detector states

When the affinity of a mature immune cell reaches the matching threshold, it evolves into a memory detector. While a memory detector matches antigens, its antibody concentration changes. When the match once a
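
The mature-detector state transitions of section 1.4.4 (states Q1 to Q6, events E1 to E7), written out as an added Python example that is not code from the paper. The transition table follows the prose description; the names MatureDetector, fire, detect and run, the lifecycle and threshold parameters, and the comparisons count >= threshold and age > lifecycle are assumptions.

```python
from dataclasses import dataclass
from enum import Enum

class S(Enum):
    INIT = "Q1"     # initial: undergoing self tolerance
    WORKON = "Q2"   # active: used for detection
    HOLDON = "Q3"   # blocked (suspended)
    RELEASE = "Q4"  # waking (released)
    EVOLVE = "Q5"   # becomes a memory detector
    DEATH = "Q6"    # eliminated

# (state, event) -> next state, as read from the prose of section 1.4.4.
# Unlisted pairs leave the state unchanged (a blocked detector stays blocked).
TRANSITIONS = {
    (S.INIT, "E7"): S.WORKON,     # tolerance period passed
    (S.WORKON, "E1"): S.DEATH,    # matched unchanged self
    (S.WORKON, "E2"): S.HOLDON,   # matched changed self: cache the detector
    (S.WORKON, "E4"): S.EVOLVE,   # affinity threshold reached
    (S.WORKON, "E5"): S.DEATH,    # life cycle exceeded
    (S.HOLDON, "E6"): S.RELEASE,  # matched changed self became non-self
    (S.HOLDON, "E5"): S.DEATH,    # never released within its life cycle
    (S.RELEASE, "E1"): S.DEATH,   # matched unchanged self
    (S.RELEASE, "E2"): S.HOLDON,  # matched changed self: suspended again
    (S.RELEASE, "E3"): S.WORKON,  # no self match: activated
}

@dataclass
class MatureDetector:
    lifecycle: int   # assumed parameter: maximum age
    threshold: int   # assumed parameter: matches needed to evolve
    state: S = S.INIT
    age: int = 0
    count: int = 0

    def fire(self, event):  # apply one event E1..E7, return the new state
        self.state = TRANSITIONS.get((self.state, event), self.state)
        return self.state

    def detect(self, matched_antigen):
        """One detection round of an active detector, then derive E4 or E5."""
        if self.state is not S.WORKON:
            return self.state
        self.age += 1                      # each detection ages the detector by 1
        self.count += int(matched_antigen) # a match also raises the match count
        if self.count >= self.threshold:
            return self.fire("E4")
        if self.age > self.lifecycle:
            return self.fire("E5")
        return self.state

def run(events, lifecycle=5, threshold=2):
    """Replay a constructed event sequence and return the visited state names."""
    d = MatureDetector(lifecycle, threshold)
    return [d.fire(e).value for e in events]
```

For instance, run(["E7", "E2", "E6", "E3"]) follows a detector that is activated, blocked on a changed-self match, released when that self turns into non-self, and then reactivated.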
