A Network Intrusion Detection Model Based on Immune Multi-Agent

A new network intrusion detection model based on immune multi-agent theory is established and the concept of multi-agents is advanced to realize the logical structure and running mechanism of immune multi-agent as well as multi-level and distributed detection mechanism against network intrusion, using the adaptability, diversity and memory properties of artificial immune algorithm and combing the robustness and distributed character of multi-agents system structure. The experiment results conclude that this system is working pretty well in network security detection.


Introduction
Along with the rapid development of network technology and fast upgrade of network attack technologies network security has become the focus of this age.However, current intrusion detection technologies [1,2], like statistical analysis, characteristics analysis and expert system etc, can not meet well all the needs.Firstly, the lack of adaptability makes it difficult to detect unknown attacks; Secondly, the lack of robustness leaves each part isolated without communication.Therefore, the building of a detection system with adaptability and robustness is in pressing needs.
Biological Immune System [3] identifies and eliminates foreign bodies intruding into the organism by immune cells.From the aspect of information processing, BIS is a distributed autonomic system and its selflearning, adaptability and robustness serve as important inspirations for the solving of network security problems.In 1974, Jerne [3] brought forth the first mathematical model in immune system, later in 1994, Forrest [4] put forward the concept of computer immune system for the detection of network intrusion, and up to now the artificial immune system based on biological immune theory has been applied extensively in network security.
Agent [5] refers to such entity as possessing perceiv-ing, analyzing and reasoning mechanism.Multi-agent [5,6] system, with fairly strong distributed character, robustness and coordination, realizes problem solving under complicated environment by harmonizing the interaction and cooperation among various separate Agents.
In this article, a new network intrusion detection model based on immune multi-agent (NIDIMA) is established and the concept of immune multi-agent is advanced in the building of logical structure and running mechanism of immune multi-agent to realize multi-level and distributed detection mechanism against network intrusion.This model provides a new way in network safeguard and proves to be an effective solution to network security detection throughout the experiment.

System Principles of the Detection Model Based on Immune Multi-Agent
Apart from inheriting the original characteristics of Agent, immune agent also has the characters of evolution, diversity, tolerance and detection [7,8] properties etc. 1) Evolution: Following the evolution law, IA activates antibodies, which can effectively recognize antigens, into higher form, while eliminates the inefficient one.In this way, the self-learning ability of detection is realized.570 2) Diversity: The matching of antibodies and antigens adopts fuzzy matching [9], with just the need to meet the preset value.The incomplete matching, which realizes the diversity of recognition, enables immune antibodies to recognize various kinds of antigens and in this way, it can produce antibodies covering the whole form space in theory.
3) Tolerability: Immune tolerability refers to the non-response status of immune cells towards the peculiarities revealed by certain kinds of antigens [10].The tolerability of IA is of great significance in the maintaining and balancing of the model.
4) Detection property: The immune system transmits the produced immune cells within each organ in vivo to increase immunologic competence.Network security model based on this mechanism is of great detection ability.
Combined with multi-agent and AIS technology, the detection model constitutes a multi-direction and multi-level intelligent network security model, with its mapping relationship with BIS model as shown in Table 1, and its system structure diagram as shown in Figure 1.
The model adopts large-scale and distributed system structure, and a series of network situation awareness agents and a network security situation evaluation agent is deployed in target networks and its host computer firstly.
Security situation evaluation agent gathers information about the security situation of subordinate subnets and host computers from each security situation awareness agent to evaluate about the whole integrated risks to the whole network, and the information includes the type, quantity, strength and harmfulness of the attacks.
The network security situation awareness agent shown in Figure 1 is itself a sub-network security situation awareness system, defined by recursion, and it mainly monitors on the sub-network security situation within its control, and specifically speaking, real-time monitor on the type, strength and harmfulness of attacks suffered by sub-network.Because there might as well be subnets under subnets, sub-network security situation awareness agents may be composed of sub-network security situation awareness agents at lower level.Eventually, security situation awareness agents, that monitor the specific host computer, are made up of intrusion detection and security situation evaluation of the host computer.
In this architecture, IA distributed at host computer node starts to recognize the intruded events at first, and in case unknown attacks are discovered through learning and memory, information will then be sent to corresponding SMC, while vaccines that has identified new attacks will be distributed to each node within the same network segment to improve the intrusion defense capability of each node.SMC makes analysis on the intrusion information sent by each IA in the network segment and SMC of suffered network segment will send vaccines to Table 1.The relationship between the BIS and the NIDIMA.other non-intruded network segments for early warnings for the realization of whole detection.

System Mechanism of the Network Intrusion Model Based on Immune Multi-Agent
In Figure 2, the logical structure of IA is shown, which includes self antigens, immature immune antibodies, mature immune antibodies and memory immune antibodies etc.The working procedures involve two interplaying and concurrent circulations, which are the circulation of immune antibodies' detection of external antigens and the circulation of immune antibodies' evolution.

The Definition of Immune Elements
Definition 1: Antigens are binary character strings the length of l that are feature-extracted from network IP data packets.Let U={0, 1} l (l>0)， antigen assembly Ag  U, it mainly includes IP address, port and protocol type etc.
Definition 2: The antigen assembly Ag is classified into two substes of self assembly Self (normal network behavior) and non-self assembly Nonself (abnormal network behavior): Antibodies and antigens have binary character strings of the same features and length, the definition of antibody assembly Antibody Ab is a quadruple, among which s means binary string in the length of l, age is the age of antibody, count is the quantity of antigens matched with antibodies, ag is the antigens that are detected by the antibodies.Antibodies are classified into three categories: mature antibodies, memory antibodies and immature antibodies.Mature antibodies, tolerable to self bodies, refer to the antibodies that are not activated by antigens, mature antibodies assembly T Ab  U; memory antibodies evolve from mature antibodies that are not activated, memory antibodies assembly M Ab  U; immature antibodies are antibodies that have not undergone self-tolerance, immature antibodies assembly I Ab  D.
Definition 3: Affinity serves as the main evidence to judge the matching state between antibodiesand antigens, and the calculation formula is as Formula (3), equaling to 1 means matching, or else non-matching.In the formula, x  Ag, y  B, x i , y i are the i-th characters of x, y respec-tively, l is the length of character string,  is the threshold value of affinity matching.

. The Changing Process of Immature Antibodies
Let I be the number of immature antibodies included in I Ab at certain time, the dynamic changing formula of immature antibodies assembly is: The Formula (4) indicates that the changing process of I Ab assembly is divided into 2, that is, inflow and outflow.Inflow is the process of newly produced immature antibodies' joining in I Ab assembly: I = I new ×△t，I new means the production rate of immature antibodies per unit of time.Outflow is the process of removing immature antibodies from I Ab assembly, and there are two directions of outflow: the quantity of immature antibodies decreased out of successful tolerance and evolution into mature antibodies is presented by , and presents the quantity of immature antibodies decreased out of tolerance failure.
In order to avoid matching between antibodies and self bodies, newly produced immature antibodies can only match with antigens after passing self tolerance.The tolerance process is shown as in Formula (5), and 1 means passing self tolerance, 0 means failure of self tolerance, x∈I Ab.

( , ) 1 ( ) 1 match tolerate y Self f x y f
x otherwise

The Changing Process of Mature Antibodies
Let T represent the number of mature antibodies included in T Ab at certain time, and the dynamic changing formula of mature antibodies assembly is: the Formula (6) indicates that the changing of T Ab assembly is divided into two processes: inflow and outflow.The inflow is the process of antibodies' joining the T Ab , and there are two ways: The number increased out of immature antibodies' successful tolerance and evolution is represented by means the number increase out of clonal selection of memory antibodies.Outflow is the process of removing mature antibodies, it also has two directions: the number of memory antibodies that have been evolved from activation is presented as represents the number that die from failed activation.
The mature antibodies assembly T active that have been activated and evolved into memory antibodies is shown in Formula ( 8), and the mature antibodies assembly T dead that have failed in activation is shown in Formula ( 9), among which  is activation threshold, and  is the life cycle of mature antibodies.

The Changing Process of Memory Antibodies
Let M as the memory antibodies quantity contained in M Ab at certain time, and the dynamic changing formula memory antibodies assembly is: Because memory antibodies have infinite life cycle, the change of M b assembly only has the process of inflow, without the outflow process of dead memory cells.The inflow of memory antibodies is conversed by activated mature antibodies T active , active active active active

Immune Surveillance
During the detection process of IA on network behaviors, it mainly adopts mature cells and memory cells to detect antigens, and it is capable to detect non-self antigens efficiently and rapidly, what follow are the detailed steps: 1) Antigen presentation: The feature information of IP packet is extracted from actual network data flow to constitute a binary string in the length of l, which is then put in the antigen assembly Ag as antigen regularly.
2) Using memory antibodies M Ab to detect antigens:

Experiment Results and Performance
ctivation threshold value βand life cycleλbear large on-self bodies that match with memory antibodies are removed, and memory antibodies that have detected self bodies in are also removed.
3) Using mature antibodies n-self antibodies that match with T Ab are removed, and the T Ab that has detected enough antigens in the life cycle is then activated and evolved into memory antibodies M Ab ; The M Ab that has not been activated or detected self elements in life cycle will die.4) Self body assembly upgra ft antigens will join in self body assembly, maintain dynamic self body upgrading, undergo self tolerance with immature antibodies and maintain dynamic evolution of antibodies.

Settings
T work segments of A, B, and composed of 20 host computers of the same configuration.A i , B i (1≤i≤20) means the i-th host computer in A, B segments respectively.The experiment applies part of the data from KDDCUP99 [11]

Analysis
A influence on TP and FP, the test performance of AD-NIIMA, therefore, optimization test should be carried out.
The experiment results are shown in Figure 3, when activation threshold value β is relatively small, and the mature antibodies are activated without thorough learning, FP is relatively bigger; when the life cycle λ is relatively small, the mature antibodies will die without activation and the memory antibodies will be scarce, which in total may cause TP lower.Along with the increase of β and λ, TP increases and FP decreases.However, when βandλare too big, TP decreases instead and FP increases.After through analysis, it is found
In Table 3 and Table 4, the comparison test results of this model and the detection tools matched with the patterns based on, BRO [12], are listed, and from the tables we can infer that the detection model is of higher TP and lower FP, and the types of recognized unknown attacks are more than that of BRO, which demonstrates that this model is of high self-learning and adaptability.
The active defense model for network intrusion based on artificial immune multi-agent put forth in this article has following advantages compared with other network intrusion defense techniques: 1) Self-learning; The memory mechanism and antibodies generation mechanism can not only detect well-known attacks, but also bear recognition ability towards unknown attacks.2) Multi-level; The model has introduced in the concept of vaccine, which can strengthen network nodes and connection between each network segment.3) Robustness; The model applies distributed system structure so that a single node under attack does not impact the detection abilities of other nodes.In a word, the experiment results reveal that the model differs greatly from the isolated and passive defense situation of traditional network security model, and it is a better solution to network security detection.
In Table 4, TP and FP curves of host computer A 2 with self evolution and detection, and the host computer A 3 , using vaccines emitted from A 1 for detection, are list respectively, and from the table we can conclude that in the later phase of experiment, the TP and FP curves of A 2 and A 3 are almost coincident.But in the early phase of the actual experiment, A 2 , that relies on itself for detection, has low detection rate due to a lack of antibodies, and the attacks have made severe damage to the during this exact phase, which is unacceptable for key network node.

NT
Ab to detect antigens: The no de: After detection, the le .Simulation Experiment and Result Analyse .1.Experiment Environment and Parameter he experiment environment is classified into two netd of source, destin .

Figure 3 .
Figure 3.Effect of the activation threshold β and the lifecycle λ.

Figure 4 .
Figure 4. Comparison of detecting effect between solitude evolution and vaccine reception.
in MIT LINCOLN lab as training and test data.The training set is normal network data without any attack, and the test set includes normal data and attack data.The attack data is classified into 4 categories: