Abstract

The 1999 DARPA test results show that one of the most significant drawbacks of intrusion detection systems (IDS) is their low recognition ratio for new attacks. Because rule-based IDS can achieve good detection performance, we build a genetic immune model that is adaptive to rule-based IDS in order to improve the detection of new attacks. State transition (ST) analysis, one successful method, models penetrations as a series of state changes that lead from an initial state to a target compromised state. This paper presents the use of this model to recompose the ST method and so address the low recognition ratio problem. In this model, the ST method can be expressed as a double DNA chain pattern: one chain is the system state chain and the other is an action chain. The two twisting chains form a state-action sequence that represents the system state transitions. To retain the recognition performance of regular ID systems, we use STAT rules to create the initial non-self (or expert) DNA library, and newly found attack rules can still be added to the library. A simple host-based test is also performed to prove the effectiveness of this model.
