Computer network intrusion is currently one of the main corporate security problems. Intrusion detection systems face several implementation obstacles, mainly the detection of novel attacks and the occurrence of false positives and false negatives. Along these lines, this work proposes an intrusion detection model that employs the Dendritic Cells Algorithm (DCA). This algorithm, used mainly for anomaly detection, belongs to a new generation based on the Danger Model, a theory that defines the immune response as a biological reaction to cellular damage caused by noxious agents. DCA works on the correlation between the collected signals, defined within the scope of the problem, and the antigens, which are suspicious processes, in order to classify those processes as normal or abnormal. The algorithm was tested using simulations with an anomalous process, characterized by a ping scan of the network, and a normal process, characterized by a file transfer, executed both in isolation and concurrently. Ping scan is originally a network profiling tool, but it has been used for malicious information gathering aimed at refining attacks; its presence in the environment is a significant preliminary indication of an intrusion. In the tests, DCA was modified to allow a temporal analysis of the anomaly detection parameter. A large variation of this parameter was observed, which led to frequent false positives. In further tests, introducing normalization into the algorithm contributed strongly to improving anomaly detection and to reducing false positives and false negatives. Finally, a sensitivity and specificity analysis using ROC (Receiver Operating Characteristic) curves was carried out to measure the performance of DCA in the tests.
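The signal/antigen correlation and the classification by the anomaly parameter (the mature-context antigen value, MCAV) that the abstract describes, as an added Python example that is not the paper's code: the signal weights, the min-max normalization step, the round-robin cell pool, the migration threshold and the constructed ping-scan/file-transfer signal values are all assumptions.

```python
from collections import defaultdict

# Illustrative (PAMP, danger, safe) weights for the three DC outputs; the
# abstract does not give the paper's weights, so these are an assumption.
WEIGHTS = {"csm": (2.0, 1.0, 2.0), "semi": (0.0, 0.0, 1.0), "mat": (2.0, 1.0, -1.5)}

def normalize(samples):
    """Min-max scale each signal column to [0, 1] over the whole run, so the
    migration threshold is defined on a stable scale rather than raw units."""
    cols = list(zip(*[s[1:] for s in samples]))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    return [(ag, *[(v - l) / (h - l) if h > l else 0.0
                   for v, l, h in zip(sig, lo, hi)]) for ag, *sig in samples]

def run_dca(samples, n_cells=3, migration=6.0, normalise=True):
    """Feed (antigen, pamp, danger, safe) samples to a small DC pool and return
    {antigen: MCAV}. A DC accumulates signals and antigens until its csm output
    reaches the migration threshold, then votes 'mature' on every antigen it
    holds if mat > semi (else 'semi-mature'). MCAV = mature votes / all votes."""
    if normalise:
        samples = normalize(samples)
    cells = [{"csm": 0.0, "semi": 0.0, "mat": 0.0, "ag": []} for _ in range(n_cells)]
    votes = defaultdict(lambda: [0, 0])  # antigen -> [mature votes, total votes]

    def migrate(cell):
        ctx = 1 if cell["mat"] > cell["semi"] else 0
        for ag in cell["ag"]:
            votes[ag][0] += ctx
            votes[ag][1] += 1
        cell.update(csm=0.0, semi=0.0, mat=0.0, ag=[])
    for i, (ag, *sig) in enumerate(samples):
        cell = cells[i % n_cells]  # round-robin antigen sampling (assumption)
        cell["ag"].append(ag)
        for out, w in WEIGHTS.items():
            cell[out] += sum(wi * si for wi, si in zip(w, sig))
        if cell["csm"] >= migration:
            migrate(cell)
    for cell in cells:  # cells still collecting at end of run present anyway
        if cell["ag"]:
            migrate(cell)
    return {ag: m / t for ag, (m, t) in votes.items()}

def classify(mcav, threshold=0.5):
    """Label each process anomalous when its MCAV exceeds the threshold."""
    return {ag: "anomalous" if v > threshold else "normal" for ag, v in mcav.items()}

# Constructed environment signals (not the paper's data): a ping scan raises
# PAMP/danger, a file transfer raises safe; first isolated, then concurrent,
# where both processes are sampled in the same mixed-signal environment.
SAMPLES = ([("ping_scan", 40, 60, 5)] * 6 + [("file_transfer", 0, 5, 80)] * 6
           + [("ping_scan", 40, 60, 80), ("file_transfer", 40, 60, 80)] * 3)
```

With these inputs the concurrent phase raises the file transfer's MCAV above zero (the co-presentation effect behind the abstract's false positives) while the 0.5 threshold still separates the two processes; without normalization the migration threshold would have to be re-tuned to the raw signal scale.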