Evolutionary Algorithm Approaches for Detecting Computer Network Intrusion ( Extended

Attacks against computer networks are becoming more sophisticated, with adversaries using new attacks or modifying existing attacks. With increased global interconnectivity, reliance on e-commerce, network services, and Internet communication, computer security has become a necessity. Organizations must protect their systems from intrusion and computer-virus attacks. Such protection must detect anomalous patterns by exploiting known signatures while monitoring normal computer programs and network usage for abnormalities. Current antivirus and network intrusion detection solutions can become overwhelmed by the burden of capturing and classifying new viral stains and intrusion patterns. To overcome this problem, a self-adaptive distributed agent-based defense immune system based on biological strategies is developed within a hierarchical layered architecture using genetic algorithms. A prototype interactive system is designed, implemented in Java, and tested. The results validate the use of a distributed-agent biologicalsystem approach toward the computer-security problems of virus elimination and intrusion detection. Also, a intrusion detection variation using evolutionary programming is introduced. This generic research is sponsored by the Defensive Information Warfare Branch, Information Directorate, Air Force Research Laboratory, Rome, NY. In its purest form, intrusion detection (ID) is the process of identifying the presence of unauthorized access to an enterprises computing resources. In practice, ID is broader and includes the detection of: 1) misuse/abuse; unauthorized activities by authorized users (e.g., accessing pornography, theft of information, using corporate resources for personal gain); 2) reconnaissance; determination of systems and services that may be exploitable; 3) penetration; attempt of unauthorized activity to gain access to computing resources; 4) penetration; successful access to computing resources by unauthorized users; 5) trojanization; presence and activity of unauthorized processes; 6) denial of service; an attack that obstructs legitimate access to computing resources.