On the appropriateness of negative selection for anomaly detection and network intrusion detection

English) The immune system is a complex system which protects humans and animals against diseases caused by foreign intruders such as viruses, bacteria and fungi. It appears as if the recognition and protection mechanism of the immune system can lead to the development of novel concepts and techniques for detecting intrusions in computer networks, particularly in the area of anomaly detection. In this thesis, the principle of “negative selection” as a paradigm for detecting intrusions in computer networks and anomaly detection is explored. Negative selection is a process of the immune system, which destroys immature antibodies which are capable of recognizing self-antigens. Antibodies which survive the negative selection process are self-tolerant and are capable of recognizing almost any foreign body substance. Roughly speaking one can say that the negative selection endows the immune system with an ability to distinguish between self and non-self. Abstracting the principle of negative selection, the coding antigens as bit-strings which represent network packets or as real-valued n-dimensional points and antibodies as binary detectors or as hyperspheres, one obtains an immuneinspired technique for use in the above mentioned areas of application. We are talking about artificial immune systems, when principles and processes of the immune system are abstracted and applied for solving problems. In this thesis, we explore the appropriateness of the artificial immune system negative selection for intrusion detection and anomaly detection problems. In the first instance, we describe the immune system negative selection principle, and the subsequent the artificial immune system negative selection principe. We then describe which network information are required to detect an intrusion. Results reveal that previous works that apply the negative selection for this application area, are not appropriate for real-world intrusion detection problems. Moreover we explore if a different antibody-antigen representations, i.e. real-valued n-dimensional points and high-dimensional hyperspheres are appropriate for anomaly detection problems. The results obtained, reveal that negative selection is not appropriate for anomaly detection problems, especially when compared to statistical anomaly detection