Computer Network Security

Published on July 2016

Computer Network Security Based on Pattern Recognition
Presented by M.P.N. Lakshmi, R. Bhavani, N. Syamala Sai

ABSTRACT - The major reason for unsatisfactory security is that current network techniques are mainly based on a trade-off among security, convenience and performance; that is, it is impossible to reach perfection. The latest advances in modern biological immune evolution theory reveal that the key to the consummate natural immune mechanism is pattern-based recognition of pathogens. The basic benefit of pattern recognition to the immune system is that what is called a 'pattern' is just a 'sort'. Comparison and recognition based on a sort are certainly more efficient and less wasteful than those based on the members of a sort. As is well known, the computer network security system is very similar in functionality to the natural immune system. This article tries to apply the pattern recognition mechanism to computer network security. It mainly discusses the application of multivariate statistical analysis and the genetic algorithm in the implementation algorithm of the security system.

Keywords: Network Security, Artificial Immunology, Pattern Recognition, Multivariate Statistics, Genetic Algorithm

1 INTRODUCTION
As more and more applications are deployed, the security of computer networks has been brought into focus and is drawing increasing attention from researchers. The major reason for unsatisfactory security is that current network techniques are mainly based on a trade-off among security (including high efficiency, the abilities of self-adaptability and self-learning, and tolerance), convenience and performance (including high efficiency); that is, it is impossible to reach perfection. So, in practice, we have to compromise security to gain better convenience and performance. Of course, this problem has existed since the network security issue was first raised, and with the rapid growth of network traffic it becomes more visible. Accordingly, it is increasingly urgent to solve this problem at its root. Looking at the current and usual security techniques, such as firewalls, intrusion detection, access control and others, we can see that the techniques of attack identification are the basis and core of all security techniques. Therefore, the above problem comes down to whether an attack identification policy and a corresponding implementation algorithm can be found that are effective, efficient and low in consumption at the same time.

2 Lessons drawn from the natural immune system
As is well known, the computer network security system is very similar in functionality to the natural immune system: both protect their respective systems against damage from internally and externally generated threats. Meanwhile, the natural immune system has ideal immune mechanisms: high effectiveness and efficiency, the abilities of self-adaptability and self-learning, tolerance, and so on, which are exactly what the computer network security system pursues. So simulating and drawing lessons from the natural immune system may be a feasible policy and technical route for the computer network security system.

2.1 Negative-selection algorithm
Researchers have in fact been studying artificial immune network security systems since the early 70's. The focus of study is on the core techniques of the network security system, the attack identification techniques, including both policy and algorithm. So far, the typical research result is the negative-selection algorithm (also known as nonself recognition), which is based on the immune reaction mechanism of the body's T-cells. This algorithm can be briefly described as follows: first define as many self activities as possible, then detect nonself activities against the self activities (for its detailed processing flow, see the reference). The greatest advantage of this exclusive algorithm is that it can detect unknown attacks, so it has the abilities of auto-adaptation and auto-learning; for this reason it has become the basic and typical immune algorithm at present. But in experiments, this algorithm has the following problems:
(1) As identification is made against self, if the set of self activities is not the universal set, the algorithm will have high false positive rates.
(2) Conversely, if the set is the huge universal set, the algorithm will be computationally inefficient.
(3) In fact, it is impossible to build a universal self set. One reason is that the selves may legitimately change, for example through the simplest change of IP address, so this algorithm will inevitably arouse autoimmunity analogous to that of the natural immune system.
Although Prof. Forrest and other researchers have evolved this algorithm, in sum this common immune recognition algorithm still cannot reach perfection.

2.2 Inspiration from biological immune evolution
Fortunately, for the difficulties of recognition, the natural immune mechanism again brings us new inspiration: the latest advances in modern biological immune evolution theory reveal that the key to the natural immune mechanism is pattern-based self/non-self identification. Here, the term pattern means the antigen-correlative molecule pattern, which has the following properties:
(1) It is possessed by a certain species or several species, and is not a special structure.
(2) It is a conserved structural component of the antigens and necessary to their survival.
(3) It is different in the abstract from the self-components of the host body.
Because of these features, the pattern recognition technique not only lets the biological immune system meet emergencies (there are several thousand sorts of antigens, whereas there are only several hundred sorts of antibodies), but also helps prevent antibodies from arousing autoimmune disease. So pattern recognition is the core of the natural immune system with its good immune mechanism, and it is a fundamental reference point for the artificial computer network security system. The more inspiring lessons from the pattern recognition of the natural immune system are as follows:
(1) What is called a 'pattern' is just a 'sort'. Comparison and recognition based on a sort are certainly more efficient and less wasteful than those based on the members of a sort.
(2) As the representation of a sort, a pattern is abstract, common and essential, so the recognition techniques based on it tolerate superficial characters.
Taken together, the techniques of pattern recognition can improve the performance of the network as a whole and thereby resolve at the root the previously mentioned problems facing current computer network security. (Of course, pattern recognition is not an entirely new idea. The usual misuse detection security techniques also detect attack activities by matching against patterns of known intrusion activities. But those patterns are just simple records of real attack activities, which are more redundant and lack the pattern signatures of abstraction, essence and commonness, so strictly speaking they cannot be called patterns.)
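The negative-selection algorithm of Section 2.1 and its false-positive problem, as an added example that is not code from the paper. It assumes activities encoded as 8-bit strings (constructed values) and the r-contiguous-bits matching rule, which the text above does not specify.

```python
from itertools import product

R = 4  # assumed matching rule: two strings match if they agree on R contiguous bits

def matches(a, b, r=R):
    return any(a[i:i + r] == b[i:i + r] for i in range(len(a) - r + 1))

def censor(self_set, length):
    """Generate every candidate detector and discard those that match self."""
    candidates = ("".join(bits) for bits in product("01", repeat=length))
    return [d for d in candidates if not any(matches(d, s) for s in self_set)]

def is_nonself(activity, detectors):
    """An activity is reported when any surviving detector matches it."""
    return any(matches(d, activity) for d in detectors)

def false_positives(legitimate, detectors):
    return [a for a in legitimate if is_nonself(a, detectors)]

# Constructed 8-bit encodings of recorded legitimate activity (hypothetical).
SELF = ["00000000", "00001111"]
DETECTORS = censor(SELF, 8)

# The same host after a legitimate change (for instance a new IP address):
# legitimate, but never recorded in the self set.
CHANGED_SELF = "11110000"
UNKNOWN_ATTACK = "10101010"  # constructed; matches nothing in the self set

if __name__ == "__main__":
    print("unknown attack detected:", is_nonself(UNKNOWN_ATTACK, DETECTORS))
    print("false positives:", false_positives(SELF + [CHANGED_SELF], DETECTORS))
    retrained = censor(SELF + [CHANGED_SELF], 8)  # self set must be kept current
    print("after retraining:", false_positives(SELF + [CHANGED_SELF], retrained))
```

The unknown attack is caught without any signature, but the legitimately changed activity is reported too until the self set is extended and the detectors regenerated, which is problem (3) in the list above.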

3 The application of multivariate statistical analysis

The attack (corresponding to antigen) pattern library is the most important component of a network security system based on pattern recognition. Consequently, building the attack pattern library is the key to the security techniques. Building the pattern library is just clustering: dividing the observed characteristic values of attack activities that have happened (or been defined) into different sets by a sorting rule. Correspondingly, recognizing an attack on the basis of the attack pattern library is just classifying: assigning an actual network activity to a certain sort of attack pattern (or to none) by a discriminating rule. As attack activities are usually described by multiple random variables, extracting and abstracting regular information from these miscellaneous data requires not only specialized knowledge but also a special tool. Multivariate statistical analysis is a powerful statistical tool, and clustering and classifying are at its core. So it is feasible to apply multivariate statistical analysis to the building of the attack pattern library and the recognition of attacks.

3.1 Building algorithm of the pattern library (namely the clustering algorithm)
When a multivariate statistical clustering algorithm is implemented, the main problems or steps include:
(1) The selection of characters. The random variables on which attack detection depends are usually numerous and miscellaneous. Provided that no valuable information is lost, the subset of measures most relevant to attacks should be selected. In this way the description of activities is simplified and the algorithm is more efficient. (In the following example the selected characters include the source address, the destination address, the communicating program, the total count of packets, the total count of bytes, and the total count of SYN packets.)
(2) The measure of distance, namely the measure of similarity between the members of a sort, which directly affects the result of clustering. Three kinds of distance measure are in common use: Euclidean distance, which is suitable for continuous variables; matched pairs, which is suitable for two-valued variables; and frequency, which is suitable for discrete variables. By comparison, Euclidean distance is more complex and usually gets lost in worthless detail; matched pairs, on the contrary, are so rough that some valuable information may be lost; frequency is well suited (it is taken as the measure of distance in the following example). The frequency is the number of similar characters between two activities. Because the comparison is based on similarity, not equality, the frequency is suitable for both quantitative and qualitative characters.

3.1.1 An example
Here we selected eleven familiar attack records A, B, C, D, E, F, G, H, J, K, L. The size of their measure subset is ten. The following distance matrix is obtained from their comparability:

The result of clustering, which may be called the tree of sorts, is shown as follows:

As in reality, the result of clustering is not unique. It is a tree of sorts, and the levels of the tree correspond to the degree of coarse-to-fine sorting. Our interest is in the middle level, namely a middling number of sorts, and the classifying that corresponds to the clustering is done at this level, for example at distance 5 (the attacks may be divided into 7 sorts at this level). The top level may be used as the dividing line: if a new observed value's distance to the top level is larger than a set threshold value, then it is probably (1) normal activity, if the distance is very large, or (2) a new attack, if the distance is in a certain range (this is because there are generally some similarities among attacks even when the attack is new). Accordingly, the newly recognized attack may be added to the tree of sorts. So this method has a certain ability of self-adaptability and self-learning.

3.2 Recognizing algorithm of attacks (namely the classifying algorithm)
As mentioned above, classifying should first of all be done at a suitable level of sorts, generally the middle level. In practice, we may select the level at which a corresponding solution to the attack can be found. Additionally, classifying is the converse of clustering; corresponding to the clustering, the classifying needs a certain measure of the degree of membership. Multivariate statistics usually takes the misclassification cost as the measure for classifying, but its requirement of a prior probability makes it subjective. We can instead use the same distance as in clustering as the measure. The key to adopting this method is simply to find a way of expressing a sort. The weighted mean of a sort's members is a feasible choice. In this way, a sort is equivalent to all its members, so recognition based on the sort is certainly more effective than recognition based on the sort's members. In summary, the basic algorithm steps of multivariate statistical analysis may be illustrated by Figure 3:
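The clustering and classifying steps of Sections 3.1 and 3.2 in working form, as an added example that is not the paper's code and does not reproduce its eleven records. The six sample records, the 25% similarity tolerance, single linkage, the equal-weight mean (most common value for qualitative characters) and the two thresholds are all assumptions.

```python
from collections import Counter
from statistics import mean

# Constructed records: source net, destination, program, packets, bytes, SYN packets.
ATTACKS = {
    "A": ("10.1", "web", "http", 900, 40000, 850),
    "B": ("10.1", "web", "http", 1000, 45000, 950),
    "C": ("10.2", "web", "http", 950, 42000, 900),
    "D": ("172.16", "db", "ssh", 60, 9000, 3),
    "E": ("172.16", "db", "ssh", 55, 8500, 3),
    "F": ("192.168", "mail", "smtp", 5000, 900000, 5),
}
TOLERANCE = 0.25  # assumed: numbers within 25% of each other count as similar

def similar(a, b):
    if isinstance(a, str) or isinstance(b, str):
        return a == b
    return abs(a - b) <= TOLERANCE * max(abs(a), abs(b), 1)

def distance(x, y):
    """Number of characters that are NOT similar (size minus the frequency)."""
    return sum(not similar(a, b) for a, b in zip(x, y))

def cluster(records, level):
    """Merge the closest sorts until the next merge would exceed `level`."""
    sorts = [[name] for name in records]
    def gap(s, t):  # single linkage: distance between the closest members
        return min(distance(records[a], records[b]) for a in s for b in t)
    while len(sorts) > 1:
        g, i, j = min((gap(s, t), i, j) for i, s in enumerate(sorts)
                      for j, t in enumerate(sorts) if i < j)
        if g > level:
            break
        sorts[i] += sorts.pop(j)
    return sorted(sorted(s) for s in sorts)

def pattern(records, members):
    """One representative per sort: mean of numbers, most common label otherwise."""
    cols = zip(*(records[m] for m in members))
    return tuple(Counter(c).most_common(1)[0][0] if isinstance(c[0], str) else mean(c)
                 for c in cols)

def classify(observation, patterns, attack_max=1, new_attack_max=3):
    """Compare against one pattern per sort, not against every member."""
    name, gap = min(((n, distance(observation, p)) for n, p in patterns.items()),
                    key=lambda pair: pair[1])
    if gap <= attack_max:
        return "known attack", name
    return ("new attack", name) if gap <= new_attack_max else ("normal", None)

LIBRARY = {"+".join(s): pattern(ATTACKS, s) for s in cluster(ATTACKS, level=1)}

if __name__ == "__main__":
    print(cluster(ATTACKS, level=1))
    print(classify(("10.3", "dns", "http", 940, 41000, 20), LIBRARY))
```

Raising `level` walks up the tree of sorts toward a single cluster, and an observation labelled as a new attack can be added to `ATTACKS` and the library rebuilt, which is the self-learning step the text describes.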

4 Auxiliary use of the genetic algorithm
The rationality and validity of the patterns is the precondition for building a security system based on patterns. The patterns obtained by multivariate statistical analysis are abstract and removed from practice. To guarantee the patterns' rationality and validity, we need to optimize them, for example by eliminating the patterns whose validity is low and letting the patterns whose validity is high have more offspring. In addition, the computer network, including its people, is an open, dynamic system, and the attacks on it have a certain randomness. The effective solution for this is to add diversity to the patterns appropriately. A genetic algorithm, based on copying and mutation operators and provided with random diversity and dynamic optimization, is the best auxiliary tool for this problem. Concretely, the copying operator of the genetic algorithm can optimize the patterns, and the mutation operator can add diversity to the patterns. In experiments, the main problem is determining the copying and mutation probabilities. The copying probability of a pattern should be directly proportional to the pattern's discriminating ratio, and the mutation probability of a pattern should be inversely proportional to the pattern's discriminating ratio.

5 Analysis of other problems

5.1 Expert knowledge and feedback mechanism
As mathematical tools, both multivariate statistical analysis and the genetic algorithm are general methods independent of specific questions. To solve a practical problem with them, the corresponding expert knowledge must be added [12]. For a computer network security system, expert knowledge includes not only knowledge specific to computer networks, such as the holes in the TCP/IP protocol and host systems, but also the analysis of attackers' behavior and psychology, which are also important aspects affecting the characters of attack activity.
Expert knowledge is applied mainly in algorithm design, especially in setting and optimizing the parameters of the algorithm. At the same time, it is necessary to build an effective validation mechanism and an adjustable feedback mechanism, for example by marking a sort pattern's validity according to happened or double attack activities and then naturally eliminating patterns of low validity.

5.2 Distributed implementation of the system
Besides pattern recognition, pertinence (an antibody deals with an antigen), distribution and mobility are the keys to the natural immune system working efficiently and at low cost [11]. So the implementation of a computer network security system should be distributed. At present, the mobile agent technique, which behaves intelligently and self-adaptively, is the latest development in distributed data processing. Applying the mobile agent technique to a distributed network security system can effectively improve the performance of the security system [5]. Of course, the security of the mobile agent is all the more important, because its aim is security itself. The security of a mobile agent has two aspects: protecting itself from attack and being free of hostility, which are embodied in the security of data and the legality of the agent itself. The former may use signatures to recognize the identity of whoever accesses the data; the latter may use an authentication mechanism to recognize the identity of the agent.

5.3 Cross-platform ability of the techniques
The first issue is the cross-platform ability of the pattern library. The attackers and the attacked may be on different platforms, such as Windows or Unix/Linux, and the corresponding attack activity characters differ with the platform, such as the occupations, but the pattern store is independent of the platform. How to eliminate the influence of the platform environment is a problem to be solved in the algorithm design for building the pattern store; selecting rational platform parameters is probably an effective solution. The other issue is the cross-platform ability of the mobile agent. Because the agent performs its function while moving between different system environments, semantic consistency between platforms must be guaranteed for the mobile agent's activities to be correct, which covers both the executing algorithm and the data format; the combination of Java and XML should be a good solution.

6 Conclusion
The major reason for unsatisfactory security is that current network techniques are mainly based on a trade-off among security, convenience and performance. Only security techniques that are effective, efficient and low in consumption can solve the current security problem at its root. As the techniques of attack identification are the basis and core of all security techniques, the problem comes down to whether an attack identification policy and a corresponding implementation algorithm can be found. Security techniques based on pattern recognition have the special features of self-adaptability, low consumption, tolerance, self-learning and so on, so they can improve the overall performance of the security system. Of course, building the attack pattern store is the precondition. Multivariate statistical analysis and the genetic algorithm may be used as effective tools. Expert knowledge can help guarantee the rationality and validity of the pattern library. Distributed system implementation and the cross-platform ability of the implementation techniques are the keys to building the system. This article has put forward some solutions to the problems mentioned. Of course, our method still needs more work before it can be implemented in an actual network environment; in particular, a large number of attack activities needs to be collected, which is the most important step in guaranteeing the rationality and validity of the patterns in practice.
