




Science in China Ser. F Information Sciences 2005 Vol.48 No.5 557-578

An immunity based network security risk estimation

LI Tao

Department of Computer Science, Sichuan University, Chengdu 610065, China (email: )

Received March 9, 2004; revised July 10, 2005

Abstract According to the relationship between the antibody concentration and the pathogen intrusion intensity, here we present an immunity-based model for the network security risk estimation (Insre). In Insre, the concepts and formal definitions of self, nonself, antibody, antigen and lymphocyte in the network security domain are given. Then the mathematical models of the self-tolerance, the clonal selection, the lifecycle of mature lymphocyte, immune memory and immune surveillance are established. Building upon the above models, a quantitative computation model for network security risk estimation, which is based on the calculation of antibody concentration, is thus presented. By using Insre, the types and intensity of network attacks, as well as the risk level of network security, can be calculated quantitatively and in real-time. Our theoretical analysis and experimental results show that Insre is a good solution to real-time risk evaluation for the network security.

Keywords: artificial immune system, intrusion detection, network security, risk estimation.

DOI: 10.1360/04yf0140

There are two kinds of risk-estimation methods for the network security: static and real-time. The static methods estimate the network risk through statically evaluating the network value, security holes, and the occurring frequency of security events[1], e.g., COBRA 1), OCTAVE[2], etc. Focusing on the static factors of the target system, the static methods can only make a rough estimation of the security risk that the network faced in the past, and cannot in real-time evaluate the risk of network attacks that the network is vulnerable to.
Moreover, they have little ability to detect new coming network attacks, and thus they offer no self-adaptation capability to the complex environment of the network security[3]. In contrast with the research on the static risk-estimation, the research on the real-time risk-evaluation for the network security is still in a groping phase and only limited stud-

1) COBRA: Introduction to Risk Analysis. C

the others are derived from Agd, where the deriving methods include gene edit, genetic algorithm, etc.

Our proposed marrow model is based on the dynamic self tolerance, where the external system can add new self elements into and remove mutated ones from Self(t) at any time. The model has a good adaptive ability where the process of self tolerance is dynamic. The newly added self antigens will make the model generate new mature lymphocytes which tolerate those new self elements. However, the mature lymphocytes, which are generated before these new self elements are added into Self(t), may not be tolerant of these new self elements. Thus, two different lymphocytes may exist in Insre: one is tolerant of a certain antigen, but the other is not. Competition between these cells is arbitrated by the external system (co-stimulation, please refer to eq. (15)).

1.4 Clonal selection

(24) ( ) |(1),(1)( , )1 , clonebcheck Mty yMtxAg tfy x? ? ( ) |( ), ., cloneb Ttx xT txcount? (25) where ( ) |( , , , 1,( ), b T ty yBy dxd y px p y agexage ycountxcountxP t? (26) ( ) |( ),(1)( , )1, bcheck P tx xTtyAg tfx y? ? (27) ( ) |,( , , 1, ,(1), bb T ty yB ydxd y px p yagexageycountxcount xT t? (28)

where simulates the process that the lymphocytes evolve into the next generation cell. is the set of lymphocytes matched by the corresponding antigens, where the affinity between the lymphocyte and antigen is increased. P(t) is the set of lymphocytes matched by antigens, however, the corresponding affinities have not yet been increased.
Mclone(t) is the set of memory cells that match nonself antigens and will be cloned at time t. Tclone(t) is the set of mature cells whose affinities exceed the specified threshold ( ) b T t? ( ) b T t? ?(0), where the lymphocytes will be activated, cloned and evolved into memory cells at time t, that is, some new network attacks have been detected. The elements of Mclone(t) and Tclone(t) are also called immune-cell clones, which will clone and generate more lymphocytes to deal with similar and more intense attacks.

There are two possible responses of lymphocytes to antigens. One is the primary response, which is carried out by mature cells (Tclone) and needs a procedure of accumulating affinity, where the mature cells try to learn and recognize the antigens that have not been met before, thus requiring a long learning period. Therefore, the efficiency of the primary response is relatively lower. The other is the secondary response, which is carried out by memory cells (Mclone), and is much faster and stronger than the primary response. Once matching an antigen, the memory cell will be activated immediately. At this time, no more learning process is required.

1.5 Mature-lymphocyte lifecycle

_ ,0, ( ) ( )( )( )( )( ),1, b bnewclonenewclonedead t T t T tTtTtTtTtt ? ? ? ? ? ? (29) where ( )( )( )( ), bbb TtTtP tTt? (30) (31) ( ) |,( , .0, .0, .0,( ), newmaturation Tty yBy dxd y py ageycountxIt? _ ( )( ) |( ),(1). , ., clonenewclonenewclonenew TtTtx xTtySelf txd y aMatc? ?h (32) ) |( ), ., . |( ),(1). , . , deadbb Ttx xT t xagexcountx xT tySelf txd yaMatch? ? (33) (1) ( ) _ ( )( )1 ( ) , where,.( ),.0,.0,.0, cloneclone B t Family x clone newi x TtMti bivariationiii Ttx xT x dfx x px agex count ? ? ? ? ? ? ? ? ? ? ? (34) ( ), where , .,. , variation fxddD x ddx d dMatch? (35) ( ) |(1),. , .Family xy yB tx d y dMatch? (36)

Eq. (29) depicts the lifecycle of mature lymphocytes, where ( ) b T t?
simulates the process that the mature cells evolve into the next generation cells (for , and P(t), please see section 1.4). Tnew(t) is the set of new mature cells generated from the marrow model at time t. Tclone_new(t) is the set of new cells generated by the immune clones, where the new cells undergo a process of variation and self tolerance. Tclone(t) is the set of mature-cell clones that will evolve into memory cells at time t. Tdead(t) is the set of lymphocytes that have not matched enough antigens ( ( ) b T t?( ) b Tt? ?0) in the lifecycle?(0) or classified self antigens as nonself at time t. Mclone(t) is the set of memory-cell clones.

Copyright by Science in China Press 2005

The clone process is simulated by where each clone produces _ ( ), clone new T? t (1) (0 ( ) B t ? Family x ? ? ? ? ? )? ? new cells whose antibodies are variated by eq. (35). The number of clone cells is in inverse proportion to the number of cells whose genes are similar to those of the clones in the current system, where Family(x) is the set of lymphocytes whose antibodies are similar to that of x, and |B(t-1)| is the number of lymphocytes, including memory cells and mature ones, in the current system at time t-1. The process of cell variation is simulated by fvariation(x), where the antibodies of new cells are similar to those of x. The aim of variation is that the new clone lymphocytes can recognize some variations of the caught antigens. Therefore, the diversity of the system is enhanced.

In the mature-lymphocyte lifecycle, lymphocytes that have no effective function on classifying antigens are killed through the process of clonal selection. However, lymphocytes that have good effective function on classifying antigens will evolve into memory cells. Therefore, similar antigens can be detected quickly when they intrude the system again.
1.6 Dynamic immune-memory model

(37) _ ,0, ( ) (1)( )( )( ),1, b bdeadnewothermachineclone t Mt MtMtMtTtt ? ? ? ? ? ? where ( )( )( ), bbclone MtMtMt? (38) (39) 12 ( ) |,( ),( , , .0, 1), clonebclone Mtx xMyMtx dy d x py p x agexcounty count? ? ? 1 .1., .( ) |,( , . ., 0 1, ,(1)( ), bb bclone x pxage xageMty yMy dxd y p xage y agexageycountxcount xMtMt ? ? ? ? ? ? ? ? ? ? ? ? ? ? (40) ( ) |( ),(1). , ., deadb Mtx xMtySelf txd y aMatch? ? (41) 1 ( ) |,( ),( , ., .0, ), newbclone Mtx xMyTtxdyd x pxagexcountycount? (42) _ ( ) |,( ) ( , .0, .0, .0), othermachineclonebothermachine clone Ttx xMyTt x dy d x px agexcount ? ? (43) _ (1,.,), ( )( ),where is the number of computers in the network, is the serial number of the current computer, and is the clone i othermachine clone iK i k i clone clo TtTtK kT T ? ? ? of computer . ne i (44)

Eq. (37) describes the dynamic evolvement of memory lymphocyte. b M? simulates the process that the memory cells evolve into the next generation cells. Mnew is the set of new memory cells evolved from mature ones. Mdead simulates the death of memory cells: if a memory cell matches an antigen which is confirmed as a self antigen, that is, a false-positive error occurs, then this memory cell will be killed. ( ) clone Mt? is the set of activated memory cells at time t, whose antibody concentration is increased. ( ) b Mt? is the set of memory cells that are not activated by antigens at time t, whose antibody concentration needs to be decreased.

? (0, natural number) is the antibody-concentration maintaining period of the memory cells. When the memory cell y clones, including the cloning of a new memory cell which has just evolved from a mature one, we increase its antibody concentration according to eq. (39) or eq. 
(42), where ?1 (0), y.p, and ?2 (0) are, respectively, an antibody concentration increment, the current antibody concentration, and an award factor (monitoring continuous similar attacks). However, if a memory cell does not match any antigen during a period of ,? its antibody concentration will be decreased to zero according to Theorem 1, which means this kind of threat has been eliminated (note, here, x.age indicates how long x is not activated). However, if a memory cell matches an antigen again during a period of ,? its antibody concentration will be accumulated (see eq. (39)), which means this kind of threat increases continually.

_ ( ) othermachine clone T? t is the activated mature-cell set of other machines in the network at time t. When a mature cell is activated by antigens (i.e., a new attack is detected), it will be sent to other machines (just like bacterin). Thus, those machines will be capable of resisting similar network attacks. Tother_machine_clone(t) simulates the process of receiving bacterins from other machines (just like vaccination).

The death of memory cells in the dynamic immune memory model can reduce both false-positive and false-negative error rate. Furthermore, the dynamic immune memory model, along with the above-proposed models, can overcome the defect of the high error rate in traditional IDSs, enhancing the ability of self-adaptation.

Theorem 1. If a memory lymphocyte does not match any antigen and clone itself during a period of ,? its antibody concentration will decrease to zero.

Proof. Suppose the memory cell x matches an antigen and clones itself. Then, according to (39) and (42), x.age = 0. Note that x.age, here, means how many generations that x does not match nonself antigens again. For convenience, suppose Page represents the antibody concentration of x at generation age, where 0.age ? ? 
Then, according to (40) the antibody concentration Page is 12 23 11 111 (1)(2)(1) 23 11 (2)(3) ageageage ageage PPP ageageage age PPP ageage ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 0 1 1, ? ? ? ? ?(45) when ,age ? ? Page = 0.

Theorem 2. Suppose a memory lymphocyte continuously catches similar antigens (i.e., similar intrusions) for a long enough time, then the corresponding antibody concentration will go 2 , 1 ? ? 1 where 0 0). That is, the antigens in set Ag are all replaced by new antigens in?steps. Agnew contains the new antigens collected during the update period. AgNonself(t) and AgSelf(t) are, respectively, the set of antigens which are detected as nonself and self antigens at time t. QAg(t) are the antigens that are matched by mature lymphocytes, however, those cells are not activated. In other words, QAg(t) contains the antigens that are not sure nonself antigens. AgSelf(t) contains QAg(t), which means that an antigen is considered as a self antigen if it is not a sure nonself element. That is, the immune surveillance model adopts an intrusion tolerance strategy.

1.8 Real-time risk evaluation

Before discussing the network-security risk, we first give the definition of the relation Consanguinity in Mb: (51) ,| ,. , . b Consanguinityx yx yMxd y dMatch? Given , b XM?, ,x yXx yConsanguinity? X is called a consanguinity class generated by Consanguinity. If X is a consanguinity class and there is no relation Consanguinity between any element in b MX? and the element of X, then X is called a maximal consanguinity class.

It is obvious that the relation Consanguinity is reflexive and symmetrical, but not transitive. Let ,x yConsanguinity? i.e., there is a relation Consanguinity between two memory lymphocytes x and y, then we know that x and y have similar antibody genes. Thus, the intrusions detected by x or y should come from the same attack category.
Suppose that each element in Mb is a point in a two-dimensional space. For any , b x yM? if ,x yConsanguinity? then there is an edge between x and y. Thus all elements in Mb can form a graph, which is called consanguinity graph. For convenience, directed edges are replaced by undirected ones and the closed curve from a vertex to itself is ignored when drawing the consanguinity graph. According to the definition of maximal consanguinity class, we have:

Theorem 3. An isolated point in the consanguinity graph is a maximal consanguinity class; all points in a maximal complete subgraph form a maximal consanguinity class; the two points of an edge, which is not in a maximal complete subgraph, also form a maximal consanguinity class.

As Fig. 1 shows, the maximal consanguinity classes are: {b}, {a, c}, {a, h}, {c, e, f}, {c, d, f, g}.

Fig. 1. Consanguinity graph.

Given 12 , n A AA? 1 , bb MM? i bb MM? 1 , j j in A ? ? ? and where 12 , iii XX?, k i X i ? is the set of maximal consanguinity classes in , i b M |, i i Ax x? (i.e., Ai is a maximal consanguinity class in 1 |max(| i t tk xX? ? ? , i b M which has maximum elements) and 1 , b in i MA? ? ? we call ? the maximal consanguinity genealogy. According to the definition of ?, we have , ij AA? where The above description proves that: 1jin? .

Theorem 4. The maximal consanguinity genealogy in Mb is a partition of Mb.

As Fig. 1 shows, the maximal consanguinity genealogy in Mb is {c, d, f, g}, {a, h}, {b}, {e}.

Suppose 12 , n A AA? is a maximal consanguinity genealogy in Mb. Let |,. gene ii AddD xA dxd?denote the gene of Ai, that is, gene i Acontains all the antibody genes of the memory cells in Ai. Given 12 , genegenegenegene n AAA? we call gene ? the gene sequence of the maximal consanguinity genealogy in Mb. It is obvious that gene i A and gene ?can be regarded as the basic characteristics of Ai and Mb, respectively.
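Theorems 3 and 4 can be checked mechanically on the Fig. 1 example. The Python below is an added illustration, not code from the paper: it enumerates the maximal consanguinity classes as maximal cliques and then builds the genealogy by repeatedly removing the largest class from what remains of Mb. The edge list is constructed (the figure is not reproduced here) so that it yields the classes listed above, and the function names are hypothetical.

```python
# Constructed edge list: Fig. 1 itself is not reproduced on the page, so these
# edges are an assumption chosen to yield the maximal classes the text lists.
EDGES = [("a", "c"), ("a", "h"), ("c", "e"), ("c", "f"), ("e", "f"),
         ("c", "d"), ("c", "g"), ("d", "f"), ("d", "g"), ("f", "g")]
VERTICES = set("abcdefgh")  # memory cells in Mb, one vertex each


def adjacency(vertices, edges):
    """Undirected adjacency map restricted to `vertices`; self-loops ignored."""
    adj = {v: set() for v in vertices}
    for x, y in edges:
        if x != y and x in adj and y in adj:
            adj[x].add(y)
            adj[y].add(x)
    return adj


def maximal_classes(vertices, edges):
    """Maximal consanguinity classes, i.e. maximal cliques (Bron-Kerbosch)."""
    adj = adjacency(vertices, edges)
    found = []

    def expand(r, p, x):
        # r: current clique, p: candidates, x: already-processed vertices
        if not p and not x:
            found.append(frozenset(r))
            return
        pivot = max(p | x, key=lambda v: len(adj[v] & p))
        for v in sorted(p - adj[pivot]):
            expand(r | {v}, p & adj[v], x & adj[v])
            p = p - {v}
            x = x | {v}

    expand(set(), set(vertices), set())
    return found


def genealogy(vertices, edges):
    """Maximal consanguinity genealogy: take the largest maximal class of the
    remaining cells, remove it, and repeat until Mb is exhausted."""
    remaining, parts = set(vertices), []
    while remaining:
        classes = maximal_classes(remaining, edges)
        # Largest class first; ties broken alphabetically for determinism.
        best = min(classes, key=lambda c: (-len(c), sorted(c)))
        parts.append(best)
        remaining -= best
    return parts


if __name__ == "__main__":
    print(sorted(sorted(c) for c in maximal_classes(VERTICES, EDGES)))
    print([sorted(c) for c in genealogy(VERTICES, EDGES)])
```

Because each step removes the chosen class from the remaining cells, the resulting blocks are disjoint and cover Mb, which is the partition property of Theorem 4.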
According to the definition of gene sequence, as well as Theorem 4, we have Theorem 5.

Theorem 5. Any two genes in the gene sequence of the maximal consanguinity genealogy in Mb are different.

Theorem 6. Suppose Mb(t) is the set of memory lymphocytes at time t. Then the memory cells in Mb(t) represent the number and types of network attacks that the system has suffered from at time t, where the antibody concentration of memory cells in Mb(t) indicates the security-risk level that the system faces at time t.

Proof. Eq. (48) denotes the immune responses, which are generated from the immune-cell clones and recognize the antigens. Eqs. (29) and (37) indicate that the mature cells evolving into memory cells are deleted from the mature-cell set immediately when they clone themselves. According to the antibody-repertoire completeness theory[24], the set of the immune-cell antibodies in the system can cover the whole antigen space. Therefore, the memory cells in the system record the number and types of the network attacks that the system has suffered from in the past.

Eqs. (26), (31) and (34) indicate that the antibody concentration of the mature cell is zero, which means that the cells have not yet met any nonself antigen or the met antigens are not sure nonself antigens. Eqs. (26), (31), (34), (39), (40), (42) and (43) show that only the memory-cell antibody concentration may be greater than zero. From (39) and (40), we know that a continuous increase of the memory-cell antibody concentration means that the system is under a continuous network attack during a period of ? . Since the memory-cell antibody concentration is accumulated and maintained only during a period of ? (like alert period), if the memory cell is not activated during a period of ? , its antibody concentration will decrease to zero according to Theorem 1. That is, the alert represented by this cell is cleared.
Therefore, the memory-cell antibody concentrati