
Research Article
Study of Immune-Based Intrusion Detection Technology in Virtual Machines for Cloud Computing Environment

Ruirui Zhang (1) and Xin Xiao (2)

(1) School of Business, Sichuan Agricultural University, Chengdu 610000, China
(2) School of Computer Science, Southwest Minzu University, Chengdu 610000, China

Correspondence should be addressed to Ruirui Zhang; zhangruiruisw@gmail.com

Received 5 May 2017; Revised 16 August 2017; Accepted 10 September 2017; Published 23 October 2017

Academic Editor: Laurence T. Yang

Copyright © 2017 Ruirui Zhang and Xin Xiao. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Cloud computing platforms are usually based on virtual machines as the underlying architecture; the security of virtual machine systems is the core of cloud computing security. This paper presents an immune-based intrusion detection model for virtual machines in the cloud computing environment, denoted IB-IDS, to ensure the safety of user-level applications in client virtual machines. In the model, the system call sequences of processes and their parameters are used, and environment information in the client virtual machines is extracted. The model then simulates immune responses to assess the state of user-level programs, which lets it detect attacks on the dynamic runtime of applications with high real-time performance. There are five modules in the model: the antigen presenting module, signal acquisition module, immune response module, signal measurement module, and information monitoring module, which are distributed across different levels of the virtual machine environment. Performance analysis and experimental results show that the model brings a small performance overhead to the virtual machine system and has good detection performance. It is applicable to judging the state of user-level applications in the guest virtual machine, and it is feasible to use it to increase user-level security in the software services of a cloud computing platform.

1. Introduction

Cloud computing has become the mainstream of the next generation of information technology; it provides a new and economical way of allocating and using computing resources. Because of their huge scale, complex software and hardware structure, third-party data storage, and unprecedented openness and complexity, cloud computing systems face stricter security requirements than traditional information systems. If security issues cannot be solved well, they will seriously restrict the rapid development of cloud computing and the popularity of cloud computing applications.

Cloud computing platforms are usually based on virtual machines as the underlying architecture; the security of virtual machine systems is the core of cloud computing security. At present, there is little security research on virtual machine systems in the cloud computing environment; the existing work is briefly introduced below.

Haeberlen et al. put forward the concept of accountable virtual machines (AVMs) [1], in which programs are executed and related information is recorded to determine whether the programs behave normally. This method is a static assessment and cannot detect the real-time safety of programs.

Payne et al. [2] presented the Lares system, which inserts a hook function into the client virtual machine (VM) that can proactively monitor events in the client VM. This hook triggers a safety program in the security VM (privileged VM), which makes decisions about the events of the client VM. Because the monitoring program is located within the secure VM and outside the client VM, this is an out-of-VM monitoring method. It offers high security but requires frequent context switching between virtual machines, which brings a greater performance cost and especially does not suit fine-grained monitoring.

Sharif et al. [3] put forward a general in-VM monitoring framework, in which the monitoring and judging processes

Hindawi, Mobile Information Systems, Volume 2017, Article ID 2301970, 15 pages. https://doi.org/10.1155/2017/2301970


run in the untrusted guest VM. To achieve the same security as the out-of-VM monitoring method, this framework uses the hardware memory protection mechanism and hardware virtualization technology. In the guest VM, a memory space protected by the VM monitor is set aside and used by the safety monitoring program under controlled conditions. This framework requires hardware virtualization support.

Wang et al. [4] put forward a lightweight system named HookSafe, based on the VM monitor, which is mainly used to monitor rootkit attacks on kernel space. A rootkit attack modifies control data or hook function addresses. Hooks are often dynamically allocated together with other data and distributed in noncontiguous memory areas, which need byte-level granularity protection, while the current hardware protection mechanism only provides page-level granularity. To solve this problem, HookSafe introduced a hook function jump layer, which maps hooks to a contiguous page-aligned memory space and then uses the hardware protection mechanism to control access to this block of memory.

The work in [5, 6] is also used to detect kernel rootkits. The work in [5] monitors invariants in controlled flow transfers and constant relationships in the data of uncontrolled flow. The work in [6] adopts the Daikon tool to deduce invariants from data structures extracted from memory pages and monitors these invariants to determine the state of the kernel.

Bharadwaja et al. [7] analyzed the security issues raised by hypercalls in virtualized environments and proposed a Xen-based distributed intrusion detection system, which implements filtering operations on hypercalls in the privileged domain to achieve security.

Srivastava et al. [8] studied the use of rootkits to fuzz system calls for attacks on the virtual machine monitor (VMM) and proposed a Xen-based monitoring system named Sherlock. The system overlooks call flows by adding observation points along the kernel's execution path and automatically adjusts its sensitivity according to security needs.

Szefer et al. [9] proposed the NoHype system. The system does not require much involvement of the VMM; it runs VMs directly on the underlying hardware and maintains multiple virtual machines in order to reduce the possibility of attacks between virtual machines and of security threats caused by vulnerabilities of the VMM. The main ideas are as follows: preallocating processor and memory resources, use of virtualized I/O devices, small modifications of the client OS to perform examinations during the system boot process, and preventing the client VM from indirect contact with the hardware.

Benzina and Goubault-Larrecq [10] pointed out that Domain 0 is an important loophole of the virtualization system and proposed a role-based access control model. This model describes unnecessary activity streams by simple timing formulas, which reduces the threat of Domain 0 attacks such as Trojan horses.

Wang et al. [11] proposed a detection method for hidden processes based on the VMM. This method runs the detection tool outside the VM to be monitored and has high security. It gets the underlying status information of the monitored VMs through the VM introspection mechanism and reconstructs process queues to determine malicious processes.

The above works studied the security of user procedures in the VM and vulnerabilities of the VMM and proposed corresponding defensive methods. However, careful analysis shows that current methods cannot accurately determine the real-time status of client VM applications or the security vulnerabilities of the VMM. Most of the proposed methods target particular attacks and vulnerabilities and cannot effectively deal with the threats of other attacks.

Inspired by the immune response mechanism and the danger theory of the biological immune system, this paper presents an immune-based intrusion detection model for virtual machines in the cloud computing environment, named IB-IDS. The main contributions of this model are as follows: (1) the model introduces danger theory into VM intrusion detection and defines the implementation of danger signals; (2) the model can monitor the state of applications and detect attacks on the dynamic runtime of applications, with high real-time performance; (3) the model monitors the whole intrusion detection process and makes sure that every module of the model is running safely; (4) the immune evolution mechanism and a performance analysis of the model are described, which shows that the model is effective theoretically.

The remainder of this paper is organized as follows. The theories of the model, including the description of the architecture, the definitions of the model, the implementation mechanism of danger signals, the implementation mechanism of information monitoring, and the immune evolution model, are described in Section 2. The performance analysis of the model is shown in Section 3. The effectiveness of IB-IDS is verified in Section 4. Finally, the conclusion is given in the last section.

2. Theories of the Model

Virtualization technology is the foundation of cloud computing, and with the popularity of cloud computing it has received more and more attention. Virtualization is achieved when many virtual machines run in one physical machine, each virtual machine running a different operating system and applications with good isolation from the other virtual machines. This is implemented by adding a layer of software called the virtual machine monitor (VMM) on top of the hardware. There is usually one virtual machine with relatively high authority, called the privileged virtual machine (privileged VM), which can manage and control the other client virtual machines (guest VMs) to a certain extent. Xen [12, 13] was developed by the University of Cambridge's computer laboratory. It is an open-source project, is therefore widely used in academic research, and is also the basis of a number of cloud computing platforms such as the Amazon EC2 Service and Eucalyptus. In Xen, the VMM is called the hypervisor and a VM is called a domain; the first domain, which starts together with the hypervisor, is called dom0, and the other domains are called domU, as shown in Figure 1.

Figure 1: Xen virtual machine system. (Layers from bottom to top: Hardware; Hypervisor (VMM); the Dom 0 domain and several Dom U domains, each with its own OS kernel and applications.)

For a virtual machine system, the most common attacks are basically completed using certain vulnerabilities of the system, and these attacks are performed by a program or software called malware (malicious software). Common malware includes viruses, worms, Trojan horses, and rootkits. Some of them are user-state malicious processes, which do not affect the operating system kernel; some lurk in the kernel or in a process and modify the memory space. When the system has no defense, it is vulnerable to attack. For example, when a program runs, we cannot be sure whether changes to the dynamic data structures in the kernel region are reasonable or are caused by an intrusion. The proposed model can detect these kinds of malware.

2.1. Description of the Architecture. Because of the high privilege levels and relatively streamlined structure of the privileged VM and the hypervisor, these two are assumed to be safe. The main intention of this model is to ensure the safety of user-level applications in the guest VM. The architecture of IB-IDS is shown in Figure 2. This architecture is divided into four levels: the underlying hardware layer, the VMM layer, the privileged VM layer, and the guest VM layer. The modules of the model are distributed across these four levels. In order to reduce context switching between dom0 and domU and to allow fine-grained monitoring, the antigen presenting module and the signal acquisition module are deployed in every guest VM. The immune response module and the signal measurement module are deployed in the privileged VM. These two modules do not need to communicate with domU; they just get data on a regular basis during execution and are deployed separately in dom0, which reduces the performance cost and improves the security of dom0. The information monitoring module is deployed in the VMM. Because the guest VM is not trusted, the model introduces the information monitoring module to supervise the running of the antigen presenting module and the signal acquisition module, ensuring the safety of the detection process.

The detection process is as follows. First, the antigen presenting module monitors the execution of user-level applications in client VMs, extracts critical data as antigens, and delivers them to the immune response module in the privileged VM through the inter-VM communication mechanism. Meanwhile, the signal acquisition module collects environmental information while the program executes and transmits it to the signal measurement module in the privileged VM. These operations are performed on a regular basis. Then the immune response module evaluates whether to trigger a secondary response based on the set of memory antibodies; if it does, an invasion has occurred. If the secondary response is not triggered, the signal measurement module evaluates the current environment's risk rating through the cloud model, produces danger signals of different degrees, and then determines whether an invasion has happened; if it has, the model starts a further initial response to eliminate alien antigens. The information monitoring module runs periodically after the system starts, accessing the memory spaces of the antigen presentation module and the signal acquisition module in order to ensure that these two modules are not attacked.

2.2. Model Definition. In the software system of virtual machines, all information can ultimately be reduced to a binary string, and virtual machine intrusion detection is the classification of that binary string according to certain rules and a priori knowledge. Define the problem state space $\Omega = \bigcup_{i=1}^{\infty} \{0, 1\}^i$. Based on biological immune principles, we define the virtual system platform as the organism, the client virtual machines as immunologic tissues, and the user programs in the virtual machines as antigens. Define $AG \subset \Omega$ as the collection of antigens. The aim of virtual machine intrusion detection is to differentiate patterns: given an input pattern $x$, $x \in AG$, the system detects and decides whether this pattern belongs to self or to nonself. There are two kinds of mistakes in the testing process: a false negative, which sorts nonself as self, and a false positive, which classifies self as nonself.

Forrest et al. [14] found that the execution of critical programs can be described by the sequence of system calls, also called the execution trace. The pattern of system calls reflects the behavioral characteristics of the program to some extent, and the execution trace has local stability while the program is running. Taking system calls and their parameters into account, of which there are up to six under the Linux system convention, we define the process ID, the short sequence of system calls, and their parameters as the gene fragments of antigens.

Figure 2: Structure of the intrusion detection model. (Guest VM: antigen presenting module and signal acquisition module; Privileged VM: immune response module and signal measurement module, which together form the intrusion detection system; Hypervisor: information monitoring module; Hardware.)

Definition 1. The antigen is defined as a triple $ag = \langle \mathrm{gid}, \mathrm{pid}, \langle x_1, x_2, \ldots, x_k \rangle \rangle$, which represents the feature vector in the solution space of the problem domain. $\mathrm{gid}$ is the unique ID identifying the client VM; $\mathrm{pid}$ is the process ID; $x_i = \langle \mathrm{sid}_i, p_{i1}, p_{i2}, \ldots, p_{il} \rangle$ $(i = 1, 2, \ldots, k)$ are the gene fragments of the antigen; $\mathrm{sid}$ is the system call ID; $k$ is the length of the short system call sequence, that is, the encoded length of immune cells, which reflects the order relationships of system calls during execution; $p_{ij}$ is a parameter of a system call, $i = 1, 2, \ldots, k$, $j = 1, 2, \ldots, l$; and $l$ is the number of parameters. All the antigens in the space compose the collection $AG = \bigcup_{i=1}^{\infty} ag_i$.

It is assumed that the normal short sequences that can be recognized by the model are defined as the self set $S$; all the unknown short sequences are defined as $N$; abnormal short sequences that produce danger signals are defined as $D$; and short sequences that are judged as invasions are defined as $I$.

Then $S \cap N = \emptyset$ and $S \cup N = AG$. Danger theory does not distinguish between self and nonself; it only recognizes the intrusion set $I = D \cap N$, which triggers immune responses, and does not respond to the harmless set $D \cap S$.

Definition 2. Antibodies can recognize antigens and trigger specific immune responses. Antibodies have the same structure as antigens, are used for detecting and matching antigens, and are expressed as $ab = \langle \mathrm{gid}, \mathrm{pid}, \langle x_1, x_2, \ldots, x_k \rangle \rangle$. The set of antibodies is defined as $AB = \bigcup_{i=1}^{\infty} ab_i$.

Definition 3. The matching rule, which is the affinity of antibody and antigen, indicates the binding strength between antibody and antigen. In this paper we propose an improved $r$-continuous bit matching method:

$$\mathrm{affinity}(ab, ag) = \begin{cases} 1, & \dfrac{1}{k} \sum_{i=1}^{k} f(ab.x_i, ag) \ge \beta,\ ag.\mathrm{gid} = ab.\mathrm{gid},\ ag.\mathrm{pid} = ab.\mathrm{pid} \\ 0, & \text{others} \end{cases} \qquad (1)$$

where $\beta$ is the matching threshold and $f(x, y)$ is the $r$-continuous bit matching between the antibody gene fragment $x_i$ and the antigen:

$$f(x, y) = \begin{cases} 1, & \exists\, i, j:\ j - i \ge |x|,\ 0 < i \le j \le k \cdot (l + 1),\ x_i = y_j,\ x_{i+1} = y_{j+1},\ \ldots,\ x_{|x|} = y_{j+|x|-1} \\ 0, & \text{others} \end{cases} \qquad (2)$$


Figure 3: The immune mechanism of the model. (Antigen gene fragments and VM environment information are gene coded into the antibody gene library G. Immature detectors U undergo dynamic tolerance against the self set S: those that match self die, those old enough become mature detectors T. Mature detectors triggered by danger signals clone and mutate into memory detectors M; genes of memory detectors are extracted into G, and genes of dead memory detectors are deleted. Detection classifies each antigen as self or nonself.)

Definition 4. The detector set is defined as $B = \{ \langle ab, \mathrm{age} \rangle \mid ab \in AB \cap \mathrm{age} \le \mathrm{age}_{\max} \}$, where $ab$ is the antibody of the detector, $\mathrm{age}$ is the age of the detector, and $\mathrm{age}_{\max}$ is the maximum age of the detector. The detector set consists of immature detectors, mature detectors, and memory detectors. An immature detector, which has not yet been subjected to self-tolerance, evolves into a mature one when it passes self-tolerance. A mature detector becomes a memory detector after it is activated.

The immature detector set is defined as $U = \{ x \mid x \in B \cap x.\mathrm{age} < \gamma \}$, where $\gamma$ simulates the tolerance period. The mature detector set is defined as $T = \{ x \mid x \in B \cap \gamma \le x.\mathrm{age} < \mathrm{age}_{\max} \cap \forall ag \in S\, (\mathrm{affinity}(x.ab, ag) = 0) \}$. The memory detector set is defined as $M = \{ x \mid x \in B \cap x.\mathrm{age} = \mathrm{age}_{\max} \cap \forall ag \in S\, (\mathrm{affinity}(x.ab, ag) = 0) \}$.

In the detector generation process, if $\mathrm{Affinity}(x, ag) = 1$ ($ag \in S$), the detector $x$ can describe self and triggers an immune self-reaction, so it must be removed. At the end of the process, the remaining detectors can only describe elements of the nonself set. In the detection process, if $\mathrm{Affinity}(x, ag) = 1$ ($ag \in I$), the antigen $ag$ can be described by the detector $x$, triggering the immune response.

We use Figure 3 to represent the immune mechanism of the model. In the model, a new immature detector is generated by gene coding, and the immature detector evolves into a mature detector by negative selection (self-tolerance); if it matches self, it dies. A mature detector has a life cycle of fixed length. If it is activated by danger signals within its life cycle, it evolves into a memory detector and generates the first response; otherwise it dies (deleting those detectors which are useless against antigens). The memory detector has a long life cycle, and once it is matched to an antigen it is activated immediately and produces the second response.
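As an added illustration of Definitions 1 to 4 and Figure 3 (example code, not the paper's own implementation), the following Python encodes antigens and antibodies as the triples above, implements the fragment-level matching of (2) and the affinity of (1), and runs the negative-selection life cycle. Everything numeric is constructed: the system call traces (numbers chosen to look like Linux i386 call IDs, with two parameters each), the threshold β, the tolerance period γ, and age_max. The matching step reads (2) as "an antibody fragment matches when it occurs contiguously in the flattened antigen"; that reading is this example's, not a statement from the paper.

```python
"""Antigen/antibody encoding (Definitions 1 and 2), the fragment-level
r-continuous match and affinity of Definition 3, and the detector life
cycle of Definition 4 / Figure 3.  Added example, not the paper's code:
the system call traces, beta, gamma and age_max are constructed values."""
from dataclasses import dataclass
from typing import List, Tuple

Fragment = Tuple[int, ...]      # (sid, p_1, ..., p_l): one system call and its parameters


@dataclass
class Antigen:
    gid: int                    # unique id of the client VM
    pid: int                    # process id
    genes: List[Fragment]       # k gene fragments: the short system call sequence


def flatten(genes: List[Fragment]) -> Tuple[int, ...]:
    """Lay the k fragments out as one symbol string of length k*(l+1)."""
    return tuple(v for frag in genes for v in frag)


def f_match(x: Fragment, y: Tuple[int, ...]) -> int:
    """Eq. (2) as read here: 1 if the whole fragment x occurs contiguously in y."""
    n, x = len(x), tuple(x)
    return int(any(y[j:j + n] == x for j in range(len(y) - n + 1)))


def affinity(ab: Antigen, ag: Antigen, beta: float) -> int:
    """Eq. (1): gid and pid must agree and the fraction of antibody
    fragments found in the antigen must reach the threshold beta."""
    if ab.gid != ag.gid or ab.pid != ag.pid:
        return 0
    y = flatten(ag.genes)
    score = sum(f_match(x, y) for x in ab.genes) / len(ab.genes)
    return int(score >= beta)


@dataclass
class Detector:
    ab: Antigen
    age: int = 0
    state: str = "immature"     # immature -> mature -> memory, or dead


def step(det: Detector, self_set: List[Antigen], beta: float,
         gamma: int, age_max: int, activated: bool = False) -> Detector:
    """One tick of the evolution in Figure 3.  Immature detectors are
    negatively selected against the self set (match self: dead; old enough:
    mature).  Mature detectors die at age_max unless a danger signal
    activates them, which promotes them to long-lived memory detectors."""
    if det.state == "dead":
        return det
    det.age += 1
    if det.state == "immature":
        if any(affinity(det.ab, s, beta) for s in self_set):
            det.state = "dead"
        elif det.age >= gamma:
            det.state = "mature"
    elif det.state == "mature":
        if activated:
            det.state, det.age = "memory", age_max
        elif det.age >= age_max:
            det.state = "dead"
    return det


def demo() -> Tuple[str, str]:
    """Constructed traces (sid, two parameters): a self trace of open/read/close
    and two candidate detectors, one self-like and one foreign."""
    self_ag = Antigen(1, 100, [(5, 3, 0), (3, 3, 64), (6, 3, 0)])
    self_like = Detector(Antigen(1, 100, [(5, 3, 0), (3, 3, 64), (6, 3, 0)]))
    foreign = Detector(Antigen(1, 100, [(11, 7, 0), (3, 3, 64), (2, 0, 0)]))
    beta, gamma, age_max = 0.6, 2, 5
    step(self_like, [self_ag], beta, gamma, age_max)        # self-reaction: removed
    for _ in range(gamma):
        step(foreign, [self_ag], beta, gamma, age_max)      # survives tolerance
    return self_like.state, foreign.state


if __name__ == "__main__":
    print(demo())
```

The self-like detector shares all three fragments with the self antigen, so its affinity reaches β and it is removed during tolerance; the foreign detector shares only the read fragment (1/3 < β), survives γ ticks and matures. Calling step with activated=True on a mature detector models the danger-signal activation that turns it into a memory detector.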

2.3. Implementation Mechanism of Danger Signals. Danger theory emphasizes that danger signals, which are generated from environmental changes, result in various degrees of immune response, and the area around the signals is called the danger zone. The most important issue in introducing danger theory into intrusion detection systems is the definition of danger signals, that is, how to determine danger. In a virtual machine environment, we select three environmental values as assessments of danger signals: the number of regular files of the system variable $N_{\mathrm{reg}}$, the memory ratio used by a process $\mathrm{Rss}$, and the number of files reported by the lsof command $N_{\mathrm{files}}$; these are normalized to real values in the interval $[0, 100]$.

For antigen $ag_i$, define the danger signal function $DS(ag_i)$ below. This function takes the three environmental values $N_{\mathrm{reg}}$, $\mathrm{Rss}$, and $N_{\mathrm{files}}$ as inputs and generates the signal value at the antigen's location:

$$DS(ag_i) = \frac{k_1 N_{\mathrm{reg}} + k_2 \mathrm{Rss} - k_3 N_{\mathrm{files}}}{k_1 + k_2 + k_3} \qquad (3)$$

As can be seen, $N_{\mathrm{reg}}$ and $\mathrm{Rss}$ have a negative influence on the environment: an increase in $N_{\mathrm{reg}}$ and $\mathrm{Rss}$ shows that the environment is damaged or that the possibility of being damaged is larger. $N_{\mathrm{files}}$ has a positive influence on the environment: an increase in $N_{\mathrm{files}}$ shows that the possibility of the environment being normal is larger.


The size of the danger zone limits the scope of the immune response, and immune cells in the region are activated to participate in the immune response. For antigen $ag_i$, define the danger zone function $DA(ag_i)$ below. This function returns the collection of detectors whose distance from $ag_i$ is less than $r_{\mathrm{danger}}$:

$$DA(ag_i) = \left\{ x \;\middle|\; \frac{1}{\left( \sum_{j=1}^{k} f(x.ab.x_j, ag_i) \right) / k} \le r_{\mathrm{danger}} \ \cap\ x \in T \right\} \qquad (4)$$

where $r_{\mathrm{danger}}$ is the radius of the danger zone.

How do we determine whether the environment is damaged according to the danger signals? We take advantage of the cloud model to evaluate this. The cloud model [15] is a probabilistic reasoning tool and a mathematical transformation model between a qualitative concept expressed by language values and quantitative data; it has three numerical characteristics: expectation $Ex$, entropy $En$, and hyperentropy $He$. Based on the danger signal modeling, we use a cloud rule generator and a reverse cloud generator to carry out qualitative analysis of the environments of guest virtual machines. The rule generator can be divided into a front cloud and a rear cloud. The IF part is the condition of the rule, which is achieved by the front cloud, while the THEN part is the result of the rule, which is implemented by the rear cloud. The inputs of the front cloud are the values to be assessed, and its output is the membership of the rule activated by the samples, which is also the input of the rear cloud; the output of the rear cloud is the conclusion of the rule.

First, the danger signals $DS(ag_i)$ are sampled $m$ times in a safe state and in an attacked state. Based on the obtained cloud droplets, we get the numerical characteristics of the front clouds, $Ex_{si}, En_{si}, He_{si}$ and $Ex_{di}, En_{di}, He_{di}$, through the reverse cloud generator. If the secure state cloud and the dangerous state cloud cover the entire state space, then we can use these two clouds to determine the status of the system; this is the ideal situation. If these two clouds cannot cover the whole state space, we need to divide the empty part, and it can be divided into a weak secure state cloud and a weak dangerous state cloud. In general, the closer a cloud is to the center of the discourse domain, the smaller its entropy and hyperentropy are; the more distant it is from the center, the larger its entropy and hyperentropy are. For two clouds next to each other, the entropy and hyperentropy of the smaller one are 0.618 times those of the greater one; that is the empirical value. So we can get $En_{lsi}, En_{ldi}, He_{lsi}, He_{ldi}$. According to the "3En rules" of the cloud model, we can estimate the expectations of the weak secure state cloud and the weak dangerous state cloud. The formulas are as follows:

$$Ex_{lsi} = Ex_{si} + 3 En_{lsi} = Ex_{si} + 3 \ast 0.618\, En_{si} \qquad (5)$$

$$Ex_{ldi} = Ex_{di} - 3 En_{ldi} = Ex_{di} - 3 \ast 0.618\, En_{di} \qquad (6)$$

We design the rules listed in the following to build the rule generator. Then we can obtain the environment state and the level of membership according to the actual value of the danger signals.

Rule 1. IF the danger signal indicator is low, THEN the system is safe, does not elicit the immune response, and the corresponding antibody can be deleted.

Rule 2. IF the danger signal indicator is comparatively low, THEN the system is relatively safe and does not elicit an immune response.

Rule 3. IF the danger signal indicator is comparatively high, THEN the system is relatively in danger and elicits an immune response.

Rule 4. IF the danger signal indicator is high, THEN the system is in danger, elicits an immune response, and adds the corresponding mature antibody to the memory antibody collection.
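To make the danger-signal pipeline concrete, here is an added Python example (not the authors' code) that covers (3), the reverse cloud generator, the 0.618 and 3En rules of (5) and (6), and Rules 1 to 4. Several things are assumptions of this example rather than statements of the paper: the estimators used for the reverse cloud generator (Ex from the sample mean, En from the mean absolute deviation scaled by sqrt(π/2), He from the remaining variance), the weights $k_1 = k_2 = k_3 = 1$, the sampled signal values, and the use of the cloud's expectation curve (He ignored) for membership. The danger zone (4) is not included because it needs the affinity of Definition 3.

```python
"""Danger signal (3), cloud-model state clouds (5)-(6) and Rules 1-4 of
Section 2.3.  Added example, not the paper's code.  ASSUMPTIONS: the
reverse cloud generator estimators, the weights k1 = k2 = k3 = 1, and the
sample signal values below are constructed for illustration."""
import math
from statistics import mean, variance

# Constructed danger-signal samples (m = 8 droplets each) taken in a safe
# state and in an attacked state; values are on the [0, 100] scale.
SAFE_SAMPLES = [10, 12, 9, 11, 13, 10, 8, 12]
DANGER_SAMPLES = [70, 75, 68, 80, 72, 77, 74, 69]


def danger_signal(n_reg, rss, n_files, k1=1.0, k2=1.0, k3=1.0):
    """Eq. (3). The three inputs are already normalised to [0, 100];
    larger N_reg and Rss mean more danger, larger N_files less."""
    return (k1 * n_reg + k2 * rss - k3 * n_files) / (k1 + k2 + k3)


def backward_cloud(samples):
    """Reverse cloud generator (assumed estimators): the numerical
    characteristics (Ex, En, He) of a normal cloud from its droplets."""
    ex = mean(samples)
    en = math.sqrt(math.pi / 2) * mean(abs(s - ex) for s in samples)
    he = math.sqrt(max(variance(samples) - en * en, 0.0))
    return ex, en, he


def membership(x, ex, en):
    """Front cloud: expected membership of x in the cloud (Ex, En);
    the hyperentropy He is ignored so the result is deterministic."""
    if en == 0:
        return float(x == ex)
    return math.exp(-((x - ex) ** 2) / (2 * en * en))


def build_rule_clouds(safe_samples, danger_samples):
    """Secure and dangerous clouds come from the samples; the weak clouds
    that fill the gap take 0.618 times the neighbour's En and He, and their
    expectation follows the 3En rule, (5) and (6)."""
    ex_s, en_s, he_s = backward_cloud(safe_samples)
    ex_d, en_d, he_d = backward_cloud(danger_samples)
    en_ls, he_ls = 0.618 * en_s, 0.618 * he_s
    en_ld, he_ld = 0.618 * en_d, 0.618 * he_d
    return {
        "low": (ex_s, en_s, he_s),
        "comparatively low": (ex_s + 3 * en_ls, en_ls, he_ls),    # (5)
        "comparatively high": (ex_d - 3 * en_ld, en_ld, he_ld),   # (6)
        "high": (ex_d, en_d, he_d),
    }


# Rear cloud: the THEN part of Rules 1-4 as (system state, elicit response, extra action).
RULES = {
    "low": ("safe", False, "delete the corresponding antibody"),
    "comparatively low": ("relatively safe", False, None),
    "comparatively high": ("relatively in danger", True, None),
    "high": ("in danger", True, "add the mature antibody to the memory set"),
}


def evaluate(ds_value, clouds):
    """Rule generator: activate the rule whose front cloud gives the signal
    the highest membership and return that rule's conclusion."""
    grades = {name: membership(ds_value, ex, en) for name, (ex, en, _) in clouds.items()}
    fired = max(grades, key=grades.get)
    state, respond, action = RULES[fired]
    return fired, state, respond, action, grades[fired]


if __name__ == "__main__":
    clouds = build_rule_clouds(SAFE_SAMPLES, DANGER_SAMPLES)
    for n_reg, rss, n_files in [(20, 15, 20), (85, 90, 10)]:
        print(evaluate(danger_signal(n_reg, rss, n_files), clouds))
```

With these samples the secure cloud sits near 10.6 and the dangerous cloud near 73; a signal of 40 falls in the gap that none of the four clouds covers and gets a membership close to zero everywhere, which is exactly the case the paper's weak clouds are meant to shrink, so in practice the sampled states should be chosen so that the four clouds overlap.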

When the system triggers the secondary response, or danger signals trigger the initial response, antibodies mutate based on the immune response mechanism to generate new antibodies with higher affinity to the original antigens, in order to identify danger more quickly, and also to generate antibodies with lower affinity, which are added to the immature antibody collection in order to ensure the diversity of the immune system.

2.4. Implementation Mechanism of Information Monitoring. The antigen presenting module and the signal acquisition module are deployed in domU. Because Linux is an open-source operating system, we can add these two modules into domU's kernel. The information monitoring module is deployed in the VMM. To ensure the safety of the antigen presentation module and the signal acquisition module, the model accesses the memory spaces to which they belong and performs hash computing on the memory data. The implementation mechanism needs to solve two important issues: the first is how to find the memory space to which the antigen presenting module and the signal acquisition module belong, and the second is how to use hashing to ensure that the two modules are not attacked.

The VMM is responsible for managing and distributing the various hardware resources and provides virtual hardware resources for the operating system kernel above it; domU accesses physical memory through the VMM. In a Linux system, the System.map file is a specific kernel symbol table that lists all the kernel symbol names and their corresponding virtual addresses. A kernel symbol may be a variable name or a function name. Since the antigen presenting module and the signal acquisition module are in domU's kernel space, all the variables and functions they contain can be found in System.map; that is to say, we can find the virtual memory addresses of these variables and functions in domU. In the Xen system there are three memory structures: virtual memory, pseudophysical memory, and machine memory. Virtual memory means that each process has a separate virtual memory address space. Pseudophysical memory sits between virtual memory and machine memory, and each domU's operating system believes that pseudophysical memory is "physical memory". Machine memory is the real physical memory. The VMM maintains an M2P (Machine to Physical) global conversion table, and each domU maintains a P2M (Physical to Machine) partial conversion table. As can be seen, we can find the pseudophysical address corresponding to a virtual memory address through domU's page table, and find the machine address corresponding to the pseudophysical address through domU's P2M table.

Through the above method, we can find the memory space to which the antigen presenting module and the signal acquisition module belong. The information monitoring module reads the contents of all initialized data, read-only data, and functions' memory which belong to the two modules, in the order given by the System.map file, as the hash input. Hash computing can map a binary value of arbitrary length to a shorter fixed-length binary value, and two different inputs cannot be mapped to the same value. Therefore, we use hash computing to ensure the integrity of the memory spaces of the antigen presenting module and the signal acquisition module. In the hypervisor, we define two variables $hd_{\mathrm{ag}}$ and $hd_{\mathrm{sig}}$ which store the cumulative hash values of the antigen presenting module and the signal acquisition module, and they are calculated as follows:

$$
hd_{\mathrm{ag}}(i+1) = \mathrm{hash}\bigl(hd_{\mathrm{ag}}(i)\ \&\ r_{\mathrm{ag}}(i+1)\bigr), \qquad
hd_{\mathrm{sig}}(j+1) = \mathrm{hash}\bigl(hd_{\mathrm{sig}}(j)\ \&\ r_{\mathrm{sig}}(j+1)\bigr). \tag{7}
$$

In (7), $\mathrm{hash}(x)$ is the hash function, $\&$ is a binary string concatenation operator, $r_{\mathrm{ag}}(i)$ is the content of the $i$th memory segment of the antigen presenting module, and $hd_{\mathrm{ag}}(i)$ is the accumulated value after $i$ rounds of hash computing for the antigen presenting module. The second equation of (7) is by analogy. We mark the final cumulative hash values of the antigen presenting module and the signal acquisition module stored by the hypervisor in a safe state as the standard values $hd'_{\mathrm{ag}}$ and $hd'_{\mathrm{sig}}$. The information monitoring module is executed periodically. By comparing the hash values $hd_{\mathrm{ag}}$ and $hd_{\mathrm{sig}}$ obtained while the program is running with the standard values, we can determine the security of the antigen presenting module and the signal acquisition module.
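The cumulative hash of (7) and the periodic comparison against the standard value, as an added Python example that is not code from the paper. It assumes SHA-256 for the unspecified hash(), treats "&" as byte-string concatenation, and uses constructed memory segments in place of the module's real memory.

```python
import hashlib
import hmac
from typing import List, Sequence


def chain_hash(segments: Sequence[bytes]) -> bytes:
    """hd(i+1) = hash(hd(i) & r(i+1)) over the segments in System.map order,
    starting from an empty hd(0); '&' is byte-string concatenation here."""
    hd = b""
    for r in segments:
        hd = hashlib.sha256(hd + r).digest()
    return hd


def module_is_intact(running: Sequence[bytes], standard: bytes) -> bool:
    """Periodic information-monitoring check: recompute hd over the live
    memory segments and compare it with the standard value hd' recorded in
    the safe state (constant-time comparison)."""
    return hmac.compare_digest(chain_hash(running), standard)


# Constructed sample memory of the antigen presenting module: initialized
# data, read-only data and function bytes, in the order System.map lists them.
SAFE_SEGMENTS: List[bytes] = [
    b"\x00\x00\x00\x01" + b"\x10" * 12,
    b"ib-ids antigen presenting v1\x00",
    b"\x55\x48\x89\xe5\x48\x83\xec\x10\xc3",
]
HD_STANDARD = chain_hash(SAFE_SEGMENTS)   # hd'_ag, kept by the hypervisor


def tampered_segments() -> List[bytes]:
    """The same memory with a single byte of the function segment altered
    (constructed tampering); the check must flag this."""
    patched = list(SAFE_SEGMENTS)
    patched[2] = b"\xe9" + patched[2][1:]
    return patched


def reordered_segments() -> List[bytes]:
    """Same bytes, different order: the chain is order sensitive, so a reader
    that walks memory in the wrong order produces a different hd."""
    return [SAFE_SEGMENTS[1], SAFE_SEGMENTS[0], SAFE_SEGMENTS[2]]
```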

2.5. The Immune Evolution Model

2.5.1. Self-Evolution Model.

$$
S(t) = \begin{cases}
S_{\mathrm{first}}, & t = 0, \\
S(t-1), & t \bmod \delta \neq 0, \\
S(t-1) \cup S_{\mathrm{new}}(t) - S_{\mathrm{unload}}(t) - S_{\mathrm{dead}}(t), & t > 0 \wedge t \bmod \delta = 0,
\end{cases}
$$
$$
S_{\mathrm{dead}}(t) = \begin{cases}
\emptyset, & \bigl|S(t-1) \cup S_{\mathrm{new}}(t) - S_{\mathrm{unload}}(t)\bigr| < \mathrm{size}_{\max}, \\
\bigl\{ag \mid ag \in S(t-1) \wedge \text{eliminate } \bigl|S_{\mathrm{new}}(t) - S_{\mathrm{unload}}(t)\bigr| \text{ elements according to some principle}\bigr\}, & \text{otherwise,}
\end{cases}
\tag{8}
$$

where $S(t), S(t-1) \subset S$ respectively express the self set at the moments $t$ and $t-1$; $S_{\mathrm{first}}$ is the self set at the initial moment; $\delta$ is the evolutionary cycle of selves. Within a $\delta$ cycle the self set remains unchanged; at the end of the $\delta$ period, new elements $S_{\mathrm{new}}(t)$ are added (such as newly loaded programs), those programs $S_{\mathrm{unload}}(t)$ that have been uninstalled are deleted, and part of the selves $S_{\mathrm{dead}}(t)$ are eliminated in order to avoid unlimited growth of the self set.

The computer software system is a huge collection. The self set of a complete software system is too large for the calculation ability of present computers, and it is very difficult to find an absolutely reliable self set in a dynamic software system. The evolution of the self set lets the model maintain only a smaller set of selves, ensuring higher time efficiency within the existing computing capacity. In addition, because of the continuous evolution of selves, nonself elements which mix into the selves will eventually be removed, reducing the rate of false negatives caused by an incomplete self set.
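The self-set evolution of (8) driven over several cycles, as an added Python example that is not the paper's code. It assumes selves are program names, $\delta = 2$, $\mathrm{size}_{\max} = 4$, and that the "some principle" for $S_{\mathrm{dead}}$ is to evict the longest-resident selves, which is what lets a nonself that slipped into the initial self set be pushed out as new selves arrive.

```python
from collections import OrderedDict
from typing import Iterable, List, Tuple

DELTA = 2       # evolutionary cycle delta, in ticks (assumed)
SIZE_MAX = 4    # size_max, upper bound on |S| (assumed)


def evolve_self_set(s_prev: "OrderedDict[str, int]", t: int,
                    s_new: Iterable[str], s_unload: Iterable[str]) -> "OrderedDict[str, int]":
    """S(t) from S(t-1) following eq. (8). Keys are selves, values the tick at
    which they joined; insertion order therefore records residence time."""
    if t == 0 or t % DELTA != 0:
        return OrderedDict(s_prev)        # inside a cycle the self set is frozen
    s_new = list(s_new)
    unload = set(s_unload)
    merged = OrderedDict(s_prev)
    for p in unload:                       # S_unload: uninstalled programs leave
        merged.pop(p, None)
    survivors = list(merged)               # S(t-1) - S_unload, oldest first
    for p in s_new:                        # S_new: newly loaded programs join
        merged[p] = t
    # S_dead is empty while the merged set stays below size_max; otherwise
    # |S_new - S_unload| elements of S(t-1) are eliminated, oldest first
    # (the eviction principle is our assumption).
    n_dead = 0 if len(merged) < SIZE_MAX else len(set(s_new) - unload)
    for p in survivors[:n_dead]:
        merged.pop(p)
    return merged


def run_trace() -> List[Tuple[int, Tuple[str, ...]]]:
    """Drive the self set for seven ticks on a constructed workload. The
    element 'rogue' stands for a nonself mistakenly accepted into S_first;
    it is purged once enough new selves have arrived."""
    s = OrderedDict((p, 0) for p in ("init", "sshd", "rogue"))   # S_first
    arrivals = {2: ["cron"], 4: ["nginx", "php-fpm"], 6: ["rsyslog"]}
    unloads = {4: ["cron"]}
    history = []
    for t in range(7):
        s = evolve_self_set(s, t, arrivals.get(t, []), unloads.get(t, []))
        history.append((t, tuple(s)))
    return history
```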

2.5.2. Antibody Gene Lib Evolution Model.

$$
G(t) = \begin{cases}
G_{\mathrm{first}}, & t = 0, \\
\bigl(G(t-1) - G_{\mathrm{dead}}(t)\bigr) \cup G_{\mathrm{new}}(t), & t > 0,
\end{cases}
\tag{9}
$$

where $G(t), G(t-1) \subset G$ respectively express the antibody gene lib at the moments $t$ and $t-1$; $G_{\mathrm{first}}$ is the initial antibody gene collection, which consists of gene fragments of typical kinds of malware; $G_{\mathrm{dead}}(t) = \bigcup_{x \in M_{\mathrm{dead}}(t)} \bigcup_{i=1}^{k} x.ag.x_i$ is the set of mutated genes which should be removed at time $t$; $M_{\mathrm{dead}}(t)$ is the set of memory detectors with false positives. When a mature detector is cloned, its genes $G_{\mathrm{new}}(t) = \bigcup_{x \in T_{\mathrm{cloned}}(t)} \bigcup_{i=1}^{k} x.ag.x_i$ join the antibody gene library as dominant genes; $T_{\mathrm{cloned}}(t)$ is the set of activated mature detectors.

The antibody gene lib is mainly used to improve the generation efficiency of immature detectors. In the generation process of new immature detectors, their antibodies are produced by gene encoding, so they have the ability to detect known malware variants, reducing the tolerance time. The use of genetic coding produces the "Baldwin effect": evolution and learning enable new individuals to acquire some of the same characteristics, reducing the diversity of the system. In order to solve this problem, a certain proportion of randomly generated immature detectors are added to ensure the diversity of the system.

2.5.3. Immature Detectors Evolution Model.

$$
U(t) = \begin{cases}
\emptyset, & t = 0, \\
\bigl(f_{\mathrm{age}}(U(t-1)) - (U_{\mathrm{untolerance}}(t) \cup U_{\mathrm{matured}}(t))\bigr) \cup U_{\mathrm{new}}(t), & t > 0,
\end{cases}
$$
$$
U_{\mathrm{untolerance}}(t) = \bigl\{x \mid x \in f_{\mathrm{age}}(U(t-1)) \wedge \exists y \in S(t-1)\,(\mathrm{affinity}(x.ab, y) = 1)\bigr\},
$$
$$
U_{\mathrm{matured}}(t) = \bigl\{x \mid x \in f_{\mathrm{age}}(U(t-1)) - U_{\mathrm{untolerance}}(t) \wedge x.\mathrm{age} > \gamma\bigr\},
\tag{10}
$$

where $U(t), U(t-1) \subset U$ respectively express the set of immature detectors at the moments $t$ and $t-1$; $f_{\mathrm{age}}(X)$ ($X \subset B$) means adding 1 to the age of every detector in $X$; $U_{\mathrm{untolerance}}(t)$ is the set of immature detectors which do not pass self-tolerance, and $U_{\mathrm{matured}}(t)$ is the set of mature detectors which pass self-tolerance; $U_{\mathrm{new}}(t)$ is the set of immature detectors newly created at time $t$ and includes two parts: completely randomly generated detectors (to ensure diversity) and detectors generated by gene encoding from the antibody gene lib (to ensure availability).

2.5.4. Mature Detectors Evolution Model.

$$
T(t) = \begin{cases}
\emptyset, & t = 0, \\
\bigl(f_{\mathrm{age}}(T(t-1)) - (T_{\mathrm{dead}}(t) \cup T_{\mathrm{cloned}}(t))\bigr) \cup U_{\mathrm{matured}}(t) \cup T_{\mathrm{permutation}}(t), & t > 0,
\end{cases}
$$
$$
T_{\mathrm{dead}}(t) = \bigl\{x \mid x \in f_{\mathrm{age}}(T(t-1)) \wedge x.\mathrm{age} = \mathrm{age}_{\max} \wedge \nexists y \in N(t-1)\,(x \in DA(y))\bigr\},
$$
$$
T_{\mathrm{cloned}}(t) = \bigl\{x \mid x \in (f_{\mathrm{age}}(T(t-1)) - T_{\mathrm{dead}}(t)) \wedge \exists y \in N(t-1)\,(x \in DA(y))\bigr\},
$$
$$
T_{\mathrm{permutation}}(t) = f_{\mathrm{clone\_mutation}}\bigl(T_{\mathrm{cloned}}(t) \cup M_{\mathrm{cloned}}(t)\bigr),
\tag{11}
$$

where $T(t), T(t-1) \subset T$ respectively express the set of mature detectors at the moments $t$ and $t-1$; $T_{\mathrm{dead}}(t)$ is the set of mature detectors which are not activated by the end of their life cycle; $T_{\mathrm{cloned}}(t)$ is the set of mature detectors activated by danger signals; $U_{\mathrm{matured}}(t)$ is the set of new mature detectors; $T_{\mathrm{permutation}}(t)$ is the set of mature detectors produced by clonal mutation of the activated ones; $f_{\mathrm{clone\_mutation}}(X)$ ($X \subset T$) is the clonal variation function and executes the clone and mutation operation for each element $x$ in $X$.

2.5.5. Memory Detectors Evolution Model.

$$
M(t) = \begin{cases}
M_{\mathrm{first}}, & t = 0, \\
\bigl(M(t-1) - M_{\mathrm{dead}}(t)\bigr) \cup f_{\mathrm{age2}}(M_{\mathrm{cloned}}(t)), & t > 0,
\end{cases}
$$
$$
M_{\mathrm{dead}}(t) = \bigl\{x \mid x \in M(t-1) \wedge \exists y \in S(t-1)\,(\mathrm{affinity}(x.ab, y) = 1)\bigr\},
$$
$$
M_{\mathrm{cloned}}(t) = \bigl\{x \mid x \in M(t-1) \wedge \exists y \in N(t-1)\,(x \in DA(y))\bigr\},
\tag{12}
$$

where $M(t), M(t-1) \subset M$ respectively express the set of memory detectors at the moments $t$ and $t-1$; $M_{\mathrm{first}}$ is the set of initial memory detectors, which can be obtained from common malware; $M_{\mathrm{dead}}(t)$ is the set of memory detectors with false positives at the moment $t$; $f_{\mathrm{age2}}(M_{\mathrm{cloned}}(t))$ expresses the set of newly created memory detectors, where $f_{\mathrm{age2}}(X)$ ($X \subset B$) sets the age of each detector in $X$ to $\mathrm{age}_{\max}$; $M_{\mathrm{cloned}}(t)$ is the set of activated memory detectors at time $t$.

2.5.6. Antigen Detection.

$$
AG(t) = \begin{cases}
AG_{\mathrm{first}}, & t = 0, \\
\bigl(AG(t-1) - AG_{\mathrm{self}}(t) - AG_{\mathrm{nonself}}(t)\bigr) \cup AG_{\mathrm{new}}(t), & t > 0,
\end{cases}
$$
$$
AG_{\mathrm{nonself}}(t) = \bigl\{x \mid x \in AG_{\mathrm{checked}}(t) \wedge \exists y \in (T_{\mathrm{cloned}}(t) \cup M_{\mathrm{cloned}}(t))\,(\mathrm{affinity}(y.ab, x) = 1)\bigr\},
$$
$$
AG_{\mathrm{self}}(t) = \bigl\{x \mid x \in AG_{\mathrm{checked}}(t) \wedge \forall y \in (T(t) \cup M(t))\,(\mathrm{affinity}(y.ab, x) = 0)\bigr\},
\tag{13}
$$


where $AG(t), AG(t-1) \subset AG$ respectively express the set of antigens at the moments $t$ and $t-1$; $AG_{\mathrm{first}}$ is the set of initial antigens; $AG_{\mathrm{checked}}(t) \subset AG(t)$ expresses the antigens to be checked at the moment $t$.

3. Performance Analysis of the Model

Set the number of programs in a computer as $N_p$, and usually the proportion of nonselves is $\rho$. The size of the self set is $|S|$, the size of the mature detector set is $|T|$, and the size of the memory detector set is $|M|$. The matching probability between any given detector and any given antigen is $P_m$ (which is related to the specific matching rule). $P(A)$ is the probability of occurrence of event $A$.

Theorem 5. For any detector which passes the self-tolerance, the probability of this detector matching those selves which are not described is $P_n = (1 - P_m)^{|S|} \cdot \bigl(1 - (1 - P_m)^{N_p \cdot (1-\rho) - |S|}\bigr)$.

Proof. Set that $A$ is the event "the given detector does not match any self in the self set" and $B$ is the event "the given detector matches at least one self in the undescribed self set". It is clear that a detector from $A$ is self-tolerated and a detector from $B$ may not be self-tolerated; $P_n = P(A)P(B)$. In the event $A$, the number of times $X$ that detectors match selves follows the binomial distribution, that is to say, $X \sim b(n, p)$ where $n = |S|$, $p = P_m$. Then $P(A) = P(X = 0) = (P_m)^0 (1 - P_m)^{|S|} = (1 - P_m)^{|S|}$. In a similar way, in the event $B$, the number of times $Y$ that detectors match selves follows the binomial distribution, that is to say, $Y \sim b(n, p)$ where $n = N_p \cdot (1-\rho) - |S|$, $p = P_m$. Then $P(B) = 1 - P(Y = 0) = 1 - (1 - P_m)^{N_p \cdot (1-\rho) - |S|}$. So $P_n = P(A)P(B) = (1 - P_m)^{|S|} \cdot \bigl(1 - (1 - P_m)^{N_p \cdot (1-\rho) - |S|}\bigr)$.

Theorem 6. For any given nonself antigen ag, the probability of this antigen being identified correctly is $P_r = 1 - (1 - P_m)^{(|M|+|T|)(1-P_n)} \approx 1 - e^{-P_m(|M|+|T|)(1-P_n)}$.

Proof. Set that $A$ is the event "ag matches some memory detector or some mature detector which is triggered by danger signals"; $P_r = P(A)$. In the event $A$, the number of times $X$ that antigens match detectors follows the binomial distribution, $X \sim b(n, p)$, where $n = (|M| + |T|)(1 - P_n)$, $p = P_m$. The memory detectors and mature detectors which recognize selves cannot identify nonselves, so they are not counted. Then $P_r = P(A) = 1 - P(X = 0) = 1 - (1 - P_m)^{(|M|+|T|)(1-P_n)}$. According to the Poisson theorem, when $P_m$ is small and $(|M| + |T|)(1 - P_n)$ is large, $P_r \approx 1 - e^{-P_m(|M|+|T|)(1-P_n)}$.

Theorem 7. For any given nonself antigen ag, the probability of a false negative with this antigen is $P_{\mathrm{neg}} = (1 - P_m)^{(|M|+|T|)(1-P_n)} \approx e^{-P_m(|M|+|T|)(1-P_n)}$; for any given self antigen ag, the probability of a false positive with this antigen is $P_{\mathrm{pos}} = 1 - (1 - P_m)^{(|M|+|T|)P_n} \approx 1 - e^{-P_m(|M|+|T|)P_n}$.

Proof. By Theorem 6, $P_{\mathrm{neg}} = 1 - P_r = (1 - P_m)^{(|M|+|T|)(1-P_n)} \approx e^{-P_m(|M|+|T|)(1-P_n)}$. Set that $A$ is the event "the given self matches some memory detector or mature detector". Then $P_{\mathrm{pos}} = P(A)$. In event $A$, the number of times $X$ that selves match detectors follows the binomial distribution, $X \sim b(n, p)$, where $n = (|M| + |T|)P_n$, $p = P_m$. So $P_{\mathrm{pos}} = P(A) = 1 - P(X = 0) = 1 - (1 - P_m)^{(|M|+|T|)P_n}$. According to the Poisson theorem, when $P_m$ is small and $(|M| + |T|)P_n$ is large, $P_{\mathrm{pos}} \approx 1 - e^{-P_m(|M|+|T|)P_n}$.

Figure 4: Effect of $N_p$ and $|S|$ on $P_n$ ($P_m = 0.025625$, $\rho = 0.01$).

Theorem 8. Selves of the model are completely described at the macrolevel. The spatial complexity of the dynamic tolerance model producing a fixed number of mature detectors is constant, and the time complexity is linear in the number of detectors (excluding immature detectors).

Proof. According to (8), the self set evolves with a fixed length of time slice. With the passage of time, $\bigcup_{t=0}^{\infty} S(t)$ will cover the entire self space, which is to say the description of selves at the macrolevel is complete. Moreover, the size of the self set is limited to $\mathrm{size}_{\max}$. Without loss of generality, considering the extreme case, the number of selves is $|S(t)| = \mathrm{size}_{\max}$. D'haeseleer et al. [16] pointed out that, for an arbitrary matching rule, the spatial complexity of producing a fixed number of mature detectors is $O(l \cdot \mathrm{size}_{\max})$ and the time complexity is $O\bigl((-\ln(P_{\mathrm{neg}}) / (P_m \cdot (1 - P_m)^{\mathrm{size}_{\max}})) \cdot \mathrm{size}_{\max}\bigr)$. For a specific matching algorithm, $P_m$ is constant. By Theorem 7, $P_{\mathrm{neg}} \approx e^{-P_m(|M|+|T|)(1-P_n)}$. By Theorem 5, $P_n = (1 - P_m)^{\mathrm{size}_{\max}} \cdot \bigl(1 - (1 - P_m)^{N_p \cdot (1-\rho) - \mathrm{size}_{\max}}\bigr)$. So the time complexity of producing a fixed number of mature detectors is $O\bigl((-\ln(P_{\mathrm{neg}}) / (P_m \cdot (1 - P_m)^{\mathrm{size}_{\max}})) \cdot \mathrm{size}_{\max}\bigr) = O\bigl(((|M| + |T|)(1 - P_n) / (1 - P_m)^{\mathrm{size}_{\max}}) \cdot \mathrm{size}_{\max}\bigr) = O\bigl((|M| + |T|) \cdot ((1 - P_n) \cdot \mathrm{size}_{\max}) / (1 - P_m)^{\mathrm{size}_{\max}}\bigr)$. That is to say, the time complexity of producing a fixed number of mature detectors is linear in the number of memory detectors and mature detectors.

For a specific matching rule, $P_m$ is constant [17]. For the $r$-contiguous bit matching method, $P_m = 0.025625$. Figures 4 and 5 are the Matlab simulations of Theorem 5. As can be seen from the figures, when $|S|$ is large enough, the effect of $N_p$ and $\rho$ on $P_n$ is small. When $|S| = 200$, $N_p = 500$, $\rho = 0.01$, $P_n < 1\%$ reaches the ideal value.

Figure 6 is the Matlab simulation of Theorem 6. As can be seen from the figure, when $|M|$ and $|T|$ become large, $P_r$ increases.

Figure 5: Effect of $\rho$ and $|S|$ on $P_n$ ($P_m = 0.025625$, $N_p = 400$).

Figure 6: Effect of $|M|$ and $|T|$ on $P_r$ ($P_m = 0.025625$, $P_n = 0.01$).

Figures 7 and 8 are the Matlab simulations of Theorem 7. As can be seen from the figures, with the rise of $|M|$ and $|T|$, $P_{\mathrm{neg}}$ decreases and $P_{\mathrm{pos}}$ increases.

Considering the simulations of Theorems 5, 6, and 7, when $|S| = 200$, $N_p = 500$, $\rho = 0.01$, $|M| = 100$, and $|T| = 100$, the values $P_n < 1\%$, $P_r > 95\%$, $P_{\mathrm{neg}} < 1\%$, and $P_{\mathrm{pos}} < 5\%$ reach the ideal values.
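Theorems 5 to 7 evaluated numerically for the parameter set the text calls ideal, as an added Python example that is not from the paper; it also inverts Theorem 7 to give the smallest $|M| + |T|$ that keeps $P_{\mathrm{neg}}$ below a target. The formulas and $P_m = 0.025625$ are the paper's; the function and parameter names are ours.

```python
import math


def p_n(pm: float, s: int, np_: int, rho: float) -> float:
    """Theorem 5: a self-tolerated detector matches an undescribed self."""
    undescribed = np_ * (1 - rho) - s
    return (1 - pm) ** s * (1 - (1 - pm) ** undescribed)


def p_r(pm: float, m: int, t: int, pn: float, poisson: bool = False) -> float:
    """Theorem 6: a nonself antigen is identified correctly. The exact
    binomial form by default, the Poisson approximation on request."""
    n = (m + t) * (1 - pn)
    return 1 - math.exp(-pm * n) if poisson else 1 - (1 - pm) ** n


def p_neg(pm: float, m: int, t: int, pn: float, poisson: bool = False) -> float:
    """Theorem 7: false negative for a nonself antigen, i.e. 1 - P_r."""
    return 1 - p_r(pm, m, t, pn, poisson)


def p_pos(pm: float, m: int, t: int, pn: float, poisson: bool = False) -> float:
    """Theorem 7: false positive for a self antigen."""
    n = (m + t) * pn
    return 1 - math.exp(-pm * n) if poisson else 1 - (1 - pm) ** n


def evaluate(pm: float = 0.025625, s: int = 200, np_: int = 500,
             rho: float = 0.01, m: int = 100, t: int = 100) -> dict:
    """All four quantities for one parameter set (defaults are the text's
    ideal case) plus the ideal-value checks P_n < 1%, P_r > 95%,
    P_neg < 1%, P_pos < 5%."""
    pn = p_n(pm, s, np_, rho)
    out = {
        "P_n": pn,
        "P_r": p_r(pm, m, t, pn),
        "P_neg": p_neg(pm, m, t, pn),
        "P_pos": p_pos(pm, m, t, pn),
        "P_r_poisson": p_r(pm, m, t, pn, poisson=True),
        "P_pos_poisson": p_pos(pm, m, t, pn, poisson=True),
    }
    out["ideal"] = (out["P_n"] < 0.01 and out["P_r"] > 0.95
                    and out["P_neg"] < 0.01 and out["P_pos"] < 0.05)
    return out


def detectors_for_target(pm: float, pn: float, target_p_neg: float) -> int:
    """Invert Theorem 7: smallest |M|+|T| with P_neg <= target_p_neg.
    From (1-pm)^((m+t)(1-pn)) <= target, both logarithms are negative."""
    return math.ceil(math.log(target_p_neg) / ((1 - pn) * math.log(1 - pm)))


if __name__ == "__main__":
    res = evaluate()
    for k, v in res.items():
        print(f"{k:>14}: {v}")
    print("min |M|+|T| for P_neg <= 1%:",
          detectors_for_target(0.025625, res["P_n"], 0.01))
```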

4. Experimental Results and Analysis

In this section, we verify the validity of IB-IDS through experiments, including security analysis, the effect on the performance of programs after adding IB-IDS to the Xen virtual machine system, and the intrusion detection efficiency of IB-IDS. The experimental environment is as follows. All tests were performed on a ThinkPad T540p notebook. The hardware configuration is an Intel Core i5-4300M 2.60 GHz quad-core CPU and 8 GB of physical memory. The Xen version is 4.4.1, which manages two domains: the privileged VM dom0 and the guest VM dom1. These two virtual machines run Ubuntu 14.04, and the Linux kernel version is 3.13.0.19. Dom0 is allocated four VCPUs and 4 GB of physical memory, and its CPU scheduling weight is set to 256, while Dom1 is allocated four VCPUs and 1 GB of physical memory, and its CPU scheduling weight is set to 256.

In IB-IDS, the parameters are set as follows. Danger signal parameters $k_1 = 1$, $k_2 = 0.5$, $k_3 = -1.5$, and the radius of the danger zone $r_{\mathrm{danger}} = 0.5$. Experiments were run 10 times and the averaged results were taken.

Figure 7: Effect of $|M|$ and $|T|$ on $P_{\mathrm{neg}}$ ($P_m = 0.025625$, $P_n = 0.01$).

Figure 8: Effect of $|M|$ and $|T|$ on $P_{\mathrm{pos}}$ ($P_m = 0.025625$, $P_n = 0.01$).

4.1. Security Analysis. In the architecture description of the model, each module is distributed in a different virtual machine. In domU, data is collected and then passed to dom0 through the interdomain communication mechanism. The authorization list of Xen makes sure that a domain's memory space can only be accessed by its authorized domain. In the model, domU is the owner of a ring sharing buffer, and dom0 holds the only granted permission; other domains cannot access it. Therefore, data will not be leaked to other unauthorized domains, and the data transfer process is safe.

In paravirtualized Xen, domU accesses the hardware indirectly through dom0. To ensure the safety of the immune calculation, the model passes data to dom0 for computation. In this model, we assume that the privileged virtual machine is a trusted node.

Some traditional intrusion detection tools typically need to be deployed in a client virtual machine. Because the client virtual machine is not a trusted node and is exposed to various attacks, the detection tools are also vulnerable. In this model, we assume that the virtual machine monitor is also a trusted node. The memory space of the two modules which are deployed in domU is monitored by the virtual machine monitor.

Therefore, the monitoring process and results of the model are reliable.

4.2. Performance Evaluations of the Model. The introduction of IB-IDS into a virtual machine system will obviously bring some performance cost. In cloud computing, many applications are executed concurrently. Therefore, this section first uses an appropriate performance test to assess the impact of IB-IDS on parallel programs. In our tests we used the classic SPLASH-2 program group [18, 19]. The programs are written in C, are composed of 12 benchmarks, and use the PThread parallel mode. We randomly selected five programs for testing, and Table 1 gives a brief introduction.

Table 1: Illustrations of tested parallel programs.

Program name | Meaning | Parameter settings
FFT | Computing a fast Fourier transform | m = 22, p = 2, n = 65536, l = 4
LU | Splitting a sparse matrix into a product of a lower triangular matrix and an upper triangular matrix | p = 2, n = 2048, b = 16
Ocean | Simulating movements of an entire ocean through the edge of the ocean currents (noncontiguous block allocation method) | p = 4, n = 258, t = 380, e = 1e-09
Raytrace | Path simulation of lights | p = 4, envfile = ball4
Barnes | Simulating a three-dimensional multibody system (e.g., galaxies) | p = 2, fleaves = 2

Figure 9: Testing of parallel programs (compute time in ms for FFT, LU, Ocean, Raytrace, and Barnes, with and without IB-IDS).

Figure 9 shows the contrast of the five benchmarks with IB-IDS loaded and unloaded. As can be seen from the figure, the calculation time of dom1 is longer than in the original system, and the average increase is 7.33%, up to 10.86% on the LU program, which indicates that the additional cost of the virtual machine system with integrated IB-IDS is very small and in the acceptable range. Applying IB-IDS to cloud computing platforms will not have a significant impact on parallel applications.

In IB-IDS, the main performance overhead of domU comes from the antigen presenting module and the signal acquisition module, as well as the operation of passing data to dom0 through the inter-virtual-machine communication mechanism. These acts are performed regularly and the cost is limited. For example, the antigen presenting module is a proactive monitoring program on system call sequences and is not triggered by every system call; the signal acquisition module is the same. Through the event channel, domU puts antigens and environmental status into the ring buffer, and only if the ring buffer is empty will it notify dom0, which causes a context switch between domU and dom0. If there is data in the ring buffer, dom0 keeps reading, and domU's notification is not required. So the overhead of context switching is limited. In addition, the implementations of the immune response module, signal measurement module, and information monitoring module increase the performance overhead of dom0, and their impact on domU can be ignored.

Then we test the impact of IB-IDS on computation intensive applications. In our tests we used the SPEC (Standard Performance Evaluation Corporation) CPU2000 benchmark suite [20]. The programs include two parts. One is CINT2000, for integer computation intensive applications. The other is CFP2000, for floating-point applications. We chose CINT2000, which has 12 applications, randomly selected five programs for testing, and Table 2 gives a brief introduction.

Figure 10 shows the contrast of the five benchmarks with IB-IDS loaded and unloaded. As can be seen from the figure, the calculation time of dom1 is longer than in the original system, and the average increase is 9.12%, up to 11.48% on the 254.gap program. Compared with the parallel programs, the influence of IB-IDS on the virtual machine is larger, but it is still in the acceptable range. So IB-IDS can be integrated in the computation intensive program scenario of cloud computing.

Finally, we test the impact of IB-IDS on a web server. In our tests, DomU runs the web server, which is composed of the Apache HTTP server and PHP. We use the httperf tool [21] to generate continuous network requests that can cause the server to be overloaded. Using the autobench tool [22], we can run httperf many times, increase the number of requests per second, and extract the output of the httperf results. Figure 11 shows the contrast of server responses with IB-IDS loaded and unloaded. As can be seen, when the frequency of HTTP requests increases, the response time of the server after the introduction of IB-IDS rises. When the HTTP request frequency is 100, the increase in time is less than 0.5 s, which is acceptable. Therefore, in a cloud computing platform with a deployed web server, the IB-IDS system can also be applied.

Table 2: Illustrations of tested computation intensive programs.

Program name | Meaning
164.gzip | The compression and decompression operations of a set of files
175.vpr | According to specific algorithms, placement and routing operations for field-programmable gate array circuits
186.crafty | Chess program finding the next move in view of the board layout
252.eon | Probabilistic ray tracing used to create a 3D object image
254.gap | Solving the problem of correlation analysis and calculation of discrete mathematics

Figure 10: Testing of computation intensive programs (compute time in s for 164.gzip, 175.vpr, 186.crafty, 252.eon, and 254.gap, with and without IB-IDS).

4.3. Comparisons of Detection Rates and False Alarm Rates. This section tests the ability of IB-IDS to detect attacks. The experiments adopt the detection rate (DR) and the false alarm rate (FAR) to measure the effectiveness of the system and to compare with the ARTIS model proposed by Glickman et al. [17]. As a general computer immune system, that model has the characteristics of diversity, distribution, dynamic learning, adaptability, and self-monitoring. It consists of a series of lymph nodes, and each node independently completes the immune function. Each node contains multiple detectors (a detector is a blend of the nature of B cells, T cells, and antibodies). The ARTIS model draws on a variety of biological immune mechanisms, and costimulation and the dynamic evolution of detectors (immature ones, mature ones, and memory ones) make it learn continuously. The model has been successfully applied in intrusion detection, virus identification, pattern recognition, and so forth [17, 23]. Figure 12 shows the life cycle of detectors.

Figures 13 and 14 show comparisons of DR and FAR for IB-IDS and ARTIS in the simulation environment. In Figure 13, the experiments adopt data with 60 nonselves in every 100 antigens, where 30 nonselves are just confirmed. This means that previously this type of antigen was considered to be self (normal procedure) and is now thought of as nonself (abnormal procedure), for example, when some attack process is unloaded instantly and stops providing related services. In Figure 14, the experiments adopt data with 40 selves in every 100 antigens, where 20 nonselves are just defined, for example, when some new processes are loaded to provide new services. The experimental results show that IB-IDS has a higher DR and a lower FAR.

Figure 11: Testing of web server load (response time in ms against request rate, with and without IB-IDS).

Then we adopt the wu-ftpd 2.6.0 program, the sendmail 8.12.0 program, and some typical rootkits in Linux, which are widely deployed, as anomaly detection applications. Attacks against wu-ftpd are the scripting attack on the file name matching vulnerability, the attack of getting around access restrictions, the scripting attack on the site exec vulnerability, and so on. Attacks against sendmail are the sccp attack, decode attack, remote buffer overflow attack, and so on. Some of the representative rootkits include the simple hook rootkit, inline hook rootkit, inline hook complex rootkit, and so on. Simple hook rootkit: a rootkit of this type modifies the system call function's entry address to point to a malicious function; when the corresponding system call is called, the malicious function is executed instead of the original system call function. Inline hook rootkit: a rootkit of this type does not modify the system call table entry address but replaces a few bytes at the beginning of the system call function with a jump statement; compared with the simple hook rootkit, this rootkit is more subtle. Inline hook complex rootkit: a rootkit of this type does not replace the first bytes of the system call function with jump statements but other bytes, for example, bytes in the middle. Table 3 lists the DRs and FARs of IB-IDS and ARTIS, with variances in parentheses. As can be seen from the table, IB-IDS has high detection rates and low false alarm rates under the various attacks and is feasible for judging applications in client virtual machines.

Figure 12: The life cycle of detectors in ARTIS (states: randomly generated detectors, immature detectors, mature detectors, memory detectors, dead; transitions: not match selves, match selves, match antigens, activate, costimulation, no costimulation, match enough, too old).

Figure 13: Comparisons of DR for IB-IDS and ARTIS (detection rate in % over time).

5. Conclusions

Cloud computing platforms are usually based on virtual machines as the underlying architecture; the security of virtual machine systems is the core of cloud computing security.

Figure 14: Comparisons of FAR for IB-IDS and ARTIS (false alarm rate in % over time).

Current studies on the security of user programs and the vulnerabilities of virtual monitors cannot accurately judge the real state of the client application in the virtual machine. At the same time, the proposed defense methods are only for specific attacks and vulnerabilities and cannot effectively deal with threats from other attacks. This paper presents an immune-based intrusion detection model in virtual machines of the cloud computing environment to ensure the safety of user-level applications in client virtual machines. The model extracts the system call sequences and their parameters of programs, abstracts them into antigens, and fuses environmental information of guest virtual machines into danger signals in client VMs. Then immune responses are performed in the privileged VM. During the detection process, the information monitoring mechanism is executed in the VMM. Experimental results show that the model brings a small performance overhead for the virtual machine system and has good detection performance. It is applicable to judge the state of user-level applications in guest virtual machines, and it is feasible to use it to increase the user-level security in software services of cloud computing platforms.

Table 3: Detection results (DR and FAR in %, variances in parentheses).

Process | ARTIS DR | ARTIS FAR | IB-IDS DR | IB-IDS FAR
wu-ftpd: file name matching vulnerability | 76.12 (5.11) | 10.28 (4.17) | 96.55 (1.14) | 7.22 (1.22)
wu-ftpd: site exec vulnerability | 79.87 (2.45) | 9.87 (5.32) | 97.31 (1.23) | 6.65 (2.01)
wu-ftpd: attack of getting around access restrictions | 77.54 (4.77) | 12.75 (3.74) | 97.02 (1.08) | 7.43 (1.67)
sendmail: sccp attack | 74.52 (3.56) | 14.62 (3.41) | 98.11 (1.25) | 5.15 (1.63)
sendmail: decode attack | 81.21 (4.84) | 15.72 (3.87) | 98.35 (1.01) | 5.42 (1.69)
sendmail: remote buffer overflow attack | 82.45 (5.46) | 12.84 (5.63) | 98.78 (1.14) | 5.80 (1.28)
rootkit: simple hook rootkit | 85.15 (5.16) | 9.41 (4.12) | 99.99 (0) | 0 (0)
rootkit: inline hook rootkit | 82.45 (6.82) | 10.75 (8.20) | 99.99 (0) | 0 (0)
rootkit: inline hook complex rootkit | 75.14 (5.23) | 9.56 (6.77) | 95.84 (2.42) | 3.78 (2.89)

Conflicts of Interest

The authors declare that there are no conflicts of interest.

Acknowledgments

The authors would like to acknowledge the Sichuan Agricultural University Double Support Project for providing financial aid.

References

[1] A. Haeberlen, P. Aditya, R. Rodrigues, and P. Druschel, "Accountable virtual machines," in Proceedings of the 9th USENIX Symposium on Operating Systems Design and Implementation (OSDI '10), 2010.

[2] B. D. Payne, M. Carbone, M. Sharif, and W. Lee, "Lares: an architecture for secure active monitoring using virtualization," in Proceedings of the 2008 IEEE Symposium on Security and Privacy (SP), pp. 233–247, Oakland, Calif, USA, May 2008.

[3] M. I. Sharif, W. Lee, W. Cui, and A. Lanzi, "Secure in-VM monitoring using hardware virtualization," in Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS '09), pp. 477–487, Chicago, Ill, USA, November 2009.

[4] Z. Wang, X. Jiang, W. Cui, and P. Ning, "Countering kernel rootkits with lightweight hook protection," in Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS '09), pp. 545–554, Chicago, Ill, USA, November 2009.

[5] O. S. Hofmann, A. M. Dunn, S. Kim, I. Roy, and E. Witchel, "Ensuring operating system kernel integrity with OSck," in Proceedings of the 16th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS 2011), pp. 279–290, Newport Beach, Calif, USA, March 2011.

[6] A. Baliga, V. Ganapathy, and L. Iftode, "Detecting kernel-level rootkits using data structure invariants," IEEE Transactions on Dependable and Secure Computing, vol. 8, no. 5, pp. 670–684, 2011.

[7] S. Bharadwaja, W. Sun, M. Niamat, and F. Shen, "Collabra: a Xen hypervisor based collaborative intrusion detection system," in Proceedings of the 2011 8th International Conference on Information Technology: New Generations (ITNG 2011), pp. 695–700, Las Vegas, NV, USA, April 2011.

[8] A. Srivastava, A. Lanzi, J. Giffin, and D. Balzarotti, "Operating system interface obfuscation and the revealing of hidden operations," Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 6739, pp. 214–233, 2011.

[9] J. Szefer, E. Keller, R. B. Lee, and J. Rexford, "Eliminating the hypervisor attack surface for a more secure cloud," in Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS '11), pp. 401–412, Chicago, Ill, USA, October 2011.

[10] H. Benzina and J. Goubault-Larrecq, "Some ideas on virtualized system security, and monitors," in Data Privacy Management and Autonomous Spontaneous Security, vol. 6514 of Lecture Notes in Computer Science, pp. 244–258, Springer, Berlin, Heidelberg, Germany, 2011.

[11] L. Wang, H. Gao, W. Liu, and Y. Peng, "Detecting and managing hidden process via hypervisor," Jisuanji Yanjiu yu Fazhan/Computer Research and Development, vol. 48, no. 8, pp. 1534–1541, 2011.

[12] P. Barham, B. Dragovic, K. Fraser, et al., "Xen and the art of virtualization," in Proceedings of the 19th ACM Symposium on Operating Systems Principles (SOSP '03), pp. 164–177, New York, NY, USA, October 2003.

[13] D. Chisnall, The Definitive Guide to the Xen Hypervisor, Prentice Hall Press, Upper Saddle River, NJ, USA, 2007.

Mobile Information Systems 15

[14] S. Forrest, A. Perelson, L. Allen, and R. Cherukuri, "Self-nonself discrimination in a computer," in Proceedings of the 1994 IEEE Computer Society Symposium on Research in Security and Privacy, pp. 202–212, Oakland, Calif, USA.

[15] D. Li, C. Y. Liu, Y. Du, and X. Han, "Artificial intelligence with uncertainty," Journal of Software, vol. 15, no. 11, article 2, 2004.

[16] P. D'haeseleer, S. Forrest, and P. Helman, "An immunological approach to change detection: algorithms, analysis and implications," in Proceedings of the 1996 IEEE Symposium on Security and Privacy, pp. 110–119, Oakland, Calif, USA.

[17] M. Glickman, J. Balthrop, and S. Forrest, "A machine learning evaluation of an artificial immune system," Evolutionary Computation, vol. 13, no. 2, pp. 179–212, 2005.

[18] S. Woo, M. Ohara, E. Torrie, J. Singh, and A. Gupta, "The SPLASH-2 programs: characterization and methodological considerations," in Proceedings of the 22nd Annual International Symposium on Computer Architecture, pp. 24–36, Santa Margherita Ligure, Italy.

[19] J. P. Singh, W. Weber, and A. Gupta, "SPLASH," ACM SIGARCH Computer Architecture News, vol. 20, no. 1, pp. 5–44, 1992.

[20] Standard Performance Evaluation Corporation, http://www.spec.org.

[21] httperf, http://www.hpl.hp.com/research/linux/httperf.

[22] autobench, http://www.xenoclast.org/autobench.

[23] J. Balthrop, S. Forrest, M. E. J. Newman, and M. M. Williamson, "Technological networks and the spread of computer viruses," Science, vol. 304, no. 5670, pp. 527–529, 2004.


run in an untrusted guest VM. To achieve the same security as the out-of-VM monitoring method, this framework uses the hardware memory protection mechanism and hardware virtualization technology. In the guest VM, a memory space protected by the VM monitor is set aside and used by the safety monitoring program under controlled conditions. This framework requires hardware virtualization support.

Wang et al. [4] put forward a lightweight system named HookSafe, based on the VM monitor, which is mainly used to monitor rootkit attacks on kernel space. A rootkit attack modifies control data or hook function addresses. Hooks are often dynamically allocated together with other data and scattered over noncontiguous memory areas, which calls for byte-level protection granularity, while the current hardware protection mechanism only provides page-level granularity. To solve this problem, HookSafe introduced a hook indirection layer which maps the hooks into a contiguous, page-aligned memory space and then uses the hardware protection mechanism to control access to that block of memory.

The work in [5, 6] is also used to detect kernel rootkits. The work in [5] monitors invariants in control-flow transfers and constant relationships in the data of uncontrolled flow. The work in [6] adopts the Daikon tool to infer invariants from data structures extracted from memory pages and monitors these invariants to determine the state of the kernel.

Bharadwaja et al. [7] analyzed the security issues raised by hypercalls in virtualized environments and proposed a Xen-based distributed intrusion detection system which filters hypercalls in the privileged domain to achieve security.

Srivastava et al. [8] studied rootkits that obfuscate system calls to attack virtual machine monitor (VMM) based monitoring and proposed a Xen-based monitoring system named Sherlock. The system observes call flows by adding observation points along the kernel execution path and automatically adjusts its sensitivity according to security needs.

Szefer et al. [9] proposed the NoHype system. The system does not require much involvement of the VMM: it runs VMs directly on the underlying hardware while still maintaining multiple virtual machines, in order to reduce the possibility of attacks between virtual machines and the security threats caused by vulnerabilities of the VMM. The main ideas are as follows: preallocating processor and memory resources, using virtualized I/O devices, small modifications of the client OS to perform checks during the system boot process, and preventing the client VM from indirect contact with the hardware.

Benzina and Goubault-Larrecq [10] pointed out that Domain 0 is an important weak point of a virtualization system and proposed a role-based access control model. This model describes illegitimate activity streams with simple temporal formulas, which reduces the threat of Domain 0 attacks such as Trojan horses.

Wang et al. [11] proposed a VMM-based method for detecting hidden processes. This method runs the detection tool outside the VM to be monitored and therefore has high security. It obtains the underlying status information of the monitored VMs through the VM introspection mechanism and reconstructs the process queues to determine malicious processes.

The above works studied the security of user programs in VMs and vulnerabilities of the VMM and proposed corresponding defensive methods. However, on careful analysis, current methods cannot accurately determine the real-time status of client VM applications or the security vulnerabilities of the VMM. Most of the proposed methods target particular attacks and vulnerabilities and cannot effectively deal with the threats of other attacks.

Inspired by the immune response mechanism and the danger theory of the biological immune system, this paper presents an immune-based intrusion detection model for virtual machines in the cloud computing environment, named IB-IDS. The main contributions of this model are as follows: (1) the model introduces danger theory into VM intrusion detection and defines the implementation of danger signals; (2) the model can monitor the state of applications and detect attacks on the dynamic runtime of applications, with high real-time performance; (3) the model monitors the whole intrusion detection process and makes sure that every module of the model is running safely; (4) the immune evolution mechanism and a performance analysis of the model are described, which shows that the model is effective theoretically. The remainder of this paper is organized as follows. The theories of the model, including the description of the architecture, the definitions of the model, the implementation mechanism of danger signals, the implementation mechanism of information monitoring, and the immune evolution model, are described in Section 2. The performance analysis of the model is shown in Section 3. The effectiveness of IB-IDS is verified in Section 4. Finally, the conclusion is given in the last section.

2. Theories of the Model

Virtualization technology is the foundation of cloud computing, and with the popularity of cloud computing it has received more and more attention. Virtualization lets many virtual machines run on one physical machine; each virtual machine runs its own operating system and applications and is well isolated from the other virtual machines. This is implemented by adding a layer of software called the virtual machine monitor (VMM) above the hardware. There is usually one virtual machine with relatively high authority, called the privileged virtual machine (privileged VM), which can manage and control the other client virtual machines (guest VMs) to a certain extent. Xen [12, 13] was developed by the University of Cambridge Computer Laboratory. It is an open-source project, is therefore widely used in academic research, and is also the basis of a number of cloud computing platforms such as Amazon EC2 and Eucalyptus. In Xen, the VMM is called the hypervisor and a VM is called a domain; the first domain, which starts together with the hypervisor, is called dom0, and the other domains are called domU, as shown in Figure 1.

For a virtual machine system, the most common attacks are basically carried out by exploiting certain vulnerabilities of the system, and these attacks are performed by a program or piece of software called malware (malicious software). Common malware includes viruses, worms, Trojan horses, and rootkits. Some of them are user-mode malicious processes which do not affect the operating system kernel; some lurk in the kernel or in a process and modify its memory space. When the system has no defense, it is vulnerable to attack. For example, when a program runs, we cannot be sure whether changes to dynamic data structures in the kernel region are legitimate or the result of an intrusion. The proposed model can detect these kinds of malware.

Figure 1: Xen virtual machine system. From bottom to top: hardware; hypervisor (VMM); Dom 0 and the Dom U domains, each running its own OS kernel and applications.

2.1. Description of the Architecture. Due to the high privilege level and relatively streamlined structure of the privileged VM and the hypervisor, it is assumed that these two are safe. This is a trust assumption rather than a guarantee: as noted in the discussion of [10], Domain 0 is itself an important attack target, so its attack surface should be kept minimal. The main intention of this model is to ensure the safety of user-level applications in the guest VM. The architecture of IB-IDS is shown in Figure 2. It is divided into four levels, the underlying hardware layer, the VMM layer, the privileged VM layer, and the guest VM layer, and the modules of the model are distributed across these four levels. In order to reduce context switching between dom0 and domU and to allow fine-grained monitoring, the antigen presenting module and the signal acquisition module are deployed in every guest VM. The immune response module and the signal measurement module are deployed in the privileged VM. These two modules do not need to communicate with domU directly and just fetch data on a regular basis during execution; deploying them separately in dom0 reduces the performance cost and improves the security of dom0. The information monitoring module is deployed in the VMM. Because the guest VM is not trusted, the model introduces the information monitoring module to supervise the running of the antigen presenting module and the signal acquisition module, ensuring the safety of the detection process.

The detection process is as follows. First, the antigen presenting module monitors the execution of user-level applications in the client VMs, extracts critical data as antigens, and delivers them to the immune response module in the privileged VM through the inter-VM communication mechanism. Meanwhile, the signal acquisition module collects environmental information while the program executes and transmits it to the signal measurement module in the privileged VM. These operations are performed on a regular basis. Then the immune response module evaluates, based on the set of memory antibodies, whether to trigger a secondary response; if it does, an intrusion has occurred. If the secondary response is not triggered, the signal measurement module evaluates the risk rating of the current environment through the cloud model, produces danger signals of different degrees, and then determines whether an intrusion is happening. If it is, the model starts a further initial (primary) response to eliminate the alien antigens. The information monitoring module runs periodically after the system starts, accessing the memory spaces of the antigen presenting module and the signal acquisition module in order to ensure that these two modules have not been attacked.

2.2. Model Definition. In the software system of virtual machines, all information can in the end be reduced to a binary string, and virtual machine intrusion detection is the classification of binary strings according to certain rules and a priori knowledge. Define the problem state space $\Omega = \bigcup_{i=1}^{\infty} \{0, 1\}^i$. Based on biological immune principles, we define the virtual system platform as the organism, the client virtual machines as immune tissues, and the user programs in the virtual machines as antigens. Define $\mathrm{AG} \subset \Omega$ as the collection of antigens. The aim of virtual machine intrusion detection is to differentiate patterns: given an input pattern $x$, $x \in \mathrm{AG}$, the system decides whether this pattern belongs to self or to nonself. Two kinds of mistakes can be made in this process: a false negative, which classifies nonself as self, and a false positive, which classifies self as nonself.

Forrest et al. [14] found that the execution of critical programs can be described by the sequence of system calls, also called the execution trace. System calls reflect the behavioral characteristics of a program to some extent, and the execution trace is locally stable while the program is running. Taking system calls and their parameters into account (a Linux system call takes at most six parameters), we define the process ID together with the short sequence of system calls and their parameters as the gene fragments of antigens.

Definition 1. The antigen is defined as a triple $\mathrm{ag} = \langle \mathrm{gid}, \mathrm{pid}, \langle x_1, x_2, \ldots, x_k \rangle \rangle$, which represents the feature vector in the solution space of the problem domain.

Figure 2: Structure of the intrusion detection model. Guest VM: antigen presenting module and signal acquisition module; privileged VM: immune response module and signal measurement module (together forming the intrusion detection system); hypervisor: information monitoring module; hardware at the bottom.

gid is the unique ID which identifies the client VM; pid is the process ID; $x_i = \langle \mathrm{sid}_i, p_{i1}, p_{i2}, \ldots, p_{il} \rangle$ $(i = 1, 2, \ldots, k)$ are the gene fragments of the antigen, where sid is the system call ID, $k$ is the length of the short system call sequence (that is, the encoded length of immune cells, which reflects the order relationships of system calls during execution), $p_{ij}$ is a parameter of a system call ($i = 1, 2, \ldots, k$; $j = 1, 2, \ldots, l$), and $l$ is the number of parameters. All the antigens in the space compose a collection $\mathrm{AG} = \bigcup_{i=1}^{\infty} \mathrm{ag}_i$.

It is assumed that the normal short sequences that can be recognized by the model form the self set $S$, all the unknown short sequences form $N$, the abnormal short sequences that produce danger signals form $D$, and the short sequences that are judged as intrusions form $I$.

Then $S \cap N = \emptyset$ and $S \cup N = \mathrm{AG}$. Danger theory does not distinguish between self and nonself; it only recognizes the intrusion set $I = D \cap N$, which triggers immune responses, and does not respond to the harmless set $D \cap S$.

Definition 2. Antibodies can recognize antigens and trigger specific immune responses. Antibodies have the same structure as antigens, are used for detecting and matching antigens, and are expressed as $\mathrm{ab} = \langle \mathrm{gid}, \mathrm{pid}, \langle x_1, x_2, \ldots, x_k \rangle \rangle$. The set of antibodies is defined as $\mathrm{AB} = \bigcup_{i=1}^{\infty} \mathrm{ab}_i$.

Definition 3. The matching rule, which is the affinity of antibody and antigen, indicates the binding strength between antibody and antigen. In this paper we propose an improved $r$-contiguous-bit matching method:

$$\mathrm{affinity}(\mathrm{ab}, \mathrm{ag}) = \begin{cases} 1, & \dfrac{1}{k} \sum_{i=1}^{k} f(\mathrm{ab}.x_i, \mathrm{ag}) \ge \beta,\ \mathrm{ag.gid} = \mathrm{ab.gid},\ \mathrm{ag.pid} = \mathrm{ab.pid} \\ 0, & \text{otherwise} \end{cases} \tag{1}$$

where $\beta$ is the matching threshold and $f(x, y)$ is the $r$-contiguous-bit match between an antibody gene fragment $x_i$ and the antigen:

$$f(x, y) = \begin{cases} 1, & \exists\, i, j:\ j - i \ge |x|,\ 0 < i \le j \le k \cdot (l + 1),\ x_i = y_j,\ x_{i+1} = y_{j+1},\ \ldots,\ x_{|x|} = y_{j+|x|-1} \\ 0, & \text{otherwise} \end{cases} \tag{2}$$

Figure 3: The immune mechanism of the model. Antigen gene fragments and VM environment information enter the system; the antibody gene lib G generates immature detectors U by gene coding; immature detectors undergo dynamic tolerance against the self set S (those that match self die) and become mature detectors T; mature detectors that are old enough die, while those triggered by danger signals clone and mutate into memory detectors M; genes of memory detectors are extracted into G and genes of dead memory detectors are deleted from it; the outcome for an antigen is self or nonself.

Definition 4. The detector set is defined as $B = \{\langle \mathrm{ab}, \mathrm{age} \rangle \mid \mathrm{ab} \in \mathrm{AB} \wedge \mathrm{age} \le \mathrm{age}_{\max}\}$, where ab is the antibody of the detector, age is the age of the detector, and $\mathrm{age}_{\max}$ is the maximum age of a detector. The detector set consists of immature detectors, mature detectors, and memory detectors. An immature detector, which has not yet been subjected to self-tolerance, evolves into a mature one when it passes self-tolerance. A mature detector becomes a memory detector after it is activated.

The immature detector set is defined as $U = \{x \mid x \in B \wedge x.\mathrm{age} < \gamma\}$, where $\gamma$ simulates the tolerance period. The mature detector set is defined as $T = \{x \mid x \in B \wedge \gamma \le x.\mathrm{age} < \mathrm{age}_{\max} \wedge \forall \mathrm{ag} \in S\ (\mathrm{affinity}(x.\mathrm{ab}, \mathrm{ag}) = 0)\}$. The memory detector set is defined as $M = \{x \mid x \in B \wedge x.\mathrm{age} = \mathrm{age}_{\max} \wedge \forall \mathrm{ag} \in S\ (\mathrm{affinity}(x.\mathrm{ab}, \mathrm{ag}) = 0)\}$.

In the detector generation process, if $\mathrm{affinity}(x, \mathrm{ag}) = 1$ for some $\mathrm{ag} \in S$, the detector $x$ describes self and would trigger an autoimmune reaction, so it must be removed. At the end of the process the remaining detectors can only describe elements of the nonself set. In the detection process, if $\mathrm{affinity}(x, \mathrm{ag}) = 1$ with $\mathrm{ag} \in I$, antigen ag is described by detector $x$, triggering the immune response.

Figure 3 shows the immune mechanism of the model. A new immature detector is generated by gene coding, and the immature detector evolves into a mature detector by negative selection (self-tolerance); if it matches self, it dies. A mature detector has a life cycle of fixed length. If it is activated by danger signals within its life cycle, it evolves into a memory detector and generates the primary response; otherwise it dies (removing those detectors which are useless against antigens). A memory detector has a long life cycle, and once it matches an antigen it is activated immediately and produces the secondary response.
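The antigen and antibody structure of Definitions 1 and 2, the matching of (1) and (2), and the negative-selection step of the detector life cycle just described, as an added Python example (this is not the paper's code; the system call traces, the VM identifier, the value of β, and all function names are constructed for illustration, and (2) is read as "fragment x occurs as a contiguous run inside the flattened antigen"):

```python
from dataclasses import dataclass
from typing import List, Tuple

# A gene fragment x_i = <sid, p_1, ..., p_l>: a system call ID followed by its parameters.
Gene = Tuple[object, ...]


@dataclass(frozen=True)
class Antigen:
    """ag = <gid, pid, <x_1, ..., x_k>> (Definition 1); antibodies share the structure (Definition 2)."""
    gid: str                 # client VM identifier
    pid: int                 # process ID inside that VM
    genes: Tuple[Gene, ...]  # k gene fragments (short system call sequence with parameters)


Antibody = Antigen


def flatten(ag: Antigen) -> Tuple[object, ...]:
    """Lay the k fragments out as one sequence of length k*(l+1): the y of Eq. (2)."""
    return tuple(v for g in ag.genes for v in g)


def f_match(x: Gene, y: Tuple[object, ...]) -> int:
    """Eq. (2): 1 if fragment x occurs as a contiguous run inside y, else 0."""
    n = len(x)
    return int(any(y[j:j + n] == tuple(x) for j in range(len(y) - n + 1)))


def affinity(ab: Antibody, ag: Antigen, beta: float) -> int:
    """Eq. (1): same VM and process, and at least a fraction beta of the antibody's fragments match."""
    if ab.gid != ag.gid or ab.pid != ag.pid:
        return 0
    y = flatten(ag)
    score = sum(f_match(x, y) for x in ab.genes) / len(ab.genes)
    return int(score >= beta)


@dataclass
class Detector:
    ab: Antibody
    age: int = 0


def negative_selection(candidates: List[Detector], self_set: List[Antigen], beta: float) -> List[Detector]:
    """Self-tolerance: an immature detector that recognises any self antigen dies; the survivors mature."""
    return [d for d in candidates if not any(affinity(d.ab, ag, beta) for ag in self_set)]


def detect(mature: List[Detector], ag: Antigen, beta: float) -> List[Detector]:
    """Detectors whose affinity with the presented antigen is 1 (candidates for an immune response)."""
    return [d for d in mature if affinity(d.ab, ag, beta)]


# Constructed sample data: a normal process in guest VM "domU-1" (hypothetical traces).
VM, PID, BETA = "domU-1", 1234, 0.6
SELF_SET = [
    Antigen(VM, PID, (("open", "/etc/hosts", "O_RDONLY"), ("read", 3, 4096), ("close", 3))),
    Antigen(VM, PID, (("write", 1, "ok\n"), ("close", 1), ("exit_group", 0))),
]
CANDIDATES = [
    # identical to a self sequence: matches self and must die
    Detector(Antibody(VM, PID, (("open", "/etc/hosts", "O_RDONLY"), ("read", 3, 4096), ("close", 3)))),
    # two of three fragments occur in self: score 2/3 >= beta, so it also dies
    Detector(Antibody(VM, PID, (("open", "/etc/hosts", "O_RDONLY"), ("read", 3, 4096), ("dup2", 4, 0)))),
    # shell spawn with a socket: nothing in self, survives as a mature detector
    Detector(Antibody(VM, PID, (("execve", "/bin/sh", "-c"), ("socket", "AF_INET", "SOCK_STREAM"), ("dup2", 4, 0)))),
]
ATTACK = Antigen(VM, PID, (("execve", "/bin/sh", "-c"), ("socket", "AF_INET", "SOCK_STREAM"), ("dup2", 4, 0)))
OTHER_VM = Antigen("domU-2", PID, ATTACK.genes)  # same trace from a different VM: gid mismatch, no match

if __name__ == "__main__":
    mature = negative_selection(CANDIDATES, SELF_SET, BETA)
    print(len(mature), "mature detector(s) after tolerance")
    print("attack detected:", bool(detect(mature, ATTACK, BETA)))
    print("other VM flagged:", bool(detect(mature, OTHER_VM, BETA)))
```

Raising β to 0.7 lets the second candidate survive tolerance, which is the trade-off the threshold controls: a lower β removes more detectors that partially resemble self (fewer false positives) at the cost of fewer detectors left to cover nonself.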

2.3. Implementation Mechanism of Danger Signals. Danger theory holds that danger signals, generated by environmental changes, result in various degrees of immune response, and the area around the signals is called the danger zone. The most important issue in introducing danger theory into intrusion detection systems is the definition of danger signals, that is, how to determine danger. In a virtual machine environment we select three environmental values as the basis for danger signals: the number of regular files, $N_{\mathrm{reg}}$ (a system variable), the memory ratio used by a process (Rss), and the number of open files reported by the lsof command, $N_{\mathrm{files}}$. Each is normalized to a real value in the interval $[0, 100]$.

For antigen $\mathrm{ag}_i$, the danger signal function $\mathrm{DS}(\mathrm{ag}_i)$ is defined below. It takes the three environmental values $N_{\mathrm{reg}}$, Rss, and $N_{\mathrm{files}}$ as inputs and generates the signal value at the location of the antigen:

$$\mathrm{DS}(\mathrm{ag}_i) = \frac{k_1 N_{\mathrm{reg}} + k_2\, \mathrm{Rss} - k_3 N_{\mathrm{files}}}{k_1 + k_2 + k_3}. \tag{3}$$

As can be seen, $N_{\mathrm{reg}}$ and Rss have a negative influence on the environment: an increase of $N_{\mathrm{reg}}$ or Rss indicates that the environment is damaged or that the possibility of damage is larger. $N_{\mathrm{files}}$ has a positive influence: an increase of $N_{\mathrm{files}}$ indicates that the environment is more likely to be normal.


The size of the danger zone limits the scope of the immune response; the immune cells in the region are activated to participate in the immune response. For antigen $\mathrm{ag}_i$, the danger zone function $\mathrm{DA}(\mathrm{ag}_i)$ is defined below. It returns the collection of mature detectors whose distance from $\mathrm{ag}_i$ is at most $r_{\mathrm{danger}}$:

$$\mathrm{DA}(\mathrm{ag}_i) = \left\{ x \;\middle|\; 1 - \frac{1}{k} \sum_{j=1}^{k} f(x.\mathrm{ab}.x_j, \mathrm{ag}_i) \le r_{\mathrm{danger}} \wedge x \in T \right\} \tag{4}$$

where $r_{\mathrm{danger}}$ is the radius of the danger zone.

How do we determine whether the environment is damaged according to the danger signals? We use the cloud model for this evaluation. The cloud model [15] is a probabilistic reasoning tool and a mathematical transformation model between a qualitative concept expressed by linguistic values and quantitative data; it has three numerical characteristics: expectation Ex, entropy En, and hyperentropy He. Based on the danger signal model, we use a cloud rule generator and a reverse cloud generator to carry out a qualitative analysis of the environment of the guest virtual machines. The rule generator consists of a front cloud and a rear cloud: the IF part, the condition of the rule, is realized by the front cloud, while the THEN part, the result of the rule, is realized by the rear cloud. The inputs of the front cloud are the values to be assessed, and its output is the membership degree of the rule activated by the sample, which is also the input of the rear cloud; the output of the rear cloud is the conclusion of the rule.

First, the danger signals $\mathrm{DS}(\mathrm{ag}_i)$ are sampled $m$ times in a safe state and in an attacked state. From the obtained cloud droplets we get the numerical characteristics of the front clouds, $(\mathrm{Ex}_{si}, \mathrm{En}_{si}, \mathrm{He}_{si})$ and $(\mathrm{Ex}_{di}, \mathrm{En}_{di}, \mathrm{He}_{di})$, through the reverse cloud generator. If the secure-state cloud and the dangerous-state cloud cover the entire state space, these two clouds suffice to determine the status of the system; this is the ideal situation. If the two clouds cannot cover the whole state space, the empty part must be divided, into a weak secure-state cloud and a weak dangerous-state cloud. In general, the closer a cloud is to the center of the universe of discourse, the smaller its entropy and hyperentropy, and the further it is from the center, the larger they are. For two clouds next to each other, the entropy and hyperentropy of the smaller one are 0.618 times those of the greater one; this is an empirical value. So we obtain $\mathrm{En}_{lsi}$, $\mathrm{En}_{ldi}$, $\mathrm{He}_{lsi}$, and $\mathrm{He}_{ldi}$. According to the "3En rule" of the cloud model, we can estimate the expectations of the weak secure-state cloud and the weak dangerous-state cloud as follows:

$$\mathrm{Ex}_{lsi} = \mathrm{Ex}_{si} + 3\,\mathrm{En}_{lsi} = \mathrm{Ex}_{si} + 3 \cdot 0.618\,\mathrm{En}_{si}, \tag{5}$$

$$\mathrm{Ex}_{ldi} = \mathrm{Ex}_{di} - 3\,\mathrm{En}_{ldi} = \mathrm{Ex}_{di} - 3 \cdot 0.618\,\mathrm{En}_{di}. \tag{6}$$

We design the rules listed below to build the rule generator. The environment state and its membership level then follow from the actual value of the danger signal.

Rule 1. IF the danger signal indicator is low, THEN the system is safe, no immune response is elicited, and the corresponding antibody can be deleted.

Rule 2. IF the danger signal indicator is comparatively low, THEN the system is relatively safe and no immune response is elicited.

Rule 3. IF the danger signal indicator is comparatively high, THEN the system is relatively in danger and an immune response is elicited.

Rule 4. IF the danger signal indicator is high, THEN the system is in danger, an immune response is elicited, and the corresponding mature antibody is added to the memory antibody collection.

When the secondary response is triggered, or danger signals trigger the primary response, antibodies mutate according to the immune response mechanism: new antibodies with higher affinity for the original antigens are generated in order to identify the danger more quickly, and antibodies with lower affinity are also generated and added to the immature antibody collection in order to maintain the diversity of the immune system.
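The danger signal of (3) and the cloud-model rule generator of (5), (6) and Rules 1 to 4, as an added Python example (not the paper's code). The reverse cloud generator follows the standard estimator of [15] (Ex from the sample mean, En from the mean absolute deviation, He from the residual variance); the training droplets, the normalization bounds, the weights k1..k3, and the choice to fire the rule with the highest front-cloud membership are constructed assumptions:

```python
import math
import random
from typing import Dict, Optional, Sequence, Tuple

Cloud = Tuple[float, float, float]  # (Ex, En, He)


def normalize(value: float, lo: float, hi: float) -> float:
    """Map a raw environment value onto [0, 100]; lo/hi are per-VM calibration bounds (assumed)."""
    return max(0.0, min(100.0, 100.0 * (value - lo) / (hi - lo)))


def danger_signal(n_reg: float, rss: float, n_files: float,
                  k: Tuple[float, float, float] = (1.0, 1.0, 1.0)) -> float:
    """Eq. (3): DS = (k1*N_reg + k2*Rss - k3*N_files) / (k1 + k2 + k3) over normalised inputs."""
    k1, k2, k3 = k
    return (k1 * n_reg + k2 * rss - k3 * n_files) / (k1 + k2 + k3)


def backward_cloud(samples: Sequence[float]) -> Cloud:
    """Reverse cloud generator [15]: estimate (Ex, En, He) from m cloud droplets."""
    m = len(samples)
    ex = sum(samples) / m
    en = math.sqrt(math.pi / 2) * sum(abs(x - ex) for x in samples) / m
    s2 = sum((x - ex) ** 2 for x in samples) / (m - 1)
    he = math.sqrt(abs(s2 - en * en))
    return ex, en, he


def weak_clouds(secure: Cloud, danger: Cloud) -> Tuple[Cloud, Cloud]:
    """Eqs. (5) and (6): weak clouds beside the secure and dangerous ones, En/He scaled by 0.618."""
    ex_s, en_s, he_s = secure
    ex_d, en_d, he_d = danger
    en_ls, he_ls = 0.618 * en_s, 0.618 * he_s
    en_ld, he_ld = 0.618 * en_d, 0.618 * he_d
    return (ex_s + 3 * en_ls, en_ls, he_ls), (ex_d - 3 * en_ld, en_ld, he_ld)


def membership(x: float, cloud: Cloud, rng: Optional[random.Random] = None) -> float:
    """Front (forward) cloud: degree to which droplet x belongs to the concept.
    The stochastic generator draws En' ~ N(En, He^2); with rng=None the expected curve (En' = En) is used."""
    ex, en, he = cloud
    en_p = en if rng is None else max(abs(rng.gauss(en, he)), 1e-9)
    return math.exp(-((x - ex) ** 2) / (2 * en_p ** 2))


LEVELS = ("low", "comparatively low", "comparatively high", "high")
RULES = {  # rear cloud: the conclusion of Rules 1-4
    "low": "safe; no immune response, the corresponding antibody may be deleted",
    "comparatively low": "relatively safe; no immune response",
    "comparatively high": "relatively in danger; elicit an immune response",
    "high": "in danger; elicit an immune response and add the mature antibody to the memory set",
}


def build_rule_generator(secure_samples, attacked_samples) -> Dict[str, Cloud]:
    """Sample DS m times in a safe and in an attacked state, then derive the four front clouds."""
    secure = backward_cloud(secure_samples)
    danger = backward_cloud(attacked_samples)
    weak_secure, weak_danger = weak_clouds(secure, danger)
    return dict(zip(LEVELS, (secure, weak_secure, weak_danger, danger)))


def classify(ds: float, clouds: Dict[str, Cloud], rng=None) -> Tuple[str, float, str]:
    """Rule generator: the rule whose front cloud gives the highest membership fires (assumed policy)."""
    level, mu = max(((lvl, membership(ds, c, rng)) for lvl, c in clouds.items()), key=lambda p: p[1])
    return level, mu, RULES[level]


# Constructed training droplets (m = 8 each): DS values seen in a safe and in an attacked guest VM.
SECURE_SAMPLES = [5, 10, 15, 20, 20, 25, 30, 35]
ATTACKED_SAMPLES = [65, 70, 75, 80, 80, 85, 90, 95]

if __name__ == "__main__":
    clouds = build_rule_generator(SECURE_SAMPLES, ATTACKED_SAMPLES)
    for name, (ex, en, he) in clouds.items():
        print(f"{name:>18}: Ex={ex:6.2f} En={en:5.2f} He={he:5.2f}")
    ds = danger_signal(normalize(900, 0, 1000), normalize(0.6, 0, 1), normalize(30, 0, 100))
    print("DS =", ds, "->", classify(ds, clouds))
```

With these droplets the two measured clouds sit at Ex = 20 and Ex = 80 and the weak clouds fill the gap at roughly 37 and 63; passing a seeded `random.Random` as `rng` reproduces the fuzzy, non-repeatable memberships of the real cloud generator, which is why a deployment should average several droplets per decision rather than classify on one draw.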

2.4. Implementation Mechanism of Information Monitoring. The antigen presenting module and the signal acquisition module are deployed in domU. Because Linux is an open-source operating system, these two modules can be added to domU's kernel. The information monitoring module is deployed in the VMM. To ensure the safety of the antigen presenting module and the signal acquisition module, the model accesses the memory spaces they occupy and computes a hash over the memory contents. The implementation has to solve two issues: first, how to find the memory space to which the antigen presenting module and the signal acquisition module belong, and second, how to use hashing to ensure that the two modules have not been tampered with.

The VMM is responsible for managing and distributing the hardware resources and provides virtual hardware resources to the operating system kernels above it; domU accesses physical memory through the VMM. In a Linux system, the System.map file is the kernel symbol table and lists all kernel symbol names with their corresponding virtual addresses; a kernel symbol may be a variable name or a function name. Since the antigen presenting module and the signal acquisition module live in domU's kernel space, all the variables and functions they contain can be found in System.map, that is, we can find the virtual memory addresses of these variables and functions in domU. In a Xen system there are three kinds of memory: virtual memory, pseudophysical memory, and machine memory. Virtual memory means that each process has a separate virtual address space. Pseudophysical memory sits between virtual memory and machine memory, and the operating system of each domU believes that pseudophysical memory is "physical memory". Machine memory is the real physical memory. The VMM maintains a global M2P (machine-to-physical) translation table and each domU maintains a partial P2M (physical-to-machine) translation table. Thus, we can find the pseudophysical address corresponding to a virtual address through domU's page table, and the machine address corresponding to the pseudophysical address through domU's P2M table.

Through the above method we can find the memory space to which the antigen presenting module and the signal acquisition module belong. The information monitoring module reads the contents of all initialized data, read-only data, and function code belonging to the two modules, in the order given by the System.map file, as the hash input. A hash function maps a binary value of arbitrary length to a shorter fixed-length value, and for a collision-resistant hash it is computationally infeasible to find two different inputs that map to the same value. Therefore we use hash computation to check the integrity of the memory spaces of the antigen presenting module and the signal acquisition module. In the hypervisor we define two variables, $hd_{\mathrm{ag}}$ and $hd_{\mathrm{sig}}$, which store the cumulative hash values of the antigen presenting module and the signal acquisition module; they are calculated as follows:

$$hd_{\mathrm{ag}}(i+1) = \mathrm{hash}\big(hd_{\mathrm{ag}}(i)\ \&\ r_{\mathrm{ag}}(i+1)\big), \qquad hd_{\mathrm{sig}}(j+1) = \mathrm{hash}\big(hd_{\mathrm{sig}}(j)\ \&\ r_{\mathrm{sig}}(j+1)\big). \tag{7}$$

In (7), hash(x) is the hash function, & is the binary string concatenation operator, $r_{\mathrm{ag}}(i)$ is the content of the $i$th memory segment of the antigen presenting module, and $hd_{\mathrm{ag}}(i)$ is the accumulated value after $i$ rounds of hashing for the antigen presenting module; the second formula, for the signal acquisition module, is analogous. The final cumulative hash values of the antigen presenting module and the signal acquisition module, computed in a safe state and stored by the hypervisor, are marked as the standard values $hd'_{\mathrm{ag}}$ and $hd'_{\mathrm{sig}}$. The information monitoring module executes periodically; by comparing the hash values $hd_{\mathrm{ag}}$ and $hd_{\mathrm{sig}}$ obtained while the program is running with the standard values, we can determine whether the antigen presenting module and the signal acquisition module are intact. Since the guest is untrusted, the symbol addresses used for the lookup and the standard values must both be held by the hypervisor rather than read from the guest, and because the check is periodic, a modification that is made and reverted between two checks is not observed.

2.5. The Immune Evolution Model

2.5.1. Self-Evolution Model

$$S(t) = \begin{cases} S_{\mathrm{first}}, & t = 0 \\ S(t-1), & t \bmod \delta \ne 0 \\ S(t-1) \cup S_{\mathrm{new}}(t) - S_{\mathrm{unload}}(t) - S_{\mathrm{dead}}(t), & t > 0 \wedge t \bmod \delta = 0 \end{cases}$$

$$S_{\mathrm{dead}}(t) = \begin{cases} \emptyset, & \left| S(t-1) \cup S_{\mathrm{new}}(t) - S_{\mathrm{unload}}(t) \right| < \mathrm{size}_{\max} \\ \left\{ \mathrm{ag} \mid \mathrm{ag} \in S(t-1) \wedge \text{eliminate } \left| S_{\mathrm{new}}(t) - S_{\mathrm{unload}}(t) \right| \text{ elements according to some principle} \right\}, & \text{otherwise} \end{cases} \tag{8}$$

where $S(t), S(t-1) \subset S$ respectively denote the self set at time $t$ and $t-1$, $S_{\mathrm{first}}$ is the self set at the initial moment, and $\delta$ is the evolution cycle of self. Within a $\delta$ cycle the self set remains unchanged; at the end of a $\delta$ period, new elements $S_{\mathrm{new}}(t)$ are added (for example, when new programs are loaded), those programs $S_{\mathrm{unload}}(t)$ that have been uninstalled are deleted, and part of the self set, $S_{\mathrm{dead}}(t)$, is eliminated in order to avoid unlimited growth of the self set.

The computer software system is a huge collection. The self set of a complete software system is too large for the calculation ability of computers at the present stage, and it is very difficult to find an absolutely reliable self set in a dynamic software system. The evolution of the self set lets the model maintain only a smaller set of selves, ensuring higher time efficiency under existing computing capacity. In addition, because the selves evolve continuously, nonself elements that have mixed into the selves will eventually be removed, reducing the false negative rate caused by an incomplete self set.

2.5.2. Antibody Gene Library Evolution Model

$$
G(t) = \begin{cases} G_{first}, & t = 0 \\ \big(G(t-1) - G_{dead}(t)\big) \cup G_{new}(t), & t > 0 \end{cases} \qquad (9)
$$

where $G(t), G(t-1) \subset G$ respectively express the antibody gene library at the moments $t$ and $t-1$, and $G_{first}$ is the initial antibody gene collection, consisting of gene fragments of typical kinds of malware. $G_{dead}(t) = \bigcup_{x \in M_{dead}(t)} \bigcup_{i=1}^{k} x.\mathrm{ag}.x_i$ is the set of mutated genes that should be removed at time $t$, where $M_{dead}(t)$ is the set of memory detectors with false positives. When a mature detector is cloned, its genes $G_{new}(t) = \bigcup_{x \in T_{cloned}(t)} \bigcup_{i=1}^{k} x.\mathrm{ag}.x_i$ join the antibody gene library as dominant genes, where $T_{cloned}(t)$ is the set of activated mature detectors.

8 Mobile Information Systems

The antibody gene library is mainly used to improve the generation efficiency of immature detectors. In the generation process of new immature detectors, their antibodies are produced by gene encoding measures, so they have the ability to detect known malware variants, reducing the tolerance time. The use of genetic coding produces the "Baldwin effect": evolution and learning enable new individuals to acquire some of the same characteristics, reducing the diversity of the system. In order to solve this problem, a certain proportion of randomly generated immature detectors are added to ensure the diversity of the system.

2.5.3. Immature Detectors Evolution Model

$$
U(t) = \begin{cases} \emptyset, & t = 0 \\ \big(f_{age}(U(t-1)) - (U_{untolerance}(t) \cup U_{matured}(t))\big) \cup U_{new}(t), & t > 0 \end{cases}
$$
$$
U_{untolerance}(t) = \{\,x \mid x \in f_{age}(U(t-1)) \wedge \exists y \in S(t-1)\,(\mathrm{affinity}(x.ab, y) = 1)\,\}
$$
$$
U_{matured}(t) = \{\,x \mid x \in f_{age}(U(t-1)) - U_{untolerance}(t) \wedge x.age > \gamma\,\} \qquad (10)
$$

where $U(t), U(t-1) \subset U$ respectively express the set of immature detectors at the moments $t$ and $t-1$; $f_{age}(X)$ ($X \subset B$) means adding 1 to the age of every detector in $X$; $U_{untolerance}(t)$ is the set of immature detectors which do not pass self-tolerance, and $U_{matured}(t)$ is the set of mature detectors which pass self-tolerance. $U_{new}(t)$ is the set of immature detectors newly created at time $t$ and includes two parts: completely randomly generated detectors (to ensure diversity) and detectors generated by gene encoding from the antibody gene library (to ensure availability).

2.5.4. Mature Detectors Evolution Model

$$
T(t) = \begin{cases} \emptyset, & t = 0 \\ \big(f_{age}(T(t-1)) - (T_{dead}(t) \cup T_{cloned}(t))\big) \cup U_{matured}(t) \cup T_{permutation}(t), & t > 0 \end{cases}
$$
$$
T_{dead}(t) = \{\,x \mid x \in f_{age}(T(t-1)) \wedge x.age = age_{max} \wedge \nexists y \in N(t-1)\,(x \in DA(y))\,\}
$$
$$
T_{cloned}(t) = \{\,x \mid x \in \big(f_{age}(T(t-1)) - T_{dead}(t)\big) \wedge \exists y \in N(t-1)\,(x \in DA(y))\,\}
$$
$$
T_{permutation}(t) = f_{clone\_mutation}\big(T_{cloned}(t) \cup M_{cloned}(t)\big) \qquad (11)
$$

where $T(t), T(t-1) \subset T$ respectively express the set of mature detectors at the moments $t$ and $t-1$; $T_{dead}(t)$ is the set of mature detectors which are not activated by the end of their life cycle; $T_{cloned}(t)$ is the set of mature detectors activated by danger signals; $U_{matured}(t)$ is the set of new mature detectors; $T_{permutation}(t)$ is the set of mature detectors produced by clonal mutation of the activated ones; $f_{clone\_mutation}(X)$ ($X \subset T$) is the clonal variation function, which executes the clone and mutation operation for each element $x$ in $X$.

2.5.5. Memory Detectors Evolution Model

$$
M(t) = \begin{cases} M_{first}, & t = 0 \\ \big(M(t-1) - M_{dead}(t)\big) \cup f_{age2}(M_{cloned}(t)), & t > 0 \end{cases}
$$
$$
M_{dead}(t) = \{\,x \mid x \in M(t-1) \wedge \exists y \in S(t-1)\,(\mathrm{affinity}(x.ab, y) = 1)\,\}
$$
$$
M_{cloned}(t) = \{\,x \mid x \in M(t-1) \wedge \exists y \in N(t-1)\,(x \in DA(y))\,\} \qquad (12)
$$

where $M(t), M(t-1) \subset M$ respectively express the set of memory detectors at the moments $t$ and $t-1$, and $M_{first}$ is the set of initial memory detectors; these detectors can be obtained from common malware. $M_{dead}(t)$ is the set of memory detectors with false positives at the moment $t$; $f_{age2}(M_{cloned}(t))$ expresses the set of newly created memory detectors, where $f_{age2}(X)$ ($X \subset B$) sets the age of each detector in $X$ to $age_{max}$; $M_{cloned}(t)$ is the set of activated memory detectors at time $t$.

2.5.6. Antigen Detection

$$
AG(t) = \begin{cases} AG_{first}, & t = 0 \\ \big(AG(t-1) - AG_{self}(t) - AG_{nonself}(t)\big) \cup AG_{new}(t), & t > 0 \end{cases}
$$
$$
AG_{nonself}(t) = \{\,x \mid x \in AG_{checked}(t) \wedge \exists y \in (T_{cloned}(t) \cup M_{cloned}(t))\,(\mathrm{affinity}(y.ab, x) = 1)\,\}
$$
$$
AG_{self}(t) = \{\,x \mid x \in AG_{checked}(t) \wedge \forall y \in (T(t) \cup M(t))\,(\mathrm{affinity}(y.ab, x) = 0)\,\} \qquad (13)
$$


where $AG(t), AG(t-1) \subset AG$ respectively express the set of antigens at the moments $t$ and $t-1$, $AG_{first}$ is the set of initial antigens, and $AG_{checked}(t) \subset AG(t)$ expresses the antigens to be checked at the moment $t$.

3. Performance Analysis of the Model

Set the number of programs in a computer as $N_p$, and usually the proportion of nonselves is $\rho$. The size of the self set is $|S|$, the size of the mature detector set is $|T|$, and the size of the memory detector set is $|M|$. The matching probability between any given detector and any given antigen is $P_m$ (which is related to the specific matching rule). $P(A)$ is the probability of occurrence of event $A$.

Theorem 5. For any detector which passes the self-tolerance, the probability of this detector matching those selves which are not described is $P_n = (1-P_m)^{|S|} \cdot \big(1-(1-P_m)^{N_p\cdot(1-\rho)-|S|}\big)$.

Proof. Set that $A$ is the event "the given detector does not match any self in the self set" and $B$ is the event "the given detector matches at least one self in the undescribed self set." It is clear that a detector from $A$ is self-tolerated and a detector from $B$ may not be self-tolerated; $P_n = P(A)P(B)$. In event $A$, the number of times $X$ that the detector matches selves follows the binomial distribution, that is, $X \sim b(n,p)$ with $n = |S|$, $p = P_m$. Then $P(A) = P(X=0) = (P_m)^0(1-P_m)^{|S|} = (1-P_m)^{|S|}$. Similarly, in event $B$ the number of times $Y$ that the detector matches selves follows the binomial distribution $Y \sim b(n,p)$ with $n = N_p\cdot(1-\rho)-|S|$, $p = P_m$. Then $P(B) = 1-P(Y=0) = 1-(1-P_m)^{N_p\cdot(1-\rho)-|S|}$, and $P_n = P(A)P(B) = (1-P_m)^{|S|}\cdot\big(1-(1-P_m)^{N_p\cdot(1-\rho)-|S|}\big)$.

Theorem 6. For any given nonself antigen ag, the probability of this antigen being identified correctly is $P_r = 1-(1-P_m)^{(|M|+|T|)(1-P_n)} \approx 1-e^{-P_m(|M|+|T|)(1-P_n)}$.

Proof. Set that $A$ is the event "ag matches some memory detector or some mature detector which is triggered by danger signals"; $P_r = P(A)$. In event $A$, the number of times $X$ that the antigen matches detectors follows the binomial distribution $X \sim b(n,p)$ with $n = (|M|+|T|)(1-P_n)$, $p = P_m$; memory detectors and mature detectors which recognize selves cannot identify nonselves and are not counted. Then $P_r = P(A) = 1-P(X=0) = 1-(1-P_m)^{(|M|+|T|)(1-P_n)}$. According to the Poisson theorem, when $P_m$ is small and $(|M|+|T|)(1-P_n)$ is large, $P_r \approx 1-e^{-P_m(|M|+|T|)(1-P_n)}$.

Theorem 7. For any given nonself antigen ag, the probability of a false negative with this antigen is $P_{neg} = (1-P_m)^{(|M|+|T|)(1-P_n)} \approx e^{-P_m(|M|+|T|)(1-P_n)}$; for any given self antigen ag, the probability of a false positive with this antigen is $P_{pos} = 1-(1-P_m)^{(|M|+|T|)P_n} \approx 1-e^{-P_m(|M|+|T|)P_n}$.

Proof. By Theorem 6, $P_{neg} = 1-P_r = (1-P_m)^{(|M|+|T|)(1-P_n)} \approx e^{-P_m(|M|+|T|)(1-P_n)}$. Set that $A$ is the event "the given self matches a memory detector or mature detector"; then $P_{pos} = P(A)$. In event $A$, the number of times $X$ that the self matches detectors follows the binomial distribution $X \sim b(n,p)$ with $n = (|M|+|T|)P_n$, $p = P_m$. So $P_{pos} = P(A) = 1-P(X=0) = 1-(1-P_m)^{(|M|+|T|)P_n}$. According to the Poisson theorem, when $P_m$ is small and $(|M|+|T|)P_n$ is large, $P_{pos} \approx 1-e^{-P_m(|M|+|T|)P_n}$.

Figure 4: Effect of $N_p$ and $|S|$ on $P_n$ ($P_m = 0.025625$, $\rho = 0.01$); axes $N_p$ (0 to 1000), $|S|$ (0 to 400), $P_n$ (0 to 1).

Theorem 8. Selves of the model are completely described at the macrolevel. The spatial complexity of the dynamic tolerance model producing a fixed number of mature detectors is constant, and the time complexity is linear with the number of detectors (excluding immature detectors).

Proof. According to (8), the self set evolves with a fixed-length time slice. With the passage of time, $\bigcup_{t=0}^{\infty} S(t)$ will cover the entire self space, which is to say the description of selves at the macrolevel is complete. Moreover, the size of the self set is limited to $size_{max}$. Without loss of generality, consider the extreme case where the number of selves is $|S(t)| = size_{max}$. D'haeseleer et al. [16] pointed out that, for an arbitrary matching rule, the spatial complexity of producing a fixed number of mature detectors is $O(l \cdot size_{max})$ and the time complexity is $O\big(\frac{-\ln(P_{neg})}{P_m\cdot(1-P_m)^{size_{max}}}\cdot size_{max}\big)$. For a specific matching algorithm, $P_m$ is constant. By Theorem 7, $P_{neg} \approx e^{-P_m(|M|+|T|)(1-P_n)}$; by Theorem 5, $P_n = (1-P_m)^{size_{max}}\cdot\big(1-(1-P_m)^{N_p\cdot(1-\rho)-size_{max}}\big)$. So the time complexity of producing a fixed number of mature detectors is $O\big(\frac{-\ln(P_{neg})}{P_m\cdot(1-P_m)^{size_{max}}}\cdot size_{max}\big) = O\big(\frac{(|M|+|T|)(1-P_n)}{(1-P_m)^{size_{max}}}\cdot size_{max}\big) = O\big((|M|+|T|)\cdot\frac{(1-P_n)\cdot size_{max}}{(1-P_m)^{size_{max}}}\big)$. That is to say, the time complexity of producing a fixed number of mature detectors is linear with the number of memory detectors and mature detectors.

For a specific matching rule, $P_m$ is constant [17]; for the $r$-continuous bit matching method, $P_m = 0.025625$. Figures 4 and 5 are the Matlab simulations of Theorem 5. As can be seen from the figures, when $|S|$ is large enough, the effect of $N_p$ and $\rho$ on $P_n$ is small. When $|S| = 200$, $N_p = 500$, and $\rho = 0.01$, $P_n < 1\%$ reaches the ideal value.

Figure 6 is the Matlab simulation of Theorem 6. As can be seen from the figure, when $|M|$ and $|T|$ become large, $P_r$ increases.


Figure 5: Effect of $\rho$ and $|S|$ on $P_n$ ($P_m = 0.025625$, $N_p = 400$); axes $\rho$ (0 to 0.1), $|S|$ (0 to 400), $P_n$ (0 to 1).

Figure 6: Effect of $|M|$ and $|T|$ on $P_r$ ($P_m = 0.025625$, $P_n = 0.01$); axes $|T|$ and $|M|$ (0 to 400), $P_r$ (0 to 1).

Figures 7 and 8 are the Matlab simulations of Theorem 7. As can be seen from the figures, with the rise of $|M|$ and $|T|$, $P_{neg}$ decreases and $P_{pos}$ increases.

Considering the simulations of Theorems 5, 6, and 7, when $|S| = 200$, $N_p = 500$, $\rho = 0.01$, $|M| = 100$, and $|T| = 100$, the values $P_n < 1\%$, $P_r > 95\%$, $P_{neg} < 1\%$, and $P_{pos} < 5\%$ reach ideal values.
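As an added check of Theorems 5-7 (example code, not from the paper), the closed forms are evaluated at the operating point above, and the Theorem 5 derivation is reproduced by a seeded Monte Carlo in which each detector/self pair matches independently with probability P_m, the abstraction the proofs rely on; the trial count and seed are arbitrary choices.

```python
import math
import random

P_M = 0.025625   # matching probability of the paper's r-continuous bit matching rule


def p_n(s, n_p, rho, p_m=P_M):
    """Theorem 5: P(A)*P(B), no match among the |S| described selves and at least
    one match among the N_p(1-rho)-|S| undescribed ones."""
    return (1 - p_m) ** s * (1 - (1 - p_m) ** (n_p * (1 - rho) - s))


def p_r(m, t, pn, p_m=P_M):
    """Theorem 6: a nonself antigen is recognised by at least one of the
    (|M|+|T|)(1-P_n) detectors that do not match undescribed selves."""
    return 1 - (1 - p_m) ** ((m + t) * (1 - pn))


def p_neg(m, t, pn, p_m=P_M):
    """Theorem 7, false negative: 1 - P_r."""
    return (1 - p_m) ** ((m + t) * (1 - pn))


def p_pos(m, t, pn, p_m=P_M):
    """Theorem 7, false positive: a self matches one of the (|M|+|T|)P_n detectors
    that recognise undescribed selves."""
    return 1 - (1 - p_m) ** ((m + t) * pn)


def poisson_approx(k, p_m=P_M):
    """The approximation (1-P_m)^k ~ e^(-P_m k) used in Theorems 6 and 7."""
    return math.exp(-p_m * k)


def simulate_p_n(s, n_p, rho, trials, seed=1, p_m=P_M):
    """Monte Carlo version of the Theorem 5 proof: every detector/self pair matches
    independently with probability P_m; a trial counts when the detector passes
    tolerance against the |S| described selves yet matches an undescribed self."""
    rng = random.Random(seed)
    undescribed = round(n_p * (1 - rho)) - s
    hits = 0
    for _ in range(trials):
        if any(rng.random() < p_m for _ in range(s)):
            continue                       # failed self-tolerance: not a candidate
        if any(rng.random() < p_m for _ in range(undescribed)):
            hits += 1                      # tolerated, but matches an undescribed self
    return hits / trials


def paper_operating_point():
    """The point discussed above: |S| = 200, N_p = 500, rho = 0.01, |M| = |T| = 100."""
    pn = p_n(200, 500, 0.01)
    return {"P_n": pn, "P_r": p_r(100, 100, pn),
            "P_neg": p_neg(100, 100, pn), "P_pos": p_pos(100, 100, pn)}
```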

4. Experimental Results and Analysis

In this section we verify the validity of IB-IDS through experiments, including security analysis, the effects on the performance of programs after adding IB-IDS to the Xen virtual machine system, and the intrusion detection efficiency of IB-IDS. The experimental environment is as follows. All tests were performed on a ThinkPad T540p notebook; its hardware configuration is an Intel Core i5-4300M 2.60 GHz quad-core CPU and 8 GB of physical memory. The Xen version is 4.4.1, which manages two domains: the privileged VM dom0 and the guest VM dom1. These two virtual machines run Ubuntu 14.04 with Linux kernel version 3.13.0-19. Dom0 is allocated four VCPUs and 4 GB of physical memory, and its CPU scheduling weight is set to 256, while dom1 is allocated four VCPUs and 1 GB of physical memory, and its CPU scheduling weight is set to 256.

In IB-IDS, the parameters are set as follows: danger signal parameters $k_1 = 1$, $k_2 = 0.5$, $k_3 = -1.5$, and the radius of the danger zone $r_{danger} = 0.5$. Experiments were run 10 times and the averaged results were acquired.

Figure 7: Effect of $|M|$ and $|T|$ on $P_{neg}$ ($P_m = 0.025625$, $P_n = 0.01$); axes $|T|$ and $|M|$ (0 to 400), $P_{neg}$ (0 to 1).

Figure 8: Effect of $|M|$ and $|T|$ on $P_{pos}$ ($P_m = 0.025625$, $P_n = 0.01$); axes $|T|$ and $|M|$ (0 to 400), $P_{pos}$ (0 to 1).

4.1. Security Analysis. In the architecture description of the model, each module is distributed in a different virtual machine. In domU, data is collected and then passed to dom0 through the interdomain communication mechanism. The authorization list of Xen makes sure that a domain's memory space can only be accessed by its authorized domain. In the model, domU is the owner of a ring sharing buffer and dom0 has the only granted permission; other domains cannot access it. Therefore, data will not be leaked to other unauthorized domains, and the data transfer process is safe.

In paravirtualized Xen, domU accesses the hardware indirectly through dom0. To ensure the safety of the immune calculation, the model passes data to dom0 for computation. In this model we assume that the privileged virtual machine is a trusted node.

Some traditional intrusion detection tools typically need to be deployed in a client virtual machine. Because the client virtual machine is not a trusted node and is exposed to various attacks, the detection tools are also vulnerable. In this model we assume that the virtual machine monitor is also a trusted node. The memory space of the two modules which are deployed in domU will be monitored by the virtual machine monitor.

Therefore, the monitoring process and results of the model are reliable.

4.2. Performance Evaluations of the Model. The introduction of IB-IDS to a virtual machine system will obviously bring some performance cost. In cloud computing, many applications are executed concurrently. Therefore, this section first uses an appropriate performance test to assess the impact of IB-IDS on parallel programs. In our tests we used the classic SPLASH-2 program group [18, 19]. The programs are written in C, are composed of 12 benchmarks, and use the PThread parallel mode. We randomly selected five programs for testing, and Table 1 gives a brief introduction.

Table 1: Illustrations of tested parallel programs.

Program name | Meaning | Parameter settings
FFT | Computing a fast Fourier transform | m = 22, p = 2, n = 65536, l = 4
LU | Splitting a sparse matrix into a product of a lower triangular matrix and an upper triangular matrix | p = 2, n = 2048, b = 16
Ocean | Simulating movements of an entire ocean through the edge of the ocean currents (noncontiguous block allocation method) | p = 4, n = 258, t = 380, e = 1e-09
Raytrace | Path simulation of lights | p = 4, envfile = ball4
Barnes | Simulating a three-dimensional multibody system (e.g., galaxies) | p = 2, fleaves = 2

Figure 9: Testing of parallel programs (compute time in ms, 0 to 5000, for FFT, LU, Ocean, Raytrace, and Barnes, without and with IB-IDS).

Figure 9 shows the contrast of the five benchmarks between loading IB-IDS and not loading IB-IDS. As can be seen from the figure, the calculation time of dom1 is longer than in the original system, and the average increased time is 7.33%, up to 10.86% on the LU program, which indicates that the additional cost of the virtual machine system with integrated IB-IDS is very small and within the acceptable range. Applying IB-IDS to cloud computing platforms will not have a significant impact on parallel applications.

In IB-IDS, the main performance overhead of domU comes from the antigen presenting module and the signal acquisition module, as well as from the operation of passing data to dom0 through the inter-virtual-machine communication mechanism. These acts are performed regularly and the cost is limited. For example, the antigen presenting module is a proactive monitoring program on system call sequences and is not triggered by every system call; the signal acquisition module is the same. Through the event channel, domU puts antigens and environmental status into the ring buffer, and only if the ring buffer is empty will it notify dom0, which causes a context switch between domU and dom0. If there is data in the ring buffer, dom0 keeps reading and domU's notification is not required, so the overhead of context switching is limited. In addition, the implementations of the immune response module, the signal measurement module, and the information monitoring module increase the performance overhead of dom0, and their impact on domU can be ignored.

Then we test the impact of IB-IDS on computation intensive applications. In our tests we used the SPEC (Standard Performance Evaluation Corporation) CPU2000 benchmark suite [20]. The programs include two parts: CINT2000, for integer computation intensive applications, and CFP2000, for floating-point applications. We chose CINT2000, which has 12 applications, and randomly selected five programs for testing; Table 2 gives a brief introduction.

Figure 10 shows the contrast of the five benchmarks when loading IB-IDS and not loading IB-IDS. As can be seen from the figure, the calculation time of dom1 is longer than in the original system, and the average increased time is 9.12%, up to 11.48% on the 254.gap program. Compared with the parallel programs, the influence of IB-IDS on the virtual machine is larger, but it is still within the acceptable range. So IB-IDS can be integrated in the computation intensive program scenario of cloud computing.

At last we test the impact of IB-IDS on a web server. In our tests, domU runs the web server, composed of the Apache HTTP server and PHP. We use the httperf tool [21] to generate continuous network requests that can cause the server to be overloaded. Using the autobench tool [22], we can run httperf many times, increase the number of requests per second, and extract the output of the httperf results. Figure 11 shows the contrast of server responses when loading IB-IDS and not loading IB-IDS. As can be seen, when the frequency of HTTP requests increases, the response time of the server after the introduction of IB-IDS rises. When the HTTP request frequency is 100, the increased time is less than 0.5 s, which is acceptable. Therefore, IB-IDS can also be applied in a cloud computing platform with a deployed web server.

Table 2: Illustrations of tested computation intensive programs.

Program name | Meaning
164.gzip | The compression and decompression operations of a set of files
175.vpr | Placement and routing operations for a field-programmable gate array circuit according to specific algorithms
186.crafty | A chess program that finds the next move in view of the board layout
252.eon | Probabilistic ray tracing used to create a 3D object image
254.gap | Solving problems of correlation analysis and calculation in discrete mathematics

Figure 10: Testing of computation intensive programs (compute time in s, 0 to 120, for 164.gzip, 175.vpr, 186.crafty, 252.eon, and 254.gap, without and with IB-IDS).

4.3. Comparisons of Detection Rates and False Alarm Rates. This section tests the ability of IB-IDS to detect attacks. The experiments adopt the detection rate (DR) and false alarm rate (FAR) to measure the effectiveness of the system and to compare it with the ARTIS model proposed by Glickman et al. [17]. As a general computer immune system, that model has the characteristics of diversity, distribution, dynamic learning, adaptability, and self-monitoring. It consists of a series of lymph nodes, and each node independently completes the immune function. Each node contains multiple detectors (a detector is a blend of the nature of B cells, T cells, and antibodies). The ARTIS model draws on a variety of biological immune mechanisms, and coordinated stimulus and the dynamic evolution of detectors (immature ones, mature ones, and memory ones) make it learn continuously. The model has been successfully applied in intrusion detection, virus identification, pattern recognition, and so forth [17, 23]. Figure 12 shows the life cycle of detectors.

Figures 13 and 14 show comparisons of DR and FAR for IB-IDS and ARTIS in the simulation environment. In Figure 13, the experiments adopt data with 60 nonselves in every 100 antigens, where 30 nonselves are just confirmed. This means that previously this type of antigen was considered to be self (normal procedure) and is now thought of as nonself (abnormal procedure); for example, unloading some attack process instantly and stopping the related services. In Figure 14, the experiments adopt data with 40 selves in every 100 antigens, where 20 nonselves are just defined; for example, loading some new processes to provide new services. The experimental results show that IB-IDS has a higher DR and a lower FAR.

Figure 11: Testing of web server load (response time in ms, 0 to 4500, against request rate 0 to 100, without and with IB-IDS).

Then we adopt the wu-ftpd 2.6.0 program, the sendmail 8.12.0 program, and some typical rootkits in Linux, which are widely deployed, as anomaly detection applications. Attacks against wu-ftpd are the scripting attack on the file name matching vulnerability, the attack of getting around access restrictions, the scripting attack on the site exec vulnerability, and so on. Attacks against sendmail are the sccp attack, the decode attack, the remote buffer overflow attack, and so on. Some of the representative rootkits include the simple hook rootkit, the inline hook rootkit, the inline hook complex rootkit, and so on. Simple hook rootkit: a rootkit of this type modifies a system call function's entry address to point to a malicious function; when the corresponding system call is called, the malicious function is executed instead of the original system call function. Inline hook rootkit: a rootkit of this type does not modify the system call table entry address but replaces a few bytes at the beginning of the system call function with a jump statement; compared with the simple hook rootkit, this rootkit is more subtle. Inline hook complex rootkit: a rootkit of this type does not replace the first bytes of the system call function with jump statements but other bytes, for example, bytes in the middle. Table 3 lists the DRs and FARs of IB-IDS and ARTIS, with variances in parentheses. As can be seen from the table, IB-IDS has high detection rates and low false alarm rates under various attacks and is feasible for judging applications in client virtual machines.

Figure 12: The life cycle of detectors in ARTIS (states: randomly generated detectors, immature detectors, mature detectors, memory detectors, dead; transitions labelled: not match selves, match selves, match antigens, activate, match enough, costimulation, no costimulation, too old).

Figure 13: Comparisons of DR for IB-IDS and ARTIS (detection rate in %, 0 to 100, over time 5 to 50).

5. Conclusions

Cloud computing platforms are usually based on virtual machines as the underlying architecture; the security of virtual machine systems is the core of cloud computing security.

Figure 14: Comparisons of FAR for IB-IDS and ARTIS (false alarm rate in %, 0 to 100, over time 5 to 50).

Table 3: Detection results (DR and FAR in %, variances in parentheses).

Process | ARTIS DR | ARTIS FAR | IB-IDS DR | IB-IDS FAR
wu-ftpd: file name matching vulnerability | 76.12 (5.11) | 10.28 (4.17) | 96.55 (1.14) | 7.22 (1.22)
wu-ftpd: site exec vulnerability | 79.87 (2.45) | 9.87 (5.32) | 97.31 (1.23) | 6.65 (2.01)
wu-ftpd: attack of getting around access restrictions | 77.54 (4.77) | 12.75 (3.74) | 97.02 (1.08) | 7.43 (1.67)
sendmail: sccp attack | 74.52 (3.56) | 14.62 (3.41) | 98.11 (1.25) | 5.15 (1.63)
sendmail: decode attack | 81.21 (4.84) | 15.72 (3.87) | 98.35 (1.01) | 5.42 (1.69)
sendmail: remote buffer overflow attack | 82.45 (5.46) | 12.84 (5.63) | 98.78 (1.14) | 5.80 (1.28)
rootkit: simple hook rootkit | 85.15 (5.16) | 9.41 (4.12) | 99.99 (0) | 0 (0)
rootkit: inline hook rootkit | 82.45 (6.82) | 10.75 (8.20) | 99.99 (0) | 0 (0)
rootkit: inline hook complex rootkit | 75.14 (5.23) | 9.56 (6.77) | 95.84 (2.42) | 3.78 (2.89)

The current study on the security of user programs and the vulnerabilities of virtual monitors cannot accurately judge the real state of the client application in the virtual machine. At the same time, the proposed defense methods are only for specific attacks and vulnerabilities and cannot effectively deal with threats from other attacks. This paper presents an immune-based intrusion detection model in virtual machines of the cloud computing environment to ensure the safety of user-level applications in client virtual machines. The model extracts the system call sequences and their parameters of programs, abstracts them into antigens, and fuses environmental information of guest virtual machines into danger signals in client VMs. Then immune responses are performed in the privileged VM. During the detection process, the information monitoring mechanism is executed in the VMM. Experimental results show that the model brings a small performance overhead for the virtual machine system and has good detection performance. It is applicable for judging the state of user-level applications in guest virtual machines, and it is feasible to use it to increase user-level security in software services of cloud computing platforms.

Conflicts of Interest

The authors declare that there are no conflicts of interest

Acknowledgments

The authors would like to acknowledge the Sichuan Agricultural University Double Support Project for providing financial aid.

References

[1] A. Haeberlen, P. Aditya, R. Rodrigues, and P. Druschel, "Accountable Virtual Machines," in Proceedings of the 9th USENIX Symposium on Operating Systems Design and Implementation (OSDI '10), 2010.

[2] B. D. Payne, M. Carbone, M. Sharif, and W. Lee, "Lares: An architecture for secure active monitoring using virtualization," in Proceedings of the 2008 IEEE Symposium on Security and Privacy (SP), pp. 233–247, Oakland, Calif, USA, May 2008.

[3] M. I. Sharif, W. Lee, W. Cui, and A. Lanzi, "Secure In-VM monitoring using hardware virtualization," in Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS '09), pp. 477–487, Chicago, Ill, USA, November 2009.

[4] Z. Wang, X. Jiang, W. Cui, and P. Ning, "Countering kernel rootkits with lightweight hook protection," in Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS '09), pp. 545–554, Chicago, Ill, USA, November 2009.

[5] O. S. Hofmann, A. M. Dunn, S. Kim, I. Roy, and E. Witchel, "Ensuring operating system kernel integrity with OSck," in Proceedings of the 16th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS 2011), pp. 279–290, Newport Beach, Calif, USA, March 2011.

[6] A. Baliga, V. Ganapathy, and L. Iftode, "Detecting kernel-level rootkits using data structure invariants," IEEE Transactions on Dependable and Secure Computing, vol. 8, no. 5, pp. 670–684, 2011.

[7] S. Bharadwaja, W. Sun, M. Niamat, and F. Shen, "Collabra: A Xen hypervisor based collaborative intrusion detection system," in Proceedings of the 2011 8th International Conference on Information Technology: New Generations (ITNG 2011), pp. 695–700, Las Vegas, NV, USA, April 2011.

[8] A. Srivastava, A. Lanzi, J. Giffin, and D. Balzarotti, "Operating system interface obfuscation and the revealing of hidden operations," Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 6739, pp. 214–233, 2011.

[9] J. Szefer, E. Keller, R. B. Lee, and J. Rexford, "Eliminating the hypervisor attack surface for a more secure cloud," in Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS '11), pp. 401–412, Chicago, Ill, USA, October 2011.

[10] H. Benzina and J. Goubault-Larrecq, "Some Ideas on Virtualized System Security, and Monitors," in Data Privacy Management and Autonomous Spontaneous Security, vol. 6514 of Lecture Notes in Computer Science, pp. 244–258, Springer, Berlin, Heidelberg, Germany, 2011.

[11] L. Wang, H. Gao, W. Liu, and Y. Peng, "Detecting and managing hidden process via hypervisor," Jisuanji Yanjiu yu Fazhan/Computer Research and Development, vol. 48, no. 8, pp. 1534–1541, 2011.

[12] P. Barham, B. Dragovic, K. Fraser et al., "Xen and the art of virtualization," in Proceedings of the 19th ACM Symposium on Operating Systems Principles (SOSP '03), pp. 164–177, New York, NY, USA, October 2003.

[13] D. Chisnall, The Definitive Guide to the Xen Hypervisor, Prentice Hall Press, Upper Saddle River, NJ, USA, 2007.

[14] S. Forrest, A. Perelson, L. Allen, and R. Cherukuri, "Self-nonself discrimination in a computer," in Proceedings of the 1994 IEEE Computer Society Symposium on Research in Security and Privacy, pp. 202–212, Oakland, Calif, USA.

[15] L. I. De-Yi, C. Y. Liu, D. U. Yi, and X. Han, "Artificial intelligence with uncertainty," Journal of Software, vol. 15, no. 11, article 2, 2004.

[16] P. D'haeseleer, S. Forrest, and P. Helman, "An immunological approach to change detection: algorithms, analysis and implications," in Proceedings of the 1996 IEEE Symposium on Security and Privacy, pp. 110–119, Oakland, Calif, USA.

[17] M. Glickman, J. Balthrop, and S. Forrest, "A machine learning evaluation of an artificial immune system," Evolutionary Computation, vol. 13, no. 2, pp. 179–212, 2005.

[18] S. Woo, M. Ohara, E. Torrie, J. Singh, and A. Gupta, "The SPLASH-2 programs: characterization and methodological considerations," in Proceedings of the 22nd Annual International Symposium on Computer Architecture, pp. 24–36, Santa Margherita Ligure, Italy.

[19] J. P. Singh, W. Weber, and A. Gupta, "SPLASH," ACM SIGARCH Computer Architecture News, vol. 20, no. 1, pp. 5–44, 1992.

[20] Standard Performance Evaluation Corporation, http://www.spec.org.

[21] httperf, http://www.hpl.hp.com/research/linux/httperf.

[22] autobench, http://www.xenoclast.org/autobench.

[23] J. Balthrop, S. Forrest, M. E. J. Newman, and M. M. Williamson, "Technological networks and the spread of computer viruses," Computer Science, vol. 304, no. 5670, pp. 527–529, 2004.


Figure 1: Xen virtual machine system. (Layers from bottom to top: hardware; hypervisor (VMM); Dom 0 and the Dom U guests, each running an OS kernel with applications on top.)

software, which is called malware (malicious software). Common malwares are viruses, worms, Trojan horses, and rootkits. Some of them are user-state malicious processes which do not affect the operating system kernel; some lurk in the kernel or in a process and modify its memory space. When the system has no defense, it is vulnerable to being attacked. For example, when a program runs, we cannot be sure whether the dynamic data structure changes in the kernel region are reasonable or are caused by an invasion. The proposed model can detect these kinds of malware.

2.1. Description of the Architecture. Due to the high privilege levels and relatively streamlined structure of the privileged VM and the hypervisor, it is assumed that these two are safe. The main intention of this model is to ensure the safety of user-level applications of the guest VM. The architecture of IB-IDS is shown in Figure 2. This architecture is divided into four levels: the underlying hardware layer, the VMM layer, the privileged VM layer, and the guest VM layer. Modules of the model are distributed into these four levels. In order to reduce context switching between dom0 and domU and to be able to do fine-grained monitoring, the antigen presenting module and the signal acquisition module are deployed in every guest VM. The immune response module and the signal measurement module are deployed in the privileged VM. These two modules do not need to communicate with domU and just get data on a regular basis during execution; they are deployed separately in dom0, which reduces the performance cost and improves the security of dom0. The information monitoring module is deployed in the VMM. Because the guest VM is not credible, the model introduces the information monitoring module to supervise the running of the antigen presenting module and the signal acquisition module, so as to ensure the safety of the detection process.

The detection process is as follows. First, the antigen presenting module monitors executions of user-level applications in client VMs, extracts critical data as antigens, and delivers them to the immune response module in the privileged VM through the inter-VM communication mechanism. Meanwhile, the signal acquisition module collects environmental information while the program executes and transmits it to the signal measurement module in the privileged VM. These operations are performed on a regular basis. Then the immune response module evaluates whether to trigger the secondary response based on the set of memory antibodies. If it does, an invasion occurs. If the secondary response is not triggered, the signal measurement module evaluates the current environment's risk rating through the cloud model, produces danger signals of different degrees, and then determines whether an invasion happens. If it does, the model starts a further initial response to eliminate alien antigens. The information monitoring module runs periodically after the system starts, accessing the memory spaces of the antigen presentation module and the signal acquisition module in order to ensure that these two modules are not attacked.

2.2. Model Definition. In the software system of virtual machines, all the information can in the end be reduced to a binary string, and virtual machine intrusion detection is the classification of the binary string according to certain rules and a priori knowledge. Define the problem state space $\Omega = \bigcup_{i=1}^{\infty} \{0, 1\}^i$. Based on biological immune principles, we define the virtual system platform as the organism, client virtual machines as immunologic tissues, and the user programs in virtual machines as antigens. Define $\mathrm{AG} \subset \Omega$ as the collection of antigens. The aim of virtual machine intrusion detection is to differentiate patterns: given an input pattern $x$, $x \in \mathrm{AG}$, the system detects and makes sure whether this pattern belongs to a self or a nonself. There are two mistakes in the process of testing: a false negative, which sorts nonselves as selves, and a false positive, which classifies selves as nonselves.

Forrest et al. [14] found that the execution of critical programs can be described by the sequence of system calls, which is also called the execution trace. The situation of system calls can reflect behavioral characteristics of the program to some extent, and the execution trace has a local stability when the program is running. Taking system calls and their parameters into account (there are up to six parameters under the Linux system regulation), we define the process ID, the short sequence of system calls, and their parameters as gene fragments of antigens.

Definition 1. The antigen is defined as a triple $\mathrm{ag} = \langle \mathrm{gid}, \mathrm{pid}, \langle x_1, x_2, \ldots, x_k \rangle \rangle$, which represents the feature vector in the solution space of the problem domain.


Figure 2: Structure of the intrusion detection model. (Guest VM: antigen presenting module and signal acquisition module; privileged VM: immune response module and signal measurement module, which together form the intrusion detection system; hypervisor: information monitoring module; hardware at the bottom.)

gid is the unique ID which identifies the client VM, pid is the process ID, $x_i = \langle \mathrm{sid}_i, p_{i1}, p_{i2}, \ldots, p_{il} \rangle$ $(i = 1, 2, \ldots, k)$ is a gene fragment of the antigen, sid is the system call ID, $k$ is the length of the short system call sequence (that is to say, the encoded length of immune cells), which reflects order relationships of system calls during the execution process, $p_{ij}$ is a parameter of a system call ($i = 1, 2, \ldots, k$; $j = 1, 2, \ldots, l$), and $l$ is the number of parameters. All the antigens in the space compose a collection $\mathrm{AG} = \bigcup_{i=1}^{\infty} \mathrm{ag}_i$.

It is assumed that normal short sequences that can be recognized by the model are defined as the self set $S$, all the unknown short sequences are defined as $N$, abnormal short sequences that produce danger signals are defined as $D$, and short sequences that are judged as invasions are defined as $I$.

Then $S \cap N = \emptyset$ and $S \cup N = \mathrm{AG}$. Danger theory does not distinguish between self and nonself; it only recognizes the intrusion set $I = D \cap N$, which triggers immune responses, and does not respond to the harmless set $D \cap S$.

Definition 2. Antibodies can recognize antigens and trigger specific immune responses. Antibodies have the same structure as antigens, are used for detecting and matching antigens, and are expressed as $\mathrm{ab} = \langle \mathrm{gid}, \mathrm{pid}, \langle x_1, x_2, \ldots, x_k \rangle \rangle$. The set of antibodies is defined as $\mathrm{AB} = \bigcup_{i=1}^{\infty} \mathrm{ab}_i$.

Definition 3. The matching rule, which is the affinity of antibody and antigen, indicates the binding strength between antibody and antigen. In this paper we propose an improved $r$-continuous bit matching method:

$$
\mathrm{affinity}(\mathrm{ab}, \mathrm{ag}) =
\begin{cases}
1, & \dfrac{1}{k} \displaystyle\sum_{i=1}^{k} f(\mathrm{ab}.x_i, \mathrm{ag}) \ge \beta \ \wedge\ \mathrm{ag}.\mathrm{gid} = \mathrm{ab}.\mathrm{gid} \ \wedge\ \mathrm{ag}.\mathrm{pid} = \mathrm{ab}.\mathrm{pid}, \\
0, & \text{others},
\end{cases}
\tag{1}
$$

where $\beta$ is the value of the matching threshold and $f(x, y)$ is the $r$-continuous bit matching method between antibody gene fragment $x_i$ and the antigen $y$:

$$
f(x, y) =
\begin{cases}
1, & \exists\, i, j:\ j - i \ge |x|,\ 0 < i \le j \le k \cdot (l + 1),\ x_i = y_j,\ x_{i+1} = y_{j+1},\ \ldots,\ x_{|x|} = y_{j + |x| - 1}, \\
0, & \text{others}.
\end{cases}
\tag{2}
$$
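The following Python sketch is an added illustration of Definitions 1–3 and Eqs. (1)–(2); it is not code from the paper. It models gene fragments as tuples (system-call ID followed by its parameters), reads Eq. (2) as "the whole antibody fragment occurs contiguously in the antigen's flattened symbol string" (our reading of the r-continuous rule, with r equal to the fragment length), and applies the VM/process binding condition of Eq. (1). The class names, the threshold value and the sample traces are constructed; the system-call IDs are made-up integers, not real Linux numbers.

```python
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# Hypothetical data model for Definitions 1-3; the names are ours, not the paper's.
# A gene fragment x_i = (sid_i, p_i1, ..., p_il): one system call ID followed by
# its parameters, padded so every fragment has l + 1 symbols.
Fragment = Tuple[int, ...]


@dataclass(frozen=True)
class Antigen:
    gid: int                      # ID of the client VM
    pid: int                      # process ID inside that VM
    genes: Tuple[Fragment, ...]   # k fragments: the short system-call sequence


Antibody = Antigen  # Definition 2: antibodies share the antigen structure


def flatten(genes: Sequence[Fragment]) -> List[int]:
    """Lay the k fragments out as one symbol string of length k * (l + 1),
    the y_1 ... y_{k(l+1)} over which Eq. (2) slides."""
    return [sym for frag in genes for sym in frag]


def f_match(x: Fragment, y: Sequence[int]) -> int:
    """Eq. (2) as we read it: 1 if the whole fragment x (r = |x| symbols)
    occurs contiguously somewhere in y, otherwise 0."""
    n = len(x)
    return int(any(tuple(y[j:j + n]) == tuple(x) for j in range(len(y) - n + 1)))


def affinity(ab: Antibody, ag: Antigen, beta: float) -> int:
    """Eq. (1): bind only within the same VM and process, and only when the
    share of antibody fragments found in the antigen reaches the threshold beta."""
    if ab.gid != ag.gid or ab.pid != ag.pid:
        return 0
    y = flatten(ag.genes)
    score = sum(f_match(x, y) for x in ab.genes) / len(ab.genes)
    return int(score >= beta)


# Constructed sample with k = 4 and l = 2 (IDs and parameters are made-up integers).
TRACE = Antigen(gid=1, pid=1234,
                genes=((2, 7, 0), (0, 7, 64), (1, 1, 64), (3, 7, 0)))
# Antibody whose first two fragments reproduce two of the trace's fragments.
AB_HALF = Antibody(gid=1, pid=1234,
                   genes=((0, 7, 64), (1, 1, 64), (9, 9, 9), (8, 8, 8)))
# Same genes, but bound to another process: Eq. (1) must not let it match.
AB_OTHER_PID = Antibody(gid=1, pid=4321, genes=AB_HALF.genes)

if __name__ == "__main__":
    print(affinity(AB_HALF, TRACE, beta=0.5))        # 1: 2 of 4 fragments found
    print(affinity(AB_HALF, TRACE, beta=0.75))       # 0: below the threshold
    print(affinity(AB_OTHER_PID, TRACE, beta=0.5))   # 0: pid differs
```

The gid/pid guard is what keeps a detector trained on one process from firing on another process that happens to share a few system-call fragments; the threshold β then trades sensitivity against the false positives discussed in Section 3.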


Figure 3: The immune mechanism of the model. (Blocks: antibody gene lib G, immature detectors U, mature detectors T, memory detectors M, and self set S; inputs: antigen gene fragments and VM environment information; outputs: self / nonself. Labelled transitions: gene coding (G to U); dynamic tolerance (U to T), where a detector that matches self is dead; triggered by danger signals, clone and mutate (T to M); old enough (dead); extract genes of memory detectors into G; delete genes of dead memory detectors.)

Definition 4. The detector set is defined as $B = \{\langle \mathrm{ab}, \mathrm{age} \rangle \mid \mathrm{ab} \in \mathrm{AB} \wedge \mathrm{age} \le \mathrm{age}_{\max}\}$, where ab is the antibody of the detector, age is the age of the detector, and $\mathrm{age}_{\max}$ is the maximum age of the detector. The detector set consists of immature detectors, mature detectors, and memory detectors. An immature detector, which has not yet undergone self-tolerance, evolves into a mature one when it passes self-tolerance. A mature detector becomes a memory one after it is activated.

The immature detector set is defined as $U = \{x \mid x \in B \wedge x.\mathrm{age} < \gamma\}$, where $\gamma$ simulates the tolerance period. The mature detector set is defined as $T = \{x \mid x \in B \wedge \gamma \le x.\mathrm{age} < \mathrm{age}_{\max} \wedge \forall \mathrm{ag} \in S\,(\mathrm{affinity}(x.\mathrm{ab}, \mathrm{ag}) = 0)\}$. The memory detector set is defined as $M = \{x \mid x \in B \wedge x.\mathrm{age} = \mathrm{age}_{\max} \wedge \forall \mathrm{ag} \in S\,(\mathrm{affinity}(x.\mathrm{ab}, \mathrm{ag}) = 0)\}$.

In the detector generation process, if $\mathrm{affinity}(x, \mathrm{ag}) = 1$ $(\mathrm{ag} \in S)$, the detector $x$ can describe self and would trigger an immune self-reaction, so it must be removed. At the end of the process, the remaining detectors can only describe elements of the nonself set. In the detection process, if $\mathrm{affinity}(x, \mathrm{ag}) = 1$ $(\mathrm{ag} \in I)$, antigen ag can be described by detector $x$, triggering the immune response.

We use Figure 3 to represent the immune mechanism of the model. In the model, a new immature detector is generated by gene coding, and the immature detector evolves into a mature detector by negative selection (self-tolerance). If it matches selves, it dies. A mature detector has a fixed-length life cycle. If it is activated by danger signals within the life cycle, it evolves into a memory detector and generates the first response; otherwise it dies (deleting those detectors which are useless against antigens). The memory detector has a long life cycle, and once it is matched to an antigen it is activated immediately and produces the second response.

2.3. Implementation Mechanism of Danger Signals. Danger theory emphasizes that danger signals, which are generated from environmental changes, result in various degrees of immune response, and the area around the signals is called the danger zone. The most important issue in introducing danger theory into intrusion detection systems is the definition of danger signals, which is how to determine the danger. In a virtual machine environment, we select three environmental values as assessments of danger signals: the number of regular files of the system variable $N_{\mathrm{reg}}$, the memory ratio used by a process $\mathrm{Rss}$, and the number of files reported by the lsof command $N_{\mathrm{files}}$; these are normalized to real values in the interval $[0, 100]$.

For antigen $\mathrm{ag}_i$, define the function of the danger signal $\mathrm{DS}(\mathrm{ag}_i)$ below. This function takes the three environmental values $N_{\mathrm{reg}}$, $\mathrm{Rss}$, and $N_{\mathrm{files}}$ as inputs and then generates the signal value where the antigen is:

$$
\mathrm{DS}(\mathrm{ag}_i) = \frac{k_1 N_{\mathrm{reg}} + k_2\, \mathrm{Rss} - k_3 N_{\mathrm{files}}}{k_1 + k_2 + k_3}. \tag{3}
$$

As can be seen, $N_{\mathrm{reg}}$ and $\mathrm{Rss}$ have a negative influence on the environment: an increase of $N_{\mathrm{reg}}$ and $\mathrm{Rss}$ shows that the environment is damaged or that the possibility of being damaged is larger. $N_{\mathrm{files}}$ has a positive influence on the environment: an increase of $N_{\mathrm{files}}$ shows that the possibility of the environment being normal is larger.


The size of the danger zone limits the scope of the immune response, and the immune cells in the region are activated to participate in the immune response. For antigen $\mathrm{ag}_i$, define the function of the danger zone $\mathrm{DA}(\mathrm{ag}_i)$ below. This function returns the collection of detectors whose distance from $\mathrm{ag}_i$ is less than $r_{\mathrm{danger}}$:

$$
\mathrm{DA}(\mathrm{ag}_i) = \left\{ x \;\middle|\; \frac{1}{\left( \sum_{j=1}^{k} f(x.\mathrm{ab}.x_j, \mathrm{ag}_i) \right) / k} \le r_{\mathrm{danger}} \ \wedge\ x \in T \right\}, \tag{4}
$$

where $r_{\mathrm{danger}}$ is the radius of the danger zone.

How do we determine whether the environment is damaged according to the danger signals? We take advantage of the cloud model to evaluate it. The cloud model [15] is a probabilistic reasoning tool and a mathematical transformation model between a qualitative concept expressed by language values and quantitative data; it has three numerical characteristics: expectation Ex, entropy En, and hyperentropy He. Based on the danger signal modeling, we use a cloud rule generator and a reverse cloud generator to carry out qualitative analysis of the environments of guest virtual machines. The rule generator can be divided into a front cloud and a rear cloud. The IF part is the condition of the rule, which is achieved by the front cloud, while the THEN part is the result of the rule, which is implemented by the rear cloud. The inputs of the front cloud are the values to be assessed, and its output is the membership of some rule activated by the samples, which is also the input of the rear cloud; the output of the rear cloud is the conclusion of the rule.

First, the danger signals $\mathrm{DS}(\mathrm{ag}_i)$ are sampled $m$ times in a safe state and in an attacked state. Based on the obtained cloud droplets, we get the numerical characteristics of the front clouds, $\mathrm{Ex}_{si}, \mathrm{En}_{si}, \mathrm{He}_{si}$ and $\mathrm{Ex}_{di}, \mathrm{En}_{di}, \mathrm{He}_{di}$, through the reverse cloud generator. If the secure state cloud and the dangerous state cloud cover the entire state space, then we can use these two clouds to determine the status of the system. This is an ideal situation. If these two clouds cannot cover the whole state space, we need to divide the empty part, and it can be divided into a weak secure state cloud and a weak dangerous state cloud. In general, the closer a cloud is to the center of the discourse domain, the smaller its entropy and hyperentropy are; the more distant it is from the center, the larger its entropy and hyperentropy are. For two clouds which are next to each other, the entropy and hyperentropy of the smaller one are 0.618 times those of the greater one; that is the empirical value. So we can get $\mathrm{En}_{lsi}, \mathrm{En}_{ldi}, \mathrm{He}_{lsi}, \mathrm{He}_{ldi}$. According to the "3En rule" of the cloud model, we can estimate the expectations of the weak secure state cloud and the weak dangerous state cloud. The formulas are as follows:

$$
\mathrm{Ex}_{lsi} = \mathrm{Ex}_{si} + 3\,\mathrm{En}_{lsi} = \mathrm{Ex}_{si} + 3 \cdot 0.618\,\mathrm{En}_{si}, \tag{5}
$$

$$
\mathrm{Ex}_{ldi} = \mathrm{Ex}_{di} - 3\,\mathrm{En}_{ldi} = \mathrm{Ex}_{di} - 3 \cdot 0.618\,\mathrm{En}_{di}. \tag{6}
$$

We design the rules listed in the following to build the rule generator. Then we can get the environment state and the level of membership according to the actual value of the danger signals.

Rule 1. IF the danger signal indicator is low, THEN the system is safe and does not elicit the immune response, and the corresponding antibody can be deleted.

Rule 2. IF the danger signal indicator is comparatively low, THEN the system is relatively safe and does not elicit an immune response.

Rule 3. IF the danger signal indicator is comparatively high, THEN the system is relatively in danger and elicits an immune response.

Rule 4. IF the danger signal indicator is high, THEN the system is in danger, elicits an immune response, and adds the corresponding mature antibody into the memory antibody collection.
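The danger-signal pipeline of Section 2.3, from Eq. (3) through the reverse cloud generator, the weak clouds of Eqs. (5)–(6), and Rules 1–4, is shown below as an added Python example; it is our code, not the authors'. The backward cloud generator uses the standard normal-cloud estimators (Ex as the sample mean, En from the mean absolute deviation, He from the residual variance); the membership function is the X-condition forward cloud generator, evaluated on its expected curve (En' = En) so that the rule decision is deterministic unless a random source is supplied. The sample droplets, the weights k_i, and the "uncovered" outcome for signals that fall in a gap no cloud covers are our own constructions.

```python
import math
import random
from statistics import mean, variance
from typing import Dict, Optional, Sequence, Tuple

Cloud = Tuple[float, float, float]   # (Ex, En, He)


def danger_signal(n_reg: float, rss: float, n_files: float,
                  k: Tuple[float, float, float] = (1.0, 1.0, 1.0)) -> float:
    """Eq. (3) on the three environment values, already normalised to [0, 100]."""
    k1, k2, k3 = k
    return (k1 * n_reg + k2 * rss - k3 * n_files) / (k1 + k2 + k3)


def reverse_cloud(drops: Sequence[float]) -> Cloud:
    """Backward cloud generator for a normal cloud [15]: Ex is the sample mean,
    En = sqrt(pi/2) * mean|x - Ex|, He = sqrt(max(S^2 - En^2, 0))."""
    ex = mean(drops)
    en = math.sqrt(math.pi / 2) * mean([abs(d - ex) for d in drops])
    he = math.sqrt(max(variance(drops, ex) - en * en, 0.0))
    return ex, en, he


def weak_clouds(safe: Cloud, danger: Cloud, ratio: float = 0.618) -> Dict[str, Cloud]:
    """Eqs. (5)-(6): fill the gap between the secure and dangerous clouds with a
    weak secure and a weak dangerous cloud whose En and He are 0.618 times the
    neighbour's and whose Ex is shifted by 3 En (the 3En rule)."""
    ex_s, en_s, he_s = safe
    ex_d, en_d, he_d = danger
    return {
        "safe": safe,
        "relatively safe": (ex_s + 3 * ratio * en_s, ratio * en_s, ratio * he_s),
        "relatively dangerous": (ex_d - 3 * ratio * en_d, ratio * en_d, ratio * he_d),
        "dangerous": danger,
    }


def membership(x: float, cloud: Cloud, rng: Optional[random.Random] = None) -> float:
    """X-condition forward cloud generator: mu = exp(-(x - Ex)^2 / (2 En'^2)) with
    En' ~ N(En, He). Without an rng the expected curve En' = En is used."""
    ex, en, he = cloud
    en_prime = rng.gauss(en, he) if rng is not None else en
    if en_prime <= 0:
        return 1.0 if x == ex else 0.0
    return math.exp(-((x - ex) ** 2) / (2 * en_prime ** 2))


# Rules 1-4 as (elicit immune response, add the mature antibody to memory).
ACTIONS = {"safe": (False, False), "relatively safe": (False, False),
           "relatively dangerous": (True, False), "dangerous": (True, True)}


def evaluate(ds: float, clouds: Dict[str, Cloud], floor: float = 1e-3,
             rng: Optional[random.Random] = None):
    """Front cloud: membership of the danger signal in each state cloud; rear
    cloud: fire the rule of the best-matching state. A signal that no cloud
    covers (all memberships below `floor`, our own safeguard) is reported as
    'uncovered' instead of being forced into a rule."""
    mus = {state: membership(ds, c, rng) for state, c in clouds.items()}
    state = max(mus, key=mus.get)
    if mus[state] < floor:
        return "uncovered", mus[state], (False, False)
    return state, mus[state], ACTIONS[state]


# Constructed danger-signal droplets (m = 10 each) from a safe run and an attacked run.
SAFE_DROPS = [17, 19, 20, 20, 21, 23, 16, 20, 24, 20]
DANGER_DROPS = [77, 79, 80, 80, 81, 83, 76, 80, 84, 80]
CLOUDS = weak_clouds(reverse_cloud(SAFE_DROPS), reverse_cloud(DANGER_DROPS))

if __name__ == "__main__":
    for ds in (21.0, 24.0, 50.0, 75.0, 79.0):
        print(ds, evaluate(ds, CLOUDS))
```

With these droplets the four clouds sit near 20, 24, 76 and 80 on the [0, 100] scale, so a danger signal of 50 belongs to none of them; reporting that case explicitly is preferable to silently picking the cloud with the largest of four negligible memberships.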

When the system triggers the secondary response, or danger signals trigger the initial response, antibodies mutate based on the immune response mechanism to generate new antibodies which have higher affinity with the original antigens, in order to identify danger more quickly, and also to generate antibodies which have lower affinity, which are added to the immature antibody collection in order to ensure the diversity of the immune system.

2.4. Implementation Mechanism of Information Monitoring. The antigen presenting module and the signal acquisition module are deployed in domU. Because Linux is an open-source operating system, we can add these two modules into domU's kernel. The information monitoring module is deployed in the VMM. To ensure the safety of the antigen presentation module and the signal acquisition module, the model accesses the memory spaces to which they belong and performs hash computing over the memory data. The implementation mechanism needs to solve two important issues: the first is how to find the memory space to which the antigen presenting module and the signal acquisition module belong, and the second is how to use hashing to ensure that the two modules are not attacked.

The VMM is responsible for managing and distributing the various hardware resources and provides virtual hardware resources for the upper operating system kernel; domU accesses physical memory through the VMM. In a Linux system, the System.map file is a specific kernel symbol table which lists all the kernel symbolic names and their corresponding virtual addresses. A kernel symbol may be a variable name or a function name. Since the antigen presenting module and the signal acquisition module are in domU's kernel space, all the variables and functions which they contain can be found in System.map; that is to say, we can find the virtual memory addresses of these variables and functions in domU. In the Xen system there are three memory structures: virtual memory, pseudophysical memory, and machine memory. Virtual memory means that each process has a separate virtual memory address space. Pseudophysical memory lies between virtual memory and machine memory, and the operating system of each domU believes that pseudophysical memory is "physical memory." In fact, machine memory is the real physical memory. The VMM maintains an M2P (Machine to Physical) global conversion table, and each domU maintains a P2M (Physical to Machine) partial conversion table. As can be seen, we can find the pseudophysical address corresponding to a virtual memory address through domU's page table, and the machine address corresponding to that pseudophysical address through domU's P2M table.

Through the above method, we can find the memory space to which the antigen presenting module and the signal acquisition module belong. The information monitoring module reads the contents of all initialized data, read-only data, and functions' memory which belong to the two modules, in the order given by the System.map file, as the hash input. Hash computing maps a binary value of arbitrary length to a shorter fixed-length binary value, and two different inputs should not be mapped to the same value. Therefore, we use hash computing to ensure the integrity of the memory spaces of the antigen presenting module and the signal acquisition module. In the hypervisor we define two variables, $hd_{\mathrm{ag}}$ and $hd_{\mathrm{sig}}$, which store the cumulative hash values of the antigen presenting module and the signal acquisition module; they are calculated as follows:

$$
\begin{aligned}
hd_{\mathrm{ag}}(i + 1) &= \mathrm{hash}\bigl(hd_{\mathrm{ag}}(i)\ \&\ r_{\mathrm{ag}}(i + 1)\bigr), \\
hd_{\mathrm{sig}}(j + 1) &= \mathrm{hash}\bigl(hd_{\mathrm{sig}}(j)\ \&\ r_{\mathrm{sig}}(j + 1)\bigr).
\end{aligned}
\tag{7}
$$

In (7), $\mathrm{hash}(x)$ is the hash function, $\&$ is a binary string concatenation operator, $r_{\mathrm{ag}}(i)$ is the content of the $i$th memory segment of the antigen presenting module, and $hd_{\mathrm{ag}}(i)$ is the accumulative value after $i$ rounds of hash computing for the antigen presenting module. The meaning of the second line of (7) follows by analogy. We mark the final cumulative hash values of the antigen presenting module and the signal acquisition module stored by the hypervisor in a safe state as the standard values $hd'_{\mathrm{ag}}$ and $hd'_{\mathrm{sig}}$. The information monitoring module is executed periodically. By comparing the hash values $hd_{\mathrm{ag}}$ and $hd_{\mathrm{sig}}$ obtained while the program is running with the standard values, we can determine the security of the antigen presenting module and the signal acquisition module.
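The cumulative hash of Eq. (7) and its comparison against the standard value, as an added Python example (our code, not the paper's). The System.map rows, symbol names, addresses and memory bytes are constructed stand-ins for what the information monitoring module would read through the page-table and P2M translation described above; SHA-256 is our choice of hash function, and the restriction to text, read-only and initialized-data symbols mirrors the segments the paper says are hashed.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-in for the System.map entries of a domU kernel module:
# (virtual address, symbol type, name). Addresses and names are made up. Types
# follow nm/System.map conventions: t/T text, r/R read-only data, d/D initialised
# data, b/B bss (zero-initialised and changed at run time, so never hashed).
SYSTEM_MAP: List[Tuple[int, str, str]] = [
    (0xFFFFFFFFC0A01200, "t", "ag_build_antigen"),
    (0xFFFFFFFFC0A01000, "t", "ag_present_hook"),
    (0xFFFFFFFFC0A02100, "d", "ag_ring_size"),
    (0xFFFFFFFFC0A02000, "r", "ag_syscall_mask"),
    (0xFFFFFFFFC0A03000, "b", "ag_event_counter"),
]
HASHED_TYPES = set("tTrRdD")   # functions, read-only data, initialised data only


def segments_in_map_order(system_map, memory: Dict[str, bytes]) -> List[bytes]:
    """Select the module's hashable segments and order them by System.map address,
    so r_ag(1), r_ag(2), ... is the same sequence in every run."""
    rows = sorted(r for r in system_map if r[1] in HASHED_TYPES)
    return [memory[name] for _, _, name in rows]


def cumulative_hash(segments: List[bytes], hd0: bytes = b"") -> bytes:
    """Eq. (7): hd(i+1) = hash(hd(i) & r(i+1)), '&' being concatenation. Because
    hd(i) is a fixed-size digest, the concatenation cannot be re-split ambiguously."""
    hd = hd0
    for r in segments:
        hd = hashlib.sha256(hd + r).digest()
    return hd


def standard_value(memory: Dict[str, bytes]) -> bytes:
    """hd'_ag: the cumulative hash the hypervisor records in a known-safe state."""
    return cumulative_hash(segments_in_map_order(SYSTEM_MAP, memory))


def module_intact(memory: Dict[str, bytes], standard: bytes) -> bool:
    """Periodic check by the information monitoring module: recompute hd_ag and
    compare it with the standard value."""
    return cumulative_hash(segments_in_map_order(SYSTEM_MAP, memory)) == standard


# Constructed memory image of the antigen presenting module inside domU.
SAFE_MEMORY: Dict[str, bytes] = {
    "ag_present_hook": bytes.fromhex("554889e5 4883ec10 c3"),   # placeholder code bytes
    "ag_build_antigen": bytes.fromhex("554889e5 31c0 c3"),
    "ag_syscall_mask": (0x3FF).to_bytes(8, "little"),
    "ag_ring_size": (4096).to_bytes(4, "little"),
    "ag_event_counter": (0).to_bytes(8, "little"),
}


def tampered(memory: Dict[str, bytes], symbol: str, offset: int = 0) -> Dict[str, bytes]:
    """Return a copy of the image with one byte of `symbol` flipped."""
    m = dict(memory)
    data = bytearray(m[symbol])
    data[offset] ^= 0xFF
    m[symbol] = bytes(data)
    return m


STANDARD = standard_value(SAFE_MEMORY)

if __name__ == "__main__":
    print(module_intact(SAFE_MEMORY, STANDARD))                               # True
    print(module_intact(tampered(SAFE_MEMORY, "ag_present_hook"), STANDARD))  # False
    print(module_intact(tampered(SAFE_MEMORY, "ag_event_counter"), STANDARD)) # True
```

Two practical points follow from the code: the standard value must be captured before the guest is exposed to untrusted input, since a baseline taken from an already-modified module would simply ratify the modification; and writable run-time state (the bss counter here) has to stay out of the hash, otherwise every legitimate update would look like tampering.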

2.5. The Immune Evolution Model

2.5.1. Self-Evolution Model

$$
S(t) =
\begin{cases}
S_{\mathrm{first}}, & t = 0, \\
S(t - 1), & t \bmod \delta \ne 0, \\
S(t - 1) \cup S_{\mathrm{new}}(t) - S_{\mathrm{unload}}(t) - S_{\mathrm{dead}}(t), & t > 0 \wedge t \bmod \delta = 0,
\end{cases}
$$

$$
S_{\mathrm{dead}}(t) =
\begin{cases}
\emptyset, & \left| S(t - 1) \cup S_{\mathrm{new}}(t) - S_{\mathrm{unload}}(t) \right| < \mathrm{size}_{\max}, \\
\{\mathrm{ag} \mid \mathrm{ag} \in S(t - 1) \wedge \text{eliminate } \left| S_{\mathrm{new}}(t) - S_{\mathrm{unload}}(t) \right| \text{ elements according to some principles}\}, & \text{others},
\end{cases}
\tag{8}
$$

where $S(t), S(t - 1) \subset S$ respectively express the self set at the moments $t$ and $t - 1$, $S_{\mathrm{first}}$ is the self set at the initial moment, and $\delta$ is the evolutionary cycle of selves. Within a $\delta$ cycle the self set remains unchanged; at the end of a $\delta$ period, new elements $S_{\mathrm{new}}(t)$ are added (such as when new programs are loaded), those programs $S_{\mathrm{unload}}(t)$ that have been uninstalled are deleted, and part of the selves, $S_{\mathrm{dead}}(t)$, are eliminated in order to keep the self set from growing without limit.

The computer software system is a huge collection. The self set of a complete software system is too large for the calculation ability of computers at the present stage, and it is very difficult to find an absolutely reliable self set in a dynamic software system. The evolution of the self set lets the model maintain only a smaller set of selves, ensuring higher time efficiency under the existing computing capacity. In addition, because of the continuous evolution of selves, nonself elements which mix into the selves will eventually be removed, reducing the rate of false negatives caused by an incomplete self set.

2.5.2. Antibody Gene Lib Evolution Model

$$
G(t) =
\begin{cases}
G_{\mathrm{first}}, & t = 0, \\
(G(t - 1) - G_{\mathrm{dead}}(t)) \cup G_{\mathrm{new}}(t), & t > 0,
\end{cases}
\tag{9}
$$

where $G(t), G(t - 1) \subset G$ respectively express the antibody gene lib at the moments $t$ and $t - 1$; $G_{\mathrm{first}}$ is the initial antibody gene collection, which consists of gene fragments of typical kinds of malware; $G_{\mathrm{dead}}(t) = \bigcup_{x \in M_{\mathrm{dead}}(t)} \bigcup_{i=1}^{k} x.\mathrm{ag}.x_i$ is the set of mutated genes which should be removed at time $t$, where $M_{\mathrm{dead}}(t)$ is the set of memory detectors with false positives. When a mature detector is cloned, its genes $G_{\mathrm{new}}(t) = \bigcup_{x \in T_{\mathrm{cloned}}(t)} \bigcup_{i=1}^{k} x.\mathrm{ag}.x_i$ join the antibody gene library as dominant genes; $T_{\mathrm{cloned}}(t)$ is the set of activated mature detectors.

The antibody gene lib is mainly used to improve the generation efficiency of immature detectors. In the generation process of new immature detectors, their antibodies are produced by gene encoding, so they have the ability to detect known malware variants, which reduces the tolerance time. The use of genetic coding produces the "Baldwin effect": evolution and learning enable new individuals to acquire some of the same characteristics, reducing the diversity of the system. In order to solve this problem, a certain proportion of randomly generated immature detectors are added to ensure the diversity of the system.

2.5.3. Immature Detectors Evolution Model

$$
U(t) =
\begin{cases}
\emptyset, & t = 0, \\
\bigl(f_{\mathrm{age}}(U(t - 1)) - (U_{\mathrm{untolerance}}(t) \cup U_{\mathrm{matured}}(t))\bigr) \cup U_{\mathrm{new}}(t), & t > 0,
\end{cases}
$$

$$
U_{\mathrm{untolerance}}(t) = \{x \mid x \in f_{\mathrm{age}}(U(t - 1)) \wedge \exists y \in S(t - 1)\,(\mathrm{affinity}(x.\mathrm{ab}, y) = 1)\},
$$

$$
U_{\mathrm{matured}}(t) = \{x \mid x \in f_{\mathrm{age}}(U(t - 1)) - U_{\mathrm{untolerance}}(t) \wedge x.\mathrm{age} > \gamma\},
\tag{10}
$$

where $U(t), U(t - 1) \subset U$ respectively express the set of immature detectors at the moments $t$ and $t - 1$; $f_{\mathrm{age}}(X)$ $(X \subset B)$ means adding 1 to the age of every detector in $X$; $U_{\mathrm{untolerance}}(t)$ is the set of immature detectors which do not pass self-tolerance, and $U_{\mathrm{matured}}(t)$ is the set of mature detectors which pass self-tolerance; $U_{\mathrm{new}}(t)$ is the set of newly created immature detectors at time $t$ and includes two parts: completely randomly generated detectors (to ensure diversity) and detectors generated by gene encoding from the antibody gene lib (to ensure availability).

2.5.4. Mature Detectors Evolution Model

$$
T(t) =
\begin{cases}
\emptyset, & t = 0, \\
\bigl(f_{\mathrm{age}}(T(t - 1)) - (T_{\mathrm{dead}}(t) \cup T_{\mathrm{cloned}}(t))\bigr) \cup U_{\mathrm{matured}}(t) \cup T_{\mathrm{permutation}}(t), & t > 0,
\end{cases}
$$

$$
T_{\mathrm{dead}}(t) = \{x \mid x \in f_{\mathrm{age}}(T(t - 1)) \wedge x.\mathrm{age} = \mathrm{age}_{\max} \wedge \nexists y \in N(t - 1)\,(x \in \mathrm{DA}(y))\},
$$

$$
T_{\mathrm{cloned}}(t) = \{x \mid x \in (f_{\mathrm{age}}(T(t - 1)) - T_{\mathrm{dead}}(t)) \wedge \exists y \in N(t - 1)\,(x \in \mathrm{DA}(y))\},
$$

$$
T_{\mathrm{permutation}}(t) = f_{\mathrm{clone\_mutation}}(T_{\mathrm{cloned}}(t) \cup M_{\mathrm{cloned}}(t)),
\tag{11}
$$

where $T(t), T(t - 1) \subset T$ respectively express the set of mature detectors at the moments $t$ and $t - 1$; $T_{\mathrm{dead}}(t)$ is the set of mature detectors which are not activated at the end of their life cycle; $T_{\mathrm{cloned}}(t)$ is the set of mature detectors activated by danger signals; $U_{\mathrm{matured}}(t)$ is the set of new mature detectors; $T_{\mathrm{permutation}}(t)$ is the set of mature detectors produced by clonal mutation of the activated ones; and $f_{\mathrm{clone\_mutation}}(X)$ $(X \subset T)$ is the clonal variation function, which executes the clone and mutation operation for each element $x$ in $X$.

2.5.5. Memory Detectors Evolution Model

$$
M(t) =
\begin{cases}
M_{\mathrm{first}}, & t = 0, \\
(M(t - 1) - M_{\mathrm{dead}}(t)) \cup f_{\mathrm{age2}}(M_{\mathrm{cloned}}(t)), & t > 0,
\end{cases}
$$

$$
M_{\mathrm{dead}}(t) = \{x \mid x \in M(t - 1) \wedge \exists y \in S(t - 1)\,(\mathrm{affinity}(x.\mathrm{ab}, y) = 1)\},
$$

$$
M_{\mathrm{cloned}}(t) = \{x \mid x \in M(t - 1) \wedge \exists y \in N(t - 1)\,(x \in \mathrm{DA}(y))\},
\tag{12}
$$

where $M(t), M(t - 1) \subset M$ respectively express the set of memory detectors at the moments $t$ and $t - 1$; $M_{\mathrm{first}}$ is the set of initial memory detectors, which can be obtained from common malwares; $M_{\mathrm{dead}}(t)$ is the set of memory detectors with false positives at the moment $t$; $f_{\mathrm{age2}}(M_{\mathrm{cloned}}(t))$ expresses the set of newly created memory detectors, where $f_{\mathrm{age2}}(X)$ $(X \subset B)$ sets the age of each detector in $X$ to $\mathrm{age}_{\max}$; and $M_{\mathrm{cloned}}(t)$ is the set of activated memory detectors at time $t$.

2.5.6. Antigen Detection

$$
\mathrm{AG}(t) =
\begin{cases}
\mathrm{AG}_{\mathrm{first}}, & t = 0, \\
(\mathrm{AG}(t - 1) - \mathrm{AG}_{\mathrm{self}}(t) - \mathrm{AG}_{\mathrm{nonself}}(t)) \cup \mathrm{AG}_{\mathrm{new}}(t), & t > 0,
\end{cases}
$$

$$
\mathrm{AG}_{\mathrm{nonself}}(t) = \{x \mid x \in \mathrm{AG}_{\mathrm{checked}}(t) \wedge \exists y \in (T_{\mathrm{cloned}}(t) \cup M_{\mathrm{cloned}}(t))\,(\mathrm{affinity}(y.\mathrm{ab}, x) = 1)\},
$$

$$
\mathrm{AG}_{\mathrm{self}}(t) = \{x \mid x \in \mathrm{AG}_{\mathrm{checked}}(t) \wedge \forall y \in (T(t) \cup M(t))\,(\mathrm{affinity}(y.\mathrm{ab}, x) = 0)\},
\tag{13}
$$

where $\mathrm{AG}(t), \mathrm{AG}(t - 1) \subset \mathrm{AG}$ respectively express the set of antigens at the moments $t$ and $t - 1$, $\mathrm{AG}_{\mathrm{first}}$ is the set of initial antigens, and $\mathrm{AG}_{\mathrm{checked}}(t) \subset \mathrm{AG}(t)$ expresses the antigens to be checked at the moment $t$.
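One evolution step of the detector populations, Eqs. (10)–(13), run over constructed detectors and system-call traces, as an added Python example (our code, not the paper's). It simplifies the paper's affinity to verbatim fragment overlap against a threshold (the r-continuous rule of Definition 3 is not reproduced here), implements the danger zone of Eq. (4) with that overlap, and promotes activated mature detectors to memory as Figure 3 and Section 2.2 describe (the literal M_cloned term of Eq. (12) would only re-age detectors that are already in M). BETA, GAMMA, AGE_MAX, R_DANGER, the clone count and every trace are constructed values; syscall IDs and parameters are made-up integers.

```python
import random
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

Genes = Tuple[Tuple[int, ...], ...]   # k gene fragments, each (sid, p_1, ..., p_l)


@dataclass
class Detector:
    ab: Genes      # antibody gene fragments (Definition 2)
    age: int = 0


BETA, GAMMA, AGE_MAX, R_DANGER = 0.5, 2, 6, 2.0   # constructed parameters


def affinity(ab: Genes, ag: Genes) -> int:
    """Simplified stand-in for Eq. (1) (our assumption, not the paper's r-continuous
    rule): the share of antibody fragments found verbatim in the antigen >= BETA."""
    return int(sum(x in ag for x in ab) / len(ab) >= BETA)


def in_danger_zone(d: Detector, ag: Genes) -> bool:
    """Eq. (4): distance 1 / (mean fragment match) must not exceed r_danger."""
    hits = sum(x in ag for x in d.ab)
    return hits > 0 and len(d.ab) / hits <= R_DANGER


def clone_mutate(parents: Sequence[Detector], rng: random.Random, copies: int = 2) -> List[Detector]:
    """f_clone_mutation: copies of each parent with one parameter perturbed (the
    syscall ID is kept), starting again at age 0."""
    out = []
    for p in parents:
        for _ in range(copies):
            genes = [list(f) for f in p.ab]
            i = rng.randrange(len(genes))
            genes[i][rng.randrange(1, len(genes[i]))] = rng.randrange(256)
            out.append(Detector(tuple(tuple(f) for f in genes)))
    return out


def tick(U, T, M, selfs, nonselfs, checked, U_new, rng) -> Dict[str, list]:
    """One evolution step: Eqs. (10)-(12), then antigen detection, Eq. (13)."""
    # Eq. (10): f_age; immature detectors that match a self fail tolerance and are
    # dropped; tolerated ones older than GAMMA mature.
    for d in U:
        d.age += 1
    tolerated = [d for d in U if not any(affinity(d.ab, s) for s in selfs)]
    U_matured = [d for d in tolerated if d.age > GAMMA]
    U_next = [d for d in tolerated if d.age <= GAMMA] + list(U_new)
    # Eq. (11): f_age; a mature detector inside a nonself antigen's danger zone is
    # activated (T_cloned); an unactivated one reaching AGE_MAX dies (T_dead).
    for d in T:
        d.age += 1
    T_cloned = [d for d in T if any(in_danger_zone(d, y) for y in nonselfs)]
    T_dead = [d for d in T if d.age >= AGE_MAX and d not in T_cloned]
    # Eq. (12): a memory detector matching a self is a false positive (M_dead);
    # one inside a danger zone is activated (M_cloned). Both activated sets clone.
    M_dead = [d for d in M if any(affinity(d.ab, s) for s in selfs)]
    M_cloned = [d for d in M if any(in_danger_zone(d, y) for y in nonselfs)]
    T_perm = clone_mutate(T_cloned + M_cloned, rng)
    T_next = [d for d in T if d not in T_dead and d not in T_cloned] + U_matured + T_perm
    # Activated mature detectors become memory detectors with age AGE_MAX (f_age2),
    # the "triggered by danger signals" transition of Figure 3.
    for d in T_cloned:
        d.age = AGE_MAX
    M_next = [d for d in M if d not in M_dead] + T_cloned
    # Eq. (13): nonself = matched by an activated detector; self = matched by no
    # detector of the new mature and memory sets.
    active = T_cloned + M_cloned
    ag_nonself = [x for x in checked if any(affinity(d.ab, x) for d in active)]
    ag_self = [x for x in checked if not any(affinity(d.ab, x) for d in T_next + M_next)]
    return {"U": U_next, "T": T_next, "M": M_next, "nonself": ag_nonself, "self": ag_self}


def run_example() -> Dict[str, list]:
    """Constructed traces with k = 3, l = 1 (syscall IDs and parameters are made up)."""
    selfs = [((0, 7), (1, 7), (3, 7)), ((2, 5), (0, 5), (3, 5))]   # S(t-1)
    nonselfs = [((59, 9), (2, 9), (1, 9))]                          # N(t-1)
    U = [Detector(((0, 7), (1, 7), (9, 9))),                # matches a self: fails tolerance
         Detector(((59, 9), (8, 8), (7, 7)), age=GAMMA),    # ages past GAMMA: matures
         Detector(((4, 1), (5, 1), (6, 1)))]                # stays immature
    T = [Detector(((59, 9), (2, 9), (5, 5)), age=1),        # 2 of 3 hits: inside the danger zone
         Detector(((4, 4), (5, 5), (6, 6)), age=AGE_MAX - 1),   # unactivated, reaches AGE_MAX
         Detector(((8, 8), (2, 9), (6, 6)), age=1)]         # 1 hit: distance 3 > R_DANGER
    M = [Detector(((0, 7), (3, 7), (6, 6)), age=AGE_MAX),   # false positive on a self
         Detector(((59, 9), (1, 9), (4, 4)), age=AGE_MAX)]  # activated memory detector
    fresh = [Detector(((7, 7), (8, 8), (9, 9)))]            # U_new(t)
    return tick(U, T, M, selfs, nonselfs, selfs + nonselfs, fresh, random.Random(1))


if __name__ == "__main__":
    r = run_example()
    print({k: len(v) for k, v in r.items()})   # {'U': 2, 'T': 6, 'M': 2, 'nonself': 1, 'self': 2}
```

Note the order of operations inside `tick`: the self check on memory detectors (M_dead) runs before activation, so a memory detector that has started matching legitimate behaviour is retired rather than allowed to raise a secondary response, which is the false-positive control the self-evolution of Eq. (8) relies on.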

3. Performance Analysis of the Model

Set the number of programs in a computer as $N_p$; usually the proportion of nonselves is $\rho$. The size of the self set is $|S|$, the size of the mature detector set is $|T|$, and the size of the memory detector set is $|M|$. The matching probability between any given detector and any given antigen is $P_m$ (which is related to the specific matching rule). $P(A)$ is the probability of occurrence of event $A$.

Theorem 5. For any detector which passes self-tolerance, the probability of this detector matching those selves which are not described is

$$
P_n = (1 - P_m)^{|S|} \cdot \left( 1 - (1 - P_m)^{N_p \cdot (1 - \rho) - |S|} \right).
$$

Proof. Let $A$ be the event "the given detector does not match any self in the self set" and $B$ the event "the given detector matches at least one self in the undescribed self set." It is clear that a detector from $A$ is self-tolerated and a detector from $B$ may not be self-tolerated; $P_n = P(A)P(B)$. In the event $A$, the number of times $X$ that the detector matches selves follows the binomial distribution, that is to say, $X \sim b(n, p)$, where $n = |S|$ and $p = P_m$. Then $P(A) = P(X = 0) = (P_m)^0 (1 - P_m)^{|S|} = (1 - P_m)^{|S|}$. In a similar way, in the event $B$, the number of times $Y$ that the detector matches selves follows the binomial distribution, $Y \sim b(n, p)$, where $n = N_p \cdot (1 - \rho) - |S|$ and $p = P_m$. Then $P(B) = 1 - P(Y = 0) = 1 - (1 - P_m)^{N_p \cdot (1 - \rho) - |S|}$, and $P_n = P(A)P(B) = (1 - P_m)^{|S|} \cdot (1 - (1 - P_m)^{N_p \cdot (1 - \rho) - |S|})$.

Theorem 6. For any given nonself antigen ag, the probability of this antigen being identified correctly is

$$
P_r = 1 - (1 - P_m)^{(|M| + |T|)(1 - P_n)} \approx 1 - e^{-P_m (|M| + |T|)(1 - P_n)}.
$$

Proof. Let $A$ be the event "ag matches some memory detector or some mature detector which is triggered by danger signals"; $P_r = P(A)$. In the event $A$, the number of times $X$ that the antigen matches detectors follows the binomial distribution $X \sim b(n, p)$, where $n = (|M| + |T|)(1 - P_n)$ and $p = P_m$; the memory detectors and mature detectors which recognize selves cannot identify nonselves, so they are not counted. Then $P_r = P(A) = 1 - P(X = 0) = 1 - (1 - P_m)^{(|M| + |T|)(1 - P_n)}$. According to the Poisson theorem, when $P_m$ is small and $(|M| + |T|)(1 - P_n)$ is large, $P_r \approx 1 - e^{-P_m (|M| + |T|)(1 - P_n)}$.

Theorem 7. For any given nonself antigen ag, the probability of a false negative with this antigen is

$$
P_{\mathrm{neg}} = (1 - P_m)^{(|M| + |T|)(1 - P_n)} \approx e^{-P_m (|M| + |T|)(1 - P_n)};
$$

for any given self antigen ag, the probability of a false positive with this antigen is

$$
P_{\mathrm{pos}} = 1 - (1 - P_m)^{(|M| + |T|) P_n} \approx 1 - e^{-P_m (|M| + |T|) P_n}.
$$

Proof. By Theorem 6, $P_{\mathrm{neg}} = 1 - P_r = (1 - P_m)^{(|M| + |T|)(1 - P_n)} \approx e^{-P_m (|M| + |T|)(1 - P_n)}$. Let $A$ be the event "the given self matches a memory detector or a mature detector"; then $P_{\mathrm{pos}} = P(A)$. In event $A$, the number of times $X$ that the self matches detectors follows the binomial distribution $X \sim b(n, p)$, where $n = (|M| + |T|) P_n$ and $p = P_m$. So $P_{\mathrm{pos}} = P(A) = 1 - P(X = 0) = 1 - (1 - P_m)^{(|M| + |T|) P_n}$. According to the Poisson theorem, when $P_m$ is small and $(|M| + |T|) P_n$ is large, $P_{\mathrm{pos}} \approx 1 - e^{-P_m (|M| + |T|) P_n}$.

Figure 4: Effect of $N_p$ and $|S|$ on $P_n$ ($P_m = 0.025625$, $\rho = 0.01$). (Surface plot; axes: $P_n$ from 0 to 1, $N_p$ from 0 to 1000, $|S|$ from 0 to 400.)

Theorem 8. Selves of the model are completely described at the macrolevel. The spatial complexity of the dynamic tolerance model producing a fixed number of mature detectors is constant, and the time complexity is linear in the number of detectors (excluding immature detectors).

Proof. According to (8), the self set evolves with a fixed length of time slice. With the passage of time, $\bigcup_{t=0}^{\infty} S(t)$ will cover the entire self space, which is to say the description of selves at the macrolevel is complete. Moreover, the size of the self set is limited to $\text{size}_{\max}$. Without loss of generality, consider the extreme case in which the number of selves is $|S(t)| = \text{size}_{\max}$. D'haeseleer et al. [16] pointed out that, for an arbitrary matching rule, the spatial complexity of producing a fixed number of mature detectors is $O(l \cdot \text{size}_{\max})$ and the time complexity is $O\!\left(\frac{-\ln(P_{\text{neg}})}{P_m \cdot (1-P_m)^{\text{size}_{\max}}} \cdot \text{size}_{\max}\right)$. For a specific matching algorithm, $P_m$ is constant. By Theorem 7, $P_{\text{neg}} \approx e^{-P_m(|M|+|T|)(1-P_n)}$. By Theorem 5, $P_n = (1-P_m)^{\text{size}_{\max}} \cdot \left(1-(1-P_m)^{N_p\cdot(1-\rho)-\text{size}_{\max}}\right)$. So the time complexity of producing a fixed number of mature detectors is
$$O\!\left(\frac{-\ln(P_{\text{neg}})}{P_m \cdot (1-P_m)^{\text{size}_{\max}}} \cdot \text{size}_{\max}\right) = O\!\left(\frac{(|M|+|T|)(1-P_n)}{(1-P_m)^{\text{size}_{\max}}} \cdot \text{size}_{\max}\right) = O\!\left((|M|+|T|) \cdot \frac{(1-P_n)\cdot \text{size}_{\max}}{(1-P_m)^{\text{size}_{\max}}}\right).$$
That is to say, the time complexity of producing a fixed number of mature detectors is linear in the number of memory detectors and mature detectors.

For a specific matching rule, $P_m$ is constant [17]. For the $r$-continuous bit matching method, $P_m = 0.025625$. Figures 4 and 5 are the Matlab simulations of Theorem 5. As can be seen from the figures, when $|S|$ is large enough, the effect of $N_p$ and $\rho$ on $P_n$ is small. When $|S| = 200$, $N_p = 500$, and $\rho = 0.01$, $P_n < 1\%$, which reaches the ideal value.

Figure 6 is the Matlab simulation of Theorem 6. As can be seen from the figure, $P_r$ increases as $|M|$ and $|T|$ become large.

10 Mobile Information Systems

Figure 5: Effect of $\rho$ and $|S|$ on $P_n$ ($P_m = 0.025625$, $N_p = 400$). Axes: $\rho$ from 0 to 0.1, $|S|$ from 0 to 400, $P_n$ from 0 to 1.

Figure 6: Effect of $|M|$ and $|T|$ on $P_r$ ($P_m = 0.025625$, $P_n = 0.01$). Axes: $|T|$ from 0 to 400, $|M|$ from 0 to 400, $P_r$ from 0 to 1.

Figures 7 and 8 are the Matlab simulations of Theorem 7. As can be seen from the figures, with the rise of $|M|$ and $|T|$, $P_{\text{neg}}$ decreases and $P_{\text{pos}}$ increases.

Considering the simulations of Theorems 5, 6, and 7, when $|S| = 200$, $N_p = 500$, $\rho = 0.01$, $|M| = 100$, and $|T| = 100$, the values $P_n < 1\%$, $P_r > 95\%$, $P_{\text{neg}} < 1\%$, and $P_{\text{pos}} < 5\%$ reach the ideal values.
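The operating point just quoted, carried through Theorems 5, 6, and 7 in code. This is an added example (not the paper's Matlab simulation); parameter names follow the theorems, and the `min_total_detectors` inversion of Theorem 6, which finds the smallest $|M|+|T|$ for a target $P_r$, goes beyond what the text states.

```python
"""Worked evaluation of Theorems 5-7 (detector/antigen matching probabilities
of the IB-IDS analysis).  Added example, not the paper's Matlab code; symbol
names follow the paper: Np, rho, |S|, |M|, |T|, Pm."""
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class ImmuneParams:
    n_p: int      # Np: number of programs on the machine
    rho: float    # proportion of programs that are nonself
    s_size: int   # |S|: size of the described self set
    m_size: int   # |M|: number of memory detectors
    t_size: int   # |T|: number of mature detectors
    p_m: float    # Pm: matching probability of one detector/antigen pair
                  # (0.025625 for the paper's r-continuous bit matching rule)

    @property
    def undescribed_selves(self) -> float:
        # selves that exist but are not in S: Np*(1-rho) - |S|
        return self.n_p * (1 - self.rho) - self.s_size


def p_n(p: ImmuneParams) -> float:
    """Theorem 5: a detector that survived self-tolerance on S still matches
    at least one undescribed self: (1-Pm)^|S| * (1 - (1-Pm)^(Np(1-rho)-|S|))."""
    if p.undescribed_selves < 0:
        raise ValueError("self set larger than the self population Np*(1-rho)")
    tolerated = (1 - p.p_m) ** p.s_size                          # P(A): no match in S
    hits_undescribed = 1 - (1 - p.p_m) ** p.undescribed_selves   # P(B): >= 1 match outside S
    return tolerated * hits_undescribed


def p_r(p: ImmuneParams, poisson: bool = False) -> float:
    """Theorem 6: a nonself antigen is caught by at least one of the
    (|M|+|T|)(1-P_n) detectors that do not describe self.
    poisson=True uses the e^{-Pm n} approximation stated in the theorem."""
    n_useful = (p.m_size + p.t_size) * (1 - p_n(p))
    if poisson:
        return 1 - math.exp(-p.p_m * n_useful)
    return 1 - (1 - p.p_m) ** n_useful


def p_neg(p: ImmuneParams) -> float:
    """Theorem 7, first part: false negative probability = 1 - P_r."""
    return 1 - p_r(p)


def p_pos(p: ImmuneParams, poisson: bool = False) -> float:
    """Theorem 7, second part: a self antigen is hit by one of the
    (|M|+|T|)P_n self-reactive detectors."""
    n_self_reactive = (p.m_size + p.t_size) * p_n(p)
    if poisson:
        return 1 - math.exp(-p.p_m * n_self_reactive)
    return 1 - (1 - p.p_m) ** n_self_reactive


def min_total_detectors(p: ImmuneParams, target_pr: float) -> int:
    """Smallest |M|+|T| with P_r >= target_pr (inversion of Theorem 6, added
    here).  Solve 1-(1-Pm)^(n(1-P_n)) >= target for n, then step to the exact
    integer boundary so floating-point rounding cannot shift the answer."""
    pn = p_n(p)
    n = math.ceil(math.log(1 - target_pr) / math.log(1 - p.p_m) / (1 - pn))
    pr_of = lambda total: 1 - (1 - p.p_m) ** (total * (1 - pn))
    while n > 1 and pr_of(n - 1) >= target_pr:
        n -= 1
    while pr_of(n) < target_pr:
        n += 1
    return n


def ideal_point_check(p: ImmuneParams) -> dict:
    """The paper's ideal values: P_n < 1%, P_r > 95%, P_neg < 1%, P_pos < 5%."""
    pn, pr, pneg, ppos = p_n(p), p_r(p), p_neg(p), p_pos(p)
    return {"P_n": pn, "P_r": pr, "P_neg": pneg, "P_pos": ppos,
            "ideal": pn < 0.01 and pr > 0.95 and pneg < 0.01 and ppos < 0.05}


# The operating point the paper settles on after its simulations.
PAPER_POINT = ImmuneParams(n_p=500, rho=0.01, s_size=200, m_size=100,
                           t_size=100, p_m=0.025625)

if __name__ == "__main__":
    for name, value in ideal_point_check(PAPER_POINT).items():
        print(f"{name:>6}: {value}")
    print("smallest |M|+|T| for P_r >= 95%:", min_total_detectors(PAPER_POINT, 0.95))
```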

4. Experimental Results and Analysis

In this section, we verified the validity of IB-IDS through experiments, including security analysis, effects on the performance of programs after joining IB-IDS into the Xen virtual machine system, and intrusion detection efficiencies of IB-IDS. The experimental environment is as follows. All tests were performed on a ThinkPad T540p notebook. Its hardware configuration is an Intel Core i5-4300M 2.60 GHz quad-core CPU and 8 GB of physical memory. The Xen version is 4.4.1, which manages two domains: the privileged VM dom0 and the guest VM dom1. These two virtual machines run Ubuntu 14.04, and the Linux kernel version is 3.13.0-19. Dom0 is allocated four VCPUs and 4 GB of physical memory, and its CPU scheduling weight is set to 256, while dom1 is allocated four VCPUs and 1 GB of physical memory, and its CPU scheduling weight is set to 256.

In IB-IDS, the parameters are set as follows. Danger signal parameters $k_1 = 1$, $k_2 = 0.5$, $k_3 = -1.5$, and the radius of the danger zone $r_{\text{danger}} = 0.5$. Experiments were run 10 times and averaged results were acquired.

Figure 7: Effect of $|M|$ and $|T|$ on $P_{\text{neg}}$ ($P_m = 0.025625$, $P_n = 0.01$). Axes: $|T|$ from 0 to 400, $|M|$ from 0 to 400, $P_{\text{neg}}$ from 0 to 1.

Figure 8: Effect of $|M|$ and $|T|$ on $P_{\text{pos}}$ ($P_m = 0.025625$, $P_n = 0.01$). Axes: $|T|$ from 0 to 400, $|M|$ from 0 to 400, $P_{\text{pos}}$ from 0 to 1.

4.1. Security Analysis. In the architecture description of the model, each module is distributed in a different virtual machine. In domU, data is collected and then passed to dom0 through the interdomain communication mechanism. The authorization list of Xen makes sure that a domain's memory space can only be accessed by its authorized domain. In the model, domU is the owner of a shared ring buffer and dom0 has the only granted permission; other domains cannot access it. Therefore, data will not be leaked to other, unauthorized domains, and the data transfer process is safe.

In paravirtualized Xen, domU accesses the hardware indirectly through dom0. To ensure the safety of the immune calculation, the model passes data to dom0 for computation. In this model, we assume that the privileged virtual machine is a trusted node.

Some traditional intrusion detection tools typically need to be deployed in the client virtual machine. Because the client virtual machine is not a trusted node and is exposed to various attacks, the detection tools are also vulnerable. In this model, we assume that the virtual machine monitor is also a trusted node. The memory space of the two modules which are deployed in domU will be monitored by the virtual machine monitor.

Therefore, the monitoring process and results of the model are reliable.

4.2. Performance Evaluations of the Model. The introduction of IB-IDS to a virtual machine system will obviously bring some performance cost. In cloud computing, many applications are executed concurrently. Therefore, this section first uses an appropriate performance test to assess the impact of IB-IDS on parallel programs. In our tests, we used the classic SPLASH-2 program group [18, 19]. The programs are written in C, are composed of 12 benchmarks, and use the PThread parallel mode. We randomly selected five programs for testing, and Table 1 gives a brief introduction.

Table 1: Illustrations of tested parallel programs

Program name | Meaning | Parameter settings
FFT | Computing a fast Fourier transform | m = 22, p = 2, n = 65536, l = 4
LU | Splitting a sparse matrix into a product of a lower triangular matrix and an upper triangular matrix | p = 2, n = 2048, b = 16
Ocean | Simulating movements of an entire ocean through the edge of the ocean currents (noncontiguous block allocation method) | p = 4, n = 258, t = 380, e = 1e-09
Raytrace | Path simulation of lights | p = 4, envfile = ball4
Barnes | Simulating a three-dimensional multibody system (e.g., galaxies) | p = 2, fleaves = 2

Figure 9: Testing of parallel programs. Compute time (ms) from 0 to 5000 for FFT, LU, Ocean, Raytrace, and Barnes, with and without IB-IDS.

Figure 9 shows contrasts of the five benchmarks with IB-IDS loaded and unloaded. As can be seen from the figure, the calculation time of dom1 is longer than in the original system, and the average increase in time is 7.33%, up to 10.86% on the LU program, which indicates that the additional cost of a virtual machine system with integrated IB-IDS is very small and in the acceptable range. Applying IB-IDS to cloud computing platforms will not have a significant impact on parallel applications.

In IB-IDS, the main performance overhead of domU comes from the antigen presenting module and the signal acquisition module, as well as the operation of passing data to dom0 through the inter-virtual-machine communication mechanism. These acts are performed regularly and the cost is limited. For example, the antigen presenting module is a proactive monitoring program on the system call sequence and is not triggered by every system call. The signal acquisition module is the same. Through the event channel, domU puts antigens and environmental status into the ring buffer, and only if the ring buffer is empty will it notify dom0, which causes a context switch between domU and dom0. If there is data in the ring buffer, dom0 will have kept reading, and domU's notification is not required. So the overhead of context switching is limited. In addition, the implementations of the immune response module, signal measurement module, and information monitoring module will increase the performance overhead of dom0, and the impact on domU can be ignored.

Then we test the impact of IB-IDS on computation-intensive applications. In our tests, we used the SPEC (Standard Performance Evaluation Corporation) CPU2000 benchmark set [20]. The programs include two parts. One is CINT2000, for integer computation-intensive applications. The other is CFP2000, for floating-point applications. We chose CINT2000, which has 12 applications, and randomly selected five programs for testing; Table 2 gives a brief introduction.

Figure 10 shows contrasts of the five benchmarks with IB-IDS loaded and unloaded. As can be seen from the figure, the calculation time of dom1 is longer than in the original system, and the average increase in time is 9.12%, up to 11.48% on the 254.gap program. Compared with parallel programs, the influence of IB-IDS on the virtual machine is larger, but it is still in the acceptable range. So IB-IDS can be integrated in the computation-intensive program scenario of cloud computing.

At last, we test the impact of IB-IDS on a web server. In our tests, domU runs the web server, which is composed of the Apache HTTP server and PHP. We use the httperf tool [21] to generate continuous network requests that can cause the server to be overloaded. Using the autobench tool [22], we can run httperf many times, increase the number of requests per second, and extract the output of the httperf results. Figure 11 shows contrasts of server responses with IB-IDS loaded and unloaded. As can be seen, when the frequency of HTTP requests increases, the response time of the server after the introduction of IB-IDS rises. When the HTTP request frequency is 100, the increase in time is less than 0.5 s, which is acceptable. Therefore, in a cloud computing platform with a deployed web server, the IB-IDS system can also be applied.

Table 2: Illustrations of tested computation-intensive programs

Program name | Meaning
164.gzip | The compression and decompression operations of a set of files
175.vpr | According to specific algorithms, placement and routing operations for a field-programmable gate array circuit
186.crafty | Chess program that finds the next move in view of the board layout
252.eon | Probabilistic ray tracing used to create a 3D object image
254.gap | Solving the problem of correlation analysis and calculation of discrete mathematics

Figure 10: Testing of computation-intensive programs. Compute time (s) from 0 to 120 for 164.gzip, 175.vpr, 186.crafty, 252.eon, and 254.gap, with and without IB-IDS.

4.3. Comparisons of Detection Rates and False Alarm Rates. This section tests the ability of IB-IDS to detect attacks. The experiments adopt the detection rate (DR) and false alarm rate (FAR) to measure the effectiveness of the system and to compare it with the ARTIS model proposed by Glickman et al. [17]. As a general computer immune system, that model has the characteristics of diversity, distribution, dynamic learning, adaptability, and self-monitoring. It consists of a series of lymph nodes, and each node independently completes the immune function. Each node contains multiple detectors (a detector is a blend of the nature of B cells, T cells, and antibodies). The ARTIS model draws on a variety of biological immune mechanisms, and coordinated stimulus and the dynamic evolution of detectors (immature, mature, and memory ones) make it learn continuously. The model has been successfully applied in intrusion detection, virus identification, pattern recognition, and so forth [17, 23]. Figure 12 shows the life cycle of detectors.

Figures 13 and 14 show comparisons of DR and FAR for IB-IDS and ARTIS in the simulation environment. In Figure 13, the experiments adopt data with 60 nonselves in every 100 antigens, where 30 nonselves are just confirmed. This means that previously this type of antigen was considered to be self (normal procedure) and is now thought of as nonself (abnormal procedure); for example, some attack process is unloaded instantly and stops providing related services. In Figure 14, the experiments adopt data with 40 selves in every 100 antigens, where 20 nonselves are just defined; for example, some new processes are loaded to provide new services. The experimental results show that IB-IDS has a higher DR and a lower FAR.

Figure 11: Testing of web server load. Response time (ms) from 0 to 4500 against request rate from 0 to 100, with and without IB-IDS.

Then we adopt the wu-ftpd 2.6.0 program, the sendmail 8.12.0 program, and some typical Linux rootkits, which are widely deployed, as anomaly detection applications. Attacks against wu-ftpd are the scripting attack on the file name matching vulnerability, the attack of getting around access restrictions, the scripting attack on the site exec vulnerability, and so on. Attacks against sendmail are the sccp attack, the decode attack, the remote buffer overflow attack, and so on. Some of the representative rootkits include the simple hook rootkit, the inline hook rootkit, the inline hook complex rootkit, and so on. Simple hook rootkit: a rootkit of this type modifies the system call function's entry address to point to a malicious function; when the corresponding system call is invoked, the malicious function is executed instead of the original system call function. Inline hook rootkit: a rootkit of this type does not modify the system call table entry address but replaces the first few bytes of the system call function with a jump statement; compared with the simple hook rootkit, this rootkit is more subtle. Inline hook complex rootkit: a rootkit of this type does not replace the first bytes of the system call function with jump statements but other bytes, for example, bytes in the middle. Table 3 lists the DRs and FARs of IB-IDS and ARTIS, with variances in parentheses. As can be seen from the table, IB-IDS has high detection rates and low false alarm rates under various attacks and is feasible for judging applications in client virtual machines.

Figure 12: The life cycle of detectors in ARTIS. Randomly generated detectors enter as immature detectors; those that do not match selves become mature detectors (those that match selves die); mature detectors that match antigens and receive costimulation, and match enough, become memory detectors, while those with no costimulation or that are too old die.

Figure 13: Comparisons of DR for IB-IDS and ARTIS. Detection rate (%) from 0 to 100 against time from 5 to 50.

Figure 14: Comparisons of FAR for IB-IDS and ARTIS. False alarm rate (%) from 0 to 100 against time from 5 to 50.

Table 3: Detection results (DR and FAR in %, variances in parentheses)

Process / attack | ARTIS DR | ARTIS FAR | IB-IDS DR | IB-IDS FAR
wu-ftpd: file name matching vulnerability | 76.12 (5.11) | 10.28 (4.17) | 96.55 (1.14) | 7.22 (1.22)
wu-ftpd: site exec vulnerability | 79.87 (2.45) | 9.87 (5.32) | 97.31 (1.23) | 6.65 (2.01)
wu-ftpd: attack of getting around access restrictions | 77.54 (4.77) | 12.75 (3.74) | 97.02 (1.08) | 7.43 (1.67)
sendmail: sccp attack | 74.52 (3.56) | 14.62 (3.41) | 98.11 (1.25) | 5.15 (1.63)
sendmail: decode attack | 81.21 (4.84) | 15.72 (3.87) | 98.35 (1.01) | 5.42 (1.69)
sendmail: remote buffer overflow attack | 82.45 (5.46) | 12.84 (5.63) | 98.78 (1.14) | 5.80 (1.28)
rootkit: simple hook rootkit | 85.15 (5.16) | 9.41 (4.12) | 99.99 (0) | 0 (0)
rootkit: inline hook rootkit | 82.45 (6.82) | 10.75 (8.20) | 99.99 (0) | 0 (0)
rootkit: inline hook complex rootkit | 75.14 (5.23) | 9.56 (6.77) | 95.84 (2.42) | 3.78 (2.89)

5. Conclusions

Cloud computing platforms are usually based on virtual machines as the underlying architecture; the security of virtual machine systems is the core of cloud computing security.

Current studies on the security of user programs and the vulnerabilities of virtual machine monitors cannot accurately judge the real state of the client application in the virtual machine. At the same time, the proposed defense methods are only for specific attacks and vulnerabilities and cannot effectively deal with threats from other attacks. This paper presents an immune-based intrusion detection model in virtual machines of the cloud computing environment to ensure the safety of user-level applications in client virtual machines. The model extracts system call sequences and their parameters from programs, abstracts them into antigens, and fuses environmental information of guest virtual machines into danger signals in client VMs. Then immune responses are performed in the privileged VM. During the detection process, the information monitoring mechanism is executed in the VMM. Experimental results show that the model brings a small performance overhead for the virtual machine system and has good detection performance. It is applicable for judging the state of user-level applications in guest virtual machines, and it is feasible to use it to increase user-level security in software services of cloud computing platforms.

Conflicts of Interest

The authors declare that there are no conflicts of interest

Acknowledgments

The authors would like to acknowledge the Sichuan Agricultural University Double Support Project for providing financial aid.

References

[1] A. Haeberlen, P. Aditya, R. Rodrigues, and P. Druschel, "Accountable virtual machines," in Proceedings of the 9th USENIX Symposium on Operating Systems Design and Implementation (OSDI '10), 2010.

[2] B. D. Payne, M. Carbone, M. Sharif, and W. Lee, "Lares: An architecture for secure active monitoring using virtualization," in Proceedings of the 2008 IEEE Symposium on Security and Privacy (SP), pp. 233–247, Oakland, Calif, USA, May 2008.

[3] M. I. Sharif, W. Lee, W. Cui, and A. Lanzi, "Secure in-VM monitoring using hardware virtualization," in Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS '09), pp. 477–487, Chicago, Ill, USA, November 2009.

[4] Z. Wang, X. Jiang, W. Cui, and P. Ning, "Countering kernel rootkits with lightweight hook protection," in Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS '09), pp. 545–554, Chicago, Ill, USA, November 2009.

[5] O. S. Hofmann, A. M. Dunn, S. Kim, I. Roy, and E. Witchel, "Ensuring operating system kernel integrity with OSck," in Proceedings of the 16th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS 2011), pp. 279–290, Newport Beach, Calif, USA, March 2011.

[6] A. Baliga, V. Ganapathy, and L. Iftode, "Detecting kernel-level rootkits using data structure invariants," IEEE Transactions on Dependable and Secure Computing, vol. 8, no. 5, pp. 670–684, 2011.

[7] S. Bharadwaja, W. Sun, M. Niamat, and F. Shen, "Collabra: A Xen hypervisor based collaborative intrusion detection system," in Proceedings of the 2011 8th International Conference on Information Technology: New Generations (ITNG 2011), pp. 695–700, Las Vegas, NV, USA, April 2011.

[8] A. Srivastava, A. Lanzi, J. Giffin, and D. Balzarotti, "Operating system interface obfuscation and the revealing of hidden operations," Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 6739, pp. 214–233, 2011.

[9] J. Szefer, E. Keller, R. B. Lee, and J. Rexford, "Eliminating the hypervisor attack surface for a more secure cloud," in Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS '11), pp. 401–412, Chicago, Ill, USA, October 2011.

[10] H. Benzina and J. Goubault-Larrecq, "Some ideas on virtualized system security, and monitors," in Data Privacy Management and Autonomous Spontaneous Security, vol. 6514 of Lecture Notes in Computer Science, pp. 244–258, Springer, Berlin, Heidelberg, Germany, 2011.

[11] L. Wang, H. Gao, W. Liu, and Y. Peng, "Detecting and managing hidden process via hypervisor," Jisuanji Yanjiu yu Fazhan/Computer Research and Development, vol. 48, no. 8, pp. 1534–1541, 2011.

[12] P. Barham, B. Dragovic, K. Fraser, et al., "Xen and the art of virtualization," in Proceedings of the 19th ACM Symposium on Operating Systems Principles (SOSP '03), pp. 164–177, New York, NY, USA, October 2003.

[13] D. Chisnall, The Definitive Guide to the Xen Hypervisor, Prentice Hall Press, Upper Saddle River, NJ, USA, 2007.

[14] S. Forrest, A. Perelson, L. Allen, and R. Cherukuri, "Self-nonself discrimination in a computer," in Proceedings of the 1994 IEEE Computer Society Symposium on Research in Security and Privacy, pp. 202–212, Oakland, Calif, USA.

[15] D.-Y. Li, C. Y. Liu, Y. Du, and X. Han, "Artificial intelligence with uncertainty," Journal of Software, vol. 15, no. 11, article 2, 2004.

[16] P. D'haeseleer, S. Forrest, and P. Helman, "An immunological approach to change detection: algorithms, analysis and implications," in Proceedings of the 1996 IEEE Symposium on Security and Privacy, pp. 110–119, Oakland, Calif, USA.

[17] M. Glickman, J. Balthrop, and S. Forrest, "A machine learning evaluation of an artificial immune system," Evolutionary Computation, vol. 13, no. 2, pp. 179–212, 2005.

[18] S. Woo, M. Ohara, E. Torrie, J. Singh, and A. Gupta, "The SPLASH-2 programs: characterization and methodological considerations," in Proceedings of the 22nd Annual International Symposium on Computer Architecture, pp. 24–36, Santa Margherita Ligure, Italy.

[19] J. P. Singh, W. Weber, and A. Gupta, "SPLASH," ACM SIGARCH Computer Architecture News, vol. 20, no. 1, pp. 5–44, 1992.

[20] Standard Performance Evaluation Corporation, http://www.spec.org/.

[21] httperf, http://www.hpl.hp.com/research/linux/httperf/.

[22] autobench, http://www.xenoclast.org/autobench/.

[23] J. Balthrop, S. Forrest, M. E. J. Newman, and M. M. Williamson, "Technological networks and the spread of computer viruses," Computer Science, vol. 304, no. 5670, pp. 527–529, 2004.


Figure 2: Structure of the intrusion detection model. Guest VM: antigen presenting module and signal acquisition module; privileged VM: immune response module and signal measurement module; hypervisor: information monitoring module; hardware underneath.

gid is the unique ID which identifies the client VM, pid is the process ID, $x_i = \langle \text{sid}_i, p_{i1}, p_{i2}, \ldots, p_{il} \rangle$ ($i = 1, 2, \ldots, k$) are the gene fragments of the antigen, sid is the system call ID, $k$ is the length of the short system call sequence, that is to say, the encoded length of immune cells, which reflects the order relationships of system calls during the execution process, $p_{ij}$ is a parameter of a system call ($i = 1, 2, \ldots, k$; $j = 1, 2, \ldots, l$), and $l$ is the number of parameters. All the antigens in the space compose a collection $\text{AG} = \bigcup_{i=1}^{\infty} \text{ag}_i$.

It is assumed that normal short sequences that can be recognized by the model are defined as the self set $S$, all the unknown short sequences are defined as $N$, abnormal short sequences that produce danger signals are defined as $D$, and short sequences that are judged as invasions are defined as $I$.

Then $S \cap N = \emptyset$ and $S \cup N = \text{AG}$. Danger theory does not distinguish between self and nonself; it only recognizes the intrusion set $I = D \cap N$, which triggers immune responses, and does not respond to the harmless set $D \cap S$.

Definition 2. Antibodies can recognize antigens and trigger specific immune responses. Antibodies have the same structure as antigens, are used for detecting and matching antigens, and are expressed as $\text{ab} = \langle \text{gid}, \text{pid}, \langle x_1, x_2, \ldots, x_k \rangle \rangle$. The set of antibodies is defined as $\text{AB} = \bigcup_{i=1}^{\infty} \text{ab}_i$.

Definition 3. The matching rule, which is the affinity of antibody and antigen, indicates the binding strength between antibody and antigen. In this paper, we propose an improved $r$-continuous bit matching method:

$$\text{affinity}(\text{ab}, \text{ag}) = \begin{cases} 1, & \dfrac{\sum_{i=1}^{k} f(\text{ab}.x_i, \text{ag})}{k} \ge \beta,\ \text{ag.gid} = \text{ab.gid},\ \text{ag.pid} = \text{ab.pid} \\ 0, & \text{others} \end{cases} \qquad (1)$$

where $\beta$ is the value of the matching threshold and $f(x, y)$ is the $r$-continuous bit matching method between an antibody gene fragment $x_i$ and the antigen:

$$f(x, y) = \begin{cases} 1, & \exists\, i, j:\ j - i \ge |x|,\ 0 < i \le j \le k \cdot (l+1),\ x_i = y_j,\ x_{i+1} = y_{j+1},\ \ldots,\ x_{|x|} = y_{j+|x|-1} \\ 0, & \text{others} \end{cases} \qquad (2)$$

Figure 3: The immune mechanism of the model. Antibody gene library $G$ feeds gene coding of immature detectors $U$; dynamic tolerance against the self set $S$ turns them into mature detectors $T$ (those that match self or are old enough are dead); mature detectors triggered by danger signals become memory detectors $M$, which clone and mutate; genes of memory detectors are extracted into $G$ and genes of dead memory detectors are deleted. Inputs are antigen gene fragments and VM environment information; outputs are self and nonself.

Definition 4. The detector set is defined as $B = \{\langle \text{ab}, \text{age} \rangle \mid \text{ab} \in \text{AB} \cap \text{age} \le \text{age}_{\max}\}$, where ab is the antibody of the detector, age is the age of the detector, and $\text{age}_{\max}$ is the maximum age of the detector. The detector set consists of immature detectors, mature detectors, and memory detectors. An immature detector, which has not yet been subjected to self-tolerance, evolves into a mature one when it passes self-tolerance. A mature detector becomes a memory one after it is activated.

The immature detector set is defined as $U = \{x \mid x \in B \cap x.\text{age} < \gamma\}$, where $\gamma$ simulates the tolerance period. The mature detector set is defined as $T = \{x \mid x \in B \cap \gamma \le x.\text{age} < \text{age}_{\max} \cap \forall \text{ag} \in S\,(\text{affinity}(x.\text{ab}, \text{ag}) = 0)\}$. The memory detector set is defined as $M = \{x \mid x \in B \cap x.\text{age} = \text{age}_{\max} \cap \forall \text{ag} \in S\,(\text{affinity}(x.\text{ab}, \text{ag}) = 0)\}$.

In the detector generation process, if $\text{affinity}(x, \text{ag}) = 1$ ($\text{ag} \in S$), the detector $x$ can describe self and triggers an immune self-reaction, so it must be removed. At the end of the process, the remaining detectors can only describe elements of the nonself set. In the detection process, if $\text{affinity}(x, \text{ag}) = 1$ ($\text{ag} \in I$), antigen ag can be described by detector $x$, triggering the immune response.

We use Figure 3 to represent the immune mechanism of the model. In the model, a new immature detector is generated by gene coding, and the immature detector evolves into a mature detector by negative selection (self-tolerance). If it matches selves, it dies. A mature detector has a fixed-length life cycle. If it is activated by danger signals in the life cycle, it evolves into a memory detector and generates the first response; otherwise it dies (deleting those detectors which are useless against antigens). A memory detector has a long life cycle, and once it is matched to an antigen, it will be activated immediately and produce the second response.

2.3. Implementation Mechanism of Danger Signals. Danger theory emphasizes that danger signals, which are generated from environmental changes, result in various degrees of immune response, and the area around the signals is called the danger zone. The most important issue in introducing danger theory into intrusion detection systems is the definition of danger signals, which is how to determine the danger. In a virtual machine environment, we select three environmental values, the number of regular files of the system variable $N_{\text{reg}}$, the memory ratio used by a process Rss, and the number of files reported by the lsof command $N_{\text{files}}$, as assessments of danger signals and normalize them to real values in the interval $[0, 100]$.

For antigen $\text{ag}_i$, define the danger signal function $\text{DS}(\text{ag}_i)$ below. This function takes the three environmental values $N_{\text{reg}}$, Rss, and $N_{\text{files}}$ as inputs and then generates the signal value where the antigen is:

$$\text{DS}(\text{ag}_i) = \frac{k_1 N_{\text{reg}} + k_2\,\text{Rss} - k_3 N_{\text{files}}}{k_1 + k_2 + k_3} \qquad (3)$$

As can be seen, $N_{\text{reg}}$ and Rss have a negative influence on the environment: an increase of $N_{\text{reg}}$ and Rss shows that the environment is damaged or that the possibility of being damaged is larger. $N_{\text{files}}$ has a positive influence on the environment: an increase of $N_{\text{files}}$ shows that the possibility of the environment being normal is larger.

6 Mobile Information Systems

The size of the danger zone limits the scope of the immune response, and immune cells in the region will be activated to participate in the immune response. For antigen $\text{ag}_i$, define the danger zone function $\text{DA}(\text{ag}_i)$ below. This function returns the collection of detectors whose distance from $\text{ag}_i$ is less than $r_{\text{danger}}$:

$$\text{DA}(\text{ag}_i) = \left\{ x \,\middle|\, 1 - \frac{\sum_{j=1}^{k} f(x.\text{ab}.x_j, \text{ag}_i)}{k} \le r_{\text{danger}} \cap x \in T \right\} \qquad (4)$$

where $r_{\text{danger}}$ is the radius of the danger zone.

How to determine whether the environment is damaged according to danger signals? We took advantage of the cloud model to evaluate this. The cloud model [15] is a probabilistic reasoning tool and a mathematical transformation model between the qualitative concept expressed by language values and quantitative data; it has three numerical characteristics: expectation Ex, entropy En, and hyperentropy He. Based on the danger signal modeling, we use a cloud rule generator and a reverse cloud generator to carry out qualitative analysis of the environments of guest virtual machines. The rule generator can be divided into a front cloud and a rear cloud. The IF part is the condition of the rule, which is achieved by the front cloud, while the THEN part is the result of the rule, which is implemented by the rear cloud. The inputs of the front cloud are the values to be assessed, and its output is the membership of some rule activated by the samples, which is also the input of the rear cloud; the output of the rear cloud is the conclusion of the rule.
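A worked implementation of the matching rule (1) and (2), self-tolerance (negative selection against $S$), and the danger zone (4), run on constructed antigens. This is an added example, not the paper's code; it assumes the reading of (2) stated in its docstring (the whole antibody fragment must occur contiguously in the flattened antigen), and the system call numbers in the sample data are constructed labels.

```python
"""Matching rule (1)-(2), self-tolerance (negative selection) and the danger
zone (4) of the model, run on constructed antigens.  Added example, not the
paper's implementation.

Assumed reading of (2): an antibody gene fragment x = <sid, p_1, ..., p_l>
matches antigen ag when the whole fragment occurs as one contiguous run in the
antigen flattened to its k*(l+1) symbols, i.e. r-continuous matching with
r = |x| = l + 1.  System-call numbers in the sample data are constructed."""
from dataclasses import dataclass
from typing import List, Tuple

Fragment = Tuple[int, ...]   # x_i = (sid, p_1, ..., p_l)


@dataclass(frozen=True)
class Cell:
    """Common structure of an antigen (ag) and an antibody (ab)."""
    gid: int                      # id of the guest VM
    pid: int                      # process id inside that VM
    genes: Tuple[Fragment, ...]   # <x_1, ..., x_k>, k = short-sequence length

    @property
    def k(self) -> int:
        return len(self.genes)

    def flattened(self) -> Tuple[int, ...]:
        """y_1 ... y_{k(l+1)}: the k fragments laid end to end."""
        return tuple(sym for frag in self.genes for sym in frag)


def f(x: Fragment, ag: Cell) -> int:
    """Equation (2): 1 if fragment x occurs contiguously in the flattened antigen."""
    y, n = ag.flattened(), len(x)
    return int(any(y[j:j + n] == x for j in range(len(y) - n + 1)))


def match_fraction(ab: Cell, ag: Cell) -> float:
    """(1/k) * sum_{i=1..k} f(ab.x_i, ag): share of antibody fragments found in ag."""
    return sum(f(x, ag) for x in ab.genes) / ab.k


def affinity(ab: Cell, ag: Cell, beta: float) -> int:
    """Equation (1): 1 when gid and pid agree and the match fraction reaches beta."""
    if ag.gid != ab.gid or ag.pid != ab.pid:
        return 0
    return int(match_fraction(ab, ag) >= beta)


@dataclass(frozen=True)
class Detector:
    ab: Cell
    age: int


def negative_select(candidates: List[Detector], selves: List[Cell],
                    beta: float) -> List[Detector]:
    """Self-tolerance: a candidate with affinity 1 to any self describes self
    and is removed; the survivors become mature detectors."""
    return [d for d in candidates
            if not any(affinity(d.ab, s, beta) for s in selves)]


def recognized(ag: Cell, detectors: List[Detector], beta: float) -> bool:
    """Detection step: some detector has affinity 1 with the antigen."""
    return any(affinity(d.ab, ag, beta) for d in detectors)


def danger_zone(ag: Cell, mature: List[Detector], r_danger: float) -> List[Detector]:
    """Equation (4): mature detectors whose distance 1 - match_fraction from ag
    is at most r_danger.  Note that (4) does not check gid/pid, unlike (1)."""
    return [d for d in mature if 1 - match_fraction(d.ab, ag) <= r_danger]


# Constructed sample: k = 3 system calls per antigen, l = 2 parameters each.
# sid values follow x86-64 Linux numbers (read=0, write=1, open=2, close=3,
# execve=59) purely as readable labels.
SELF = Cell(gid=1, pid=42, genes=((2, 3, 0), (0, 3, 1024), (3, 3, 0)))   # open, read, close
ATTACK = Cell(gid=1, pid=42, genes=((2, 3, 0), (59, 7, 0), (3, 3, 0)))   # open, execve, close

AB_SELFISH = Cell(1, 42, ((2, 3, 0), (0, 3, 1024), (1, 1, 64)))  # 2 of 3 fragments in SELF
AB_NONSELF = Cell(1, 42, ((59, 7, 0), (3, 3, 0), (1, 1, 64)))    # 1 of 3 in SELF, 2 of 3 in ATTACK
AB_OTHER = Cell(1, 7, ATTACK.genes)                               # same genes, different pid
AB_FAR = Cell(1, 42, ((1, 1, 64), (1, 1, 64), (1, 1, 64)))        # nothing in common with ATTACK

BETA = 2 / 3          # matching threshold beta of (1)
R_DANGER = 0.5        # radius of the danger zone used in the paper's experiments
CANDIDATES = [Detector(AB_SELFISH, 0), Detector(AB_NONSELF, 0)]
MATURE = [Detector(AB_NONSELF, 5), Detector(AB_OTHER, 5), Detector(AB_FAR, 5)]

if __name__ == "__main__":
    mature = negative_select(CANDIDATES, [SELF], BETA)
    print("survivors of self-tolerance:", [d.ab.genes for d in mature])
    print("SELF recognized:", recognized(SELF, mature, BETA))
    print("ATTACK recognized:", recognized(ATTACK, mature, BETA))
    print("detectors in danger zone of ATTACK:", len(danger_zone(ATTACK, MATURE, R_DANGER)))
```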

First, danger signals $DS(ag_i)$ were sampled $m$ times in a safe state and in an attacked state. Based on the obtained cloud droplets, we got the numerical characteristics of the front cloud, $Ex_{si}, En_{si}, He_{si}$ and $Ex_{di}, En_{di}, He_{di}$, through the reverse cloud generator. If the secure state cloud and the dangerous state cloud cover the entire state space, then we can use these two clouds to determine the status of the system; this is the ideal situation. If these two clouds cannot cover the whole state space, we need to divide the empty part, and it can be divided into a weak secure state cloud and a weak dangerous state cloud. In general, the closer a cloud is to the center of the discourse domain, the smaller its entropy and hyperentropy are; the more distant it is from the center, the larger its entropy and hyperentropy are. For two clouds which are next to each other, the entropy and hyperentropy of the smaller one are 0.618 times those of the greater one; that is the empirical value. So we can get $En_{lsi}, En_{ldi}, He_{lsi}, He_{ldi}$. According to the "3En rules" of the cloud model, we can estimate the expectations of the weak secure state cloud and the weak dangerous state cloud. The formulas are as follows:

$$Ex_{lsi} = Ex_{si} + 3En_{lsi} = Ex_{si} + 3 \cdot 0.618\, En_{si} \quad (5)$$

$$Ex_{ldi} = Ex_{di} - 3En_{ldi} = Ex_{di} - 3 \cdot 0.618\, En_{di} \quad (6)$$

We design the rules listed in the following to build the rule generator. Then we can get the environment and the level of membership according to the actual value of the danger signals.

Rule 1. IF the danger signal indicator is low, THEN the system is safe, does not elicit the immune response, and the corresponding antibody can be deleted.

Rule 2. IF the danger signal indicator is comparatively low, THEN the system is relatively safe and does not elicit an immune response.

Rule 3. IF the danger signal indicator is comparatively high, THEN the system is relatively in danger and elicits an immune response.

Rule 4. IF the danger signal indicator is high, THEN the system is in danger, elicits an immune response, and adds the corresponding mature antibody into the memory antibody collection.
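As an added illustration (not code from the paper), the following Python builds the four front clouds from constructed DS samples with a backward cloud generator, derives the weak clouds with the 0.618 ratio and equations (5) and (6), and maps a danger-signal value to Rules 1 to 4. The estimator formulas, the sample values and the helper names are assumptions of this example.

```python
import math
import random
from dataclasses import dataclass
from statistics import mean, variance

RATIO = 0.618  # entropy/hyperentropy ratio between adjacent clouds (the paper's empirical value)

# Constructed danger-signal samples DS(ag_i): m = 10 droplets per state.
SAFE_SAMPLES = [1.8, 2.1, 2.4, 1.9, 2.2, 2.0, 2.3, 1.7, 2.1, 2.0]
ATTACKED_SAMPLES = [9.5, 10.2, 9.8, 10.5, 9.9, 10.1, 10.4, 9.6, 10.0, 10.3]


@dataclass(frozen=True)
class Cloud:
    ex: float  # expectation Ex
    en: float  # entropy En
    he: float  # hyperentropy He


def reverse_cloud(samples) -> Cloud:
    """Backward (reverse) cloud generator: droplets -> (Ex, En, He).
    Assumed first-order estimator: En from the mean absolute deviation,
    He from the gap between the sample variance and En^2."""
    ex = mean(samples)
    en = math.sqrt(math.pi / 2) * mean(abs(x - ex) for x in samples)
    he = math.sqrt(abs(variance(samples) - en ** 2))
    return Cloud(ex, en, he)


def membership(x: float, cloud: Cloud, rng=None) -> float:
    """Forward cloud generator: one stochastic membership degree of x in the cloud.
    Draw En' ~ N(En, He^2), then mu = exp(-(x - Ex)^2 / (2 En'^2))."""
    en_prime = (rng or random).gauss(cloud.en, cloud.he) or cloud.en
    return math.exp(-((x - cloud.ex) ** 2) / (2 * en_prime ** 2))


def build_clouds(safe, attacked) -> dict:
    """Front clouds of Rules 1-4. The secure (1) and dangerous (4) clouds come
    from the samples; the weak clouds (2, 3) fill the empty part of the state
    space using the 0.618 ratio and the 3En rule, equations (5) and (6)."""
    s, d = reverse_cloud(safe), reverse_cloud(attacked)
    en_ls, he_ls = RATIO * s.en, RATIO * s.he
    en_ld, he_ld = RATIO * d.en, RATIO * d.he
    return {
        1: s,                                      # low: safe, antibody may be deleted
        2: Cloud(s.ex + 3 * en_ls, en_ls, he_ls),  # comparatively low: relatively safe
        3: Cloud(d.ex - 3 * en_ld, en_ld, he_ld),  # comparatively high: relatively in danger
        4: d,                                      # high: in danger, antibody -> memory set
    }


def classify(ds: float, clouds: dict):
    """Rule generator: returns (rule number, whether an immune response is elicited).
    The rule with the highest expected membership is the one whose cloud has the
    smallest normalized distance |ds - Ex| / En, so no random draw is needed here."""
    rule = min(clouds, key=lambda r: abs(ds - clouds[r].ex) / max(clouds[r].en, 1e-12))
    return rule, rule >= 3


if __name__ == "__main__":
    clouds = build_clouds(SAFE_SAMPLES, ATTACKED_SAMPLES)
    for r, c in clouds.items():
        print(f"rule {r}: Ex={c.ex:.3f} En={c.en:.3f} He={c.he:.3f}")
    rng = random.Random(1)
    for ds in (2.0, 2.5, 9.3, 10.0):
        rule, respond = classify(ds, clouds)
        print(f"DS={ds:5.2f} -> rule {rule}, immune response: {respond}, "
              f"mu={membership(ds, clouds[rule], rng):.3f}")
```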

When the system triggers the secondary response, or danger signals trigger the initial response, antibodies will mutate based on the immune response mechanism to generate new antibodies which have higher affinity with the original antigens, in order to identify danger more quickly, and also to generate antibodies which have lower affinity, to be added into the immature antibody collection in order to ensure the diversity of the immune system.

2.4. Implementation Mechanism of Information Monitoring. Antigen presenting module and signal acquisition module are deployed in domU. Because Linux is an open-source operating system, we can add these two modules into domU's kernel. Information monitoring module is deployed in the VMM. To ensure the safety of antigen presenting module and signal acquisition module, the model accesses the memory spaces which they belong to and computes hashes of the memory data. The implementation mechanism needs to solve two important issues: the first is how to find the memory space which antigen presenting module and signal acquisition module belong to, and the second is how to use hashing to ensure that the two modules are not attacked.

The VMM is responsible for managing and distributing the various hardware resources and provides virtual hardware resources for the upper operating system kernel; domU accesses physical memory through the VMM. In a Linux system, the System.map file is a specific kernel symbol table and lists all the kernel symbolic names and their corresponding virtual addresses. A kernel symbol may be a variable name or a function name. Since antigen presenting module and signal acquisition module are in domU's kernel space, all the variables and functions which they contain can be found in System.map; that is to say, we can find the virtual memory addresses of these variables and functions in domU. In a Xen system there are three memory structures: virtual memory, pseudophysical memory, and machine memory. Virtual memory means that each process has a separate virtual memory address space. Pseudophysical memory lies between virtual memory and machine memory, and the operating system of each domU believes that pseudophysical memory is "physical memory". In fact, machine memory is the real physical memory. The VMM maintains an M2P (Machine to Physical) global conversion table, and each domU maintains a P2M (Physical to Machine) partial conversion table. As can be seen, we can find the pseudophysical address corresponding to a virtual memory address through domU's page table, and find the machine address corresponding to the pseudophysical address through domU's P2M table.

Through the above method we can find the memory space to which antigen presenting module and signal acquisition module belong. Information monitoring module reads the contents of all initialized data, read-only data, and functions' memory which belong to the two modules, in the order given by the System.map file, as hash input. Hash computing can map a binary value of arbitrary length to a shorter fixed-length binary value, and two different inputs cannot in practice be mapped to the same value. Therefore, we use hash computing to ensure the integrity of the memory spaces of antigen presenting module and signal acquisition module. In the hypervisor we define two variables $hd_{ag}$ and $hd_{sig}$ which store the cumulative hash values of antigen presenting module and signal acquisition module, and they are calculated as follows:

$$hd_{ag}(i+1) = hash\left(hd_{ag}(i)\,\&\, r_{ag}(i+1)\right), \qquad hd_{sig}(j+1) = hash\left(hd_{sig}(j)\,\&\, r_{sig}(j+1)\right) \quad (7)$$

In the first line of (7), $hash(x)$ is the hash function, $\&$ is a binary string concatenation operator, $r_{ag}(i)$ is the content of the $i$th memory segment of antigen presenting module, and $hd_{ag}(i)$ is the accumulated value after $i$ rounds of hash computing for antigen presenting module. The meaning of the second line is analogous. We mark the final cumulative hash values of antigen presenting module and signal acquisition module stored by the hypervisor in a safe state as the standard values $hd'_{ag}$ and $hd'_{sig}$. Information monitoring module is executed periodically. By comparing the hash values $hd_{ag}$ and $hd_{sig}$ obtained while the program is running with the standard values, we can determine the security of antigen presenting module and signal acquisition module.
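The cumulative hash of (7) carried out on constructed data, as an added example rather than the paper's implementation; the System.map excerpt, the segment contents, the symbol-prefix convention for the two modules and SHA-256 as the hash function are assumptions of this example.

```python
import hashlib
from typing import Dict, Iterable, List

# Constructed System.map excerpt: "<virtual address> <type> <symbol>", one per line.
SYSTEM_MAP = """\
c1a00000 d ag_ring_buffer
c1a00100 r ag_syscall_names
c1a00400 t ag_present_syscall
c1a00800 t sig_acquire_env
c1a00900 r sig_weights
c1a00a00 t unrelated_kernel_fn
"""

# Constructed stand-in for the bytes the hypervisor reads at each symbol after
# translating virtual -> pseudophysical (page table) -> machine address (P2M).
MEMORY: Dict[str, bytes] = {
    "ag_ring_buffer": b"\x00" * 32,
    "ag_syscall_names": b"read\x00write\x00open\x00execve\x00",
    "ag_present_syscall": bytes.fromhex("554889e54883ec10"),
    "sig_acquire_env": bytes.fromhex("554889e531c0"),
    "sig_weights": b"\x01\x00\x00\x00\x05\x00\x00\x00",
    "unrelated_kernel_fn": b"\xc3",
}


def module_symbols(system_map: str, prefix: str) -> List[str]:
    """Symbols of one module (selected by name prefix) in ascending address order.
    Only initialized data (d/D), read-only data (r/R) and text (t/T) are hashed."""
    found = []
    for line in system_map.splitlines():
        addr, kind, name = line.split()
        if kind in "dDrRtT" and name.startswith(prefix):
            found.append((int(addr, 16), name))
    return [name for _, name in sorted(found)]


def cumulative_hash(segments: Iterable[bytes]) -> bytes:
    """Equation (7): hd(0) = '' and hd(i+1) = hash(hd(i) & r(i+1)), '&' = concatenation."""
    hd = b""
    for r in segments:
        hd = hashlib.sha256(hd + r).digest()
    return hd


def measure(memory: Dict[str, bytes], prefix: str) -> bytes:
    """hd for one module: read its segments in System.map order and chain them."""
    return cumulative_hash(memory[name] for name in module_symbols(SYSTEM_MAP, prefix))


def check(memory: Dict[str, bytes], standards: Dict[str, bytes]) -> Dict[str, bool]:
    """Periodic check: compare the running hd values with the safe-state standards."""
    return {prefix: measure(memory, prefix) == hd_std for prefix, hd_std in standards.items()}


# Standard values hd'_ag and hd'_sig, captured once in a known-safe state.
STANDARDS = {"ag_": measure(MEMORY, "ag_"), "sig_": measure(MEMORY, "sig_")}

if __name__ == "__main__":
    print("clean   :", check(MEMORY, STANDARDS))
    tampered = dict(MEMORY)
    # One patched byte in the presenting hook changes hd_ag; hd_sig stays valid.
    tampered["ag_present_syscall"] = b"\xe9" + MEMORY["ag_present_syscall"][1:]
    print("tampered:", check(tampered, STANDARDS))
```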

2.5. The Immune Evolution Model

2.5.1. Self-Evolution Model

$$S(t) = \begin{cases} S_{first}, & t = 0 \\ S(t-1), & t \bmod \delta \neq 0 \\ S(t-1) \cup S_{new}(t) - S_{unload}(t) - S_{dead}(t), & t > 0 \wedge t \bmod \delta = 0 \end{cases}$$

$$S_{dead}(t) = \begin{cases} \emptyset, & \left|S(t-1) \cup S_{new}(t) - S_{unload}(t)\right| < size_{max} \\ \left\{ag \mid ag \in S(t-1) \wedge \text{eliminate } \left|S_{new}(t) - S_{unload}(t)\right| \text{ elements according to some principles}\right\}, & \text{others} \end{cases} \quad (8)$$

where $S(t), S(t-1) \subset S$ respectively express the self set at moment $t$ and $t-1$; $S_{first}$ is the self set at the initial moment; $\delta$ is the evolutionary cycle of selves. Within a $\delta$ cycle the self set remains unchanged; at the end of a $\delta$ period new elements $S_{new}$ are added (such as newly loaded programs), those programs $S_{unload}(t)$ that have been uninstalled are deleted, and part of the selves $S_{dead}(t)$ are eliminated in order to avoid the self set growing without limit.

A computer software system is a huge collection. The self set of a complete software system is too large for the calculation ability of computers at the present stage, and it is very difficult to find an absolutely reliable self set in a dynamic software system. The evolution of the self set lets the model maintain only a smaller set of selves, ensuring higher time efficiency under the existing computing capacity. In addition, because of the continuous evolution of selves, nonself elements which mix into the selves will eventually be removed, reducing the rate of false negatives caused by an incomplete self set.

2.5.2. Antibody Gene Lib Evolution Model

$$G(t) = \begin{cases} G_{first}, & t = 0 \\ \left(G(t-1) - G_{dead}(t)\right) \cup G_{new}(t), & t > 0 \end{cases} \quad (9)$$

where $G(t), G(t-1) \subset G$ respectively express the antibody gene lib at moment $t$ and $t-1$; $G_{first}$ is the initial antibody gene collection, which consists of gene fragments of typical kinds of malware; $G_{dead}(t) = \bigcup_{x \in M_{dead}(t)} \bigcup_{i=1}^{k} x_{ag}x_i$ is the set of mutated genes which should be removed at time $t$; $M_{dead}(t)$ is the set of memory detectors with false positives. When a mature detector is cloned, its genes $G_{new}(t) = \bigcup_{x \in T_{cloned}(t)} \bigcup_{i=1}^{k} x_{ag}x_i$ will join the antibody gene library as dominant genes; $T_{cloned}(t)$ is the set of activated mature detectors.

The antibody gene lib is mainly used to improve the generation efficiency of immature detectors. In the generation process of new immature detectors, their antibodies are produced by gene encoding measures, so they have the ability to detect known malware variants, reducing the tolerance time. The use of genetic coding produces the "Baldwin effect": evolution and learning enable new individuals to acquire some of the same characteristics, reducing the diversity of the system. In order to solve this problem, a certain proportion of randomly generated immature detectors are added to ensure the diversity of the system.

2.5.3. Immature Detectors Evolution Model

$$U(t) = \begin{cases} \emptyset, & t = 0 \\ \left(f_{age}(U(t-1)) - \left(U_{untolerance}(t) \cup U_{matured}(t)\right)\right) \cup U_{new}(t), & t > 0 \end{cases}$$

$$U_{untolerance}(t) = \left\{x \mid x \in f_{age}(U(t-1)) \wedge \exists y \in S(t-1)\,\left(affinity(x_{ab}, y) = 1\right)\right\}$$

$$U_{matured}(t) = \left\{x \mid x \in f_{age}(U(t-1)) - U_{untolerance}(t) \wedge x_{age} > \gamma\right\} \quad (10)$$

where $U(t), U(t-1) \subset U$ respectively express the set of immature detectors at moment $t$ and $t-1$; $f_{age}(X)$ ($X \subset B$) means adding 1 to the age of every detector in $X$; $U_{untolerance}(t)$ is the set of immature detectors which do not pass self-tolerance, and $U_{matured}(t)$ is the set of mature detectors which pass self-tolerance; $U_{new}(t)$ is the set of newly created immature detectors at time $t$, and includes two parts: completely randomly generated detectors (to ensure diversity) and detectors generated by gene encoding from the antibody gene lib (to ensure availability).

2.5.4. Mature Detectors Evolution Model

$$T(t) = \begin{cases} \emptyset, & t = 0 \\ \left(f_{age}(T(t-1)) - \left(T_{dead}(t) \cup T_{cloned}(t)\right)\right) \cup U_{matured}(t) \cup T_{permutation}(t), & t > 0 \end{cases}$$

$$T_{dead}(t) = \left\{x \mid x \in f_{age}(T(t-1)) \wedge x_{age} = age_{max} \wedge \nexists y \in N(t-1)\,\left(x \in DA(y)\right)\right\}$$

$$T_{cloned}(t) = \left\{x \mid x \in \left(f_{age}(T(t-1)) - T_{dead}(t)\right) \wedge \exists y \in N(t-1)\,\left(x \in DA(y)\right)\right\}$$

$$T_{permutation}(t) = f_{clone\_mutation}\left(T_{cloned}(t) \cup M_{cloned}(t)\right) \quad (11)$$

where $T(t), T(t-1) \subset T$ respectively express the set of mature detectors at moment $t$ and $t-1$; $T_{dead}(t)$ is the set of mature detectors which are not activated by the end of their life cycle; $T_{cloned}(t)$ is the set of mature detectors activated by danger signals; $U_{matured}(t)$ is the set of new mature detectors; $T_{permutation}(t)$ is the set of mature detectors which are produced by clonal mutation of activated ones; $f_{clone\_mutation}(X)$ ($X \subset T$) is the clonal variation function and executes the clone and mutation operation for each element $x$ in $X$.

2.5.5. Memory Detectors Evolution Model

$$M(t) = \begin{cases} M_{first}, & t = 0 \\ \left(M(t-1) - M_{dead}(t)\right) \cup f_{age2}\left(M_{cloned}(t)\right), & t > 0 \end{cases}$$

$$M_{dead}(t) = \left\{x \mid x \in M(t-1) \wedge \exists y \in S(t-1)\,\left(affinity(x_{ab}, y) = 1\right)\right\}$$

$$M_{cloned}(t) = \left\{x \mid x \in M(t-1) \wedge \exists y \in N(t-1)\,\left(x \in DA(y)\right)\right\} \quad (12)$$

where $M(t), M(t-1) \subset M$ respectively express the set of memory detectors at moment $t$ and $t-1$; $M_{first}$ is the set of initial memory detectors, which can be obtained from common malware; $M_{dead}(t)$ is the set of memory detectors with false positives at moment $t$; $f_{age2}(M_{cloned}(t))$ expresses the set of newly created memory detectors, where $f_{age2}(X)$ ($X \subset B$) sets the age of each detector in $X$ to $age_{max}$; $M_{cloned}(t)$ is the set of activated memory detectors at time $t$.

2.5.6. Antigen Detection

$$AG(t) = \begin{cases} AG_{first}, & t = 0 \\ \left(AG(t-1) - AG_{self}(t) - AG_{nonself}(t)\right) \cup AG_{new}(t), & t > 0 \end{cases}$$

$$AG_{nonself}(t) = \left\{x \mid x \in AG_{checked}(t) \wedge \exists y \in \left(T_{cloned}(t) \cup M_{cloned}(t)\right)\,\left(affinity(y_{ab}, x) = 1\right)\right\}$$

$$AG_{self}(t) = \left\{x \mid x \in AG_{checked}(t) \wedge \forall y \in \left(T(t) \cup M(t)\right)\,\left(affinity(y_{ab}, x) = 0\right)\right\} \quad (13)$$

where $AG(t), AG(t-1) \subset AG$ respectively express the set of antigens at moment $t$ and $t-1$; $AG_{first}$ is the set of initial antigens; $AG_{checked}(t) \subset AG(t)$ expresses the antigens to be checked at moment $t$.
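An added example (not the paper's code) exercising the self-tolerance step (10) and the antigen detection of (13) with r-contiguous bit matching; it reduces the danger zone $DA(\cdot)$ of (11) and (12) to a caller-supplied predicate and uses a constructed 16-bit self set. Encoding length, $r$, $\gamma$ and all sample strings are assumptions.

```python
import random
from dataclasses import dataclass

L, R = 16, 6   # encoding length and r-contiguous threshold (constructed)
GAMMA = 4      # tolerance period: an immature detector matures once its age exceeds GAMMA


def affinity(ab: str, ag: str) -> int:
    """r-contiguous bits rule: 1 if ab and ag agree on R consecutive positions, else 0."""
    run = 0
    for a, b in zip(ab, ag):
        run = run + 1 if a == b else 0
        if run >= R:
            return 1
    return 0


@dataclass(eq=False)
class Detector:
    ab: str       # antibody bit string
    age: int = 0


def f_age(detectors):
    """f_age(X): add 1 to the age of every detector in X (in place)."""
    for d in detectors:
        d.age += 1
    return detectors


def evolve_immature(U, S, U_new):
    """One step of (10). Returns (U(t), U_matured(t)); U_untolerance(t) is discarded."""
    aged = f_age(list(U))
    untolerant = {id(x) for x in aged if any(affinity(x.ab, y) for y in S)}
    survivors = [x for x in aged if id(x) not in untolerant]
    matured = [x for x in survivors if x.age > GAMMA]
    return [x for x in survivors if x.age <= GAMMA] + list(U_new), matured


def detect(AG_checked, T, M, activated):
    """Equation (13). `activated(x)` stands in for 'x lies in the danger zone DA(y)
    of some danger-signalled antigen y', i.e. membership of T_cloned or M_cloned.
    Nonself: matched by an activated detector. Self: matched by no detector at all.
    An antigen matched only by a non-activated detector stays undecided."""
    cloned = [x for x in T + M if activated(x)]
    nonself = [ag for ag in AG_checked if any(affinity(x.ab, ag) for x in cloned)]
    selves = [ag for ag in AG_checked if not any(affinity(x.ab, ag) for x in T + M)]
    return nonself, selves


def random_detector(rng: random.Random) -> Detector:
    return Detector("".join(rng.choice("01") for _ in range(L)))


def tolerate(S, n_new: int, rounds: int, seed: int = 0):
    """Run the immature pool for `rounds` steps, injecting n_new random detectors
    per step (U_new); returns the mature set T accumulated from U_matured."""
    rng = random.Random(seed)
    U, T = [], []
    for _ in range(rounds):
        U, matured = evolve_immature(U, S, [random_detector(rng) for _ in range(n_new)])
        T.extend(matured)
    return T


# Constructed self set: encodings of normal system-call sequences.
SELF = ["0000000000000000", "0101010101010101", "0011001100110011", "0000111100001111"]
# Constructed antigens: one sharing 8 leading bits with the hand-picked detector
# below, and one that is a known self.
ANTIGENS = ["1010101011110000", "0000000000000000"]


if __name__ == "__main__":
    T = tolerate(SELF, n_new=5, rounds=10)
    print(f"{len(T)} mature detectors survived negative selection")
    T.append(Detector("1010101010101010"))  # hand-picked detector that passes tolerance
    # Without a danger signal nothing is activated, so (13) yields no nonself verdict.
    print("no danger:", detect(ANTIGENS, T, [], lambda x: False))
    # With every mature detector inside a danger zone, the first antigen is nonself.
    print("danger:   ", detect(ANTIGENS, T, [], lambda x: True))
```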

3. Performance Analysis of the Model

Set the number of programs in a computer as $N_p$, and usually the proportion of nonselves is $\rho$. The size of the self set is $|S|$, the size of the mature detector set is $|T|$, and the size of the memory detector set is $|M|$. The matching probability between any given detector and any given antigen is $P_m$ (which is related to the specific matching rule). $P(A)$ is the probability of occurrence of event $A$.

Theorem 5. For any detector which passes the self-tolerance, the probability of this detector matching those selves which are not described is
$$P_n = (1-P_m)^{|S|} \cdot \left(1-(1-P_m)^{N_p\cdot(1-\rho)-|S|}\right).$$

Proof. Set that $A$ is the event "the given detector does not match any self in the self set" and $B$ is the event "the given detector matches at least one self in the undescribed self set". It is clear that a detector from $A$ is self-tolerated and a detector from $B$ may not be self-tolerated; $P_n = P(A)P(B)$. In event $A$, the number of times $X$ that detectors match selves follows the binomial distribution, that is to say, $X \sim b(n,p)$ where $n = |S|$, $p = P_m$. Then $P(A) = P(X=0) = (P_m)^0(1-P_m)^{|S|} = (1-P_m)^{|S|}$. In a similar way, in event $B$ the number of times $Y$ that detectors match selves follows the binomial distribution, that is to say, $Y \sim b(n,p)$ where $n = N_p\cdot(1-\rho)-|S|$, $p = P_m$. Then $P(B) = 1-P(Y=0) = 1-(1-P_m)^{N_p\cdot(1-\rho)-|S|}$, and $P_n = P(A)P(B) = (1-P_m)^{|S|}\cdot\left(1-(1-P_m)^{N_p\cdot(1-\rho)-|S|}\right)$.

Theorem 6. For any given nonself antigen $ag$, the probability of this antigen being identified correctly is
$$P_r = 1-(1-P_m)^{(|M|+|T|)(1-P_n)} \approx 1-e^{-P_m(|M|+|T|)(1-P_n)}.$$

Proof. Set that $A$ is the event "$ag$ matches some memory detector or some mature detector which is triggered by danger signals"; $P_r = P(A)$. In event $A$, the number of times $X$ that antigens match detectors follows the binomial distribution $X \sim b(n,p)$, where $n = (|M|+|T|)(1-P_n)$, $p = P_m$ (memory detectors and mature detectors which recognize selves cannot identify nonselves and are not counted). Then $P_r = P(A) = 1-P(X=0) = 1-(1-P_m)^{(|M|+|T|)(1-P_n)}$. According to the Poisson theorem,when $P_m$ is small and $(|M|+|T|)(1-P_n)$ is large, $P_r \approx 1-e^{-P_m(|M|+|T|)(1-P_n)}$.

Theorem 7. For any given nonself antigen $ag$, the probability of a false negative with this antigen is
$$P_{neg} = (1-P_m)^{(|M|+|T|)(1-P_n)} \approx e^{-P_m(|M|+|T|)(1-P_n)};$$
for any given self antigen $ag$, the probability of a false positive with this antigen is
$$P_{pos} = 1-(1-P_m)^{(|M|+|T|)P_n} \approx 1-e^{-P_m(|M|+|T|)P_n}.$$

Proof. By Theorem 6, $P_{neg} = 1-P_r = (1-P_m)^{(|M|+|T|)(1-P_n)} \approx e^{-P_m(|M|+|T|)(1-P_n)}$. Set that $A$ is the event "the given self matches some memory detector or mature detector"; then $P_{pos} = P(A)$. In event $A$, the number of times $X$ that selves match detectors follows the binomial distribution $X \sim b(n,p)$ where $n = (|M|+|T|)P_n$, $p = P_m$. So $P_{pos} = P(A) = 1-P(X=0) = 1-(1-P_m)^{(|M|+|T|)P_n}$. According to the Poisson theorem, when $P_m$ is small and $(|M|+|T|)P_n$ is large, $P_{pos} \approx 1-e^{-P_m(|M|+|T|)P_n}$.

Theorem 8. Selves of the model are completely described at the macrolevel. The spatial complexity of the dynamic tolerance model producing a fixed number of mature detectors is constant, and the time complexity is linear with the number of detectors (excluding immature detectors).

Figure 4: Effect of $N_p$ and $|S|$ on $P_n$ ($P_m = 0.025625$, $\rho = 0.01$); axes $N_p$ 0 to 1000, $|S|$ 0 to 400, $P_n$ 0 to 1.

Proof. According to (8), the self set evolves with a fixed length of time slice. With the passage of time, $\bigcup_{t=0}^{\infty} S(t)$ will cover the entire self space, which is to say the description of selves at the macrolevel is complete. Moreover, the size of the self set is limited to $size_{max}$. Without loss of generality, considering the extreme case, the number of selves is $|S(t)| = size_{max}$. D'haeseleer et al. [16] pointed out that, for an arbitrary matching rule, the spatial complexity of producing a fixed number of mature detectors is $O(l \cdot size_{max})$ and the time complexity is $O\left(\frac{-\ln(P_{neg})}{P_m \cdot (1-P_m)^{size_{max}}} \cdot size_{max}\right)$. For a specific matching algorithm, $P_m$ is constant. By Theorem 7, $P_{neg} \approx e^{-P_m(|M|+|T|)(1-P_n)}$. By Theorem 5, $P_n = (1-P_m)^{size_{max}} \cdot \left(1-(1-P_m)^{N_p\cdot(1-\rho)-size_{max}}\right)$. So the time complexity of producing a fixed number of mature detectors is $O\left(\frac{-\ln(P_{neg})}{P_m \cdot (1-P_m)^{size_{max}}} \cdot size_{max}\right) = O\left(\frac{(|M|+|T|)(1-P_n)}{(1-P_m)^{size_{max}}} \cdot size_{max}\right) = O\left((|M|+|T|) \cdot \frac{(1-P_n)\cdot size_{max}}{(1-P_m)^{size_{max}}}\right)$. That is to say, the time complexity of producing a fixed number of mature detectors is linear with the number of memory detectors and mature detectors.

For a specific matching rule, $P_m$ is constant [17]. For the $r$-continuous bit matching method, $P_m = 0.025625$. Figures 4 and 5 are the Matlab simulations of Theorem 5. As can be seen from the figures, when $|S|$ is large enough, the effect of $N_p$ and $\rho$ on $P_n$ is small. When $|S| = 200$, $N_p = 500$, and $\rho = 0.01$, $P_n < 1\%$ reaches the ideal value.

Figure 6 is the Matlab simulation of Theorem 6. As can be seen from the figure, when $|M|$ and $|T|$ become large, $P_r$ increases.


Figure 5: Effect of $\rho$ and $|S|$ on $P_n$ ($P_m = 0.025625$, $N_p = 400$); axes $\rho$ 0 to 0.1, $|S|$ 0 to 400, $P_n$ 0 to 1.

Figure 6: Effect of $|M|$ and $|T|$ on $P_r$ ($P_m = 0.025625$, $P_n = 0.01$); axes $|T|$ 0 to 400, $|M|$ 0 to 400, $P_r$ 0 to 1.

Figures 7 and 8 are the Matlab simulations of Theorem 7. As can be seen from the figures, with the rise of $|M|$ and $|T|$, $P_{neg}$ decreases and $P_{pos}$ increases.

Considering the simulations of Theorems 5, 6, and 7, when $|S| = 200$, $N_p = 500$, $\rho = 0.01$, $|M| = 100$, and $|T| = 100$, the values $P_n < 1\%$, $P_r > 95\%$, $P_{neg} < 1\%$, and $P_{pos} < 5\%$ reach the ideal values.
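Theorems 5 to 7 evaluated for the parameter choice above, as an added example (not the paper's Matlab scripts); the sizes and $P_m$ are the paper's, while the function names and the $|S|$ sweep are mine.

```python
import math

P_M = 0.025625  # matching probability of the r-continuous bits rule, as given in the paper


def p_n(size_s: int, n_p: int, rho: float, p_m: float = P_M) -> float:
    """Theorem 5: a self-tolerated detector matches some undescribed self."""
    undescribed = n_p * (1 - rho) - size_s
    return (1 - p_m) ** size_s * (1 - (1 - p_m) ** undescribed)


def p_r(size_m, size_t, pn, p_m=P_M, poisson=False) -> float:
    """Theorem 6: a nonself antigen is identified correctly (exact or Poisson form)."""
    n = (size_m + size_t) * (1 - pn)
    return 1 - math.exp(-p_m * n) if poisson else 1 - (1 - p_m) ** n


def p_neg(size_m, size_t, pn, p_m=P_M, poisson=False) -> float:
    """Theorem 7: false negative on a nonself antigen, P_neg = 1 - P_r."""
    return 1 - p_r(size_m, size_t, pn, p_m, poisson)


def p_pos(size_m, size_t, pn, p_m=P_M, poisson=False) -> float:
    """Theorem 7: false positive on a self antigen."""
    n = (size_m + size_t) * pn
    return 1 - math.exp(-p_m * n) if poisson else 1 - (1 - p_m) ** n


def evaluate(size_s=200, n_p=500, rho=0.01, size_m=100, size_t=100, poisson=False):
    """All four quantities for one parameter choice (defaults: the paper's)."""
    pn = p_n(size_s, n_p, rho)
    return {
        "P_n": pn,
        "P_r": p_r(size_m, size_t, pn, poisson=poisson),
        "P_neg": p_neg(size_m, size_t, pn, poisson=poisson),
        "P_pos": p_pos(size_m, size_t, pn, poisson=poisson),
    }


def meets_ideal(r) -> bool:
    """The targets stated in the text: P_n < 1%, P_r > 95%, P_neg < 1%, P_pos < 5%."""
    return r["P_n"] < 0.01 and r["P_r"] > 0.95 and r["P_neg"] < 0.01 and r["P_pos"] < 0.05


def sweep_self_size(n_p=500, rho=0.01, sizes=(50, 100, 200, 300, 400)):
    """The |S| axis of Figure 4: P_n for several self-set sizes at fixed N_p and rho."""
    return [(s, p_n(s, n_p, rho)) for s in sizes]


if __name__ == "__main__":
    result = evaluate()
    for k, v in result.items():
        print(f"{k:6s} = {v:.5f}")
    print("ideal values reached:", meets_ideal(result))
    for s, pn in sweep_self_size():
        print(f"|S| = {s:3d}  P_n = {pn:.5f}")
```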

4. Experimental Results and Analysis

In this section we verify the validity of IB-IDS through experiments, including security analysis, the effect on the performance of programs after adding IB-IDS to the Xen virtual machine system, and the intrusion detection efficiency of IB-IDS. The experimental environment is as follows. All tests were performed on a ThinkPad T540p notebook. The hardware configuration is an Intel Core i5-4300M 2.60 GHz quad-core CPU and 8 GB of physical memory. The Xen version is 4.4.1, which manages two domains: the privileged VM dom0 and the guest VM dom1. These two virtual machines run Ubuntu 14.04 with Linux kernel version 3.13.0-19. Dom0 is allocated four VCPUs and 4 GB of physical memory, and its CPU scheduling weight is set to 256, while dom1 is allocated four VCPUs and 1 GB of physical memory, and its CPU scheduling weight is set to 256.

In IB-IDS the parameters are set as follows: danger signal parameters $k_1 = 1$, $k_2 = 0.5$, $k_3 = -1.5$, and the radius of the danger zone $r_{danger} = 0.5$. Experiments were run 10 times and averaged results were acquired.

Figure 7: Effect of $|M|$ and $|T|$ on $P_{neg}$ ($P_m = 0.025625$, $P_n = 0.01$); axes $|T|$ 0 to 400, $|M|$ 0 to 400, $P_{neg}$ 0 to 1.

Figure 8: Effect of $|M|$ and $|T|$ on $P_{pos}$ ($P_m = 0.025625$, $P_n = 0.01$); axes $|T|$ 0 to 400, $|M|$ 0 to 400, $P_{pos}$ 0 to 1.

4.1. Security Analysis. In the architecture description of the model, each module is distributed in a different virtual machine. In domU, data is collected and then passed to dom0 through the interdomain communication mechanism. The authorization list of Xen can make sure that a domain's memory space can only be accessed by its authorized domain. In the model, domU is the owner of a ring sharing buffer and dom0 has the only granted permission; other domains cannot access it. Therefore, data will not be leaked to other unauthorized domains, and the data transfer process is safe.

In paravirtualized Xen, domU accesses the hardware indirectly through dom0. To ensure the safety of the immune calculation, the model passes data to dom0 for computation. In this model we assume that the privileged virtual machine is a trusted node.

Some traditional intrusion detection tools typically need to be deployed in a client virtual machine. Because the client virtual machine is not a trusted node and is exposed to various attacks, the detection tools are also vulnerable. In this model we assume that the virtual machine monitor is also a trusted node. The memory space of the two modules which are deployed in domU will be monitored by the virtual machine monitor.

Therefore, the monitoring process and results of the model are reliable.

4.2. Performance Evaluations of the Model. The introduction of IB-IDS to a virtual machine system will obviously bring some performance cost. In cloud computing many applications are executed concurrently; therefore, this section first uses an appropriate performance test to assess the impact of IB-IDS on parallel programs. In our tests we used the classic SPLASH-2 program group [18, 19]. The programs are written in C, are composed of 12 benchmarks, and use the PThread parallel mode. We randomly selected five programs for testing, and Table 1 gives a brief introduction.

Table 1: Illustrations of tested parallel programs

Program names | Meanings | Parameter settings
FFT | Computing a fast Fourier transform | m = 22, p = 2, n = 65536, l = 4
LU | Splitting a sparse matrix into a product of a lower triangular matrix and an upper triangular matrix | p = 2, n = 2048, b = 16
Ocean | Simulating movements of an entire ocean through the edge of the ocean currents (noncontiguous block allocation method) | p = 4, n = 258, t = 380, e = 1e-09
Raytrace | Path simulation of lights | p = 4, envfile = ball4
Barnes | Simulating a three-dimensional multibody system (e.g., galaxies) | p = 2, fleaves = 2

Figure 9: Testing of parallel programs; compute time (ms), 0 to 5000, for FFT, LU, Ocean, Raytrace, and Barnes, with and without IB-IDS.

Figure 9 shows the contrast of the five benchmarks between loading IB-IDS and unloading IB-IDS. As can be seen from the figure, the calculation time of dom1 is longer than in the original system; the average increased time is 7.33%, up to 10.86% on the LU program, which indicates that the additional cost of a virtual machine system with integrated IB-IDS is very small and in the acceptable range. Applying IB-IDS to cloud computing platforms will not have a significant impact on parallel applications.

In IB-IDS the main performance overhead of domU comes from antigen presenting module and signal acquisition module, as well as from the operation of passing data to dom0 through the inter-virtual-machine communication mechanism. These acts are performed regularly and the cost is limited. For example, antigen presenting module is a proactive monitoring program on the system call sequence and is not triggered by every system call; signal acquisition module is the same. Through the event channel, domU puts antigens and environmental status into the ring buffer, and only if the ring buffer is empty will it notify dom0, which causes a context switch between domU and dom0. If there is data in the ring buffer, dom0 keeps reading and domU's notification is not required, so the overhead of context switching is limited. In addition, the implementations of immune response module, signal measurement module, and information monitoring module increase the performance overhead of dom0, and the impact on domU can be ignored.

Then we test the impact of IB-IDS on computation-intensive applications. In our tests we used the SPEC (Standard Performance Evaluation Corporation) CPU2000 benchmark suite [20]. The programs include two parts: CINT2000, for integer computation-intensive applications, and CFP2000, for floating-point applications. We chose CINT2000, which has 12 applications, and randomly selected five programs for testing; Table 2 gives a brief introduction.

Figure 10 shows the contrast of the five benchmarks when loading IB-IDS and unloading IB-IDS. As can be seen from the figure, the calculation time of dom1 is longer than in the original system; the average increased time is 9.12%, up to 11.48% on the 254.gap program. Compared with parallel programs, the influence of IB-IDS on the virtual machine is larger, but it is still in the acceptable range. So IB-IDS can be integrated in the computation-intensive program scenario of cloud computing.

At last we test the impact of IB-IDS on a web server. In our tests domU runs the web server, which is composed of Apache HTTP server and PHP. We use the httperf tool [21] to generate continuous network requests that can cause the server to be overloaded. Using the autobench tool [22], we can run httperf many times, increase the number of requests per second, and extract the output of the httperf results. Figure 11 shows the contrast of server responses when loading IB-IDS and unloading IB-IDS. As can be seen, when the frequency of HTTP requests increases, the response time of the server after the introduction of IB-IDS rises. When the HTTP request frequency is 100, the increased time is less than 0.5 s, which is acceptable. Therefore, in a cloud computing platform with a deployed web server, the IB-IDS system can also be applied.


Table 2: Illustrations of tested computation-intensive programs

Program names | Meanings
164.gzip | The compression and decompression operations of a set of files
175.vpr | Placement and routing operations for field-programmable gate array circuits according to specific algorithms
186.crafty | A chess program that finds the next move in view of the board layout
252.eon | Probabilistic ray tracing used to create a 3D object image
254.gap | Solving problems of correlation analysis and calculation in discrete mathematics

Figure 10: Testing of computation-intensive programs; compute time (s), 0 to 120, for 164.gzip, 175.vpr, 186.crafty, 252.eon, and 254.gap, with and without IB-IDS.

4.3. Comparisons of Detection Rates and False Alarm Rates. This section tests the ability of IB-IDS to detect attacks. Experiments adopt detection rate (DR) and false alarm rate (FAR) to measure the effectiveness of the system and to compare it with the ARTIS model proposed by Glickman et al. [17]. As a general computer immune system, the model has the characteristics of diversity, distribution, dynamic learning, adaptability, and self-monitoring. It consists of a series of lymph nodes, and each node independently completes the immune function. Each node contains multiple detectors (a detector is a blend of the nature of B cells, T cells, and antibodies). The ARTIS model draws on a variety of biological immune mechanisms, and coordinated stimulus and the dynamic evolution of detectors (immature ones, mature ones, and memory ones) make it continuously learning. The model has been successfully applied in intrusion detection, virus identification, pattern recognition, and so forth [17, 23]. Figure 12 shows the life cycle of detectors.

Figures 13 and 14 show comparisons of DR and FAR for IB-IDS and ARTIS in the simulation environment. In Figure 13, experiments adopt data with 60 nonselves in every 100 antigens, where 30 nonselves are newly confirmed. This means that previously this type of antigen was considered to be self (a normal procedure) and is now thought of as nonself (an abnormal procedure); for example, some attack process is unloaded instantly and stops providing related services. In Figure 14, experiments adopt data with 40 selves in every 100 antigens, where 20 nonselves are newly defined; for example, some new processes are loaded to provide new services. Experimental results show that IB-IDS has higher DR and lower FAR.

Figure 11: Testing of web server load; response time (ms), 0 to 4500, against request rate 0 to 100, with and without IB-IDS.

Then we adopt the wu-ftpd 2.6.0 program, the sendmail 8.12.0 program, and some typical rootkits in Linux, which are widely deployed as anomaly detection applications. Attacks against wu-ftpd are the scripting attack on the file name matching vulnerability, the attack of getting around access restrictions, the scripting attack on the site exec vulnerability, and so on. Attacks against sendmail are the sccp attack, decode attack, remote buffer overflow attack, and so on. Some of the representative rootkits include the simple hook rootkit, inline hook rootkit, inline hook complex rootkit, and so on. Simple hook rootkit: a rootkit of this type modifies a system call function's entry address to a malicious function; when the corresponding system call is called, the malicious function is executed instead of the original system call function. Inline hook rootkit: a rootkit of this type does not modify the system call table entry address but replaces a few bytes at the beginning of the system call function with a jump statement; compared with the simple hook rootkit, this rootkit is more subtle. Inline hook complex rootkit: a rootkit of this type does not replace the first bytes of the system call function with jump statements but other bytes, for example bytes in the middle. Table 3 lists the DRs and FARs of IB-IDS and ARTIS, with variances in parentheses. As can be seen from the table, IB-IDS has high detection rates and low false alarm rates under various attacks and is feasible for judging applications in client virtual machines.

Figure 12: The life cycle of detectors in ARTIS (nodes: randomly generated detectors, immature detectors, mature detectors, memory detectors, dead; transition labels: not match selves, match selves, match antigens, activate, costimulation, no co-stimulation, match enough, too old).

Figure 13: Comparisons of DR for IB-IDS and ARTIS; detection rate (%), 0 to 100, over time 5 to 50.

5. Conclusions

Cloud computing platforms are usually based on virtual machines as the underlying architecture; the security of virtual machine systems is the core of cloud computing security. Current studies on the security of user programs and the vulnerabilities of virtual machine monitors cannot accurately judge the real state of the client application in the virtual machine. At the same time, the proposed defense methods are only for specific attacks and vulnerabilities and cannot effectively deal with threats under other attacks. This paper presents an immune-based intrusion detection model in virtual machines of the cloud computing environment to ensure the safety of user-level applications in client virtual machines. The model extracts system call sequences and their parameters from programs, abstracts them into antigens, and fuses environmental information of guest virtual machines into danger signals in client VMs. Then immune responses are performed in the privileged VM. During the detection process, the information monitoring mechanism is executed in the VMM. Experimental results show that the model brings a small performance overhead for the virtual machine system and has good detection performance. It is applicable to judge the state of user-level applications in the guest virtual machine, and it is feasible to use it to increase the user-level security in software services of the cloud computing platform.

[Figure 14: Comparisons of FAR for IB-IDS and ARTIS. Axes: time (5 to 50) against false alarm rate (%), 0 to 100; series: ARTIS, IB-IDS.]

Table 3: Detection results (DR and FAR in percent; variances in parentheses).

Process / attack                                  ARTIS DR       ARTIS FAR      IB-IDS DR      IB-IDS FAR
wu-ftpd: file name matching vulnerability         76.12 (5.11)   10.28 (4.17)   96.55 (1.14)   7.22 (1.22)
wu-ftpd: site exec vulnerability                  79.87 (2.45)    9.87 (5.32)   97.31 (1.23)   6.65 (2.01)
wu-ftpd: attack of getting around access restr.   77.54 (4.77)   12.75 (3.74)   97.02 (1.08)   7.43 (1.67)
sendmail: sccp attack                             74.52 (3.56)   14.62 (3.41)   98.11 (1.25)   5.15 (1.63)
sendmail: decode attack                           81.21 (4.84)   15.72 (3.87)   98.35 (1.01)   5.42 (1.69)
sendmail: remote buffer overflow attack           82.45 (5.46)   12.84 (5.63)   98.78 (1.14)   5.80 (1.28)
rootkit: simple hook rootkit                      85.15 (5.16)    9.41 (4.12)   99.99 (0)      0 (0)
rootkit: inline hook rootkit                      82.45 (6.82)   10.75 (8.20)   99.99 (0)      0 (0)
rootkit: inline hook complex rootkit              75.14 (5.23)    9.56 (6.77)   95.84 (2.42)   3.78 (2.89)

Conflicts of Interest

The authors declare that there are no conflicts of interest

Acknowledgments

The authors would like to acknowledge Sichuan AgriculturalUniversity Double Support Project for providing financialaid

References

[1] A. Haeberlen, P. Aditya, R. Rodrigues, and P. Druschel, "Accountable Virtual Machines," in Proceedings of the 9th USENIX Symposium on Operating Systems Design and Implementation (OSDI '10), 2010.

[2] B. D. Payne, M. Carbone, M. Sharif, and W. Lee, "Lares: An architecture for secure active monitoring using virtualization," in Proceedings of the 2008 IEEE Symposium on Security and Privacy (SP), pp. 233–247, Oakland, Calif, USA, May 2008.

[3] M. I. Sharif, W. Lee, W. Cui, and A. Lanzi, "Secure In-VM monitoring using hardware virtualization," in Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS '09), pp. 477–487, Chicago, Ill, USA, November 2009.

[4] Z. Wang, X. Jiang, W. Cui, and P. Ning, "Countering kernel rootkits with lightweight hook protection," in Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS '09), pp. 545–554, Chicago, Ill, USA, November 2009.

[5] O. S. Hofmann, A. M. Dunn, S. Kim, I. Roy, and E. Witchel, "Ensuring operating system kernel integrity with OSck," in Proceedings of the 16th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS 2011), pp. 279–290, Newport Beach, Calif, USA, March 2011.

[6] A. Baliga, V. Ganapathy, and L. Iftode, "Detecting kernel-level rootkits using data structure invariants," IEEE Transactions on Dependable and Secure Computing, vol. 8, no. 5, pp. 670–684, 2011.

[7] S. Bharadwaja, W. Sun, M. Niamat, and F. Shen, "Collabra: A Xen hypervisor based collaborative intrusion detection system," in Proceedings of the 2011 8th International Conference on Information Technology: New Generations (ITNG 2011), pp. 695–700, Las Vegas, NV, USA, April 2011.

[8] A. Srivastava, A. Lanzi, J. Giffin, and D. Balzarotti, "Operating system interface obfuscation and the revealing of hidden operations," Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 6739, pp. 214–233, 2011.

[9] J. Szefer, E. Keller, R. B. Lee, and J. Rexford, "Eliminating the hypervisor attack surface for a more secure cloud," in Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS '11), pp. 401–412, Chicago, Ill, USA, October 2011.

[10] H. Benzina and J. Goubault-Larrecq, "Some Ideas on Virtualized System Security, and Monitors," in Data Privacy Management and Autonomous Spontaneous Security, vol. 6514 of Lecture Notes in Computer Science, pp. 244–258, Springer, Berlin, Heidelberg, Germany, 2011.

[11] L. Wang, H. Gao, W. Liu, and Y. Peng, "Detecting and managing hidden process via hypervisor," Jisuanji Yanjiu yu Fazhan/Computer Research and Development, vol. 48, no. 8, pp. 1534–1541, 2011.

[12] P. Barham, B. Dragovic, K. Fraser et al., "Xen and the art of virtualization," in Proceedings of the 19th ACM Symposium on Operating Systems Principles (SOSP '03), pp. 164–177, New York, NY, USA, October 2003.

[13] D. Chisnall, The Definitive Guide to the Xen Hypervisor, Prentice Hall Press, Upper Saddle River, NJ, USA, 2007.

[14] S. Forrest, A. Perelson, L. Allen, and R. Cherukuri, "Self-nonself discrimination in a computer," in Proceedings of the 1994 IEEE Computer Society Symposium on Research in Security and Privacy, pp. 202–212, Oakland, Calif, USA.

[15] L. I. De-Yi, C. Y. Liu, D. U. Yi, and X. Han, "Artificial intelligence with uncertainty," Journal of Software, vol. 15, no. 11, article 2, 2004.

[16] P. D'haeseleer, S. Forrest, and P. Helman, "An immunological approach to change detection: algorithms, analysis and implications," in Proceedings of the 1996 IEEE Symposium on Security and Privacy, pp. 110–119, Oakland, Calif, USA.

[17] M. Glickman, J. Balthrop, and S. Forrest, "A machine learning evaluation of an artificial immune system," Evolutionary Computation, vol. 13, no. 2, pp. 179–212, 2005.

[18] S. Woo, M. Ohara, E. Torrie, J. Singh, and A. Gupta, "The SPLASH-2 programs: characterization and methodological considerations," in Proceedings of the 22nd Annual International Symposium on Computer Architecture, pp. 24–36, Santa Margherita Ligure, Italy.

[19] J. P. Singh, W. Weber, and A. Gupta, "SPLASH," ACM SIGARCH Computer Architecture News, vol. 20, no. 1, pp. 5–44, 1992.

[20] Standard Performance Evaluation Corporation, http://www.spec.org.

[21] httperf, http://www.hpl.hp.com/research/linux/httperf.

[22] autobench, http://www.xenoclast.org/autobench.

[23] J. Balthrop, S. Forrest, M. E. J. Newman, and M. M. Williamson, "Technological networks and the spread of computer viruses," Computer Science, vol. 304, no. 5670, pp. 527–529, 2004.


[Figure 3: The immune mechanism of the model. Elements shown: antibody gene lib G (fed by antigen gene fragments and VM environment information; genes of memory detectors are extracted into it and genes of dead memory detectors deleted from it), immature detectors U produced by gene coding, dynamic tolerance (match self: dead; old enough: mature), mature detectors T (triggered by danger signals: clone and mutate), memory detectors M, self set S, and the self/nonself classification of antigens.]

Definition 4. The detector set is defined as $B = \{\langle ab, age \rangle \mid ab \in AB \cap age \le age_{\max}\}$, where $ab$ is the antibody of the detector, $age$ is the age of the detector, and $age_{\max}$ is the maximum age of the detector. The detector set consists of immature detectors, mature detectors, and memory detectors. The immature detector, which has not yet been subjected to self-tolerance, evolves into a mature one when it passes self-tolerance. The mature detector becomes a memory one after it is activated.

The immature detector set is defined as $U = \{x \mid x \in B \cap x.age < \gamma\}$, where $\gamma$ simulates the tolerance period. The mature detector set is defined as $T = \{x \mid x \in B \cap \gamma \le x.age < age_{\max} \cap \forall ag \in S\,(\mathrm{affinity}(x.ab, ag) = 0)\}$. The memory detector set is defined as $M = \{x \mid x \in B \cap x.age = age_{\max} \cap \forall ag \in S\,(\mathrm{affinity}(x.ab, ag) = 0)\}$.

In the detector generation process, if $\mathrm{Affinity}(x, ag) = 1$ ($ag \in S$), the detector $x$ can describe self and triggers an immune self-reaction, so it must be removed. At the end of the process, the remaining detectors can only describe elements of the nonself set. In the detection process, if $\mathrm{Affinity}(x, ag) = 1$ ($ag \in I$), antigen $ag$ can be described by detector $x$, triggering the immune response.

We use Figure 3 to represent the immune mechanism of the model. In the model, a new immature detector is generated by gene coding, and the immature detector evolves into a mature detector by negative selection (self-tolerance); if it matches selves, it dies. A mature detector has a life cycle of fixed length: if it is activated by danger signals within the life cycle, it evolves into a memory detector and generates the first response; otherwise it dies (deleting those detectors which are useless against antigens). The memory detector has a long life cycle, and once it matches an antigen it is activated immediately and produces the second response.

2.3. Implementation Mechanism of Danger Signals. Danger theory emphasizes that danger signals, which are generated from environmental changes, result in various degrees of immune response, and the area around the signals is called the danger zone. The most important issue in introducing danger theory into intrusion detection systems is the definition of danger signals, that is, how to determine the danger. In a virtual machine environment, we select three environmental values as assessments of danger signals: the number of regular files of the system variable $N_{\mathrm{reg}}$, the memory ratio used by a process $Rss$, and the number of files reported by the lsof command $N_{\mathrm{files}}$; they are normalized to real values in the interval $[0, 100]$.

For antigen $ag_i$, define the function of the danger signal $DS(ag_i)$ below. This function takes the three environmental values $N_{\mathrm{reg}}$, $Rss$, and $N_{\mathrm{files}}$ as inputs and generates the signal value where the antigen is:

$$DS(ag_i) = \frac{k_1 N_{\mathrm{reg}} + k_2 Rss - k_3 N_{\mathrm{files}}}{k_1 + k_2 + k_3} \quad (3)$$

As can be seen, $N_{\mathrm{reg}}$ and $Rss$ have a negative influence on the environment: an increase of $N_{\mathrm{reg}}$ and $Rss$ shows that the environment is damaged or that the possibility of its being damaged is larger. $N_{\mathrm{files}}$ has a positive influence on the environment: an increase of $N_{\mathrm{files}}$ shows that the possibility of the environment being normal is larger.


The size of the danger zone limits the scope of the immune response, and immune cells in the region are activated to participate in the immune response. For antigen $ag_i$, define the function of the danger zone $DA(ag_i)$ below. This function returns the collection of detectors whose distance from $ag_i$ is less than $r_{\mathrm{danger}}$:

$$DA(ag_i) = \left\{ x \;\middle|\; \frac{1}{\left(\sum_{j=1}^{k} f(x.ab.x_j, ag_i)\right) / k} \le r_{\mathrm{danger}} \cap x \in T \right\} \quad (4)$$

where $r_{\mathrm{danger}}$ is the radius of the danger zone.

How is it determined whether the environment is damaged according to danger signals? We take advantage of the cloud model to evaluate this. The cloud model [15] is a probabilistic reasoning tool and a mathematical transformation model between a qualitative concept expressed by language values and quantitative data; it has three numerical characteristics: expectation $Ex$, entropy $En$, and hyperentropy $He$. Based on the danger signal modeling, we use a cloud rule generator and a reverse cloud generator to carry out qualitative analysis of the environments of guest virtual machines. The rule generator can be divided into a front cloud and a rear cloud: the IF part is the condition of the rule, which is achieved by the front cloud, while the THEN part is the result of the rule, which is implemented by the rear cloud. The inputs of the front cloud are the values to be evaluated, and its output is the membership of the rule activated by the samples, which is also the input of the rear cloud; the output of the rear cloud is the conclusion of the rule.

First, danger signals $DS(ag_i)$ are sampled $m$ times in a safe state and in an attacked state. Based on the obtained cloud droplets, we get the numerical characteristics of the front clouds, $(Ex_{si}, En_{si}, He_{si})$ and $(Ex_{di}, En_{di}, He_{di})$, through the reverse cloud generator. If the secure state cloud and the dangerous state cloud cover the entire state space, then we can use these two clouds to determine the status of the system; this is the ideal situation. If these two clouds cannot cover the whole state space, we need to divide the empty part, and it can be divided into a weak secure state cloud and a weak dangerous state cloud. In general, the closer a cloud is to the center of the discourse domain, the smaller its entropy and hyperentropy are; the more distant it is from the center, the larger its entropy and hyperentropy are. For two clouds which are next to each other, the entropy and hyperentropy of the smaller one are 0.618 times those of the greater one; that is the empirical value. So we can get $En_{lsi}$, $En_{ldi}$, $He_{lsi}$, $He_{ldi}$. According to the "3En rule" of the cloud model, we can estimate the expectations of the weak secure state cloud and the weak dangerous state cloud. The formulas are as follows:

$$Ex_{lsi} = Ex_{si} + 3 En_{lsi} = Ex_{si} + 3 \times 0.618\, En_{si} \quad (5)$$

$$Ex_{ldi} = Ex_{di} - 3 En_{ldi} = Ex_{di} - 3 \times 0.618\, En_{di} \quad (6)$$

We design the rules listed in the following to build the rule generator. Then we can get the environment state and the level of membership according to the actual value of the danger signals.

Rule 1. IF the danger signal indicator is low, THEN the system is safe, does not elicit the immune response, and the corresponding antibody can be deleted.

Rule 2. IF the danger signal indicator is comparatively low, THEN the system is relatively safe and does not elicit an immune response.

Rule 3. IF the danger signal indicator is comparatively high, THEN the system is relatively in danger and elicits an immune response.

Rule 4. IF the danger signal indicator is high, THEN the system is in danger, elicits an immune response, and adds the corresponding mature antibody into the memory antibody collection.

When the system triggers the secondary response or danger signals trigger the initial response, antibodies mutate based on the immune response mechanism to generate new antibodies which have higher affinity with the original antigens, in order to identify danger more quickly, and also to generate antibodies which have lower affinity, which are added to the immature antibody collection in order to ensure the diversity of the immune system.
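A worked instance of the danger-signal rule generator described in this subsection, added here as an example and not taken from the paper: Eq. (3) for DS, a reverse cloud generator for the two state clouds, Eqs. (5) and (6) for the weak clouds, and Rules 1 to 4 chosen by the largest front-cloud membership. The weights k1, k2, k3, the two sample series, the standard backward-cloud estimator for (Ex, En, He), and the normal-cloud membership function are assumptions of this example.

```python
"""Danger-signal evaluation with the cloud-model rule generator (Section 2.3).

Added example, not the paper's code. Assumptions: equal weights k1 = k2 = k3,
constructed DS samples for the safe and attacked states, the standard backward
cloud generator for (Ex, En, He), and the normal-cloud membership
mu = exp(-(x - Ex)^2 / (2 En'^2)) with En' ~ N(En, He).
"""
import math
import random

K1, K2, K3 = 1.0, 1.0, 1.0          # weights in Eq. (3); assumed equal


def danger_signal(n_reg, rss, n_files, k1=K1, k2=K2, k3=K3):
    """Eq. (3): DS = (k1*N_reg + k2*Rss - k3*N_files) / (k1 + k2 + k3).
    The three inputs are the environmental values normalised to [0, 100]."""
    for v in (n_reg, rss, n_files):
        if not 0.0 <= v <= 100.0:
            raise ValueError("environmental values must be normalised to [0, 100]")
    return (k1 * n_reg + k2 * rss - k3 * n_files) / (k1 + k2 + k3)


def reverse_cloud(droplets):
    """Reverse (backward) cloud generator: estimate (Ex, En, He) from droplets."""
    n = len(droplets)
    ex = sum(droplets) / n
    en = math.sqrt(math.pi / 2.0) * sum(abs(x - ex) for x in droplets) / n
    var = sum((x - ex) ** 2 for x in droplets) / n
    he = math.sqrt(abs(var - en * en))
    return ex, en, he


def weak_clouds(safe, danger):
    """Eqs. (5)-(6): weak secure / weak dangerous clouds filling the gap.
    Entropy and hyperentropy of the smaller neighbouring cloud are 0.618 times
    those of the greater one; expectations follow the 3En rule."""
    ex_s, en_s, he_s = safe
    ex_d, en_d, he_d = danger
    en_ls, he_ls = 0.618 * en_s, 0.618 * he_s
    en_ld, he_ld = 0.618 * en_d, 0.618 * he_d
    ex_ls = ex_s + 3 * en_ls            # Eq. (5)
    ex_ld = ex_d - 3 * en_ld            # Eq. (6)
    return (ex_ls, en_ls, he_ls), (ex_ld, en_ld, he_ld)


def membership(x, cloud, rng):
    """Front cloud (X-condition generator): membership of x in a normal cloud."""
    ex, en, he = cloud
    en_prime = rng.gauss(en, he)        # hyperentropy perturbs the entropy
    if en_prime == 0.0:
        return 1.0 if x == ex else 0.0
    return math.exp(-(x - ex) ** 2 / (2.0 * en_prime ** 2))


# Rules 1-4, ordered from the lowest to the highest danger indicator.
RULES = (
    ("Rule 1", "safe: no immune response, corresponding antibody may be deleted"),
    ("Rule 2", "relatively safe: no immune response"),
    ("Rule 3", "relatively in danger: immune response"),
    ("Rule 4", "in danger: immune response, mature antibody added to memory"),
)


def build_state_clouds(safe_samples, attacked_samples):
    """Front clouds in rule order: secure, weak secure, weak dangerous, dangerous."""
    safe = reverse_cloud(safe_samples)
    danger = reverse_cloud(attacked_samples)
    weak_safe, weak_danger = weak_clouds(safe, danger)
    return (safe, weak_safe, weak_danger, danger)


def evaluate(ds_value, clouds, seed=0):
    """Rule generator: the rule whose front cloud gives the largest membership
    fires. Returns (rule name, conclusion, membership)."""
    rng = random.Random(seed)
    mus = [membership(ds_value, c, rng) for c in clouds]
    i = max(range(len(mus)), key=mus.__getitem__)
    return RULES[i][0], RULES[i][1], mus[i]


# Constructed DS samples (m = 10 droplets each) for a safe and an attacked state.
SAFE_SAMPLES = [8.2, 9.1, 9.8, 10.4, 10.9, 11.6, 9.5, 10.1, 8.8, 11.2]
ATTACKED_SAMPLES = [47.5, 52.0, 49.3, 55.1, 50.6, 48.8, 53.4, 51.2, 46.9, 54.0]
STATE_CLOUDS = build_state_clouds(SAFE_SAMPLES, ATTACKED_SAMPLES)

if __name__ == "__main__":
    for ds in (danger_signal(15.0, 25.0, 10.0), danger_signal(70.0, 90.0, 7.0)):
        print(round(ds, 2), evaluate(ds, STATE_CLOUDS))
```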

2.4. Implementation Mechanism of Information Monitoring. The antigen presenting module and the signal acquisition module are deployed in domU. Because Linux is an open-source operating system, we can add these two modules into domU's kernel. The information monitoring module is deployed in the VMM. To ensure the safety of the antigen presenting module and the signal acquisition module, the model accesses the memory spaces which they belong to and performs hash computing over the memory data. The implementation mechanism needs to solve two important issues: the first is how to find the memory space which the antigen presenting module and the signal acquisition module belong to, and the second is how to use hashing to ensure that the two modules are not attacked.

The VMM is responsible for managing and distributing various hardware resources and provides virtual hardware resources for the upper operating system kernel; domU accesses physical memory through the VMM. In a Linux system, the System.map file is a specific kernel symbol table and lists all the kernel symbolic names and their corresponding virtual addresses. A kernel symbol may be a variable name or a function name. Since the antigen presenting module and the signal acquisition module are in domU's kernel space, all the variables and functions which they contain can be found in System.map; that is to say, we can find the virtual memory addresses of these variables and functions in domU. In a Xen system there are three memory structures: virtual memory, pseudophysical memory, and machine memory. Virtual memory means that each process has a separate virtual memory address space. Pseudophysical memory lies between virtual memory and machine memory, and the operating system of each domU believes that pseudophysical memory is "physical memory". In fact, machine memory is the real physical memory. The VMM maintains an M2P (Machine to Physical) global conversion table, and each domU maintains a P2M (Physical to Machine) partial conversion table. As can be seen, we can find the pseudophysical address corresponding to a virtual memory address through domU's page table, and find the machine address corresponding to the pseudophysical address through domU's P2M table.

Through the above method we can find the memory space to which the antigen presenting module and the signal acquisition module belong. The information monitoring module reads the contents of all initialized data, read-only data, and functions' memory which belong to the two modules, in the order given by the System.map file, as hash input. Hash computing maps a binary value of arbitrary length to a shorter fixed-length binary value, and two different inputs cannot be mapped to the same value. Therefore, we use hash computing to ensure the integrity of the memory spaces of the antigen presenting module and the signal acquisition module. In the hypervisor we define two variables $hd_{\mathrm{ag}}$ and $hd_{\mathrm{sig}}$, which store the cumulative hash values of the antigen presenting module and the signal acquisition module, and they are calculated as follows:

$$hd_{\mathrm{ag}}(i+1) = \mathrm{hash}\big(hd_{\mathrm{ag}}(i)\,\&\, r_{\mathrm{ag}}(i+1)\big), \qquad hd_{\mathrm{sig}}(j+1) = \mathrm{hash}\big(hd_{\mathrm{sig}}(j)\,\&\, r_{\mathrm{sig}}(j+1)\big) \quad (7)$$

In (5), $\mathrm{hash}(x)$ is the hash function, $\&$ is the binary string concatenation operator, $r_{\mathrm{ag}}(i)$ is the content of the $i$th memory segment of the antigen presenting module, and $hd_{\mathrm{ag}}(i)$ is the accumulative value after $i$ rounds of hash computing for the antigen presenting module. The meaning of (6) follows by analogy. We mark the final cumulative hash values of the antigen presenting module and the signal acquisition module stored by the hypervisor in a safe state as the standard values $hd'_{\mathrm{ag}}$ and $hd'_{\mathrm{sig}}$. The information monitoring module is executed periodically. By comparing the hash values $hd_{\mathrm{ag}}$ and $hd_{\mathrm{sig}}$ obtained while the program is running with the standard values, we can determine the security of the antigen presenting module and the signal acquisition module.
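Eq. (7) as runnable code, added here as an example rather than code from the paper; it also shows the periodic check catching the kind of byte-level modification described for rootkits in Section 4.3 (first bytes of a function replaced, or bytes in the middle). Assumed: SHA-256 as hash(), constructed byte strings standing in for the memory segments read through System.map, and constructed patches.

```python
"""Cumulative hash check of module memory, Eq. (7) of Section 2.4.

Added example, not the paper's code. Assumptions: hash() is SHA-256 (the paper
does not name one), '&' is byte-string concatenation, and the segments below
are constructed stand-ins for the initialised data, read-only data and function
bodies of the antigen presenting module in System.map order.
"""
import hashlib
import hmac

# Constructed memory segments r_ag(1..3); real contents would be read from domU.
SEGMENTS_AG = [
    bytes.fromhex("554889e54883ec10"),        # function prologue (constructed)
    bytes.fromhex("0001000000000000"),        # initialised data (constructed)
    b"antigen-presenting-module/1.0\x00",     # read-only data (constructed)
]


def cumulative_hash(segments, hd0=b""):
    """Eq. (7): hd(i+1) = hash(hd(i) & r(i+1)), starting from hd(0) = hd0.
    Returns the final cumulative value hd(n); segment order is part of the input."""
    hd = hd0
    for r in segments:
        hd = hashlib.sha256(hd + r).digest()
    return hd


def record_standard(segments):
    """Taken once in a known-safe state: the standard value hd' kept in the VMM."""
    return cumulative_hash(segments)


def check_integrity(segments, standard):
    """Periodic check: recompute hd over the current memory and compare with hd'."""
    return hmac.compare_digest(cumulative_hash(segments), standard)


def modified_copy(segments, seg_index, offset, patch):
    """Constructed tampering for the demo: overwrite len(patch) bytes of one
    segment at offset (offset 0 mirrors a patched function entry, a middle
    offset mirrors the 'complex' variant of Section 4.3)."""
    seg = bytearray(segments[seg_index])
    seg[offset:offset + len(patch)] = patch
    out = list(segments)
    out[seg_index] = bytes(seg)
    return out


def detects_every_single_byte_change(segments, standard):
    """Sanity check: flipping any one byte anywhere changes hd (no false accept)."""
    for si, seg in enumerate(segments):
        for off in range(len(seg)):
            flipped = bytes([seg[off] ^ 0x01])
            if check_integrity(modified_copy(segments, si, off, flipped), standard):
                return False
    return True


if __name__ == "__main__":
    hd_std = record_standard(SEGMENTS_AG)
    print("standard hd'_ag:", hd_std.hex())
    print("clean memory   :", check_integrity(SEGMENTS_AG, hd_std))
    patched = modified_copy(SEGMENTS_AG, 0, 0, b"\x90" * 5)     # constructed patch
    print("entry patched  :", check_integrity(patched, hd_std))
    print("any byte change:", detects_every_single_byte_change(SEGMENTS_AG, hd_std))
```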

2.5. The Immune Evolution Model

2.5.1. Self-Evolution Model.

$$S(t) = \begin{cases} S_{\mathrm{first}}, & t = 0 \\ S(t-1), & t \bmod \delta \neq 0 \\ S(t-1) \cup S_{\mathrm{new}}(t) - S_{\mathrm{unload}}(t) - S_{\mathrm{dead}}(t), & t > 0 \cap t \bmod \delta = 0 \end{cases}$$

$$S_{\mathrm{dead}}(t) = \begin{cases} \emptyset, & \left| S(t-1) \cup S_{\mathrm{new}}(t) - S_{\mathrm{unload}}(t) \right| < \mathrm{size}_{\max} \\ \{ag \mid ag \in S(t-1) \cap \text{eliminate } \left| S_{\mathrm{new}}(t) - S_{\mathrm{unload}}(t) \right| \text{ elements according to some principles}\}, & \text{others} \end{cases} \quad (8)$$

where $S(t), S(t-1) \subset S$ respectively express the self set at the moments $t$ and $t-1$, $S_{\mathrm{first}}$ is the self set at the initial moment, and $\delta$ is the evolutionary cycle of selves. Within a $\delta$ cycle the self set remains unchanged; at the end of a $\delta$ period, new elements $S_{\mathrm{new}}$ are added (such as newly loaded programs), those programs $S_{\mathrm{unload}}(t)$ that have been uninstalled are deleted, and part of the selves $S_{\mathrm{dead}}(t)$ are eliminated in order to avoid the self set increasing without limit.

The computer software system is a huge collection. The self set of a complete software system is too large for the computing ability at the present stage, and it is very difficult to find an absolutely reliable self set in a dynamic software system. The evolution of the self set lets the model maintain only a smaller set of selves, to ensure higher time efficiency under the existing computing capacity. In addition, because of the continuous evolution of selves, nonself elements which mix into the selves will eventually be removed, reducing the rate of false negatives caused by an incomplete self set.

2.5.2. Antibody Gene Lib Evolution Model.

$$G(t) = \begin{cases} G_{\mathrm{first}}, & t = 0 \\ G(t-1) - G_{\mathrm{dead}}(t) \cup G_{\mathrm{new}}(t), & t > 0 \end{cases} \quad (9)$$

where $G(t), G(t-1) \subset G$ respectively express the antibody gene lib at the moments $t$ and $t-1$, $G_{\mathrm{first}}$ is the initial antibody gene collection, which consists of gene fragments of typical kinds of malware, $G_{\mathrm{dead}}(t) = \bigcup_{x \in M_{\mathrm{dead}}(t)} \bigcup_{i=1}^{k} x.ag.x_i$ is the set of mutated genes which should be removed at time $t$, and $M_{\mathrm{dead}}(t)$ is the set of memory detectors with false positives. When a mature detector is cloned, its genes $G_{\mathrm{new}}(t) = \bigcup_{x \in T_{\mathrm{cloned}}(t)} \bigcup_{i=1}^{k} x.ag.x_i$ join the antibody gene library as dominant genes; $T_{\mathrm{cloned}}(t)$ is the set of activated mature detectors.

The antibody gene lib is mainly used to improve the generation efficiency of immature detectors. In the generation process of new immature detectors, their antibodies are produced by gene encoding measures, so they have the ability to detect known malware variants, reducing the tolerance time. The use of genetic coding produces the "Baldwin effect": evolution and learning enable new individuals to acquire some of the same characteristics, reducing the diversity of the system. In order to solve this problem, a certain proportion of randomly generated immature detectors are added to ensure the diversity of the system.

2.5.3. Immature Detectors Evolution Model.

$$U(t) = \begin{cases} \emptyset, & t = 0 \\ f_{\mathrm{age}}(U(t-1)) - (U_{\mathrm{untolerance}}(t) \cup U_{\mathrm{matured}}(t)) \cup U_{\mathrm{new}}(t), & t > 0 \end{cases}$$

$$U_{\mathrm{untolerance}}(t) = \{x \mid x \in f_{\mathrm{age}}(U(t-1)) \cap \exists y \in S(t-1)\,(\mathrm{affinity}(x.ab, y) = 1)\}$$

$$U_{\mathrm{matured}}(t) = \{x \mid x \in f_{\mathrm{age}}(U(t-1) - U_{\mathrm{untolerance}}(t)) \cap x.age > \gamma\} \quad (10)$$

where $U(t), U(t-1) \subset U$ respectively express the set of immature detectors at the moments $t$ and $t-1$, $f_{\mathrm{age}}(X)$ ($X \subset B$) means adding 1 to the age of every detector in $X$, $U_{\mathrm{untolerance}}(t)$ is the set of immature detectors which do not pass self-tolerance, $U_{\mathrm{matured}}(t)$ is the set of mature detectors which pass self-tolerance, and $U_{\mathrm{new}}(t)$ is the set of newly created immature detectors at time $t$, which includes two parts: completely randomly generated detectors (to ensure diversity) and detectors generated by gene encoding from the antibody gene lib (to ensure availability).

2.5.4. Mature Detectors Evolution Model.

$$T(t) = \begin{cases} \emptyset, & t = 0 \\ \big(f_{\mathrm{age}}(T(t-1)) - (T_{\mathrm{dead}}(t) \cup T_{\mathrm{cloned}}(t))\big) \cup U_{\mathrm{matured}}(t) \cup T_{\mathrm{permutation}}(t), & t > 0 \end{cases}$$

$$T_{\mathrm{dead}}(t) = \{x \mid x \in f_{\mathrm{age}}(T(t-1)) \cap x.age = age_{\max} \cap \nexists y \in N(t-1)\,(x \in DA(y))\}$$

$$T_{\mathrm{cloned}}(t) = \{x \mid x \in (f_{\mathrm{age}}(T(t-1)) - T_{\mathrm{dead}}(t)) \cap \exists y \in N(t-1)\,(x \in DA(y))\}$$

$$T_{\mathrm{permutation}}(t) = f_{\mathrm{clone\_mutation}}(T_{\mathrm{cloned}}(t) \cup M_{\mathrm{cloned}}(t)) \quad (11)$$

where $T(t), T(t-1) \subset T$ respectively express the set of mature detectors at the moments $t$ and $t-1$, $T_{\mathrm{dead}}(t)$ is the set of mature detectors which are not activated by the end of the life cycle, $T_{\mathrm{cloned}}(t)$ is the set of mature detectors activated by danger signals, $U_{\mathrm{matured}}(t)$ is the set of new mature detectors, $T_{\mathrm{permutation}}(t)$ is the set of mature detectors produced by clonal mutation of activated ones, and $f_{\mathrm{clone\_mutation}}(X)$ ($X \subset T$) is the clonal variation function, which executes the clone and mutation operation for each element $x$ in $X$.

2.5.5. Memory Detectors Evolution Model.

$$M(t) = \begin{cases} M_{\mathrm{first}}, & t = 0 \\ (M(t-1) - M_{\mathrm{dead}}(t)) \cup f_{\mathrm{age2}}(M_{\mathrm{cloned}}(t)), & t > 0 \end{cases}$$

$$M_{\mathrm{dead}}(t) = \{x \mid x \in M(t-1) \cap \exists y \in S(t-1)\,(\mathrm{affinity}(x.ab, y) = 1)\}$$

$$M_{\mathrm{cloned}}(t) = \{x \mid x \in M(t-1) \cap \exists y \in N(t-1)\,(x \in DA(y))\} \quad (12)$$

where $M(t), M(t-1) \subset M$ respectively express the set of memory detectors at the moments $t$ and $t-1$, $M_{\mathrm{first}}$ is the set of initial memory detectors, which can be obtained from common malware, $M_{\mathrm{dead}}(t)$ is the set of memory detectors with false positives at the moment $t$, $f_{\mathrm{age2}}(M_{\mathrm{cloned}}(t))$ expresses the set of newly created memory detectors, $f_{\mathrm{age2}}(X)$ ($X \subset B$) sets the age of each detector in $X$ to $age_{\max}$, and $M_{\mathrm{cloned}}(t)$ is the set of activated memory detectors at time $t$.

2.5.6. Antigen Detection.

$$AG(t) = \begin{cases} AG_{\mathrm{first}}, & t = 0 \\ (AG(t-1) - AG_{\mathrm{self}}(t) - AG_{\mathrm{nonself}}(t)) \cup AG_{\mathrm{new}}(t), & t > 0 \end{cases}$$

$$AG_{\mathrm{nonself}}(t) = \{x \mid x \in AG_{\mathrm{checked}}(t) \cap \exists y \in (T_{\mathrm{cloned}}(t) \cup M_{\mathrm{cloned}}(t))\,(\mathrm{affinity}(y.ab, x) = 1)\}$$

$$AG_{\mathrm{self}}(t) = \{x \mid x \in AG_{\mathrm{checked}}(t) \cap \forall y \in (T(t) \cup M(t))\,(\mathrm{affinity}(y.ab, x) = 0)\} \quad (13)$$

where $AG(t), AG(t-1) \subset AG$ respectively express the set of antigens at the moments $t$ and $t-1$, $AG_{\mathrm{first}}$ is the set of initial antigens, and $AG_{\mathrm{checked}}(t) \subset AG(t)$ expresses the antigens to be checked at the moment $t$.
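One tick of the evolution equations (8) to (13) as a small simulation, added here as an example and not the paper's code; it runs the self set, immature, mature and memory populations through one step on constructed data so the set algebra above can be traced concretely. Assumptions (the page does not fix them): antibodies and antigens are 8-bit strings, affinity is r-contiguous-bits matching, the danger zone DA(ag) is a Hamming ball rather than Eq. (4), N(t−1) is the set of checked antigens matched by an existing mature or memory detector, an activated mature detector is promoted to memory as in the Figure 3 narrative, and the "some principles" of S_dead drop the lexicographically smallest selves.

```python
"""One tick of the immune evolution model, Eqs. (8)-(13) of Section 2.5.

Added example, not the paper's code. Assumptions (the page does not fix them):
antibodies/antigens are 8-bit strings; affinity() is r-contiguous-bits matching;
DA(ag) is a Hamming ball of radius R_DANGER instead of Eq. (4); N(t-1) is the set
of checked antigens matched by an existing mature or memory detector; an
activated mature detector is promoted to memory as in the Figure 3 narrative;
S_dead drops the lexicographically smallest selves. All sets are constructed.
"""
import random

L = 8          # bit-string length
R_MATCH = 5    # contiguous equal bits needed for affinity = 1
R_DANGER = 2   # danger-zone radius (Hamming distance)
GAMMA = 2      # tolerance period: immature -> mature once age > GAMMA
AGE_MAX = 6    # life cycle of a mature detector
SIZE_MAX = 6   # bound on the self set, Eq. (8)


def affinity(ab, ag):
    """1 if ab and ag agree on R_MATCH contiguous positions, else 0."""
    run = 0
    for a, b in zip(ab, ag):
        run = run + 1 if a == b else 0
        if run >= R_MATCH:
            return 1
    return 0


def in_danger_zone(ab, ag):
    """Assumed DA(ag): detector antibody within Hamming distance R_DANGER."""
    return sum(a != b for a, b in zip(ab, ag)) <= R_DANGER


def clone_mutate(detectors, rng, copies=2):
    """f_clone_mutation: each activated detector yields copies with one flipped bit."""
    out = []
    for ab, _age in detectors:
        for _ in range(copies):
            i = rng.randrange(L)
            out.append((ab[:i] + ("1" if ab[i] == "0" else "0") + ab[i + 1:], 0))
    return out


def step(state, s_new, s_unload, u_new, ag_checked, seed=0):
    """Advance S (set of str), U, T, M (lists of (antibody, age)) by one tick.
    Returns (new state, AG_nonself(t)); the input state is not modified."""
    rng = random.Random(seed)
    T_prev, M_prev = state["T"], state["M"]
    # Eq. (8): end of a delta cycle; bound the self set by SIZE_MAX
    S = (state["S"] | s_new) - s_unload
    while len(S) > SIZE_MAX:
        S.remove(min(S))                         # assumed elimination principle
    # Eq. (13): antigens that an existing mature or memory detector matches
    ag_nonself = {x for x in ag_checked
                  if any(affinity(ab, x) for ab, _ in T_prev + M_prev)}
    # Eq. (10): immature detectors age, fail tolerance, or mature
    U_aged = [(ab, age + 1) for ab, age in state["U"]]
    U_untol = [d for d in U_aged if any(affinity(d[0], y) for y in S)]
    U_rest = [d for d in U_aged if d not in U_untol]
    U_matured = [d for d in U_rest if d[1] > GAMMA]
    U = [d for d in U_rest if d not in U_matured] + list(u_new)
    # Eq. (11): mature detectors age; those in a nonself's danger zone are
    # activated, those reaching AGE_MAX without activation die
    T_aged = [(ab, age + 1) for ab, age in T_prev]
    T_cloned = [d for d in T_aged if any(in_danger_zone(d[0], y) for y in ag_nonself)]
    T_dead = [d for d in T_aged if d[1] >= AGE_MAX and d not in T_cloned]
    # Eq. (12): memory detectors matching self are false positives and die
    M_dead = [d for d in M_prev if any(affinity(d[0], y) for y in S)]
    M_cloned = [d for d in M_prev if d not in M_dead
                and any(in_danger_zone(d[0], y) for y in ag_nonself)]
    T_perm = clone_mutate(T_cloned + M_cloned, rng)   # T_permutation(t)
    T = ([d for d in T_aged if d not in T_dead and d not in T_cloned]
         + U_matured + T_perm)
    M = ([d for d in M_prev if d not in M_dead]
         + [(ab, AGE_MAX) for ab, _ in T_cloned])     # f_age2 on promoted ones
    return {"S": S, "U": U, "T": T, "M": M}, ag_nonself


# Constructed starting populations at time t-1.
STATE0 = {
    "S": {"00000000", "11110000"},
    "U": [("11111111", 2), ("00000011", 0)],
    "T": [("10101010", 5), ("01111111", 1)],
    "M": [("11100011", AGE_MAX)],
}

if __name__ == "__main__":
    new_state, nonself = step(STATE0, {"00110011"}, set(),
                              [("01010101", 0)], ["11111110", "00000001"])
    print("nonself antigens:", nonself)
    for k in ("S", "U", "T", "M"):
        print(k, new_state[k])
```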

3 Performance Analysis of the Model

Let $N_p$ be the number of programs on a computer, and let $\rho$ be the usual proportion of nonselves among them. The size of the self set is $|S|$, the size of the mature detector set is $|T|$, and the size of the memory detector set is $|M|$. The matching probability between any given detector and any given antigen is $P_m$ (which depends on the specific matching rule). $P(A)$ denotes the probability of event $A$.

Theorem 5. For any detector that passes self-tolerance, the probability that this detector matches a self which is not described (i.e., a self outside $S$) is
$$P_n = (1-P_m)^{|S|} \cdot \bigl(1-(1-P_m)^{N_p(1-\rho)-|S|}\bigr).$$

Proof. Let $A$ be the event "the given detector matches no self in the self set" and $B$ the event "the given detector matches at least one self in the undescribed self set". A detector in $A$ is self-tolerant, while a detector in $B$ may not be; hence $P_n = P(A)P(B)$. In event $A$ the number of times $X$ that the detector matches selves follows the binomial distribution $X \sim b(n,p)$ with $n=|S|$ and $p=P_m$, so $P(A)=P(X=0)=P_m^0(1-P_m)^{|S|}=(1-P_m)^{|S|}$. Similarly, in event $B$ the number of matches $Y \sim b(n,p)$ with $n = N_p(1-\rho)-|S|$ (the number of selves not described by $S$) and $p = P_m$, so $P(B)=1-P(Y=0)=1-(1-P_m)^{N_p(1-\rho)-|S|}$. Therefore $P_n = P(A)P(B) = (1-P_m)^{|S|}\cdot\bigl(1-(1-P_m)^{N_p(1-\rho)-|S|}\bigr)$.

Theorem 6. For any given nonself antigen $ag$, the probability that this antigen is identified correctly is
$$P_r = 1-(1-P_m)^{(|M|+|T|)(1-P_n)} \approx 1-e^{-P_m(|M|+|T|)(1-P_n)}.$$

Proof. Let $A$ be the event "$ag$ matches some memory detector or some mature detector that is triggered by danger signals"; then $P_r=P(A)$. In event $A$ the number of times $X$ that the antigen matches detectors follows $X \sim b(n,p)$ with $n=(|M|+|T|)(1-P_n)$ and $p=P_m$: the memory and mature detectors that recognise selves cannot identify nonselves and are not counted. Then $P_r=P(A)=1-P(X=0)=1-(1-P_m)^{(|M|+|T|)(1-P_n)}$. By the Poisson theorem, when $P_m$ is small and $(|M|+|T|)(1-P_n)$ is large, $P_r \approx 1-e^{-P_m(|M|+|T|)(1-P_n)}$.

Theorem 7. For any given nonself antigen $ag$, the probability of a false negative on this antigen is
$$P_{neg} = (1-P_m)^{(|M|+|T|)(1-P_n)} \approx e^{-P_m(|M|+|T|)(1-P_n)};$$
for any given self antigen $ag$, the probability of a false positive on this antigen is
$$P_{pos} = 1-(1-P_m)^{(|M|+|T|)P_n} \approx 1-e^{-P_m(|M|+|T|)P_n}.$$

Proof. By Theorem 6, $P_{neg}=1-P_r=(1-P_m)^{(|M|+|T|)(1-P_n)} \approx e^{-P_m(|M|+|T|)(1-P_n)}$. Let $A$ be the event "the given self matches a memory detector or a mature detector"; then $P_{pos}=P(A)$. In event $A$ the number of times $X$ that the self matches detectors follows $X \sim b(n,p)$ with $n=(|M|+|T|)P_n$ (the expected number of detectors that, by Theorem 5, match undescribed selves) and $p=P_m$. So $P_{pos}=P(A)=1-P(X=0)=1-(1-P_m)^{(|M|+|T|)P_n}$. By the Poisson theorem, when $P_m$ is small and $(|M|+|T|)P_n$ is large, $P_{pos}\approx 1-e^{-P_m(|M|+|T|)P_n}$.

Theorem 8. Selves of the model are completely described at the macro level. The spatial complexity of the dynamic tolerance model producing a fixed number of mature detectors is constant, and the time complexity is linear in the number of detectors (excluding immature detectors).

[Figure 4: Effect of $N_p$ and $|S|$ on $P_n$ ($P_m = 0.025625$, $\rho = 0.01$). Axes: $N_p$ from 0 to 1000, $|S|$ from 0 to 400, $P_n$ from 0 to 1.]

Proof. According to (8), the self set evolves in time slices of fixed length, so with the passage of time $\bigcup_{t=0}^{\infty} S(t)$ covers the entire self space; that is, the description of selves at the macro level is complete. Moreover, the size of the self set is bounded by $size_{max}$. Without loss of generality, consider the extreme case $|S(t)| = size_{max}$. D'haeseleer et al. [16] showed that, for an arbitrary matching rule, the spatial complexity of producing a fixed number of mature detectors is $O(l \cdot size_{max})$ ($l$ being the detector string length) and the time complexity is
$$O\Bigl(\frac{-\ln(P_{neg})}{P_m (1-P_m)^{size_{max}}} \cdot size_{max}\Bigr).$$
For a specific matching algorithm $P_m$ is constant. By Theorem 7, $P_{neg} \approx e^{-P_m(|M|+|T|)(1-P_n)}$, and by Theorem 5, $P_n = (1-P_m)^{size_{max}} \cdot \bigl(1-(1-P_m)^{N_p(1-\rho)-size_{max}}\bigr)$. Substituting $-\ln(P_{neg}) = P_m(|M|+|T|)(1-P_n)$, the time complexity of producing a fixed number of mature detectors is
$$O\Bigl(\frac{(|M|+|T|)(1-P_n)}{(1-P_m)^{size_{max}}} \cdot size_{max}\Bigr) = O\Bigl((|M|+|T|) \cdot \frac{(1-P_n)\, size_{max}}{(1-P_m)^{size_{max}}}\Bigr),$$
that is, linear in the number of memory detectors and mature detectors.

For a specific matching rule, $P_m$ is constant [17]. For the $r$-contiguous-bit matching method, $P_m = 0.025625$. Figures 4 and 5 are the MATLAB simulations of Theorem 5. As the figures show, when $|S|$ is large enough the effect of $N_p$ and $\rho$ on $P_n$ is small. When $|S| = 200$, $N_p = 500$, and $\rho = 0.01$, $P_n < 1\%$, which reaches the ideal value.

Figure 6 is the MATLAB simulation of Theorem 6. As the figure shows, $P_r$ increases as $|M|$ and $|T|$ grow.

10 Mobile Information Systems

[Figure 5: Effect of $\rho$ and $|S|$ on $P_n$ ($P_m = 0.025625$, $N_p = 400$). Axes: $\rho$ from 0 to 0.1, $|S|$ from 0 to 400, $P_n$ from 0 to 1.]

[Figure 6: Effect of $|M|$ and $|T|$ on $P_r$ ($P_m = 0.025625$, $P_n = 0.01$). Axes: $|T|$ and $|M|$ from 0 to 400, $P_r$ from 0 to 1.]

Figures 7 and 8 are the MATLAB simulations of Theorem 7. As the figures show, with the rise of $|M|$ and $|T|$, $P_{neg}$ decreases and $P_{pos}$ increases.

Considering the simulations of Theorems 5, 6, and 7 together: when $|S| = 200$, $N_p = 500$, $\rho = 0.01$, $|M| = 100$, and $|T| = 100$, we obtain $P_n < 1\%$, $P_r > 95\%$, $P_{neg} < 1\%$, and $P_{pos} < 5\%$, which reach the ideal values.
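As an added worked example (not part of the original paper), the following Python code evaluates Theorems 5, 6, and 7 with the paper's symbols, reproduces the operating point quoted above, and inverts the Poisson form of $P_{neg}$ to size the detector pool $|M|+|T|$ for a target false-negative rate. The inversion is a derived step not stated on the page, and $P_m = 0.025625$ is taken from the text as a constant of the matching rule.

```python
import math

# P_m for the r-contiguous-bit matching rule, as given in the text (Section 3).
P_M = 0.025625


def p_n(size_s, n_p, rho, p_m=P_M):
    """Theorem 5: probability that a self-tolerant detector matches an undescribed self.

    P_n = (1 - P_m)^|S| * (1 - (1 - P_m)^(N_p (1 - rho) - |S|))
    """
    undescribed = n_p * (1 - rho) - size_s  # selves that exist but are not in S
    if undescribed < 0:
        raise ValueError("|S| exceeds the estimated number of selves N_p(1 - rho)")
    p_a = (1 - p_m) ** size_s                # event A: no match inside S
    p_b = 1 - (1 - p_m) ** undescribed       # event B: at least one match outside S
    return p_a * p_b


def p_r(size_m, size_t, pn, p_m=P_M, poisson=False):
    """Theorem 6: probability that a nonself antigen is recognised by some detector.

    Only detectors that do not recognise selves count: n = (|M| + |T|)(1 - P_n).
    """
    n = (size_m + size_t) * (1 - pn)
    return 1 - math.exp(-p_m * n) if poisson else 1 - (1 - p_m) ** n


def p_neg(size_m, size_t, pn, p_m=P_M, poisson=False):
    """Theorem 7: false-negative probability for a nonself antigen (1 - P_r)."""
    return 1 - p_r(size_m, size_t, pn, p_m, poisson)


def p_pos(size_m, size_t, pn, p_m=P_M, poisson=False):
    """Theorem 7: false-positive probability for a self antigen.

    Only the detectors that wrongly match selves count: n = (|M| + |T|) P_n.
    """
    n = (size_m + size_t) * pn
    return 1 - math.exp(-p_m * n) if poisson else 1 - (1 - p_m) ** n


def detectors_for_false_negative(target_p_neg, pn, p_m=P_M):
    """Size the detector pool by inverting the Poisson form of P_neg in Theorem 7.

    P_neg ~= exp(-P_m (|M| + |T|)(1 - P_n))  =>  |M| + |T| >= -ln(P_neg) / (P_m (1 - P_n)).
    (This inversion is added here; the paper states only the forward formula.)
    """
    return math.ceil(-math.log(target_p_neg) / (p_m * (1 - pn)))


def paper_operating_point():
    """Evaluate the configuration the text calls ideal: |S|=200, N_p=500, rho=0.01, |M|=|T|=100."""
    pn = p_n(200, 500, 0.01)
    return {
        "P_n": pn,
        "P_r": p_r(100, 100, pn),
        "P_neg": p_neg(100, 100, pn),
        "P_pos": p_pos(100, 100, pn),
        "detectors_for_P_neg_1pct": detectors_for_false_negative(0.01, pn),
    }


if __name__ == "__main__":
    for name, value in paper_operating_point().items():
        print(f"{name:>25}: {value:.5f}" if isinstance(value, float) else f"{name:>25}: {value}")
```

Running the script confirms the text's claim that the quoted configuration keeps $P_n$ and $P_{neg}$ below 1% and $P_{pos}$ below 5%; the sizing helper shows that about 181 non-self-recognising detectors are already enough for a 1% false-negative rate at this $P_m$, which is why the curves in Figures 7 and 8 flatten quickly.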

4 Experimental Results and Analysis

In this section we verify the validity of IB-IDS through experiments, including a security analysis, the effect on program performance after adding IB-IDS to the Xen virtual machine system, and the intrusion detection efficiency of IB-IDS. The experimental environment is as follows. All tests were performed on a ThinkPad T540p notebook with an Intel Core i5-4300M 2.60 GHz quad-core CPU and 8 GB of physical memory. Xen version 4.4.1 manages two domains: the privileged VM dom0 and the guest VM dom1. Both virtual machines run Ubuntu 14.04 with Linux kernel 3.13.0-19. Dom0 is allocated four VCPUs and 4 GB of physical memory with a CPU scheduling weight of 256; dom1 is allocated four VCPUs and 1 GB of physical memory, also with a CPU scheduling weight of 256.

In IB-IDS the parameters are set as follows: danger signal parameters $k_1 = 1$, $k_2 = 0.5$, $k_3 = -1.5$, and the radius of the danger zone $r_{danger} = 0.5$. Each experiment is run 10 times and the averaged results are reported.

[Figure 7: Effect of $|M|$ and $|T|$ on $P_{neg}$ ($P_m = 0.025625$, $P_n = 0.01$). Axes: $|T|$ and $|M|$ from 0 to 400, $P_{neg}$ from 0 to 1.]

[Figure 8: Effect of $|M|$ and $|T|$ on $P_{pos}$ ($P_m = 0.025625$, $P_n = 0.01$). Axes: $|T|$ and $|M|$ from 0 to 400, $P_{pos}$ from 0 to 1.]

4.1. Security Analysis. In the architecture description of the model, each module is deployed in a different virtual machine. In domU, data is collected and then passed to dom0 through the inter-domain communication mechanism. Xen's grant tables (its authorization list) ensure that a domain's memory can only be accessed by the domains it has authorized. In the model, domU owns the ring-shaped shared buffer and dom0 is the only domain granted access to it; no other domain can access it. Therefore the data will not leak to an unauthorized domain, and the data transfer is safe.

In paravirtualized Xen, domU accesses the hardware indirectly through dom0. To keep the immune calculation out of reach of a compromised guest, the model passes the data to dom0 for computation. The model assumes that the privileged virtual machine is a trusted node.

Traditional intrusion detection tools typically need to be deployed inside the guest virtual machine. Because the guest is not a trusted node and is exposed to various attacks, those detection tools are equally vulnerable. This model also assumes that the virtual machine monitor is a trusted node; the memory of the two modules deployed in domU is monitored by the VMM (Section 2.4).

Under these two trust assumptions (trusted dom0 and trusted VMM), the monitoring process and its results are reliable. The assumptions also define the model's trust boundary: a compromise of dom0 or of the hypervisor itself is outside its scope.

4.2. Performance Evaluations of the Model. Introducing IB-IDS into a virtual machine system will obviously bring some performance cost. In cloud computing many applications execute concurrently, so this section first uses a suitable performance test to assess the impact of IB-IDS on parallel programs. In our tests we used the classic SPLASH-2 benchmark suite [18, 19]. The programs are written in C, comprise 12 benchmarks, and use the PThread parallel mode. We randomly selected five of them for testing; Table 1 gives a brief introduction.

Table 1: Illustrations of tested parallel programs.

Program  | Meaning | Parameter settings
FFT      | Computing a fast Fourier transform | m = 22, p = 2, n = 65536, l = 4
LU       | Splitting a sparse matrix into a product of a lower triangular matrix and an upper triangular matrix | p = 2, n = 2048, b = 16
Ocean    | Simulating movements of an entire ocean through the edge of the ocean currents (noncontiguous block allocation method) | p = 4, n = 258, t = 380, e = 1e-09
Raytrace | Path simulation of lights | p = 4, envfile = ball4
Barnes   | Simulating a three-dimensional multibody system (e.g., galaxies) | p = 2, fleaves = 2

[Figure 9: Testing of parallel programs. Compute time (ms), 0 to 5000, for FFT, LU, Ocean, Raytrace, and Barnes, without and with IB-IDS.]

Figure 9 contrasts the five benchmarks with IB-IDS loaded and unloaded. The computation time of dom1 is longer than on the original system: the average increase is 7.33%, and at most 10.86% (on the LU program). This indicates that the additional cost of a virtual machine system with integrated IB-IDS is small and within an acceptable range; applying IB-IDS to cloud computing platforms will not have a significant impact on parallel applications.

In IB-IDS the main performance overhead in domU comes from the antigen presenting module and the signal acquisition module, as well as from passing data to dom0 through the inter-VM communication mechanism. These actions are performed at regular intervals and their cost is limited. For example, the antigen presenting module is a proactive monitoring program over the system call sequence and is not triggered by every system call; the same holds for the signal acquisition module. Through the event channel, domU places antigens and environment status into the ring buffer and notifies dom0 only when the ring buffer was empty, which causes a context switch between domU and dom0. If there is already data in the ring buffer, dom0 keeps reading it and no notification from domU is required, so the context-switch overhead is limited. In addition, the immune response module, the signal measurement module, and the information monitoring module add performance overhead to dom0, but their impact on domU can be ignored.

Then we test the impact of IB-IDS on computation-intensive applications. In our tests we used the SPEC (Standard Performance Evaluation Corporation) CPU2000 benchmark suite [20]. It has two parts: CINT2000, for integer computation-intensive applications, and CFP2000, for floating-point applications. We chose CINT2000, which has 12 applications, and randomly selected five of them for testing; Table 2 gives a brief introduction.

Figure 10 contrasts the five benchmarks with IB-IDS loaded and unloaded. The computation time of dom1 is longer than on the original system: the average increase is 9.12%, and at most 11.48% (on the 254.gap program). Compared with the parallel programs, the influence of IB-IDS on the virtual machine is larger, but it is still within an acceptable range, so IB-IDS can be integrated in the computation-intensive scenario of cloud computing.

Finally we test the impact of IB-IDS on a web server. In these tests domU runs the web server, consisting of the Apache HTTP server and PHP. We use the httperf tool [21] to generate a continuous stream of network requests that can overload the server, and the autobench tool [22] to run httperf repeatedly, increasing the number of requests per second and extracting httperf's results. Figure 11 contrasts the server response with IB-IDS loaded and unloaded. As the HTTP request rate increases, the response time of the server with IB-IDS rises; at a request rate of 100 the added time is less than 0.5 s, which is acceptable. Therefore IB-IDS can also be applied in a cloud computing platform that hosts a web server.

Table 2: Illustrations of tested computation-intensive programs.

Program    | Meaning
164.gzip   | Compression and decompression of a set of files
175.vpr    | Placement and routing for field-programmable gate array circuits according to specific algorithms
186.crafty | Chess program that finds the next move given the board layout
252.eon    | Probabilistic ray tracing used to create an image of a 3D object
254.gap    | Solving problems of analysis and computation in discrete mathematics

[Figure 10: Testing of computation-intensive programs. Compute time (s), 0 to 120, for 164.gzip, 175.vpr, 186.crafty, 252.eon, and 254.gap, without and with IB-IDS.]

4.3. Comparisons of Detection Rates and False Alarm Rates. This section tests the ability of IB-IDS to detect attacks. The experiments use the detection rate (DR) and the false alarm rate (FAR) to measure the effectiveness of the system and compare it with the ARTIS model described by Glickman et al. [17]. As a general computer immune system, ARTIS has the characteristics of diversity, distribution, dynamic learning, adaptability, and self-monitoring. It consists of a series of lymph nodes, each of which independently completes the immune function. Each node contains multiple detectors (a detector blends the nature of B cells, T cells, and antibodies). ARTIS draws on a variety of biological immune mechanisms, and costimulation together with the dynamic evolution of detectors (immature, mature, and memory ones) makes it learn continuously. The model has been successfully applied to intrusion detection, virus identification, pattern recognition, and so forth [17, 23]. Figure 12 shows the life cycle of its detectors.

Figures 13 and 14 compare DR and FAR for IB-IDS and ARTIS in the simulation environment. In Figure 13 the experiments use data with 60 nonselves in every 100 antigens, of which 30 have only just been confirmed as nonself: this type of antigen was previously considered self (a normal procedure) and is now considered nonself (an abnormal procedure), for example when an attack process is unloaded immediately and the related services stop. In Figure 14 the experiments use data with 40 selves in every 100 antigens, of which 20 have only just been defined as self, for example newly loaded processes that provide new services. The experimental results show that IB-IDS has a higher DR and a lower FAR.

[Figure 11: Testing of web server load. Response time (ms), 0 to 4500, versus request rate, 0 to 100, without and with IB-IDS.]

Then we adopt the wu-ftpd 2.6.0 program, the sendmail 8.12.0 program, and some typical Linux rootkits, which are widely used as anomaly detection test applications. The attacks against wu-ftpd are the scripting attack on the file name matching vulnerability, the attack of getting around access restrictions, the scripting attack on the site exec vulnerability, and so on. The attacks against sendmail are the sccp attack, the decode attack, the remote buffer overflow attack, and so on. The representative rootkits include the simple hook rootkit, the inline hook rootkit, and the inline hook complex rootkit. A simple hook rootkit modifies a system call function's entry address (in the system call table) to point to a malicious function; when the corresponding system call is invoked, the malicious function is executed instead of the original one. An inline hook rootkit does not modify the system call table entry but replaces the first few bytes of the system call function with a jump instruction; compared with the simple hook, this rootkit is subtler. An inline hook complex rootkit does not replace the first bytes of the system call function with a jump but patches other bytes, for example bytes in the middle of the function. Table 3 lists the DRs and FARs of IB-IDS and ARTIS, with variances in parentheses. As the table shows, IB-IDS has high detection rates and low false alarm rates under the various attacks and is feasible for judging applications in client virtual machines.

[Figure 12: The life cycle of detectors in ARTIS. States: randomly generated detectors, immature detectors, mature detectors, memory detectors, dead. Transition labels: not match selves, match selves, match antigens, activate, costimulation, no costimulation, match enough, too old. Detectors are depicted as bit strings.]

[Figure 13: Comparisons of DR for IB-IDS and ARTIS. Detection rate (%), 0 to 100, versus time, 5 to 50.]

5 Conclusions

Cloud computing platforms are usually based on virtualmachines as the underlying architecture the security of vir-tual machine systems is the core of cloud computing security

[Figure 14: Comparisons of FAR for IB-IDS and ARTIS. False alarm rate (%), 0 to 100, versus time, 5 to 50.]

Current studies on the security of user programs and on vulnerabilities of virtual machine monitors cannot accurately judge the real state of the client application in the virtual machine. At the same time, the proposed defense methods target only specific attacks and vulnerabilities and cannot effectively deal with other threats. This paper presents an immune-based intrusion detection model for virtual machines in the cloud computing environment, to ensure the safety of user-level applications in client virtual machines. The model extracts system call sequences and their parameters from programs and abstracts them into antigens, fuses environmental information of the guest virtual machine into danger signals in the client VM, and then performs immune responses in the privileged VM. During detection, the information monitoring mechanism is executed in the VMM. Experimental results show that the model brings a small performance overhead for the virtual machine system and has good detection performance. It is applicable to judging the state of user-level applications in a guest virtual machine, and it is feasible to use it to increase user-level security in the software services of a cloud computing platform.

Table 3: Detection results. DR and FAR in %, variances in parentheses.

Process / attack | ARTIS DR | ARTIS FAR | IB-IDS DR | IB-IDS FAR
wu-ftpd: file name matching vulnerability | 76.12 (5.11) | 10.28 (4.17) | 96.55 (1.14) | 7.22 (1.22)
wu-ftpd: site exec vulnerability | 79.87 (2.45) | 9.87 (5.32) | 97.31 (1.23) | 6.65 (2.01)
wu-ftpd: attack of getting around access restrictions | 77.54 (4.77) | 12.75 (3.74) | 97.02 (1.08) | 7.43 (1.67)
sendmail: sccp attack | 74.52 (3.56) | 14.62 (3.41) | 98.11 (1.25) | 5.15 (1.63)
sendmail: decode attack | 81.21 (4.84) | 15.72 (3.87) | 98.35 (1.01) | 5.42 (1.69)
sendmail: remote buffer overflow attack | 82.45 (5.46) | 12.84 (5.63) | 98.78 (1.14) | 5.80 (1.28)
rootkit: simple hook rootkit | 85.15 (5.16) | 9.41 (4.12) | 99.99 (0) | 0 (0)
rootkit: inline hook rootkit | 82.45 (6.82) | 10.75 (8.20) | 99.99 (0) | 0 (0)
rootkit: inline hook complex rootkit | 75.14 (5.23) | 9.56 (6.77) | 95.84 (2.42) | 3.78 (2.89)

Conflicts of Interest

The authors declare that there are no conflicts of interest

Acknowledgments

The authors would like to acknowledge Sichuan AgriculturalUniversity Double Support Project for providing financialaid

References

[1] A. Haeberlen, P. Aditya, R. Rodrigues, and P. Druschel, "Accountable virtual machines," in Proceedings of the 9th USENIX Symposium on Operating Systems Design and Implementation (OSDI '10), 2010.

[2] B. D. Payne, M. Carbone, M. Sharif, and W. Lee, "Lares: an architecture for secure active monitoring using virtualization," in Proceedings of the 2008 IEEE Symposium on Security and Privacy (SP), pp. 233–247, Oakland, Calif, USA, May 2008.

[3] M. I. Sharif, W. Lee, W. Cui, and A. Lanzi, "Secure in-VM monitoring using hardware virtualization," in Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS '09), pp. 477–487, Chicago, Ill, USA, November 2009.

[4] Z. Wang, X. Jiang, W. Cui, and P. Ning, "Countering kernel rootkits with lightweight hook protection," in Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS '09), pp. 545–554, Chicago, Ill, USA, November 2009.

[5] O. S. Hofmann, A. M. Dunn, S. Kim, I. Roy, and E. Witchel, "Ensuring operating system kernel integrity with OSck," in Proceedings of the 16th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS 2011), pp. 279–290, Newport Beach, Calif, USA, March 2011.

[6] A. Baliga, V. Ganapathy, and L. Iftode, "Detecting kernel-level rootkits using data structure invariants," IEEE Transactions on Dependable and Secure Computing, vol. 8, no. 5, pp. 670–684, 2011.

[7] S. Bharadwaja, W. Sun, M. Niamat, and F. Shen, "Collabra: a Xen hypervisor based collaborative intrusion detection system," in Proceedings of the 2011 8th International Conference on Information Technology: New Generations (ITNG 2011), pp. 695–700, Las Vegas, NV, USA, April 2011.

[8] A. Srivastava, A. Lanzi, J. Giffin, and D. Balzarotti, "Operating system interface obfuscation and the revealing of hidden operations," Lecture Notes in Computer Science, vol. 6739, pp. 214–233, 2011.

[9] J. Szefer, E. Keller, R. B. Lee, and J. Rexford, "Eliminating the hypervisor attack surface for a more secure cloud," in Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS '11), pp. 401–412, Chicago, Ill, USA, October 2011.

[10] H. Benzina and J. Goubault-Larrecq, "Some ideas on virtualized system security, and monitors," in Data Privacy Management and Autonomous Spontaneous Security, vol. 6514 of Lecture Notes in Computer Science, pp. 244–258, Springer, Berlin, Heidelberg, Germany, 2011.

[11] L. Wang, H. Gao, W. Liu, and Y. Peng, "Detecting and managing hidden process via hypervisor," Jisuanji Yanjiu yu Fazhan/Computer Research and Development, vol. 48, no. 8, pp. 1534–1541, 2011.

[12] P. Barham, B. Dragovic, K. Fraser et al., "Xen and the art of virtualization," in Proceedings of the 19th ACM Symposium on Operating Systems Principles (SOSP '03), pp. 164–177, New York, NY, USA, October 2003.

[13] D. Chisnall, The Definitive Guide to the Xen Hypervisor, Prentice Hall Press, Upper Saddle River, NJ, USA, 2007.

[14] S. Forrest, A. Perelson, L. Allen, and R. Cherukuri, "Self-nonself discrimination in a computer," in Proceedings of the 1994 IEEE Computer Society Symposium on Research in Security and Privacy, pp. 202–212, Oakland, Calif, USA, 1994.

[15] D. Li, C. Liu, Y. Du, and X. Han, "Artificial intelligence with uncertainty," Journal of Software, vol. 15, no. 11, article 2, 2004.

[16] P. D'haeseleer, S. Forrest, and P. Helman, "An immunological approach to change detection: algorithms, analysis and implications," in Proceedings of the 1996 IEEE Symposium on Security and Privacy, pp. 110–119, Oakland, Calif, USA, 1996.

[17] M. Glickman, J. Balthrop, and S. Forrest, "A machine learning evaluation of an artificial immune system," Evolutionary Computation, vol. 13, no. 2, pp. 179–212, 2005.

[18] S. Woo, M. Ohara, E. Torrie, J. Singh, and A. Gupta, "The SPLASH-2 programs: characterization and methodological considerations," in Proceedings of the 22nd Annual International Symposium on Computer Architecture, pp. 24–36, Santa Margherita Ligure, Italy, 1995.

[19] J. P. Singh, W. Weber, and A. Gupta, "SPLASH," ACM SIGARCH Computer Architecture News, vol. 20, no. 1, pp. 5–44, 1992.

[20] Standard Performance Evaluation Corporation, http://www.spec.org/.

[21] httperf, http://www.hpl.hp.com/research/linux/httperf/.

[22] autobench, http://www.xenoclast.org/autobench/.

[23] J. Balthrop, S. Forrest, M. E. J. Newman, and M. M. Williamson, "Technological networks and the spread of computer viruses," Science, vol. 304, no. 5670, pp. 527–529, 2004.



The size of the danger zone limits the scope of the immune response, and the immune cells in the region are activated to participate in the immune response. For antigen $ag_i$, the danger zone function $DA(ag_i)$ is defined below; it returns the collection of detectors whose distance from $ag_i$ is less than $r_{danger}$:

$$DA(ag_i) = \Bigl\{\, x \;\Big|\; \frac{1}{\frac{1}{k}\sum_{j=1}^{k} f(x.ab_{x_j},\, ag_i)} \le r_{danger} \;\wedge\; x \in T \,\Bigr\} \quad (4)$$

where $r_{danger}$ is the radius of the danger zone.

How is it determined, from the danger signals, whether the environment is damaged? We use the cloud model for this evaluation. The cloud model [15] is a probabilistic reasoning tool and a mathematical transformation model between a qualitative concept expressed by linguistic values and quantitative data; it has three numerical characteristics: expectation $Ex$, entropy $En$, and hyper-entropy $He$. Based on the danger signal modelling, we use a cloud rule generator and a reverse cloud generator to carry out the qualitative analysis of the guest virtual machine environment. The rule generator consists of a front cloud and a rear cloud: the IF part (the condition of the rule) is realised by the front cloud, and the THEN part (the result of the rule) by the rear cloud. The inputs of the front cloud are the measured values and its output is the membership degree with which a sample activates some rule; that membership is the input of the rear cloud, whose output is the conclusion of the rule.

First, the danger signals $DS(ag_i)$ are sampled $m$ times in a safe state and in an attacked state. From the cloud droplets obtained, the reverse cloud generator yields the numerical characteristics of the front clouds: $(Ex_{s_i}, En_{s_i}, He_{s_i})$ for the secure state and $(Ex_{d_i}, En_{d_i}, He_{d_i})$ for the dangerous state. If the secure-state cloud and the dangerous-state cloud cover the entire state space, these two clouds suffice to determine the status of the system; this is the ideal situation. If they do not cover the whole state space, the empty part must be divided, into a weak secure-state cloud and a weak dangerous-state cloud. In general, the closer a cloud is to the centre of the universe of discourse, the smaller its entropy and hyper-entropy are, and the farther it is from the centre, the larger they are. For two neighbouring clouds, the entropy and hyper-entropy of the smaller one are 0.618 times those of the larger one; this is an empirical value. From this we obtain $En_{ls_i}$, $En_{ld_i}$, $He_{ls_i}$, and $He_{ld_i}$. According to the "3En rule" of the cloud model, the expectations of the weak secure-state cloud and the weak dangerous-state cloud are estimated as follows:

$$Ex_{ls_i} = Ex_{s_i} + 3En_{ls_i} = Ex_{s_i} + 3 \cdot 0.618\, En_{s_i} \quad (5)$$

$$Ex_{ld_i} = Ex_{d_i} - 3En_{ld_i} = Ex_{d_i} - 3 \cdot 0.618\, En_{d_i} \quad (6)$$

We design the following rules to build the rule generator. From the actual value of a danger signal we then obtain the state of the environment and the level of membership.

Rule 1 IF danger signal indicator is low THEN the systemis safe and does not elicit the immune response and thecorresponding antibody can be deleted

Rule 2 IF danger signal indicator is comparatively lowTHEN the system is relatively safe and does not elicit animmune response

Rule 3 IF danger signal indicator is comparatively highTHEN the system is relatively in danger and elicits animmune response

Rule 4 IF danger signal indicator is high THEN the sys-tem is in danger elicits an immune response and addscorresponding mature antibody into the memory antibodycollection
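As an added worked example (not part of the original paper), the following Python code builds the four front clouds of Rules 1 to 4 from sampled danger signals and fires the rule with the largest membership. It assumes the standard backward cloud generator of the cloud model ($Ex$ = mean, $En = \sqrt{\pi/2}\cdot$ mean absolute deviation, $He = \sqrt{|S^2 - En^2|}$) and evaluates membership on each cloud's expectation curve, dropping the random perturbation of $En$ by $He$ so that the result is deterministic; the two sample sets are constructed, not measurements from the paper.

```python
import math

SCALE = 0.618  # empirical ratio between neighbouring clouds (given in the text)


def reverse_cloud(samples):
    """Backward cloud generator (standard form, assumed): (Ex, En, He) from cloud droplets.
    Ex = mean, En = sqrt(pi/2) * mean|x - Ex|, He = sqrt(|S^2 - En^2|)."""
    m = len(samples)
    ex = sum(samples) / m
    en = math.sqrt(math.pi / 2) * sum(abs(x - ex) for x in samples) / m
    s2 = sum((x - ex) ** 2 for x in samples) / (m - 1)
    he = math.sqrt(abs(s2 - en ** 2))
    return ex, en, he


def membership(x, ex, en):
    """Certainty degree of x in a normal cloud, on the expectation curve (He ignored)."""
    return math.exp(-((x - ex) ** 2) / (2 * en ** 2))


def build_rule_clouds(safe_samples, danger_samples):
    """Front clouds for Rules 1-4: secure and dangerous clouds from the samples, weak
    clouds from Eqs. (5) and (6) with entropy/hyper-entropy scaled by 0.618 (3En rule)."""
    ex_s, en_s, he_s = reverse_cloud(safe_samples)
    ex_d, en_d, he_d = reverse_cloud(danger_samples)
    en_ls, he_ls = SCALE * en_s, SCALE * he_s
    en_ld, he_ld = SCALE * en_d, SCALE * he_d
    ex_ls = ex_s + 3 * en_ls  # Eq. (5): weak secure-state cloud
    ex_ld = ex_d - 3 * en_ld  # Eq. (6): weak dangerous-state cloud
    return {
        1: ("low", ex_s, en_s, he_s),
        2: ("comparatively low", ex_ls, en_ls, he_ls),
        3: ("comparatively high", ex_ld, en_ld, he_ld),
        4: ("high", ex_d, en_d, he_d),
    }


def classify(ds, clouds):
    """Rule generator: fire the rule whose front cloud gives the largest membership.
    Returns (rule number, membership); Rules 3 and 4 elicit an immune response."""
    rule, (_, ex, en, _) = max(
        clouds.items(), key=lambda kv: membership(ds, kv[1][1], kv[1][2])
    )
    return rule, membership(ds, ex, en)


# Constructed danger-signal samples (m = 5 per state), not measurements from the paper.
SAFE = [0.10, 0.15, 0.20, 0.25, 0.30]
DANGER = [0.70, 0.75, 0.80, 0.85, 0.90]
RULE_CLOUDS = build_rule_clouds(SAFE, DANGER)


def elicits_response(ds, clouds=RULE_CLOUDS):
    """True when the fired rule is 3 or 4 (relatively in danger / in danger)."""
    return classify(ds, clouds)[0] >= 3


if __name__ == "__main__":
    for rule, (label, ex, en, he) in RULE_CLOUDS.items():
        print(f"Rule {rule} ({label}): Ex={ex:.4f} En={en:.4f} He={he:.4f}")
    for ds in (0.15, 0.45, 0.60, 0.85):
        print(ds, classify(ds, RULE_CLOUDS), elicits_response(ds))
```

With these samples the weak clouds fall between the two measured ones ($Ex_s < Ex_{ls} < Ex_{ld} < Ex_d$), and a signal of 0.45 fires Rule 2 while 0.60 already fires Rule 3; if the secure and dangerous samples overlap so much that the weak clouds cross, the rule order breaks down, which is the practical check to make before trusting the classifier.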

When the system triggers the secondary response, or danger signals trigger the initial response, antibodies mutate according to the immune response mechanism: new antibodies with higher affinity to the original antigens are generated in order to identify danger more quickly, and antibodies with lower affinity are also generated and added to the immature antibody collection in order to maintain the diversity of the immune system.

2.4. Implementation Mechanism of Information Monitoring. The antigen presenting module and the signal acquisition module are deployed in domU. Because Linux is open source, these two modules can be added to domU's kernel. The information monitoring module is deployed in the VMM. To ensure the safety of the antigen presenting module and the signal acquisition module, the model accesses the memory spaces they occupy and computes a hash over the memory contents. The implementation must solve two issues: first, how to find the memory space to which the two modules belong; second, how to use hashing to ensure that the two modules have not been tampered with.

The VMM is responsible for managing and allocating the hardware resources and provides virtual hardware resources to the upper operating-system kernels; domU accesses physical memory through the VMM. In a Linux system the System.map file is the kernel symbol table: it lists all kernel symbol names and their corresponding virtual addresses, where a kernel symbol may be a variable name or a function name. Since the antigen presenting module and the signal acquisition module live in domU's kernel space, all the variables and functions they contain can be found in System.map; that is, their virtual memory addresses in domU are known. In a Xen system there are three kinds of memory: virtual memory, pseudo-physical memory, and machine memory. Virtual memory means that each process has a separate virtual address space. Pseudo-physical memory sits between virtual memory and machine memory, and the operating system of each domU believes that pseudo-physical memory is "physical memory"; machine memory is the real physical memory. The VMM maintains a global M2P (machine-to-physical) translation table and each domU maintains a partial P2M (physical-to-machine) translation table. Hence the pseudo-physical address corresponding to a virtual address can be found through domU's page table, and the machine address corresponding to the pseudo-physical address through domU's P2M table.

Through the above method we can find the memory space to which the antigen presenting module and the signal acquisition module belong. The information monitoring module reads the contents of all initialized data, read-only data, and function code belonging to the two modules, in the order given by the System.map file, as the hash input. A hash function maps a binary value of arbitrary length to a shorter, fixed-length binary value, and for a cryptographic hash it is computationally infeasible to find two different inputs that map to the same value (collision resistance), which is the property the integrity check relies on. Therefore hash computation is used to ensure the integrity of the memory spaces of the antigen presenting module and the signal acquisition module. In the hypervisor we define two variables $hd_{ag}$ and $hd_{sig}$ that store the cumulative hash values of the antigen presenting module and the signal acquisition module; they are calculated as follows:

$$hd_{ag}(i+1) = hash\bigl(hd_{ag}(i)\ \&\ r_{ag}(i+1)\bigr), \qquad hd_{sig}(j+1) = hash\bigl(hd_{sig}(j)\ \&\ r_{sig}(j+1)\bigr) \quad (7)$$

In (7), $hash(x)$ is the hash function, $\&$ is a binary string concatenation operator, $r_{ag}(i)$ is the content of the $i$th memory segment of the antigen presenting module, and $hd_{ag}(i)$ is the accumulated value after $i$ hash computations for the antigen presenting module; the second formula is read by analogy for the signal acquisition module. We mark the final cumulative hash values of the two modules, computed in a safe state and stored by the hypervisor, as the standard values $hd'_{ag}$ and $hd'_{sig}$. The information monitoring module is executed periodically; by comparing the hash values $hd_{ag}$ and $hd_{sig}$ obtained while the program is running with the standard values, we can determine whether the antigen presenting module and the signal acquisition module are intact.
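As an added worked example (not part of the original paper), the following Python code implements the chained hash of (7) over a constructed System.map excerpt and memory image, computes the standard values in a clean state, and shows the periodic check catching an inline hook of the kind described in Section 4.3. SHA-256 as the hash, an empty initial value $hd(0)$, the symbol prefixes used to select the two modules, and all addresses and contents are assumptions of the example, not details from the paper.

```python
import hashlib

# Constructed System.map excerpt and memory image for two hypothetical domU kernel
# modules: symbols prefixed "ap_" (antigen presenting) and "sig_" (signal acquisition).
# Addresses, names and contents are invented for the example, not from a real kernel.
BASE = 0xFFFFFFFF81A00000
IMAGE_SIZE = 0x500
SYSTEM_MAP = """\
ffffffff81a00000 T ap_collect_syscall
ffffffff81a00100 T ap_present_antigen
ffffffff81a00200 D ap_window_len
ffffffff81a00300 T sig_sample_env
ffffffff81a00400 R sig_weights
ffffffff81a00480 T other_kernel_func
"""


def build_image():
    """Constructed machine-memory image covering the map above (deterministic byte pattern)."""
    img = bytearray(IMAGE_SIZE)
    for off in range(IMAGE_SIZE):
        img[off] = (off * 7 + (off >> 8) * 31) & 0xFF
    return img


def parse_system_map(text):
    """Parse 'address type symbol' lines into [(addr, symbol)] sorted by address."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3:
            entries.append((int(fields[0], 16), fields[2]))
    return sorted(entries)


def module_segments(image, entries, prefixes):
    """Bytes of each symbol belonging to a monitored module, in System.map order.
    A symbol's segment extends to the next symbol in the map (or the end of the image)."""
    segs = []
    for i, (addr, name) in enumerate(entries):
        if not name.startswith(prefixes):
            continue
        end = entries[i + 1][0] if i + 1 < len(entries) else BASE + len(image)
        segs.append(bytes(image[addr - BASE:end - BASE]))
    return segs


def chained_hash(segments, seed=b""):
    """Eq. (7): hd(i+1) = hash(hd(i) & r(i+1)), '&' being concatenation.
    hd(0) is taken as the empty string (assumption; the page does not fix it)."""
    hd = seed
    for r in segments:
        hd = hashlib.sha256(hd + r).digest()
    return hd


def measure(image, prefixes, system_map=SYSTEM_MAP):
    """Cumulative hash of one module's memory, as the information monitoring module computes it."""
    return chained_hash(module_segments(image, parse_system_map(system_map), prefixes))


def check_integrity(image, standards):
    """Periodic check: recompute hd_ag / hd_sig and compare with the standard values hd'_ag / hd'_sig."""
    return {name: measure(image, prefixes) == std for name, (prefixes, std) in standards.items()}


def inline_hook(image, addr, target):
    """Model the inline-hook rootkit of Section 4.3: overwrite a function's first 5 bytes
    with 'jmp rel32' (opcode E9 + displacement relative to the next instruction)."""
    rel = (target - (addr + 5)) & 0xFFFFFFFF
    image[addr - BASE:addr - BASE + 5] = b"\xe9" + rel.to_bytes(4, "little")
    return image


def demo():
    clean = build_image()
    standards = {  # computed once in a known-safe state and kept in the hypervisor
        "hd_ag": (("ap_",), measure(clean, ("ap_",))),
        "hd_sig": (("sig_",), measure(clean, ("sig_",))),
    }
    before = check_integrity(build_image(), standards)
    hooked = inline_hook(build_image(), 0xFFFFFFFF81A00100, 0xFFFFFFFF81A00480)
    after = check_integrity(hooked, standards)
    return before, after


if __name__ == "__main__":
    print(demo())  # ({'hd_ag': True, 'hd_sig': True}, {'hd_ag': False, 'hd_sig': True})
```

Because the chain is computed in System.map order, the standard value fixes both the contents and the layout of the module: reordering the segments changes $hd_{ag}$ just as a patched byte does. Note that the check is only as good as the baseline; the standard values must be captured before the guest is exposed, and the text's trust assumption on the hypervisor is what protects them.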

2.5 The Immune Evolution Model

2.5.1 Self-Evolution Model

$$S(t) = \begin{cases} S_{\mathrm{first}}, & t = 0 \\ S(t-1), & t \bmod \delta \neq 0 \\ \big(S(t-1) \cup S_{\mathrm{new}}(t) - S_{\mathrm{unload}}(t)\big) - S_{\mathrm{dead}}(t), & t > 0 \cap t \bmod \delta = 0 \end{cases}$$

$$S_{\mathrm{dead}}(t) = \begin{cases} \emptyset, & \big|S(t-1) \cup S_{\mathrm{new}}(t) - S_{\mathrm{unload}}(t)\big| < \mathrm{size}_{\max} \\ \{\mathrm{ag} \mid \mathrm{ag} \in S(t-1) \cap \text{eliminate } |S_{\mathrm{new}}(t) - S_{\mathrm{unload}}(t)| \text{ elements according to some principles}\}, & \text{others} \end{cases} \qquad (8)$$

where $S(t), S(t-1) \subset S$ respectively express the self set at moments t and t − 1, $S_{\mathrm{first}}$ is the self set at the initial moment, and δ is the evolutionary cycle of selves. Within a δ cycle the self set remains unchanged; at the end of a δ period, new elements $S_{\mathrm{new}}(t)$ are added (such as newly loaded programs), programs $S_{\mathrm{unload}}(t)$ that have been uninstalled are deleted, and part of the selves, $S_{\mathrm{dead}}(t)$, are eliminated in order to avoid unlimited growth of the self set.

The computer software system is a huge collection. The self set of a complete software system is too large for the computing capacity available at present, and it is very difficult to find an absolutely reliable self set in a dynamic software system. The evolution of the self set lets the model maintain only a smaller set of selves, ensuring higher time efficiency within the existing computing capacity. In addition, because of the continuous evolution of selves, nonself elements which have mixed into the selves will eventually be removed, reducing the false negative rate caused by an incomplete self set.
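As an added illustration (not part of the paper or its implementation), the following Python steps the self-set recurrence (8) on constructed program labels. It assumes the unspecified elimination principle is "oldest self first" and uses δ = 5 and size_max = 4, so that an element which wrongly entered the initial self set is eventually evicted, which is the effect the paragraph above describes.

```python
from dataclasses import dataclass

DELTA = 5      # evolutionary cycle delta of (8) (value chosen for the example)
SIZE_MAX = 4   # size_max of (8) (value chosen for the example)


@dataclass(frozen=True)
class SelfElement:
    name: str       # constructed label for a program's normal behaviour
    loaded_at: int  # time step at which it entered the self set


def evolve_self_set(prev, t, delta, size_max, new=(), unloaded=()):
    """One step of the self-set recurrence (8). Returns (S(t), S_dead(t)).

    prev     -- S(t-1)
    new      -- names in S_new(t), programs loaded during the cycle
    unloaded -- names in S_unload(t), programs uninstalled during the cycle
    """
    if t == 0 or t % delta != 0:          # S_first, or inside a cycle: unchanged
        return set(prev), set()
    gone = set(unloaded)
    kept = {s for s in prev if s.name not in gone}
    added = {SelfElement(name, t) for name in new if name not in gone}
    candidate = kept | added              # (S(t-1) ∪ S_new(t)) - S_unload(t)
    if len(candidate) < size_max:
        return candidate, set()           # S_dead(t) is empty
    # Eliminate |S_new(t) - S_unload(t)| elements of S(t-1). The paper leaves the
    # principle open; this example evicts the oldest selves first (assumption).
    victims = set(sorted(kept, key=lambda s: (s.loaded_at, s.name))[:len(added)])
    return candidate - victims, victims


# Constructed scenario: "miner" is a nonself that wrongly ended up in S_first.
S_FIRST = {SelfElement(n, 0) for n in ("editor", "shell", "daemon", "miner")}
EVENTS = {
    5: {"new": ["backup"]},
    10: {"new": ["sync"]},
    15: {"new": ["cron"]},
    20: {"unloaded": ["backup"]},
}


def run_simulation(steps=20, delta=DELTA, size_max=SIZE_MAX):
    """Drive (8) over the event schedule; returns {t: sorted self names}."""
    s, history = set(S_FIRST), {}
    for t in range(steps + 1):
        ev = EVENTS.get(t, {})
        s, _dead = evolve_self_set(s, t, delta, size_max,
                                   ev.get("new", ()), ev.get("unloaded", ()))
        history[t] = sorted(x.name for x in s)
    return history


if __name__ == "__main__":
    for t, names in run_simulation().items():
        if t % DELTA == 0:
            print(f"t={t:2d} S(t)={names}")
```

With these values the stray "miner" element survives the first two cycles and is evicted at t = 15 once three newer selves have been loaded, while at t = 20 an uninstalled program is removed without any eviction because the set has room again.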

2.5.2 Antibody Gene Lib Evolution Model

$$G(t) = \begin{cases} G_{\mathrm{first}}, & t = 0 \\ \big(G(t-1) - G_{\mathrm{dead}}(t)\big) \cup G_{\mathrm{new}}(t), & t > 0 \end{cases} \qquad (9)$$

where $G(t), G(t-1) \subset G$ respectively express the antibody gene library at moments t and t − 1, and $G_{\mathrm{first}}$ is the initial antibody gene collection, which consists of gene fragments of typical kinds of malware. $G_{\mathrm{dead}}(t) = \bigcup_{x \in M_{\mathrm{dead}}(t)} \bigcup_{i=1}^{k} x.\mathrm{ag}.x_i$ is the set of mutated genes which should be removed at time t, where $M_{\mathrm{dead}}(t)$ is the set of memory detectors with false positives. When a mature detector is cloned, its genes $G_{\mathrm{new}}(t) = \bigcup_{x \in T_{\mathrm{cloned}}(t)} \bigcup_{i=1}^{k} x.\mathrm{ag}.x_i$ join the antibody gene library as dominant genes, where $T_{\mathrm{cloned}}(t)$ is the set of activated mature detectors.

8 Mobile Information Systems

The antibody gene library is mainly used to improve the generation efficiency of immature detectors. In the generation process of new immature detectors, their antibodies are produced by gene encoding, so they have the ability to detect known malware variants, reducing the tolerance time. The use of genetic coding produces the "Baldwin effect": evolution and learning enable new individuals to acquire some of the same characteristics, reducing the diversity of the system. In order to solve this problem, a certain proportion of randomly generated immature detectors are added to ensure the diversity of the system.

2.5.3 Immature Detectors Evolution Model

$$U(t) = \begin{cases} \emptyset, & t = 0 \\ \big(f_{\mathrm{age}}(U(t-1)) - (U_{\mathrm{untolerance}}(t) \cup U_{\mathrm{matured}}(t))\big) \cup U_{\mathrm{new}}(t), & t > 0 \end{cases}$$

$$U_{\mathrm{untolerance}}(t) = \{x \mid x \in f_{\mathrm{age}}(U(t-1)) \cap \exists y \in S(t-1)\,(\mathrm{affinity}(x.\mathrm{ab}, y) = 1)\}$$

$$U_{\mathrm{matured}}(t) = \{x \mid x \in f_{\mathrm{age}}(U(t-1)) - U_{\mathrm{untolerance}}(t) \cap x.\mathrm{age} > \gamma\} \qquad (10)$$

where $U(t), U(t-1) \subset U$ respectively express the set of immature detectors at moments t and t − 1; $f_{\mathrm{age}}(X)$ ($X \subset B$) adds 1 to the age of every detector in X; $U_{\mathrm{untolerance}}(t)$ is the set of immature detectors which do not pass self-tolerance; $U_{\mathrm{matured}}(t)$ is the set of mature detectors which pass self-tolerance; and $U_{\mathrm{new}}(t)$ is the set of newly created immature detectors at time t, which includes two parts: completely randomly generated detectors (to ensure diversity) and detectors generated by gene encoding from the antibody gene library (to ensure availability).

2.5.4 Mature Detectors Evolution Model

$$T(t) = \begin{cases} \emptyset, & t = 0 \\ \big(f_{\mathrm{age}}(T(t-1)) - (T_{\mathrm{dead}}(t) \cup T_{\mathrm{cloned}}(t))\big) \cup U_{\mathrm{matured}}(t) \cup T_{\mathrm{permutation}}(t), & t > 0 \end{cases}$$

$$T_{\mathrm{dead}}(t) = \{x \mid x \in f_{\mathrm{age}}(T(t-1)) \cap x.\mathrm{age} = \mathrm{age}_{\max} \cap \nexists y \in N(t-1)\,(x \in \mathrm{DA}(y))\}$$

$$T_{\mathrm{cloned}}(t) = \{x \mid x \in (f_{\mathrm{age}}(T(t-1)) - T_{\mathrm{dead}}(t)) \cap \exists y \in N(t-1)\,(x \in \mathrm{DA}(y))\}$$

$$T_{\mathrm{permutation}}(t) = f_{\mathrm{clone\_mutation}}(T_{\mathrm{cloned}}(t) \cup M_{\mathrm{cloned}}(t)) \qquad (11)$$

where $T(t), T(t-1) \subset T$ respectively express the set of mature detectors at moments t and t − 1; $T_{\mathrm{dead}}(t)$ is the set of mature detectors which have not been activated by the end of their life cycle; $T_{\mathrm{cloned}}(t)$ is the set of mature detectors activated by danger signals; $U_{\mathrm{matured}}(t)$ is the set of new mature detectors; $T_{\mathrm{permutation}}(t)$ is the set of mature detectors produced by clonal mutation of the activated ones; and $f_{\mathrm{clone\_mutation}}(X)$ ($X \subset T$) is the clonal variation function, which executes the clone and mutation operation for each element x in X.

2.5.5 Memory Detectors Evolution Model

$$M(t) = \begin{cases} M_{\mathrm{first}}, & t = 0 \\ \big(M(t-1) - M_{\mathrm{dead}}(t)\big) \cup f_{\mathrm{age2}}(M_{\mathrm{cloned}}(t)), & t > 0 \end{cases}$$

$$M_{\mathrm{dead}}(t) = \{x \mid x \in M(t-1) \cap \exists y \in S(t-1)\,(\mathrm{affinity}(x.\mathrm{ab}, y) = 1)\}$$

$$M_{\mathrm{cloned}}(t) = \{x \mid x \in M(t-1) \cap \exists y \in N(t-1)\,(x \in \mathrm{DA}(y))\} \qquad (12)$$

where $M(t), M(t-1) \subset M$ respectively express the set of memory detectors at moments t and t − 1; $M_{\mathrm{first}}$ is the set of initial memory detectors, which can be obtained from common malware; $M_{\mathrm{dead}}(t)$ is the set of memory detectors with false positives at moment t; $f_{\mathrm{age2}}(M_{\mathrm{cloned}}(t))$ expresses the set of newly created memory detectors, where $f_{\mathrm{age2}}(X)$ ($X \subset B$) sets the age of each detector in X to $\mathrm{age}_{\max}$; and $M_{\mathrm{cloned}}(t)$ is the set of activated memory detectors at time t.

2.5.6 Antigen Detection

$$\mathrm{AG}(t) = \begin{cases} \mathrm{AG}_{\mathrm{first}}, & t = 0 \\ \big(\mathrm{AG}(t-1) - \mathrm{AG}_{\mathrm{self}}(t) - \mathrm{AG}_{\mathrm{nonself}}(t)\big) \cup \mathrm{AG}_{\mathrm{new}}(t), & t > 0 \end{cases}$$

$$\mathrm{AG}_{\mathrm{nonself}}(t) = \{x \mid x \in \mathrm{AG}_{\mathrm{checked}}(t) \cap \exists y \in (T_{\mathrm{cloned}}(t) \cup M_{\mathrm{cloned}}(t))\,(\mathrm{affinity}(y.\mathrm{ab}, x) = 1)\}$$

$$\mathrm{AG}_{\mathrm{self}}(t) = \{x \mid x \in \mathrm{AG}_{\mathrm{checked}}(t) \cap \forall y \in (T(t) \cup M(t))\,(\mathrm{affinity}(y.\mathrm{ab}, x) = 0)\} \qquad (13)$$


where $\mathrm{AG}(t), \mathrm{AG}(t-1) \subset \mathrm{AG}$ respectively express the set of antigens at moments t and t − 1, $\mathrm{AG}_{\mathrm{first}}$ is the set of initial antigens, and $\mathrm{AG}_{\mathrm{checked}}(t) \subset \mathrm{AG}(t)$ expresses the antigens to be checked at moment t.
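The recurrences (10) to (13) are easiest to follow as one small simulation. The Python below is an added example and not the authors' code: detectors and antigens are 16-bit strings under an r-contiguous-bits rule with r = 6, the self set and the gene library are constructed, the danger area DA(y) is taken to be the detectors matching a danger-signalled antigen y, activated mature detectors are promoted to memory detectors as in the ARTIS life cycle, and a detector's age restarts when it matures; all of these are assumptions filling in what the equations leave open, and memory-detector ages (f_age2) are not modelled.

```python
import random

L_BITS = 16   # length of antigen and antibody bit strings (assumption)
R_CONT = 6    # r of the r-contiguous-bits matching rule (assumption)
GAMMA = 2     # tolerance period gamma of immature detectors in (10)
AGE_MAX = 5   # life span age_max of an unactivated mature detector in (11)

# Constructed data: encodings of normal behaviour (the self set S) and one
# known-malware gene fragment (the initial antibody gene library G_first).
SELVES = {"0000000000000000", "0000000011111111", "0011001100110011"}
GENE_LIB = ["1010101010101010"]


def affinity(ab, ag, r=R_CONT):
    """r-contiguous-bits rule: 1 if ab and ag agree on r consecutive positions."""
    return int(any(ab[i:i + r] == ag[i:i + r] for i in range(len(ab) - r + 1)))


class Detector:
    def __init__(self, ab, origin):
        self.ab, self.origin, self.age = ab, origin, 0


class ImmuneModel:
    def __init__(self, selves, gene_lib, seed=0, n_random=6, n_gene=2):
        self.rng = random.Random(seed)
        self.S, self.G = set(selves), list(gene_lib)
        self.U, self.T, self.M = [], [], []      # immature, mature, memory
        self.n_random, self.n_gene = n_random, n_gene

    def matches_self(self, det):
        return any(affinity(det.ab, s) for s in self.S)

    def activated(self, danger):
        """Detectors of T and M inside a danger area DA(y): taken here to be the
        detectors matching a danger-signalled antigen y (assumption)."""
        return [d for d in self.T + self.M if any(affinity(d.ab, y) for y in danger)]

    def new_immature(self):
        """U_new(t): random detectors (diversity) plus gene-encoded ones (one bit mutated)."""
        new = [Detector("".join(self.rng.choice("01") for _ in range(L_BITS)), "random")
               for _ in range(self.n_random)]
        for _ in range(self.n_gene):
            bits = list(self.rng.choice(self.G))
            p = self.rng.randrange(L_BITS)
            bits[p] = "1" if bits[p] == "0" else "0"
            new.append(Detector("".join(bits), "gene"))
        return new

    def step(self, danger=()):
        """One evolution step over (10), (11) and (12)."""
        act = {id(d) for d in self.activated(danger)}
        for d in self.U + self.T:
            d.age += 1                                                   # f_age
        tolerant = [d for d in self.U if not self.matches_self(d)]       # minus U_untolerance
        matured = [d for d in tolerant if d.age > GAMMA]                 # U_matured
        self.U = [d for d in tolerant if d.age <= GAMMA] + self.new_immature()
        for d in matured:
            d.age = 0                     # age restarts as a mature detector (assumption)
        cloned = [d for d in self.T if id(d) in act]                     # T_cloned
        dead = [d for d in self.T if d.age >= AGE_MAX and id(d) not in act]  # T_dead
        self.T = [d for d in self.T if id(d) not in act and d not in dead] + matured
        # (12): drop memory detectors that now match a self (M_dead); activated
        # mature detectors become memory detectors as in the ARTIS life cycle (assumption).
        self.M = [d for d in self.M if not self.matches_self(d)] + cloned
        return {"matured": len(matured), "dead": len(dead), "activated": len(cloned)}

    def classify(self, antigens, danger=()):
        """(13): nonself if an activated detector matches; self if no mature or
        memory detector matches at all; otherwise the antigen stays pending."""
        act = self.activated(danger)
        verdict = {}
        for ag in antigens:
            if any(affinity(d.ab, ag) for d in act):
                verdict[ag] = "nonself"
            elif not any(affinity(d.ab, ag) for d in self.T + self.M):
                verdict[ag] = "self"
            else:
                verdict[ag] = "pending"
        return verdict


def demo(seed=1):
    """Warm up a tolerant repertoire, then present a malware-like antigen with a danger signal."""
    model = ImmuneModel(SELVES, GENE_LIB, seed=seed)
    for _ in range(5):
        model.step()                      # no danger yet: detectors only mature
    suspect = GENE_LIB[0]                 # constructed antigen behaving like the known malware
    verdict = model.classify(list(SELVES) + [suspect], danger=[suspect])
    stats = model.step(danger=[suspect])  # activated detectors are promoted to memory
    return model, verdict, stats


if __name__ == "__main__":
    model, verdict, stats = demo()
    print(verdict)
    print(stats, "memory detectors:", len(model.M))
```

Two properties hold regardless of the random seed: every detector that reaches T or M has passed self-tolerance, so the constructed selves are always classified as self, and a gene-encoded detector with one mutated bit still shares a 6-bit window with the gene, so the suspect antigen is matched and, once a danger signal arrives, reported as nonself. An antigen matched only by detectors that have not been activated stays pending, which is what (13) prescribes.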

3. Performance Analysis of the Model

Set the number of programs in a computer as $N_p$, and usually the proportion of nonselves is ρ. The size of the self set is |S|, the size of the mature detector set is |T|, and the size of the memory detector set is |M|. The matching probability between any given detector and any given antigen is $P_m$ (which is related to the specific matching rule). P(A) is the probability of occurrence of event A.

Theorem 5. For any detector which passes self-tolerance, the probability of this detector matching those selves which are not described is
$$P_n = (1 - P_m)^{|S|} \cdot \big(1 - (1 - P_m)^{N_p \cdot (1-\rho) - |S|}\big).$$

Proof. Let A be the event "the given detector does not match any self in the self set" and B the event "the given detector matches at least one self in the undescribed self set". It is clear that a detector from A is self-tolerated, and a detector from B may not be self-tolerated; $P_n = P(A)P(B)$. In event A, the number of times X that the detector matches selves follows the binomial distribution, that is, $X \sim b(n, p)$ where n = |S| and $p = P_m$. Then $P(A) = P(X = 0) = (P_m)^0 (1 - P_m)^{|S|} = (1 - P_m)^{|S|}$. In a similar way, in event B the number of times Y that the detector matches selves follows the binomial distribution, $Y \sim b(n, p)$ where $n = N_p \cdot (1 - \rho) - |S|$ and $p = P_m$. Then $P(B) = 1 - P(Y = 0) = 1 - (1 - P_m)^{N_p \cdot (1-\rho) - |S|}$, and $P_n = P(A)P(B) = (1 - P_m)^{|S|} \cdot (1 - (1 - P_m)^{N_p \cdot (1-\rho) - |S|})$.

Theorem 6. For any given nonself antigen ag, the probability of this antigen being identified correctly is
$$P_r = 1 - (1 - P_m)^{(|M|+|T|)(1-P_n)} \approx 1 - e^{-P_m (|M|+|T|)(1-P_n)}.$$

Proof. Let A be the event "ag matches some memory detector or some mature detector which is triggered by danger signals"; $P_r = P(A)$. In event A, the number of times X that the antigen matches detectors follows the binomial distribution $X \sim b(n, p)$ where $n = (|M| + |T|)(1 - P_n)$ and $p = P_m$ (the memory detectors and mature detectors which recognize selves cannot identify nonselves, so they are not counted). Then $P_r = P(A) = 1 - P(X = 0) = 1 - (1 - P_m)^{(|M|+|T|)(1-P_n)}$. According to the Poisson theorem, when $P_m$ is small and $(|M| + |T|)(1 - P_n)$ is large, $P_r \approx 1 - e^{-P_m(|M|+|T|)(1-P_n)}$.

Theorem 7. For any given nonself antigen ag, the probability of a false negative with this antigen is
$$P_{\mathrm{neg}} = (1 - P_m)^{(|M|+|T|)(1-P_n)} \approx e^{-P_m(|M|+|T|)(1-P_n)};$$
for any given self antigen ag, the probability of a false positive with this antigen is
$$P_{\mathrm{pos}} = 1 - (1 - P_m)^{(|M|+|T|)P_n} \approx 1 - e^{-P_m(|M|+|T|)P_n}.$$

Proof. By Theorem 6, $P_{\mathrm{neg}} = 1 - P_r = (1 - P_m)^{(|M|+|T|)(1-P_n)} \approx e^{-P_m(|M|+|T|)(1-P_n)}$. Let A be the event "the given self matches a memory detector or a mature detector"; then $P_{\mathrm{pos}} = P(A)$. In event A, the number of times X that the self matches detectors follows the binomial distribution $X \sim b(n, p)$ where $n = (|M| + |T|)P_n$ and $p = P_m$. So $P_{\mathrm{pos}} = P(A) = 1 - P(X = 0) = 1 - (1 - P_m)^{(|M|+|T|)P_n}$. According to the Poisson theorem, when $P_m$ is small and $(|M| + |T|)P_n$ is large, $P_{\mathrm{pos}} \approx 1 - e^{-P_m(|M|+|T|)P_n}$.

Theorem 8. Selves of the model are completely described at the macrolevel. The spatial complexity of the dynamic tolerance model producing a fixed number of mature detectors is constant, and the time complexity is linear in the number of detectors (excluding immature detectors).

Figure 4: Effect of $N_p$ and |S| on $P_n$ ($P_m = 0.025625$, ρ = 0.01). [Surface plot over $N_p$ from 0 to 1000 and |S| from 0 to 400, $P_n$ from 0 to 1; image not reproduced.]

Proof. According to (8), the self set evolves with a fixed-length time slice. With the passage of time, $\bigcup_{t=0}^{\infty} S(t)$ will cover the entire self space, which is to say that the description of selves at the macrolevel is complete. Moreover, the size of the self set is limited to $\mathrm{size}_{\max}$. Without loss of generality, consider the extreme case in which the number of selves is $|S(t)| = \mathrm{size}_{\max}$. D'haeseleer et al. [16] pointed out that, for an arbitrary matching rule, the spatial complexity of producing a fixed number of mature detectors is $O(l \cdot \mathrm{size}_{\max})$ and the time complexity is $O\big(\frac{-\ln(P_{\mathrm{neg}})}{P_m \cdot (1-P_m)^{\mathrm{size}_{\max}}} \cdot \mathrm{size}_{\max}\big)$. For a specific matching algorithm, $P_m$ is constant. By Theorem 7, $P_{\mathrm{neg}} \approx e^{-P_m(|M|+|T|)(1-P_n)}$. By Theorem 5, $P_n = (1-P_m)^{\mathrm{size}_{\max}} \cdot (1 - (1-P_m)^{N_p \cdot (1-\rho) - \mathrm{size}_{\max}})$. So the time complexity of producing a fixed number of mature detectors is
$$O\Big(\frac{-\ln(P_{\mathrm{neg}})}{P_m \cdot (1-P_m)^{\mathrm{size}_{\max}}} \cdot \mathrm{size}_{\max}\Big) = O\Big(\frac{(|M|+|T|)(1-P_n)}{(1-P_m)^{\mathrm{size}_{\max}}} \cdot \mathrm{size}_{\max}\Big) = O\Big((|M|+|T|)\,\frac{(1-P_n) \cdot \mathrm{size}_{\max}}{(1-P_m)^{\mathrm{size}_{\max}}}\Big).$$
That is to say, the time complexity of producing a fixed number of mature detectors is linear in the number of memory detectors and mature detectors.

For a specific matching rule, $P_m$ is constant [17]. For the r-contiguous-bits matching method, $P_m = 0.025625$. Figures 4 and 5 are the Matlab simulations of Theorem 5. As can be seen from the figures, when |S| is large enough, the effect of $N_p$ and ρ on $P_n$ is small. When |S| = 200, $N_p = 500$, and ρ = 0.01, $P_n$ < 1%, which reaches the ideal value.

Figure 6 is the Matlab simulation of Theorem 6. As can be seen from the figure, $P_r$ increases as |M| and |T| become large.


Figure 5: Effect of ρ and |S| on $P_n$ ($P_m = 0.025625$, $N_p = 400$). [Surface plot over ρ from 0 to 0.1 and |S| from 0 to 400, $P_n$ from 0 to 1; image not reproduced.]

Figure 6: Effect of |M| and |T| on $P_r$ ($P_m = 0.025625$, $P_n = 0.01$). [Surface plot over |T| and |M| from 0 to 400, $P_r$ from 0 to 1; image not reproduced.]

Figures 7 and 8 are the Matlab simulations of Theorem 7. As can be seen from the figures, with the rise of |M| and |T|, $P_{\mathrm{neg}}$ decreases and $P_{\mathrm{pos}}$ increases.

Considering the simulations of Theorems 5, 6, and 7, when |S| = 200, $N_p = 500$, ρ = 0.01, |M| = 100, and |T| = 100, we obtain $P_n$ < 1%, $P_r$ > 95%, $P_{\mathrm{neg}}$ < 1%, and $P_{\mathrm{pos}}$ < 5%, which reach the ideal values.
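Theorems 5 to 7 can be checked numerically at the parameter point quoted above. The following Python is an added worked example (not from the paper) that evaluates the closed forms and their Poisson approximations at |S| = 200, $N_p$ = 500, ρ = 0.01, |M| = |T| = 100 and the r-contiguous-bits value $P_m$ = 0.025625, and sweeps |S| to reproduce the trend of Figure 4.

```python
import math

P_M = 0.025625   # matching probability of the r-contiguous-bits rule, as used in the paper


def p_n(pm, s_size, n_p, rho):
    """Theorem 5: a self-tolerant detector matches some undescribed self."""
    return (1 - pm) ** s_size * (1 - (1 - pm) ** (n_p * (1 - rho) - s_size))


def p_r(pm, m_size, t_size, pn):
    """Theorem 6: a nonself antigen is identified correctly."""
    return 1 - (1 - pm) ** ((m_size + t_size) * (1 - pn))


def p_neg(pm, m_size, t_size, pn):
    """Theorem 7: false negative on a nonself antigen (equals 1 - P_r)."""
    return (1 - pm) ** ((m_size + t_size) * (1 - pn))


def p_pos(pm, m_size, t_size, pn):
    """Theorem 7: false positive on a self antigen."""
    return 1 - (1 - pm) ** ((m_size + t_size) * pn)


def poisson_approx(pm, n):
    """Poisson-theorem approximation 1 - e^(-pm n) of 1 - (1 - pm)^n."""
    return 1 - math.exp(-pm * n)


def evaluate(pm=P_M, s_size=200, n_p=500, rho=0.01, m_size=100, t_size=100):
    """Evaluate the four probabilities at one parameter point, with their approximations."""
    pn = p_n(pm, s_size, n_p, rho)
    n_detect = (m_size + t_size) * (1 - pn)   # detectors able to recognize nonselves
    n_false = (m_size + t_size) * pn          # detectors that may fire on selves
    return {
        "P_n": pn,
        "P_r": p_r(pm, m_size, t_size, pn),
        "P_neg": p_neg(pm, m_size, t_size, pn),
        "P_pos": p_pos(pm, m_size, t_size, pn),
        "P_r_approx": poisson_approx(pm, n_detect),
        "P_neg_approx": math.exp(-pm * n_detect),
        "P_pos_approx": poisson_approx(pm, n_false),
    }


def meets_targets(res):
    """The ideal values quoted in the text: P_n < 1%, P_r > 95%, P_neg < 1%, P_pos < 5%."""
    return (res["P_n"] < 0.01 and res["P_r"] > 0.95
            and res["P_neg"] < 0.01 and res["P_pos"] < 0.05)


def sweep_self_size(sizes, pm=P_M, n_p=500, rho=0.01):
    """P_n as a function of |S| (one slice of Figure 4)."""
    return [p_n(pm, s, n_p, rho) for s in sizes]


if __name__ == "__main__":
    for k, v in evaluate().items():
        print(f"{k:12s} = {v:.5f}")
    print("targets met:", meets_targets(evaluate()))
    for s, v in zip((50, 100, 200, 300), sweep_self_size((50, 100, 200, 300))):
        print(f"|S| = {s:3d}  P_n = {v:.5f}")
```

At this parameter point the exact values are roughly $P_n$ ≈ 0.0056, $P_r$ ≈ 0.994 and $P_{\mathrm{pos}}$ ≈ 0.028, and the Poisson approximations agree with the exact binomial forms to within about 0.0005, which is why the text can use the exponential forms interchangeably.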

4. Experimental Results and Analysis

In this section we verify the validity of IB-IDS through experiments, including a security analysis, the effect on the performance of programs after adding IB-IDS to the Xen virtual machine system, and the intrusion detection efficiency of IB-IDS. The experimental environment is as follows. All tests were performed on a ThinkPad T540p notebook. The hardware configuration is an Intel Core i5-4300M 2.60 GHz quad-core CPU and 8 GB of physical memory. The Xen version is 4.4.1, which manages two domains: the privileged VM dom0 and the guest VM dom1. These two virtual machines run Ubuntu 14.04, and the Linux kernel version is 3.13.0-19. Dom0 is allocated four VCPUs and 4 GB of physical memory, and its CPU scheduling weight is set to 256, while dom1 is allocated four VCPUs and 1 GB of physical memory, and its CPU scheduling weight is set to 256.

In IB-IDS, the parameters are set as follows: danger signal parameters $k_1 = 1$, $k_2 = 0.5$, $k_3 = -1.5$, and the radius of the danger zone $r_{\mathrm{danger}} = 0.5$. Each experiment was run 10 times and the averaged results were taken.

Figure 7: Effect of |M| and |T| on $P_{\mathrm{neg}}$ ($P_m = 0.025625$, $P_n = 0.01$). [Surface plot over |T| and |M| from 0 to 400, $P_{\mathrm{neg}}$ from 0 to 1; image not reproduced.]

Figure 8: Effect of |M| and |T| on $P_{\mathrm{pos}}$ ($P_m = 0.025625$, $P_n = 0.01$). [Surface plot over |T| and |M| from 0 to 400, $P_{\mathrm{pos}}$ from 0 to 1; image not reproduced.]

4.1. Security Analysis. In the architecture description of the model, each module is distributed in a different virtual machine. In domU, data is collected and then passed to dom0 through the interdomain communication mechanism. The authorization list of Xen makes sure that a domain's memory space can only be accessed by its authorized domain. In the model, domU is the owner of a ring sharing buffer, and dom0 is the only domain granted permission; other domains cannot access it. Therefore, data will not be leaked to other unauthorized domains, and the data transfer process is safe.

In paravirtualized Xen, domU accesses the hardware indirectly through dom0. To ensure the safety of the immune calculation, the model passes data to dom0 for computation. In this model we assume that the privileged virtual machine is a trusted node.

Some traditional intrusion detection tools typically need to be deployed in a client virtual machine. Because the client virtual machine is not a trusted node and is exposed to various attacks, the detection tools are also vulnerable. In this model we assume that the virtual machine monitor is also a trusted node. The memory space of the two modules which are deployed in domU is monitored by the virtual machine monitor.

Therefore, the monitoring process and results of the model are reliable.

4.2. Performance Evaluations of the Model. The introduction of IB-IDS to a virtual machine system will obviously bring some performance cost. In cloud computing, many applications are executed concurrently. Therefore, this section first uses an appropriate performance test to assess the impact of IB-IDS on parallel programs. In our tests we used the classic SPLASH-2 program group [18, 19]. The programs are written in C, are composed of 12 benchmarks, and use the PThread parallel mode. We randomly selected five programs for testing, and Table 1 gives a brief introduction.

Table 1: Illustrations of tested parallel programs.

Program names | Meanings | Parameter settings
FFT | Computing a fast Fourier transform | m = 22, p = 2, n = 65536, l = 4
LU | Splitting a sparse matrix into a product of a lower triangular matrix and an upper triangular matrix | p = 2, n = 2048, b = 16
Ocean | Simulating movements of an entire ocean through the edge of the ocean currents (noncontiguous block allocation method) | p = 4, n = 258, t = 380, e = 1e−09
Raytrace | Path simulation of lights | p = 4, envfile = ball4
Barnes | Simulating a three-dimensional multibody system (e.g., galaxies) | p = 2, fleaves = 2

Figure 9: Testing of parallel programs. [Bar chart of compute time (ms), 0 to 5000, for FFT, LU, Ocean, Raytrace, and Barnes, with and without IB-IDS; image not reproduced.]

Figure 9 shows the contrast of the five benchmarks between running with IB-IDS loaded and unloaded. As can be seen from the figure, the calculation time in dom1 is longer than in the original system; the average increase is 7.33%, up to 10.86% on the LU program, which indicates that the additional cost of the virtual machine system with integrated IB-IDS is very small and within the acceptable range. Applying IB-IDS to cloud computing platforms will not have a significant impact on parallel applications.

In IB-IDS, the main performance overhead of domU comes from the antigen presenting module and the signal acquisition module, as well as the operation of passing data to dom0 through the inter-virtual-machine communication mechanism. These actions are performed regularly, and the cost is limited. For example, the antigen presenting module is a proactive monitoring program on system call sequences and is not triggered by every system call; the signal acquisition module is the same. Through the event channel, domU puts antigens and environmental status into the ring buffer, and only if the ring buffer is empty does it notify dom0, which causes a context switch between domU and dom0. If there is data in the ring buffer, dom0 keeps reading, and domU's notification is not required. So the overhead of context switching is limited. In addition, the implementations of the immune response module, the signal measurement module, and the information monitoring module increase the performance overhead of dom0, and their impact on domU can be ignored.

Then we test the impact of IB-IDS on computation-intensive applications. In our tests we used the SPEC (Standard Performance Evaluation Corporation) CPU2000 benchmark set [20]. The programs include two parts: CINT2000 for integer computation-intensive applications and CFP2000 for floating-point applications. We chose CINT2000, which has 12 applications, randomly selected five programs for testing, and Table 2 gives a brief introduction.

Figure 10 shows the contrast of the five benchmarks between running with IB-IDS loaded and unloaded. As can be seen from the figure, the calculation time in dom1 is longer than in the original system; the average increase is 9.12%, up to 11.48% on the 254.gap program. Compared with parallel programs, the influence of IB-IDS on the virtual machine is larger, but it is still within the acceptable range. So IB-IDS can be integrated in the computation-intensive program scenario of cloud computing.

At last we test the impact of IB-IDS on a web server. In our tests, domU runs the web server, which is composed of the Apache HTTP server and PHP. We use the httperf tool [21] to generate continuous network requests that can cause the server to be overloaded. Using the autobench tool [22], we can run httperf many times, increase the number of requests per second, and extract the output of the httperf results. Figure 11 shows the contrast of server responses between running with IB-IDS loaded and unloaded. As can be seen, when the frequency of HTTP requests increases, the response time of the server after the introduction of IB-IDS rises. When the HTTP request frequency is 100, the increased time is less than 0.5 s, which is acceptable. Therefore, IB-IDS can also be applied in a cloud computing platform with a deployed web server.


Table 2: Illustrations of tested computation-intensive programs.

Program names | Meanings
164.gzip | The compression and decompression operations of a set of files
175.vpr | Placement and routing operations for field-programmable gate array circuits according to specific algorithms
186.crafty | Chess program that finds the next move in view of the board layout
252.eon | Probabilistic ray tracing used to create a 3D object image
254.gap | Solving problems of correlation analysis and calculation in discrete mathematics

Figure 10: Testing of computation-intensive programs. [Bar chart of compute time (s), 0 to 120, for 164.gzip, 175.vpr, 186.crafty, 252.eon, and 254.gap, with and without IB-IDS; image not reproduced.]

4.3. Comparisons of Detection Rates and False Alarm Rates. This section tests the ability of IB-IDS to detect attacks. The experiments adopt the detection rate (DR) and false alarm rate (FAR) to measure the effectiveness of the system and compare it with the ARTIS model proposed by Glickman et al. [17]. As a general computer immune system, the model has the characteristics of diversity, distribution, dynamic learning, adaptability, and self-monitoring. It consists of a series of lymph nodes, and each node independently completes the immune function. Each node contains multiple detectors (a detector blends the nature of B cells, T cells, and antibodies). The ARTIS model draws on a variety of biological immune mechanisms, and costimulation and the dynamic evolution of detectors (immature ones, mature ones, and memory ones) make it learn continuously. The model has been successfully applied in intrusion detection, virus identification, pattern recognition, and so forth [17, 23]. Figure 12 shows the life cycle of detectors.

Figures 13 and 14 show comparisons of DR and FAR for IB-IDS and ARTIS in the simulation environment. In Figure 13, the experiments adopt data with 60 nonselves in every 100 antigens, where 30 nonselves have just been confirmed. This means that previously this type of antigen was considered self (normal procedure) and is now considered nonself (abnormal procedure); for example, an attack process is unloaded instantly and stops providing related services. In Figure 14, the experiments adopt data with 40 selves in every 100 antigens, where 20 nonselves have just been defined; for example, some new processes are loaded to provide new services. The experimental results show that IB-IDS has a higher DR and a lower FAR.

Figure 11: Testing of web server load. [Response time (ms), 0 to 4500, against request rate 0 to 100, with and without IB-IDS; image not reproduced.]

Then we adopt the wu-ftpd 2.6.0 program, the sendmail 8.12.0 program, and some typical rootkits in Linux, which are widely deployed, as anomaly detection applications. Attacks against wu-ftpd are the scripting attack on the file name matching vulnerability, the attack of getting around access restrictions, the scripting attack on the site exec vulnerability, and so on. Attacks against sendmail are the sccp attack, the decode attack, the remote buffer overflow attack, and so on. Some of the representative rootkits include the simple hook rootkit, the inline hook rootkit, the inline hook complex rootkit, and so on. Simple hook rootkit: a rootkit of this type modifies the system call function's entry address to a malicious function; when the corresponding system call is called, the malicious function is executed instead of the original system call function. Inline hook rootkit: a rootkit of this type does not modify the system call table entry address but replaces a few bytes at the beginning of the system call function with a jump instruction; compared with the simple hook rootkit, this rootkit is more subtle. Inline hook complex rootkit: a rootkit of this type does not replace the first bytes of the system call function with jump instructions but other bytes, for example, bytes in the middle. Table 3 lists the DRs and FARs of IB-IDS and ARTIS, with variances in parentheses. As can be seen from the table, IB-IDS has high detection rates and low false alarm rates under various attacks and is feasible for judging applications in client virtual machines.

Figure 12: The life cycle of detectors in ARTIS. [Diagram with states: randomly generated detectors, immature detectors, mature detectors, memory detectors, dead; transition labels: not match selves, match selves, match antigens, activate, costimulation, no co-stimulation, match enough, too old; detectors drawn as binary strings; image not reproduced.]

Figure 13: Comparisons of DR for IB-IDS and ARTIS. [Detection rate (%), 0 to 100, against time 5 to 50, for IB-IDS and ARTIS; image not reproduced.]

5. Conclusions

Cloud computing platforms are usually based on virtual machines as the underlying architecture; the security of virtual machine systems is the core of cloud computing security.

Figure 14: Comparisons of FAR for IB-IDS and ARTIS. [False alarm rate (%), 0 to 100, against time 5 to 50, for IB-IDS and ARTIS; image not reproduced.]

Current studies on the security of user programs and the vulnerabilities of virtual monitors cannot accurately judge the real state of the client application in the virtual machine. At the same time, the proposed defense methods are only for specific attacks and vulnerabilities and cannot effectively deal with threats from other attacks. This paper presents an immune-based intrusion detection model in virtual machines of the cloud computing environment to ensure the safety of user-level applications in client virtual machines. The model extracts system call sequences and their parameters from programs, abstracts them into antigens, and fuses environmental information of guest virtual machines into danger signals in client VMs. Then immune responses are performed in the privileged VM. During the detection process, the information monitoring mechanism is executed in the VMM. Experimental results show that the model brings a small performance overhead for the virtual machine system and has good detection performance. It is applicable to judging the state of user-level applications in guest virtual machines, and it is feasible to use it to increase user-level security in software services of cloud computing platforms.

Table 3: Detection results (DR and FAR in %, variances in parentheses).

Processes | ARTIS DR | ARTIS FAR | IB-IDS DR | IB-IDS FAR
wu-ftpd: file name matching vulnerability | 76.12 (5.11) | 10.28 (4.17) | 96.55 (1.14) | 7.22 (1.22)
wu-ftpd: site exec vulnerability | 79.87 (2.45) | 9.87 (5.32) | 97.31 (1.23) | 6.65 (2.01)
wu-ftpd: attack of getting around access restrictions | 77.54 (4.77) | 12.75 (3.74) | 97.02 (1.08) | 7.43 (1.67)
sendmail: sccp attack | 74.52 (3.56) | 14.62 (3.41) | 98.11 (1.25) | 5.15 (1.63)
sendmail: decode attack | 81.21 (4.84) | 15.72 (3.87) | 98.35 (1.01) | 5.42 (1.69)
sendmail: remote buffer overflow attack | 82.45 (5.46) | 12.84 (5.63) | 98.78 (1.14) | 5.80 (1.28)
rootkit: simple hook rootkit | 85.15 (5.16) | 9.41 (4.12) | 99.99 (0) | 0 (0)
rootkit: inline hook rootkit | 82.45 (6.82) | 10.75 (8.20) | 99.99 (0) | 0 (0)
rootkit: inline hook complex rootkit | 75.14 (5.23) | 9.56 (6.77) | 95.84 (2.42) | 3.78 (2.89)

Conflicts of Interest

The authors declare that there are no conflicts of interest.

Acknowledgments

The authors would like to acknowledge the Sichuan Agricultural University Double Support Project for providing financial aid.

References

[1] A Haeberlen P Aditya R Rodrigues and P DruschelldquoAccountable Virtual Machinesrdquo in Proceedings of the In 9thUSENIX Symposium on Operating Systems Design and Imple-mentation (OSDI rsquo10) 2010

[2] B D Payne M Carbone M Sharif and W Lee ldquoLares Anarchitecture for secure active monitoring using virtualizationrdquoin Proceedings of the 2008 IEEE Symposium on Security andPrivacy SP pp 233ndash247 Oakland Calif USA May 2008

[3] M I Sharif W Lee W Cui and A Lanzi ldquoSecure In-VMmonitoring using hardware virtualizationrdquo in Proceedings ofthe 16th ACM Conference on Computer and CommunicationsSecurity CCSrsquo09 pp 477ndash487 Chicago Illi USA November2009

[4] Z. Wang, X. Jiang, W. Cui, and P. Ning, "Countering kernel rootkits with lightweight hook protection," in Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS '09), pp. 545–554, Chicago, Ill, USA, November 2009.

[5] O. S. Hofmann, A. M. Dunn, S. Kim, I. Roy, and E. Witchel, "Ensuring operating system kernel integrity with OSck," in Proceedings of the 16th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS 2011), pp. 279–290, Newport Beach, Calif, USA, March 2011.

[6] A. Baliga, V. Ganapathy, and L. Iftode, "Detecting kernel-level rootkits using data structure invariants," IEEE Transactions on Dependable and Secure Computing, vol. 8, no. 5, pp. 670–684, 2011.

[7] S. Bharadwaja, W. Sun, M. Niamat, and F. Shen, "Collabra: a Xen hypervisor based collaborative intrusion detection system," in Proceedings of the 2011 8th International Conference on Information Technology: New Generations (ITNG 2011), pp. 695–700, Las Vegas, NV, USA, April 2011.

[8] A. Srivastava, A. Lanzi, J. Giffin, and D. Balzarotti, "Operating system interface obfuscation and the revealing of hidden operations," Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 6739, pp. 214–233, 2011.

[9] J. Szefer, E. Keller, R. B. Lee, and J. Rexford, "Eliminating the hypervisor attack surface for a more secure cloud," in Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS '11), pp. 401–412, Chicago, Ill, USA, October 2011.

[10] H. Benzina and J. Goubault-Larrecq, "Some ideas on virtualized system security, and monitors," in Data Privacy Management and Autonomous Spontaneous Security, vol. 6514 of Lecture Notes in Computer Science, pp. 244–258, Springer, Berlin, Heidelberg, Germany, 2011.

[11] L. Wang, H. Gao, W. Liu, and Y. Peng, "Detecting and managing hidden process via hypervisor," Jisuanji Yanjiu yu Fazhan/Computer Research and Development, vol. 48, no. 8, pp. 1534–1541, 2011.

[12] P. Barham, B. Dragovic, K. Fraser et al., "Xen and the art of virtualization," in Proceedings of the 19th ACM Symposium on Operating Systems Principles (SOSP '03), pp. 164–177, New York, NY, USA, October 2003.

[13] D. Chisnall, The Definitive Guide to the Xen Hypervisor, Prentice Hall Press, Upper Saddle River, NJ, USA, 2007.

Mobile Information Systems 15

[14] S. Forrest, A. Perelson, L. Allen, and R. Cherukuri, "Self-nonself discrimination in a computer," in Proceedings of the 1994 IEEE Computer Society Symposium on Research in Security and Privacy, pp. 202–212, Oakland, Calif, USA.

[15] L. I. De-Yi, C. Y. Liu, D. U. Yi, and X. Han, "Artificial intelligence with uncertainty," Journal of Software, vol. 15, no. 11, article 2, 2004.

[16] P. D'haeseleer, S. Forrest, and P. Helman, "An immunological approach to change detection: algorithms, analysis and implications," in Proceedings of the 1996 IEEE Symposium on Security and Privacy, pp. 110–119, Oakland, Calif, USA.

[17] M. Glickman, J. Balthrop, and S. Forrest, "A machine learning evaluation of an artificial immune system," Evolutionary Computation, vol. 13, no. 2, pp. 179–212, 2005.

[18] S. Woo, M. Ohara, E. Torrie, J. Singh, and A. Gupta, "The SPLASH-2 programs: characterization and methodological considerations," in Proceedings of the 22nd Annual International Symposium on Computer Architecture, pp. 24–36, Santa Margherita Ligure, Italy.

[19] J. P. Singh, W. Weber, and A. Gupta, "SPLASH," ACM SIGARCH Computer Architecture News, vol. 20, no. 1, pp. 5–44, 1992.

[20] Standard Performance Evaluation Corporation, http://www.spec.org.

[21] httperf, http://www.hpl.hp.com/research/linux/httperf.

[22] autobench, http://www.xenoclast.org/autobench.

[23] J. Balthrop, S. Forrest, M. E. J. Newman, and M. M. Williamson, "Technological networks and the spread of computer viruses," Computer Science, vol. 304, no. 5670, pp. 527–529, 2004.


between virtual memory and machine memory, and each operating system of a domU believes that pseudophysical memory is "physical memory". In fact, machine memory is the real physical memory. The VMM maintains an M2P (Machine to Physical) global conversion table, and each domU maintains a P2M (Physical to Machine) partial conversion table. As can be seen, we can find the pseudophysical address corresponding to a virtual memory address through the domU's page table, and find the machine address corresponding to a pseudophysical address through the domU's P2M table.

Through the above method, we can find the memory space to which the antigen presenting module and the signal acquisition module belong. The information monitoring module reads the contents of all initialized data, read-only data, and function memory which belong to the two modules, in the order given by the System.map file, as hash input. Hash computing maps a binary value of arbitrary length to a shorter fixed-length binary value, and it is infeasible to find two different inputs that map to the same value. Therefore, we use hash computing to ensure the integrity of the memory spaces of the antigen presenting module and the signal acquisition module. In the hypervisor we define two variables, $hd_{ag}$ and $hd_{sig}$, which store the cumulative hash values of the antigen presenting module and the signal acquisition module; they are calculated as follows:

$$hd_{ag}(i+1)=\mathrm{hash}\bigl(hd_{ag}(i)\,\&\,r_{ag}(i+1)\bigr),\qquad hd_{sig}(j+1)=\mathrm{hash}\bigl(hd_{sig}(j)\,\&\,r_{sig}(j+1)\bigr) \tag{7}$$

In (5), $\mathrm{hash}(x)$ is the hash function, $\&$ is a binary string concatenation operator, $r_{ag}(i)$ is the content of the $i$th memory segment of the antigen presenting module, and $hd_{ag}(i)$ is the accumulated value after $i$ rounds of hash computing for the antigen presenting module. The meaning of (6) is analogous. We mark the final cumulative hash values of the antigen presenting module and the signal acquisition module, stored by the hypervisor while the system is in a safe state, as the standard values $hd'_{ag}$ and $hd'_{sig}$. The information monitoring module is executed periodically. By comparing the hash values $hd_{ag}$ and $hd_{sig}$ obtained while the program is running with the standard values, we can determine whether the antigen presenting module and the signal acquisition module are intact.
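The cumulative hash of (7), as an added example that is not the paper's code: it folds constructed byte strings standing in for the module's memory segments through SHA-256 (the paper does not name its hash function) and shows that both a modified byte and a reordered segment change the value compared with the standard $hd'$.

```python
"""Cumulative hash check of a module's memory segments, as in (7).

Added example, not code from the paper: it reproduces the information
monitoring module's check with hashlib on constructed byte strings in
place of memory read through the hypervisor.
"""
import hashlib
import hmac
from typing import Iterable, List


def chained_hash(segments: Iterable[bytes], hd0: bytes = b"") -> bytes:
    """hd(i+1) = hash(hd(i) & r(i+1)), folded over the segments in order.

    `&` is string concatenation in the paper, so each step hashes the
    previous digest followed by the bytes of the next segment. The order
    is part of the result (the paper fixes it by the System.map order).
    """
    hd = hd0
    for r in segments:
        hd = hashlib.sha256(hd + r).digest()
    return hd


def check_module(segments: List[bytes], standard: bytes) -> bool:
    """Compare the running cumulative hash with the standard value hd'."""
    return hmac.compare_digest(chained_hash(segments), standard)


# Constructed stand-ins for the initialized data, read-only data and
# function bodies of the antigen presenting module, in System.map order.
SAFE_SEGMENTS = [
    bytes.fromhex("0100000010000000"),        # .data: sample counters
    b"ag_module v1\x00",                      # .rodata: version string
    bytes.fromhex("554889e54883ec10c9c3"),    # .text: sample function bytes
]

# Standard value hd'_ag: recorded by the hypervisor while the guest is in a
# known-good state; here it is simply computed from the safe segments.
HD_AG_STANDARD = chained_hash(SAFE_SEGMENTS)


def tampered_segments() -> List[bytes]:
    """Same layout with one byte of the function body modified."""
    seg = list(SAFE_SEGMENTS)
    body = bytearray(seg[2])
    body[4] ^= 0xFF
    seg[2] = bytes(body)
    return seg


def reordered_segments() -> List[bytes]:
    """Same bytes in a different order: the chain must reject this too."""
    return [SAFE_SEGMENTS[1], SAFE_SEGMENTS[0], SAFE_SEGMENTS[2]]


if __name__ == "__main__":
    print("safe     :", check_module(SAFE_SEGMENTS, HD_AG_STANDARD))
    print("tampered :", check_module(tampered_segments(), HD_AG_STANDARD))
    print("reordered:", check_module(reordered_segments(), HD_AG_STANDARD))
```

Because the chain state is just the last digest, the hypervisor can resume it segment by segment instead of holding all module memory at once.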

2.5. The Immune Evolution Model

2.5.1. Self-Evolution Model

$$S(t)=\begin{cases}S_{first}, & t=0\\ S(t-1), & t \bmod \delta \neq 0\\ \bigl(S(t-1)\cup S_{new}(t)\bigr)-S_{unload}(t)-S_{dead}(t), & t>0 \wedge t \bmod \delta = 0\end{cases}$$

$$S_{dead}(t)=\begin{cases}\emptyset, & \bigl|S(t-1)\cup S_{new}(t)-S_{unload}(t)\bigr| < size_{max}\\ \bigl\{ag \mid ag\in S(t-1) \wedge \text{eliminate } |S_{new}(t)-S_{unload}(t)| \text{ elements according to some principles}\bigr\}, & \text{others}\end{cases} \tag{8}$$

where $S(t), S(t-1) \subset S$ respectively express the self set at the moments $t$ and $t-1$, $S_{first}$ is the self set at the initial moment, and $\delta$ is the evolutionary cycle of selves. Within a $\delta$ cycle the self set remains unchanged; at the end of a $\delta$ period, new elements $S_{new}$ are added (such as newly loaded programs), programs $S_{unload}(t)$ that have been uninstalled are deleted, and part of the selves, $S_{dead}(t)$, is eliminated so that the self set does not grow without limit.

A computer software system is a huge collection. The self set of a complete software system is too large for the computing capacity available at present, and it is very difficult to find an absolutely reliable self set in a dynamic software system. The evolution of the self set lets the model maintain only a smaller set of selves, ensuring higher time efficiency within the existing computing capacity. In addition, because of the continuous evolution of selves, nonself elements which mix into the selves will eventually be removed, reducing the rate of false negatives caused by an incomplete self set.

2.5.2. Antibody Gene Lib Evolution Model

$$G(t)=\begin{cases}G_{first}, & t=0\\ \bigl(G(t-1)-G_{dead}(t)\bigr)\cup G_{new}(t), & t>0\end{cases} \tag{9}$$

where $G(t), G(t-1) \subset G$ respectively express the antibody gene lib at the moments $t$ and $t-1$, $G_{first}$ is the initial antibody gene collection, made up of gene fragments of typical kinds of malware, $G_{dead}(t)=\bigcup_{x\in M_{dead}(t)}\bigcup_{i=1}^{k} x.ag.x_i$ is the set of mutated genes which should be removed at time $t$, and $M_{dead}(t)$ is the set of memory detectors with false positives. When a mature detector is cloned, its genes $G_{new}(t)=\bigcup_{x\in T_{cloned}(t)}\bigcup_{i=1}^{k} x.ag.x_i$ join the antibody gene library as dominant genes; $T_{cloned}(t)$ is the set of activated mature detectors.

The antibody gene lib is mainly used to improve the generation efficiency of immature detectors. When new immature detectors are generated, their antibodies are produced by gene encoding, so they have the ability to detect variants of known malware, reducing the tolerance time. The use of genetic coding produces the "Baldwin effect": evolution and learning cause new individuals to acquire some of the same characteristics, reducing the diversity of the system. To solve this problem, a certain proportion of randomly generated immature detectors are added to ensure the diversity of the system.

2.5.3. Immature Detectors Evolution Model

$$U(t)=\begin{cases}\emptyset, & t=0\\ \bigl(f_{age}(U(t-1))-(U_{untolerance}(t)\cup U_{matured}(t))\bigr)\cup U_{new}(t), & t>0\end{cases}$$

$$U_{untolerance}(t)=\{x \mid x\in f_{age}(U(t-1)) \wedge \exists y\in S(t-1)\,(\mathrm{affinity}(x.ab,y)=1)\}$$

$$U_{matured}(t)=\{x \mid x\in f_{age}(U(t-1))-U_{untolerance}(t) \wedge x.age>\gamma\} \tag{10}$$

where $U(t), U(t-1) \subset U$ respectively express the set of immature detectors at the moments $t$ and $t-1$, $f_{age}(X)$ ($X \subset B$) adds 1 to the age of every detector in $X$, $U_{untolerance}(t)$ is the set of immature detectors which do not pass self-tolerance, $U_{matured}(t)$ is the set of mature detectors which pass self-tolerance, and $U_{new}(t)$ is the set of immature detectors newly created at time $t$, which includes two parts: completely randomly generated detectors (to ensure diversity) and detectors generated by gene encoding from the antibody gene lib (to ensure availability).

2.5.4. Mature Detectors Evolution Model

$$T(t)=\begin{cases}\emptyset, & t=0\\ \bigl(f_{age}(T(t-1))-(T_{dead}(t)\cup T_{cloned}(t))\bigr)\cup U_{matured}(t)\cup T_{permutation}(t), & t>0\end{cases}$$

$$T_{dead}(t)=\{x \mid x\in f_{age}(T(t-1)) \wedge x.age=age_{max} \wedge \nexists y\in N(t-1)\,(x\in DA(y))\}$$

$$T_{cloned}(t)=\{x \mid x\in f_{age}(T(t-1))-T_{dead}(t) \wedge \exists y\in N(t-1)\,(x\in DA(y))\}$$

$$T_{permutation}(t)=f_{clone\_mutation}\bigl(T_{cloned}(t)\cup M_{cloned}(t)\bigr) \tag{11}$$

where $T(t), T(t-1) \subset T$ respectively express the set of mature detectors at the moments $t$ and $t-1$, $T_{dead}(t)$ is the set of mature detectors which were not activated by the end of their life cycle, $T_{cloned}(t)$ is the set of mature detectors activated by danger signals, $U_{matured}(t)$ is the set of new mature detectors, $T_{permutation}(t)$ is the set of mature detectors produced by clonal mutation of activated ones, and $f_{clone\_mutation}(X)$ ($X \subset T$) is the clonal variation function, which executes the clone and mutation operations for each element $x$ in $X$.

2.5.5. Memory Detectors Evolution Model

$$M(t)=\begin{cases}M_{first}, & t=0\\ \bigl(M(t-1)-M_{dead}(t)\bigr)\cup f_{age2}(M_{cloned}(t)), & t>0\end{cases}$$

$$M_{dead}(t)=\{x \mid x\in M(t-1) \wedge \exists y\in S(t-1)\,(\mathrm{affinity}(x.ab,y)=1)\}$$

$$M_{cloned}(t)=\{x \mid x\in M(t-1) \wedge \exists y\in N(t-1)\,(x\in DA(y))\} \tag{12}$$

where $M(t), M(t-1) \subset M$ respectively express the set of memory detectors at the moments $t$ and $t-1$, and $M_{first}$ is the set of initial memory detectors, which can be obtained from common malware. $M_{dead}(t)$ is the set of memory detectors with false positives at moment $t$, $f_{age2}(M_{cloned}(t))$ expresses the set of newly created memory detectors, $f_{age2}(X)$ ($X \subset B$) sets the age of each detector in $X$ to $age_{max}$, and $M_{cloned}(t)$ is the set of memory detectors activated at time $t$.

2.5.6. Antigen Detection

$$AG(t)=\begin{cases}AG_{first}, & t=0\\ \bigl(AG(t-1)-AG_{self}(t)-AG_{nonself}(t)\bigr)\cup AG_{new}(t), & t>0\end{cases}$$

$$AG_{nonself}(t)=\{x \mid x\in AG_{checked}(t) \wedge \exists y\in T_{cloned}(t)\cup M_{cloned}(t)\,(\mathrm{affinity}(y.ab,x)=1)\}$$

$$AG_{self}(t)=\{x \mid x\in AG_{checked}(t) \wedge \forall y\in T(t)\cup M(t)\,(\mathrm{affinity}(y.ab,x)=0)\} \tag{13}$$

where $AG(t), AG(t-1) \subset AG$ respectively express the set of antigens at the moments $t$ and $t-1$, $AG_{first}$ is the set of initial antigens, and $AG_{checked}(t) \subset AG(t)$ expresses the antigens to be checked at moment $t$.
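An added example, not the paper's code, that runs the self-set evolution (8) and the immature-detector tolerance (10) on constructed data. It assumes antigens and antibodies are 12-bit strings, that affinity is r-contiguous-bits matching with r = 5, and that the unspecified principle for choosing $S_{dead}$ is oldest-first; it shows a self being dropped when the set reaches $size_{max}$ and immature detectors dying or maturing against the evolving self set.

```python
"""Self-set evolution (8) and immature-detector tolerance (10) on bit strings.

Added example, not the paper's code. Assumptions the paper leaves open:
antigens and antibodies are 12-bit strings, affinity is r-contiguous-bits
matching with r = 5, and the "some principles" for choosing S_dead mean
the selves that entered the set earliest are eliminated first.
"""
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

R_MATCH = 5  # r-contiguous-bits threshold (assumed)


def affinity(ab: str, ag: str) -> int:
    """1 if ab and ag agree on at least R_MATCH contiguous positions, else 0."""
    run = 0
    for a, b in zip(ab, ag):
        run = run + 1 if a == b else 0
        if run >= R_MATCH:
            return 1
    return 0


@dataclass
class Detector:
    ab: str       # antibody
    age: int = 0


class SelfSet:
    """S(t) of (8): constant inside a cycle of delta, updated at cycle ends."""

    def __init__(self, s_first: Iterable[str], delta: int, size_max: int):
        self.delta, self.size_max = delta, size_max
        # insertion order records which selves are oldest (used for S_dead)
        self._s: "OrderedDict[str, None]" = OrderedDict((ag, None) for ag in s_first)

    @property
    def elements(self) -> Set[str]:
        return set(self._s)

    def step(self, t: int, s_new: Set[str], s_unload: Set[str]) -> Set[str]:
        """Advance to moment t and return S_dead(t) (empty inside a cycle)."""
        if t == 0 or t % self.delta != 0:
            return set()                       # S(t) = S(t-1)
        for ag in s_new:
            self._s.setdefault(ag, None)       # S(t-1) ∪ S_new(t)
        for ag in s_unload:
            self._s.pop(ag, None)              # − S_unload(t)
        if len(self._s) < self.size_max:       # first case of S_dead(t)
            return set()
        n_drop = len(s_new - s_unload)         # second case: eliminate this many
        oldest = [ag for ag in self._s if ag not in s_new][:n_drop]
        for ag in oldest:
            del self._s[ag]
        return set(oldest)


def f_age(detectors: Iterable[Detector]) -> List[Detector]:
    """f_age(X): add 1 to the age of every detector in X."""
    return [Detector(d.ab, d.age + 1) for d in detectors]


def tolerate(u_prev: List[Detector], selves: Set[str], gamma: int,
             u_new: List[Detector]) -> Tuple[List[Detector], List[Detector], List[Detector]]:
    """One step of (10); returns (U(t), U_untolerance(t), U_matured(t))."""
    untolerant, rest = [], []
    for x in f_age(u_prev):
        (untolerant if any(affinity(x.ab, y) for y in selves) else rest).append(x)
    matured = [x for x in rest if x.age > gamma]
    u_t = [x for x in rest if x.age <= gamma] + list(u_new)
    return u_t, untolerant, matured


def demo() -> Dict[str, object]:
    """Constructed run: three initial selves, delta = 2, size_max = 4, gamma = 2."""
    s = SelfSet(["000011110000", "111100001111", "010101010101"], delta=2, size_max=4)
    u = [Detector("000011100110"), Detector("101010101010"), Detector("110011001100")]
    log: Dict[str, object] = {}
    # t = 1: inside the cycle, S unchanged; the first detector matches a self and dies
    s.step(1, set(), set())
    u, untol, _ = tolerate(u, s.elements, 2, [])
    log["t1_untolerant"] = [d.ab for d in untol]
    # t = 2: cycle end; a newly loaded program joins S, size reaches size_max, oldest self goes
    log["t2_dead"] = s.step(2, {"001100110011"}, set())
    log["t2_selves"] = s.elements
    u, _, _ = tolerate(u, s.elements, 2, [Detector("111100001100")])  # gene-encoded newcomer
    # t = 3: survivors older than gamma mature; the newcomer matches a self and dies
    s.step(3, set(), set())
    u, untol, matured = tolerate(u, s.elements, 2, [])
    log["t3_untolerant"] = [d.ab for d in untol]
    log["t3_matured"] = [d.ab for d in matured]
    log["t3_immature"] = [d.ab for d in u]
    return log


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```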

3. Performance Analysis of the Model

Set the number of programs in a computer as $N_p$; usually the proportion of nonselves is $\rho$. The size of the self set is $|S|$, the size of the mature detector set is $|T|$, and the size of the memory detector set is $|M|$. The matching probability between any given detector and any given antigen is $P_m$ (which depends on the specific matching rule). $P(A)$ is the probability of occurrence of event $A$.

Theorem 5. For any detector which passes self-tolerance, the probability of this detector matching those selves which are not described is $P_n = (1-P_m)^{|S|}\cdot\bigl(1-(1-P_m)^{N_p\cdot(1-\rho)-|S|}\bigr)$.

Proof. Let $A$ be the event "the given detector does not match any self in the self set" and $B$ the event "the given detector matches at least one self in the undescribed self set". Clearly a detector from $A$ is self-tolerated and a detector from $B$ may not be self-tolerated, so $P_n = P(A)P(B)$. In event $A$, the number of times $X$ that the detector matches selves follows the binomial distribution, that is, $X \sim b(n,p)$ with $n=|S|$, $p=P_m$. Then $P(A)=P(X=0)=(P_m)^0(1-P_m)^{|S|}=(1-P_m)^{|S|}$. In the same way, in event $B$ the number of times $Y$ that the detector matches selves follows the binomial distribution $Y \sim b(n,p)$ with $n=N_p\cdot(1-\rho)-|S|$, $p=P_m$. Then $P(B)=1-P(Y=0)=1-(1-P_m)^{N_p\cdot(1-\rho)-|S|}$, and $P_n=P(A)P(B)=(1-P_m)^{|S|}\cdot\bigl(1-(1-P_m)^{N_p\cdot(1-\rho)-|S|}\bigr)$.

Theorem 6. For any given nonself antigen ag, the probability of this antigen being identified correctly is $P_r = 1-(1-P_m)^{(|M|+|T|)(1-P_n)} \approx 1-e^{-P_m(|M|+|T|)(1-P_n)}$.

Proof. Let $A$ be the event "ag matches some memory detector or some mature detector which is triggered by danger signals"; $P_r=P(A)$. In event $A$, the number of times $X$ that the antigen matches detectors follows the binomial distribution $X \sim b(n,p)$ with $n=(|M|+|T|)(1-P_n)$, $p=P_m$; the memory detectors and mature detectors which recognize selves cannot identify nonselves and are not counted. Then $P_r=P(A)=1-P(X=0)=1-(1-P_m)^{(|M|+|T|)(1-P_n)}$. By the Poisson theorem, when $P_m$ is small and $(|M|+|T|)(1-P_n)$ is large, $P_r \approx 1-e^{-P_m(|M|+|T|)(1-P_n)}$.

Theorem 7. For any given nonself antigen ag, the probability of a false negative with this antigen is $P_{neg}=(1-P_m)^{(|M|+|T|)(1-P_n)} \approx e^{-P_m(|M|+|T|)(1-P_n)}$; for any given self antigen ag, the probability of a false positive with this antigen is $P_{pos}=1-(1-P_m)^{(|M|+|T|)P_n} \approx 1-e^{-P_m(|M|+|T|)P_n}$.

Proof. By Theorem 6, $P_{neg}=1-P_r=(1-P_m)^{(|M|+|T|)(1-P_n)} \approx e^{-P_m(|M|+|T|)(1-P_n)}$. Let $A$ be the event "the given self matches some memory detector or mature detector"; then $P_{pos}=P(A)$. In event $A$, the number of times $X$ that the self matches detectors follows the binomial distribution $X \sim b(n,p)$ with $n=(|M|+|T|)P_n$, $p=P_m$. So $P_{pos}=P(A)=1-P(X=0)=1-(1-P_m)^{(|M|+|T|)P_n}$. By the Poisson theorem, when $P_m$ is small and $(|M|+|T|)P_n$ is large, $P_{pos} \approx 1-e^{-P_m(|M|+|T|)P_n}$.

Figure 4: Effect of $N_p$ and $|S|$ on $P_n$ ($P_m = 0.025625$, $\rho = 0.01$).

Theorem 8. Selves of the model are completely described at the macrolevel. The spatial complexity of the dynamic tolerance model producing a fixed number of mature detectors is constant, and the time complexity is linear in the number of detectors (excluding immature detectors).

Proof. According to (8), the self set evolves in time slices of fixed length. With the passage of time, $\bigcup_{t=0}^{\infty} S(t)$ will cover the entire self space, which is to say the description of selves at the macrolevel is complete. Moreover, the size of the self set is limited to $size_{max}$. Without loss of generality, consider the extreme case in which the number of selves is $|S(t)| = size_{max}$. D'haeseleer et al. [16] pointed out that, for an arbitrary matching rule, the spatial complexity of producing a fixed number of mature detectors is $O(l \cdot size_{max})$ and the time complexity is $O\bigl(\frac{-\ln(P_{neg})}{P_m\cdot(1-P_m)^{size_{max}}}\cdot size_{max}\bigr)$. For a specific matching algorithm, $P_m$ is constant. By Theorem 7, $P_{neg} \approx e^{-P_m(|M|+|T|)(1-P_n)}$. By Theorem 5, $P_n=(1-P_m)^{size_{max}}\cdot\bigl(1-(1-P_m)^{N_p\cdot(1-\rho)-size_{max}}\bigr)$. So the time complexity of producing a fixed number of mature detectors is $O\bigl(\frac{-\ln(P_{neg})}{P_m\cdot(1-P_m)^{size_{max}}}\cdot size_{max}\bigr) = O\bigl(\frac{(|M|+|T|)(1-P_n)}{(1-P_m)^{size_{max}}}\cdot size_{max}\bigr) = O\bigl((|M|+|T|)\cdot\frac{(1-P_n)\cdot size_{max}}{(1-P_m)^{size_{max}}}\bigr)$. That is to say, the time complexity of producing a fixed number of mature detectors is linear in the number of memory detectors and mature detectors.

For a specific matching rule, $P_m$ is constant [17]. For the $r$-continuous bit matching method, $P_m = 0.025625$. Figures 4 and 5 are the Matlab simulations of Theorem 5. As can be seen from the figures, when $|S|$ is large enough, the effect of $N_p$ and $\rho$ on $P_n$ is small. When $|S| = 200$, $N_p = 500$, and $\rho = 0.01$, $P_n < 1\%$ reaches the ideal value.

Figure 6 is the Matlab simulation of Theorem 6. As can be seen from the figure, when $|M|$ and $|T|$ become large, $P_r$ increases.

Figure 5: Effect of $\rho$ and $|S|$ on $P_n$ ($P_m = 0.025625$, $N_p = 400$).

Figure 6: Effect of $|M|$ and $|T|$ on $P_r$ ($P_m = 0.025625$, $P_n = 0.01$).

Figures 7 and 8 are the Matlab simulations of Theorem 7. As can be seen from the figures, as $|M|$ and $|T|$ rise, $P_{neg}$ decreases and $P_{pos}$ increases.

Considering the simulations of Theorems 5, 6, and 7, when $|S| = 200$, $N_p = 500$, $\rho = 0.01$, $|M| = 100$, and $|T| = 100$, the values $P_n < 1\%$, $P_r > 95\%$, $P_{neg} < 1\%$, and $P_{pos} < 5\%$ reach the ideal range.
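An added example (not the paper's Matlab code) that evaluates Theorems 5, 6, and 7 and their Poisson approximations at the parameter point above, checks the four ideal bounds, and also finds the smallest $|S|$ at which $P_n$ drops below 1%, which the formulas support but the figures only show graphically.

```python
"""Detection probabilities of Theorems 5-7 at the paper's parameter point.

Added example, not the paper's code: it evaluates the closed forms and
their Poisson approximations with the values of Section 3
(|S| = 200, N_p = 500, rho = 0.01, |M| = |T| = 100, P_m = 0.025625).
"""
import math
from typing import Dict


def p_n(p_m: float, s: int, n_p: int, rho: float) -> float:
    """Theorem 5: P_n = (1-P_m)^|S| * (1 - (1-P_m)^(N_p(1-rho) - |S|))."""
    undescribed = n_p * (1 - rho) - s          # selves outside the self set
    if undescribed <= 0:
        return 0.0                             # the self set already covers all selves
    return (1 - p_m) ** s * (1 - (1 - p_m) ** undescribed)


def p_r(p_m: float, m: int, t: int, pn: float, poisson: bool = False) -> float:
    """Theorem 6: probability that a nonself antigen is identified."""
    n = (m + t) * (1 - pn)                     # detectors that do not recognise selves
    if poisson:                                # 1 - e^{-P_m n}
        return 1 - math.exp(-p_m * n)
    return 1 - (1 - p_m) ** n


def p_neg(p_m: float, m: int, t: int, pn: float, poisson: bool = False) -> float:
    """Theorem 7: false negative rate, 1 - P_r."""
    return 1 - p_r(p_m, m, t, pn, poisson)


def p_pos(p_m: float, m: int, t: int, pn: float, poisson: bool = False) -> float:
    """Theorem 7: false positive rate for a self antigen."""
    n = (m + t) * pn                           # detectors that do recognise selves
    if poisson:
        return 1 - math.exp(-p_m * n)
    return 1 - (1 - p_m) ** n


def evaluate(p_m: float = 0.025625, s: int = 200, n_p: int = 500,
             rho: float = 0.01, m: int = 100, t: int = 100) -> Dict[str, float]:
    """All four probabilities (exact and Poisson forms) at one parameter point."""
    pn = p_n(p_m, s, n_p, rho)
    return {
        "P_n": pn,
        "P_r": p_r(p_m, m, t, pn),
        "P_r_poisson": p_r(p_m, m, t, pn, poisson=True),
        "P_neg": p_neg(p_m, m, t, pn),
        "P_pos": p_pos(p_m, m, t, pn),
        "P_pos_poisson": p_pos(p_m, m, t, pn, poisson=True),
    }


def meets_ideal(v: Dict[str, float]) -> bool:
    """The bounds the paper calls ideal: P_n < 1%, P_r > 95%, P_neg < 1%, P_pos < 5%."""
    return (v["P_n"] < 0.01 and v["P_r"] > 0.95
            and v["P_neg"] < 0.01 and v["P_pos"] < 0.05)


def smallest_self_set(target_pn: float, p_m: float = 0.025625,
                      n_p: int = 500, rho: float = 0.01) -> int:
    """Smallest |S| whose P_n is below target: the size_max trade-off of Theorem 8."""
    limit = int(n_p * (1 - rho))
    for s in range(0, limit + 1):              # P_n decreases monotonically in |S|
        if p_n(p_m, s, n_p, rho) < target_pn:
            return s
    return limit


if __name__ == "__main__":
    values = evaluate()
    for name, value in values.items():
        print(f"{name:14s} {value:.5f}")
    print("ideal bounds met:", meets_ideal(values))
    print("smallest |S| with P_n < 1%:", smallest_self_set(0.01))
```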

4. Experimental Results and Analysis

In this section, we verify the validity of IB-IDS through experiments, including a security analysis, the effect on program performance after adding IB-IDS to the Xen virtual machine system, and the intrusion detection efficiency of IB-IDS. The experimental environment is as follows. All tests were performed on a ThinkPad T540p notebook, whose hardware configuration is an Intel Core i5-4300M 2.60GHz quad-core CPU and 8G of physical memory. The Xen version is 4.4.1, which manages two domains: the privileged VM dom0 and the guest VM dom1. Both virtual machines run Ubuntu 14.04 with Linux kernel version 3.13.0-19. Dom0 is allocated four VCPUs and 4G of physical memory, with the CPU scheduling weight set to 256, while dom1 is allocated four VCPUs and 1G of physical memory, with the CPU scheduling weight also set to 256.

In IB-IDS, the parameters are set as follows: the danger signal parameters $k_1 = 1$, $k_2 = 0.5$, $k_3 = -1.5$, and the radius of the danger zone $r_{danger} = 0.5$. Each experiment was run 10 times and the results were averaged.

Figure 7: Effect of $|M|$ and $|T|$ on $P_{neg}$ ($P_m = 0.025625$, $P_n = 0.01$).

Figure 8: Effect of $|M|$ and $|T|$ on $P_{pos}$ ($P_m = 0.025625$, $P_n = 0.01$).

4.1. Security Analysis. In the architecture description of the model, the modules are distributed across different virtual machines. In domU, data is collected and then passed to dom0 through the interdomain communication mechanism. The grant table of Xen ensures that a domain's memory space can only be accessed by the domains it has authorized. In the model, domU is the owner of a shared ring buffer, and dom0 is the only domain granted permission to it; other domains cannot access it. Therefore, data will not be leaked to other, unauthorized domains, and the data transfer process is safe.

In paravirtualized Xen, domU accesses the hardware indirectly through dom0. To ensure the safety of the immune calculation, the model passes data to dom0 for computation. In this model, we assume that the privileged virtual machine is a trusted node.

Some traditional intrusion detection tools typically need to be deployed in the client virtual machine. Because the client virtual machine is not a trusted node and is exposed to various attacks, those detection tools are also vulnerable. In this model, we assume that the virtual machine monitor is also a trusted node. The memory space of the two modules which are deployed in domU is monitored by the virtual machine monitor.

Therefore, the monitoring process and results of the model are reliable.

4.2. Performance Evaluations of the Model. The introduction of IB-IDS to a virtual machine system will obviously bring some performance cost. In cloud computing, many applications are executed concurrently. Therefore, this section first uses an appropriate performance test to assess the impact of IB-IDS on parallel programs. In our tests we used the classic SPLASH-2 program group [18, 19]. The programs are written in C, are composed of 12 benchmarks, and use the PThread parallel mode. We randomly selected five programs for testing, and Table 1 gives a brief introduction.

Table 1: Illustrations of tested parallel programs

Program names | Meanings | Parameter settings
FFT | Computing a fast Fourier transform | m = 22, p = 2, n = 65536, l = 4
LU | Splitting a sparse matrix into a product of a lower triangular matrix and an upper triangular matrix | p = 2, n = 2048, b = 16
Ocean | Simulating movements of an entire ocean through the edge of the ocean currents (noncontiguous block allocation method) | p = 4, n = 258, t = 380, e = 1e-09
Raytrace | Path simulation of lights | p = 4, envfile = ball4
Barnes | Simulating a three-dimensional multibody system (e.g., galaxies) | p = 2, fleaves = 2

Figure 9: Testing of parallel programs (compute time in ms of FFT, LU, Ocean, Raytrace, and Barnes, with and without IB-IDS).

Figure 9 shows the contrast for the five benchmarks between running with IB-IDS loaded and unloaded. As can be seen from the figure, the calculation time of dom1 is longer than in the original system; the average increase in time is 7.33%, up to 10.86% on the LU program, which indicates that the additional cost of the virtual machine system with integrated IB-IDS is very small and within the acceptable range. Applying IB-IDS to cloud computing platforms will not have a significant impact on parallel applications.

In IB-IDS, the main performance overhead in domU comes from the antigen presenting module and the signal acquisition module, as well as from passing data to dom0 through the inter-virtual-machine communication mechanism. These actions are performed regularly, and their cost is limited. For example, the antigen presenting module is a proactive monitoring program on system call sequences and is not triggered by every system call; the signal acquisition module is the same. Through the event channel, domU puts antigens and environmental status into the ring buffer, and only if the ring buffer is empty does it notify dom0, which causes a context switch between domU and dom0. If there is data in the ring buffer, dom0 keeps reading, and domU's notification is not required. So the overhead of context switching is limited. In addition, the immune response module, signal measurement module, and information monitoring module increase the performance overhead of dom0, and their impact on domU can be ignored.

Then we test the impact of IB-IDS on computation intensive applications. In our tests we used the SPEC (Standard Performance Evaluation Corporation) CPU2000 benchmark suite [20]. The programs include two parts: CINT2000, for integer computation intensive applications, and CFP2000, for floating-point applications. We chose CINT2000, which has 12 applications, randomly selected five programs for testing, and Table 2 gives a brief introduction.

Figure 10 shows the contrast for the five benchmarks between running with IB-IDS loaded and unloaded. As can be seen from the figure, the calculation time of dom1 is longer than in the original system; the average increase in time is 9.12%, up to 11.48% on the 254.gap program. Compared with the parallel programs, the influence of IB-IDS on the virtual machine is larger, but it is still within the acceptable range. So IB-IDS can be integrated in the computation intensive program scenario of cloud computing.

At last, we test the impact of IB-IDS on a web server. In our tests, domU runs the web server, which is composed of the Apache HTTP server and PHP. We use the httperf tool [21] to generate continuous network requests that can cause the server to be overloaded. Using the autobench tool [22], we can run httperf many times, increasing the number of requests per second, and extract the output of the httperf results. Figure 11 shows the contrast of server responses between running with IB-IDS loaded and unloaded. As can be seen, as the frequency of HTTP requests increases, the response time of the server after the introduction of IB-IDS rises. When the HTTP request frequency is 100, the increase in time is less than 0.5 s, which is acceptable. Therefore, in a cloud computing platform with a web server deployed, the IB-IDS system can also be applied.

Table 2: Illustrations of tested computation intensive programs

Program names | Meanings
164.gzip | The compression and decompression operations of a set of files
175.vpr | According to specific algorithms, placement and routing operations for a field-programmable gate array circuit
186.crafty | Chess program that finds the next move in view of the board layout
252.eon | Probabilistic ray tracing used to create a 3D object image
254.gap | Solving the problem of correlation analysis and calculation of discrete mathematics

Figure 10: Testing of computation intensive programs (compute time in s of 164.gzip, 175.vpr, 186.crafty, 252.eon, and 254.gap, with and without IB-IDS).

4.3. Comparisons of Detection Rates and False Alarm Rates. This section tests the ability of IB-IDS to detect attacks. The experiments adopt detection rate (DR) and false alarm rate (FAR) to measure the effectiveness of the system and compare it with the ARTIS model proposed by Glickman et al. [17]. As a general computer immune system, that model has the characteristics of diversity, distribution, dynamic learning, adaptability, and self-monitoring. It consists of a series of lymph nodes, and each node independently completes the immune function. Each node contains multiple detectors (a detector is a blend of the nature of B cells, T cells, and antibodies). The ARTIS model draws on a variety of biological immune mechanisms, and costimulation together with the dynamic evolution of detectors (immature, mature, and memory ones) make it learn continuously. The model has been successfully applied in intrusion detection, virus identification, pattern recognition, and so forth [17, 23]. Figure 12 shows the life cycle of detectors.

Figures 13 and 14 show comparisons of DR and FAR for IB-IDS and ARTIS in the simulation environment. In Figure 13, the experiments adopt data with 60 nonselves in every 100 antigens, where 30 nonselves are just confirmed. This means that previously this type of antigen was considered to be self (normal procedure) and is now thought of as nonself (abnormal procedure), for example, when some attack process is unloaded instantly and stops providing the related services. In Figure 14, the experiments adopt data with 40 selves in every 100 antigens, where 20 nonselves are just defined, for example, when some new processes are loaded to provide new services. The experimental results show that IB-IDS has a higher DR and a lower FAR.

Figure 11: Testing of web server load (response time in ms versus request rate from 0 to 100, with and without IB-IDS).

Then we adopt the wu-ftpd 2.6.0 program, the sendmail 8.12.0 program, and some typical Linux rootkits, which are widely deployed, as anomaly detection applications. Attacks against wu-ftpd include the scripting attack on the file name matching vulnerability, the attack of getting around access restrictions, the scripting attack on the site exec vulnerability, and so on. Attacks against sendmail include the sccp attack, the decode attack, the remote buffer overflow attack, and so on. Some of the representative rootkits are the simple hook rootkit, the inline hook rootkit, the inline hook complex rootkit, and so on. Simple hook rootkit: a rootkit of this type modifies a system call function's entry address to point to a malicious function; when the corresponding system call is invoked, the malicious function is executed instead of the original system call function. Inline hook rootkit: a rootkit of this type does not modify the system call table entry but replaces a few bytes at the beginning of the system call function with a jump instruction; compared with the simple hook rootkit, this rootkit is more subtle. Inline hook complex rootkit: a rootkit of this type does not replace the first bytes of the system call function with jump instructions but other bytes, for example, bytes in the middle. Table 3 lists the DRs and FARs of IB-IDS and ARTIS, with variances in parentheses. As can be seen from the table, IB-IDS has high detection rates and low false alarm rates under the various attacks and is feasible for judging applications in client virtual machines.

Figure 12: The life cycle of detectors in ARTIS (randomly generated detectors become immature detectors, then mature detectors, then memory detectors; edge labels: not match selves, match antigens, match enough, costimulation; detectors die on match selves, no co-stimulation, or too old).

Figure 13: Comparisons of DR for IB-IDS and ARTIS (detection rate in % versus time, 5 to 50).

5 Conclusions

Cloud computing platforms are usually based on virtualmachines as the underlying architecture the security of vir-tual machine systems is the core of cloud computing security

ARTISIB-IDS

0

10

20

30

40

50

60

70

80

90

100

False

alar

m ra

te (

)

10 15 20 25 30 35 40 45 505Time

Figure 14 Comparisons of FAR for IB-IDS and ARTIS

Current study on security of user programs and vulnera-bilities of virtual monitors cannot accurately judge the realstate of the client application in the virtual machine At thesame time the proposed defensemethods are only for specificattacks and vulnerabilities and cannot effectively deal withthreats under other attacks This paper presents an immune-based intrusion detection model in virtual machines of thecloud computing environment to ensure safety of user-levelapplications in client virtual machines The model extractssystem call sequences and their parameters of programsabstracts them into antigens and fuses environmental infor-mation of guest virtual machines into danger signals inclient VMs Then immune responses will be performed

14 Mobile Information Systems

Table 3 Detection results

Processes ARTIS IB-IDSDR FAR DR FAR

wu-ftpdfile name matching vulnerability 7612 (511) 1028 (417) 9655 (114) 722 (122)site exec vulnerability 7987 (245) 987 (532) 9731 (123) 665 (201)attack of getting around access restrictions 7754 (477) 1275 (374) 9702 (108) 743 (167)

sendmailsccp attack 7452 (356) 1462 (341) 9811 (125) 515 (163)decode attack 8121 (484) 1572 (387) 9835 (101) 542 (169)remote buffer overflow attack 8245 (546) 1284 (563) 9878 (114) 580 (128)

rootkitsimple hook rootkit 8515 (516) 941 (412) 9999 (0) 0 (0)inline hook rootkit 8245 (682) 1075 (820) 9999 (0) 0 (0)inline hook complex rootkit 7514 (523) 956 (677) 9584 (242) 378 (289)

in the privileged VM During the detection process infor-mation monitoring mechanism will be executed in VMMExperimental results show that the model brings a smallperformance overhead for the virtual machine system andhas a good detection performance It is applicable to judgethe state of user-level application in guest virtual machineand it is feasible to use it to increase the user-level securityin software services of cloud computing platform

Conflicts of Interest

The authors declare that there are no conflicts of interest

Acknowledgments

The authors would like to acknowledge Sichuan AgriculturalUniversity Double Support Project for providing financialaid

References

[1] A. Haeberlen, P. Aditya, R. Rodrigues, and P. Druschel, "Accountable Virtual Machines," in Proceedings of the 9th USENIX Symposium on Operating Systems Design and Implementation (OSDI '10), 2010.

[2] B. D. Payne, M. Carbone, M. Sharif, and W. Lee, "Lares: An architecture for secure active monitoring using virtualization," in Proceedings of the 2008 IEEE Symposium on Security and Privacy (SP), pp. 233–247, Oakland, Calif, USA, May 2008.

[3] M. I. Sharif, W. Lee, W. Cui, and A. Lanzi, "Secure in-VM monitoring using hardware virtualization," in Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS '09), pp. 477–487, Chicago, Ill, USA, November 2009.

[4] Z. Wang, X. Jiang, W. Cui, and P. Ning, "Countering kernel rootkits with lightweight hook protection," in Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS '09), pp. 545–554, Chicago, Ill, USA, November 2009.

[5] O. S. Hofmann, A. M. Dunn, S. Kim, I. Roy, and E. Witchel, "Ensuring operating system kernel integrity with OSck," in Proceedings of the 16th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS 2011), pp. 279–290, Newport Beach, Calif, USA, March 2011.

[6] A. Baliga, V. Ganapathy, and L. Iftode, "Detecting kernel-level rootkits using data structure invariants," IEEE Transactions on Dependable and Secure Computing, vol. 8, no. 5, pp. 670–684, 2011.

[7] S. Bharadwaja, W. Sun, M. Niamat, and F. Shen, "Collabra: A Xen hypervisor based collaborative intrusion detection system," in Proceedings of the 2011 8th International Conference on Information Technology: New Generations (ITNG 2011), pp. 695–700, Las Vegas, NV, USA, April 2011.

[8] A. Srivastava, A. Lanzi, J. Giffin, and D. Balzarotti, "Operating system interface obfuscation and the revealing of hidden operations," Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 6739, pp. 214–233, 2011.

[9] J. Szefer, E. Keller, R. B. Lee, and J. Rexford, "Eliminating the hypervisor attack surface for a more secure cloud," in Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS '11), pp. 401–412, Chicago, Ill, USA, October 2011.

[10] H. Benzina and J. Goubault-Larrecq, "Some ideas on virtualized system security, and monitors," in Data Privacy Management and Autonomous Spontaneous Security, vol. 6514 of Lecture Notes in Computer Science, pp. 244–258, Springer, Berlin, Heidelberg, Germany, 2011.

[11] L. Wang, H. Gao, W. Liu, and Y. Peng, "Detecting and managing hidden process via hypervisor," Jisuanji Yanjiu yu Fazhan/Computer Research and Development, vol. 48, no. 8, pp. 1534–1541, 2011.

[12] P. Barham, B. Dragovic, K. Fraser et al., "Xen and the art of virtualization," in Proceedings of the 19th ACM Symposium on Operating Systems Principles (SOSP '03), pp. 164–177, New York, NY, USA, October 2003.

[13] D. Chisnall, The Definitive Guide to the Xen Hypervisor, Prentice Hall Press, Upper Saddle River, NJ, USA, 2007.

[14] S. Forrest, A. Perelson, L. Allen, and R. Cherukuri, "Self-nonself discrimination in a computer," in Proceedings of the 1994 IEEE Computer Society Symposium on Research in Security and Privacy, pp. 202–212, Oakland, Calif, USA.

[15] L. I. De-Yi, C. Y. Liu, D. U. Yi, and X. Han, "Artificial intelligence with uncertainty," Journal of Software, vol. 15, no. 11, article 2, 2004.

[16] P. D'haeseleer, S. Forrest, and P. Helman, "An immunological approach to change detection: algorithms, analysis and implications," in Proceedings of the 1996 IEEE Symposium on Security and Privacy, pp. 110–119, Oakland, Calif, USA.

[17] M. Glickman, J. Balthrop, and S. Forrest, "A machine learning evaluation of an artificial immune system," Evolutionary Computation, vol. 13, no. 2, pp. 179–212, 2005.

[18] S. Woo, M. Ohara, E. Torrie, J. Singh, and A. Gupta, "The SPLASH-2 programs: characterization and methodological considerations," in Proceedings of the 22nd Annual International Symposium on Computer Architecture, pp. 24–36, Santa Margherita Ligure, Italy.

[19] J. P. Singh, W. Weber, and A. Gupta, "SPLASH," ACM SIGARCH Computer Architecture News, vol. 20, no. 1, pp. 5–44, 1992.

[20] Standard Performance Evaluation Corporation, http://www.spec.org/.

[21] httperf, http://www.hpl.hp.com/research/linux/httperf/.

[22] autobench, http://www.xenoclast.org/autobench/.

[23] J. Balthrop, S. Forrest, M. E. J. Newman, and M. M. Williamson, "Technological networks and the spread of computer viruses," Computer Science, vol. 304, no. 5670, pp. 527–529, 2004.


to detect known malware variants, reducing the tolerance time. The use of genetic coding produces the "Baldwin effect": evolution and learning will enable new individuals to acquire some of the same characteristics, reducing the diversity of the system. In order to solve this problem, a certain proportion of randomly generated immature detectors are added to ensure the diversity of the system.

2.5.3. Immature Detectors Evolution Model

$$U(t)=\begin{cases}\emptyset, & t=0,\\ \bigl(f_{\mathrm{age}}(U(t-1))-(U_{\mathrm{untolerance}}(t)\cup U_{\mathrm{matured}}(t))\bigr)\cup U_{\mathrm{new}}(t), & t>0,\end{cases}$$

$$U_{\mathrm{untolerance}}(t)=\bigl\{x \mid x\in f_{\mathrm{age}}(U(t-1))\wedge\exists y\in S(t-1)\,(\mathrm{affinity}(x.\mathrm{ab},y)=1)\bigr\},$$

$$U_{\mathrm{matured}}(t)=\bigl\{x \mid x\in f_{\mathrm{age}}(U(t-1))-U_{\mathrm{untolerance}}(t)\wedge x.\mathrm{age}>\gamma\bigr\}, \tag{10}$$

where $U(t), U(t-1)\subset U$ respectively express the set of immature detectors at the moments $t$ and $t-1$; $f_{\mathrm{age}}(X)$ ($X\subset B$) means adding 1 to the age of every detector in $X$; $U_{\mathrm{untolerance}}(t)$ is the set of immature detectors which do not pass self-tolerance, and $U_{\mathrm{matured}}(t)$ is the set of mature detectors which pass self-tolerance; $U_{\mathrm{new}}(t)$ is the set of newly created immature detectors at time $t$ and includes two parts: completely randomly generated detectors (to ensure diversity) and detectors generated by gene encoding in the antibody gene library (to ensure availability).

2.5.4. Mature Detectors Evolution Model

$$T(t)=\begin{cases}\emptyset, & t=0,\\ \bigl(f_{\mathrm{age}}(T(t-1))-(T_{\mathrm{dead}}(t)\cup T_{\mathrm{cloned}}(t))\bigr)\cup U_{\mathrm{matured}}(t)\cup T_{\mathrm{permutation}}(t), & t>0,\end{cases}$$

$$T_{\mathrm{dead}}(t)=\bigl\{x \mid x\in f_{\mathrm{age}}(T(t-1))\wedge x.\mathrm{age}=\mathrm{age}_{\max}\wedge\nexists y\in N(t-1)\,(x\in\mathrm{DA}(y))\bigr\},$$

$$T_{\mathrm{cloned}}(t)=\bigl\{x \mid x\in(f_{\mathrm{age}}(T(t-1))-T_{\mathrm{dead}}(t))\wedge\exists y\in N(t-1)\,(x\in\mathrm{DA}(y))\bigr\},$$

$$T_{\mathrm{permutation}}(t)=f_{\mathrm{clone\_mutation}}\bigl(T_{\mathrm{cloned}}(t)\cup M_{\mathrm{cloned}}(t)\bigr), \tag{11}$$

where $T(t), T(t-1)\subset T$ respectively express the set of mature detectors at the moments $t$ and $t-1$; $T_{\mathrm{dead}}(t)$ is the set of mature detectors which are not activated at the end of the life cycle; $T_{\mathrm{cloned}}(t)$ is the set of mature detectors activated by danger signals; $U_{\mathrm{matured}}(t)$ is the set of new mature detectors; $T_{\mathrm{permutation}}(t)$ is the set of mature detectors which are produced by clonal mutation of activated ones; $f_{\mathrm{clone\_mutation}}(X)$ ($X\subset T$) is the clonal variation equation and executes the clone and mutation operation for each element $x$ in $X$.

2.5.5. Memory Detectors Evolution Model

$$M(t)=\begin{cases}M_{\mathrm{first}}, & t=0,\\ (M(t-1)-M_{\mathrm{dead}}(t))\cup f_{\mathrm{age2}}(M_{\mathrm{cloned}}(t)), & t>0,\end{cases}$$

$$M_{\mathrm{dead}}(t)=\bigl\{x \mid x\in M(t-1)\wedge\exists y\in S(t-1)\,(\mathrm{affinity}(x.\mathrm{ab},y)=1)\bigr\},$$

$$M_{\mathrm{cloned}}(t)=\bigl\{x \mid x\in M(t-1)\wedge\exists y\in N(t-1)\,(x\in\mathrm{DA}(y))\bigr\}, \tag{12}$$

where $M(t), M(t-1)\subset M$ respectively express the set of memory detectors at the moments $t$ and $t-1$; $M_{\mathrm{first}}$ is the set of initial memory detectors, and these detectors can be obtained from common malwares; $M_{\mathrm{dead}}(t)$ is the set of memory detectors with false positives at the moment $t$; $f_{\mathrm{age2}}(M_{\mathrm{cloned}}(t))$ expresses the set of newly created memory detectors; $f_{\mathrm{age2}}(X)$ ($X\subset B$) sets the age of each detector in $X$ to $\mathrm{age}_{\max}$; $M_{\mathrm{cloned}}(t)$ is the set of activated memory detectors at the time $t$.

2.5.6. Antigen Detection

$$\mathrm{AG}(t)=\begin{cases}\mathrm{AG}_{\mathrm{first}}, & t=0,\\ (\mathrm{AG}(t-1)-\mathrm{AG}_{\mathrm{self}}(t)-\mathrm{AG}_{\mathrm{nonself}}(t))\cup\mathrm{AG}_{\mathrm{new}}(t), & t>0,\end{cases}$$

$$\mathrm{AG}_{\mathrm{nonself}}(t)=\bigl\{x \mid x\in\mathrm{AG}_{\mathrm{checked}}(t)\wedge\exists y\in(T_{\mathrm{cloned}}(t)\cup M_{\mathrm{cloned}}(t))\,(\mathrm{affinity}(y.\mathrm{ab},x)=1)\bigr\},$$

$$\mathrm{AG}_{\mathrm{self}}(t)=\bigl\{x \mid x\in\mathrm{AG}_{\mathrm{checked}}(t)\wedge\forall y\in(T(t)\cup M(t))\,(\mathrm{affinity}(y.\mathrm{ab},x)=0)\bigr\}, \tag{13}$$

where $\mathrm{AG}(t), \mathrm{AG}(t-1)\subset\mathrm{AG}$ respectively express the set of antigens at the moments $t$ and $t-1$; $\mathrm{AG}_{\mathrm{first}}$ is the set of initial antigens; $\mathrm{AG}_{\mathrm{checked}}(t)\subset\mathrm{AG}(t)$ expresses the antigens to be checked at the moment $t$.
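To make the four update rules concrete, here is an added Python example (not code from the paper) that runs one time step of (10)-(13) on constructed data. The bit-string representation, the r-contiguous-bits affinity rule, the deterministic one-bit clone mutation, and passing the danger signal in as the set of activated detectors are all assumptions, since the paper fixes none of them.

```python
# Added example, not the paper's code: one time step t of the detector
# evolution equations (10)-(13).  Assumed (the paper leaves them open):
# bit-string detectors/antigens, r-contiguous-bits affinity, a deterministic
# one-bit clone mutation, and the danger signal given as activated detectors.
R = 4        # r for the r-contiguous-bits rule (assumed)
GAMMA = 3    # tolerance period: an immature detector matures when age > GAMMA (assumed)
AGE_MAX = 8  # agemax, lifetime of a mature detector (assumed)


class Detector:
    """A detector with antibody x.ab and age x.age; compared by identity."""
    def __init__(self, ab, age=0):
        self.ab = ab
        self.age = age


def affinity(ab, ag, r=R):
    """1 if ab and ag agree on at least r contiguous positions, else 0."""
    run = 0
    for a, b in zip(ab, ag):
        run = run + 1 if a == b else 0
        if run >= r:
            return 1
    return 0


def f_age(dets):
    """f_age(X): add 1 to the age of every detector in X."""
    for d in dets:
        d.age += 1
    return dets


def f_age2(dets):
    """f_age2(X): set the age of every detector in X to agemax."""
    for d in dets:
        d.age = AGE_MAX
    return dets


def f_clone_mutation(dets):
    """One clone per detector, bit (age mod length) flipped; stands in for random mutation."""
    clones = []
    for x in dets:
        i = x.age % len(x.ab)
        flipped = "0" if x.ab[i] == "1" else "1"
        clones.append(Detector(x.ab[:i] + flipped + x.ab[i + 1:], 0))
    return clones


def step(U, T, M, AG, S_prev, U_new, AG_checked, AG_new, activated):
    """Return U(t), T(t), M(t), AG(t) and the intermediate sets from the sets at
    t-1.  S_prev is S(t-1); activated is the union of DA(y) over y in N(t-1)."""
    act = {id(x) for x in activated}
    # (10): immature detectors age, fail self-tolerance, or mature
    aged_U = f_age(U)
    U_untolerance = [x for x in aged_U if any(affinity(x.ab, s) for s in S_prev)]
    U_matured = [x for x in aged_U if x not in U_untolerance and x.age > GAMMA]
    U_next = [x for x in aged_U
              if x not in U_untolerance and x not in U_matured] + list(U_new)
    # (11): mature detectors die at agemax without costimulation or are activated
    aged_T = f_age(T)
    T_dead = [x for x in aged_T if x.age == AGE_MAX and id(x) not in act]
    T_cloned = [x for x in aged_T if x not in T_dead and id(x) in act]
    # (12): memory detectors matching a self are false positives and die;
    # activated ones are cloned and re-enter M with age reset to agemax
    M_dead = [x for x in M if any(affinity(x.ab, s) for s in S_prev)]
    M_cloned = [x for x in M if id(x) in act]
    T_permutation = f_clone_mutation(T_cloned + M_cloned)
    T_next = ([x for x in aged_T if x not in T_dead and x not in T_cloned]
              + U_matured + T_permutation)
    survivors = [x for x in M if x not in M_dead]
    M_next = survivors + [x for x in f_age2(M_cloned) if x not in survivors]
    # (13): nonself = matched by an activated detector; self = matched by no
    # detector in T(t) or M(t); every checked antigen leaves AG
    AG_nonself = [a for a in AG_checked
                  if any(affinity(y.ab, a) for y in T_cloned + M_cloned)]
    AG_self = [a for a in AG_checked
               if all(affinity(y.ab, a) == 0 for y in T_next + M_next)]
    AG_next = [a for a in AG if a not in AG_self and a not in AG_nonself] + list(AG_new)
    return {"U": U_next, "T": T_next, "M": M_next, "AG": AG_next,
            "U_untolerance": U_untolerance, "U_matured": U_matured,
            "T_dead": T_dead, "T_cloned": T_cloned, "M_dead": M_dead,
            "AG_self": AG_self, "AG_nonself": AG_nonself}


def run_example():
    """Constructed 8-bit scenario: one self pattern, three immature, two mature
    and two memory detectors, three antigens of which two are checked."""
    S_prev = ["00000000"]
    U = [Detector("11111111", 0), Detector("00001111", 3), Detector("11110101", 3)]
    T = [Detector("10101010", 7), Detector("11001100", 6)]
    M = [Detector("11110011", AGE_MAX), Detector("11000000", AGE_MAX)]
    AG = ["11001111", "00000001", "00110011"]
    return step(U, T, M, AG, S_prev, U_new=[Detector("01010101")],
                AG_checked=AG[:2], AG_new=["10000001"],
                activated=[T[1]])  # only the second mature detector sees danger


if __name__ == "__main__":
    out = run_example()
    for name in ("U", "T", "M"):
        print(name, [(d.ab, d.age) for d in out[name]])
    print("nonself:", out["AG_nonself"], "self:", out["AG_self"], "AG:", out["AG"])
```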

3. Performance Analysis of the Model

Set the number of programs in a computer as $N_p$, and usually the proportion of nonselves is $\rho$. The size of the self set is $|S|$, the size of the mature detector set is $|T|$, and the size of the memory detector set is $|M|$. The matching probability between any given detector and any given antigen is $P_m$ (which is related to the specific matching rule). $P(A)$ is the probability of occurrence of event $A$.

Theorem 5. For any detector which passes the self-tolerance, the probability of this detector matching those selves which are not described is
$$P_n=(1-P_m)^{|S|}\cdot\bigl(1-(1-P_m)^{N_p\cdot(1-\rho)-|S|}\bigr).$$

Proof. Let $A$ be the event "the given detector does not match any self in the self set" and $B$ the event "the given detector matches at least one self in the undescribed self set". It is clear that the detector from $A$ is self-tolerated and the detector from $B$ may be not self-tolerated; $P_n=P(A)P(B)$. In the event $A$, the number of times $X$ that detectors match selves follows the binomial distribution, that is to say, $X\sim b(n,p)$, where $n=|S|$, $p=P_m$. Then $P(A)=P(X=0)=(P_m)^0(1-P_m)^{|S|}=(1-P_m)^{|S|}$. In a similar way, in the event $B$, the number of times $Y$ that detectors match selves follows the binomial distribution, that is to say, $Y\sim b(n,p)$, where $n=N_p\cdot(1-\rho)-|S|$, $p=P_m$. Then $P(B)=1-P(Y=0)=1-(1-P_m)^{N_p\cdot(1-\rho)-|S|}$. Hence $P_n=P(A)P(B)=(1-P_m)^{|S|}\cdot(1-(1-P_m)^{N_p\cdot(1-\rho)-|S|})$.

Theorem 6. For any given nonself antigen ag, the probability of this antigen being identified correctly is
$$P_r=1-(1-P_m)^{(|M|+|T|)(1-P_n)}\approx 1-e^{-P_m(|M|+|T|)(1-P_n)}.$$

Proof. Let $A$ be the event "ag matches some memory detector or some mature detector which is triggered by danger signals"; $P_r=P(A)$. In the event $A$, the number of times $X$ that antigens match detectors follows the binomial distribution, $X\sim b(n,p)$, where $n=(|M|+|T|)(1-P_n)$, $p=P_m$. The memory detectors and mature detectors which recognize selves cannot identify nonselves and are therefore not counted. Then $P_r=P(A)=1-P(X=0)=1-(1-P_m)^{(|M|+|T|)(1-P_n)}$. According to the Poisson theorem, when $P_m$ is small and $(|M|+|T|)(1-P_n)$ is large, $P_r\approx 1-e^{-P_m(|M|+|T|)(1-P_n)}$.

Theorem 7. For any given nonself antigen ag, the probability of a false negative with this antigen is $P_{neg}=(1-P_m)^{(|M|+|T|)(1-P_n)}\approx e^{-P_m(|M|+|T|)(1-P_n)}$; for any given self antigen ag, the probability of a false positive with this antigen is $P_{pos}=1-(1-P_m)^{(|M|+|T|)P_n}\approx 1-e^{-P_m(|M|+|T|)P_n}$.

Proof. By Theorem 6, $P_{neg}=1-P_r=(1-P_m)^{(|M|+|T|)(1-P_n)}\approx e^{-P_m(|M|+|T|)(1-P_n)}$. Let $A$ be the event "the given self matches a memory detector or a mature detector". Then $P_{pos}=P(A)$. In event $A$, the number of times $X$ that selves match detectors follows the binomial distribution, $X\sim b(n,p)$, where $n=(|M|+|T|)P_n$, $p=P_m$. So $P_{pos}=P(A)=1-P(X=0)=1-(1-P_m)^{(|M|+|T|)P_n}$. According to the Poisson theorem, when $P_m$ is small and $(|M|+|T|)P_n$ is large, $P_{pos}\approx 1-e^{-P_m(|M|+|T|)P_n}$.

Figure 4: Effect of $N_p$ and $|S|$ on $P_n$ ($P_m=0.025625$, $\rho=0.01$).

Theorem 8. Selves of the model are completely described at the macrolevel. The spatial complexity of the dynamic tolerance model producing a fixed number of mature detectors is constant, and the time complexity is linear with the number of detectors (excluding immature detectors).

Proof. According to (8), the self set evolves with a fixed length of time slice. With the passage of time, $\bigcup_{t=0}^{\infty}S(t)$ will cover the entire self space, which is to say the description of selves at the macrolevel is complete. Moreover, the size of the self set is limited to $\mathrm{size}_{\max}$. Without loss of generality, considering the extreme case, the number of selves is $|S(t)|=\mathrm{size}_{\max}$. D'haeseleer et al. [16] pointed out that for an arbitrary matching rule, the spatial complexity of producing a fixed number of mature detectors is $O(l\cdot\mathrm{size}_{\max})$ and the time complexity is $O\bigl(((-\ln P_{neg})/(P_m\cdot(1-P_m)^{\mathrm{size}_{\max}}))\cdot\mathrm{size}_{\max}\bigr)$. For a specific matching algorithm, $P_m$ is constant. By Theorem 7, $P_{neg}\approx e^{-P_m(|M|+|T|)(1-P_n)}$. By Theorem 5, $P_n=(1-P_m)^{\mathrm{size}_{\max}}\cdot(1-(1-P_m)^{N_p\cdot(1-\rho)-\mathrm{size}_{\max}})$. So the time complexity of producing a fixed number of mature detectors is $O\bigl(((-\ln P_{neg})/(P_m\cdot(1-P_m)^{\mathrm{size}_{\max}}))\cdot\mathrm{size}_{\max}\bigr)=O\bigl(((|M|+|T|)(1-P_n)/(1-P_m)^{\mathrm{size}_{\max}})\cdot\mathrm{size}_{\max}\bigr)=O\bigl((|M|+|T|)\cdot((1-P_n)\cdot\mathrm{size}_{\max}/(1-P_m)^{\mathrm{size}_{\max}})\bigr)$. That is to say, the time complexity of producing a fixed number of mature detectors is linear with the number of memory detectors and mature detectors.

For a specific matching rule, $P_m$ is constant [17]. For the $r$-contiguous bit matching method, $P_m=0.025625$. Figures 4 and 5 are the Matlab simulations of Theorem 5. As can be seen from the figures, when $|S|$ is large enough, the effect of $N_p$ and $\rho$ on $P_n$ is small. When $|S|=200$, $N_p=500$, and $\rho=0.01$, $P_n<1\%$ reaches the ideal value.

Figure 6 is the Matlab simulation of Theorem 6. As can be seen from the figure, when $|M|$ and $|T|$ become large, $P_r$ increases.

Figure 5: Effect of $\rho$ and $|S|$ on $P_n$ ($P_m=0.025625$, $N_p=400$).

Figure 6: Effect of $|M|$ and $|T|$ on $P_r$ ($P_m=0.025625$, $P_n=0.01$).

Figures 7 and 8 are the Matlab simulations of Theorem 7. As can be seen from the figures, with the rise of $|M|$ and $|T|$, $P_{neg}$ decreases and $P_{pos}$ increases.

Considering the simulations of Theorems 5, 6, and 7, when $|S|=200$, $N_p=500$, $\rho=0.01$, $|M|=100$, and $|T|=100$, $P_n<1\%$, $P_r>95\%$, $P_{neg}<1\%$, and $P_{pos}<5\%$ reach ideal values.
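The following added Python example (not from the paper) evaluates the closed forms of Theorems 5-7 at the parameter point just named and checks the stated targets; it also inverts Theorem 6 to find the smallest |M|+|T| that reaches a target P_r, which goes one step beyond the text.

```python
# Added example, not the paper's code: the closed forms of Theorems 5-7
# evaluated at the parameter point Section 3 calls ideal, with the Poisson
# approximations used in the proofs.  P_m = 0.025625 is the value the paper
# gives for the r-contiguous bit matching rule.
import math

P_M = 0.025625


def p_n(size_s, n_p, rho, p_m=P_M):
    """Theorem 5: probability that a self-tolerated detector matches a self
    that the self set S does not describe."""
    undescribed = max(n_p * (1 - rho) - size_s, 0)  # selves outside S
    return (1 - p_m) ** size_s * (1 - (1 - p_m) ** undescribed)


def p_r(size_m, size_t, pn, p_m=P_M, poisson=False):
    """Theorem 6: probability that a nonself antigen is identified; only the
    (|M|+|T|)(1-P_n) detectors that do not recognise selves count."""
    k = (size_m + size_t) * (1 - pn)
    return 1 - math.exp(-p_m * k) if poisson else 1 - (1 - p_m) ** k


def p_neg(size_m, size_t, pn, p_m=P_M, poisson=False):
    """Theorem 7: false-negative probability for a nonself antigen."""
    return 1 - p_r(size_m, size_t, pn, p_m, poisson)


def p_pos(size_m, size_t, pn, p_m=P_M, poisson=False):
    """Theorem 7: false-positive probability for a self antigen; only the
    (|M|+|T|)P_n detectors that do match selves can raise it."""
    k = (size_m + size_t) * pn
    return 1 - math.exp(-p_m * k) if poisson else 1 - (1 - p_m) ** k


def rates(size_s=200, n_p=500, rho=0.01, size_m=100, size_t=100):
    """All four quantities at one parameter point (defaults: the paper's)."""
    pn = p_n(size_s, n_p, rho)
    return {"P_n": pn, "P_r": p_r(size_m, size_t, pn),
            "P_neg": p_neg(size_m, size_t, pn), "P_pos": p_pos(size_m, size_t, pn)}


def meets_ideal(v):
    """The targets stated in Section 3: P_n < 1%, P_r > 95%, P_neg < 1%, P_pos < 5%."""
    return (v["P_n"] < 0.01 and v["P_r"] > 0.95
            and v["P_neg"] < 0.01 and v["P_pos"] < 0.05)


def detectors_needed(target_pr, pn, p_m=P_M):
    """Theorem 6 inverted (added here, not in the paper): the smallest
    |M|+|T| for which the exact P_r reaches target_pr."""
    k = math.log(1 - target_pr) / math.log(1 - p_m)
    return math.ceil(k / (1 - pn))


if __name__ == "__main__":
    v = rates()
    print({key: round(x, 5) for key, x in v.items()}, "ideal:", meets_ideal(v))
    print("detectors for P_r >= 95%:", detectors_needed(0.95, v["P_n"]))
```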

4. Experimental Results and Analysis

In this section, we verify the validity of IB-IDS through experiments, including security analysis, effects on the performance of programs after joining IB-IDS into the Xen virtual machine system, and intrusion detection efficiencies of IB-IDS. The experimental environment is as follows. All tests were performed on a ThinkPad T540p notebook. This type of hardware configuration is an Intel Core i5-4300M 2.60 GHz quad-core CPU and 8 G of physical memory. The Xen version number is 4.4.1, which manages two domains: the privileged VM dom0 and the guest VM dom1. These two virtual machines run the Ubuntu system with version 14.04, and the kernel version of Linux is 3.13.0-19. Dom0 is allocated four VCPUs and 4 G phys­ical memory, and its CPU scheduling weight is set to 256, while Dom1 is allocated four VCPUs and 1 G physical memory, and its CPU scheduling weight is set to 256.

In IB-IDS, parameters are set as follows. The danger signal parameters are $k_1=1$, $k_2=0.5$, $k_3=-1.5$, and the radius of the danger zone is $r_{danger}=0.5$. Experiments run 10 times and averaged results were acquired.

Figure 7: Effect of $|M|$ and $|T|$ on $P_{neg}$ ($P_m=0.025625$, $P_n=0.01$).

Figure 8: Effect of $|M|$ and $|T|$ on $P_{pos}$ ($P_m=0.025625$, $P_n=0.01$).

4.1. Security Analysis. In the architecture description of the model, each module is distributed in different virtual machines. In domU, data is collected and then passed to dom0 through the interdomain communication mechanism. The authorization list of Xen can make sure that a domain's memory space can only be accessed by its authorized domain. In the model, domU is the owner of a ring sharing buffer, and dom0 has the only granted permission; other domains cannot access it. Therefore, data will not be leaked to other unauthorized domains, and the data transfer process is safe.

In paravirtualized Xen, domU accesses the hardware indirectly through dom0. To ensure the safety of the immune calculation, the model passes data to dom0 for computation. In this model, we assume that the privileged virtual machine is a trusted node.

Some traditional intrusion detection tools typically need to be deployed in a client virtual machine. Because the client virtual machine is not a trusted node and it is exposed to various attacks, the detection tools are also vulnerable. In this model, we assume that the virtual machine monitor is also a trusted node. The memory space of the two modules which are deployed in domU will be monitored by the virtual machine monitor.

Therefore, the monitoring process and results of the model are reliable.

4.2. Performance Evaluations of the Model. The introduction of IB-IDS to a virtual machine system will obviously bring some performance cost. In cloud computing, many applications are executed concurrently. Therefore, this section firstly uses the appropriate performance test to assess the impact of IB-IDS on parallel programs. In our tests, we used the classic SPLASH-2 program group [18, 19]. The programs are written in C, are composed of 12 benchmarks, and use the PThread parallel mode. We randomly select five procedures for testing, and Table 1 gives a brief introduction.

Table 1: Illustrations of tested parallel programs.

Program names   Meanings                                                                                                  Parameter settings
FFT             Computing a fast Fourier transform                                                                        m = 22, p = 2, n = 65536, l = 4
LU              Splitting a sparse matrix into a product of a lower triangular matrix and an upper triangular matrix      p = 2, n = 2048, b = 16
Ocean           Simulating movements of an entire ocean through the edge of the ocean currents (noncontiguous block allocation method)   p = 4, n = 258, t = 380, e = 1e−09
Raytrace        Path simulation of lights                                                                                 p = 4, envfile = ball4
Barnes          Simulating a three-dimensional multibody system (e.g., galaxies)                                          p = 2, fleaves = 2

Figure 9: Testing of parallel programs (compute time in ms for FFT, LU, Ocean, Raytrace, and Barnes, with and without IB-IDS).

Figure 9 shows contrasts of the five benchmarks between loading IB-IDS and unloading IB-IDS. As can be seen from the figure, the calculation time of dom1 is longer than in the original system, and the average increased time is 7.33%, up to 10.86% on the LU program, which indicates that the additional cost of the virtual machine system with integrated IB-IDS is very small and in the acceptable range. Applying IB-IDS to cloud computing platforms will not have a significant impact on parallel applications.

In IB-IDS, the main performance overhead of domU is from the antigen presenting module and the signal acquisition module, as well as the operation of passing data to dom0 through the intervirtual machine communication mechanism. These acts are performed regularly, and the cost is limited. For example, the antigen presenting module is a proactive monitoring program on system call sequences and is not triggered by every system call. The signal acquisition module is the same. Through the event channel, domU puts antigens and environmental status into the ring buffer, and only if the ring buffer is empty will it notify dom0, which will cause a context switch between domU and dom0. If there is data in the ring buffer, dom0 would have kept reading, and domU's notification is not required. So the overhead of context switching is limited. In addition, implementations of the immune response module, signal measurement module, and information monitoring module will increase the performance overhead of dom0, and the impact on domU can be ignored.

Then we test the impact of IB-IDS on computation intensive applications. In our tests, we used the SPEC (Standard Performance Evaluation Corporation) CPU2000 set of benchmark programs [20]. The programs include two parts. One is CINT2000, for integer computation intensive applications. The other is CFP2000, for floating-point applications. We choose CINT2000, which has 12 applications, and we randomly select five procedures for testing; Table 2 gives a brief introduction.

Figure 10 shows contrasts of the five benchmarks when loading IB-IDS and unloading IB-IDS. As can be seen from the figure, the calculation time of dom1 is longer than in the original system, and the average increased time is 9.12%, up to 11.48% on the 254.gap program. Compared with parallel programs, the influence of IB-IDS on the virtual machine is larger, but it is still in the acceptable range. So IB-IDS can be integrated in the computation intensive program scenario of cloud computing.

At last, we test the impact of IB-IDS on a web server. In our tests, DomU runs the web server, which is composed of the Apache HTTP server and PHP. We use the httperf tool [21] to generate continuous network requests that can cause the server to be overloaded. Using the autobench tool [22], we can run httperf many times, increase the number of requests per second, and extract the output of the httperf results. Figure 11 shows contrasts of server responses when loading IB-IDS and unloading IB-IDS. As can be seen, when the frequency of HTTP requests increases, the response time of the server after the introduction of IB-IDS rises. When the HTTP request frequency is 100, the increased time is less than 0.5 s, which is acceptable. Therefore, in a cloud computing platform with the deployment of a web server, the IB-IDS system can also be applied.

Table 2: Illustrations of tested computation intensive programs.

Program names   Meanings
164.gzip        The compression and decompression operations of a set of files
175.vpr         According to specific algorithms, placement and routing operations for field-programmable gate array circuits
186.crafty      Chess program that finds the next move in view of the board layout
252.eon         Probabilistic ray tracing used to create a 3D object image
254.gap         Solving the problem of correlation analysis and calculation of discrete mathematics

Figure 10: Testing of computation intensive programs (compute time in s for 164.gzip, 175.vpr, 186.crafty, 252.eon, and 254.gap, with and without IB-IDS).

43 Comparisons of Detection Rates and False Alarm RatesThis section will test the ability of IB-IDS for detectingattacks Experiments adopt detection rate (DR) and falsealarm rate (FAR) to measure the effectiveness of the systemand to compare with ARTIS model proposed by Glickman etal [17] As a general computer immune system themodel hascharacteristics of diversity distribution dynamic learningadaptability and self-monitoring It consists of a series oflymph nodes and each node independently completes theimmune function Each node contains multiple detectors(a detector is a blend of the nature of B cells T cells andantibodies) ARTIS model draws on a variety of biologicalimmune mechanisms and coordinated stimulus and thedynamic evolution of detectors (immature onesmature onesandmemory ones) make it continuously learningThemodelhas been successfully applied in intrusion detection virusidentification pattern recognition and so forth [17 23]Figure 12 shows the life cycle of detectors

Figures 13 and 14 show comparisons of DR and FARfor IB-IDS and ARTIS in the simulation environment InFigure 13 experiments adopt data with 60 nonselves in every100 antigens where 30 nonselves are just confirmed Thismeans that previously this type of antigen is consideredto be self (normal procedure) and is now thought of asnonself (abnormal procedure) For example unload someattack process instantly and stop providing related services InFigure 14 experiments adopt data with 40 selves in every 100antigens where 20 nonselves are just defined For example

Request rate 100806040200

0

500

1000

1500

2000

2500

3000

3500

4000

4500

Resp

onse

tim

e (m

s)

No IB-IDSWith IB-IDS

Figure 11 Testing of web server load

load some new processes to provide new services Experi-mental results show that IB-IDS has higher DR and lowerFAR

Then we adopt the wu-ftpd 2.6.0 program, the sendmail 8.12.0 program, and some typical Linux rootkits, which are widely used as test applications for anomaly detection. Attacks against wu-ftpd are the scripting attack on the file name matching vulnerability, the attack of getting around access restrictions, the scripting attack on the site exec vulnerability, and so on. Attacks against sendmail are the sccp attack, the decode attack, the remote buffer overflow attack, and so on. Representative rootkits include the simple hook rootkit, the inline hook rootkit, the inline hook complex rootkit, and so on. Simple hook rootkit: a rootkit of this type modifies the entry address of a system call function in the system call table to point to a malicious function; when the corresponding system call is invoked, the malicious function executes instead of the original system call function. Inline hook rootkit: a rootkit of this type does not modify the system call table entry but replaces the first few bytes of the system call function with a jump instruction; compared with the simple hook rootkit, it is more subtle. Inline hook complex rootkit: a rootkit of this type does not replace the first bytes of the system call function with a jump but other bytes, for example bytes in the middle of the function. Table 3 lists the DRs and FARs of IB-IDS and ARTIS, with variances in parentheses. As can be seen from the table, IB-IDS has high detection rates and low false alarm rates under the various attacks and is feasible for judging applications in client virtual machines.

Mobile Information Systems 13

Figure 12: The life cycle of detectors in ARTIS (states: randomly generated immature detectors, mature detectors, memory detectors, dead; transition labels: not match selves, match selves, match antigens, match enough, costimulation, no co-stimulation, activate, too old; detectors are bit strings such as 01111111010000 110101).

Figure 13: Comparisons of DR for IB-IDS and ARTIS (x-axis: time, 5 to 50; y-axis: detection rate in %, 0 to 100; series: ARTIS, IB-IDS).
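The three hook classes listed above are what memory-forensics style checks look for, and the page's own argument for doing this from dom0 and the VMM (rather than inside the guest) is that the baseline has to come from somewhere the rootkit cannot edit. The following is an added illustration, not the paper's detector and not tied to its immune model: it runs the three checks over a constructed snapshot of guest kernel memory. The symbol names, addresses, byte patterns and the kernel .text range are all made up for the example; the only real encoding used is x86-64 `jmp rel32` (opcode E9 followed by a signed 32-bit displacement relative to the next instruction).

```python
"""Checks for the three rootkit hook classes described above (system call
table entry redirected; 'jmp' patched over the function entry; 'jmp' patched
into the function body), run against a constructed snapshot of guest kernel
memory. Added illustration, not the paper's detector; the addresses, symbol
names and byte patterns below are made up, and the kernel .text range is an
assumption. x86-64 'jmp rel32' is decoded as E9 + signed 32-bit displacement."""
import struct
from dataclasses import dataclass

TEXT_START = 0xFFFFFFFF81000000     # assumed guest kernel .text range
TEXT_END = 0xFFFFFFFF82000000


@dataclass
class Snapshot:
    symbols: dict          # syscall handler name -> address (trusted, e.g. from System.map)
    code: dict             # handler address -> first bytes read from guest memory
    syscall_table: dict    # syscall number -> handler address read from guest memory
    expected: dict         # syscall number -> handler name the table should hold


def jmp_rel32_target(code: bytes, off: int, base: int):
    """Return the target of an E9 jmp at code[off] (instruction at base+off), else None."""
    if off + 5 > len(code) or code[off] != 0xE9:
        return None
    rel = struct.unpack_from("<i", code, off + 1)[0]
    return base + off + 5 + rel


def in_text(addr: int) -> bool:
    return TEXT_START <= addr < TEXT_END


def check_syscall_table(snap: Snapshot):
    """Simple hook: a table slot no longer points at the handler symbol."""
    return [("simple_hook", snap.expected[nr], addr)
            for nr, addr in snap.syscall_table.items()
            if addr != snap.symbols[snap.expected[nr]]]


def check_inline_hooks(snap: Snapshot):
    """Inline hooks: a jmp whose target leaves kernel .text. At offset 0 it is the
    plain inline hook; deeper in the body it is the 'complex' variant."""
    findings = []
    for name, addr in snap.symbols.items():
        code = snap.code[addr]
        for off in range(len(code)):
            target = jmp_rel32_target(code, off, addr)
            if target is None or in_text(target):
                continue                    # no jmp here, or an ordinary intra-kernel jmp
            findings.append(("inline_hook" if off == 0 else "inline_hook_complex", name, target))
            break
    return findings


def scan(snap: Snapshot):
    return check_syscall_table(snap) + check_inline_hooks(snap)


def _jmp(base: int, off: int, target: int) -> bytes:
    """Encode 'jmp rel32' placed at base+off that lands on target."""
    return b"\xe9" + struct.pack("<i", target - (base + off + 5))


def build_sample_snapshot() -> Snapshot:
    """Constructed guest: one clean handler with a legitimate intra-.text jmp,
    one entry-patched, one body-patched, and one table slot redirected."""
    prologue = b"\x55\x48\x89\xe5"                       # push rbp; mov rbp, rsp
    s_read, s_write, s_open, s_getdents = (0xFFFFFFFF81200000, 0xFFFFFFFF81200200,
                                            0xFFFFFFFF81200400, 0xFFFFFFFF81200600)
    module = 0xFFFFFFFFC0001000                          # attacker module, outside .text
    pushes = b"\x41\x57\x41\x56\x41\x55\x41\x54"         # push r15; r14; r13; r12
    code = {
        s_read: prologue + _jmp(s_read, 4, s_read + 0x100) + b"\x90" * 7,
        s_write: _jmp(s_write, 0, module) + b"\x90" * 11,
        s_open: prologue + pushes + _jmp(s_open, 12, module + 0x800) + b"\x90" * 3,
        s_getdents: prologue + b"\x90" * 12,
    }
    symbols = {"sys_read": s_read, "sys_write": s_write,
               "sys_open": s_open, "sys_getdents64": s_getdents}
    table = {0: s_read, 1: s_write, 2: s_open, 217: module + 0x1000}   # slot 217 redirected
    expected = {0: "sys_read", 1: "sys_write", 2: "sys_open", 217: "sys_getdents64"}
    return Snapshot(symbols, code, table, expected)


if __name__ == "__main__":
    for kind, name, where in scan(build_sample_snapshot()):
        print(f"{kind:20s} {name:15s} -> {where:#x}")
```

Two caveats a practitioner would add before trusting such a check on a real guest. Scanning raw bytes for 0xE9 without disassembling from the function entry can misfire on immediates and data, and a kernel legitimately rewrites its own text at boot and at runtime (alternatives, ftrace, jump labels), so production tools compare against the on-disk image with that patching accounted for. And the trusted symbol addresses must come from outside the guest, which is exactly why the model performs its checks from dom0 and the VMM; with address space randomization the baseline has to be relocated per boot, not copied from a static map.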

5 Conclusions

Cloud computing platforms are usually based on virtual machines as the underlying architecture; the security of virtual machine systems is the core of cloud computing security.

Figure 14: Comparisons of FAR for IB-IDS and ARTIS (x-axis: time, 5 to 50; y-axis: false alarm rate in %, 0 to 100; series: ARTIS, IB-IDS).

Current studies on the security of user programs and on vulnerabilities of virtual machine monitors cannot accurately judge the real state of a client application in the virtual machine. At the same time, the proposed defense methods target only specific attacks and vulnerabilities and cannot effectively deal with other threats. This paper presents an immune-based intrusion detection model for virtual machines in the cloud computing environment to ensure the safety of user-level applications in client virtual machines. The model extracts the system call sequences and their parameters from programs, abstracts them into antigens, and fuses environmental information of the guest virtual machines into danger signals in the client VMs. Immune responses are then performed in the privileged VM. During the detection process, an information monitoring mechanism is executed in the VMM. Experimental results show that the model brings a small performance overhead to the virtual machine system and has good detection performance. It is applicable to judging the state of user-level applications in guest virtual machines, and it is feasible to use it to increase user-level security in software services of cloud computing platforms.

Table 3: Detection results (DR and FAR in %, variances in parentheses)

Process    Attack                                  ARTIS DR       ARTIS FAR      IB-IDS DR      IB-IDS FAR
wu-ftpd    file name matching vulnerability        76.12 (5.11)   10.28 (4.17)   96.55 (1.14)   7.22 (1.22)
wu-ftpd    site exec vulnerability                 79.87 (2.45)   9.87 (5.32)    97.31 (1.23)   6.65 (2.01)
wu-ftpd    getting around access restrictions      77.54 (4.77)   12.75 (3.74)   97.02 (1.08)   7.43 (1.67)
sendmail   sccp attack                             74.52 (3.56)   14.62 (3.41)   98.11 (1.25)   5.15 (1.63)
sendmail   decode attack                           81.21 (4.84)   15.72 (3.87)   98.35 (1.01)   5.42 (1.69)
sendmail   remote buffer overflow attack           82.45 (5.46)   12.84 (5.63)   98.78 (1.14)   5.80 (1.28)
rootkit    simple hook rootkit                     85.15 (5.16)   9.41 (4.12)    99.99 (0)      0 (0)
rootkit    inline hook rootkit                     82.45 (6.82)   10.75 (8.20)   99.99 (0)      0 (0)
rootkit    inline hook complex rootkit             75.14 (5.23)   9.56 (6.77)    95.84 (2.42)   3.78 (2.89)

Conflicts of Interest

The authors declare that there are no conflicts of interest

Acknowledgments

The authors would like to acknowledge the Sichuan Agricultural University Double Support Project for providing financial aid.

References

[1] A. Haeberlen, P. Aditya, R. Rodrigues, and P. Druschel, "Accountable virtual machines," in Proceedings of the 9th USENIX Symposium on Operating Systems Design and Implementation (OSDI '10), 2010.

[2] B. D. Payne, M. Carbone, M. Sharif, and W. Lee, "Lares: an architecture for secure active monitoring using virtualization," in Proceedings of the 2008 IEEE Symposium on Security and Privacy (SP), pp. 233–247, Oakland, Calif, USA, May 2008.

[3] M. I. Sharif, W. Lee, W. Cui, and A. Lanzi, "Secure in-VM monitoring using hardware virtualization," in Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS '09), pp. 477–487, Chicago, Ill, USA, November 2009.

[4] Z. Wang, X. Jiang, W. Cui, and P. Ning, "Countering kernel rootkits with lightweight hook protection," in Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS '09), pp. 545–554, Chicago, Ill, USA, November 2009.

[5] O. S. Hofmann, A. M. Dunn, S. Kim, I. Roy, and E. Witchel, "Ensuring operating system kernel integrity with OSck," in Proceedings of the 16th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS 2011), pp. 279–290, Newport Beach, Calif, USA, March 2011.

[6] A. Baliga, V. Ganapathy, and L. Iftode, "Detecting kernel-level rootkits using data structure invariants," IEEE Transactions on Dependable and Secure Computing, vol. 8, no. 5, pp. 670–684, 2011.

[7] S. Bharadwaja, W. Sun, M. Niamat, and F. Shen, "Collabra: a Xen hypervisor based collaborative intrusion detection system," in Proceedings of the 2011 8th International Conference on Information Technology: New Generations (ITNG 2011), pp. 695–700, Las Vegas, NV, USA, April 2011.

[8] A. Srivastava, A. Lanzi, J. Giffin, and D. Balzarotti, "Operating system interface obfuscation and the revealing of hidden operations," Lecture Notes in Computer Science, vol. 6739, pp. 214–233, 2011.

[9] J. Szefer, E. Keller, R. B. Lee, and J. Rexford, "Eliminating the hypervisor attack surface for a more secure cloud," in Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS '11), pp. 401–412, Chicago, Ill, USA, October 2011.

[10] H. Benzina and J. Goubault-Larrecq, "Some ideas on virtualized system security, and monitors," in Data Privacy Management and Autonomous Spontaneous Security, vol. 6514 of Lecture Notes in Computer Science, pp. 244–258, Springer, Berlin, Heidelberg, Germany, 2011.

[11] L. Wang, H. Gao, W. Liu, and Y. Peng, "Detecting and managing hidden process via hypervisor," Jisuanji Yanjiu yu Fazhan/Computer Research and Development, vol. 48, no. 8, pp. 1534–1541, 2011.

[12] P. Barham, B. Dragovic, K. Fraser et al., "Xen and the art of virtualization," in Proceedings of the 19th ACM Symposium on Operating Systems Principles (SOSP '03), pp. 164–177, New York, NY, USA, October 2003.

[13] D. Chisnall, The Definitive Guide to the Xen Hypervisor, Prentice Hall Press, Upper Saddle River, NJ, USA, 2007.

[14] S. Forrest, A. Perelson, L. Allen, and R. Cherukuri, "Self-nonself discrimination in a computer," in Proceedings of the 1994 IEEE Computer Society Symposium on Research in Security and Privacy, pp. 202–212, Oakland, Calif, USA.

[15] D.-Y. Li, C.-Y. Liu, Y. Du, and X. Han, "Artificial intelligence with uncertainty," Journal of Software, vol. 15, no. 11, 2004.

[16] P. D'haeseleer, S. Forrest, and P. Helman, "An immunological approach to change detection: algorithms, analysis and implications," in Proceedings of the 1996 IEEE Symposium on Security and Privacy, pp. 110–119, Oakland, Calif, USA.

[17] M. Glickman, J. Balthrop, and S. Forrest, "A machine learning evaluation of an artificial immune system," Evolutionary Computation, vol. 13, no. 2, pp. 179–212, 2005.

[18] S. Woo, M. Ohara, E. Torrie, J. Singh, and A. Gupta, "The SPLASH-2 programs: characterization and methodological considerations," in Proceedings of the 22nd Annual International Symposium on Computer Architecture, pp. 24–36, Santa Margherita Ligure, Italy.

[19] J. P. Singh, W. Weber, and A. Gupta, "SPLASH," ACM SIGARCH Computer Architecture News, vol. 20, no. 1, pp. 5–44, 1992.

[20] Standard Performance Evaluation Corporation, http://www.spec.org/.

[21] httperf, http://www.hpl.hp.com/research/linux/httperf/.

[22] autobench, http://www.xenoclast.org/autobench/.

[23] J. Balthrop, S. Forrest, M. E. J. Newman, and M. M. Williamson, "Technological networks and the spread of computer viruses," Science, vol. 304, no. 5670, pp. 527–529, 2004.


where $AG(t), AG(t-1) \subset AG$ respectively denote the set of antigens at moments $t$ and $t-1$, $AG_{\mathrm{first}}$ is the set of initial antigens, and $AG_{\mathrm{checked}}(t) \subset AG(t)$ denotes the antigens to be checked at moment $t$.

3 Performance Analysis of the Model

Set the number of programs in a computer as $N_p$; usually the proportion of nonselves is $\rho$. The size of the self set is $|S|$, the size of the mature detector set is $|T|$, and the size of the memory detector set is $|M|$. The matching probability between any given detector and any given antigen is $P_m$ (which depends on the specific matching rule). $P(A)$ is the probability of occurrence of event $A$.

Theorem 5. For any detector which passes self-tolerance, the probability that this detector matches a self which is not described is
$$P_n = (1-P_m)^{|S|} \cdot \left(1-(1-P_m)^{N_p(1-\rho)-|S|}\right).$$

Proof. Let $A$ be the event "the given detector does not match any self in the self set" and $B$ the event "the given detector matches at least one self in the undescribed self set". Clearly a detector in $A$ is self-tolerated, and a detector in $B$ may not be. $P_n = P(A)P(B)$. In event $A$, the number of times $X$ that the detector matches selves follows the binomial distribution $X \sim b(n,p)$ with $n = |S|$, $p = P_m$, so $P(A) = P(X=0) = (P_m)^0 (1-P_m)^{|S|} = (1-P_m)^{|S|}$. Similarly, in event $B$, the number of times $Y$ that the detector matches selves follows $Y \sim b(n,p)$ with $n = N_p(1-\rho)-|S|$, $p = P_m$, so $P(B) = 1-P(Y=0) = 1-(1-P_m)^{N_p(1-\rho)-|S|}$. Hence $P_n = P(A)P(B) = (1-P_m)^{|S|}\cdot\left(1-(1-P_m)^{N_p(1-\rho)-|S|}\right)$.

Theorem 6. For any given nonself antigen $ag$, the probability that this antigen is identified correctly is
$$P_r = 1-(1-P_m)^{(|M|+|T|)(1-P_n)} \approx 1-e^{-P_m(|M|+|T|)(1-P_n)}.$$

Proof. Let $A$ be the event "$ag$ matches some memory detector or some mature detector which is triggered by danger signals"; $P_r = P(A)$. In event $A$, the number of times $X$ that the antigen matches detectors follows the binomial distribution $X \sim b(n,p)$ with $n = (|M|+|T|)(1-P_n)$, $p = P_m$; the memory and mature detectors which recognize selves cannot identify nonselves and are not counted. Then $P_r = P(A) = 1-P(X=0) = 1-(1-P_m)^{(|M|+|T|)(1-P_n)}$. By the Poisson theorem, when $P_m$ is small and $(|M|+|T|)(1-P_n)$ is large, $P_r \approx 1-e^{-P_m(|M|+|T|)(1-P_n)}$.

Theorem 7. For any given nonself antigen $ag$, the probability of a false negative on this antigen is
$$P_{\mathrm{neg}} = (1-P_m)^{(|M|+|T|)(1-P_n)} \approx e^{-P_m(|M|+|T|)(1-P_n)};$$
for any given self antigen $ag$, the probability of a false positive on this antigen is
$$P_{\mathrm{pos}} = 1-(1-P_m)^{(|M|+|T|)P_n} \approx 1-e^{-P_m(|M|+|T|)P_n}.$$

Proof. By Theorem 6, $P_{\mathrm{neg}} = 1-P_r = (1-P_m)^{(|M|+|T|)(1-P_n)} \approx e^{-P_m(|M|+|T|)(1-P_n)}$. Let $A$ be the event "the given self matches some memory detector or mature detector"; then $P_{\mathrm{pos}} = P(A)$. In event $A$, the number of times $X$ that the self matches detectors follows the binomial distribution $X \sim b(n,p)$ with $n = (|M|+|T|)P_n$, $p = P_m$. So $P_{\mathrm{pos}} = P(A) = 1-P(X=0) = 1-(1-P_m)^{(|M|+|T|)P_n}$. By the Poisson theorem, when $P_m$ is small and $(|M|+|T|)P_n$ is large, $P_{\mathrm{pos}} \approx 1-e^{-P_m(|M|+|T|)P_n}$.

Theorem 8. Selves of the model are completely described at the macrolevel. The spatial complexity of the dynamic tolerance model producing a fixed number of mature detectors is constant, and the time complexity is linear in the number of detectors (excluding immature detectors).

Proof. According to (8), the self set evolves with a fixed-length time slice. With the passage of time, $\bigcup_{t=0}^{\infty} S(t)$ covers the entire self space, that is, the description of selves at the macrolevel is complete. Moreover, the size of the self set is limited to $\mathrm{size}_{\max}$. Without loss of generality, consider the extreme case $|S(t)| = \mathrm{size}_{\max}$. D'haeseleer et al. [16] pointed out that for an arbitrary matching rule the spatial complexity of producing a fixed number of mature detectors is $O(l \cdot \mathrm{size}_{\max})$ and the time complexity is $O\!\left(\frac{-\ln P_{\mathrm{neg}}}{P_m (1-P_m)^{\mathrm{size}_{\max}}} \cdot \mathrm{size}_{\max}\right)$. For a specific matching algorithm $P_m$ is constant. By Theorem 7, $P_{\mathrm{neg}} \approx e^{-P_m(|M|+|T|)(1-P_n)}$; by Theorem 5, $P_n = (1-P_m)^{\mathrm{size}_{\max}} \cdot \left(1-(1-P_m)^{N_p(1-\rho)-\mathrm{size}_{\max}}\right)$. So the time complexity of producing a fixed number of mature detectors is
$$O\!\left(\frac{-\ln P_{\mathrm{neg}}}{P_m(1-P_m)^{\mathrm{size}_{\max}}}\cdot \mathrm{size}_{\max}\right) = O\!\left(\frac{(|M|+|T|)(1-P_n)}{(1-P_m)^{\mathrm{size}_{\max}}}\cdot \mathrm{size}_{\max}\right) = O\!\left((|M|+|T|)\cdot\frac{(1-P_n)\,\mathrm{size}_{\max}}{(1-P_m)^{\mathrm{size}_{\max}}}\right).$$
That is, the time complexity of producing a fixed number of mature detectors is linear in the number of memory detectors and mature detectors.

Figure 4: Effect of $N_p$ and $|S|$ on $P_n$ ($P_m = 0.025625$, $\rho = 0.01$; axes: $N_p$ from 0 to 1000, $|S|$ from 0 to 400, $P_n$ from 0 to 1).

For a specific matching rule $P_m$ is constant [17]; for the $r$-contiguous-bit matching method used here, $P_m = 0.025625$. Figures 4 and 5 are the Matlab simulations of Theorem 5. As can be seen from the figures, when $|S|$ is large enough, the effect of $N_p$ and $\rho$ on $P_n$ is small. When $|S| = 200$, $N_p = 500$, and $\rho = 0.01$, $P_n < 1\%$, which reaches the ideal value.

Figure 6 is the Matlab simulation of Theorem 6. As can be seen from the figure, $P_r$ increases as $|M|$ and $|T|$ grow.

Figure 5: Effect of $\rho$ and $|S|$ on $P_n$ ($P_m = 0.025625$, $N_p = 400$; axes: $\rho$ from 0 to 0.1, $|S|$ from 0 to 400, $P_n$ from 0 to 1).

Figure 6: Effect of $|M|$ and $|T|$ on $P_r$ ($P_m = 0.025625$, $P_n = 0.01$; axes: $|M|$ and $|T|$ from 0 to 400, $P_r$ from 0 to 1).

Figures 7 and 8 are the Matlab simulations of Theorem 7. As can be seen from the figures, with the rise of $|M|$ and $|T|$, $P_{\mathrm{neg}}$ decreases and $P_{\mathrm{pos}}$ increases.

Considering the simulations of Theorems 5, 6, and 7, when $|S| = 200$, $N_p = 500$, $\rho = 0.01$, $|M| = 100$, and $|T| = 100$, we obtain $P_n < 1\%$, $P_r > 95\%$, $P_{\mathrm{neg}} < 1\%$, and $P_{\mathrm{pos}} < 5\%$, which reach the ideal values.
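The closed forms of Theorems 5 to 7, evaluated at the operating point quoted in the paragraph above, as an added worked example (the paper's own figures were produced in Matlab; this is not that code). It uses the document's symbols ($|S|$, $N_p$, $\rho$, $|M|$, $|T|$, $P_m$) and the paper's value $P_m = 0.025625$; the only thing assumed is that the non-integer exponents $(|M|+|T|)(1-P_n)$ and $(|M|+|T|)P_n$ are used as they stand, which is how the theorems state them.

```python
"""Closed forms of Theorems 5-7 (P_n, P_r, P_neg, P_pos) and their Poisson
approximations, evaluated at the parameter point quoted in the text.
Added worked example; not code from the paper (the paper used Matlab)."""
import math

# Matching probability of the r-contiguous-bit rule used in the paper.
P_M = 0.025625


def p_n(size_s: int, n_p: int, rho: float, p_m: float = P_M) -> float:
    """Theorem 5: probability that a self-tolerated detector matches an
    undescribed self. The second factor counts the N_p(1-rho)-|S| selves
    that the self set does not cover."""
    undescribed = n_p * (1.0 - rho) - size_s
    if undescribed <= 0:        # self set already covers every self
        return 0.0
    return (1.0 - p_m) ** size_s * (1.0 - (1.0 - p_m) ** undescribed)


def p_r(size_m: int, size_t: int, pn: float, p_m: float = P_M, poisson: bool = False) -> float:
    """Theorem 6: probability a nonself antigen is identified. Only the
    (|M|+|T|)(1-P_n) detectors that do not recognise selves count."""
    effective = (size_m + size_t) * (1.0 - pn)
    if poisson:
        return 1.0 - math.exp(-p_m * effective)
    return 1.0 - (1.0 - p_m) ** effective


def p_neg(size_m, size_t, pn, p_m=P_M, poisson=False):
    """Theorem 7, false-negative probability for a nonself antigen."""
    return 1.0 - p_r(size_m, size_t, pn, p_m, poisson)


def p_pos(size_m, size_t, pn, p_m=P_M, poisson=False):
    """Theorem 7, false-positive probability for a self antigen: only the
    (|M|+|T|)P_n detectors that slipped through tolerance can fire on it."""
    effective = (size_m + size_t) * pn
    if poisson:
        return 1.0 - math.exp(-p_m * effective)
    return 1.0 - (1.0 - p_m) ** effective


def operating_point(size_s=200, n_p=500, rho=0.01, size_m=100, size_t=100, p_m=P_M):
    """All four probabilities at one parameter point, exact binomial form."""
    pn = p_n(size_s, n_p, rho, p_m)
    return {
        "P_n": pn,
        "P_r": p_r(size_m, size_t, pn, p_m),
        "P_neg": p_neg(size_m, size_t, pn, p_m),
        "P_pos": p_pos(size_m, size_t, pn, p_m),
    }


def meets_targets(point: dict) -> bool:
    """The thresholds the text calls ideal: P_n < 1%, P_r > 95%, P_neg < 1%, P_pos < 5%."""
    return (point["P_n"] < 0.01 and point["P_r"] > 0.95
            and point["P_neg"] < 0.01 and point["P_pos"] < 0.05)


if __name__ == "__main__":
    pt = operating_point()
    for k, v in pt.items():
        print(f"{k:6s} = {v:.4f}")
    print("ideal:", meets_targets(pt))
    # The sensitivity Figures 4 and 5 plot: a small self set leaves most selves undescribed.
    print("P_n with |S| = 20:", round(p_n(20, 500, 0.01), 4))
```

The second print shows the practical reading of Theorem 5: with the self set covering only 20 of the roughly 495 selves, more than half of the detectors that pass tolerance will still fire on some legitimate program, and the false-positive term $(|M|+|T|)P_n$ of Theorem 7 grows with it. The self set size, not the detector count, is what the operator controls here.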

4 Experimental Results and Analysis

In this section we verify the validity of IB-IDS through experiments, including a security analysis, the effect on program performance after adding IB-IDS to the Xen virtual machine system, and the intrusion detection efficiency of IB-IDS. The experimental environment is as follows. All tests were performed on a ThinkPad T540p notebook with an Intel Core i5-4300M 2.60 GHz CPU (four hardware threads) and 8 GB of physical memory. Xen version 4.4.1 manages two domains: the privileged VM dom0 and the guest VM dom1. Both virtual machines run Ubuntu 14.04 with Linux kernel 3.13.0-19. Dom0 is allocated four VCPUs and 4 GB of physical memory with a CPU scheduling weight of 256, while dom1 is allocated four VCPUs and 1 GB of physical memory with a CPU scheduling weight of 256.

In IB-IDS the parameters are set as follows: danger signal parameters $k_1 = 1$, $k_2 = 0.5$, $k_3 = -1.5$, and radius of the danger zone $r_{\mathrm{danger}} = 0.5$. Each experiment was run 10 times and the results averaged.

Figure 7: Effect of $|M|$ and $|T|$ on $P_{\mathrm{neg}}$ ($P_m = 0.025625$, $P_n = 0.01$; axes: $|M|$ and $|T|$ from 0 to 400, $P_{\mathrm{neg}}$ from 0 to 1).

Figure 8: Effect of $|M|$ and $|T|$ on $P_{\mathrm{pos}}$ ($P_m = 0.025625$, $P_n = 0.01$; axes: $|M|$ and $|T|$ from 0 to 400, $P_{\mathrm{pos}}$ from 0 to 1).

4.1 Security Analysis

In the architecture of the model, the modules are distributed across different virtual machines. In domU, data is collected and then passed to dom0 through the interdomain communication mechanism. The grant table (authorization list) of Xen ensures that a domain's memory pages can be accessed only by the domains it has authorized. In the model, domU is the owner of a shared ring buffer and dom0 is the only domain granted access; other domains cannot access it. Therefore data will not leak to other, unauthorized domains, and the data transfer process is safe.

In paravirtualized Xen, domU accesses hardware indirectly through dom0. To ensure the safety of the immune calculation, the model passes data to dom0 for computation. In this model we assume that the privileged virtual machine is a trusted node.

Traditional intrusion detection tools typically have to be deployed inside the client virtual machine. Because the client virtual machine is not a trusted node and is exposed to various attacks, the detection tools themselves are also vulnerable. In this model we assume that the virtual machine monitor is also a trusted node; the memory space of the two modules deployed in domU is monitored by the virtual machine monitor. Note that the grant mechanism above protects the ring buffer from other guests but not from the guest's own kernel, so the integrity of what domU writes into the ring rests on this VMM monitoring of the in-guest modules.

Therefore the monitoring process and the results of the model are reliable.

4.2 Performance Evaluations of the Model

The introduction of IB-IDS into a virtual machine system will obviously bring some performance cost. In cloud computing many applications are executed concurrently, so this section first uses an appropriate performance test to assess the impact of IB-IDS on parallel programs. In our tests we used the classic SPLASH-2 benchmark suite [18, 19]. The programs are written in C, comprise 12 benchmarks, and use the PThread parallel mode. We randomly selected five of them for testing; Table 1 gives a brief introduction.

Table 1: Tested parallel programs

Program    Meaning                                                                                   Parameter settings
FFT        Computing a fast Fourier transform                                                        m = 22, p = 2, n = 65536, l = 4
LU         Factoring a dense matrix into the product of a lower triangular and an upper triangular matrix   p = 2, n = 2048, b = 16
Ocean      Simulating the movement of an entire ocean driven by currents at its edges (noncontiguous block allocation)   p = 4, n = 258, t = 380, e = 1e-09
Raytrace   Path simulation of light rays                                                             p = 4, envfile = ball4
Barnes     Simulating a three-dimensional N-body system (e.g., galaxies)                             p = 2, fleaves = 2

Figure 9: Testing of parallel programs (x-axis: FFT, LU, Ocean, Raytrace, Barnes; y-axis: compute time, 0 to 5000 ms; series: No IB-IDS, With IB-IDS).

Figure 9 contrasts the five benchmarks with and without IB-IDS loaded. As can be seen from the figure, the calculation time of dom1 is longer than on the original system; the average increase is 7.33%, up to 10.86% on the LU program, which indicates that the additional cost of a virtual machine system with integrated IB-IDS is small and within an acceptable range. Applying IB-IDS to cloud computing platforms will not have a significant impact on parallel applications.

In IB-IDS, the main performance overhead in domU comes from the antigen presenting module and the signal acquisition module, as well as from passing data to dom0 through the inter-virtual-machine communication mechanism. These actions are performed periodically and their cost is limited. For example, the antigen presenting module is a proactive monitoring program for system call sequences and is not triggered by every system call; the signal acquisition module behaves the same way. Through the event channel, domU puts antigens and environmental status into the ring buffer, and only if the ring buffer was empty does it notify dom0, which causes a context switch between domU and dom0. If there is already data in the ring buffer, dom0 keeps reading it and no notification from domU is required, so the overhead of context switching is limited. In addition, the immune response module, the signal measurement module, and the information monitoring module increase the performance overhead of dom0, and their impact on domU can be ignored.
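The notify-only-when-idle rule of the preceding paragraph, as a deterministic single-threaded simulation of the domU to dom0 ring. This is an added illustration and not the paper's code; the ring capacity, dom0's per-tick drain rate and the two burst traces are constructed here, and the producer/consumer counters only mimic the shape of Xen's shared-ring indices. Besides counting notifications (the context switches the text is concerned with) it counts antigens that had to be dropped because the ring was full, which the paper does not discuss but which is the quantity an attacker who floods system calls would be trying to drive up.

```python
"""Notify-only-when-idle rule for the domU -> dom0 shared ring described
above, as a deterministic simulation. Added illustration, not the paper's
code; the ring size, the per-tick drain rate and the burst traces are
constructed here. The indices mimic Xen's producer/consumer counters."""


class SharedRing:
    """Fixed-size ring: domU (producer) appends antigens, dom0 (consumer) drains."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self.slots = [None] * capacity
        self.prod = 0        # next slot domU will write (monotonic counter)
        self.cons = 0        # next slot dom0 will read (monotonic counter)

    def __len__(self):
        return self.prod - self.cons

    def push(self, item) -> bool:
        """Append item; return True iff dom0 must be notified (ring was empty).
        Raises if the ring is full: the producer must not overwrite unread data."""
        if len(self) == self.capacity:
            raise OverflowError("ring full")
        was_empty = len(self) == 0
        self.slots[self.prod % self.capacity] = item
        self.prod += 1
        return was_empty

    def pop(self):
        item = self.slots[self.cons % self.capacity]
        self.cons += 1
        return item


def simulate(trace, capacity=8, drain_per_tick=4):
    """trace[i] = antigens domU produces in tick i. dom0 is woken only by a
    notification and keeps reading while the ring is non-empty, then idles.
    Returns the counters a practitioner would watch: notifications are the
    domU->dom0 context switches, dropped is the unmonitored antigen count."""
    ring = SharedRing(capacity)
    dom0_awake = False
    produced = consumed = notifications = dropped = 0
    for burst in trace:
        for _ in range(burst):
            produced += 1
            try:
                if ring.push(("antigen", produced)) and not dom0_awake:
                    notifications += 1          # empty -> non-empty transition wakes dom0
                    dom0_awake = True
            except OverflowError:
                dropped += 1                    # IDS blind spot: monitor this counter
        # dom0's share of this tick: drain up to drain_per_tick, idle when empty.
        if dom0_awake:
            for _ in range(drain_per_tick):
                if len(ring) == 0:
                    break
                ring.pop()
                consumed += 1
            if len(ring) == 0:
                dom0_awake = False
    return {"produced": produced, "consumed": consumed, "backlog": len(ring),
            "notifications": notifications, "dropped": dropped}


if __name__ == "__main__":
    quiet = [3, 0, 0, 5, 2, 0, 0, 1, 0, 0]        # constructed bursty trace
    print("quiet :", simulate(quiet))
    flood = [6] * 6 + [0] * 6                    # domU outruns dom0: drops appear
    print("flood :", simulate(flood))
```

In the quiet trace eleven antigens cost three notifications, because every burst that lands while dom0 is still draining rides along without one; in the flood trace a single notification suffices, but eight antigens are lost once domU sustains more than dom0 drains per tick. Two things the simulation sidesteps and a real implementation must not: with producer and consumer on different CPUs, "check empty, then notify" in the producer alone can lose a wakeup, which is why Xen's ring macros (RING_PUSH_REQUESTS_AND_CHECK_NOTIFY and RING_FINAL_CHECK_FOR_REQUESTS) have the consumer re-check the ring after announcing that it is idle; and a non-zero dropped count should be treated as a detection gap, not as backpressure to be ignored.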

Then we test the impact of IB-IDS on computation-intensive applications. In our tests we used the SPEC (Standard Performance Evaluation Corporation) CPU2000 benchmark suite [20]. It has two parts: CINT2000 for integer computation-intensive applications and CFP2000 for floating-point applications. We chose CINT2000, which has 12 applications, and randomly selected five of them for testing; Table 2 gives a brief introduction.

Figure 10 contrasts the five benchmarks with and without IB-IDS loaded. As can be seen from the figure, the calculation time of dom1 is longer than on the original system; the average increase is 9.12%, up to 11.48% on the 254.gap program. Compared with the parallel programs, the influence of IB-IDS on the virtual machine is larger, but it is still within an acceptable range, so IB-IDS can be integrated in the computation-intensive program scenario of cloud computing.

Finally we test the impact of IB-IDS on a web server. In our tests, domU runs a web server composed of the Apache HTTP server and PHP. We use the httperf tool [21] to generate continuous network requests that can overload the server. Using the autobench tool [22], we run httperf many times, increasing the number of requests per second, and extract the httperf results. Figure 11 contrasts server response times with and without IB-IDS loaded. As can be seen, as the HTTP request rate increases, the response time of the server with IB-IDS rises. At an HTTP request rate of 100 requests per second, the added time is less than 0.5 s, which is acceptable. Therefore IB-IDS can also be applied on a cloud computing platform that hosts a web server.

Table 2: Tested computation-intensive programs

Program      Meaning
164.gzip     Compression and decompression of a set of files
175.vpr      Placement and routing for a field-programmable gate array circuit according to specific algorithms
186.crafty   Chess program that finds the next move given the board layout
252.eon      Probabilistic ray tracing used to create a 3D object image
254.gap      Computational group theory (discrete mathematics)

Figure 10: Testing of computation-intensive programs (x-axis: 164.gzip, 175.vpr, 186.crafty, 252.eon, 254.gap; y-axis: compute time, 0 to 120 s; series: No IB-IDS, With IB-IDS).


[10] H Benzina and J Goubault-Larrecq ldquoSome Ideas on Virtu-alized System Security and Monitorsrdquo in Data Privacy Man-agement and Autonomous Spontaneous Security vol 6514 ofLecture Notes in Computer Science pp 244ndash258 Springer BerlinHeidelberg Berlin Heidelberg Germany 2011

[11] L Wang H Gao W Liu and Y Peng ldquoDetecting andmanaging hidden process via hypervisorrdquo Jisuanji Yanjiu yuFazhanComputer Research and Development vol 48 no 8 pp1534ndash1541 2011

[12] P Barham B Dragovic K Fraser et al ldquoXen and the art ofvirtualizationrdquo in Proceedings of the 19th ACM Symposium onOperating Systems Principles (SOSP rsquo03) pp 164ndash177 New YorkNY USA October 2003

[13] D ChisnallTheDefinitive Guide to the XenHypervisor PrenticeHall Press Upper Saddle River NJ USA 2007

Mobile Information Systems 15

[14] S Forrest A Perelson L Allen and R Cherukuri ldquoSelf-nonself discrimination in a computerrdquo in Proceedings of the 1994IEEE Computer Society Symposium on Research in Security andPrivacy pp 202ndash212 Oakland Calif USA

[15] L I De-Yi C Y Liu D U Yi and XHan ldquoArtificial intelligencewith uncertaintyrdquo Journal of Software vol 15 no 11 article 22004

[16] P Drsquohaeseleer S Forrest and P Helman ldquoAn immunologicalapproach to change detection algorithms analysis and impli-cationsrdquo in Proceedings of the 1996 IEEE Symposium on Securityand Privacy pp 110ndash119 Oakland Calif USA

[17] M Glickman J Balthrop and S Forrest ldquoA machine learningevaluation of an artificial immune systemrdquo Evolutionary Com-putation vol 13 no 2 pp 179ndash212 2005

[18] S Woo M Ohara E Torrie J Singh and A Gupta ldquoTheSPLASH-2 programs characterization and methodologicalconsiderationsrdquo in Proceedings of the 22nd Annual Interna-tional Symposium on Computer Architecture pp 24ndash36 SantaMargherita Ligure Italy

[19] J P SinghWWeber andA Gupta ldquoSPLASHrdquoACMSIGARCHComputer Architecture News vol 20 no 1 pp 5ndash44 1992

[20] Standard Performance Evaluation Corporation httpwwwspecorg

[21] httperf httpwwwhplhpcomresearchlinuxhttperf[22] autobench httpwwwxenoclastorgautobench[23] J Balthrop S Forrest M E J Newman andMMWilliamson

ldquoTechnological networks and the spread of computer virusesrdquoComputer Science vol 304 no 5670 pp 527ndash529 2004

Submit your manuscripts athttpswwwhindawicom

Computer Games Technology

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Distributed Sensor Networks

International Journal of

Advances in

FuzzySystems

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014

International Journal of

ReconfigurableComputing

Hindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 201

Applied Computational Intelligence and Soft Computing

thinspAdvancesthinspinthinsp

Artificial Intelligence

HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014

Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Hindawi Publishing Corporation

httpwwwhindawicom Volume 2014

Advances in

Multimedia

International Journal of

Biomedical Imaging

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Advances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 201

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Computational Intelligence and Neuroscience

Industrial EngineeringJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Human-ComputerInteraction

Advances in

Computer EngineeringAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

10 Mobile Information Systems

Figure 5: Effect of ρ and |S| on P_n (P_m = 0.025625, N_p = 400).

Figure 6: Effect of |M| and |T| on P_r (P_m = 0.025625, P_n = 0.01).

Figures 7 and 8 are the Matlab simulations of Theorem 7. As can be seen from the figures, as |M| and |T| rise, P_neg decreases and P_pos increases.

Taking the simulations of Theorems 5, 6, and 7 together, when |S| = 200, N_p = 500, ρ = 0.01, |M| = 100, and |T| = 100, the four indicators reach ideal values: P_n < 1%, P_r > 95%, P_neg < 1%, and P_pos < 5%.

4. Experimental Results and Analysis

In this section we verify the validity of IB-IDS through experiments: a security analysis, the effect on program performance after adding IB-IDS to the Xen virtual machine system, and the intrusion detection efficiency of IB-IDS. The experimental environment is as follows. All tests were performed on a ThinkPad T540p notebook with an Intel Core i5-4300M 2.60 GHz quad-core CPU and 8 GB of physical memory. Xen 4.4.1 manages two domains, the privileged VM dom0 and the guest VM dom1. Both virtual machines run Ubuntu 14.04 with Linux kernel 3.13.0-19. Dom0 is allocated four VCPUs and 4 GB of physical memory with a CPU scheduling weight of 256; dom1 is allocated four VCPUs and 1 GB of physical memory, also with a CPU scheduling weight of 256.

In IB-IDS the parameters are set as follows: danger signal parameters k_1 = 1, k_2 = 0.5, k_3 = -1.5, and danger zone radius r_danger = 0.5. Each experiment was run 10 times and the results were averaged.

Figure 7: Effect of |M| and |T| on P_neg (P_m = 0.025625, P_n = 0.01).

Figure 8: Effect of |M| and |T| on P_pos (P_m = 0.025625, P_n = 0.01).

4.1. Security Analysis. In the architecture description of the model, each module is distributed in a different virtual machine. In domU, data is collected and then passed to dom0 through the interdomain communication mechanism. Xen's grant table (authorization list) ensures that a domain's memory space can only be accessed by the domains it has authorized. In the model, domU is the owner of a shared ring buffer and dom0 is the only domain granted permission on it; no other domain can access it. Therefore the data will not be leaked to an unauthorized domain, and the data transfer process is safe.

In paravirtualized Xen, domU accesses the hardware indirectly through dom0. To ensure the safety of the immune calculation, the model passes the data to dom0 for computation. The model assumes that the privileged virtual machine is a trusted node.

Traditional intrusion detection tools typically need to be deployed inside the client virtual machine. Because the client virtual machine is not a trusted node and is exposed to various attacks, the detection tools themselves are also vulnerable. The model additionally assumes that the virtual machine monitor is a trusted node, and the memory space of the two modules deployed in domU (the antigen presenting module and the signal acquisition module) is monitored by the virtual machine monitor.

Under these two trust assumptions (dom0 and the VMM are trusted, domU is not), the monitoring process and the results of the model are reliable.

4.2. Performance Evaluations of the Model. The introduction of IB-IDS into a virtual machine system will obviously bring some performance cost. In cloud computing many applications are executed concurrently, so this section first uses an appropriate performance test to assess the impact of IB-IDS on parallel programs. In our tests we used the classic SPLASH-2 program suite [18, 19]. The programs are written in C, comprise 12 benchmarks, and use the PThread parallel mode. We randomly selected five programs for testing; Table 1 gives a brief introduction.

Table 1: Illustrations of the tested parallel programs.

Program    Meaning                                                                                   Parameter settings
FFT        Computing a fast Fourier transform                                                        m = 22, p = 2, n = 65536, l = 4
LU         Factoring a dense matrix into the product of a lower triangular matrix and an upper
           triangular matrix                                                                         p = 2, n = 2048, b = 16
Ocean      Simulating the movements of an entire ocean through the edge of the ocean currents
           (noncontiguous block allocation method)                                                   p = 4, n = 258, t = 380, e = 1e-09
Raytrace   Path simulation of lights                                                                 p = 4, envfile = ball4
Barnes     Simulating a three-dimensional multibody system (e.g., galaxies)                          p = 2, fleaves = 2

Figure 9: Testing of parallel programs (compute time in ms for FFT, LU, Ocean, Raytrace, and Barnes, with and without IB-IDS).

Figure 9 shows the contrast between the five benchmarks with IB-IDS loaded and unloaded. As can be seen from the figure, the computation time in dom1 is longer than on the original system; the average increase is 7.33%, up to 10.86% on the LU program. This indicates that the additional cost of a virtual machine system with integrated IB-IDS is small and within an acceptable range. Applying IB-IDS to cloud computing platforms will not have a significant impact on parallel applications.

In IB-IDS the main performance overhead in domU comes from the antigen presenting module and the signal acquisition module, as well as from passing data to dom0 through the inter-virtual-machine communication mechanism. These operations are performed periodically, and their cost is limited. For example, the antigen presenting module is a proactive monitoring program on system call sequences and is not triggered by every system call; the signal acquisition module behaves the same way. Through the event channel, domU puts antigens and environmental status into the ring buffer and notifies dom0 only if the ring buffer was empty, which causes a context switch between domU and dom0. If there is already data in the ring buffer, dom0 keeps reading and domU's notification is not required, so the overhead of context switching is limited. In addition, the immune response module, signal measurement module, and information monitoring module add performance overhead to dom0, and their impact on domU can be ignored.
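The notify-only-when-empty rule described above is what keeps event-channel traffic, and therefore context switches, proportional to idle-to-busy transitions rather than to the number of antigens. The following C program is an added illustration, not code from the paper or from Xen: it models the domU producer and dom0 consumer with a single-producer/single-consumer ring in ordinary process memory and counts how many notifications a burst of antigens needs. The ring size, the antigen fields, and the batching schedule of the consumer are assumptions chosen for the example.

```c
/* Added example: models the domU -> dom0 antigen ring described in the text.
 * Shared memory, grant tables and event channels are simulated with plain C;
 * the antigen layout and RING_SLOTS are assumptions for illustration only. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define RING_SLOTS 8u            /* power of two, like Xen's shared rings */

typedef struct {
    uint32_t pid;                /* guest process the antigen came from */
    uint32_t syscall_nr;         /* system call number in the sequence */
    int32_t  danger;             /* danger-signal level sampled alongside */
} antigen_t;

typedef struct {
    volatile uint32_t prod;      /* advanced by domU only */
    volatile uint32_t cons;      /* advanced by dom0 only */
    antigen_t slots[RING_SLOTS];
} ring_t;

static unsigned long notifications;   /* event-channel kicks sent by domU */

static int ring_empty(const ring_t *r) { return r->prod == r->cons; }
static int ring_full(const ring_t *r)  { return r->prod - r->cons == RING_SLOTS; }

/* domU side. Returns 0 on success, -1 if the ring is full (back-pressure:
 * the producer must retry later rather than overwrite unread antigens). */
int ring_push(ring_t *r, const antigen_t *a)
{
    if (ring_full(r))
        return -1;
    int was_empty = ring_empty(r);
    r->slots[r->prod & (RING_SLOTS - 1)] = *a;
    /* A real shared ring needs a write barrier here before publishing prod. */
    r->prod++;
    if (was_empty)
        notifications++;         /* only an empty -> non-empty transition kicks dom0 */
    return 0;
}

/* dom0 side. Returns 1 if an antigen was consumed, 0 if the ring was empty. */
int ring_pop(ring_t *r, antigen_t *out)
{
    if (ring_empty(r))
        return 0;
    *out = r->slots[r->cons & (RING_SLOTS - 1)];
    r->cons++;
    return 1;
}

/* Push n antigens, letting dom0 drain the ring after every 'batch' pushes
 * (dom0 keeps reading while data is present, so it needs no further kicks).
 * Returns the number of notifications the burst required; *dropped receives
 * the number of pushes refused because the ring was full. */
unsigned long simulate_burst(unsigned n, unsigned batch, unsigned *dropped)
{
    ring_t r;
    antigen_t a = { .pid = 4242, .syscall_nr = 0, .danger = 0 }, out;
    unsigned refused = 0;

    memset(&r, 0, sizeof r);
    notifications = 0;
    for (unsigned i = 0; i < n; i++) {
        a.syscall_nr = i;
        if (ring_push(&r, &a) != 0)
            refused++;
        if ((i + 1) % batch == 0)
            while (ring_pop(&r, &out))
                ;                /* dom0 drains everything it finds */
    }
    if (dropped)
        *dropped = refused;
    return notifications;
}

/* Convenience wrapper: how many pushes a burst lost to a full ring. */
unsigned burst_dropped(unsigned n, unsigned batch)
{
    unsigned d = 0;
    simulate_burst(n, batch, &d);
    return d;
}

int main(void)
{
    unsigned d;
    unsigned long k;
    k = simulate_burst(16, 1, &d);  printf("batch=1 : %lu kicks\n", k);
    k = simulate_burst(16, 4, &d);  printf("batch=4 : %lu kicks\n", k);
    k = simulate_burst(16, 16, &d); printf("batch=16: %lu kicks, %u pushes refused\n", k, d);
    return 0;
}
```

With a consumer that wakes every 4 pushes, 16 antigens cost 4 notifications instead of 16; with a consumer that sleeps for the whole burst, a single notification suffices but half the antigens are refused once the 8-slot ring fills. That second case is the caveat a practitioner should keep in mind: a slow dom0 does not make the scheme unsafe (nothing is overwritten), but antigens are lost unless the producer retries, and an attacker who can flood system calls can exploit that to push detection data out of the window.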

Then we test the impact of IB-IDS on computation-intensive applications. In our tests we used the SPEC (Standard Performance Evaluation Corporation) CPU2000 benchmark suite [20]. It has two parts: CINT2000, for integer computation-intensive applications, and CFP2000, for floating-point applications. We chose CINT2000, which has 12 applications, and randomly selected five of them for testing; Table 2 gives a brief introduction.

Table 2: Illustrations of the tested computation-intensive programs.

Program      Meaning
164.gzip     Compression and decompression of a set of files
175.vpr      Placement and routing of a field-programmable gate array circuit according to specific algorithms
186.crafty   Chess program that finds the next move given the board layout
252.eon      Probabilistic ray tracing used to create a 3D object image
254.gap      Solving correlation analysis and calculation problems of discrete mathematics

Figure 10 shows the contrast between the five benchmarks with IB-IDS loaded and unloaded. As can be seen from the figure, the computation time in dom1 is longer than on the original system; the average increase is 9.12%, up to 11.48% on the 254.gap program. Compared with the parallel programs, the influence of IB-IDS on the virtual machine is larger, but it is still within an acceptable range, so IB-IDS can be integrated in the computation-intensive scenario of cloud computing.

At last we test the impact of IB-IDS on a web server. In our tests domU runs a web server composed of the Apache HTTP server and PHP. We use the httperf tool [21] to generate continuous network requests that can overload the server. Using the autobench tool [22] we run httperf many times, increasing the number of requests per second each time, and extract the httperf results. Figure 11 shows the contrast of server response times with IB-IDS loaded and unloaded. As can be seen, as the HTTP request rate increases, the response time of the server with IB-IDS introduced rises. At an HTTP request rate of 100, the increase is less than 0.5 s, which is acceptable. Therefore IB-IDS can also be applied on a cloud computing platform where a web server is deployed.

Figure 10: Testing of computation-intensive programs (compute time in s for 164.gzip, 175.vpr, 186.crafty, 252.eon, and 254.gap, with and without IB-IDS).

4.3. Comparisons of Detection Rates and False Alarm Rates. This section tests the ability of IB-IDS to detect attacks. The experiments adopt the detection rate (DR) and false alarm rate (FAR) to measure the effectiveness of the system and compare it with the ARTIS model (Glickman et al. [17]). As a general computer immune system, ARTIS has the characteristics of diversity, distribution, dynamic learning, adaptability, and self-monitoring. It consists of a series of lymph nodes, each of which independently completes the immune function. Each node contains multiple detectors (a detector blends the nature of B cells, T cells, and antibodies). ARTIS draws on a variety of biological immune mechanisms, and costimulation together with the dynamic evolution of detectors (immature, mature, and memory ones) keeps it learning continuously. The model has been successfully applied to intrusion detection, virus identification, pattern recognition, and so forth [17, 23]. Figure 12 shows the life cycle of detectors.

Figures 13 and 14 show comparisons of DR and FAR for IB-IDS and ARTIS in the simulation environment. In Figure 13 the experiments adopt data with 60 nonselves in every 100 antigens, 30 of which have only just been confirmed as nonself; that is, this type of antigen was previously considered self (a normal procedure) and is now considered nonself (an abnormal procedure), for example, when a process under attack is unloaded immediately and stops providing the related services. In Figure 14 the experiments adopt data with 40 selves in every 100 antigens, 20 of which have only just been defined, for example, when new processes are loaded to provide new services. The experimental results show that IB-IDS has a higher DR and a lower FAR.

Figure 11: Testing of web server load (response time in ms versus request rate 0 to 100, with and without IB-IDS).

Then we adopt the wu-ftpd 2.6.0 program, the sendmail 8.12.0 program, and some typical Linux rootkits, which are widely used as anomaly detection test applications. Attacks against wu-ftpd include the scripted attack on the file name matching vulnerability, the attack that gets around access restrictions, the scripted attack on the site exec vulnerability, and so on. Attacks against sendmail include the sccp attack, the decode attack, the remote buffer overflow attack, and so on. Representative rootkits include the simple hook rootkit, the inline hook rootkit, and the inline hook complex rootkit. A simple hook rootkit modifies a system call function's entry address (its system call table entry) so that it points to a malicious function; when the corresponding system call is invoked, the malicious function executes instead of the original system call function. An inline hook rootkit does not modify the system call table entry but replaces the first few bytes of the system call function with a jump instruction; compared with the simple hook rootkit, it is more subtle. An inline hook complex rootkit does not replace the first bytes of the system call function with the jump but some other few bytes, for example, bytes in the middle of the function. Table 3 lists the DRs and FARs of IB-IDS and ARTIS, with variances in parentheses. As can be seen from the table, IB-IDS has high detection rates and low false alarm rates under the various attacks and is feasible for judging applications in client virtual machines.

Figure 12: The life cycle of detectors in ARTIS. Randomly generated detectors start as immature detectors; an immature detector that matches self dies, and one that does not match self becomes a mature detector; a mature detector that matches enough antigens is activated and, with costimulation, becomes a memory detector, while without costimulation, or when it is too old, it dies.

Figure 13: Comparisons of DR for IB-IDS and ARTIS (detection rate in % versus time, 5 to 50).
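The three rootkit classes just described differ only in where they tamper: the system call table entry, the first bytes of the handler, or bytes further inside it. The following C program is an added illustration, not code from the paper: it shows the integrity checks an out-of-VM monitor holding a known-good baseline could run to tell the three apart. The table entry address, the handler bytes, and the x86-64 jump patterns it recognises are constructed sample data and assumptions for the example; it reads no real kernel memory.

```c
/* Added example: classify a system call slot against a known-good baseline
 * into the three hook rootkit classes described in the text.  All "kernel"
 * data here is constructed sample data held in ordinary arrays. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum hook_class { HOOK_NONE = 0, HOOK_SIMPLE, HOOK_INLINE, HOOK_INLINE_COMPLEX };

#define BODY_LEN 24u             /* bytes of handler text we baseline (assumption) */

/* x86-64 sequences an inline hook typically plants at the patch point:
 * JMP rel32 (E9 xx xx xx xx), JMP [RIP+disp32] (FF 25 ...),
 * MOV RAX, imm64 ; JMP RAX (48 B8 <8 bytes> FF E0). */
static int looks_like_jump(const uint8_t *p, size_t n)
{
    if (n >= 5 && p[0] == 0xE9) return 1;
    if (n >= 6 && p[0] == 0xFF && p[1] == 0x25) return 1;
    if (n >= 12 && p[0] == 0x48 && p[1] == 0xB8 && p[10] == 0xFF && p[11] == 0xE0) return 1;
    return 0;
}

/* First offset at which the current handler text deviates from the
 * baseline, or -1 if the text is unchanged. */
long patch_offset(const uint8_t *baseline, const uint8_t *cur, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (baseline[i] != cur[i])
            return (long)i;
    return -1;
}

/* base_entry/cur_entry: the syscall table slot at baseline time and now.
 * base_body/cur_body: the first n bytes of the handler the slot pointed to. */
enum hook_class classify(uint64_t base_entry, uint64_t cur_entry,
                         const uint8_t *base_body, const uint8_t *cur_body, size_t n)
{
    if (base_entry != cur_entry)
        return HOOK_SIMPLE;                  /* table entry redirected elsewhere */
    long off = patch_offset(base_body, cur_body, n);
    if (off < 0)
        return HOOK_NONE;
    if (off == 0 && looks_like_jump(cur_body, n))
        return HOOK_INLINE;                  /* prologue overwritten with a jump */
    return HOOK_INLINE_COMPLEX;              /* patched past the prologue, or with a non-jump */
}

/* ---- constructed sample data (not real kernel contents) ---- */
static const uint64_t BASE_ENTRY = 0xffffffff811c2a40ULL;   /* made-up handler address */
static const uint8_t clean_body[BODY_LEN] = {              /* prologue-like bytes */
    0x55, 0x48, 0x89, 0xE5, 0x41, 0x54, 0x53, 0x48,
    0x83, 0xEC, 0x10, 0x48, 0x8B, 0x47, 0x08, 0x48,
    0x85, 0xC0, 0x74, 0x05, 0xE8, 0x00, 0x00, 0x00
};

/* Scenario 0: clean. 1: simple hook (table entry redirected into a module).
 * 2: inline hook (JMP rel32 over the first 5 bytes).
 * 3: inline complex hook (the same JMP buried at offset 11). */
static void build_scenario(int which, uint64_t *entry, uint8_t *cur)
{
    static const uint8_t jmp_rel32[5] = { 0xE9, 0x10, 0x20, 0x00, 0x00 };
    *entry = BASE_ENTRY;
    memcpy(cur, clean_body, BODY_LEN);
    switch (which) {
    case 1: *entry = 0xffffffffc0a01000ULL; break;
    case 2: memcpy(cur, jmp_rel32, 5); break;
    case 3: memcpy(cur + 11, jmp_rel32, 5); break;
    default: break;
    }
}

enum hook_class run_scenario(int which)
{
    uint8_t cur[BODY_LEN];
    uint64_t entry;
    build_scenario(which, &entry, cur);
    return classify(BASE_ENTRY, entry, clean_body, cur, BODY_LEN);
}

long scenario_patch_offset(int which)
{
    uint8_t cur[BODY_LEN];
    uint64_t entry;
    build_scenario(which, &entry, cur);
    return patch_offset(clean_body, cur, BODY_LEN);
}

int main(void)
{
    static const char *names[] = { "clean", "simple hook", "inline hook", "inline hook complex" };
    for (int i = 0; i < 4; i++)
        printf("scenario %d -> %s (first patched byte: %ld)\n",
               i, names[run_scenario(i)], scenario_patch_offset(i));
    return 0;
}
```

Two points follow from the code. A monitor that keeps only a hash of the handler text still catches classes 2 and 3 but cannot say where the patch is; keeping the baseline bytes is what lets it distinguish them, and is also why the complex variant is harder for sequence-based detectors (the entry and the prologue both look normal). And the baseline itself must live where the rootkit cannot write, which is the reason the paper places the monitoring side in dom0 and the VMM rather than in the guest.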

5. Conclusions

Cloud computing platforms are usually based on virtual machines as the underlying architecture; the security of virtual machine systems is the core of cloud computing security.

Figure 14: Comparisons of FAR for IB-IDS and ARTIS (false alarm rate in % versus time, 5 to 50).

Current studies on the security of user programs and on vulnerabilities of virtual machine monitors cannot accurately judge the real state of a client application in the virtual machine. At the same time, the proposed defense methods target only specific attacks and vulnerabilities and cannot effectively deal with other attacks. This paper presents an immune-based intrusion detection model for virtual machines in the cloud computing environment to ensure the safety of user-level applications in client virtual machines. The model extracts system call sequences and their parameters from programs and abstracts them into antigens, fuses environmental information of the guest virtual machines into danger signals in the client VMs, and then performs immune responses in the privileged VM. During the detection process the information monitoring mechanism is executed in the VMM. Experimental results show that the model brings a small performance overhead to the virtual machine system and has good detection performance. It is applicable for judging the state of user-level applications in guest virtual machines, and it is feasible to use it to increase user-level security in the software services of a cloud computing platform.

Table 3: Detection results (DR and FAR in %, variances in parentheses).

Process / attack                                 ARTIS DR       ARTIS FAR      IB-IDS DR      IB-IDS FAR
wu-ftpd
  file name matching vulnerability               76.12 (5.11)   10.28 (4.17)   96.55 (1.14)   7.22 (1.22)
  site exec vulnerability                        79.87 (2.45)    9.87 (5.32)   97.31 (1.23)   6.65 (2.01)
  attack of getting around access restrictions   77.54 (4.77)   12.75 (3.74)   97.02 (1.08)   7.43 (1.67)
sendmail
  sccp attack                                    74.52 (3.56)   14.62 (3.41)   98.11 (1.25)   5.15 (1.63)
  decode attack                                  81.21 (4.84)   15.72 (3.87)   98.35 (1.01)   5.42 (1.69)
  remote buffer overflow attack                  82.45 (5.46)   12.84 (5.63)   98.78 (1.14)   5.80 (1.28)
rootkit
  simple hook rootkit                            85.15 (5.16)    9.41 (4.12)   99.99 (0)      0 (0)
  inline hook rootkit                            82.45 (6.82)   10.75 (8.20)   99.99 (0)      0 (0)
  inline hook complex rootkit                    75.14 (5.23)    9.56 (6.77)   95.84 (2.42)   3.78 (2.89)

Conflicts of Interest

The authors declare that there are no conflicts of interest.

Acknowledgments

The authors would like to acknowledge the Sichuan Agricultural University Double Support Project for providing financial aid.

References

[1] A. Haeberlen, P. Aditya, R. Rodrigues, and P. Druschel, "Accountable Virtual Machines," in Proceedings of the 9th USENIX Symposium on Operating Systems Design and Implementation (OSDI '10), 2010.

[2] B. D. Payne, M. Carbone, M. Sharif, and W. Lee, "Lares: An architecture for secure active monitoring using virtualization," in Proceedings of the 2008 IEEE Symposium on Security and Privacy (SP), pp. 233–247, Oakland, Calif., USA, May 2008.

[3] M. I. Sharif, W. Lee, W. Cui, and A. Lanzi, "Secure in-VM monitoring using hardware virtualization," in Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS '09), pp. 477–487, Chicago, Ill., USA, November 2009.

[4] Z. Wang, X. Jiang, W. Cui, and P. Ning, "Countering kernel rootkits with lightweight hook protection," in Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS '09), pp. 545–554, Chicago, Ill., USA, November 2009.

[5] O. S. Hofmann, A. M. Dunn, S. Kim, I. Roy, and E. Witchel, "Ensuring operating system kernel integrity with OSck," in Proceedings of the 16th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS 2011), pp. 279–290, Newport Beach, Calif., USA, March 2011.

[6] A. Baliga, V. Ganapathy, and L. Iftode, "Detecting kernel-level rootkits using data structure invariants," IEEE Transactions on Dependable and Secure Computing, vol. 8, no. 5, pp. 670–684, 2011.

[7] S. Bharadwaja, W. Sun, M. Niamat, and F. Shen, "Collabra: A Xen hypervisor based collaborative intrusion detection system," in Proceedings of the 2011 8th International Conference on Information Technology: New Generations (ITNG 2011), pp. 695–700, Las Vegas, NV, USA, April 2011.

[8] A. Srivastava, A. Lanzi, J. Giffin, and D. Balzarotti, "Operating system interface obfuscation and the revealing of hidden operations," Lecture Notes in Computer Science, vol. 6739, pp. 214–233, 2011.

[9] J. Szefer, E. Keller, R. B. Lee, and J. Rexford, "Eliminating the hypervisor attack surface for a more secure cloud," in Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS '11), pp. 401–412, Chicago, Ill., USA, October 2011.

[10] H. Benzina and J. Goubault-Larrecq, "Some ideas on virtualized system security, and monitors," in Data Privacy Management and Autonomous Spontaneous Security, vol. 6514 of Lecture Notes in Computer Science, pp. 244–258, Springer, Berlin, Heidelberg, Germany, 2011.

[11] L. Wang, H. Gao, W. Liu, and Y. Peng, "Detecting and managing hidden process via hypervisor," Jisuanji Yanjiu yu Fazhan / Computer Research and Development, vol. 48, no. 8, pp. 1534–1541, 2011.

[12] P. Barham, B. Dragovic, K. Fraser et al., "Xen and the art of virtualization," in Proceedings of the 19th ACM Symposium on Operating Systems Principles (SOSP '03), pp. 164–177, New York, NY, USA, October 2003.

[13] D. Chisnall, The Definitive Guide to the Xen Hypervisor, Prentice Hall Press, Upper Saddle River, NJ, USA, 2007.

[14] S. Forrest, A. Perelson, L. Allen, and R. Cherukuri, "Self-nonself discrimination in a computer," in Proceedings of the 1994 IEEE Computer Society Symposium on Research in Security and Privacy, pp. 202–212, Oakland, Calif., USA, 1994.

[15] D.-Y. Li, C.-Y. Liu, Y. Du, and X. Han, "Artificial intelligence with uncertainty," Journal of Software, vol. 15, no. 11, article 2, 2004.

[16] P. D'haeseleer, S. Forrest, and P. Helman, "An immunological approach to change detection: algorithms, analysis and implications," in Proceedings of the 1996 IEEE Symposium on Security and Privacy, pp. 110–119, Oakland, Calif., USA, 1996.

[17] M. Glickman, J. Balthrop, and S. Forrest, "A machine learning evaluation of an artificial immune system," Evolutionary Computation, vol. 13, no. 2, pp. 179–212, 2005.

[18] S. Woo, M. Ohara, E. Torrie, J. Singh, and A. Gupta, "The SPLASH-2 programs: characterization and methodological considerations," in Proceedings of the 22nd Annual International Symposium on Computer Architecture, pp. 24–36, Santa Margherita Ligure, Italy, 1995.

[19] J. P. Singh, W. Weber, and A. Gupta, "SPLASH," ACM SIGARCH Computer Architecture News, vol. 20, no. 1, pp. 5–44, 1992.

[20] Standard Performance Evaluation Corporation, http://www.spec.org/.

[21] httperf, http://www.hpl.hp.com/research/linux/httperf/.

[22] autobench, http://www.xenoclast.org/autobench/.

[23] J. Balthrop, S. Forrest, M. E. J. Newman, and M. M. Williamson, "Technological networks and the spread of computer viruses," Science, vol. 304, no. 5670, pp. 527–529, 2004.


Mobile Information Systems 11

Table 1 Illustrations of tested parallel programs

Program names Meanings Parameter settingsFFT Computing a fast Fourier transform 119898 = 22 p = 2 119899 = 65536 l = 4

LUSplitting a sparse matrix into a product of a

lower triangular matrix and an uppertriangular matrix

119901 = 2 119899 = 2048 119887 = 16

OceanSimulating movements of an entire oceanthrough the edge of the ocean currents

(noncontiguous block allocation method)119901 = 4 119899 = 258 119905 = 380 119890 = 1119890 ndash 09

Raytrace Path simulation of lights 119901 = 4 envfile = ball4

Barnes Simulating a three-dimensional multibodysystem (eg galaxies) 119901 = 2 fleaves =2

No IB-IDSWith IB-IDS

0500

100015002000250030003500400045005000

Com

pute

tim

e (m

s)

LU Ocean Raytrace BarnesFFT

Figure 9 Testing of parallel programs

some performance cost In cloud computing many applica-tions are executed concurrentlyTherefore this section firstlyuses the appropriate performance test to assess the impact ofIB-IDS on parallel programs In our tests we used the classicSPLASH-2 program group [18 19] The programs are writtenin C are composed of 12 benchmarks and use PThreadparallel modeWe randomly select five procedures for testingand Table 1 gives a brief introduction

Figure 9 shows contrasts of the five benchmarks betweenloading IB-IDS and unloading IB-IDS As can be seen fromthe figure the calculation time of dom1 is longer than theoriginal system and the average increased time is 733 upto 1086 on LU program which indicates that the additionalcost of virtual machine system with integrated IB-IDS isvery small and in the acceptable range Applying IB-IDS tocloud computing platforms will not have significant impacton parallel applications

In IB-IDS the main performance overhead of domU isfrom antigen presenting module and signal acquisitionmodule as well as the operation of passing data to dom0through intervirtual machine communication mechanismThese acts are performed regularly and the cost is lim-ited For example antigen presenting module is a proactivemonitoring program on system call sequence and is not

triggered by every system call Signal acquisition module isthe same Through the event channel domU puts antigensand environmental status into the ring buffer and only if thering buffer is empty it will notify dom0 which will cause acontext switch between domU and dom0 If there is datain the ring buffer Dom0 would have been kept readingand domUrsquos notification is not required So the overhead ofcontext switching is limited In addition implementations ofimmune response module signal measurement module andinformation monitoring module will increase performanceoverhead of dom0 and the impact on domU can be ignored

Then we test the impact of IB-IDS on computationintensive applications In our tests we used set of benchmarkprograms SPEC (Standard Performance Evaluation Corpo-ration) CPU2000 [20] The programs include two parts Oneis CINT2000 against integer computation intensive appli-cations The other is CFP2000 against float applicationsWe choose CINT2000 which has 12 applications And werandomly select five procedures for testing and Table 2 givesa brief introduction

Figure 10 shows contrasts of the five benchmarks whenloading IB-IDS and unloading IB-IDS As can be seen fromthe figure the calculation time of dom1 is longer than theoriginal system and the average increased time is 912up to 1148 on 254gap program Compared with parallelprograms the influence of IB-IDS on the virtual machine islarger but it is still in the acceptable range So IB-IDS can beintegrated in the computation intensive program scenario ofcloud computing

At last we test the impact of IB-IDS on web server In ourtests DomU runs the web server and is composed of apachehttp server and PHP We use the httperf tool [21] to generatecontinuous network requests that can cause the server to beoverloaded Using autobench tool [22] we can run httperffor many times increase the number of requests per secondand extract the output of httperf results Figure 11 showscontrasts of server responses when loading IB-IDS andunloading IB-IDS As can be seen when the frequency ofHTTP request increases the response time of the server afterthe introduction of IB-IDS rises When the HTTP requestfrequency is 100 the increased time is less than 05 s which isacceptable Therefore in the cloud computing platform withthe deployment of a web server IB-IDS system can also beapplied

12 Mobile Information Systems

Table 2: Illustrations of tested computation-intensive programs

Program name | Meaning
164.gzip     | The compression and decompression operations of a set of files
175.vpr      | According to specific algorithms, placement and routing operations for a field-programmable gate array circuit
186.crafty   | Chess program that finds the next move in view of the board layout
252.eon      | Probabilistic ray tracing used to create a 3D object image
254.gap      | Solving problems of correlation analysis and calculation in discrete mathematics

Figure 10: Testing of computation-intensive programs (bar chart omitted; y-axis: compute time (s), 0 to 120; x-axis: 164.gzip, 175.vpr, 186.crafty, 252.eon, 254.gap; series: No IB-IDS, With IB-IDS).

Figure 11: Testing of web server load (line chart omitted; x-axis: request rate, 0 to 100; y-axis: response time (ms), 0 to 4500; series: No IB-IDS, With IB-IDS).

4.3. Comparisons of Detection Rates and False Alarm Rates

This section tests the ability of IB-IDS to detect attacks. Experiments adopt the detection rate (DR) and false alarm rate (FAR) to measure the effectiveness of the system and to compare it with the ARTIS model proposed by Glickman et al. [17]. As a general computer immune system, the model has the characteristics of diversity, distribution, dynamic learning, adaptability, and self-monitoring. It consists of a series of lymph nodes, and each node independently completes the immune function. Each node contains multiple detectors (a detector is a blend of the nature of B cells, T cells, and antibodies). The ARTIS model draws on a variety of biological immune mechanisms, and coordinated stimulus and the dynamic evolution of detectors (immature ones, mature ones, and memory ones) make it learn continuously. The model has been successfully applied in intrusion detection, virus identification, pattern recognition, and so forth [17, 23]. Figure 12 shows the life cycle of detectors.

Figures 13 and 14 show comparisons of DR and FAR for IB-IDS and ARTIS in the simulation environment. In Figure 13, experiments adopt data with 60 nonselves in every 100 antigens, where 30 nonselves are just confirmed. This means that previously this type of antigen was considered to be self (normal procedure) and is now thought of as nonself (abnormal procedure); for example, some attack process is unloaded instantly and stops providing related services. In Figure 14, experiments adopt data with 40 selves in every 100 antigens, where 20 nonselves are just defined; for example, some new processes are loaded to provide new services. Experimental results show that IB-IDS has higher DR and lower FAR.
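To make the detector life cycle of Figure 12 and the DR/FAR measures concrete, the following is an added example; it is neither the ARTIS implementation nor the authors' code. It assumes the r-contiguous-bits match rule of Forrest et al. [14] for detector-antigen matching (the paper does not say which rule its simulation uses), and the Detector class, its threshold and age parameters, and the self strings are assumptions or constructed data.

```python
import random
from enum import Enum


class State(Enum):
    IMMATURE = "immature"
    MATURE = "mature"
    MEMORY = "memory"
    DEAD = "dead"


def r_contiguous_match(a, b, r):
    """Assumed match rule (r-contiguous bits, Forrest et al. [14]): two equal-length
    bit strings match if they agree in at least r adjacent positions."""
    run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        if run >= r:
            return True
    return False


class Detector:
    """One detector walking the states and edges of Figure 12 (assumed class)."""

    def __init__(self, pattern, r=4, activation_threshold=3, max_age=50):
        self.pattern = pattern
        self.r = r
        self.threshold = activation_threshold   # "match enough" -> activate
        self.max_age = max_age                  # "too old" -> dead
        self.state = State.IMMATURE
        self.matches = 0
        self.age = 0

    def tolerize(self, selves):
        """Immature phase: matching any self string kills the detector ("match selves");
        a detector that matches no self becomes mature ("not match selves")."""
        if self.state is State.IMMATURE:
            hit = any(r_contiguous_match(self.pattern, s, self.r) for s in selves)
            self.state = State.DEAD if hit else State.MATURE
        return self.state

    def observe(self, antigen):
        """Mature/memory phase. Returns True when the detector raises an alarm on this
        antigen: a memory detector fires on any match, a mature one only after it has
        matched `threshold` antigens; a mature detector that never activates ages out."""
        if self.state in (State.IMMATURE, State.DEAD):
            return False
        self.age += 1
        if self.state is State.MATURE and self.age > self.max_age:
            self.state = State.DEAD
            return False
        matched = r_contiguous_match(self.pattern, antigen, self.r)
        if self.state is State.MEMORY:
            return matched
        if matched:
            self.matches += 1
        return self.matches >= self.threshold

    def costimulate(self, confirmed):
        """Second signal after activation: confirmation ("costimulation") promotes the
        mature detector to memory; its absence ("no co-stimulation") kills it."""
        if self.state is State.MATURE and self.matches >= self.threshold:
            self.state = State.MEMORY if confirmed else State.DEAD
        return self.state


def mature_repertoire(selves, count, length, r, seed=0):
    """Randomly generate `count` candidate detectors (constructed bit strings) and
    return those that survive tolerization against `selves`."""
    rng = random.Random(seed)
    survivors = []
    for _ in range(count):
        d = Detector("".join(rng.choice("01") for _ in range(length)), r=r)
        if d.tolerize(selves) is State.MATURE:
            survivors.append(d)
    return survivors


def detection_rates(alarms, is_nonself):
    """DR = alarmed nonself antigens / all nonself antigens;
    FAR = alarmed self antigens / all self antigens (both as fractions)."""
    nonself = [a for a, n in zip(alarms, is_nonself) if n]
    selves = [a for a, n in zip(alarms, is_nonself) if not n]
    dr = sum(nonself) / len(nonself) if nonself else 0.0
    far = sum(selves) / len(selves) if selves else 0.0
    return dr, far


if __name__ == "__main__":
    SELVES = ["00110011", "11001100", "00001111"]        # constructed normal profiles
    d = Detector("10101010", r=4, activation_threshold=2)
    trace = [d.tolerize(SELVES).value]
    for antigen in ["10101111", "00001010", "11111111"]:  # constructed antigens
        trace.append((antigen, d.observe(antigen)))
    trace.append(d.costimulate(True).value)
    print(trace)
    print(len(mature_repertoire(SELVES, 40, 8, 4, seed=7)), "of 40 candidates survived tolerization")
```

The "just confirmed" and "just defined" antigens of Figures 13 and 14 correspond to changing the `selves` list between tolerization rounds: a process newly treated as nonself stops appearing in `selves`, so detectors covering it survive tolerization from then on, while a newly loaded service adds strings to `selves` and kills the detectors that would have alarmed on it.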

Figure 12: The life cycle of detectors in ARTIS (diagram omitted). States: randomly generated detectors, immature detectors, mature detectors, memory detectors, dead. Transition labels: not match selves, match selves, match antigens, match enough, activate, costimulation, no co-stimulation, too old. Detectors are drawn as binary strings (e.g., 01111111010000, 110101).

Figure 13: Comparisons of DR for IB-IDS and ARTIS (line chart omitted; x-axis: time, 5 to 50; y-axis: detection rate (%), 0 to 100; series: ARTIS, IB-IDS).

Then we adopt the wu-ftpd 2.6.0 program, the sendmail 8.12.0 program, and some typical rootkits in Linux, which are widely deployed as anomaly detection applications. Attacks against wu-ftpd are the scripting attack on the file name matching vulnerability, the attack of getting around access restrictions, the scripting attack on the site exec vulnerability, and so on. Attacks against sendmail are the sccp attack, the decode attack, the remote buffer overflow attack, and so on. Some of the representative rootkits include the simple hook rootkit, the inline hook rootkit, the inline hook complex rootkit, and so on. Simple hook rootkit: a rootkit of this type modifies the system call function's entry address to point to a malicious function; when the corresponding system call is called, the malicious function is executed instead of the original system call function. Inline hook rootkit: a rootkit of this type does not modify the system call table entry address but replaces a few bytes at the beginning of the system call function with a jump statement; compared with the simple hook rootkit, this rootkit is more subtle. Inline hook complex rootkit: a rootkit of this type does not replace the first bytes of the system call function with jump statements but other bytes, for example, bytes in the middle. Table 3 lists the DRs and FARs of IB-IDS and ARTIS, with variances in parentheses. As can be seen from the table, IB-IDS has high detection rates and low false alarm rates under various attacks and is feasible for judging applications in client virtual machines.
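The three hook footprints described above differ in what they leave changed, which is what an out-of-VM integrity check can key on. The following is an added example, not the paper's information monitoring module and not real kernel code: a trusted baseline records each system call's table entry address, the hash of its prologue bytes, and the hash of its whole body, and a later snapshot is classified by which of the three differs. The addresses, byte patterns, eight-byte prologue length, and function names are constructed or assumed.

```python
import hashlib

PROLOGUE_LEN = 8   # assumption: leading bytes treated as the function prologue


def _digest(data):
    return hashlib.sha256(data).hexdigest()


def snapshot_baseline(table, code):
    """Record, for each system call: its table entry address, the hash of its
    prologue bytes, and the hash of its whole body. The baseline must come from
    a trusted state, e.g. taken by a monitor outside the guest right after boot."""
    return {name: (table[name], _digest(code[name][:PROLOGUE_LEN]), _digest(code[name]))
            for name in table}


def classify_hooks(baseline, table, code):
    """Compare a later snapshot with the baseline and name, for each deviating
    system call, the hook class whose footprint the text describes."""
    findings = {}
    for name, (addr0, prologue0, body0) in baseline.items():
        body = code.get(name, b"")
        if table.get(name) != addr0:
            findings[name] = "simple hook: syscall table entry address changed"
        elif _digest(body[:PROLOGUE_LEN]) != prologue0:
            findings[name] = "inline hook: function prologue bytes changed"
        elif _digest(body) != body0:
            findings[name] = "inline hook complex: bytes changed past the prologue"
    return findings


# --- constructed sample data (not real kernel addresses or code) -------------
CLEAN_TABLE = {"sys_open": 0xC0101000, "sys_read": 0xC0102000,
               "sys_write": 0xC0103000, "sys_close": 0xC0104000}
CLEAN_CODE = {name: bytes((i * 7 + j) % 256 for j in range(32))
              for i, name in enumerate(CLEAN_TABLE)}


def tampered_snapshot():
    """Constructed later snapshot reproducing the three footprints from the text
    (only bytes and one address are altered; no real hook code is involved)."""
    table = dict(CLEAN_TABLE)
    code = dict(CLEAN_CODE)
    table["sys_open"] = 0xDEAD0000                                 # entry redirected
    code["sys_read"] = b"\xff" * 5 + CLEAN_CODE["sys_read"][5:]    # first bytes altered
    code["sys_write"] = (CLEAN_CODE["sys_write"][:16] + b"\xff" * 5
                         + CLEAN_CODE["sys_write"][21:])           # mid-body bytes altered
    return table, code


def demo():
    baseline = snapshot_baseline(CLEAN_TABLE, CLEAN_CODE)
    table, code = tampered_snapshot()
    return classify_hooks(baseline, table, code)


if __name__ == "__main__":
    for name, finding in demo().items():
        print(f"{name}: {finding}")
```

Two design points follow from the page's own ranking of the three classes. A check that only compares table entries catches the simple hook and nothing else, and one that also hashes the prologue still misses the complex variant, so the whole body must be hashed; and the baseline and the comparison must both run outside the guest, as the paper's monitoring mechanism in the VMM does, because an in-guest baseline can be rewritten by the same code that installs the hook.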

Figure 14: Comparisons of FAR for IB-IDS and ARTIS (line chart omitted; x-axis: time, 5 to 50; y-axis: false alarm rate (%), 0 to 100; series: ARTIS, IB-IDS).

Table 3: Detection results (variances in parentheses)

Processes                                      | ARTIS DR     | ARTIS FAR    | IB-IDS DR    | IB-IDS FAR
wu-ftpd                                        |              |              |              |
  file name matching vulnerability             | 76.12 (5.11) | 10.28 (4.17) | 96.55 (1.14) | 7.22 (1.22)
  site exec vulnerability                      | 79.87 (2.45) | 9.87 (5.32)  | 97.31 (1.23) | 6.65 (2.01)
  attack of getting around access restrictions | 77.54 (4.77) | 12.75 (3.74) | 97.02 (1.08) | 7.43 (1.67)
sendmail                                       |              |              |              |
  sccp attack                                  | 74.52 (3.56) | 14.62 (3.41) | 98.11 (1.25) | 5.15 (1.63)
  decode attack                                | 81.21 (4.84) | 15.72 (3.87) | 98.35 (1.01) | 5.42 (1.69)
  remote buffer overflow attack                | 82.45 (5.46) | 12.84 (5.63) | 98.78 (1.14) | 5.80 (1.28)
rootkit                                        |              |              |              |
  simple hook rootkit                          | 85.15 (5.16) | 9.41 (4.12)  | 99.99 (0)    | 0 (0)
  inline hook rootkit                          | 82.45 (6.82) | 10.75 (8.20) | 99.99 (0)    | 0 (0)
  inline hook complex rootkit                  | 75.14 (5.23) | 9.56 (6.77)  | 95.84 (2.42) | 3.78 (2.89)

5. Conclusions

Cloud computing platforms are usually based on virtual machines as the underlying architecture; the security of virtual machine systems is the core of cloud computing security.

Current studies on the security of user programs and the vulnerabilities of virtual monitors cannot accurately judge the real state of the client application in the virtual machine. At the same time, the proposed defense methods are only for specific attacks and vulnerabilities and cannot effectively deal with threats under other attacks. This paper presents an immune-based intrusion detection model in virtual machines of the cloud computing environment to ensure the safety of user-level applications in client virtual machines. The model extracts system call sequences and their parameters of programs, abstracts them into antigens, and fuses environmental information of guest virtual machines into danger signals in client VMs. Then immune responses are performed in the privileged VM. During the detection process, the information monitoring mechanism is executed in the VMM. Experimental results show that the model brings a small performance overhead for the virtual machine system and has a good detection performance. It is applicable to judge the state of user-level applications in guest virtual machines, and it is feasible to use it to increase the user-level security in software services of cloud computing platforms.

Conflicts of Interest

The authors declare that there are no conflicts of interest.

Acknowledgments

The authors would like to acknowledge the Sichuan Agricultural University Double Support Project for providing financial aid.

References

[1] A. Haeberlen, P. Aditya, R. Rodrigues, and P. Druschel, "Accountable Virtual Machines," in Proceedings of the 9th USENIX Symposium on Operating Systems Design and Implementation (OSDI '10), 2010.

[2] B. D. Payne, M. Carbone, M. Sharif, and W. Lee, "Lares: An architecture for secure active monitoring using virtualization," in Proceedings of the 2008 IEEE Symposium on Security and Privacy (SP), pp. 233–247, Oakland, Calif, USA, May 2008.

[3] M. I. Sharif, W. Lee, W. Cui, and A. Lanzi, "Secure In-VM monitoring using hardware virtualization," in Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS '09), pp. 477–487, Chicago, Ill, USA, November 2009.

[4] Z. Wang, X. Jiang, W. Cui, and P. Ning, "Countering kernel rootkits with lightweight hook protection," in Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS '09), pp. 545–554, Chicago, Ill, USA, November 2009.

[5] O. S. Hofmann, A. M. Dunn, S. Kim, I. Roy, and E. Witchel, "Ensuring operating system kernel integrity with OSck," in Proceedings of the 16th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS 2011), pp. 279–290, Newport Beach, Calif, USA, March 2011.

[6] A. Baliga, V. Ganapathy, and L. Iftode, "Detecting kernel-level rootkits using data structure invariants," IEEE Transactions on Dependable and Secure Computing, vol. 8, no. 5, pp. 670–684, 2011.

[7] S. Bharadwaja, W. Sun, M. Niamat, and F. Shen, "Collabra: A Xen hypervisor based collaborative intrusion detection system," in Proceedings of the 2011 8th International Conference on Information Technology: New Generations (ITNG 2011), pp. 695–700, Las Vegas, NV, USA, April 2011.

[8] A. Srivastava, A. Lanzi, J. Giffin, and D. Balzarotti, "Operating system interface obfuscation and the revealing of hidden operations," Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 6739, pp. 214–233, 2011.

[9] J. Szefer, E. Keller, R. B. Lee, and J. Rexford, "Eliminating the hypervisor attack surface for a more secure cloud," in Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS '11), pp. 401–412, Chicago, Ill, USA, October 2011.

[10] H. Benzina and J. Goubault-Larrecq, "Some Ideas on Virtualized System Security, and Monitors," in Data Privacy Management and Autonomous Spontaneous Security, vol. 6514 of Lecture Notes in Computer Science, pp. 244–258, Springer, Berlin, Heidelberg, Germany, 2011.

[11] L. Wang, H. Gao, W. Liu, and Y. Peng, "Detecting and managing hidden process via hypervisor," Jisuanji Yanjiu yu Fazhan/Computer Research and Development, vol. 48, no. 8, pp. 1534–1541, 2011.

[12] P. Barham, B. Dragovic, K. Fraser et al., "Xen and the art of virtualization," in Proceedings of the 19th ACM Symposium on Operating Systems Principles (SOSP '03), pp. 164–177, New York, NY, USA, October 2003.

[13] D. Chisnall, The Definitive Guide to the Xen Hypervisor, Prentice Hall Press, Upper Saddle River, NJ, USA, 2007.

[14] S. Forrest, A. Perelson, L. Allen, and R. Cherukuri, "Self-nonself discrimination in a computer," in Proceedings of the 1994 IEEE Computer Society Symposium on Research in Security and Privacy, pp. 202–212, Oakland, Calif, USA.

[15] L. I. De-Yi, C. Y. Liu, D. U. Yi, and X. Han, "Artificial intelligence with uncertainty," Journal of Software, vol. 15, no. 11, article 2, 2004.

[16] P. D'haeseleer, S. Forrest, and P. Helman, "An immunological approach to change detection: algorithms, analysis and implications," in Proceedings of the 1996 IEEE Symposium on Security and Privacy, pp. 110–119, Oakland, Calif, USA.

[17] M. Glickman, J. Balthrop, and S. Forrest, "A machine learning evaluation of an artificial immune system," Evolutionary Computation, vol. 13, no. 2, pp. 179–212, 2005.

[18] S. Woo, M. Ohara, E. Torrie, J. Singh, and A. Gupta, "The SPLASH-2 programs: characterization and methodological considerations," in Proceedings of the 22nd Annual International Symposium on Computer Architecture, pp. 24–36, Santa Margherita Ligure, Italy.

[19] J. P. Singh, W. Weber, and A. Gupta, "SPLASH," ACM SIGARCH Computer Architecture News, vol. 20, no. 1, pp. 5–44, 1992.

[20] Standard Performance Evaluation Corporation, http://www.spec.org.

[21] httperf, http://www.hpl.hp.com/research/linux/httperf.

[22] autobench, http://www.xenoclast.org/autobench.

[23] J. Balthrop, S. Forrest, M. E. J. Newman, and M. M. Williamson, "Technological networks and the spread of computer viruses," Computer Science, vol. 304, no. 5670, pp. 527–529, 2004.

Submit your manuscripts athttpswwwhindawicom

Computer Games Technology

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Distributed Sensor Networks

International Journal of

Advances in

FuzzySystems

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014

International Journal of

ReconfigurableComputing

Hindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 201

Applied Computational Intelligence and Soft Computing

thinspAdvancesthinspinthinsp

Artificial Intelligence

HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014

Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Hindawi Publishing Corporation

httpwwwhindawicom Volume 2014

Advances in

Multimedia

International Journal of

Biomedical Imaging

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Advances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 201

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Computational Intelligence and Neuroscience

Industrial EngineeringJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Human-ComputerInteraction

Advances in

Computer EngineeringAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

12 Mobile Information Systems

Table 2 Illustrations of tested computation intensive programs

Program names Meanings164gzip The compression and decompression operations of a set of files175vpr According to specific algorithms placement and routing operations for field-programmable gate array circuit186crafty Chess programs find the next move in view of the board layout252eon Probability ray tracing used to create a 3d object image254gap Solving the problem of correlation analysis and calculation of discrete mathematics

No IB-IDSWith IB-IDS

0

20

40

60

80

100

120

Com

pute

tim

e (s)

175vpr 186crafty 252eon 254gap164gzip

Figure 10 Testing of computation intensive programs

43 Comparisons of Detection Rates and False Alarm RatesThis section will test the ability of IB-IDS for detectingattacks Experiments adopt detection rate (DR) and falsealarm rate (FAR) to measure the effectiveness of the systemand to compare with ARTIS model proposed by Glickman etal [17] As a general computer immune system themodel hascharacteristics of diversity distribution dynamic learningadaptability and self-monitoring It consists of a series oflymph nodes and each node independently completes theimmune function Each node contains multiple detectors(a detector is a blend of the nature of B cells T cells andantibodies) ARTIS model draws on a variety of biologicalimmune mechanisms and coordinated stimulus and thedynamic evolution of detectors (immature onesmature onesandmemory ones) make it continuously learningThemodelhas been successfully applied in intrusion detection virusidentification pattern recognition and so forth [17 23]Figure 12 shows the life cycle of detectors

Figures 13 and 14 show comparisons of DR and FARfor IB-IDS and ARTIS in the simulation environment InFigure 13 experiments adopt data with 60 nonselves in every100 antigens where 30 nonselves are just confirmed Thismeans that previously this type of antigen is consideredto be self (normal procedure) and is now thought of asnonself (abnormal procedure) For example unload someattack process instantly and stop providing related services InFigure 14 experiments adopt data with 40 selves in every 100antigens where 20 nonselves are just defined For example

Request rate 100806040200

0

500

1000

1500

2000

2500

3000

3500

4000

4500

Resp

onse

tim

e (m

s)

No IB-IDSWith IB-IDS

Figure 11 Testing of web server load

load some new processes to provide new services Experi-mental results show that IB-IDS has higher DR and lowerFAR

Then we adopt wu-ftpd260 program sendmail8120program and some typical rootkit in Linux which are widelydeployed as anomaly detection applications Attacks againstwu-ftpd are the scripting attack of file name matching vul-nerability the attack of getting around access restrictions thescripting attack of site exec vulnerability and so on Attacksagainst sendmail are the sccp attack decode attack remotebuffer overflow attack and so on Some of the representativerootkits include simple hook rootkit inline hook rootkitinline hook complex rootkit and so on Simple hook rootkita rootkit of this type modifies the system call functionrsquos entryaddress to a malicious function When the correspondingsystem call is called the malicious function is executedinstead of the original system call function Inline hookrootkit a rootkit of this type does not modify the system calltable entry address but will replace a few bytes of beginningsystem call function with a jump statement Comparedwith the simple hook rootkit the rootkit is more subtleInline hook complex rootkit a rootkit of this type does not

Mobile Information Systems 13

Randomly generate detectors

Immature detectors

Mature detectors

Memory detectorsDead

Activate

Not match selves

Match antigens

No co-stimulation

Match selves

Match enough

Too oldCostimulation

01111111010000 110101

Figure 12 The life cycle of detectors in ARTIS

ARTISIB-IDS

0

10

20

30

40

50

60

70

80

90

100

Det

ectio

n ra

te (

)

10 15 20 25 30 35 40 45 505Time

Figure 13 Comparisons of DR for IB-IDS and ARTIS

replace the first bytes of the system call function with jumpstatements except the other few bytes for example bytesin the middle Table 3 lists DRs and FARs of IB-IDS andARTIS and variances are in parentheses As can be seenfrom the table IB-IDS has high detection rates and low falsealarm rates under various attacks and is feasible for judgingapplications in client virtual machines

5 Conclusions

Cloud computing platforms are usually based on virtualmachines as the underlying architecture the security of vir-tual machine systems is the core of cloud computing security

ARTISIB-IDS

0

10

20

30

40

50

60

70

80

90

100

False

alar

m ra

te (

)

10 15 20 25 30 35 40 45 505Time

Figure 14 Comparisons of FAR for IB-IDS and ARTIS

Current study on security of user programs and vulnera-bilities of virtual monitors cannot accurately judge the realstate of the client application in the virtual machine At thesame time the proposed defensemethods are only for specificattacks and vulnerabilities and cannot effectively deal withthreats under other attacks This paper presents an immune-based intrusion detection model in virtual machines of thecloud computing environment to ensure safety of user-levelapplications in client virtual machines The model extractssystem call sequences and their parameters of programsabstracts them into antigens and fuses environmental infor-mation of guest virtual machines into danger signals inclient VMs Then immune responses will be performed

14 Mobile Information Systems

Table 3 Detection results

Processes ARTIS IB-IDSDR FAR DR FAR

wu-ftpdfile name matching vulnerability 7612 (511) 1028 (417) 9655 (114) 722 (122)site exec vulnerability 7987 (245) 987 (532) 9731 (123) 665 (201)attack of getting around access restrictions 7754 (477) 1275 (374) 9702 (108) 743 (167)

sendmailsccp attack 7452 (356) 1462 (341) 9811 (125) 515 (163)decode attack 8121 (484) 1572 (387) 9835 (101) 542 (169)remote buffer overflow attack 8245 (546) 1284 (563) 9878 (114) 580 (128)

rootkitsimple hook rootkit 8515 (516) 941 (412) 9999 (0) 0 (0)inline hook rootkit 8245 (682) 1075 (820) 9999 (0) 0 (0)inline hook complex rootkit 7514 (523) 956 (677) 9584 (242) 378 (289)

in the privileged VM During the detection process infor-mation monitoring mechanism will be executed in VMMExperimental results show that the model brings a smallperformance overhead for the virtual machine system andhas a good detection performance It is applicable to judgethe state of user-level application in guest virtual machineand it is feasible to use it to increase the user-level securityin software services of cloud computing platform

Conflicts of Interest

The authors declare that there are no conflicts of interest

Acknowledgments

The authors would like to acknowledge Sichuan AgriculturalUniversity Double Support Project for providing financialaid

References

[1] A Haeberlen P Aditya R Rodrigues and P DruschelldquoAccountable Virtual Machinesrdquo in Proceedings of the In 9thUSENIX Symposium on Operating Systems Design and Imple-mentation (OSDI rsquo10) 2010

[2] B D Payne M Carbone M Sharif and W Lee ldquoLares Anarchitecture for secure active monitoring using virtualizationrdquoin Proceedings of the 2008 IEEE Symposium on Security andPrivacy SP pp 233ndash247 Oakland Calif USA May 2008

[3] M I Sharif W Lee W Cui and A Lanzi ldquoSecure In-VMmonitoring using hardware virtualizationrdquo in Proceedings ofthe 16th ACM Conference on Computer and CommunicationsSecurity CCSrsquo09 pp 477ndash487 Chicago Illi USA November2009

[4] Z Wang X Jiang W Cui and P Ning ldquoCountering kernelrootkits with lightweight hook protectionrdquo in Proceedings ofthe 16th ACM Conference on Computer and CommunicationsSecurity CCSrsquo09 pp 545ndash554 Chicago Ill USA November2009

[5] O S Hofmann A M Dunn S Kim I Roy and E WitchelldquoEnsuring operating system kernel integrity with OSckrdquo inProceedings of the 16th International Conference on ArchitecturalSupport for Programming Languages and Operating SystemsASPLOS 2011 pp 279ndash290 Newport Beach Calif USA March2011

[6] A Baliga V Ganapathy and L Iftode ldquoDetecting kernel-levelrootkits using data structure invariantsrdquo IEEE Transactions onDependable and Secure Computing vol 8 no 5 pp 670ndash6842011

[7] S Bharadwaja W Sun M Niamat and F Shen ldquoCollabra Axen hypervisor based collaborative intrusion detection systemrdquoin Proceedings of the 2011 8th International Conference onInformation Technology New Generations ITNG 2011 pp 695ndash700 Las Vegas NV USA April 2011

[8] A Srivastava A Lanzi J Giffin and D Balzarotti ldquoOperatingsystem interface obfuscation and the revealing of hidden oper-ationsrdquo Lecture Notes in Computer Science (including subseriesLecture Notes in Artificial Intelligence and Lecture Notes inBioinformatics) vol 6739 pp 214ndash233 2011

[9] J Szefer E Keller R B Lee and J Rexford ldquoEliminating thehypervisor attack surface for a more secure cloudrdquo in Proceed-ings of the 18th ACM Conference on Computer and Communica-tions Security CCSrsquo11 pp 401ndash412 Chicago Ill USA October2011

[10] H Benzina and J Goubault-Larrecq ldquoSome Ideas on Virtu-alized System Security and Monitorsrdquo in Data Privacy Man-agement and Autonomous Spontaneous Security vol 6514 ofLecture Notes in Computer Science pp 244ndash258 Springer BerlinHeidelberg Berlin Heidelberg Germany 2011

[11] L Wang H Gao W Liu and Y Peng ldquoDetecting andmanaging hidden process via hypervisorrdquo Jisuanji Yanjiu yuFazhanComputer Research and Development vol 48 no 8 pp1534ndash1541 2011

[12] P Barham B Dragovic K Fraser et al ldquoXen and the art ofvirtualizationrdquo in Proceedings of the 19th ACM Symposium onOperating Systems Principles (SOSP rsquo03) pp 164ndash177 New YorkNY USA October 2003

[13] D ChisnallTheDefinitive Guide to the XenHypervisor PrenticeHall Press Upper Saddle River NJ USA 2007

Mobile Information Systems 15

[14] S Forrest A Perelson L Allen and R Cherukuri ldquoSelf-nonself discrimination in a computerrdquo in Proceedings of the 1994IEEE Computer Society Symposium on Research in Security andPrivacy pp 202ndash212 Oakland Calif USA

[15] L I De-Yi C Y Liu D U Yi and XHan ldquoArtificial intelligencewith uncertaintyrdquo Journal of Software vol 15 no 11 article 22004

[16] P Drsquohaeseleer S Forrest and P Helman ldquoAn immunologicalapproach to change detection algorithms analysis and impli-cationsrdquo in Proceedings of the 1996 IEEE Symposium on Securityand Privacy pp 110ndash119 Oakland Calif USA

[17] M Glickman J Balthrop and S Forrest ldquoA machine learningevaluation of an artificial immune systemrdquo Evolutionary Com-putation vol 13 no 2 pp 179ndash212 2005

[18] S Woo M Ohara E Torrie J Singh and A Gupta ldquoTheSPLASH-2 programs characterization and methodologicalconsiderationsrdquo in Proceedings of the 22nd Annual Interna-tional Symposium on Computer Architecture pp 24ndash36 SantaMargherita Ligure Italy

[19] J P SinghWWeber andA Gupta ldquoSPLASHrdquoACMSIGARCHComputer Architecture News vol 20 no 1 pp 5ndash44 1992

[20] Standard Performance Evaluation Corporation httpwwwspecorg

[21] httperf httpwwwhplhpcomresearchlinuxhttperf[22] autobench httpwwwxenoclastorgautobench[23] J Balthrop S Forrest M E J Newman andMMWilliamson

ldquoTechnological networks and the spread of computer virusesrdquoComputer Science vol 304 no 5670 pp 527ndash529 2004

Submit your manuscripts athttpswwwhindawicom

Computer Games Technology

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Distributed Sensor Networks

International Journal of

Advances in

FuzzySystems

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014

International Journal of

ReconfigurableComputing

Hindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 201

Applied Computational Intelligence and Soft Computing

thinspAdvancesthinspinthinsp

Artificial Intelligence

HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014

Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Hindawi Publishing Corporation

httpwwwhindawicom Volume 2014

Advances in

Multimedia

International Journal of

Biomedical Imaging

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Advances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 201

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Computational Intelligence and Neuroscience

Industrial EngineeringJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Human-ComputerInteraction

Advances in

Computer EngineeringAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Mobile Information Systems 13

Randomly generate detectors

Immature detectors

Mature detectors

Memory detectorsDead

Activate

Not match selves

Match antigens

No co-stimulation

Match selves

Match enough

Too oldCostimulation

01111111010000 110101

Figure 12 The life cycle of detectors in ARTIS

ARTISIB-IDS

0

10

20

30

40

50

60

70

80

90

100

Det

ectio

n ra

te (

)

10 15 20 25 30 35 40 45 505Time

Figure 13 Comparisons of DR for IB-IDS and ARTIS

replace the first bytes of the system call function with jumpstatements except the other few bytes for example bytesin the middle Table 3 lists DRs and FARs of IB-IDS andARTIS and variances are in parentheses As can be seenfrom the table IB-IDS has high detection rates and low falsealarm rates under various attacks and is feasible for judgingapplications in client virtual machines

5 Conclusions

Cloud computing platforms are usually based on virtualmachines as the underlying architecture the security of vir-tual machine systems is the core of cloud computing security

ARTISIB-IDS

0

10

20

30

40

50

60

70

80

90

100

False

alar

m ra

te (

)

10 15 20 25 30 35 40 45 505Time

Figure 14 Comparisons of FAR for IB-IDS and ARTIS

Current study on security of user programs and vulnera-bilities of virtual monitors cannot accurately judge the realstate of the client application in the virtual machine At thesame time the proposed defensemethods are only for specificattacks and vulnerabilities and cannot effectively deal withthreats under other attacks This paper presents an immune-based intrusion detection model in virtual machines of thecloud computing environment to ensure safety of user-levelapplications in client virtual machines The model extractssystem call sequences and their parameters of programsabstracts them into antigens and fuses environmental infor-mation of guest virtual machines into danger signals inclient VMs Then immune responses will be performed

14 Mobile Information Systems

Table 3 Detection results

Processes ARTIS IB-IDSDR FAR DR FAR

wu-ftpdfile name matching vulnerability 7612 (511) 1028 (417) 9655 (114) 722 (122)site exec vulnerability 7987 (245) 987 (532) 9731 (123) 665 (201)attack of getting around access restrictions 7754 (477) 1275 (374) 9702 (108) 743 (167)

sendmailsccp attack 7452 (356) 1462 (341) 9811 (125) 515 (163)decode attack 8121 (484) 1572 (387) 9835 (101) 542 (169)remote buffer overflow attack 8245 (546) 1284 (563) 9878 (114) 580 (128)

rootkitsimple hook rootkit 8515 (516) 941 (412) 9999 (0) 0 (0)inline hook rootkit 8245 (682) 1075 (820) 9999 (0) 0 (0)inline hook complex rootkit 7514 (523) 956 (677) 9584 (242) 378 (289)

in the privileged VM During the detection process infor-mation monitoring mechanism will be executed in VMMExperimental results show that the model brings a smallperformance overhead for the virtual machine system andhas a good detection performance It is applicable to judgethe state of user-level application in guest virtual machineand it is feasible to use it to increase the user-level securityin software services of cloud computing platform

Conflicts of Interest

The authors declare that there are no conflicts of interest

Acknowledgments

The authors would like to acknowledge Sichuan AgriculturalUniversity Double Support Project for providing financialaid

References

[1] A. Haeberlen, P. Aditya, R. Rodrigues, and P. Druschel, "Accountable Virtual Machines," in Proceedings of the 9th USENIX Symposium on Operating Systems Design and Implementation (OSDI '10), 2010.

[2] B. D. Payne, M. Carbone, M. Sharif, and W. Lee, "Lares: An architecture for secure active monitoring using virtualization," in Proceedings of the 2008 IEEE Symposium on Security and Privacy (SP), pp. 233-247, Oakland, Calif., USA, May 2008.

[3] M. I. Sharif, W. Lee, W. Cui, and A. Lanzi, "Secure In-VM monitoring using hardware virtualization," in Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS '09), pp. 477-487, Chicago, Ill., USA, November 2009.

[4] Z. Wang, X. Jiang, W. Cui, and P. Ning, "Countering kernel rootkits with lightweight hook protection," in Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS '09), pp. 545-554, Chicago, Ill., USA, November 2009.

[5] O. S. Hofmann, A. M. Dunn, S. Kim, I. Roy, and E. Witchel, "Ensuring operating system kernel integrity with OSck," in Proceedings of the 16th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS 2011), pp. 279-290, Newport Beach, Calif., USA, March 2011.

[6] A. Baliga, V. Ganapathy, and L. Iftode, "Detecting kernel-level rootkits using data structure invariants," IEEE Transactions on Dependable and Secure Computing, vol. 8, no. 5, pp. 670-684, 2011.

[7] S. Bharadwaja, W. Sun, M. Niamat, and F. Shen, "Collabra: A Xen hypervisor based collaborative intrusion detection system," in Proceedings of the 2011 8th International Conference on Information Technology: New Generations (ITNG 2011), pp. 695-700, Las Vegas, NV, USA, April 2011.

[8] A. Srivastava, A. Lanzi, J. Giffin, and D. Balzarotti, "Operating system interface obfuscation and the revealing of hidden operations," Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 6739, pp. 214-233, 2011.

[9] J. Szefer, E. Keller, R. B. Lee, and J. Rexford, "Eliminating the hypervisor attack surface for a more secure cloud," in Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS '11), pp. 401-412, Chicago, Ill., USA, October 2011.

[10] H. Benzina and J. Goubault-Larrecq, "Some Ideas on Virtualized System Security, and Monitors," in Data Privacy Management and Autonomous Spontaneous Security, vol. 6514 of Lecture Notes in Computer Science, pp. 244-258, Springer Berlin Heidelberg, Berlin, Heidelberg, Germany, 2011.

[11] L. Wang, H. Gao, W. Liu, and Y. Peng, "Detecting and managing hidden process via hypervisor," Jisuanji Yanjiu yu Fazhan / Computer Research and Development, vol. 48, no. 8, pp. 1534-1541, 2011.

[12] P. Barham, B. Dragovic, K. Fraser et al., "Xen and the art of virtualization," in Proceedings of the 19th ACM Symposium on Operating Systems Principles (SOSP '03), pp. 164-177, New York, NY, USA, October 2003.

[13] D. Chisnall, The Definitive Guide to the Xen Hypervisor, Prentice Hall Press, Upper Saddle River, NJ, USA, 2007.

Mobile Information Systems 15

[14] S. Forrest, A. Perelson, L. Allen, and R. Cherukuri, "Self-nonself discrimination in a computer," in Proceedings of the 1994 IEEE Computer Society Symposium on Research in Security and Privacy, pp. 202-212, Oakland, Calif., USA.

[15] L. I. De-Yi, C. Y. Liu, D. U. Yi, and X. Han, "Artificial intelligence with uncertainty," Journal of Software, vol. 15, no. 11, article 2, 2004.

[16] P. D'haeseleer, S. Forrest, and P. Helman, "An immunological approach to change detection: algorithms, analysis and implications," in Proceedings of the 1996 IEEE Symposium on Security and Privacy, pp. 110-119, Oakland, Calif., USA.

[17] M. Glickman, J. Balthrop, and S. Forrest, "A machine learning evaluation of an artificial immune system," Evolutionary Computation, vol. 13, no. 2, pp. 179-212, 2005.

[18] S. Woo, M. Ohara, E. Torrie, J. Singh, and A. Gupta, "The SPLASH-2 programs: characterization and methodological considerations," in Proceedings of the 22nd Annual International Symposium on Computer Architecture, pp. 24-36, Santa Margherita Ligure, Italy.

[19] J. P. Singh, W. Weber, and A. Gupta, "SPLASH," ACM SIGARCH Computer Architecture News, vol. 20, no. 1, pp. 5-44, 1992.

[20] Standard Performance Evaluation Corporation, http://www.spec.org.

[21] httperf, http://www.hpl.hp.com/research/linux/httperf.

[22] autobench, http://www.xenoclast.org/autobench.

[23] J. Balthrop, S. Forrest, M. E. J. Newman, and M. M. Williamson, "Technological networks and the spread of computer viruses," Computer Science, vol. 304, no. 5670, pp. 527-529, 2004.



Table 3: Detection results. Columns give DR and FAR for ARTIS and for IB-IDS; the value in parentheses is as reported in the original table.

Processes                                    ARTIS DR       ARTIS FAR      IB-IDS DR      IB-IDS FAR

wu-ftpd
  file name matching vulnerability           76.12 (5.11)   10.28 (4.17)   96.55 (1.14)   7.22 (1.22)
  site exec vulnerability                    79.87 (2.45)   9.87 (5.32)    97.31 (1.23)   6.65 (2.01)
  attack of getting around access restrictions   77.54 (4.77)   12.75 (3.74)   97.02 (1.08)   7.43 (1.67)

sendmail
  sccp attack                                74.52 (3.56)   14.62 (3.41)   98.11 (1.25)   5.15 (1.63)
  decode attack                              81.21 (4.84)   15.72 (3.87)   98.35 (1.01)   5.42 (1.69)
  remote buffer overflow attack              82.45 (5.46)   12.84 (5.63)   98.78 (1.14)   5.80 (1.28)

rootkit
  simple hook rootkit                        85.15 (5.16)   9.41 (4.12)    99.99 (0)      0 (0)
  inline hook rootkit                        82.45 (6.82)   10.75 (8.20)   99.99 (0)      0 (0)
  inline hook complex rootkit                75.14 (5.23)   9.56 (6.77)    95.84 (2.42)   3.78 (2.89)

