Science in China Ser. F Information Sciences 2005 Vol. 48 No. 5 557-578

An immunity based network security risk estimation

LI Tao
Department of Computer Science, Sichuan University, Chengdu 610065, China (email:)
Received March 9, 2004; revised July 10, 2005

Abstract. According to the relationship between the antibody concentration and the pathogen intrusion intensity, here we present an immunity-based model for network security risk estimation (Insre). In Insre, the concepts and formal definitions of self, nonself, antibody, antigen and lymphocyte in the network security domain are given. Then the mathematical models of self-tolerance, clonal selection, the lifecycle of mature lymphocytes, immune memory and immune surveillance are established. Building upon these models, a quantitative computation model for network security risk estimation, based on the calculation of antibody concentration, is presented. By using Insre, the types and intensity of network attacks, as well as the risk level of network security, can be calculated quantitatively and in real time. Our theoretical analysis and experimental results show that Insre is a good solution to real-time risk evaluation for network security.

Keywords: artificial immune system, intrusion detection, network security, risk estimation.

DOI: 10.1360/04yf0140

There are two kinds of risk-estimation methods for network security: static and real-time. The static methods estimate the network risk by statically evaluating the network value, security holes, and the frequency of security events [1], e.g., COBRA 1), OCTAVE [2], etc. Focusing on the static factors of the target system, the static methods can only make a rough estimation of the security risk that the network faced in the past, and cannot evaluate in real time the risk of the network attacks to which the network is currently exposed. Moreover, they have little ability to detect newly arriving network attacks, and thus offer no self-adaptation capability in the complex environment of network security [3]. In contrast with the research on static risk estimation, research on real-time risk evaluation for network security is still in an exploratory phase, and only limited studies are available. In 1997, Jonsson and Olovsson [4] analyzed attacker behavior based on a Markov model, and estimated system reliability according to the probability that the system was breached by the attackers. In 1999, Ortalo et al. [5] proposed a security hole evaluation method based on the privilege graph for the known security vulnerabilities in UNIX. In 2002, Madan et al. [6] presented a state transition model to depict the system states when the system suffers network intrusions, and then proposed a method to evaluate the security holes and reliability. In 2004, Chu et al. [7] presented a method between static and real-time evaluation for network security. This model can roughly estimate the network security according to some simple sudden-change events, such as a change of operating conditions, the loss of components, etc. The above methods mainly aim at evaluating network reliability according to the probability, or the time cost, that the known security holes are breached by attackers. However, they cannot correctly evaluate the system risk that the network is facing. For example, they cannot estimate the risk that a network is facing but has not yet been breached by, and can do nothing about DDoS attacks. Furthermore, they cannot effectively distinguish different kinds of intrusions, and have no ability to detect unknown intrusions. As a result, the effectiveness and real-time ability of these methods cannot satisfy the requirements of network security risk estimation in a real network environment.

1) COBRA: Introduction to Risk Analysis. C&A Systems Security Ltd. http://www.ca-systems.zetnet.co.uk/risk.htm

Copyright by Science in China Press 2005

There is actually a direct analogy between computer network security and the biological immune system (BIS) in the human body. Both have to maintain stability in a changing environment [8-13]. In 1958, Burnet [14] presented the Clonal Selection Theory, which first expounded the characteristics of the immune response: only the cells activated by antigens can carry out the clonal procedure. In 1993, Kepler and Perelson [15] developed the Clonal Selection Theory further, and discussed the Somatic Hypermutation Theory, which is an important variation in clonal selection. In 1994, Forrest et al. [16] proposed the Negative Selection Algorithm (NSA). Later, Hofmeyr, Forrest et al. [17-19] presented a general framework for Artificial Immune Systems (AIS), and built a Computer Immune System (CIS) based on ARTIS, called LISYS, which has greatly promoted CIS research. ARTIS has made a great impact on CIS research. For example, using mobile agents to monitor network activities, Dasgupta and Harmer et al. [20,21] built an agent-based CIS architecture upon ARTI