| dc.description.abstract |
Computer and network security attacks are growing at a very rapid rate due to the complicated and advanced strategies used by intruders to gain access to data and network resources. Intrusion Detection Systems (IDSs) are designed to overcome security threats by monitoring network traffic and identifying abnormalities on the network. Thus IDSs operate in a similar fashion to the Biological Immune System (BIS), whose purpose is to defend and protect the body from harmful pathogens in our environment. Artificial Immune System (AIS), a research area inspired by BIS, has the potential to produce very effective anomaly detection models, but existing research has mostly focused on the use of concepts from the simplex version of the BIS, leading to high false positive and false negative rates despite the robustness and scalability of the BIS. This research employed a Toll-Like Receptor (TLR) bio-inspired algorithm. This algorithm is more biologically realistic because it is inspired by both the innate and adaptive immune sub-systems of the BIS. The algorithm was validated on two different network intrusion datasets (NSL-KDD'99 and UNSW-NB15). Prior to the validation of the algorithm, there was a need for data pre-processing; this involved discretization using an entropy discretization technique, as well as feature selection using two statistical feature selection methods: filter and wrapper methods. ANOVA F-Test was employed as the filter method, whilst a decision tree was used as the internal evaluator for the wrapper method. The output from the feature selection systems served as input to the immune based network intrusion detection system, where the feature sets with the best accuracy were chosen to process signals suitable for processing by the immune system based algorithm (TLR) for the detection of anomalies in a computer network.
In the developed model, the recipient of these signals determines the antigen level of differentiation into semi-mature dendritic cell (smDC) or mature dendritic cell (mDC). To compare the antigen context of smDCs and mDCs with the naive T-cell (nTC), a one-class Support Vector Machine (SVM), which uses similarity to predict values of any new data point, was adopted. Finally, feature selection classifiers (filter and wrapper) as well as the immune based classifiers (filterTLR and wrapperTLR) were built. The performance of the models was evaluated using Accuracy, Recall, Precision and F1 measure. The filterTLR and wrapperTLR were compared with the feature selection classifiers, achieving a margin of 0.49% and 3.19%, and 1.46% and 1.28% lower than the immune based classifiers on both datasets. The developed immune based classifiers were also compared with the dendritic cell algorithm (DCA), which recorded 49.67% accuracy on the NSL-KDD'99 dataset, a margin of 31.4% and 39.3% lower than those of the TLR classifiers. This research established a bio-inspired toll-like receptor intrusion detection model capable of detecting network traffic (packets) intended to compromise the computer network. |
en_US |