3,092 research outputs found

    An Artificial Immune System-Inspired Multiobjective Evolutionary Algorithm with Application to the Detection of Distributed Computer Network Intrusions

    Today's predominantly-employed signature-based intrusion detection systems are reactive in nature and storage-limited. Their operation depends upon catching an instance of an intrusion or virus after a potentially successful attack, performing post-mortem analysis on that instance and encoding it into a signature that is stored in its anomaly database. The time required to perform these tasks provides a window of vulnerability to DoD computer systems. Further, because of the current maximum size of an Internet Protocol-based message, the database would have to be able to maintain $256^{65535}$ possible signature combinations. In order to tighten this response cycle within storage constraints, this thesis presents an Artificial Immune System-inspired Multiobjective Evolutionary Algorithm intended to measure the vector of trade-off solutions among detectors with regard to two independent objectives: best classification fitness and optimal hypervolume size. Modeled in the spirit of the human biological immune system and intended to augment DoD network defense systems, our algorithm generates network traffic detectors that are dispersed throughout the network. These detectors promiscuously monitor network traffic for exact and variant abnormal system events, based on only the detector's own data structure and the ID domain truth set, and respond heuristically. The application domain employed for testing was the MIT-DARPA 1999 intrusion detection data set, composed of 7.2 million packets of notional Air Force Base network traffic. Results show our proof-of-concept algorithm correctly classifies at best 86.48% of the normal and 99.9% of the abnormal events, attributed to a detector affinity threshold typically between 39-44%. Further, four of the 16 intrusion sequences were classified with a 0% false positive rate

    Randomised Algorithms on Networks

    Networks form an indispensable part of our lives. In particular, computer networks have ranked amongst the most influential networks in recent times. In such an ever-evolving and fast growing network, the primary concern is to understand and analyse different aspects of the network behaviour, such as the quality of service and efficient information propagation. It is also desirable to predict the behaviour of a large computer network if, for example, one of the computers is infected by a virus. In all of the aforementioned cases, we need protocols that are able to make local decisions and handle the dynamic changes in the network topology. Here, randomised algorithms are preferred because many deterministic algorithms often require a central control. In this thesis, we investigate three network-based randomised algorithms, threshold load balancing with weighted tasks, the pull-Moran process and the coalescing-branching random walk. Each of these algorithms has extensive applicability within networks and computational complexity within computer science. In this thesis we investigate threshold-based load balancing protocols. We introduce a generalisation of protocols in [2, 3] to weighted tasks. This thesis also analyses an evolutionary-based process called the death-birth update, defined here as the Pull-Moran process. We show that a class of strong universal amplifiers does not exist for the Pull-Moran process. We show that any class of selective amplifiers in the (standard) Moran process is a class of selective suppressors under the Pull-Moran process. We then introduce a class of selective amplifiers called Punk graphs. Finally, we improve the broadcasting time of the coalescing-branching (COBRA) walk analysed in [4], for random regular graphs. Here, we look into the COBRA approach as a randomised rumour spreading protocol

    Vulnerability analysis of AIS-based intrusion detection systems using genetic and evolutionary hackers

    In this thesis, an overview of current intrusion detection methods, evolutionary computation, and immunity-based intrusion detection systems (IDSs) is presented. An application named Genetic Interactive Teams for Intrusion Detection Design and Analysis (GENERTIA) is introduced which uses genetic algorithm (GA)-based hackers known as a red team in order to find vulnerabilities, or holes, in an artificial immune system (AIS)-based IDS. GENERTIA also uses a GA-based blue team in order to repair the holes it finds. The performance of the GA-based hackers is tested and measured according to the number of distinct holes that it finds. The GA-based red team's behavior is then compared to that of 12 variations of the particle swarm optimization (PSO)-based red team named SW0, SW0+, SW1, SW2, SW3, SW4, CCSW0, CCSW0+, CCSW1, CCSW2, CCSW3, and CCSW4. Each variant of the PSO-based red team differs in terms of the way that it searches for holes in an IDS. Through this test, it is determined that none of the red teams based on PSO perform as well as the one based on a GA. However, two of the twelve PSO-based red teams, CCSW4 and SW0+, provide hole finding capabilities closest to that of the GA. In addition to the ability of the different red teams to find holes in an AIS-based IDS, the search behaviors of the GA-based hackers, PSO-based hackers that use a variable called a constriction coefficient, and PSO-based hackers that do not use the coefficient are compared. The results of this comparison show that it may be possible to implement a red team based on a hybrid "genetic swarm" that improves upon the performance of both the GA- and PSO-based red teams

    Go viral or go broadcast? Characterizing the virality and growth of cascades

    Quantifying the virality of cascades is an important question across disciplines such as the transmission of disease, the spread of information and the diffusion of innovations. An appropriate virality metric should be able to disambiguate between a shallow, broadcast-like diffusion process and a deep, multi-generational branching process. Although several valuable works have been dedicated to this field, most of them fail to take the position of the diffusion source into consideration, which makes them fall into the trap of graph isomorphism and would result in imprecise estimation of cascade virality inevitably under certain circumstances. In this paper, we propose a root-aware approach to quantifying the virality of cascades with proper consideration of the root node in a diffusion tree. With applications on synthetic and empirical cascades, we show the properties and potential utility of the proposed virality measure. Based on preferential attachment mechanisms, we further introduce a model to mimic the growth of cascades. The proposed model enables the interpolation between broadcast and viral spreading during the growth of cascades. Through numerical simulations, we demonstrate the effectiveness of the proposed model in characterizing the virality of growing cascades. Our work contributes to the understanding of cascade virality and growth, and could offer practical implications in a range of policy domains including viral marketing, infectious disease and information diffusion. Comment: 10 pages, 15 figures, 1 tabl