
    Using Sequence Analysis to Perform Application-Based Anomaly Detection within an Artificial Immune System Framework

    The Air Force and other Department of Defense (DoD) computer systems typically rely on traditional signature-based network IDSs to detect various types of attempted or successful attacks. Signature-based methods are limited to detecting known attacks or similar variants; anomaly-based systems, by contrast, alert on behaviors previously unseen. The development of an effective anomaly-detecting, application-based IDS would increase the Air Force's ability to ward off attacks that are not detected by signature-based network IDSs, thus strengthening the layered defenses necessary to acquire and maintain safe, secure communication capability. This system follows the Artificial Immune System (AIS) framework, which relies on a sense of "self", or normal system states, to determine potentially dangerous abnormalities ("non self"). A method for anomaly detection is introduced in which "self" is defined by sequences of events that define an application's execution path. A set of antibodies that act as sequence detectors are developed and used to attempt to identify modified data within a synthetic test set.