The Journal of China

Universities of Posts and

Telecommunications
April 2014, 21(2): 83–90
www.sciencedirect.com/science/journal/10058885 http://jcupt.xsw.bupt.cn

Integrated intrusion detection model based on artificial immune

ZHANG Ling1, 2 ( ), BAI Zhong-ying1, LU Yun-long1, ZHA Ya-xing1, LI Zhen-wen1

1. School of Computer Science, Beijing University of Posts and Telecommunications, Beijing 100876, China
2. Zhengzhou University of Light Industry, Zhengzhou 450000, China

Abstract
The author puts forward an integrated intrusion detection (ID) model based on artificial immune (IIDAI), a vaccination
strategy based on the significance degree of genes and a method to generate initial memory antibodies with rough set (RS).
IIDAI integrates two kinds of intrusion detection mode: misuse detection and anonymous detection. Misuse detection and
anonymous detection are applied to detect the known and the unknown attacks, respectively. On the basis of IIDAI model,
an ID algorithm is presented. Simulation shows that the IIDAI has better performance than traditional ID methods in
feasibility and effectiveness. It is very prone to achieve a higher convergence rate by using the vaccination strategy.
Moreover, RS can remove the redundancy attributes and increase the detection speed. It can also increase detection rate by
applying the integrated method.

Keywords ID, RS, artificial immune, vaccination

1 Introduction dynamic clonal selection (DynamiCS) algorithm [6].

Intrusion detection system (IDS) is used to detect
unwanted attempts during the process of accessing,
manipulating, and disabling computer system by either
authorized users or external perpetrators, mainly through
the network, such as the Internet. For the past few years,
many techniques, such as neural network, fuzzy theory [1],
RS [2], genetic algorithm [3], artificial immune theory etc.,
were applied in IDS. It is shown that artificial immune is
with following advantages: distribution, adaptability,
dynamic balance and self-organization. The biological
immune system was proved to be an effective method for
intrusion detection.
In 1974, American biologist, therapist and immunologist,
Jerne firstly proposed the pioneering immune network
theory [4]. Later on, Hofmeyr et al. constructed an
artificial immune system (ARTIS) framework, and
generalized to network for protecting the hosts [5].
Moreover, they also proposed a network intrusion
detection system. Soon afterwards, Kim et al. designed a
Received date: 08-10-2013
Corresponding author: ZHANG Ling, E-mail: ll790217@163.com
DOI: 10.1016/S1005-8885(14)60290-9
Recently, Li demonstrated the formal description of the
dynamic artificial immune system and designed an
immune based dynamic intrusion detection (IDID) [7],
discussed the different parameters for the artificial immune
system. Yan proposed an artificial immune-based intrusion
detection model by using vaccination (IIDV) strategy [8].
Chen et al. proposed a system by means of the
combination of dendritic cell algorithm and negative
selection algorithm [9]. The imitation of human immune
system has been drawing more attention recently, but those
researches in aspect of the detection rate are lack of
considerations. Factually, through researching the model, it
is shown that there exists a most significant difference
between artificial immune system and network
immune-based IDS. It is worth nothing that the latter is
more colossal and complex with high speed than the
formers. Consequently it needs massive detected packets.
For example, the access speed can reach 1 Gbit/s ~10
Gbit/s, and the number of packets arrives to 3 000 in one
second [10]. Generally speaking, detection rate, stability
and convergence rate are three key points for constructing
the model of intrusion detection.
Enlightened by those works of Refs. [6–8], it is rational
84 The Journal of China Universities of Posts and Telecommunications
to apply the misuse detection and anomaly detection to
detect known or unknown attacks effectively. First, the
misuse detection and anomaly detection is applied to
detecting known or unknown attacks effectively,
respectively. But it will take long time on anomaly
detection. Consequently, misuse detection must be carried
out before the anomaly detection is implemented. Second,
removing redundancy attribute is an important factor to
increase the detection speed. Usually it can be achieved by
machine learning algorithm such as Bayesian classification,
fuzzy clustering algorithm, rock clustering algorithm, RS,
etc. Especially, RS theory has vast of unique traits. In 1982,
Pawlak firstly proposed RS to reduce the attribution of
important contents. With development of information
science, many researchers paid more attention to the
application of RS theory in the fields of artificial
intellegence, such as knowledge discovery, data mining
and pattern recognition. Importantly, RS plays an
important role in data mining for obtaining data clustering,
forming equivalent sets, and generating decision-making
rules which are called memory antigens [11]. For the
samples of incomplete, uncertain, small sampling data, RS
has obvious merits in erasuring the redundant attributes to
get effective initial memory antibodies.
The artificial intellegence [6] and RS algorithms are
repeated according to actual needs of intrusion detection.
And IIDAI method is demonstrated in detail. Three merits
are given below:
1) By using RS the redundancy attributes and generate
initial memory antibodies can be removed. The time
complexity of the algorithm is reduced and the detection
speed is also improved.
2) Enlightened by RS theory, the definition of the
antigen decision table is given. The significance degree of
gene and the vaccination extraction scheme is proposed
based on above definition. Moreover, vaccinations are
generated to improve the convergence speed of the
detection algorithm by means of this method.
3) Method of generating immature antibodies is
improved. It can select the best ones among the memory
antibodies, which are cloned, and varied to improve the
stability of the detection algorithm.
2 The definitions
2.1 Antigens decision table
In Ref. [12], antibody information decision table, the
2014
equivalence relation, approximation, antibodies attribute
dependency and significance degree of gene are defined as
follows.
Definition 1 Antigen g ∈ A , A ⊂ {0,1}l , ( l ∈ N ,
l > 0 ), A is the antigen set, g is the binary string with
length l, the value of antigen g denotes the character of
attribute.
Definition 2 Antibody b ∈ B , B ⊂ {0,1}l , antibody
gene a ∈ {0,1}1 , e ∈ N , B{< d , s, e, c >} , s ∈ {00, 01,10} .
B is the antibody set, and s denotes the status of antibody,
whose values include: 00, 01 and 10, e is the age of
antibody, c is the matching number. B = BI ∪ BT ∪ BM ,
BI is the set which consists of immature antibodies,
BI = {I I ∈ B, I s = 00} , BT is the set including mature
antibodies, BT = {T T ∈ B, Ts = 01} , BM is the memory
antibody set, BM = {M M ∈ B, M s = 10} .
Definition 3 Let Sself and Snself be the sets of normal
and abnormal behaviors, respectively. Obviously, we have
Sself ∩ S nself = ∅ , Sself ∪ S nself = A .
The affinity of g and b means the bonding strength
between antigen and antibody, denoted that fit (b, g).
Definition 4 fit (b, g) can be calculated by Euclidean
distance:
l
fit(b, g ) = ∑ (g i
− bi ) 2 (1)
i =1
where, gi and bi are the ith bit of antigen g and antibody b,
respectively.
Definition 5 An antibody decision information system
is defined as T =< U , C ∪ D, V , f > , where:
1) Nonempty domain U = {b1 , b2 ,..., bn } , b1 , b2 ,..., bn
are antibodies, B ⊂ U , B is antibodies population.
2) Conditional attributes subset C = {x1 , x2 ,..., xm },
(m<l) is decision attributes subset.
3) D = {0,1} , if the value is 0, the antibody is self,
otherwise the antibody is non-self, and C ∩ D = ∅ .
4) V = ∪ x , V is called the domain of antibody.
x∈C ∪ D
5) f : U × (C ∪ D) → V , f is an information function,
and ∀x ∈ C ∪ D . b ∈ U and f ( x, b) ∈ V .
Definition 6 Every subset of antibodies B ' ⊂ B
decides a binary equivalent relation I ( B ') , which is
denoted as:
I ( B ') = {(b, b ') ∈ U × U⏐∀b ∈ B, f ( x, b) = f (b ', x)} .
U is divided into k classes by I ( B ') , each class
Issue 2 ZHANG Ling, et al. / Integrated intrusion detection model based on artificial immune 85

combines one type of antibodies, that is: ⎧ 1 s'

I ( B ') = {B1 ', B2 ',..., Bk '}; k≤n (2) ⎪1; s' ∑ (sig(bik' ' )bik' ' ) > α , α≥0.8

Definition 7 The set of antibodies in the lower

⎪
⎪
∑
i ' =1
k ' i ' =1
sig(bi ' )
⎪
approximation consists of all antibodies, which certainly vk ' = ⎨ 1 s'
(6)
belong to the set, while the upper approximation contains ⎪ 0; s' ∑ (sig(bik' ' )bik' ' ) < β , β ≤0.2

all antibodies, which may belong to the set.

An antibody information decision table: T =< U ,
C ∪ D, V , f > , ∀B ⊆ U , the lower approximation of B
is: P ( B) = ∪ {Bi′1 Bi′1 ∈ U / ( I ( B ') ∧ Bi′1 ∈ B )},
∗
..., k .
Definition 8 Let an antibody information decision
table T =< U , C ∪ D, V , f > , B ⊆ U , P* ( B ) is the lower
approximation the of antibody set B, the positive domain
of decision attribute D is defined as follows:
OB ( D) = ∪ P∗ ( B ) (3)
B∈U / D
Definition 9 The attribute dependency of antibodies is
defined as Eq. (4).
O(C , D)
r (C , D) = (4)
U ⎧⎪v k ' ; v k ' = 0 or 1
O (C , D ) is the number of elements in positive region
O (C , D ) , U is the number of all elements of antibody
decision information table.
Definition 10 The significance degree of antibody
gene in decision table is defined as: let an antibody
information decision table T =< U , C ∪ D, V , f > ,
⎪
⎪
∑i =1
sig(bik' ' ) i =1
⎪*; other
⎩
If the value of α is too large or the value of β is too
i1 = 1, 2, small, most of the vaccinations are not so good, on the
contrary, all the genes of vaccination is fixed, the diversity
of antibodies cannot be promised. So the criterions of
assessment is referred to set the value α≥0.8, β ≤0.2 .
Definition 13 Vaccine inoculation operator: vaccine
inoculation operator is to replace the gene in the same
location with the excellent genes of vaccination [8].
Let a be an antibody gene, v is a vaccination, the
vaccination inoculation operator is denoted as â = aΘv ,
â the antibody which is calculated with the operator
defined. The calculation Θ is shown as Eq. (7):
aˆ = b k ' Θv k ' = ⎨ k ' (7)
⎪⎩b ; v = *
k'
Let v be the vaccination of the antibody population.
After the antibody is inoculated, the method of evaluating
the new antibody is shown in Eq. (8).
n
E (v) = E ′(v) + ∑ (fit(aˆ , g ) − fit(a, g )) (8)
i ' =1

{b1 , b2 ,..., bn ' } , 1≤n′≤n , is the antibodies population, bik' ' ,
1≤i ′≤n′ , 1≤k ′≤l , denotes the k ′th gene of the i ′th
antibody bi ' , let a = bik' ' , for antibody attribute D, the
significance degree of antibody gene a is:
F (a, C , D) = F (bi ' , C , D) = r (C , D) − r ((C − {bi ' }), D)
In Eq. (8), E ′(v) is the value of the fitness of antibody
before inoculation, fit is the function with which the
affinity between antigen and antibody can be calculated,
and â is the one after inoculation.
(5)
3 IIDAI model

2.2 Vaccination inoculation 3.1 The evolution model

Definition 11 v ∈ {0,1,*}l , ( l ∈ , l > 0 ), v is defined
as a string with length l which is coded with character 0, 1
and *, vk ' is the k ′th of v.
Definition 12 Vaccination extraction operator: let
b1 , b2 ,..., bs ' be the excellent antibody in population
{b1 , b2 ,..., bn } with certain evaluating criterions, sig(bik' ' )
is the significance degree of gene bik' ' to decision
attributes, the definition of vaccination extraction operator
is in Eq. (6):
The ID evolution model based on artificial immune is
described as a four-tuple Ω = ( A, B, V , Θ) , where
A = {Sself , S nself } , B = BI ∪ BT ∪ BM and V are the sets
of antigens, antibodies and vaccinations, Θ represents of
the vaccination inoculation operator. The evolution mode
is a dynamic cyclical process of ‘production,
differentiation, proliferation and apoptosis’. Each antigen
and antibody is going to change from moment to moment.
Thus, all the antigens, antibodies and the vaccinations are
dynamically ever-changing in the evolution model. The
evolution model is shown in Fig. 1.
86 The Journal of China Universities of Posts and Telecommunications
Fig. 1 The evolution model
3.2 Process of the model
The processes of the model are described as below:
Step 1 The generation of memory antibodies
According to RS algorithm the memory antibodies can
be generated from antigens. If the decision value is 0, the
antibodies are saved as memory antibodies, denoted that
set self, else non-self.
Step 2 Collecting the antigen
If collecting the antigen do not match with the non-self
based on misuse detection method, then continuing the
algorithm. Else alerted and terminated.
Step 3 Anomaly detection
Anomaly detection is implemented, if the lifecycle of
vaccination operation is T1, then go to Step 4, else go to
Step 2.
Step 4 Extracting a part of some excellent memory
antibodies to generate immature ones by Gauss mutation.
Step 5 Extracting a part of some excellent memory
antibodies to generate immature ones by crossing and
variation operations.
Step 6 Generating some immature antibodies with
random function.
Step 7 Judging whether the age of immature antibody
exceeds the life cycle threshold T2.
If not, goes to Step 8. Else dies by apoptosis.
Step 8 Matching immature antibody with self-antigen
If the immature antibody does not match with any
self-antigen, then it becomes a mature one. Else dies by
apoptosis.
Step 9 Judging whether the number of detection
antigens is higher than the threshold θ.
2014
If yes, the mature antibody is active, else it dies by
apoptosis.
Step 10 Translating mature antibodies to memory
antibody according to the value of co-stimulation (CSM),
then updating the population with optimal strategy and go
to Step 9.
Step 11 Extracting memory antibodies dynamically
for every other cycle T3.
Step 12 Vaccinating the mature, go to Step 2.
There are 6 key steps in antibody evolution model,
which are described as follows:
1) Generation of memory antibodies
In RS, the decision attributes reduction algorithm is a
kind of currency reduction method based on the
significance degree of attributes. The article analyzes the
known data, complete the incomplete data table, and
deduce the incomplete table of data to get the effective
decision rule table, which is called memory antibodies
population. The processes are described as follows:
a) By Definition 5, all the records are transformed to
normal strings. The method of the transformation will be
given in Sect. 4.1.
b) According to Eq. (2) and Definition 7, the binary
equivalent relation I( B ′ ) and the core of the decision
attribute are calculated.
c) Then we can get the positive domination O(C,D)
according to Eq. (3).
d) The significance degree of attribute can be calculated
by Eq. (5), the significance degree of gene can also be got.
e) The final antigen decision table will be obtained by
the algorithm based on the significance degree of attributes.
If the decision value is 0, the antigen is saved as initial
memory antibody, at the same time, the significance
degree of gene is saved.
RS is introduced in ID for two purposes: on one hand,
the redundant attributes are deleted, and the length of
antibody will become shorter, therefore the detection speed
will be higher. On the other hand, the initial memory
antibodies are obtained randomly with the traditional
method, and then the detection rate is lower. RS is applied
to generating the initial memory antibodies to promise a
higher detection rate. The final decision rules (memory
antibodies) will be given in Sect. 4.2.
2) Vaccination strategy
The objects which are inoculated are mature antibodies.
The memory antibodies which have higher fitness are
extracted for vaccination operation according to Eq. (7).
Issue 2 ZHANG Ling, et al. / Integrated intrusion detection model based on artificial immune
After the vaccination, Eq. (8) is used to evaluate the new
antibodies, if the new ones can detect the antigens more
effectively than the antibodies which are not inoculated,
and the new antibodies are excellent vaccinations. Let
b ∈ BT , b is the mature antibody, a is the antibody gene
of b, and a is inoculated, and the affinity is calculated. If
fit(a Θ v, g ) > fit(a, g ) , then b is replaced by the new
antibody, else the old antibody is kept. The significance
degree of gene is calculated by the significance degree of
attribute.
3) Translation from mature antibodies to memory
antibodies
For mature antibody in BT, in its lifecycle T2, if the
mature one matches non-self, namely bc>θ (θ is the
threshold value of activation), b is activated, or else dies
away naturally.
After b is activated, the CSM signal is used to judge
whether the mature antibodies may change into memory
antibodies. Within certain time, if there is no CSM signal,
bT will be died naturally. In order to avoid high false rate
of alarming, the CSM signal is needed.
4) Obtaining next general immature antibodies
The next generation antibodies are generated from the
antibodies which already exited within the iteration
circulation. In order to ensure the optimal antibodies, the
strategy is as follows:
a) The memory antibodies are divided into several
categories. In each category, better memory antibodies are
selected to be operated with gauss mutation, and the
mutated individuals are saved as next generation immature
antibodies population.
b) Part individuals in antibody population are chosen for
crossing and variation operation, then they are saved as
immature antibodies population.
c) The random function is applied to get some immature
antibodies, and those immature antibodies are added into
immature antibodies population.
The purposes of the strategy above are: one side, the
diversity of antibodies is ensured, and the local
convergence is avoided, on the other side, too much copy
of antibodies is limited, the detection rate is increased also.
5) Dividing memory antibodies into different
populations
To obtain good vaccinations, the memory antibodies
need to be classified, namely BM = ∪ BM j ' . Each set
stands for one type of antibody population. The method
87
used to classify the antibodies is: in certain period, in
Ref. [8], the rock clustering algorithm is used.
6) Extraction of different vaccinations
The iteration of algorithm will increase the load of the
system, so in certain period, a vaccination extraction
operation is applied to extract memory antibodies. For
each subset, the vaccination vi is extracted, and added into
the vaccination set.
The classification of vaccinations is to detect different
types of attacks effectively and to obtain excellent
antibody population. The operation is separately done with
different types of invasion types to ensure that this kind of
intrusion behaviors will be detected.
3.3 Complexity of algorithm
In this section the authors will analyze the time and
space complexity of the proposed algorithm. Let Nt, Na, Ns,
Nm, Nn and J be the number of training samples, antigens,
self-antibodies, memory antibodies, non-memory
antibodies and detectors’ attributes, respectively. The
length of detectors and input antigen signal are denoted by
L1 and L.
The time complexity of RS algorithm is O(241 N t2 L)
during the process of calculating OB ( D) , calculating the
significance degree of attribute and generating the memory
antibodies with RS algorithm, respectively. Moreover, The
time complexity of detection antigens is O(NaNmL1), but it
is increased to O(2 J N t2 L) after M interactions. It is
known that when J<41 and after one interaction, the time
complexity of our IIDAI algorithm is less than one of IIDV.
Once the vaccinations are inoculated, initial memory
antibodies will only be generated in the beginning,
therefore the total time complexity of IIDAI is O(NaNmL1).
The space complexity of IIDAI is related with
generating memory antibodies by means of RSA. Owing
to N1 is a high value, the space complexity of DynamiCS
and IIDV is O(NnL(Nn+ Na)) after an interaction, but one
of the antigens decision table is O(Nt L) in the process of
generating memory antibodies. Thus, the space complexity
of IIDAI is O(Nt L).
The comparisons among DynamiCS, IIDV and IIDAI
algorithms are shown in Table 1.
Table 1 The complexity of algorithms
Algorithm Time complexity Space complexity
DynamiCS in Ref. [6] O(NaNmL) O ((Nn+ Nm)L)
IIDV in Ref. [8] O(NaNmL) O ((Nn+ Nm)L)
IIDAI O(Na NsL1) O(NtL)
88 The Journal of China Universities of Posts and Telecommunications 2014

As we all known, a prominent merit of RSA is
eliminating redundancies, therefore the length of memory
antibodies decreases, namely L>L1. It is concluded that our
proposed algorithm based on RSA can improve the
detection speed and the effectiveness of obtaining memory
antibodies from Table 1.
However, much space is needed because of the large
amount of antigens in the process of training the data.
Once the memory antibodies are generated, the space of
IIDAI is equal to the other two algorithms. Thus, it is
worth sacrificing certain space complexity in order to
improve the detection speed.
From Table 2, the length of antibodies is 92 bit.
2) The parameters
There are 4 parameters which have great influences on
the performance of the algorithm IIDAI: the length of
memory antibodies L1, tolerant patients T1 (the lifecycle of
immature antibody), the lifecycle of mature antibody T2
and activation threshold θ. The value of L1 is given in
Sect. 4.2 by the experiment.
In Ref. [6, 8–9], the other parameters are set as: T1 is
40 s, T2 is 50 s and θ is 5. The amount of non-memory
antibodies is 250, the affinity calculation is adopted by
Eq. (1), and the radius of detector is 10 bit.

4 Simulations 4.2 The generation of memory antibodies

4.1 Experiential datasets
The experiential data are from ‘10% KDD99’ dataset. 50
million records are adopted in the simulations. About 80%
of records S1 are used for training to get decision rules, the
others (20% of records set) are included in set S2 ,which
are used as testing data. The testing data are divided into 5
groups. Each set has 2 million data. The timestamp will be
added to each record in order to simulate the detection that
one record is sampled per second in testing data.
1) Antigens
The data domains are converted to binary strings which
are used to represent antigens [13], the methods of
conversation are shown in Table 2.
Table 2 The construction of antigens table
Item Conversion method
TCP, UDP and ICMP are
Protocol_type
replaced by 01,11,11
According to the initials, the
strings are converted into 1 to
Service
66, and convert into a binary
string
According to the initials, the
strings are converted into 1 to
Duration
11, and transformed to binary
string
Wrong fragment Convert into a binary string
Urgent Convert into a binary string
Represented as 000, 001, 010,
Logged in
011
File creations Convert into a binary string
Shells Convert into a binary string
Access files Convert into a binary string
Multiple 100, and convert into a
Srv diff host rate
binary string
{Land, logged in,
flag ,root shell, is guest 0 and 1
login, is hot login }
Lower is 00,middle is 01, high
Others
is 10 and higher is 11
The decision table has 41 conditional attributes, while
some attributes are unimportant, if all the attributes are
considered in detection, the length of the antibodies is
92 bit, and the time complexity and space complexity will
increase also. So it is necessary to delete the unimportant
attributes.
The reduction algorithm based on RS is used to deal
with the antibody information decision table S1, and to get
the simplest decision table. After reduction, there are 10
attributes, which are: {protocol type, service, flag, serror
rate, srv serror rate, srv rerror rate, same srv rate, srv diff
host rate, dst host diff srv rate, dst host same src port rate}.
The decision rules before reduction and after reduction are
given in Table 3. After reduction, the length of antibodies L
is 28 bit.
Length/bit
Table 3 The number of decision rules
2 Type Before reduction After reduction
Self 20 000 324
Non-self 20 000 785
7
In Table 3, after reduction by RS, the number of
antibody decision rules obviously decreases. In accordance
4
with the important degree of rules, all the decision rules
2 whose decision attribute value is 0, and 315 rules are
2
sorted by matching number from high to low.
3
With RSA, we obtain 324 memory antibodies, while in
4
2 Ref. [6], the number is 1 035 in Ref. [8], and the number is
3 1 235. At the same time, the length of memory antibody is
7 28 bit, but in Ref. [8], the length is 128 bit. In Sect. 3.3,
from the algorithm’s time complexity, with RS, the time
1
complexity of detection decreased. In this section, the
conclusion is that: the method of generating the memory
2
antibody can be used to remove the redundancy, and make
Issue 2 ZHANG Ling, et al. / Integrated intrusion detection model based on artificial immune 89

the length of memory antibody much less, which will between IIDAI with IIDV obtains the result that except
increase the detection rate. U2L, all the average TP of IIDAI is higher than IIDV, and
the average FP is lower than IIDV. The conclusion is that
4.3 The abnormal detection results the detection performance of IIDAI is better.

The datasets S2 are divided into five groups, and each 4.5 Convergence rate
group of data is running for 10 times. And the values of
true positive detection rate (TP) and false positive In Sect. 3.2, a method of generating memory antibodies
detection rate (FP) are calculated to get the average, which is described, and an integrated way is used to extract the
are used to evaluate algorithm above. The results are vaccinations. The two methods are applied to improve the
shown in Table 4. convergence speed of detection. In this section, for giving
Table 4 The values of TP and FP different numbers of interaction, simulations are
Algorithm Set TP/(%) FP/(%) implemented to get the TP which is used to observe the
1 97.65 1.5 convergence speed.
2 96.85 1.2
3 97.26 1.4 After different interactions, the experiment results of
IIDAI 4 95.87 0.95 IIDAI, DynamiCS [6] and IIDAI are shown in Fig. 2.
5 97.70 0.91
Average 97.07 1.19 IIDAI can achieve a higher detection rate in a shorter time,
Variance 0.005 64 0.000 69
Average 93.16 1.38
namely the convergence speed is faster than the other two
DynamiCS in Ref. [6]
Variance 0. 181 5 0. 007 48 algorithms. In the meantime, it is important that when the
Average 96.93 1.36
IIDV in Ref. [8]
Variance 0.028 9 0.059 2
number of interaction is 0, the TP arrived 72.3%, for the
reason that the effective memory antibodies are obtained
In Table 4, it can be concluded that: the average value of with IIDAI. It is concluded that IIDAI’s stability is better
TP of IIDAI is up 3.91% than DynamiCS [6], and is up than DynamiCS [6] and IIDV [8].
0.34% than IIDV, the average value of FP is 0.19% below
to DynamiCS [6], and is 0.17% to IIDV [8]. The stability
of algorithm is evaluated with the variances, so it is
obvious that IIDAI is more stable than the others.

4.4 The abnormal detection results of different attacks

The testing data set includes 16 types of attacking

samples: Dos, R2L, U2L and Probe. For every type of
attack, the data are running for testing for 10 times, and the
comparisons among the three algorithms are shown in
Table 5. Fig. 2 The comparisons of TP
Table 5 Comparisons of different algorithms
TP/(%) FP/(%) 4.6 The detection results in simulation environment
Type DynamiCS IDV in IID DynamiCS IDV in IID
in Ref [6] Ref.[8] AI in Ref. [6] Ref. [8] AI
In order to verify the feasibility and effectiveness of the
Dos 93.50 97.33 98.17 1.30 1.05 0.79
R2L 93.14 93.70 95.27 6.24 5.13 2.73 method IIDAI, we learn from the MIT Lincoln Laboratory
U2L 94.33 97.50 95.87 0.72 0.69 0.87
Probe 92.25 96.25 96.15 0.89 0.78 0.71
and set up the experimental platform. In the experiment，
we collect 500 records. The results are shown in Table 6.
In Table 5, the results of different types of attacks drawn
Table 6 The results of detection
from experiment are shown, and the comparisons among
Type Number TP/(%) Average TP/(%)
DynamiCS [6], IIDV [8] and IIDAI are also given. Normal 265 100.0
Probe 107 98.0
After compare IIDAI with DynamiCS, it is found that R2L 13 69.0
96.2
the average TP of IIDAI is higher than DynamiCS, and the Vulnerability 63 90.4
Dos 29 75.9
average FP is lower than DynamiCS. The comparing U2R 23 100.0
90 The Journal of China Universities of Posts and Telecommunications
Five kinds of attacks from simulation environment are
got, each kind of attacks are tested. The tests show that:
with IIDAI, the detection rate reached 96.2% in simulated
environment. In summary, the method IIDAI is feasible,
and is of good performance in simulation environment.
5 Conclusions
In this article, the authors proposed a new IIDAI model.
First, the RS approach is introduced in order to increase
the ID speed. Meanwhile, an overall comparison is made
among IIDAI, DynamiCS [6] and IIDV [8]. Analysis
shows that the time complexity decreases, however,
sacrificing certain space complexity is needed in order to
improve the detection speed. Second, to improve the
detection performances such as high TP rate and low FP
rate, the significance degree of antibody gene is defined.
Then a vaccination strategy based on the significance
degree of gene is given. Furthermore, simulation on the
KDD99 shows that the TP rate and FP rate can achieve
97.07% and 1.19%, respectively. Third, in order to
increase the detection convergence speed, the improved
method of is used for selecting excellent memory
antibodies to generate immature antibodies, which is
different from the selecting randomly from immature
memory antibodies. Also simulations show that the
detection rate can reach 96.2% in real simulation
environment. In summary, our proposed IIDAI method is
feasible, and has better performances. In the future, we
will focus on the research of applying IIDAI method to the
cloud computing environment.
Acknowledgements
This work was supported by the National Natural Science
2014
Foundation of China (61161140320).
References
1. Shingo M, Chen C, Lu N N, et al. An intrusion-detection model based on
fuzzy class-association-rule mining using genetic programming network.
IEEE Transactions on Systems, Man, and Cybernetics, Part C: Applications
and Reviews, 2011, 41(1): 130−139
2. Li L, Zhao K N. A new intrusion detection system based on rough set theory
and fuzzy support vector machine. Proceedings of the 3rd International
Workshop on Intelligent Systems and Applications (ISA’11), May 28−29,
2011, Wuhan, China. Piscataway, NJ, USA: IEEE, 2011: 5p
3. Afaneh S, Zitar R A, Al-Hamami A. Virus detection using clonal selection
algorithm with genetic algorithm (VDC algorithm). Applied Soft
Computing, 2013, 13(1): 239−246
4. Denning D E. An intrusion detection model. IEEE Transactions on Software
Engineering, 1987, 13 (2): 222−232
5. Hofmeye S A, Forrest S. Architecture for an artificial immune system.
Evolutionary Computation, 2000, 8(4): 443−473
6. Kim J, Bentley P J. Towards an artificial immune system for network
intrusion detection: an investigation of dynamic clonal selection.
Proceedings of the 2002 Congress on Evolutionary Computation (CEC’02):
Vol 2, May 12−17, 2002, Honolulu, HI, USA. Piscataway, NJ, USA: IEEE,
2002: 1015−1020
7. Li T. Dynamic detection for computer virus based on immune system.
Science in China Series F: Information Sciences, 2008, 51(10): 1475−1486
8. Yan X H. An artificial immune-based intrusion detection model using
vaccination strategy. Acta Electronica Sinica, 2009, 37(4): 780−785 (in
Chinese)
9. Chen Y B, Feng C, Zhang Q, et al. Integrated artificial immune system for
intrusion detection. Journal on Communications, 2012, 33(2): 125−131 (in
Chinese)
10. Sperotto A, Mandjes M, Sadre R, et al. Autonomic parameter tuning of
anomaly-based IDSs: an SSH case study. IEEE Transactions on Network
and Service Management, 2012, 9(2): 128−141
11. Pawlak Z, Gzymala-Busse J, Slowinski R, et al. Rough sets.
Communications of the ACM, 1995, 38(11): 88−95
12. Qian J, Miao D Q, Zhang Z H. Knowledge reduction algorithms in cloud
computing. Chinese Journal of Computers, 2011, 34(12): 2332−2343 (in
Chinese)
13. Zhang L, Bai Z Y, Luo S S, et al. Integrated intrusion detection model based
on rough set and artificial immune. Journey on Communications, 2013,
34(9): 166−176 (in Chinese)
(Editor: WANG Xu-ying)