Technical Report: DCC-2007-02

A Network Intrusion Detection System based on the Tunable Activation Threshold theory

Mario J. Antunes and Manuel E. Correia

DCC-FC & LIACC, Universidade do Porto
R. do Campo Alegre 1021/1055 , 4169-007 Porto, Portugal
Phone: +351 220402926 , Fax: 351 22 402 950
E-mail: {mantunes,mcc}@ncc.up.pt

April 2007

Abstract

The main activity of Network Intrusion Detection System (NIDS) consists in analysing the flow of network packets and identify which ones are part of an ongoing attack or intrusion. Two major problems related with NIDS deployment are the distinction between normal and abnormal activity in the network and the detection of new kind of attacks that have not occurred previously. Several approaches have been applied to solve the problem, with relative success, including machine learning, data mining, statistical and those inspired in the immune system. In spite of the large body of research done on this subject, the literature evidences some problems these approaches have when applied to real world networks. These are mainly due to performance and scalability issues. In this paper we present negative selection and danger theory as two of the major immunological approaches applied so far to the field of intrusion detection. We present what we believe are their major limitations under this context and propose a new NIDS framework based on the Grossman's Tunable Activation Threshold (TAT) theory. This theory is based on the general idea that in the immune system T-cells activation thresholds are adjusted dynamically and this adjustment is based on the recent history of T-cells and APCs interactions.