Multi-level immunity-based intrusion detection and risk evaluation model

A multi-level immunity-based distributed intrusion detection and risk evaluation model is presented. To improve the ability of network environment adaptation, intrusion detection systems are deployed in detection hosts and disposed concentratedly by a central detection server. An immune detector simulates immunocytes in a biological immune system and its evolutionary process simulates an advancement mechanism of antibodies. A second-level immune detector set mechanism that may improve local detection ability is proposed. The central detection server receives vaccines and vaccinates detection hosts. It globally detects unknown attacks. Network risk is computed at different levels to totalize the attack risk of the whole network. To decrease alarm information flood, finger print information library and alarm classification are proposed. Simulation experiments show that the proposed model has the ability to advance the network environment adaptation performance of intrusion detection host, decrease alarm flood and false alarm rate, and provide a new way to evaluate the risk of network and host in quantity.