Knowledge-Based Systems 22 (2009) 115–119
Distributed agents model for intrusion detection based on AIS

Jin Yang a,b,*, XiaoJie Liu b, Tao Li b, Gang Liang b, SunJun Liu b

a School of Computer Science, Sichuan Normal University, Chengdu 610068, China
b School of Computer Science, Sichuan University, Chengdu 610065, China

Article info

Article history: Received 7 February 2007; received in revised form 30 June 2008; accepted 13 July 2008; available online 19 July 2008

Keywords: Network security; Intrusion detection system (IDS); Agents; Artificial immune systems (AIS)
Abstract

An artificial immune system (AIS) is a complex system capable of self-adaptation, self-learning, self-organization, parallel processing and distributed coordination; its basic function is to distinguish self from non-self and to eliminate non-self. One significant feature of immunology theory is the ability to adapt to changing environments and to learn dynamically and continuously. Inspired by the theory of artificial immune systems, a novel model of Agents of Network Danger Evaluation is presented. The concepts and formal definitions of immune cells are given, dynamic evolution equations for self, antigen, immune tolerance, mature-lymphocyte lifecycle and immune memory are presented, and the hierarchical and distributed management framework of the proposed model is built. Furthermore, the idea of a dynamic immunological surveillance period is applied to enhance the self-learning ability, so that the model adapts continuously to varying environments. The experimental results show that the proposed model has the features of real-time processing and provides a good solution for network surveillance.

© 2008 Elsevier B.V. All rights reserved.
* Corresponding author: J. Yang.
0950-7051/$ - see front matter © 2008 Elsevier B.V. All rights reserved. doi:10.1016/j.knosys.2008.07.005

1. Introduction

Current defensive solutions for network security are mostly static methods, which collect, analyze and extract evidence after attacks. The approaches include virus detection, vulnerability evaluation, firewalls, etc. They rely on collecting and analyzing virus specimens or intrusion signatures with traditional techniques [1], such as statistical analysis, characteristics analysis, neural networks and data mining. Network firewalls are another way of defending against an attack. However, these approaches react slowly to new threats [2]. Lacking self-learning and self-adapting abilities, they can only prevent known network intrusions and can do nothing against unknown ones. In a real network environment, the intrusion threat is rising and the number of attack classes is increasing. As a result, these models are slow to adjust their response when facing the growing number of new network attacks.

Artificial immune systems (AIS) are now receiving more attention and have become a new research hotspot of biologically inspired computational intelligence, following genetic algorithms, neural networks and evolutionary computation, in the research of intelligent systems [3]. Burnet proposed the Clone Selection Theory in 1958 [4]. The Negative Selection Algorithm and the concept of computer immunity were proposed by Forrest in 1994 [5]. Artificial immune systems are known to have many appealing features [6,7], such as diversity, dynamics, parallel management, self-organization and self-adaptation, and they have been widely used in fields such as [8] data mining, network security, pattern recognition, learning and optimization. An artificial immune system is a complex system capable of self-adaptation, self-learning, self-organization, parallel processing and distributed coordination, and its basic function is to distinguish self from non-self and to eliminate non-self. The problems of computer security and of artificial immune systems are strikingly similar: both must keep a system stable in a continuously changing environment. Artificial immune systems can draw on biological immune theory to search for and design models and algorithms that solve the various problems arising in the field of computer security.

One of the most attractive applications for agents is distributed information management, particularly in intelligent computing fields. Agents can reduce the latency of redundant communication, avoid network transmission of intermediate data, and thus complete the overall task much faster than a traditional client/server solution. The interesting features of agents are their abilities to move from one host to another, to learn from experience and continuously self-learn, and to cooperate. Combined with AIS concepts, agents give promising solutions for building intelligent network security systems. This paper presents the design of an agent model based on artificial immunity theory as applied to network security.

2. The agents model based on AIS

During the last decade, some attacks have become more sophisticated than in earlier years, and IDS systems have called for a new approach and have taken their place as an important segment of network defense. An artificial immune system (AIS) is a complex system capable of self-adaptation, self-learning, self-organization, parallel processing and distributed coordination, and its basic function is to distinguish self from non-self and to eliminate non-self. The crossover between biology and computer science can be fruitful for both disciplines: computers can be used to model biological systems to improve our understanding of those systems, and we can use an understanding of the mechanisms underlying biological systems to improve the way we design computer systems. Several AIS-based approaches have been put forward for the problem of intrusion detection in computer security, for example [9–13]. But they often seek to protect an information system from violations of the system's security policy by statistical anomaly detection. The model of normal behavior can be based on any observable behavior of the system. However, in many immune-based models or methods for IDS, the sets of self (normal network behaviors) and nonself (abnormal network behaviors) change little once they have been defined [14]. In fact, it is very difficult to give an exact one-off definition of self and nonself in most practical applications. Furthermore, the roles of self and nonself may be exchanged at times (e.g., network behaviors that are legal today may be dangerous tomorrow). Therefore, it is necessary to update the definitions of self and nonself from time to time. In this paper, we put forward a distributed agents model for intrusion detection based on artificial immune systems, i.e. DAMIDAIS. The dynamic evolution models and the corresponding recursive equations of self, antigen, immune tolerance, lifecycle of mature agent, and immune memory are presented. In this section we describe an application of agents to distributing information and defense for network security.
In our architecture, we propose a hierarchical structure of intelligent agents. The complete system architecture is represented in Fig. 1. The system functioning and the agents' cooperation scheme are described below.

Sensor Agents: The lower-level components of the intrusion detection module are sensor agents. Nevertheless, sensor agents play the main role in our model as well as in the proposed system. These agents reside on hosts and monitor their surrounding environment, which mainly means searching for abnormal behavior, since such behavior is the main source of intrusion-related information.

Analyzer Agents: Analyzer agents are intermediate components responsible for controlling the sensors in their monitoring process. They gather intrusion events generated by all sensors running on the host. Their main capability is to correlate different local events in time from different monitored resources. Analyzer agents are platform-independent components, and they accumulate and weigh the information gathered by the sensor agents.

Manager Agents: The manager is a higher-level component of the architecture. The manager maintains the overall architecture and synthesizes the information gathered by analyzer agents and alert agents.

Message Agents: These agents are created by the sensor; they carry message packages and deliver them to the other sensors.

Alert Agents: An alert agent is built of several blocks, including time-stamps corresponding to the creation time of the alert message and the detection time of the intrusion, and the alarm information such as IP packets, network connection, network flux, CPU status, system status, user status, process status, swap status and memory status.

We next explain how the agents work. There are many similarities between a computer security system and the biological immune system (BIS) [9]. A biological immune system produces antibodies to resist pathogens through B cells distributed all over the human body, and T cells regulate the antibody concentration. Simulating the biological immune system, we place a certain number of immune cells (viz. Sensor Agents) into the network to perceive the surrounding environment. Distributed agents are deployed on the sensitive hosts in the network that need more security and protection. These hosts are monitored, and forensic analysis can be provided once they are attacked. In other words, the Sensor Agent simulates the lymphocyte and is used as a detector to recognize nonself antigens. As B-lymphocytes consist of mature and memory ones, the Sensor Agents are divided into mature and memory Sensor Agents. The memory Sensor Agents match the antigens first and eliminate nonself antigens. A memory Sensor Agent has an unlimited lifecycle unless it matches a newly created self. Obviously, a considerable number of memory Sensor Agents will be generated in the end. Mature cells either evolve into memory ones or die before they exceed the lifecycle.

As soon as a Sensor Agent detects an attack, the cells begin to clone and generate a mass of similar cells in order to defend against fiercer network attacks and to signal the danger level of the network. When the network danger abates, the corresponding numbers of cell antibodies decrease at the same time. The number and type of Agents reflect the intensity and type of the attacks suffered by the network. In this model, the Agents can be categorized, according to the evolution progress of the Sensor Agents themselves, into 3 types, viz. immature, mature and memory detectors. Fig. 2 shows the Agents' structure and dynamic evolution; the relationship between these Sensor Agents and the process of their evolution are explained in detail in the following.
[Fig. 1. The functional architecture. Diagram labels: Manager Agent, Alert Agent, Analyzer Agent, Message Agent, Sensor Agent; Network Layer, Host Layer.]

[Fig. 2. The dynamic evolvement of agents. Diagram labels: Ag, Self, Nonself, antigen presentation, Self set, immature detectors set Ib, mature detectors set Tb, memory detectors set Mb, dynamic tolerance, detect, activation, match Self, too old, dead, communication between cells.]

2.1. The definition of antigen, antibody, self and non-self

In the model, we define antigens (Ag) to be the features of network actions and services, given by [15]:

$$Ag = \{ag \mid ag \in D\}, \qquad D = \{0,1\}^{l} \tag{1}$$

Antigens are fixed-length binary strings extracted from the IP packets transferred in the network [16]. An antigen consists of the source and destination IP addresses, port number, protocol type, IP flags, IP overall packet length, TCP/UDP/ICMP fields, etc. The structure of an antibody is the same as that of an antigen. For intrusion detection, the nonself set (Nonself) represents IP packets from a computer network attack, while the self set (Self) is normal sanctioned network service transactions and nonmalicious background clutter. The set Ag contains two subsets, $Self \subseteq Ag$ and $Nonself \subseteq Ag$, such that

$$Self \cup Nonself = Ag, \qquad Self \cap Nonself = \emptyset \tag{2}$$

For convenience in using the fields of an antigen x, a subscript operator "." is used to extract a specified field of x, where

$$x.fieldname = \text{the value of field } fieldname \text{ of } x \tag{3}$$

In DAMIDAIS, all the agents form a set of agents called SA:

$$SA = \{\langle d, age, count\rangle \mid d \in D,\ age \in N,\ count \in N\} \tag{4}$$

where d is the antibody gene that is used to match an antigen, age is the age of agent d, count (affinity) is the number of antigens matched by antibody d, and N is the set of natural numbers. SA contains two subsets, mature and memory, namely the sets $Mat_{SA}$ and $Mem_{SA}$. A mature SA is an SA that is tolerant to self but has not been activated by antigens. A memory SA evolves from a mature one that matches enough antigens in its lifecycle. Therefore,

$$SA = Mat_{SA} \cup Mem_{SA}, \qquad Mat_{SA} \cap Mem_{SA} = \emptyset \tag{5}$$

$$Mat_{SA} = \{x \mid x \in SA,\ \forall y \in Self,\ (\langle x.d, y\rangle \notin Match \wedge x.count < \theta)\} \tag{6}$$

$$Mem_{SA} = \{x \mid x \in SA,\ \forall y \in Self,\ (\langle x.d, y\rangle \notin Match \wedge x.count \ge \theta)\} \tag{7}$$

where $\beta$ (> 0) represents the activation threshold. Match is a match relation defined by

$$Match = \{\langle x, y\rangle \mid x, y \in D,\ f_{match}(x, y) = 1\} \tag{8}$$

Here $\theta$ is the threshold of the affinity for the activated Agents. The affinity function $f_{match}(x, y)$ may be any of Hamming, Manhattan, Euclidean, r-continuous matching, etc. In this model, we take the r-continuous matching algorithm to compute the affinity of mature Agents. The matching function uses the following definition:

$$f_{match}(x, y) = \begin{cases} 1, & \exists i, j,\ j - i \ge r \wedge 0 < i < j \le l,\ x_i = y_i,\ x_{i+1} = y_{i+1},\ \ldots,\ x_j = y_j \\ 0, & \text{otherwise} \end{cases} \tag{9}$$

r-continuous matching is a commonly used method for measuring the distance between bit strings to produce a better similarity coefficient.

2.2. The dynamic model of self

In a real network environment, some network services and activities often change: those permitted in the past may be forbidden at the next time.

$$Self(t) = \begin{cases} \{x_1, x_2, \ldots, x_n\}, & t = 0 \\ Self(t-1) - Self_{variation}(t) \cup Self_{new}(t), & t \ge 1 \end{cases} \tag{10}$$

$$Self_{variation}(t) = \{x \mid x \text{ is the self antigen forbidden at time } t\} \tag{11}$$

$$Self_{new}(t) = \{x \mid x \text{ is the self antigen permitted at time } t\} \tag{12}$$

2.3. The dynamic mature agent model

$$Mat_{SA}(t) = \begin{cases} \emptyset, & t = 0 \\ Mat'_{SA}(t) \cup Mat_{new}(t) - Mat_{active}(t) - Mat_{dead}(t), & t \ge 1 \end{cases} \tag{13}$$

$$Mat'_{SA}(t) = Mat''_{SA}(t) - S(t) \cup S'(t) \tag{14}$$

$$Mat''_{SA}(t) = \{y \mid y \in SA,\ x \in Mat_{SA}(t-1),\ x.age < \lambda,\ y.d = x.d,\ y.age = x.age + 1,\ y.count = x.count\} \tag{15}$$

$$S(t) = \{x \mid x \in Mat''_{SA}(t),\ \exists y \in SA(t-1),\ \langle x.d, y\rangle \in Match\} \tag{16}$$

$$S'(t) = \{y \mid y \in SA,\ x \in S(t),\ y.d = x.d,\ y.age = x.age,\ y.count = x.count + 1\} \tag{17}$$

$$Mat_{new}(t) = \{y \mid y \in SA,\ y.d = x.d,\ y.age = 0,\ y.count = 0,\ x \in I_{maturation}(t)\} \tag{18}$$

$$Mat_{active}(t) = \{x \mid x \in S'(t),\ x.count \ge \beta\} \tag{19}$$

$$Mat_{dead}(t) = \{x \mid x \in Mat'_{SA}(t) \wedge (x.age > \lambda,\ x.count < \beta)\} \cup \{x \mid x \in Mem''_{SA}(t) \wedge \exists y \in SA(t-1),\ \langle x.d, y\rangle \in Match\} \tag{20}$$

Eq. (13) depicts the lifecycle of the mature agent, simulating the process by which the mature agents evolve into the next generation. All mature agents have a fixed lifecycle ($\lambda$). If a mature agent matches enough antigens ($\ge \beta$) in its lifecycle, it evolves into a memory agent. However, an agent is eliminated and replaced by a newly generated mature agent if it does not match enough antigens in its lifecycle. $Mat_{new}(t)$ is the generation of new mature SA. $Mat_{dead}(t)$ is the set of SA that have not matched enough antigens ($\le \beta$) in their lifecycle or that classified self antigens as nonself at time t. $S'(t)$ simulates the mature SA undergoing one step of evolution. $S''(t)$ indicates that the mature SA are getting older. $Mat_{active}(t)$ is the set of the least recently used mature SA, which degrade into memory SA and are given a new age T > 0 and count $\beta$ > 1. Because the degraded memory SA has better detection capability than a mature SA, it is better to form a memory SA. When the same antigens arrive again, they will be detected immediately by the memory SA. In the mature agent lifecycle, the agents that are inefficient at classifying antigens are killed through the process of clone selection. Therefore, the method can enhance detection efficiency when the abnormal behaviors intrude into the system again.

2.4. The dynamic memory agent model

$$Mem_{SA}(t) = \begin{cases} \emptyset, & t = 0 \\ Mem'_{SA}(t-1) \cup Mem_{new}(t) \cup Mem_{from\_other}(t), & t \ge 1 \end{cases} \tag{21}$$

$$Mem'_{SA}(t) = Mem''_{SA}(t) \cup Mem_{clone}(t) - M_{dead}(t) \tag{22}$$

$$Mem''_{SA}(t) = \{y \mid y \in Mem_{SA},\ y.d = x.d,\ y.age = x.age + 1,\ y.count = x.count,\ x \in Mem_{SA}(t-1) - Mem_{clone}(t)\} \tag{23}$$

$$M_{dead}(t) = \{x \mid x \in Mem''_{SA}(t),\ \exists y \in SA(t-1),\ f_{match}(x.d, y) = 1\} \tag{24}$$
$$Mem_{clone}(t) = \{x \mid x \in Mem_{SA},\ y \in Mem_{clone}(t),\ x.d = y.d,\ x.age = 0,\ x.count = y.count + 1\} \tag{25}$$

$$Mem_{new}(t) = \{x \mid x \in Mem_{SA},\ y \in Mat_{active}(t),\ x.d = y.d,\ x.age = 0,\ x.count = y.count\} \tag{26}$$

$$Mem_{from\_other}(t) = \{x \mid x \in Mem_{SA},\ y \in \bigcup_{i=(1,\ldots,K),\ i \ne k} Mem^{i}_{clone}(t),\ x.d = y.d,\ x.age = 0,\ x.count = 0\} \tag{27}$$

$$Mem_{SA} = \{x \mid x \in SA,\ \forall y \in Self,\ (\langle x.d, y\rangle \notin Match \wedge x.count \ge \theta)\} \tag{28}$$

Eq. (21) depicts the dynamic evolution of the memory Agent. $Mem'_{SA}(t)$ simulates the process by which the memory SA evolve into the next generation. $Mem_{new}$ is the set of memory SA that were activated by antigens lately: a mature agent matched by an antigen is activated immediately and turns into a memory agent. $Mem_{dead}(t)$ is the memory agent that is deleted if it matches a known self antigen. $Mem_{clone}$ is the memory SA reproduced when the agent recognizes an antigen. $Mem_{from\_other}(t)$ is the memory SA transferred from other computers. k indicates the ID number of the computer. Therefore, the dynamic model of the memory agent enhances the self-adaptation ability of the system.

2.5. The process of immunological surveillance

DAMIDAIS simulates the metabolism and competition of the cells of an organism through a continuous process of renovation and enrichment, that is, the activation and death of cells. The system thus evaluates network security by perceiving the danger around it. The values of $Mat_{SA}$ and $Mem_{SA}$ reflect the intensity of intrusion in the current network: the bigger the values of $Mat_{SA}$ and $Mem_{SA}$ are, the more serious the network intrusion is. By distinguishing the types of $Mat_{SA}$ and $Mem_{SA}$, we can identify different kinds of network intrusion. The values of $\lambda$ and $\beta$ reflect the activity degree of the mature cell. Let $n_{ij}(t)$ be the number of attacks that the ith computer detects at time t. Let $\omega_i$ ($0 \le \omega_i \le 1$) be the importance coefficient of the ith computer in the network and $\alpha_j$ ($0 \le \alpha_j \le 1$) be the danger coefficient of the jth kind of attack in the network. Then we can define the attack intensity $R_j(t)$ of the jth kind of attack and the corresponding network danger $r_i(t)$ as follows:

$$R_j(t) = \frac{2}{1 + e^{-\alpha_j \sum_i \omega_i n_{ij}(t)}} - 1 \tag{29}$$

$$r_i(t) = \frac{2}{1 + e^{-\sum_j \alpha_j n_{ij}}} - 1 \tag{30}$$

Therefore, with Eqs. (29) and (30), we can obtain the network danger situation and evaluate network security in real time.

3. Experimental results and analysis

3.1. Experimental environment and evaluation indicators

Attack simulation experiments were carried out in our laboratory. To prove the intrusion detection performance and to reduce both the false positive error rate and the false negative error rate in contrast to traditional NIDS techniques, we developed a series of experiments. An antigen was defined as a fixed-length binary string composed of the source/destination IP address, port number, protocol type, IP flags, IP overall packet length, TCP/UDP/ICMP fields, etc. The network was attacked by 20 kinds of attacks, such as Syn Flood, Land, Smurf and Teardrop. A total of 20 computers in a network were under surveillance. The task aimed to detect network attacks. The coefficients of the model are as follows. We use the r-contiguous bits matching rule (r = 8) for computing the affinity, n = 40 (the size of the initial self set), and n = 4 (the number of newly generated immature cells). The activation threshold is $\beta$; the tolerance period is $\lambda$; the clone rate equals 5%; the cross rate equals 0.105; the variation probability pm equals 0.103.

3.2. Results and analysis

Fig. 3 illustrates the levels of 3 kinds of attacks and depicts the evaluation of the network danger in DAMIDAIS. Another series of experiments was carried out to test the feasibility of our solution, as follows. Take the SYNFLOOD attack as an example, where the IP addresses of the target server and the attack machine are 192.168.0.1 and 192.168.0.24. Table 1 shows a portion of the evidence extracted by DAMIDAIS in real time.

[Fig. 3. Left panel: Packets/s versus Time for the SYNFLOOD, LAND and SMURF attacks. Right panel: Danger versus Time.]

Fig. 3. The left figure shows the network suffering from the three typical incursions, and the right figure shows the network danger curve obtained by DAMIDAIS under these incursions. Danger changes when attack levels change. A rise in attack levels is accompanied by a corresponding increase in Danger, which implies poor network security. On the other hand, if attack levels decline, Danger decreases accordingly after seconds of delay. Therefore, the network can stay on guard even when the attacks occur once again during a very short time.
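The r-continuous matching rule of Eq. (9) and the mature and memory agent lifecycle of Sections 2.3 and 2.4 can be exercised on a small constructed population. The following Python code is an added example, not the authors' implementation: the Agent class, the step function, the 16-bit strings and the values lam = 3 and beta = 2 are assumptions chosen for illustration, while r = 8 is the value given in Section 3.1.

```python
from dataclasses import dataclass

def longest_common_run(x: str, y: str) -> int:
    """Longest run of consecutive positions where x and y hold the same bit."""
    best = run = 0
    for a, b in zip(x, y):
        run = run + 1 if a == b else 0
        best = max(best, run)
    return best

def f_match(x: str, y: str, r: int) -> int:
    """Eq. (9) as printed: 1 if x_i..x_j equal y_i..y_j for some j - i >= r,
    i.e. a run of at least r + 1 equal bits; 0 otherwise."""
    if len(x) != len(y):
        raise ValueError("antibody and antigen must share the same length l")
    return 1 if longest_common_run(x, y) - 1 >= r else 0

@dataclass
class Agent:               # <d, age, count> of Eq. (4); 'memory' is an added flag
    d: str
    age: int = 0
    count: int = 0
    memory: bool = False

def step(agents, antigens, self_set, r, lam, beta):
    """One generation of the agent population (simplified reading of Eqs. 13-26).
    Returns (next_generation, detected_antigens)."""
    pool, detected, nxt = list(antigens), [], []
    # Memory agents match the antigens first; mature agents see what is left.
    for a in sorted(agents, key=lambda ag: not ag.memory):
        if any(f_match(a.d, s, r) for s in self_set):
            continue                       # matches self: deleted (Eqs. 20, 24)
        if not a.memory and a.age >= lam:
            continue                       # Eq. (15): only age < lambda lives on
        hits = [ag for ag in pool if f_match(a.d, ag, r)]
        pool = [ag for ag in pool if ag not in hits]
        detected.extend(hits)
        count = a.count + (1 if hits else 0)   # Eqs. (17), (25): count + 1
        if a.memory:                       # Eq. (23) ages it; a match resets age
            nxt.append(Agent(a.d, 0 if hits else a.age + 1, count, True))
        elif count >= beta:                # Eq. (19) -> Eq. (26): becomes memory
            nxt.append(Agent(a.d, 0, count, True))
        else:
            nxt.append(Agent(a.d, a.age + 1, count, False))
    return nxt, detected

# Constructed 16-bit sample data (not from the paper).
SELF_T0 = {"0000000011111111"}
NEW_SELF = "1010101010101111"      # permitted from t = 3 on, as in Eq. (10)
ATTACK = "1010101010100000"

def demo():
    """Four generations; the self set changes at t = 3."""
    agents = [Agent("1010101010101010"), Agent("1111000011110000")]
    self_set, history = set(SELF_T0), []
    for t in range(1, 5):
        if t == 3:
            self_set.add(NEW_SELF)
        agents, detected = step(agents, [ATTACK], self_set, r=8, lam=3, beta=2)
        history.append((t, len(detected),
                        [(a.d, a.age, a.count, a.memory) for a in agents]))
    return history

if __name__ == "__main__":
    for row in demo():
        print(row)
```

In this run the first agent is promoted to memory at t = 2 and is deleted at t = 3 because it matches the newly permitted self string, after which the same antigen is no longer detected; the second agent never matches and is dropped once its age reaches lam.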
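The danger evaluation of Eqs. (29) and (30) can be computed directly from a matrix of detection counts. The Python code below is an added example, not the authors' code; the function names, the layout n[i][j] (host i, attack kind j) and all coefficient and count values are constructed assumptions.

```python
import math

def squash(x: float) -> float:
    """2 / (1 + e^(-x)) - 1, the common form of Eqs. (29) and (30)."""
    return 2.0 / (1.0 + math.exp(-x)) - 1.0

def _validate(n, alpha, omega=None):
    """Reject inputs outside the ranges stated in Section 2.5."""
    if any(len(row) != len(alpha) for row in n):
        raise ValueError("every row of n needs one count per attack kind")
    if omega is not None and len(omega) != len(n):
        raise ValueError("omega needs one importance coefficient per host")
    coeffs = list(alpha) + (list(omega) if omega is not None else [])
    if any(not 0 <= c <= 1 for c in coeffs):
        raise ValueError("coefficients must lie in [0, 1]")
    if any(v < 0 for row in n for v in row):
        raise ValueError("detection counts cannot be negative")

def attack_intensity(n, omega, alpha):
    """R_j(t) of Eq. (29): one value per attack kind j."""
    _validate(n, alpha, omega)
    return [squash(alpha[j] * sum(w * row[j] for w, row in zip(omega, n)))
            for j in range(len(alpha))]

def host_danger(n, alpha):
    """r_i(t) of Eq. (30): one value per host i."""
    _validate(n, alpha)
    return [squash(sum(a * v for a, v in zip(alpha, row))) for row in n]

# Constructed input: 2 hosts x 2 attack kinds, four time steps (rise, then decline).
OMEGA = [1.0, 0.5]          # importance coefficient of each host
ALPHA = [0.5, 1.0]          # danger coefficient of each attack kind
COUNTS = [
    [[0, 0], [0, 0]],
    [[2, 0], [4, 1]],
    [[6, 0], [8, 3]],
    [[1, 0], [0, 0]],
]

def danger_series(counts=COUNTS, omega=OMEGA, alpha=ALPHA):
    """Per time step: (R_j for each attack kind, r_i for each host)."""
    return [(attack_intensity(n, omega, alpha), host_danger(n, alpha))
            for n in counts]

if __name__ == "__main__":
    for t, (R, r) in enumerate(danger_series()):
        print(t, [round(v, 3) for v in R], [round(v, 3) for v in r])
```

With these constructed counts the intensity of the first attack kind already reaches about 0.99 at the third step, so the choice of coefficients determines how much headroom the measure keeps before it saturates near 1.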
4. Remarks

In this paper, we have presented a model of network security based on the theory of artificial immune systems. To enhance the packet dumping efficiency, we use distributed agents to capture the network traffic in real time, and we have also illustrated the advantages of this model over traditional models. The concepts and formal definitions of immune cells are given, and we have quantitatively depicted the dynamic evolution of self, antigens, immune tolerance and immune memory. Additionally, the model uses a distributed and multi-hierarchy framework to provide an effective solution for network intrusion. Finally, the experimental results show that the proposed model has the features of real-time processing and self-adaptation, thus providing a promising solution for network security.
Table 1
Portion of evidences collected by DAMIDAIS for Syn flood

Result of evidences

Attack time:    Apr 9 20:22:17 2006
IP packets:     tcp 52:54:ab:39:02:db → 00:20:ed:63:16:e6 192.168.0.24:256 → 192.168.0.1:23 .S.
                tcp 52:54:ab:39:02:db → 00:20:ed:63:16:e6 192.168.0.24:512 → 192.168.0.1:23 .S.
                tcp 52:54:ab:39:02:db → 00:20:ed:63:16:e6 192.168.0.24:768 → 192.168.0.1:23 .S.
                ... ...
Tasks:          110 total, 2 running, 108 sleeping, 0 stopped, 0 zombie
Network flux:   93,715 packets/second
CPU status:     70.9% user, 2.3% system, 0.0% nice, 97.6% id, 0.2% wa, 0.0% hi, 0.0% si
System status:  Lower 90.3%
Users status:   Root, Aisids, ftp, ..., the total number is 16
Processes:      56 processes: 55 sleeping, 1 running, 0 zom
Swap status:    522,072 k av, 26,432 k used, 495,640 k free
Memory status:  512,292 k av, 93,063 k used, 419,228 k free, ok shrd, 45,420 k actv, 1152 k in_d

PID    USER   PR   NI   VIRT     RES    SHR    STAT   % CPU   % MEM   TIME+     COMMAND
5642   IDS    15   0    60,812   2500   1300   S      2.0     5.1     0:32.81   nautilus
5646   IDS    16   0    42,204   7604   6484   S      2.0     1.5     0:00.35   eggcups
1      Root   16   0    2444     560    480    S      0.0     0.1     0:00.64   init
2      Root   34   19   0        0      0      S      0.0     0.0     0:00.00   ksoftirqd/0
...    ...
...    ...
1727   Root   15   0    0        0      0      S      0.0     0.0     0:00.07   kjournald
References

[1] A. Pilz, J. Swoboda, Network management information models, AEU-International Journal of Electronics and Communications 58 (2004) 165–171.
[2] E. Jonsson, T. Olovsson, A quantitative model of the security intrusion process based on attacker behavior, IEEE Transactions on Software Engineering 23 (1997) 235–245.
[3] L.N. De Castro, F.J. Von Zuben, J.G.A. de Deus, The construction of a boolean competitive neural networks using ideas from immunology, Neurocomputing 50 (2003) 51–85.
[4] F.M. Burnet, The Clone Selection Theory of Acquired Immunity, Cambridge University Press, (1959), 76–132.
[5] S. Forrest, A.S. Perelson, L. Allen, Self-nonself discrimination in a computer, in: Proceedings of IEEE Symposium on Research in Security and Privacy, Oakland, (1994) 202–212.
[6] T.B. Kepler, A.S. Perelson, Somatic hyper mutation in B cells: an optimal control treatment, Theoretical Biology (1993) 37–64.
[7] J. Kim, P. Bentley, The artificial immune model for network intrusion detection, in: 7th European Congress on Intelligent Techniques and Soft Computing, 1999.
[8] J.Y. Wu, Artificial immune system for solving constrained global optimization problems, in: Proceedings of the 2007 IEEE Symposium on Artificial Life, CIALife, 2007, pp. 92–99.
[9] S.A. Hofmeyr, S. Forrest, Architecture for an artificial immune system, Evolutionary Computation 8 (2000) 443–473.
[10] B.K. Panigrahi, S.R. Yadav, S. Agrawal, et al., A clonal algorithm to solve economic load dispatch, Electric Power Systems Research 77 (10) (2007) 1381–1389.
[11] M. Lehmann, W. Dilger, Controlling the heating system of an intelligent home with an artificial immune system, Artificial Immune Systems, Proceedings 4163 (2006) 335–348.
[12] P.N. Neumann, P. Porras, Experience with EMERALD to DATE, in: Proceedings 1st USENIX Workshop on Intrusion Detection and Network Monitoring, Santa Clara, California, April, 1999, pp. 73–80.
[13] D. Dasgupta, Advances in artificial immune systems, IEEE Computational Intelligence Magazine 1 (4) (2006) 40–49.
[14] B. Sirisanyalak, O. Sornil, An artificial immunity-based spam detection system, in: Evolutionary Computation. CEC 2007. IEEE Congress on 25–28 September, 2007, pp. 3392–3398.
[15] T. Li, An Introduction to Computer Network Security, first ed., Publishing House of Electronics Industry, Beijing, 2004.
[16] T. Li, An immunity based network security risk estimation, Science in China Series F Information Sciences 48 (5) (2005) 557–578.