Artificial Immune System Based Intrusion Detection: Innate Immunity using an Unsupervised Learning Approach

1 Farhoud Hosseinpour, 2 Payam Vahdani Amoli, 3 Fahimeh Farahnakian, 4 Juha Plosila and 5 Timo Hämäläinen

1 Corresponding Author, 3 and 4 Department of Information Technology, University of Turku, Finland. {farhos;fahfar;juplos}@utu.fi
2 and 5 Faculty of Information Technology, University of Jyväskylä, 40100, Jyväskylä, Finland. 2 pavahdan@student.jyu.fi 5 timo.t.hamalainen@jyu.fi

Abstract

This paper presents an intrusion detection system architecture based on the artificial immune system concept. In this architecture, an innate immune mechanism built on unsupervised machine learning methods is proposed to perform a first categorization of network traffic into “self” and “non-self”, as normal and suspicious profiles respectively. Unsupervised machine learning techniques model the hidden structure of unlabeled data without any prior knowledge. The novelty of this work is the use of these methods to provide online, real-time training for the adaptive immune system within the artificial immune system. Different methods for unsupervised machine learning are investigated, and DBSCAN (density-based spatial clustering of applications with noise) is selected for use in this architecture. The adaptive immune system in our proposed architecture also takes advantage of the distributed structure, which has shown a better self-improvement rate compared to a centralized mode and provides primary and secondary immune responses for unknown anomalies and zero-day attacks. The experimental results for the proposed architecture are presented and discussed.

Keywords: Distributed intrusion detection system, Artificial immune system, Innate immune system, Unsupervised learning

1. Introduction

Anomaly-based intrusion detection systems (IDS) have been broadly researched as defensive techniques to address the detection of unknown or zero-day attacks.
Unlike misuse-based or signature-based types of IDS, which take advantage of the predetermined signatures of known attacks, anomaly-based IDS deal with the detection of new types of attack that are unknown to the system. This is done by detecting variation in the system's behavior from a previously defined normal system profile. However, the approach is subject to false alarms as a result of the difficulty in defining the normal state during training. Increasing the detection rate while producing fewer false alarms has become an important challenge in the design of anomaly-based IDS.

The artificial immune system (AIS) comprises promising techniques in the form of biologically inspired computing that are applied to solving various problems in the information security field. The AIS is inspired by the human immune system (HIS), which has the ability to distinguish internal cells and molecules of the body from foreign pathogens, so-called self and non-self respectively, and protects the body against diseases [1]. In the human body the HIS mainly does this without any prior knowledge of attacking pathogens and their structure. As self and non-self discrimination is a significant attribute of the AIS, it has been proposed for use in designing efficient anomaly-based IDS [2]–[4].

The AIS suggests a multi-layered protection structure for protecting computer networks against attack, like HIS protection against foreign pathogens in the human body [5]. This protection is accomplished through innate or adaptive mechanisms. Innate immunity is immediate; it is the first line of defense for the HIS and provides non-specific protection. It therefore has no prior knowledge of specific outsiders. The adaptive immune response, on the other hand, is antigen-specific and is trained using a pre-defined profile of specific attacks [6]. Adaptive immunity also includes a “memory” that makes future responses against a specific antigen more efficient [7].
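The following is an added illustration, not code from the paper: a minimal DBSCAN written from the standard algorithm, used the way the abstract describes the innate layer, to split unlabeled traffic into "self" and "non-self" without prior attack knowledge. The two flow features, the `eps` and `min_pts` values, the constructed sample flows, and the rule that DBSCAN noise points are treated as non-self are all assumptions made for this example.

```python
import math

NOISE = -1

def dbscan(points, eps, min_pts):
    """Label each point with a cluster id (>= 0) or NOISE."""
    labels = [None] * len(points)

    def neighbours(i):
        return [j for j, q in enumerate(points) if math.dist(points[i], q) <= eps]

    cluster = -1
    for i in range(len(points)):
        if labels[i] is not None:
            continue
        seeds = neighbours(i)
        if len(seeds) < min_pts:          # not a core point (may become a border point later)
            labels[i] = NOISE
            continue
        cluster += 1
        labels[i] = cluster
        queue = [j for j in seeds if j != i]
        while queue:
            j = queue.pop()
            if labels[j] == NOISE:        # border point: density-reachable but not core
                labels[j] = cluster
            if labels[j] is not None:
                continue
            labels[j] = cluster
            reach = neighbours(j)
            if len(reach) >= min_pts:     # j is core too, so keep expanding
                queue.extend(reach)
    return labels

# Constructed sample flows: (name, (scaled packet rate, scaled distinct-port ratio)).
FLOWS = [
    ("web-1", (0.10, 0.05)), ("web-2", (0.12, 0.06)),
    ("web-3", (0.11, 0.04)), ("web-4", (0.13, 0.05)),
    ("bulk-1", (0.60, 0.02)), ("bulk-2", (0.62, 0.03)),
    ("bulk-3", (0.61, 0.01)), ("bulk-4", (0.63, 0.02)),
    ("scan-like", (0.30, 0.95)), ("flood-like", (0.98, 0.10)),
]

def classify(flows, eps=0.05, min_pts=3):
    """Assumed mapping: clustered flows are 'self', DBSCAN noise is 'non-self'."""
    labels = dbscan([vec for _, vec in flows], eps, min_pts)
    return {name: "non-self" if lab == NOISE else "self"
            for (name, _), lab in zip(flows, labels)}

if __name__ == "__main__":
    for name, verdict in classify(FLOWS).items():
        print(f"{name:10s} {verdict}")
```

Because DBSCAN needs no cluster count and no labels, the two dense groups of routine traffic form "self" on their own, while the isolated flows fall out as noise and would be the candidates handed on for further inspection.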
International Journal of Digital Content Technology and its Applications (JDCTA) Volume 8, Number 5, October 2014