/*=================
 * Copyright (C) 2001 Dennis Chao
 *
 * Lisys is a program that monitors TCP SYN packets to detect network
 * traffic anomalies.
 *
 * Licensed under the GNU General Public License (GPL), version 2 or
 * higher.  Please see the COPYING and PATENT files included with the
 * Lisys distribution, which can be found at:
 *
 * http://www.cs.unm.edu/~judd/lisys/
 *
 * Also, the current text of the GPL can be found at:
 *
 * http://www.gnu.org/copyleft/gpl.html
 *
 * Note that Lisys has NO WARRANTY!
 *=================*/
package edu.unm.cs.lisys.detection;

import edu.unm.cs.lisys.debug.*;
import edu.unm.cs.lisys.detection.bip.*;
import edu.unm.cs.lisys.detection.bif.*;
import edu.unm.cs.lisys.detection.matchrule.*;
import edu.unm.cs.lisys.util.*;

import java.lang.System;
import java.util.*;
import java.io.*;

/**==========
 * DetectionNode.java
 * Base class that implements basic Lisys detection node features.
 * Each node owns a Vector of Detectors, a shared BinaryInputFilter
 * built by reflection from a configured class name, and a single
 * seeded KnuthRandom that the detectors draw from.  This is a
 * butchered version of NewDetectionNode.java.
 *
 * The main public methods are:
 *   boolean isAnomalous(BinaryInputPattern bip)  - classify one BIP
 *   void costimulate(BinaryInputPattern bip)     - confirm an alarm and
 *                                                  run memory competition
 *
 * Every call mutates node state (counters, sensitivity level, the
 * detectors themselves).  No synchronization is done anywhere in this
 * class, so concurrent callers would race on the counters and on
 * _dSensitivityLevel; callers must serialize access.
 *
 * The class is Serializable so a node can be checkpointed.  Only
 * restore snapshots that were written by this program to trusted
 * storage; a snapshot is a full object graph (detectors, filter,
 * random state) and is not validated on load.  No serialVersionUID is
 * declared, so the implicit UID changes whenever the class shape does.
 *
 * Here are the people who have worked on this code in the order they
 * have worked on it:
 * @author Todd Kaplan <kaplan@cs.unm.edu>
 * @author Hajime Inoue <hinoue@cs.unm.edu>
 * @author Dennis Chao <dlchao@cs.unm.edu>
 * @author Justin Balthrop <judd@cs.unm.edu>
 *==========*/
public class DetectionNode implements Serializable
{
    // ---- input from constructor ----
    private int _nNumDetectors;         // number of detectors created by the constructor
    private MatchRule _mMatchRule;      // match rule handed to every Detector
    private String _szBipType;          // BIP type name handed to every Detector
    private String _szBifType;          // fully-qualified class name of the BinaryInputFilter, loaded by reflection
    private int _nBipLength;            // length of BIPs, passed to BinaryInputFilter.constructFilter()
    private long _nRandomSeed;          // used to seed _random
    private boolean _bUseMemory;        // if false, costimulate() never promotes/demotes memory detectors
    private int _nMaxMemoryDetectors;   // cap on memory detectors; also the argument to _random.intRange()
    private int _nTolerizationPeriod;   // time it takes to tolerize; pushed to every Detector

    // ---- Detector arguments (forwarded unchanged to Detector's constructor and recreate()) ----
    private int _nActivationThreshhold = 10;   // the initializer is always overwritten by the constructor
    private int _nCostimulationDelay;
    private double _dDeathProbability;
    private double _dMatchDecay;
    private int _nMinMatchLength;

    // ---- state ----
    private int _nNumMemoryDetectors;      // number of memory detectors promoted so far (never decremented here)
    private double _dSensitivityLevel;     // raised on alarm/adjust, decays every isAnomalous() call, floored at 0
    private double _dSensitivityDecay;     // subtracted from _dSensitivityLevel on every isAnomalous() call
    private double _dSensitivityIncrement; // added to _dSensitivityLevel when any detector activates or asks for adjustment
    // NOTE: public and mutable.  Anyone holding a reference can add, remove or
    // replace detectors, after which getNumDetectors() (which returns
    // _nNumDetectors, not _vDetectors.size()) no longer describes the list.
    public Vector _vDetectors;             // list of detectors
    private KnuthRandom _random;           // random number generator, seeded from _nRandomSeed
    private BinaryInputFilter _bif;        // binary input filter; stays null if reflective construction failed

    // ---- Statistics ----
    private long _nNumBipsReceived;    // number of isAnomalous() calls
    private long _nNumAnomalies;       // number of isAnomalous() calls that returned true
    private long _nNumDetectorsKilled; // number of Detector.DIE responses seen (each is followed by a recreate())

    // ---- Accessor functions ----

    /** @return number of BIPs passed to isAnomalous() so far */
    public long getNumBipsReceived() { return _nNumBipsReceived; }

    /** @return number of BIPs isAnomalous() has classified as anomalous */
    public long getNumAnomalies() { return _nNumAnomalies; }

    /** @return the current sensitivity level (never negative) */
    public double getSensitivityLevel() { return _dSensitivityLevel; }

    /**
     * @return the detector count given to the constructor.  This is not
     *         _vDetectors.size(); the two diverge if the public Vector is
     *         modified externally.
     */
    public int getNumDetectors() { return _nNumDetectors; }

    /** @return number of detectors promoted to memory by costimulate() */
    public int getNumMemoryDetectors() { return _nNumMemoryDetectors; }

    /** @return number of detectors that have died (and been recreated in place) */
    public long getNumDetectorsKilled() { return _nNumDetectorsKilled; }

    /** @return the tolerization period currently in effect */
    public int getTolerizationPeriod() { return _nTolerizationPeriod; }

    /**
     * Changes the tolerization period for this node and pushes the new
     * value into every detector currently in _vDetectors.
     *
     * @param n the new tolerization period
     */
    public void setTolerizationPeriod(int n) {
        _nTolerizationPeriod = n;
        for (Enumeration detectors = _vDetectors.elements();
             detectors.hasMoreElements(); ) {
            Detector detector = (Detector) detectors.nextElement();
            detector.setTolerizationPeriod((int)_nTolerizationPeriod); // cast is a no-op; the field is already an int
        }
    }

    /**
     * Counts detectors that report !isImmature().
     *
     * @return number of mature detectors
     */
    public int getNumMatureDetectors() {
        int nummature = 0;
        for (Enumeration detectors = _vDetectors.elements();
             detectors.hasMoreElements(); ) {
            Detector detector = (Detector) detectors.nextElement();
            if (!detector.isImmature())
                nummature++;
        }
        return nummature;
    }

    /**
     * Counts detectors that report isActivated().
     *
     * @return number of activated detectors
     */
    public int getNumActivatedDetectors() {
        int numactivated = 0;
        for (Enumeration detectors = _vDetectors.elements();
             detectors.hasMoreElements(); ) {
            Detector detector = (Detector) detectors.nextElement();
            if (detector.isActivated())
                numactivated++;
        }
        return numactivated;
    }

    /**
     * Writes toString() of every mature (!isImmature()) detector to
     * System.err, one per line.  Diagnostic only; output format is
     * whatever Detector.toString() produces.
     */
    public void printMatureDetectors() {
        for (Enumeration detectors = _vDetectors.elements();
             detectors.hasMoreElements(); ) {
            Detector detector = (Detector) detectors.nextElement();
            if (!detector.isImmature()) {
                System.err.println(detector.toString());
            }
        }
    }

    /**==========
     * DetectionNode:
     * Constructor that stores the supplied parameters, seeds the random
     * source, builds the binary input filter by reflection, and creates
     * nNumberOfDetectors detectors.
     *
     * @param nNumberOfDetectors   how many Detector objects to create
     * @param mMatchRule           match rule given to every detector
     * @param szBipType            BIP type name given to every detector
     * @param szBifType            fully-qualified class name of the
     *                             BinaryInputFilter implementation; it is
     *                             loaded with Class.forName() and must have
     *                             an accessible no-arg constructor
     * @param nBipLength           passed to BinaryInputFilter.constructFilter()
     * @param nTolerizationPeriod  tolerization period given to every detector
     * @param bUseMemory           enables memory promotion/demotion in costimulate()
     * @param nMaxMemoryDetectors  cap on memory detectors
     * @param dSensitivityIncrement added to the sensitivity level on an
     *                             alarm or ADJUST_SENSITIVITY response
     * @param dSensitivityDecay    subtracted from the sensitivity level on
     *                             every isAnomalous() call
     * @param nRandomSeed          seed for the node's KnuthRandom
     * @param activationThreshhold Detector argument (forwarded unchanged)
     * @param costimulationDelay   Detector argument (forwarded unchanged)
     * @param deathProbability     Detector argument (forwarded unchanged)
     * @param minMatchLength       Detector argument (forwarded unchanged)
     * @param matchDecay           Detector argument (forwarded unchanged)
     *==========*/
    public DetectionNode(int nNumberOfDetectors,
                         MatchRule mMatchRule,
                         String szBipType,
                         String szBifType,
                         int nBipLength,
                         int nTolerizationPeriod,
                         boolean bUseMemory,
                         int nMaxMemoryDetectors,
                         double dSensitivityIncrement,
                         double dSensitivityDecay,
                         long nRandomSeed,
                         int activationThreshhold,
                         int costimulationDelay,
                         double deathProbability,
                         int minMatchLength,
                         double matchDecay) {
        // Grab our state from the constructor arguments.
        _nNumDetectors = nNumberOfDetectors;
        _nNumDetectorsKilled = 0;
        _mMatchRule = mMatchRule;
        _szBipType = szBipType;
        _szBifType = szBifType;
        _nBipLength = nBipLength;
        _bUseMemory = bUseMemory;
        _nMaxMemoryDetectors = nMaxMemoryDetectors;
        _nRandomSeed = nRandomSeed;
        _dSensitivityIncrement = dSensitivityIncrement;
        _dSensitivityDecay = dSensitivityDecay;

        // Detector variables
        _nActivationThreshhold = activationThreshhold;
        _nCostimulationDelay = costimulationDelay;
        _dDeathProbability = deathProbability;
        _nMinMatchLength = minMatchLength;
        _dMatchDecay = matchDecay;
        _nTolerizationPeriod = nTolerizationPeriod;

        // initialize
        _nNumMemoryDetectors = 0;
        _dSensitivityLevel = 0;
        _nNumBipsReceived = 0;
        _nNumAnomalies = 0;
        _random = new KnuthRandom(_nRandomSeed);

        // Build the filter by reflection.  The class name comes straight from
        // the caller's configuration and Class.forName()+newInstance() will
        // load and run the static initializer and no-arg constructor of ANY
        // class that name resolves to; the cast to BinaryInputFilter rejects
        // a wrong class only after it has already been instantiated.  Keep
        // szBifType under trusted control (e.g. a fixed list of known filter
        // classes) rather than accepting it from an untrusted source.
        try {
            _bif = ((BinaryInputFilter)
                    Class.forName(_szBifType).newInstance()).constructFilter
                (_random, _nBipLength);
        } catch (Exception e) {
            // Any failure (class not found, no accessible no-arg constructor,
            // ClassCastException, an exception thrown by constructFilter) is
            // reported to Debug.exception() and _bif stays null, so the
            // Detector loop below receives a null filter.  Whether
            // Debug.exception() returns to this point is not visible here
            // -- TODO confirm; if it does, the node is built without a filter.
            Debug.exception(this, e);
        }

        _vDetectors = new Vector();
        // Generate individual detectors.  Every detector shares _bif,
        // _mMatchRule and _random.
        for(int i=0; i < _nNumDetectors; i++) {
            Detector detector = new Detector(_bif, _mMatchRule, _random,
                                             _nActivationThreshhold,
                                             _nCostimulationDelay,
                                             _nTolerizationPeriod,
                                             _dDeathProbability,
                                             _nMinMatchLength,
                                             _dMatchDecay,
                                             _szBipType);
            _vDetectors.addElement(detector);
        }
        Debug.verbose("Tolerization period = " + nTolerizationPeriod);
    }

    /**==========
     * isAnomalous:
     * Determines whether the binary input pattern is anomalous or not.
     * Every detector is shown the bip together with the current
     * sensitivity level; an ACTIVATED response raises the alarm, an
     * ADJUST_SENSITIVITY response only bumps the sensitivity level, and a
     * DIE response causes the detector to be recreated in place (the
     * Vector slot is reused; only the kill counter changes).  After the
     * pass the sensitivity level is incremented if anything responded,
     * then decayed and clamped at zero.
     *
     * Memory competition occurs only when detectors are costimulated.
     *
     * @see #costimulate
     * @param bip the binary input pattern to classify
     * @return true if the bip is classified as anomalous
     *==========*/
    public boolean isAnomalous(BinaryInputPattern bip) {
        boolean alarm = false;
        boolean sensitivityEffect = false;
        _nNumBipsReceived++;
        for (Enumeration detectors = _vDetectors.elements();
             detectors.hasMoreElements(); ) {
            Detector detector = (Detector) detectors.nextElement();
            switch (detector.respondToBip(bip, _dSensitivityLevel)) {
            case Detector.ACTIVATED:
                alarm = true;
                break;
            case Detector.ADJUST_SENSITIVITY:
                sensitivityEffect = true;
                break;
            case Detector.DIE:
                Debug.verbose(this.toString() + ": DETECTOR DIES");
                _nNumDetectorsKilled++;
                // recreate() takes the same arguments as the constructor
                // except the random source, which the detector keeps.
                detector.recreate(_bif, _mMatchRule,
                                  _nActivationThreshhold,
                                  _nCostimulationDelay,
                                  _nTolerizationPeriod,
                                  _dDeathProbability,
                                  _nMinMatchLength,
                                  _dMatchDecay,
                                  _szBipType);
                break;
            default:
                // Any other response code is ignored.
                break;
            }
        }

        // Adjust the sensitivity level if appropriate.
        if (sensitivityEffect || alarm)
            _dSensitivityLevel += _dSensitivityIncrement;

        // Decay the sensitivity level.  The decay factor is generally
        // less than 1.0 and the sensitivity level can't go below
        // zero.
        _dSensitivityLevel -= _dSensitivityDecay;
        if (_dSensitivityLevel < 0)
            _dSensitivityLevel = 0;

        if (alarm) {
            _nNumAnomalies++;
            return true;
        } else {
            return false;
        }
    }

    /**==========
     * costimulate:
     * Checks to see what detectors were activated by bip and
     * costimulates them.  Any detector that has its activated flag
     * set and that matches the bip will be costimulated and enter
     * the memory competition.
     *
     * Detector.costimulate(bip) is called on EVERY detector (its side
     * effects are the detector's business); of those that return true
     * the one with the largest getMatchLength() wins.  If memory is in
     * use and the winner is not already a memory detector it is
     * promoted; if the memory set was already full, a memory detector
     * chosen at random before the pass is demoted instead of growing
     * _nNumMemoryDetectors.
     *
     * @param bip the binary input pattern to be costimulated
     *==========*/
    public void costimulate(BinaryInputPattern bip) {
        // Randomly select some memory to be replaced, if we have
        // reached the limit.
        int demoteMemoryRank = 1;
        int demoteMemoryIndex = 0;
        if (_bUseMemory) {
            demoteMemoryRank = _random.intRange(_nMaxMemoryDetectors);
        }
        // NOTE(review): demoteMemoryRank is compared against a running
        // count that starts at 1 for the first memory detector.  If
        // KnuthRandom.intRange(n) can return 0, the rank never matches and
        // demoteMemoryIndex stays 0, i.e. the first detector in the Vector
        // is demoted whether or not it is a memory detector -- TODO confirm
        // intRange's range against KnuthRandom.

        int countMemoryDetectors = 0; // The number of memory detectors we've seen.
        int maxMatchLength = 0;
        int competitionWinner = -1;  // index into _vDetectors; -1 = no detector matched
        Enumeration detectors = _vDetectors.elements();
        int dIndex = 0;
        while (detectors.hasMoreElements()) {
            Detector detector = (Detector) detectors.nextElement();
            if (detector.costimulate(bip)) {
                // This detector matches the bip.
                if (detector.getMatchLength() > maxMatchLength) {
                    // This detector is the best match so far.  Ties keep
                    // the earlier detector.
                    competitionWinner = dIndex;
                    maxMatchLength = detector.getMatchLength();
                }
            }
            if (detector.isMemory()) {
                countMemoryDetectors++;
                if (countMemoryDetectors == demoteMemoryRank) {
                    // This is the memory detector that will be
                    // demoted if necessary.
                    demoteMemoryIndex = dIndex;
                }
            }
            dIndex++;
        }

        if (_bUseMemory && (competitionWinner > -1)) {
            Detector winningDetector =
                (Detector) _vDetectors.elementAt(competitionWinner);
            // Now we make the winning detector into a memory
            // detector, if it isn't already memory.
            if (!winningDetector.isMemory()) {
                winningDetector.setMemory(true);
                if (countMemoryDetectors < _nMaxMemoryDetectors) {
                    // We have increased the total number of memory
                    // detectors since the memory isn't already full.
                    _nNumMemoryDetectors++;
                } else {
                    // We already have full set of memory detectors,
                    // so we demote the previously randomly selected
                    // detector.  The count is unchanged: one in, one out.
                    ((Detector) _vDetectors.elementAt(demoteMemoryIndex)).setMemory(false);
                }
            }
        }
    }
};