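Figure 3-7: Flowchart of blocking-state mature detectors
In the initial state, the set of blocking-state mature detectors is empty. At time t, the blocking-state detector set is obtained from the blocking-state detector set of time t-1 by adding the detectors suspended from the active state and the detectors suspended from the waking state, and by deleting the blocking-state detectors that were released and those that died because they had been blocked for too long.
3. Analysis of waking-state mature detectors
In the initial state, the set of waking-state mature detectors is empty. As shown in Figure 3-8, the waking-state detector set at time t is obtained from the waking-state detector set of time t-1 by adding the detectors released from the blocking state and deleting the waking-state detectors that, in the course of their evolution, were converted to the active state or the blocking state.
Figure 3-8: Flowchart of waking-state mature detectors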
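1.4.5 Dynamic change of memory detectors
Analysis of the state transitions of memory detectors
When the affinity of a mature immune cell reaches the matching threshold, it evolves into a memory detector. While a memory detector matches antigens, its antibody concentration keeps changing. When it meets a matching antigen again, its concentration rises in order to resist the antigen; conversely, if the memory detector matches no corresponding antigen within a specified period, its concentration falls.
Memory detectors are divided into active-state memory detectors, blocking-state memory detectors and waking-state memory detectors. An active-state memory detector is activated immediately once it matches an antigen.
When an active-state memory detector matches unchanged self, it dies directly, because unchanged self does not vary. When an active-state memory detector matches changed self, it becomes a blocking-state memory detector; while the self it matched has not turned into non-self it stays blocked, and when the matched self turns into non-self the blocking-state memory detector is released and becomes a waking-state memory detector. When the number of detectors in the blocking-state memory detector set exceeds the set limit, the blocking-state memory detectors that have been blocked longest (beyond the life threshold) without being released are deleted.
A waking-state memory detector first undergoes tolerance against the self antigens newly added while it was blocked. A waking-state memory detector that passes tolerance becomes an active-state memory detector; one that does not pass is handled according to the type of self it matched: if it matched changed self it is suspended again and becomes a blocking-state memory detector, and if it matched unchanged self it is deleted directly.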
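1.4 Comparative experiment
The ARTIS model is one of the better-known models in artificial immune theory and uses the negative selection algorithm. The NSSPM model proposed in this paper uses crossover and mutation when generating immature detectors, state transitions of mature detectors, state transitions of memory detectors, and changes in antibody concentration. The two are compared below in terms of TP and detection speed.
Purpose of the experiment:
To measure the effect on the system detection rate TP of generating some immature detectors by mutation from the antibody gene library and of the state transition mechanism.
Experimental method:
In an experimental network at an organization, the experiment simulated more than 20 kinds of attacks on the network, such as synflood, land, smurf and teardrop. The ratio of non-self strings to self strings in the packets sent was 8:2, that is, every 100 packets sent contained 80 non-self. Of the non-self, 30 evolved from changed self and 10 were newly determined non-self. These 40 non-self had only just been determined, that is, IP packets of these types were previously considered normal and are now considered illegal network behaviour.
Figure 3-15: Comparison experiment on the effect of the state transition mechanism on model performance
Results and analysis: Figure 3-15 shows that, once the detector sets have basically stabilized, when changed self mutates into non-self the NSSPM model has a higher TP value than ARTIS, and the curve shows that the detection rate of the NSSPM algorithm is stable without any jitter. This is because NSSPM adds state changes, which shorten the evolution time of detectors so that non-self is recognized sooner. In addition, generating some immature detectors by mutation from the antibody gene library lets immature detectors evolve faster and also recognize mutated antigens faster.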
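1.5 Chapter summary
This chapter proposed a new immune-based network security situation awareness model. The model adds changed self, unchanged self, state transitions of mature detectors and state transitions of memory detectors, and obtains some immature detectors by mutation from the antibody gene library. The modified model was also compared with the traditional ARTIS model; the experiment shows that this model recognizes antigens faster and has a higher detection rate.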
A network situation awareness model based on immune state transition
1.1 Introduction
In a network, as the environment, time and requests change, network security detection needs to be more efficient, adaptive and scalable in order to ensure the integrity, confidentiality and effectiveness of the whole network. Network security detection systems are mainly intrusion detection systems, which rely primarily on two techniques: anomaly detection and misuse detection. These have much in common with the biological immune system, so artificial immune detection has made some progress in network security. Professor Forrest proposed the first distributed artificial immune system model, ARTIS [55][56][57]; later came Professor Ballet's [58] multi-agent distributed computer immune system based on immune theory, Professor Kim's [59][60][61] network intrusion detection model based on dynamic clonal selection, and others. However, these results are not perfect and have some defects. If a network security detection system describes self and non-self statically, it adapts poorly and cannot meet the needs of a real network environment, so the system's false alarm rate and false negative rate are high. In addition, immune cells (detectors) lack a dynamic buffering mechanism in the course of their evolution: some detectors that play an important role in intrusion detection are discarded simply because the non-self they originally matched turned into self during a certain period, so that the detectors failed tolerance.
This paper presents NSSPM (Network Security Situation Perception Model), an artificial-immune network security situation awareness model that allows immune state transitions. The model defines the concepts of unchanged self, changed self, non-self, antigen, antibody, vaccine and so on, and describes the dynamic evolution of immune cells. Immature detectors are generated by combining recombination from the antibody gene library with random mutation [62]. Three immune states are set up for mature detectors and memory detectors: active state, blocking state and waking state, together with the corresponding state transition processes: the suspend process, the release process and the activation process. The model solves the problem of describing self and non-self dynamically in a computer immune system, detects both known and unknown network intrusions, and is distributed, self-learning and robust. It also proposes an immune detection memory tree based on antibody concentration, in which the order of the nodes is adjusted dynamically so that, in each detection, detectors are extracted in order of antibody concentration from high to low to match antigens. When antibody concentrations change as the attacks on the network change, the order of the tree nodes is adjusted promptly so that high-concentration detectors match antigens before low-concentration detectors, which reduces the number of invalid matches and improves detection efficiency.
1.2 NSSPM architecture
The model consists mainly of the antigen set, the immature detector set, the mature detector set, the memory detector set, self and so on. It comprises two main processes: the antigen detection process, marked with dashed lines, in which immunity detects antigens and identifies intrusions, and the evolution process of the immune detectors. The two processes run at the same time and influence each other.
The detection process is as follows: IP packets pass through antigen presentation to give the antigen set Ag; Ag is checked by the memory detectors Mb and the mature detectors Tb and divided into self (Self) and non-self (NonSelf); the non-self is removed from Ag and the remaining antigens are taken as self. The initial self is set in advance on the basis of experience.
Figure 3-1: NSSPM architecture diagram
The evolution of the immune detectors is as follows. The initial immature detector set Ib(0) is set in advance; subsequent immature detectors are partly generated at random and partly obtained by recombination and mutation of antibody genes. Immature detectors that are not removed after a self-tolerance period of α enter the mature detector set. A mature detector whose affinity with antigens reaches a certain threshold within its life cycle becomes a memory detector; otherwise it is removed from the mature detector set. When a mature detector becomes a member of the memory detector set, it is at the same time decomposed into gene fragments that go into the antibody gene library. A memory detector dies if it matches self or has had no affinity with antigens for a long time.
1.3 Network security situation awareness model NSSPM
In the biological immune system, immune cells have a certain life cycle and go through a dynamic process from creation to death. In a network environment, normal and abnormal network behaviour also keep changing because requirements and the environment change. Therefore the components of the model in Figure 3-1 (self, non-self, antigens, antibodies and the various immune detectors) change with time and with the changing environment.
1.4.1 Dynamic change of self
To ensure network security in a computer network, we must know what is normal network behaviour and what is abnormal network behaviour. Because requirements or the environment change, some network behaviour previously considered normal may be prohibited after new vulnerabilities are discovered or network security requirements are raised; conversely, some previously prohibited network behaviour may come to be considered normal because network security equipment has improved or new services need to be added. In this model, self (Self) represents normal network behaviour and non-self (NonSelf) represents suspicious network behaviour; what the network treats as self is not fixed forever but changes dynamically in line with network security management requirements. The model divides self into unchanged self and changed self.
(3-14)
Dynamic change of unchanged self
The unchanged self is initially the pre-set self set. It is generated as follows:
(3-15)
In the initial state, self is the pre-set self set. At each later moment, the newly created self set is added to the self set of the previous moment and the mutated self is deleted from it, giving the self set of the current moment. Antigens that pass the memory detectors and mature detectors and are not attacks become self and form the newly created self set; likewise, if a detector (y) matches a self (x) and costimulation determines that (x) is non-self at that time, the self (x) dies and joins the set of mutated self, which is the set of self that has mutated into non-self.
Once something becomes unchanged self it no longer varies, whereas the library of changed self is always changing. Continually extending self makes it more complete and lets it follow the dynamic changes of behaviour in a real network environment; and where network security or application requirements turn normal network behaviour into abnormal network behaviour, costimulation causes the corresponding self to die. These greatly reduce the false negative rate. A false negative means that illegal network behaviour is taken for normal network behaviour.
Dynamic change of changed self
The changed self is initially empty. It changes as follows:
(3-16)
At time t, the self that has mutated from the set of historical mutations is added to the changed self set, while the changed self that mutates at time t is removed from the changed self set of time t-1. An element x of the removed set was in the changed self set at time t-1, but at time t a detector matches x and costimulation determines that x has mutated into non-self.
Because changed self is highly variable, the model caches it, and it is released when changed self once again becomes non-self. Changed self is mainly used for network behaviour whose security status changes often or that is only temporarily safe, and it improves the system's detection efficiency.
1.4.2 Dynamic change of antibody gene library
G(t) denotes the antibody gene library at time t, a set of antibody genes. In the initial state (t = 0):
(3-17)
Initially, the antibody gene library G(t) is the pre-set normal gene pool, generated as random strings with a given probability. For t > 0 the antibody gene library keeps changing: new gene fragments brought by newly generated memory detectors are added, and these make up the gene set Gnew(t); at the same time, memory detectors die because they match self or go unactivated for a long time, so the corresponding gene fragments are removed from the antibody gene library, and the genes deleted at time t make up the set Gvar(t).
1.4.3 Dynamics of immature detectors
Generation of immature detectors
Immature detectors are the basis for generating mature detectors and memory detectors. They are made up, in a certain proportion, in two ways: random generation, and recombination of antibody gene fragments from the gene library. The advantage is that the new generation of immature detectors keeps the characteristics of the previous parent generation while also being diverse.
(3-18)
Equation (3-18) gives the immature detectors newly generated at time t. They comprise the randomly generated immature detectors and the immature detectors generated by gene crossover at time t, and two parameters give the ratio between the two. For two gene fragments, a single crossover point is selected at random and the two fragments are crossed to produce new gene fragments. To avoid blind crossover, only gene fragments of the same type are crossed. Because the resulting immature detectors inherit the advantages of better antibody genes, they can be trained into mature detectors faster and are better at detecting antigens.
Self tolerance
Immature detectors change as follows:
(3-19)
Immature detectors must undergo self tolerance. The self-tolerance process is as follows:
(3-20)
Here the tolerance period is greater than or equal to 1, and the set denotes the detectors that evolve from immature into mature detectors at that moment. Every immature detector in the model must undergo negative selection, which removes the immature detectors that recognize self; immature detectors that have gone through the tolerance period are added.
Self tolerance makes new immature detectors tolerant of normal network behaviour, and also copes well with unexpected network events.
1.4.4 Dynamics of mature detectors
Analysis of the state transitions of mature detectors
If a mature detector accumulates a certain number of matches ( ) within its life cycle ( ), it is activated by the antigen and evolves into a memory detector; otherwise it dies. While matching antigens during its life cycle, a mature detector also goes through a dynamic evolution.
Mature detectors comprise active-state mature detectors, blocking-state mature detectors and waking-state mature detectors.
A mature detector is first in the active state, in which it can be used for detection. An active-state mature detector matches antigens; if, within its life cycle ( ), its accumulated matches exceed the affinity threshold ( ), it evolves into a memory detector. During matching, if an active-state mature detector matches unchanged self, then, because unchanged self does not vary, that active-state mature detector dies directly.
When an active-state mature detector matches changed self, the model caches it dynamically: the active-state mature detector becomes a blocking-state mature detector. While it is blocked, if the self it matched has not turned into non-self, the detector stays blocked; when the matched (changed) self turns into non-self, the blocking-state mature detector is released and becomes a waking-state mature detector. A detector that stays blocked and is not released within its life cycle is judged dead and removed from the blocking-state detector set.
A waking-state mature detector first undergoes tolerance against the self antigens newly added while it was blocked. A waking-state mature detector that passes tolerance is activated and becomes an active-state mature detector; one that does not pass is handled according to the type of self it matched: a waking-state detector that matches changed self is suspended again and becomes a blocking-state mature detector, and one that matches unchanged self is removed directly from the waking-state detector set.
1. Definition of the states
A mature detector has the following states:
Q1 (initial): the initial state of a detector; once it has passed self tolerance over a tolerance period, it enters the activated state.
Q2 (workon): the activated detector. A detector in this state has a certain life cycle; if within the life cycle its affinity with antigens accumulates to a certain threshold, the mature detector evolves into a memory detector;
Q3 (holdon): the suspended detector. When an activated detector or a released detector matches changed self, it enters state Q3;
Q4 (release): the released detector. When the changed self matched by a detector in state Q3 turns into non-self, the suspended detector is released into this state. In addition, if a detector in state Q4 does not match any of the self added during the time between its entering Q3 and its entering Q4, it is activated.
Q5 (evolve): the evolved detector. When a detector in state Q2 accumulates affinity with antigens up to a certain threshold within its life cycle, it becomes a memory detector; this is the initial state of the memory detector.
Q6 (death): the dead detector, one eliminated from the detector set at any point in the evolution process.
2. Definition of the transition events
Each detector experiences different events in its different states. These events are defined as follows:
E1: the detector matches unchanged self.
E2: the detector matches changed self.
E3: the detector does not match self.
E4: within the detector's life cycle, the affinity threshold is reached.
E5: the detector's age exceeds its life cycle value.
E6: costimulation confirms that changed self x has mutated into non-self.
E7: an immature cell has gone through a tolerance period.
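The states Q1 to Q6 and events E1 to E7 above can be written as a small state machine. This is an added example, not the paper's own code: the transition table is assembled from the prose description of mature detectors in section 1.4.4, and treating any event not listed for a state as "stay in the same state" is an assumption.

```python
from enum import Enum

class Q(Enum):
    INITIAL = "Q1"   # passed through tolerance, not yet active
    WORKON = "Q2"    # active state
    HOLDON = "Q3"    # suspended (blocking state)
    RELEASE = "Q4"   # released (waking state)
    EVOLVE = "Q5"    # became a memory detector
    DEATH = "Q6"     # eliminated

# (state, event) -> next state, read off the section 1.4.4 description
TRANSITIONS = {
    (Q.INITIAL, "E7"): Q.WORKON,   # tolerance period completed
    (Q.WORKON, "E1"): Q.DEATH,     # matched unchanged self
    (Q.WORKON, "E2"): Q.HOLDON,    # matched changed self: suspend
    (Q.WORKON, "E4"): Q.EVOLVE,    # affinity threshold reached
    (Q.WORKON, "E5"): Q.DEATH,     # life cycle exceeded
    (Q.HOLDON, "E6"): Q.RELEASE,   # matched self turned into non-self
    (Q.HOLDON, "E5"): Q.DEATH,     # blocked too long
    (Q.RELEASE, "E3"): Q.WORKON,   # tolerated newly added self: activate
    (Q.RELEASE, "E2"): Q.HOLDON,   # matched changed self: suspend again
    (Q.RELEASE, "E1"): Q.DEATH,    # matched unchanged self
}
TERMINAL = {Q.EVOLVE, Q.DEATH}

def step(state: Q, event: str) -> Q:
    """Apply one event; terminal states and unlisted pairs do not move (assumed)."""
    if state in TERMINAL:
        return state
    return TRANSITIONS.get((state, event), state)

def run(events, state: Q = Q.INITIAL):
    """Return the full state trace for a sequence of events."""
    trace = [state]
    for event in events:
        state = step(state, event)
        trace.append(state)
    return trace

if __name__ == "__main__":
    # Constructed sequence: activate, suspend, release, re-activate, evolve
    print([s.value for s in run(["E7", "E2", "E6", "E3", "E4"])])
```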