ISM-AC: an immune security model based on alert correlation and software-defined networking
International Journal of Information Security (IF 2.4), Pub Date: 2021-05-03, DOI: 10.1007/s10207-021-00550-x
Roberto Vasconcelos Melo, Douglas D. J. de Macedo, Diego Kreutz, Alessandra De Benedictis, Mauricio Martinuzzi Fiorenza

Anomaly-based detection techniques have a high number of false positives, which degrades the detection performance. To address this issue, we propose a distributed intrusion detection system, named ISM-AC, based on anomaly detection using an artificial immune system and attack graph correlation. To analyze network traffic, we use negative selection, clonal selection, and immune network algorithms to implement an agent-based detection system. ISM-AC leverages the programmability of software-defined networking to reduce the false positive rate. Our findings show that ISM-AC achieves better detection performance for denial of service, user to root, remote to local, and probe attack classes. Alert correlation plays a key role in this achievement.




Updated: 2021-05-03