Detecting danger: Applying a novel immunological concept to intrusion detection systems

Poster Proceedings of ACDM 2004, Engineers' House, Bristol, UK

DETECTING DANGER: APPLYING A NOVEL IMMUNOLOGICAL CONCEPT TO INTRUSION DETECTION SYSTEMS

Julie Greensmith, Uwe Aickelin & Jamie Twycross
ASAP Group, School of Computer Science, University of Nottingham, UK.
{jqg, uxa, jpt}

INTRODUCTION

In recent years computer systems have become increasingly complex and consequently the challenge of protecting these systems has become increasingly difficult. Various techniques have been implemented to counteract the misuse of computer systems in the form of firewalls, anti-virus software and intrusion detection systems. The complexity of networks and the dynamic nature of computer systems leave current methods with significant room for improvement.

Computer scientists have recently drawn inspiration from mechanisms found in biological systems and, in the context of computer security, have focused on the human immune system (HIS). The human immune system provides an example of a robust, distributed system that provides a high level of protection from constant attacks. By examining the precise mechanisms of the human immune system, it is hoped the paradigm will improve the performance of real intrusion detection systems.

This paper presents an introduction to recent developments in the field of immunology. It discusses the incorporation of a novel immunological paradigm, Danger Theory, and how this concept is inspiring artificial immune systems (AIS). Applications within the context of computer security are outlined with direct reference to the underlying principles of Danger Theory. Finally, the current state of intrusion detection systems is discussed and improvements are suggested.

DANGER THEORY AND THE HUMAN IMMUNE SYSTEM

Since 1959, the central dogma of immunology has stated that the human immune system reacts to entities that are not part of the organism. Therefore the decision to react is a result of the HIS classifying its own cells as self and everything else as nonself [5]. The HIS performs the classification by recognising proteins found on the surface of foreign cells (known as antigens). Foreign cells differ from cells present in the host (known as self-antigens) in structure and shape.

There are numerous instances, however, where this classification fails. For example, the intestinal tract is exposed to many different bacteria and foods, neither of which are classically defined as `self', but neither of which produce an immune response. In addition, the model of self-nonself discrimination cannot explain the phenomenon of auto-immune diseases. In the example of multiple sclerosis, the HIS attacks certain cells that it classifies as `self'.

In 1994, Polly Matzinger [4] postulated that in this instance the HIS was not reacting to self or nonself, but that the response was due to a protection mechanism of sensing danger. The manner in which danger is detected forms the basis of the Danger Theory. The Danger Theory does not deny the existence of self-nonself discrimination but rather states that there are other contributory factors involved in the initiation of an immune response. It is now believed that the HIS responds to certain danger signals produced as a result of cellular necrosis: the unexpected stress and/or death of a cell.

Cell death is a natural process that occurs within the body as a result of homeostatic regulation. This process, however, comes from a pre-programmed and highly controlled mechanism known as apoptosis. The Danger Theory proposes that the mechanisms behind cell death can cause different biochemical reactions that in turn can cause different danger signals. It is believed that these signals may facilitate an immune response. This controversial paradigm shift within the immunology community may offer a potential explanation for many scenarios where the self-nonself model fails.

ARTIFICIAL IMMUNE SYSTEMS

Most biologically inspired artificial immune systems based on the HIS have relied on the self-nonself model. Algorithms derived using this model have been largely successful [2]. Artificial immune systems have been developed for a wide range of applications from data mining to information security. In many cases, the applications have produced results comparable to, or better than, other standard techniques.

For example, the negative selection of immune cells in the thymus for self-nonself recognition was applied in the Lisys system and used as a network intrusion detection tool [3]. This system classified normal user behaviour as self and all other behaviour as nonself. However, this approach did not scale as well as expected for use in a large, dynamic environment. One explanation for the poor behaviour may be that certain processes, essential for immune functionality, were not incorporated.

THE APPLICATION OF DANGER THEORY TO INTRUSION DETECTION

Intrusion detection systems (IDS) are designed to detect events that occur in a computer system that may compromise its integrity or confidentiality [7]. IDS are frequently sub-divided into two categories: misuse detection and anomaly detection. Misuse detection techniques examine both network and system activity for known instances of misuse through the use of signature matching algorithms. This technique is effective at detecting attacks that are already known. However, novel attacks are often missed, giving rise to false negatives.

Anomaly detection systems rely on constructing a model of user behaviour that is considered 'normal'. This is achieved by using a combination of statistical or machine learning methods to examine network traffic or system calls and processes. The detection of novel attacks is more successful using the anomaly detection approach, as any behaviour not defined as normal is classified as an intrusion. However, 'normal' behaviour in a large, dynamic system is not well defined and changes over time. This often results in a significant number of false alarms, known as false positives. The reduction of false positives is a key challenge that the Danger Theory may be able to address.

It is proposed that the incorporation of the Danger Theory into intrusion detection techniques would produce a system able to respond effectively to known threats and novel attacks, and also reduce the amount of false positives common in anomaly detection systems [6]. The Danger Theory proposes that the HIS detects danger signals and responds based on the correlation of these signals. A similar concept could be used in IDS. It would rely on being able to produce a system capable of classifying behaviour as apoptotic or necrotic. Apoptotic behaviour could be defined as low level, noisy alerts, which on their own do not form any significant misbehaviour, but are often the prerequisite for an attack. Necrotic alerts could be produced for a more serious attack where significant system damage was taking place [1]. Other danger signals relating to the physical system itself may also be incorporated into this model. The potential for improvement in this area and the successful correlation of such alerts will perhaps provide both improved intrusion detection systems and artificial immune systems.

CONCLUSION

In the field of developing artificial immune systems for computer security, Danger Theory may provide significant improvements to current intrusion detection techniques. Work is currently being performed into exactly how danger signals can be identified in the HIS. It is hoped the results of this research will yield a clearer view of what danger signals are in vivo, and how they can be translated for detecting danger within computer systems in silico, to implement more effective computer security systems.

ACKNOWLEDGEMENTS

This project is a collaboration between the University of Nottingham, University of the West of England, University College London, Hewlett-Packard Labs, Bristol and Gianni Tedesco. The project is supported by the EPSRC (GR/S47809/01). Thanks to Gillan Cash for his helpful comments on this article.

REFERENCES

1. Aickelin U., Bentley P., Cayzer S., Kim J. and McLeod J., 2003, 'Danger Theory: The Link between AIS and IDS?', in Proceedings ICARIS-2003, 2nd International Conference on Artificial Immune Systems, 147-155.
2. De Castro, L.N. and Timmis, J., 2002, 'Artificial Immune Systems: A New Computational Approach', Springer-Verlag, London, UK.
3. Hofmeyr S. and Forrest S., 2000, 'Architecture for an Artificial Immune System', Evolutionary Computation, 8(4), 443-473.
4. Matzinger P., 2002, 'The Danger Model: A Renewed Sense of Self', Science, 296, 301-305.
5. Medzhitov R. and Janeway C., 2000, 'How does the immune system distinguish self from nonself?', Seminars in Immunology, 12, 185-188.
6. Twycross J., 2004, 'Immune Systems, Danger Theory and Intrusion Detection', to be presented at the AISB 2004 Symposium on Immune System and Cognition (ImmCog-04), Leeds, U.K.
7. Venter H. and Eloff J., 2003, 'A Taxonomy for Information Security Technologies', Computers & Security, 22(4), 299-307.
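The apoptotic/necrotic alert correlation sketched in the section on applying Danger Theory to intrusion detection, as an added illustration that is not part of the paper or any system by its authors: the mapping of alert types onto the two signal classes, the sample alert stream and the correlation window are all assumed here. A host is reported as "danger" only when a necrotic signal is preceded within the window by enough apoptotic precursors; noisy apoptotic alerts on their own raise no alarm, which is the false-positive reduction the paper argues for.

```python
from collections import defaultdict

# Constructed sample alert stream (not from the paper): (time_s, host, alert_type)
SAMPLE_ALERTS = [
    (100, "10.0.0.5", "failed_login"),
    (105, "10.0.0.5", "failed_login"),
    (110, "10.0.0.5", "port_probe"),
    (130, "10.0.0.5", "service_crash"),
    (200, "10.0.0.9", "failed_login"),
    (260, "10.0.0.9", "failed_login"),
    (400, "10.0.0.7", "service_crash"),
]

# Assumed mapping of alert types onto the paper's signal classes: apoptotic =
# low-level noisy events (not an incident alone); necrotic = real system damage.
APOPTOTIC = {"failed_login", "port_probe", "cpu_spike"}
NECROTIC = {"service_crash", "file_integrity_change", "privilege_change"}

def classify(alert_type):
    """Map one alert type to 'apoptotic', 'necrotic' or 'unknown'."""
    if alert_type in APOPTOTIC:
        return "apoptotic"
    return "necrotic" if alert_type in NECROTIC else "unknown"

def correlate(alerts, window_s=60, min_precursors=2):
    """Correlate signals per host; returns {host: verdict}.
    danger        : necrotic signal preceded within window_s by >= min_precursors apoptotic ones
    necrotic_only : damage seen, but no apoptotic precursors correlate with it
    apoptotic_only: only noisy low-level signals, so no alarm is raised
    """
    by_host = defaultdict(list)
    for t, host, alert_type in sorted(alerts):
        kind = classify(alert_type)
        if kind != "unknown":            # unmapped alerts carry no signal
            by_host[host].append((t, kind))
    verdicts = {}
    for host, events in by_host.items():
        apop = [t for t, k in events if k == "apoptotic"]
        necro = [t for t, k in events if k == "necrotic"]
        # Danger is a correlation of signals, never a single alert on its own.
        correlated = any(
            sum(1 for a in apop if n - window_s <= a <= n) >= min_precursors
            for n in necro
        )
        if correlated:
            verdicts[host] = "danger"
        else:
            verdicts[host] = "necrotic_only" if necro else "apoptotic_only"
    return verdicts
```

Shrinking the window (for example to 10 seconds) leaves the same host's crash uncorrelated with its earlier probes, showing how the choice of window drives the trade-off between missed correlations and noise.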