A Danger-Based Approach to Intrusion Detection

We propose a protocol for intrusion detection in distributed systems based on a relatively recent theory in immunology called danger theory. According to danger theory, an immune response in natural systems results from sensing corruption (damage) as well as sensing unknown substances. In contrast, traditional self-nonself discrimination theory states that an immune response is initiated only by sensing nonself (unknown) patterns. Danger theory solves many problems that the traditional model could only partially explain. Although the traditional model is simpler, those problems result in high false positive rates in immune-inspired intrusion detection systems. We believe that applying danger theory in a multi-agent environment that computationally emulates the behavior of natural immune systems is effective in reducing false positive rates. We first describe a simplified scenario of immune response in natural systems based on danger theory and then convert it into a computational model expressed as a network protocol. In our protocol, we define several immune signals and model cell signaling as message passing between agents that emulate cells. Most messages carry application-specific patterns that must be meaningfully extracted from various system properties. Finally, we provide a few rules of thumb that simplify the task of pattern extraction in most distributed systems.

“Do not just declare things to be irreducibly complex...” Richard Dawkins
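The following is an added illustration of the abstract's central claim, not the protocol from the paper itself: two detector agents consume the same stream of messages, one applying pure self-nonself discrimination and one gating its alerts on a danger signal from the same host. The pattern format (`process:syscall` strings), the self set, the error-rate danger indicator, the 0.3 threshold and the message sequence are all constructed for this example and are not taken from the page.

```python
"""Nonself-only vs. danger-gated detection over a stream of agent messages.

Added example (not the paper's protocol). Assumptions, none from the page:
- A pattern is a "<process>:<syscall>" string extracted by a pattern agent.
- SELF_PATTERNS is a fixed set of known-good patterns (constructed).
- A tissue agent reports a per-host error rate; at or above DANGER_THRESHOLD
  this is treated as a danger signal (threshold chosen arbitrarily).
"""
from dataclasses import dataclass

# Constructed self set of known-good patterns.
SELF_PATTERNS = frozenset({
    "httpd:accept", "httpd:read", "httpd:write",
    "sshd:accept", "sshd:read", "cron:execve",
})

DANGER_THRESHOLD = 0.3  # assumed: error rate >= this counts as danger


@dataclass(frozen=True)
class PatternMessage:
    """Emitted by a pattern-extraction agent on a host."""
    host: str
    pattern: str


@dataclass(frozen=True)
class DangerMessage:
    """Emitted by a tissue agent: fraction of recent requests that failed."""
    host: str
    error_rate: float


@dataclass(frozen=True)
class Alert:
    host: str
    pattern: str


class NonselfDetector:
    """Traditional self-nonself discrimination: alert on every unknown pattern."""

    def __init__(self, self_set=SELF_PATTERNS):
        self.self_set = self_set
        self.alerts = []

    def receive(self, msg):
        if isinstance(msg, PatternMessage) and msg.pattern not in self.self_set:
            self.alerts.append(Alert(msg.host, msg.pattern))


class DangerGatedDetector:
    """Danger-theory variant: an unknown pattern only raises an alert when the
    most recent danger signal from the same host is above threshold."""

    def __init__(self, self_set=SELF_PATTERNS, threshold=DANGER_THRESHOLD):
        self.self_set = self_set
        self.threshold = threshold
        self.danger = {}  # host -> latest reported error rate
        self.alerts = []

    def receive(self, msg):
        if isinstance(msg, DangerMessage):
            self.danger[msg.host] = msg.error_rate
        elif isinstance(msg, PatternMessage):
            nonself = msg.pattern not in self.self_set
            in_danger = self.danger.get(msg.host, 0.0) >= self.threshold
            if nonself and in_danger:
                self.alerts.append(Alert(msg.host, msg.pattern))


def run(detector, messages):
    """Deliver messages in order and return the alerts the detector raised."""
    for msg in messages:
        detector.receive(msg)
    return detector.alerts


# Constructed message stream: web1 gets a benign software upgrade that
# introduces two new syscall patterns while its error rate stays low; web2
# shows a new pattern while its error rate has spiked.
SAMPLE_MESSAGES = [
    DangerMessage("web1", 0.02),
    PatternMessage("web1", "httpd:accept"),
    PatternMessage("web1", "httpd:sendfile"),  # new after upgrade, benign
    PatternMessage("web1", "httpd:openat"),    # new after upgrade, benign
    DangerMessage("web2", 0.55),               # error rate spike on web2
    PatternMessage("web2", "httpd:execve"),    # unknown pattern under danger
    PatternMessage("web2", "httpd:read"),
]


def compare(messages=SAMPLE_MESSAGES):
    """Run both detectors over the same stream; returns alerts per strategy."""
    return {
        "nonself_only": run(NonselfDetector(), list(messages)),
        "danger_gated": run(DangerGatedDetector(), list(messages)),
    }


if __name__ == "__main__":
    for name, alerts in compare().items():
        print(f"{name}: {len(alerts)} alert(s)")
        for a in alerts:
            print(f"  {a.host} {a.pattern}")
```

On the constructed stream the nonself-only detector raises three alerts, two of which are the benign upgrade on web1; the danger-gated detector raises only the web2 alert, because the web1 patterns are unknown but unaccompanied by any sign of damage. The flip side, which is my own design observation rather than a claim from the abstract, is that gating on damage means an unknown pattern that causes no measurable disturbance is not reported, so the choice of which system properties feed the danger signal decides what the detector can see.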
