Detecting Anomalous Process Behaviour Using Second Generation Artificial Immune Systems

Artificial Immune Systems (AIS) have been successfully applied to a number of problem domains, including fault tolerance and data mining, but have been shown to scale poorly when applied to computer intrusion detection, despite the fact that the biological immune system is a very effective anomaly detector. This may be because AIS algorithms have previously been based on the adaptive immune system and on biologically naive models. This paper focuses on describing and testing a more complex and biologically authentic AIS model, inspired by the interactions between the innate and adaptive immune systems. Its performance on a realistic process anomaly detection problem is shown to be better than standard AIS methods (negative selection), policy-based anomaly detection methods (systrace), and an alternative innate AIS approach (the Dendritic Cell Algorithm, DCA). In addition, it is shown that runtime information can be used in combination with system call information to enhance detection capability.