Information fusion for anomaly detection with the dendritic cell algorithm
Introduction
Dendritic cells (DCs) are natural anomaly detectors. In this paper we present a dendritic cell algorithm (DCA) approach to information fusion, combining key elements of immunological theory with the engineering principles of data fusion. In the human immune system, DCs have the power to suppress or activate the immune system by correlation of signals representing their environment, combined with locality markers in the form of antigens. An antigen is any protein to which the immune system can potentially respond. DCs are responsible for the detection of pathogens in the human body through the correlation of information (in the form of molecular signals) within the environment. By using an abstraction of DC behaviour, similar detection properties are shown, resulting in an algorithm capable of performing anomaly detection. The resultant algorithm uses a set of weights derived for the processing of input signals from actual immunological data, generated through an interdisciplinary collaboration with immunologists [32].
DCs in particular are suitable as inspiration for intrusion detection for two reasons. Firstly, DCs themselves perform an intrusion detection role within the human immune system. Secondly, DCs perform their function with low rates of false positives and high rates of true positives – properties essential to any anomaly detection technique. In essence, by processing environmental molecular signals, DCs act as multi-sensor data fusion agents. This makes them ideal inspiration for the development of a data fusion algorithm.
The DCA was introduced in 2005 [8] and has demonstrated potential as a classifier for static machine learning data [8], as a simple port scan detector under experimental conditions [10] and in real time [9]. Our results show that the DCA can successfully detect anomalous processes forming a port scan attack. The DCA is inspired by the human immune system and is termed an artificial immune system (AIS). While the majority of AIS algorithms do not perform data fusion, idiotypic network models are used for the purpose of robotic control [12]. Although belonging to the field of artificial immune systems, the DCA differs from other immune inspired anomaly detection algorithms in a number of significant ways:
- The algorithm is based on cutting edge experimental immunology.
- DCs combine multiple signals to assess the current context of their environment.
- Asynchronously DCs sample another data-stream (antigen) to be combined with the fused signals.
- The correlation between context and antigen leads to the detection of anomalies.
- Unlike other anomaly detection algorithms, there is no pattern matching based on string similarity metrics.
The aims of this paper are threefold: to model artificial DCs drawing inspiration from the DCs of the human immune system; to present a resultant algorithm through a formalised description; and to apply the algorithm to an example anomaly detection problem. As the algorithm is novel, it is not yet fully characterised. As a result, fine grained analysis of the selection of weights and comparison to other standard techniques are not discussed in this paper. Please refer to [11] for further experiments.
In this paper the DCA is applied to the detection of a port scan, which forms a convenient small-scale computer security problem. Section 2 contains relevant background information regarding the problem of port scans and current scanning detection techniques. Section 3 presents the biological inspiration of the DCA, a summary of relevant developments in immunology, and rudimentary DC biology. This is followed by Sections 4 and 5, describing the abstraction process, a formalised description of the DCA and its implementation as an anomaly detector. This is followed by experimentation with its application as a port scan detector. Section 6 includes a sensitivity analysis of a selection of parameters. The paper concludes with a discussion of the results of the port scan investigation and suggestions for future work.
Section snippets
Anomaly detection and port scanning
One notable application area of multi-sensor data fusion is anomaly detection, a technique used in Intrusion Detection, which uses behaviour based approaches to detect abuse and misuse of computer systems. Traditional approaches to computer security have relied on signature based approaches for the detection of intruders. Network based intrusion detection systems (IDS) such as Snort [25] cross reference patterns of network packets against a database of known intrusions. If a packet matches any
The immune system: A DC’s perspective
The human immune system is a complex and robust system, viewed as a homeostatic protection agent [5]. It seeks out harmful pathogens, clearing them from the body and performing maintenance and repair. Classically the immune system is sub-divided into two distinct systems: the innate and adaptive immune system.
The innate immune system contains a variety of cells including macrophages and DCs amongst others [14]. The innate immune system is the first line of defence against attack from invading
From in vivo to in silico
Through close collaboration with immunologists [32], we have abstracted what we believe to be the essential features of DC biology. DCs are examined from a cellular perspective, which includes the differentiation states, interaction with signals and antigen. Representations of signals, antigen and the different DC states form the core of this abstraction. The following properties of DC function are used, and summarised in Fig. 2:
- Signals and antigen:
  (1) Exposure to signals initiates maturity of an
The dendritic cell algorithm
The DCA is an algorithm which uses a population of agent-like, software-based artificial DCs which combine data from disparate sources. This description of the DCA is based on an implemented version of the algorithm made possible through the use of the libtissue framework [30].
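The fusion described above, as an added Python example (not the paper's code and not libtissue): each artificial DC accumulates weighted PAMP, danger and safe signals, samples antigen, and presents that antigen in a mature or semi-mature context once its migration threshold is reached; the MCAV of an antigen is computed here as the fraction of its presentations made in a mature context. The weights, thresholds, round-robin antigen sampling, process names and input stream are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed illustrative weights: output signal -> weights for (PAMP, danger, safe).
WEIGHTS = {"csm": (2.0, 1.0, 2.0), "semi": (0.0, 0.0, 3.0), "mature": (2.0, 1.0, -3.0)}

class DendriticCell:
    def __init__(self, threshold):
        self.threshold = threshold              # migration threshold on the CSM output
        self.out = dict.fromkeys(WEIGHTS, 0.0)  # cumulative output signals
        self.antigen = []                       # antigen sampled during this lifetime

    def update(self, signals):
        """Fuse one (PAMP, danger, safe) vector; return True when the cell migrates."""
        for name, w in WEIGHTS.items():
            self.out[name] += sum(wi * si for wi, si in zip(w, signals))
        return self.out["csm"] >= self.threshold

    def context(self):
        """1 = mature (anomalous) context, 0 = semi-mature (normal) context."""
        return 1 if self.out["mature"] > self.out["semi"] else 0

def run_dca(stream, thresholds=(5.0, 10.0, 15.0)):
    """Return antigen -> fraction of presentations made in a mature context (MCAV)."""
    cells = [DendriticCell(t) for t in thresholds]
    counts = defaultdict(lambda: [0, 0])        # antigen -> [mature, total]

    def present(cell):
        for ag in cell.antigen:
            counts[ag][0] += cell.context()
            counts[ag][1] += 1

    for i, (antigen, signals) in enumerate(stream):
        cells[i % len(cells)].antigen.append(antigen)   # one cell samples the antigen
        for k, cell in enumerate(cells):                # every cell sees the signals
            if cell.update(signals):
                present(cell)
                cells[k] = DendriticCell(thresholds[k]) # replace the migrated cell
    for cell in cells:                                  # flush cells still sampling
        present(cell)
    return {ag: m / n for ag, (m, n) in counts.items()}

# Constructed input: a shell process under safe signals, then an attack window in
# which a scanning process dominates and the shell appears every fifth step.
NORMAL, ATTACK = (0.0, 0.1, 0.9), (0.8, 0.6, 0.1)
STREAM = [("shell_proc", NORMAL)] * 30 + [
    ("shell_proc" if j % 5 == 4 else "scan_proc", ATTACK) for j in range(30)]

if __name__ == "__main__":
    for antigen, mcav in sorted(run_dca(STREAM).items()):
        print(f"{antigen}: MCAV = {mcav:.3f}")
```

The shell process is active during the attack window and so collects some mature presentations, but its MCAV stays low because most of its antigen was sampled under safe signals; no string or pattern matching on the antigen is involved.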
PSI: ping scan investigation
The purpose of this investigation is as follows:
(1) To apply the DCA to anomaly detection through bio-inspired data fusion.
(2) To show how the system responds to the modification of signal mappings.
(3) To understand the sensitivity of the system parameters and the sensitivity of the weights of the signal processing function.
In this paper, port scanning is used as a model intrusion, and is described in Section 2. The DCA is applied to the detection of an outgoing port scan across a range of IP addresses,
Analysis
In experiment M1 distinct differences are shown in the behaviour of the algorithm for the detection of normal and anomalous processes. The MCAV for the anomalous processes is significantly larger than the MCAV of the normal. This is encouraging as it shows that the DCA can differentiate between two different types of process based on environmentally derived signals. In experiment M2 the PAMP and danger signals were switched. In comparison with the results presented for experiment M1, the MCAV
Conclusions and future work
In this paper the DCA is described in detail and interesting facets of the algorithm are presented. The DCA combines inspiration from the immune system with principles of information fusion to produce an effective anomaly detection technique. The importance of careful signal selection has been highlighted through signal mapping experiments. The DCA is somewhat robust to misrepresentation of the activating danger and PAMP signals, but care must be taken to select a suitable safe signal as an
Acknowledgement
This project is supported by the EPSRC, Grant Number GR/S47809/01. DC photographs provided by Dr. Julie McLeod and colleagues at UWE, UK. Graphic design by Mark Hammonds.
References (32)
- et al., Death by design: apoptosis, necrosis and autophagy, Current Opinion in Cell Biology (2004)
- An innate sense of danger, Seminars in Immunology (1998)
- U. Aickelin, P. Bentley, S. Cayzer, J. Kim, J. McLeod, Danger theory: the link between ais and ids, in: Proceedings of...
- G. Bakos, V.H. Berk, Early detection of internet worm activity by metering icmp destination unreachable messages, in:...
- P. Bentley, J. Greensmith, S. Ujjin, Two ways to grow tissue for artificial immune systems, in: Proceedings of the...
- R. Clayton, Stopping spam by extrusion detection, in: Proceedings of the First Conference on Email and Anti Spam,...
- Tending Adam’s Garden: Evolving the Cognitive Immune Self (2004)
- An innately interesting decade of research in immunology, Nature Medicine (2004)
- J. Greensmith, U. Aickelin, S. Cayzer, Introducing dendritic cells as a novel immune-inspired algorithm for anomaly...
- J. Greensmith, U. Aickelin, J. Twycross, Articulation and clarification of the dendritic cell algorithm, in:...
- Architecture for an artificial immune system, Evolutionary Computation
- Immunobiology: the immune system in health and disease
- Approaching the asymptote? Evolution and revolution in immunology, Cold Spring Harbor Symposia on Quantitative Biology