Sensing danger: Innate immunology for intrusion detection

https://doi.org/10.1016/j.istr.2007.10.003

Abstract

The immune system provides an ideal metaphor for anomaly detection in general and computer security in particular. Based on this idea, artificial immune systems have been used for a number of years for intrusion detection, unfortunately so far with little success. However, these previous systems were largely based on immunological theory from the 1970s and 1980s, and over the last decade our understanding of immunological processes has vastly improved. In this paper we present two new immune-inspired algorithms based on the latest immunological discoveries, such as the behaviour of Dendritic Cells. The resultant algorithms are applied to real-world intrusion problems and show encouraging results. Overall, we believe that there is a bright future for these next-generation artificial immune algorithms.

Introduction

Artificial immune systems (AISs) provide an ideal inspiration for computer security in general and intrusion detection systems (IDSs) in particular. AISs have been successfully applied to a number of problem domains including fault tolerance, data mining and computer security (Kim et al., 2007). The algorithms central to many AISs and in particular those applied to computer security (Hofmeyr and Forrest, 2000) were based on relatively simplistic models of T-cells, such as the negative selection algorithm. Unfortunately, these simple algorithms have been shown to scale poorly and produce low detection rates often with excessive false positive rates. This effect has been proven both experimentally (Kim and Bentley, 2001) and theoretically (Stibor, 2006). A general overview of this area of research is given in Kim et al. (2007).

Yet, the biological immune system is a very effective anomaly detector – surely we should be able to build AISs which do the same? This is the puzzle that started our work some five years ago through the so-called ‘Danger Project’ (EPSRC GR/S47809/01). Our conclusion then was that AIS algorithms to date have largely been inspired by the adaptive immune system and by biologically naïve models. We hypothesised that new research in AIS needs to focus on building more biologically realistic algorithms which are inspired by both the innate and the adaptive immune systems. This is because both of these components of the human immune system are vital to the high level of protection the immune system provides to the host. This paper gives a summary of the work that has happened so far towards the goal of discovering the ‘missing link’ between AIS and IDS.

The aim of this paper is to provide an overview of two algorithms developed as part of the Danger Project – the Dendritic Cell Algorithm (DCA) and the Toll-like Receptor Algorithm (TLR). Both algorithms were developed in parallel within the scope of the project. Whilst using similar immunological concepts for inspiration, both algorithms focus on different aspects of innate immunology to form the basis of the algorithms. In this paper the motivation for the development of both algorithms is provided in Section 2, in addition to relevant immunological context information. This is followed by a summary of the development of both algorithms. Finally we conclude with a qualitative comparison between the two algorithms and suggest future directions for the developed systems.

Section snippets

Background

The motivation of the Danger Project was to understand the actual intrusion detection mechanisms employed by the immune system and to capture the essence of these mechanisms through an abstraction process. These abstract models are implemented to form feasible algorithms, capable of performing a useful computational function. In order to achieve this, an in-depth understanding had to be achieved in an emerging concept in immunology known as the ‘Danger Theory’. The Danger Theory (Matzinger, 1994

The libtissue system

The aim of this section is to summarise the implementation of libtissue, a prototype software system for building second-generation AISs and applying them to real-world problems. The libtissue software allows researchers to implement AISs as multi-agent systems and analyse the behaviour of these systems when they are applied to real-world problems. This API framework uses the notion of compartmentalisation (Twycross and Aickelin, 2006) and tissue to give the system a sense of embodiment.

This

The TLR algorithm

The ‘TLR’ algorithm is based on innate immune principles and includes abstracted versions of T-cells, naively implemented DCs, negative selection, tissue compartments and lymph nodes. This work encompasses concepts drawn from central tolerance and from the signal model from the infectious non-self theory (Medzhitov and Janeway, 2002). The TLR algorithm is based on two populations of interacting cells, namely DCs and T-cells. The DCs implemented in TLR collect antigen from an antigen store, and

The Dendritic Cell Algorithm (DCA)

The DCA is based on an abstract model of DC behaviour, initially presented in Greensmith et al. (2005). In nature, DCs perform the function of antigen presentation, where debris found in tissue are collected by DCs, processed to form antigen and presented to the adaptive immune system in combination with context information. The context information is derived through the DCs' processing of various signals, found in the tissue at the time of antigen collection (Lutz and Schuler, 2002). As a
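A simplified sketch of the antigen-and-signal correlation described above, added here as an example; it is not the authors' implementation and not libtissue code, and it goes beyond the text on this page. The three signal categories (PAMP, danger, safe), the weights, the migration thresholds, the process names and the event stream are assumptions constructed for illustration.

```python
import random
from collections import defaultdict

# Assumed weights (illustrative): effect of each input signal on a cell's outputs.
WEIGHTS = {
    "csm":    {"pamp": 2.0, "danger": 1.0, "safe": 2.0},   # costimulation
    "semi":   {"pamp": 0.0, "danger": 0.0, "safe": 3.0},   # safe context
    "mature": {"pamp": 2.0, "danger": 1.0, "safe": -3.0},  # danger context
}

class DendriticCell:
    def __init__(self, threshold):
        self.threshold = threshold          # migration threshold on csm
        self.out = dict.fromkeys(WEIGHTS, 0.0)
        self.antigen = []

    def sample(self, antigen, signals):
        """Store one antigen and fuse the current signals; True = migrate."""
        self.antigen.append(antigen)
        for name, w in WEIGHTS.items():
            self.out[name] += sum(w[s] * signals[s] for s in w)
        return self.out["csm"] >= self.threshold

    def context(self):                      # 1 = danger, 0 = safe
        return 1 if self.out["mature"] > self.out["semi"] else 0

def run_dca(events, n_cells=10, seed=1):
    """Per-antigen MCAV: fraction of presentations made in danger context."""
    rng = random.Random(seed)
    new_cell = lambda: DendriticCell(rng.uniform(5, 15))
    cells = [new_cell() for _ in range(n_cells)]
    seen = defaultdict(lambda: [0, 0])      # antigen -> [danger, total]
    def present(cell):
        for a in cell.antigen:
            seen[a][0] += cell.context()
            seen[a][1] += 1
    for antigen, signals in events:
        i = rng.randrange(n_cells)          # a random cell samples the tissue
        if cells[i].sample(antigen, signals):
            present(cells[i])
            cells[i] = new_cell()           # migrated cell is replaced
    for cell in cells:                      # flush cells that never migrated
        present(cell)
    return {a: m / t for a, (m, t) in seen.items()}

# Constructed event stream: (process name as antigen, signals measured then).
QUIET = {"pamp": 0.0, "danger": 0.0, "safe": 1.0}
SCAN = {"pamp": 1.0, "danger": 1.0, "safe": 0.0}
EVENTS = [("sshd", QUIET)] * 200 + [("portscan", SCAN)] * 200
```

Calling `run_dca(EVENTS)` returns one score per process name; a score near 1 marks a process whose activity coincided with danger signals, and a cutoff such as 0.5 (an assumption) turns the score into an alert.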

Discussion and conclusions

In this paper we have presented the development and application of two algorithms based on the Danger Theory, namely the TLR algorithm and the DCA. Both algorithms employ abstract concepts inspired by innate immunology. In particular, models of DCs are used and abstract computational implementations of these models form the cornerstone of both algorithms. DCs are crucial to the protection provided by the natural human immune system and therefore we believe these cells to have an important role

Acknowledgments

This project is supported by the EPSRC, grant number GR/S47809/01, UCL, UWE and HPLabs.


References (25)

  • Lutz MB, et al. Immature, semi-mature and fully mature dendritic cells: which signals induce tolerance or immunity? Trends in Immunology; 2002.
  • Aickelin U, Cayzer S. The danger theory and its application to artificial immune systems. In: Proceedings of the 1st...
  • CERT. Advisory CA-2000-13 two input validation problems in FTPD.
  • Greensmith J, Aickelin U, Cayzer S. Introducing dendritic cells as a novel immune-inspired algorithm for anomaly...
  • Greensmith J, Aickelin U, Twycross J. Articulation and clarification of the dendritic cell algorithm. In: ICARIS-06,...
  • Greensmith J, Twycross J, Aickelin U. Dendritic cells for anomaly detection. In: CEC-06, Vancouver, Canada; 2006. p....
  • Greensmith J, Aickelin U. Dendritic cells for SYN scan detection. In: Proceedings of the genetic and evolutionary...
  • Greensmith J. The dendritic cell algorithm. School of Computer Science, PhD thesis. UK; 2007.
  • Greensmith J, Aickelin U, Tedesco G. Information fusion and anomaly detection with the dendritic cell algorithm....
  • Hobbit. Bugtraq. The FTP bounce attack.
  • Hofmeyr S, Forrest S. Immunity by design. In: Proceedings of GECCO; 1999. p....
  • Hofmeyr S, et al. Architecture for an artificial immune system. Evolutionary Computation; 2000.

Dr Uwe Aickelin received a Management Science degree from the University of Mannheim, Germany, in 1996 and a European Master and PhD in Management Science from the University of Wales, Swansea, UK, in 1996 and 1999, respectively.

Immediately following his PhD, he joined the University of the West of England in Bristol, where he worked for three years in the Mathematics Department as a lecturer in Operational Research. In 2002, he accepted a lectureship in Computer Science at the University of Bradford, mainly focusing on computer security. Since 2003 he has worked for the University of Nottingham in the School of Computer Science, where he is now a Reader in Computer Science and Director of the Inter-disciplinary Optimisation Laboratory.

Dr Aickelin currently holds an EPSRC Advanced Fellowship focusing on Artificial Immune Systems, anomaly detection and mathematical modelling. In total, he has been awarded over £2 million EPSRC research funding as Principal Investigator (including an Adventure Grant and two IDEAS Factory projects) on topics including Artificial Immune Systems, Danger Theory, Computer Security, Robotics and Agent Based Simulation. Dr Aickelin is an Associate Editor of the IEEE Transactions on Evolutionary Computation, the Assistant Editor of the Journal of the Operational Research Society and an Editorial Board member of Evolutionary Intelligence.

Dr Julie Greensmith is a Post-doctoral researcher at the University of Nottingham. She gained a BSc in Pharmacology from the University of Leeds, UK in 2002 and an MSc in Multidisciplinary Informatics in 2003, also from the University of Leeds. Following a brief spell in industry working for HP Labs, Bristol, she completed a PhD in Computer Science at the University of Nottingham in 2007.

It was during this time as an MSc student that she became interested in Artificial Immune Systems, which led on to her PhD research, under the supervision of Dr Uwe Aickelin. Her research was performed through an interdisciplinary project which aimed to improve Artificial Immune Systems through the incorporation of a principle known as the Danger Theory. As part of this work, she has developed a means of intrusion detection which is based on an algorithm abstracted from the behaviour of the Dendritic cells of the human immune system. As a Post-doctoral researcher, her work now involves extending this algorithm, producing a formal analysis of its behaviour and applying it to real-time problems including earthquake prediction and numerous computer security applications. This research is conducted through Dr Aickelin's EPSRC Advanced Fellowship which focuses on Artificial Immune Systems, anomaly detection and mathematical modelling.