Applied Soft Computing 11 (2011) 12751283

Contents lists available at ScienceDirect

Applied Soft Computing

journal homepage: www.elsevier.com/locate/asoc

A cooperative immunological approach for detecting network anomaly

Tarek S. Sobh a, , Wael M. Mostafa b
a
Information Systems Department, Egyptian Armed Forces, Cairo, Egypt
b
Computer Science Department, Faculty of Computers and Information, Cairo University, Egypt

a r t i c l e i n f o a b s t r a c t

Article history: Technology and biological systems have now bi-directional relation that each benets from the other.
Received 9 October 2007 Biological systems naturally enjoy many attractive features and inherent intelligence that t in solving
Received in revised form 10 March 2010 many research problems. The natural immune system as one of those biological systems is considered a
Accepted 14 March 2010
good source of inspiration to articial defense systems. It has its own intelligent mechanisms to detect
Available online 19 March 2010
the foreign bodies and ght them and without it, an individual cannot live, even just for several days. The
new types of network attacks evolved and became more complex, severe and hard to detect. This resulted
Keywords:
in increasing need for network defense systems, and especially those with unordinary approaches or with
Network security
Intrusion Detection System
ability to face the dynamic nature of new and continuously changing network threats.
Articial Immune In this work we investigate different AIS theories and show how to combine different ideas to solve
Danger Theory problems of network security domain. An Intrusion Detection System (IDS) that apply those ideas was
built and tested in a real-time environment to test the pros and cons of Articial Immune System (AIS)
and clarify its applicability. Also some investigation on the vaccination biological process is introduced.
A special module was built to perform this process and check its usage and how it could be formulated
in articial life.
2010 Elsevier B.V. All rights reserved.

1. Introduction
Since Ishiguro published the rst Articial Immune System (AIS)
computational model in 1994 [1], several new AIS models have
been proposed to solve different kinds of problems such as cluster-
ing, data analysis, and classication. Nowadays, AISs have become
a well established area of research in the eld of Articial Immune
Systems. Inspired by the mammalian immune system, AIS seek to
use observed immune components and processes as metaphors
to produce systems that encapsulate a number of desirable prop-
erties of the natural immune system. These systems are then
applied to solve problems in a wide variety of domains [18,22,27].
There are a number of motivations for using the immune system
as inspiration for data mining; these include recognition, diver-
sity, memory, self-regulation, dynamic protection and learning
[5].
The objective of this paper is to investigate more on the
immunological theories such as self/non-self and danger theories
and their appropriateness for network security domain like other
soft computing approaches that was used in this domain such as
neural network and fuzzy systems. We also tried to propose how we
Corresponding author. Tel.: +20 0224097545.
E-mail addresses: tarekbox2000@yahoo.com,
tarekbox2000@gmail.com (T.S. Sobh).
can use many theories in one system as different detection engines
and make decisions based on consolidated output from different
detectors. The work also included dening new term in the eld
which is vaccination. This biological process though widely used
in natural life was not introduced before in articial life. We tried
to provide simple model of vaccination module and show how it
could be incorporated with other modules.
The paper is structured as follows: Section 2 explains some
background information about immune system while Section 3
explains some background information about Intrusion Detection
System. Section 4 states some related works, Section 5 illustrates
the proposed system idea and architecture, Section 6 discuss sys-
tem results, and Section 7 is a comparative study. Finally, Section 7
contains conclusion.
2. Articial Immune System
AIS are computational systems, inspired by theoretical
immunology and observed immune functions, which are applied to
complex problem domains [18,22,27]. AIS were developed from the
eld of theoretical immunology in the mid-1980. It was suggested
that computer science (CS) might look at the Immune System. Those
systems undergo a lot of evolution since then and many researchers
tried to use this metaphor in solving a wide variety of problems.
AIS use many biologically inspired algorithms and theories. Exam-
ples of algorithms are Negative Selection, Positive Selection, and

1568-4946/$ see front matter 2010 Elsevier B.V. All rights reserved.
doi:10.1016/j.asoc.2010.03.004
1276 T.S. Sobh, W.M. Mostafa / Applied Soft Computing 11 (2011) 12751283
Fig. 1. Framework for AIS design.
Clonal Selection. Examples of theories are Self/Non-Self Theory and
Danger Theory [9,14,22,32].
The immune system is a natural, rapid and effective defense
mechanism for a given host against infections. It consists of a two-
tier line of defense, these are known as the innate immune system
and adaptive immune system. The innate immune system is the
rst line of defense against several types of microorganisms and is
considered essential to the control of common bacterial infections.
The adaptive immune system can detect novel attacks and contain
memory so the response time for same attacks is decreased. While
the adaptive immune response results in immunity against new
attacks and re-infection to the same infectious agent, the innate
immune response remains constant along the lifetime of an indi-
vidual, independent of antigenic exposure. However, the cells of
the innate immune system have a crucial role in the initiating and
regulating of the adaptive immune response [18,22,27].
When people thought of natural immune system as a new source
of inspiration for CS applications, they found a lot of appealing
features for many application domains. The immune system is
diverse, which greatly improves robustness, on both a population
and individual level. For example, different people are vulnerable
to different microbes. It is distributed, consisting of many compo-
nents that interact locally to provide global protection, so there is
no central control and hence no single point of failure. It is error tol-
erant in that a few mistakes in classication and response are not
catastrophic. It is dynamic, i.e. individual components are contin-
ually created, destroyed, and are circulated throughout the body,
which increases the temporal and spatial diversity of the immune
system allowing it to discard components that are useless or dan-
gerous and improve on existing components. It is self-protecting,
i.e. the same mechanisms that protect the body also protect the
immune system itself; and it is adaptable, i.e. it can learn to recog-
nize and respond to new microbes, and retain a memory of those
microbes to facilitate future responses [7,15].
According to the mentioned features and others the AIS frame-
work is used in a wide range of applications such as Scheduling,
Diagnosis, Optimization, Learning, Virus Detection and Network
Intrusion detection. Specically the last two domains are the most
direct applications of AIS according to the similar functionalities of
the natural and articial systems.
AIS design framework has specic steps in solving problems as
shown below in Fig. 1. To solve a specic problem those steps are
typically followed after mapping them to the problem domain. The
First Step is to determine the problem domain that for example
in our case is building an anomaly based IDS [6,11]. The Second
Step is to represent the problem elements in an immune-like form.
For example we used a vector of communication packet data (i.e.
Source IP and Port, Destination IP and Port and Used Protocol) as the
biological cell in natural immune system. The Third Step is to mea-
sure the afnity or tness of the different cells that were formed in
step number 2 in order to rene and order them. This step needs
development of an equation to judge the cells based on the objec-
tive of the solution. The Fourth Step is to pick an algorithm or more
than one that is best r for the application domain from the set of
algorithms offered by the AIS framework.
Immunology is a big branch of science that has its own theories.
As any other kind of science there are always debates about old
theories and new ones and if they really represent a good under-
standing of the nature. The most important theories that we deal
with in this paper are the old Self/Non-Self Theory and the relatively
new Danger Theory (DT).
2.1. Self/Non-Self Theory
It has been long observed that when pathogens, destructive
microorganisms such as viruses or bacteria, enter the body, the
immune system removes them and returns the body to a healthy
state. Naturally then, the purpose of the immune system is often
seen as that of a protector or defender of the body. Since the
immune system reacts to pathogens (non-self in immunological
terms) but not to the body (self), it also seems logical to conclude
that the immune system provides this protection by discriminat-
ing self from non-self. Defense by self/non-self discrimination has
formed the basis of the majority of immunological models since the
middle of the last century, and this view of the immune system is
still widely accepted by immunologists today [31]. Earlier models
of immunity were based around the idea that host constituents
(self) are ignored by the immune system, while other elements
(non-self), such as pathogens, foreign substances or altered self,
are reacted to [8,9,15].
From immunological point of view the Self/Non-Self Theory could
not help in some situations like: (Matzinger) [http://wikipedia.org/
wiki/Polly Matzinger]:
The human body changes over its lifetime and thus self changes
as well. Therefore, the question arises whether defenses against
non-self learned early in life might be auto-reactive later.
Other aspects that seem to be at odds with the traditional view-
point are autoimmune diseases and certain types of tumors that
are fought by the immune system (both attacks against self) and
successful transplants (no attack against non-self).
There is no immune reaction to foreign bacteria in the gut or to
the food we eat although both are foreign entities. Conversely,
some auto-reactive processes are useful, for example against self-
molecules expressed by stressed cells.
The denition of self is problematic realistically, self is conned
to the subset actually seen by the lymphocytes during matura-
tion.
So the Danger Theory was proposed to give a different under-
standing.
2.2. Danger Theory
The Danger Theory main idea is that the immune system recog-
nizes danger rather than non-self. The screening is accomplished
post-production through an external danger signal. Thus the pro-
duction of auto-reactive antibodies (which react to self) is allowed
[22,24]. If an (e.g. auto-reactive) antibody matches a stimulus in
the absence of danger, it is removed. Thus harmless antigens are
tolerated, and changing self-accommodated.
The Danger Theory provides an alternative view of the activation
of the immune system [24]. Unlike the detection of non-self anti-
gens or pathogenic molecules, the danger model proposes that the
immune system detects the presence of danger signals, released
as a result of necrotic cell death within the host tissue. Necrosis
is the result of cellular damage and stress caused by pathogenic
infection or exposure to extreme conditions. The metabolites of
internal cell components are thought to form the danger signals
 T.S. Sobh, W.M. Mostafa / Applied Soft Computing 11 (2011) 12751283
Fig. 2. First and second generation Articial Immune Systems (AISs) [12].
and are released into the surround buffer uid. The cell membrane
loses its integrity, releasing its contents (e.g. DNA, mitochondria)
into the surrounding tissue uid [9,26]. The Danger Theory pro-
poses that the immune system is sensitive to changes in the danger
signal concentration in the tissue. Conversely, when then tissue
is healthy, cells die in a controlled manner, known as apopto-
sis. Immunosuppressive molecules (safe signals) are released as
an indicator of normality in the tissue. In essence, the Danger
Theory consists of active suppression while the tissue is healthy,
combined with rapid activation on receipt of necrotic danger sig-
nals.
Recently the term Second Generation AIS was coined by
Twycross [12]. The idea as shown in Fig. 2 is to view the immune
system as two interacting subsystems: the innate and adaptive
immune systems. This emphasizes the role of the innate system
which is largely responsible for the control of the adaptive system.
A rst generation AIS employs algorithms inspired by the biological
adaptive immune system, while a second generation AIS employs
algorithms inspired by both the biological innate and adaptive
immune systems. The relationship is inclusive in that second gen-
eration AISs combine existing adaptive-inspired algorithms with
new innate-inspired algorithms.
3. Intrusion Detection System
A typical Intrusion Detection System (IDS) functions are to
acquire information about its environment to analyze system
behavior, discover security breaches, attempted breaches, and open
vulnerabilities that could lead to potential breaches [6,11,27,30].
IDS as shown in Fig. 3 is composed mainly of Analyzer to audit the
network data, Detection Engines to make decisions based on avail-
Fig. 4. Classication of IDS.
1277
Fig. 3. Components of IDS.
able data and system experience (intelligence), and a Resolver that
combine detection engines results and alert the user or log an entry
in DB.
IDS may be classied according to approach, structure and so
on. As shown in Fig. 4 there are many factors that affect the design
goals of IDS [30]. In this paper the focus is on the approach based
classication. In this classication we have 2 system types:
Misuse based IDS in which there are ways to represent attacks in
the form of a pattern or a signature so that even variations of the
same attack can be detected. They can detect many or all known
attack patterns, but they are of little use for unknown attack
methods. Expert systems, Key Stroke Monitoring, Model based
IDS, State transition analysis and Pattern Matching are examples
of used techniques in this type of IDS.
Anomaly detection based IDS which assume that all intrusive
activities are necessarily anomalous. Anomalous activities that
are not intrusive are agged as intrusive. Intrusive activities that
are not anomalous result in false negatives (events are not agged
intrusive, though they actually are). This type of IDS is computa-
tionally expensive because of the overhead of keeping track of,
and possibly updating several system prole metrics [27]. Statis-
1278 T.S. Sobh, W.M. Mostafa / Applied Soft Computing 11 (2011) 12751283

Fig. 5. The dynamic evolvement of agents [14].

Fig. 6. LISYS architecture [4].

tical approaches, Data Mining, Rate Limiting and Soft Computing
are examples of used techniques in this type of IDS.
4. Related work
Several works can detect network anomaly using AIS [4,13,14].
All of them were based in immunological approaches but with dif-
ferent implementations and architectures. The ultimate goal was
always to make a system that is very close to the humane system,
which is naturally rich with features like Robustness, Congura-
bility, Extendibility, Scalability, Adaptability, Global Analysis and
Efciency [9,14,21,23].
4.1. DAMIDAIS
Yang et al. [14] combined agent model with AIS concepts to
give promising solution for building intelligent network security
systems.
Authors put forward a distributed agents model for intrusion
detection based on Articial Immune Systems, i.e. the DAMIDAIS.
The dynamic evolution models and the corresponding recursive
equations of self, antigen, immune-tolerance, lifecycle of mature
agent and immune memory are presented. DAMIDAIS contains
hierarchical structure of intelligent agents these agents are Sen-
sor Agents, Analyzer Agents, Manager Agents, Messages Agents

Fig. 7. The architecture of libtissue [13].

 T.S. Sobh, W.M. Mostafa / Applied Soft Computing 11 (2011) 12751283
and Alert Agents. Fig. 5 shows the dynamic evolvement process
of agents.
To enhance the packet dumping efciency, DAMIDAIS utilize
distributed agents to capture the network trafc in real time and
it has quantitatively depicted the dynamic evolutions of self, anti-
gens, immune-tolerance, and the immune memory.
4.2. LISYS
This system was based on the Self/Non-Self Theory. It used the
negative selection algorithm to differentiate detectors [4,17,29].
Each detector is represented as shown in Fig. 6 as the data path
triple (Source IP: Port, Destination IP: Port, Protocol).
LISYS system encodes the Source IP, destination IP and port
number of server during TCP connections using a 49-bit string in
binary formats. By observing normal TCP connections LISYS sys-
tem can obtain a set of self-strings. In addition, negative selection
algorithm generates detector strings to match intruder connections
that may happen [28].
4.3. Libtissue
Libtissue is a software system for implementing and evaluating
AIS algorithms on real-world monitoring and control problems. AIS
algorithms are implemented as multi-agent systems of cells, anti-
gen and signals interacting within tissue compartments. Input data
is provided by sensors which monitor a system under surveillance,
and cells are actively able to affect the monitored system through
response mechanisms. Libtissue provides a general implementa-
tion framework within which many different AIS algorithms can
be instantiated. Libtissue is being used at the University of Notting-
ham to explore the application of a range of novel immune-inspired
algorithms to problems in intrusion detection [4,13]. The architec-
ture of libtissue is shown in Fig. 7.
5. System design
The idea behind the proposed system is to combine more than
one theory and technique of immunology in one place. The coop-
eration of those techniques helped in composing a multi-layered
defense system that could adapt with continuous surrounding
changes. Mainly we used the self/non-self and the danger theo-
ries beside a vaccination unit inspired from natural immunology.
The two theories support two different viewpoints in immunol-
ogy world. However, in computer science domain we believe that
the two viewpoints could both be incorporated into one system and
build up cooperating components that benet from each other. The
vaccination unit role is the same as the one in nature. It is aimed to
adapt the behavior of the system against new or evolved attacks.
This combination guarantees that there is no single point of defense
and more adaptive response to environmental changes.
If we apply the above idea to security domain and specically if
we take Smurf attack as an example we will notice that trafc from
a foreign source raise suspect for the network administrator. But if
this is combined by high variance from normal trafc then a danger
signal should be raised and some action may be needed.
5.1. System components
The system works and detects attacks in real-time mode. It con-
tinuously sniffs data from the network and inspects the data against
two databases. The rst database contains set of self-detectors that
were collected and analyzed in monitored environment to form
the basic set of packets and data that the system may deal with.
The second database contains proles of normal usage for system
resources (network connections, contacted ports and so on). This
1279
Fig. 8. Flow chart of the vaccination process.
database is built to create a base that help in classifying what is
normal from up normal usage. After each packet comparison with
those 2 sources the results of the comparisons is sent to a decision
maker module that decides if there is no attack or degree of cer-
tainty if there is one. Fig. 9 demonstrates the system modules and
data ow between them.
The system modules are:
1. Sniffer Module (SM): Captures packets from the network line and
analyze each packet components. The data is sniffed online and
then sent to the detection module to be examined for possible
attacks. This module was built using open source library called
SharpPcap. The sniffed data could also be fed to the system ofine
in case of high trafc volumes and results are saved in log le.
2. Non-self Detector Module (NSDM): Compares the captured
packet with the self-set database. It calculates the match (afn-
ity) of the packet against each packet in the set of self-packets.
Then, it reports the maximum match (afnity) value. This max-
imum matching value is then compared against a matching
threshold to detect if this newly captured packet is known to
the system or foreign. This is from security domain viewpoint
considered the misuse or signature based detection unit. The
comparison is done between portions of two packets and not the
whole packets. This is needed to rapid the comparison process
especially in real time and to avoid unnecessary elds compar-
isons overhead. The determination of important elds is based
on study of characteristics of different network attacks.
3. Danger Detector Module (DDM): Compares the current system
usage prole against the normal system usage in the prole
database and check for deviations and measure the degree of this
deviation. This is from security domain viewpoint considered the
anomaly based detection module that can detect novel and new
attacks through detecting changes in normal behavior. This mod-
ule also has a role in tuning the self-database mentioned below
as it identies sources that has caused danger signals. Then, it
reports those sources so they are removed if they were recorded
as members of the self-database. This role represents how the
different theories (Self/Non-Self and Danger) could cooperate
and adapt each other.
4. Vaccination Module (VM): This module works similar to vacci-
nation process in human beings. It is responsible for updating
the knowledge of the system (i.e. thresholds, proled resources,
etc.) by analyzing the behavior of an attack in a monitored
environment and checking the ability of the system to respond
1280 T.S. Sobh, W.M. Mostafa / Applied Soft Computing 11 (2011) 12751283

Fig. 9. Single host dynamics.

to that attack. Based on the system response certain actions
shall be taken to improve the system abilities. This adds more
dynamic behavior to the system and enables early detection
of new attacks. Fig. 8 shows in brief the proposed vaccination
process steps.
5. Decision Making Module (DMM): This module combine the
results of the above two detectors and produce consolidated
result with some analysis of the source of the attack, what may
be the real cause of the attack and the name of the attack if this
attack is known to the system. In this module the cooperation
between the two detection modules is important. They not only
cooperate in forming the nal decision but in also updating each
other.
6. Response Module (RM): This module is responsible for taking
appropriate actions. Actions may be in the form of updating
databases or alerting other hosts in the network. For example
in order to simulate natural immune system ability of faster
response for repeated attacks, this module stamps the attack
signature and removes it from the safe list if it was there. So reac-
tion for the same attack will be faster if seen again. The response
module could also be modied to work as a prevention system
by taking online actions to stop the attack immediately but this
will introduce more overhead on the performance of the system.
7. Self-database (SDB): This DB captures the set of safe packets. It
consists of columns for Source IP, source port, destination IP, des-
tination port and protocol. Each new packet is compared to the

Fig. 10. The proposed system ow chart.

 T.S. Sobh, W.M. Mostafa / Applied Soft Computing 11 (2011) 12751283 1281

Fig. 11. The physical test bed.

Table 1
Attacks and attached system resources.

Attack characteristic Attack name Resource to be watched

Access ratio of common to uncommon ports Nmap Port Watch number of ports that are contacted in
specied intervals and detect variance
Ratio of incoming to outgoing trafc volume Smurf Watch network trafc in specied intervals
per second and detect variance
Same change in specic performance object on UDP Storm Watch in and out trafc in specied interval
two/more computers on the network
Sudden failure seen in using a system resource ARP Poison Watch errors messages in reaching
like network, les and memory destinations

content of this DB to check if it resembles any member of this
safe set. This DB can be formed online in a monitored environ-
ment or ofine from trusted historical data. The DB is updated
when needed based on decision making module actions.
8. Prole Database (PDB): This DB captures the prole of system
usage to compose a baseline that can be compared against any
up normal behavior. The proles are time-dependent to reect
real usage. The DB may contain columns for number of connec-
tions, number of contacted ports and number of error messages
of unreachable hosts. The proles can be updated by the user
or by monitoring the system usage and performing statistical
operations.
other hosts in the network, updating the repositories of detectors,
performing some analysis on the attack pattern to generate a for-
mula for detecting similar but with slight changes attacks and so
on.
The database of self-set is composed using monitored environ-
ment. The proposed system enables users to load the self-set from
a le or capture the set online. To compose the prole database, the
system monitors user behavior and system resources. The prole
can be created upon user request. Initial resources to be monitored
are based on study of different attacks and similar phenomena that
affect system resources [2,3].

6. Results
The above DBs contain the backend data that the system relies
on to detect attacks. The DBs may be composed online or ofine
The proposed system was implemented and tested on a physi-
from previously composed les. The system allows the user to
cal network as shown below in Fig. 11 composed of several hosts
change the structure of the DBs in order to allow more generic
behind a rewall and connected to the internet through ADSL
detection (i.e. the user may add a new system resource to be proled
modem. All hosts used windows as operating system and connected
or remove an existing one).
using Ethernet network.
The proposed software was tested on some real network attacks
5.2. System ow chart as shown in Table 1 that show variance from normal users prole.

As discussed in the main idea section and shown above in

Fig. 9, the system will contain two repositories of detectors. The
rst set of detectors in the proposed system will be represented
as a binary vector for the communication triple (Source IP and
Port, Destination IP and Port, Protocol). Those will represent the
self-set and will undergo continuous updates as a result of dis-
covered attacks or false positives. The second set will hold set of
usage proles that captures system variables. Variance from those
proles with a certain percentage will be a sign of danger exis-
tence. As shown in Fig. 10 below when a new packet arrives to
the host it will be tested if it stimulates a non-self or a danger
signal. Those signals if exist are raised to the DMM with sig-
nals degree of certainty. The DMM can then take actions based
on those two sources of information. Actions to be taken can be
in the form of logging danger source and description, alerting Fig. 12. The high variance in trafc issue a danger signal.
1282 T.S. Sobh, W.M. Mostafa / Applied Soft Computing 11 (2011) 12751283
Fig. 13. Packet sources vs. # of connections & # of attacks.
Fig. 14. The number of false positives decreases through time according to updating
the self-set using the DDM.
In Fig. 12 an example of high variance in connections that issue
danger alerts that DDM detect and take actions by alerting and
updating self-set database.
Whenever a danger signal is issued the source(s) of the signal are
reported to the system in order to be matched with the self-set. This
helps in rectifying the self-set members and keep only those Source
IPs that enjoy high trust. It is not mandatory that the highest Source
IP in connecting to the system to be the most attacking machine as
attacks depend on high signal in short period and not low signals
for long periods as shown in Fig. 13.
The self-set of packets has a vital role in increasing the degree
of certainty of attacks. In the beginning of the system startup it
produces large number of false positives but afterwards the DDM
helps in redening the set as shown in Fig. 14.
Also there are two system variables that affect the system per-
formance. The rst is the self-set of detectors (trusted packets
signatures) size which when increased will decrease the system
Fig. 15. The effect of self-DB size on system performance.
performance as shown below in Fig. 15 but will also decrease the
number of false positives, so mid-size sets is acceptable especially
if the system is distributed on several hosts that can inform each
other of incoming attack. The second is the matching threshold of
new coming packets with self-set packets. Here very low and very
high values are not desirable.
7. Comparative study
The previous work has three major roots, and consequently
three distinct philosophies [16]:
1. Methods inspired by the immune system that employ conven-
tional algorithms, for example, IBMs virus detector [17,19].
2. The negative selection paradigm as introduced by Forrest et al.
[10,32] and Somayaji et al. [25].
3. Approaches that exploit the Danger Theory [20].
Most of the related work [4,13,14,17,19] use the negative selec-
tion approach which have many drawbacks such as scaling issues,
high false positive rates and complexity issues [9]. But, one attrac-
tive feature of the negative selection as Hart and Timmis [9] said
the ability to only use a single class of data on which to train
the system, certain investigations would seem to indicate that the
second class is needed to tune the system.
However, in this work we use both negative selection and Dan-
ger Theory approach to overcome the drawbacks of the negative
selection approach only. We can dynamically update normal prole
according to network changes. Moreover, according to our experi-
mental results the number of false positive alerts decrease through
time due to updating the self-set using the DDM.
The proposed model works in real time while some of the related
work detects anomaly ofine. In addition, some of other related
works are not applicable to a real world. For example, LISYS looks at
the Source IP and ports number only, which is insufcient to detect
many types of attacks while this work capable to detect many types
of attacks such as Nmap Port, Smurf, UDP Storm and ARP Poison.
We look forward for future enhancements in the direction
of fully automating vaccination module to be able to produce
advanced report of suspected trafc and react based on that report
without manual interaction. Finally, in this work we did not imple-
ment our model as agent-based and plane in future to develop next
version as agent-based.
8. Conclusions
This paper showed that many theories from the natural systems
might be combined to serve as a base for more reliable Intrusion
Detection Systems. The dependence on two or more sources of data
and analyzing those sources helped the decision making unit a lot
to take more assured actions. The paper mainly discussed the Dan-
ger Theory and the Self/Non-Self Theory and showed how their
ideas may be applied in an IDS system. The proposed system could
effectively catch attacks with clear signatures and detect the source
of attacks so they are recognized in black list if they made further
attacks.
By using the theory of Articial Immune Systems, a novel model
of a cooperative immunological approach for detecting network
anomaly is presented. The experimental results show that the pro-
posed model has the features of real-time processing that provide
a good solution for self-set network members in order to keep
high trust network member without false alarm. Furthermore, the
adaptability feature of the system that was inherited from the
natural immune system enabled dynamic control of the system
variables by manual or by the semi-automated vaccination mod-
 T.S. Sobh, W.M. Mostafa / Applied Soft Computing 11 (2011) 12751283 1283

ule. This allowed dynamic response for threats and attacks which [15] J.C. Galeano, A. VelozaSuan, F.A. Gonzlez, A comparative analysis of articial
means autonomic defense system rather than centralized ISD sys- immune network models, in: GECCO05, Washington, DC, USA, June 2529,
2005.
tem. [16] J. Greensmith, U. Aickelin, J. Twycross, Immune system approaches to intrusion
The system performance is fair specially if it is implemented as a detectiona review, in: Proceedings of ICARIS-2004, 3rd International Con-
distributed one with many hosts with different sets of detectors and ference on Articial Immune Systems, LNCS 3239, Catalania, Italy, 2004, pp.
316329.
linked via secure messaging channel. Future enhancement may be [17] J. Kephart, A biologically inspired immune system for computers, in: Proceed-
in the direction of fully automating vaccination module to be able ings of the Fourth International Workshop on Synthesis and Simulation of
to produce advanced report of the trafc and react based on that Living Systems, Articial Life IV, 1994, pp. 130139.
[18] L.N. DeCastro, J. Timmis, Articial Immune Systems: A New Computational
report without manual interaction. Intelligence Approach, Springer, 2002.
[19] J. Le Boudec, S. Sarajanovic, An articial immune system approach to mis-
References behavior detection in mobile ad-hoc networks, Technical Report IC/2003/59,
Ecole Polytechnique Federale de Lausanne, 2003.
[20] P. Matzinger, Tolerance, danger, and the extended family, Annual Review of
[1] A. Ishiguro, S. Ichikawa, Y. Uchikawa, A gait acquisition of six-legged robot
Immunology 12 (1994) 9911045.
using immune networks, in: Proceedings of International Conference on Intel-
[21] M. Reza Ahmadi, An intrusion prediction technique based on co-evolutionary
ligent Robotics and Systems (IROS 94), vol. 2, Munich, Germany, 1994, pp.
immune system for network security (CoCo-IDP), International Journal of Net-
10341041.
work Security 9 (November (3)) (2009) 290300.
[2] A. Patcha, J.-M. Parka, Network anomaly detection with incomplete audit data,
[22] M. Swimmer, Using the danger model of immune systems for distributed
Computer Network 51 (September (13)) (2007) 39353955.
defense in modern data networks, Computer Networks 51 (2007) 13151333,
[3] S. Axelsson, Intrusion detection systems: a survey and taxonomy, Technical
2007.
Report No. 99-15, Chalmers University of Technology, Sweden, 1999.
[23] P. Garca-Teodoro, J. Daz-Verdejo, G. Maci-Fernndez, E. Vzquez, Anomaly-
[4] J. Balthrop, S. Forrest, M. Glickman, Revisiting LISYS: parameters and normal
based network intrusion detection: Techniques, systems and challenges,
behaviour, in: Proceedings of the Congress on Evolutionary Computation, 2002.
Computer & Security 28 (2009) 1828.
[5] D. Dasgupta, An overview of Articial Immune Systems, in: D. Dasgupta (Ed.),
[24] P. Matzinger, The danger model: a renewed sense of self, Science 296 (2002)
Articial Immune Systems and Their Applications, Springer, 1999, pp. 321.
301304.
[6] D. Dasgupta, Immunity-based intrusion detection systems: a general frame-
[25] A. Somayaji, S. Hofmeyr, S. Forrest, Principles of a computer immune sys-
work, in: Proceeding of the 22nd National Information Systems Security
tem, in: Proceeding of New Security Workshop, Langdale, Cumbria, 1997,
Conference (NISSC), October 1999.
pp. 7582.
[7] D. Dasgupta, F. Gonzalez, An immunity-based technique to characterize intru-
[26] T.R. Mosmann, A.M. Livingstone, Dendritic cells: the immune information man-
sions in computer networks, IEEE Transactions on Evolutionary Computation
agement experts, Nature Immunology 5 (6) (2004) 564566.
(2002).
[27] S.X. Wu, W. Banzhaf, The use of computational intelligence in intrusion detec-
[8] M. Ebner, H. Breunig, J. Albert, On the use of negative selection in an articial
tion systems: a review, Applied Soft Computing 10 (2010) 135.
immune system, in: Proceedings of GECCO-2002, New York, USA, July 2002.
[28] S.T. Powers, J. He, A hybrid articial immune system and Self Organising Map
[9] E. Hart, J. Timmis, Application areas of AIS: the past, the present and the future,
for network intrusion detection, Information Sciences 178 (2008) 30243042.
Applied Soft Computing 8 (2008) 191201.
[29] S.A. Hofmeyr, S. Forrest, Immunity by design: an articial immune system, in:
[10] S. Forrest, A.S. Perelson, L. Allen, R. Cherukuri, Selfnonself discrimination in
Proceedings of the Genetic and Evolutionary Computation Conference (GECCO),
a computer, in: Proceedings of the IEEE Symposium on Security and Privacy,
Morgan-Kaufmann, San Francisco, CA, 1999, pp. 12891296.
IEEE Computer Society, 1994, p. p. 202.
[30] T.S. Sobh, Wired and wireless intrusion detection system: classications, good
[11] F. Seredynski, P. Bouvry, Anomaly detection in TCP/IP networks using immune
characteristics and state-of-the-art, Computer Standards & Interfaces 28 (6)
systems paradigm, Computer Communications 30 (2007) 740749.
(2006) 670694.
[12] J.P. Twycross, Integrated innate and adaptive articial immune systems applied
[31] T. Pradeu, E.D. Carosella, The self model and the conception of biological identity
to process anomaly detection, Ph.D. Thesis, January 2007.
in immunology, Biology and Philosophy 21 (2) (2006) 235252.
[13] J. Twycross, U. Aickelin, Libtissueimplementing innate immunity, in: CEC
[32] Z.J. August, Negative selection algorithms: from the thymus to V-detector, A
2006, IEEE Congress, 1621 July 2006, Evolutionary Computation (2006).
Dissertation Presented for the Doctor of Philosophy Degree the University of
[14] J. Yang, X.J. Liu, T. Li, G. Liang, S.J. Liu, Distributed agents model for intrusion
Memphis, 2006.
detection based on AIS, Knowledge-Based Systems 22 (2009) 115119, 2009.