Article info

Article history: Received 9 October 2007; Received in revised form 10 March 2010; Accepted 14 March 2010; Available online 19 March 2010.

Keywords: Network security; Intrusion Detection System; Artificial Immune; Danger Theory

Abstract

Technology and biological systems now have a bi-directional relation in which each benefits from the other. Biological systems naturally enjoy many attractive features and an inherent intelligence that fit in solving many research problems. The natural immune system, as one of those biological systems, is considered a good source of inspiration for artificial defense systems. It has its own intelligent mechanisms to detect foreign bodies and fight them, and without it an individual cannot live, even just for several days. New types of network attacks have evolved and become more complex, severe and hard to detect. This resulted in an increasing need for network defense systems, and especially those with unordinary approaches or with the ability to face the dynamic nature of new and continuously changing network threats.

In this work we investigate different AIS theories and show how to combine different ideas to solve problems of the network security domain. An Intrusion Detection System (IDS) that applies those ideas was built and tested in a real-time environment to test the pros and cons of the Artificial Immune System (AIS) and clarify its applicability. Also some investigation of the vaccination biological process is introduced. A special module was built to perform this process and check its usage and how it could be formulated in artificial life.

© 2010 Elsevier B.V. All rights reserved.
1. Introduction

Since Ishiguro published the first Artificial Immune System (AIS) computational model in 1994 [1], several new AIS models have been proposed to solve different kinds of problems such as clustering, data analysis, and classification. Nowadays, AISs have become a well established area of research in the field of Artificial Immune Systems. Inspired by the mammalian immune system, AIS seek to use observed immune components and processes as metaphors to produce systems that encapsulate a number of desirable properties of the natural immune system. These systems are then applied to solve problems in a wide variety of domains [18,22,27]. There are a number of motivations for using the immune system as inspiration for data mining; these include recognition, diversity, memory, self-regulation, dynamic protection and learning [5].

The objective of this paper is to investigate further the immunological theories, such as the self/non-self and danger theories, and their appropriateness for the network security domain, like other soft computing approaches that were used in this domain such as neural networks and fuzzy systems. We also tried to propose how we can use many theories in one system as different detection engines and make decisions based on the consolidated output from different detectors. The work also included defining a new term in the field, which is vaccination. This biological process, though widely used in natural life, was not introduced before in artificial life. We tried to provide a simple model of a vaccination module and show how it could be incorporated with other modules.

The paper is structured as follows: Section 2 explains some background information about the immune system while Section 3 explains some background information about Intrusion Detection Systems. Section 4 states some related works, Section 5 illustrates the proposed system idea and architecture, Section 6 discusses system results, and Section 7 is a comparative study. Finally, Section 7 contains the conclusion.

2. Artificial Immune System

AIS are computational systems, inspired by theoretical immunology and observed immune functions, which are applied to complex problem domains [18,22,27]. AIS were developed from the field of theoretical immunology in the mid-1980s. It was suggested that computer science (CS) might look at the Immune System. Those systems have undergone a lot of evolution since then and many researchers tried to use this metaphor in solving a wide variety of problems. AIS use many biologically inspired algorithms and theories. Examples of algorithms are Negative Selection, Positive Selection, and

Corresponding author. Tel.: +20 0224097545.
E-mail addresses: tarekbox2000@yahoo.com, tarekbox2000@gmail.com (T.S. Sobh).
1568-4946/$ - see front matter © 2010 Elsevier B.V. All rights reserved.
doi:10.1016/j.asoc.2010.03.004
1276 T.S. Sobh, W.M. Mostafa / Applied Soft Computing 11 (2011) 1275–1283

than one that is best fit for the application domain from the set of algorithms offered by the AIS framework.

Immunology is a big branch of science that has its own theories. As in any other kind of science, there are always debates about old theories and new ones and whether they really represent a good understanding of nature. The most important theories that we deal with in this paper are the old Self/Non-Self Theory and the relatively new Danger Theory (DT).

Fig. 2. First and second generation Artificial Immune Systems (AISs) [12].
and are released into the surrounding buffer fluid. The cell membrane loses its integrity, releasing its contents (e.g. DNA, mitochondria) into the surrounding tissue fluid [9,26]. The Danger Theory proposes that the immune system is sensitive to changes in the danger signal concentration in the tissue. Conversely, when the tissue is healthy, cells die in a controlled manner, known as apoptosis. Immunosuppressive molecules (safe signals) are released as an indicator of normality in the tissue. In essence, the Danger Theory consists of active suppression while the tissue is healthy, combined with rapid activation on receipt of necrotic danger signals.

Recently the term Second Generation AIS was coined by Twycross [12]. The idea, as shown in Fig. 2, is to view the immune system as two interacting subsystems: the innate and adaptive immune systems. This emphasizes the role of the innate system, which is largely responsible for the control of the adaptive system. A first generation AIS employs algorithms inspired by the biological adaptive immune system, while a second generation AIS employs algorithms inspired by both the biological innate and adaptive immune systems. The relationship is inclusive in that second generation AISs combine existing adaptive-inspired algorithms with new innate-inspired algorithms.

3. Intrusion Detection System

The functions of a typical Intrusion Detection System (IDS) are to acquire information about its environment to analyze system behavior, discover security breaches, attempted breaches, and open vulnerabilities that could lead to potential breaches [6,11,27,30]. An IDS, as shown in Fig. 3, is composed mainly of an Analyzer to audit the network data, Detection Engines to make decisions based on available data and system experience (intelligence), and a Resolver that combines the detection engines' results and alerts the user or logs an entry in a DB.

Fig. 3. Components of IDS.

IDS may be classified according to approach, structure and so on. As shown in Fig. 4 there are many factors that affect the design goals of an IDS [30]. In this paper the focus is on the approach based classification. In this classification we have 2 system types:

- Misuse based IDS, in which there are ways to represent attacks in the form of a pattern or a signature so that even variations of the same attack can be detected. They can detect many or all known attack patterns, but they are of little use for unknown attack methods. Expert systems, Key Stroke Monitoring, Model based IDS, State transition analysis and Pattern Matching are examples of techniques used in this type of IDS.

- Anomaly detection based IDS, which assume that all intrusive activities are necessarily anomalous. Anomalous activities that are not intrusive are flagged as intrusive. Intrusive activities that are not anomalous result in false negatives (events are not flagged intrusive, though they actually are). This type of IDS is computationally expensive because of the overhead of keeping track of, and possibly updating, several system profile metrics [27]. Statistical approaches, Data Mining, Rate Limiting and Soft Computing are examples of techniques used in this type of IDS.

4. Related work

Several works can detect network anomalies using AIS [4,13,14]. All of them were based on immunological approaches but with different implementations and architectures. The ultimate goal was always to make a system that is very close to the human system, which is naturally rich with features like Robustness, Configurability, Extendibility, Scalability, Adaptability, Global Analysis and Efficiency [9,14,21,23].

4.1. DAMIDAIS

Yang et al. [14] combined an agent model with AIS concepts to give a promising solution for building intelligent network security systems.

The authors put forward a distributed agents model for intrusion detection based on Artificial Immune Systems, i.e. the DAMIDAIS. The dynamic evolution models and the corresponding recursive equations of self, antigen, immune-tolerance, lifecycle of mature agent and immune memory are presented. DAMIDAIS contains a hierarchical structure of intelligent agents; these agents are Sensor Agents, Analyzer Agents, Manager Agents, Messages Agents

4.2. LISYS

4.3. Libtissue
Libtissue is a software system for implementing and evaluating AIS algorithms on real-world monitoring and control problems. AIS algorithms are implemented as multi-agent systems of cells, antigen and signals interacting within tissue compartments. Input data is provided by sensors which monitor a system under surveillance, and cells are actively able to affect the monitored system through response mechanisms. Libtissue provides a general implementation framework within which many different AIS algorithms can be instantiated. Libtissue is being used at the University of Nottingham to explore the application of a range of novel immune-inspired algorithms to problems in intrusion detection [4,13]. The architecture of libtissue is shown in Fig. 7.

5. System design

The idea behind the proposed system is to combine more than one theory and technique of immunology in one place. The cooperation of those techniques helped in composing a multi-layered defense system that could adapt to continuous surrounding changes. Mainly we used the self/non-self and the danger theories beside a vaccination unit inspired by natural immunology. The two theories support two different viewpoints in the immunology world. However, in the computer science domain we believe that the two viewpoints could both be incorporated into one system to build up cooperating components that benefit from each other. The vaccination unit's role is the same as the one in nature. It is aimed at adapting the behavior of the system against new or evolved attacks. This combination guarantees that there is no single point of defense and a more adaptive response to environmental changes.

If we apply the above idea to the security domain, and specifically if we take the Smurf attack as an example, we will notice that traffic from a foreign source raises suspicion for the network administrator. But if this is combined with a high variance from normal traffic, then a danger signal should be raised and some action may be needed.

5.1. System components

The system works and detects attacks in real-time mode. It continuously sniffs data from the network and inspects the data against two databases. The first database contains a set of self-detectors that were collected and analyzed in a monitored environment to form the basic set of packets and data that the system may deal with. The second database contains profiles of normal usage for system resources (network connections, contacted ports and so on). This database is built to create a base that helps in classifying normal from abnormal usage. After each packet comparison with those 2 sources, the results of the comparisons are sent to a decision maker module that decides if there is no attack, or the degree of certainty if there is one. Fig. 9 demonstrates the system modules and the data flow between them.

The system modules are:

1. Sniffer Module (SM): Captures packets from the network line and analyzes each packet's components. The data is sniffed online and then sent to the detection module to be examined for possible attacks. This module was built using an open source library called SharpPcap. The sniffed data could also be fed to the system offline in case of high traffic volumes, and results are saved in a log file.

2. Non-self Detector Module (NSDM): Compares the captured packet with the self-set database. It calculates the match (affinity) of the packet against each packet in the set of self-packets. Then, it reports the maximum match (affinity) value. This maximum matching value is then compared against a matching threshold to detect if this newly captured packet is known to the system or foreign. From the security domain viewpoint this is considered the misuse or signature based detection unit. The comparison is done between portions of two packets and not the whole packets. This is needed to speed up the comparison process, especially in real time, and to avoid the overhead of unnecessary field comparisons. The determination of important fields is based on a study of the characteristics of different network attacks.

3. Danger Detector Module (DDM): Compares the current system usage profile against the normal system usage in the profile database, checks for deviations and measures the degree of this deviation. From the security domain viewpoint this is considered the anomaly based detection module, which can detect novel and new attacks through detecting changes in normal behavior. This module also has a role in tuning the self-database mentioned below, as it identifies sources that have caused danger signals. Then, it reports those sources so they are removed if they were recorded as members of the self-database. This role represents how the different theories (Self/Non-Self and Danger) could cooperate and adapt each other.

4. Vaccination Module (VM): This module works similarly to the vaccination process in human beings. It is responsible for updating the knowledge of the system (i.e. thresholds, profiled resources, etc.) by analyzing the behavior of an attack in a monitored environment and checking the ability of the system to respond
to that attack. Based on the system response, certain actions shall be taken to improve the system abilities. This adds more dynamic behavior to the system and enables early detection of new attacks. Fig. 8 shows in brief the proposed vaccination process steps.

5. Decision Making Module (DMM): This module combines the results of the above two detectors and produces a consolidated result with some analysis of the source of the attack, what may be the real cause of the attack, and the name of the attack if this attack is known to the system. In this module the cooperation between the two detection modules is important. They not only cooperate in forming the final decision but also in updating each other.

6. Response Module (RM): This module is responsible for taking appropriate actions. Actions may be in the form of updating databases or alerting other hosts in the network. For example, in order to simulate the natural immune system's ability of faster response to repeated attacks, this module stamps the attack signature and removes it from the safe list if it was there. So the reaction to the same attack will be faster if it is seen again. The response module could also be modified to work as a prevention system by taking online actions to stop the attack immediately, but this will introduce more overhead on the performance of the system.

7. Self-database (SDB): This DB captures the set of safe packets. It consists of columns for source IP, source port, destination IP, destination port and protocol. Each new packet is compared to the content of this DB to check if it resembles any member of this safe set. This DB can be formed online in a monitored environment or offline from trusted historical data. The DB is updated when needed based on decision making module actions.

8. Profile Database (PDB): This DB captures the profile of system usage to compose a baseline that can be compared against any abnormal behavior. The profiles are time-dependent to reflect real usage. The DB may contain columns for number of connections, number of contacted ports and number of error messages of unreachable hosts. The profiles can be updated by the user or by monitoring the system usage and performing statistical operations.

The above DBs contain the backend data that the system relies on to detect attacks. The DBs may be composed online or offline from previously composed files. The system allows the user to change the structure of the DBs in order to allow more generic detection (i.e. the user may add a new system resource to be profiled or remove an existing one).

5.2. System flow chart

other hosts in the network, updating the repositories of detectors, performing some analysis on the attack pattern to generate a formula for detecting similar attacks with slight changes, and so on.

The database of the self-set is composed using a monitored environment. The proposed system enables users to load the self-set from a file or capture the set online. To compose the profile database, the system monitors user behavior and system resources. The profile can be created upon user request. Initial resources to be monitored are based on a study of different attacks and similar phenomena that affect system resources [2,3].

Table 1
Attacks and attached system resources.

System resource (indicator) | Attack | Monitoring action
Access ratio of common to uncommon ports | Nmap Port | Watch the number of ports that are contacted in specified intervals and detect variance
Ratio of incoming to outgoing traffic volume per second | Smurf | Watch network traffic in specified intervals and detect variance
Same change in a specific performance object on two/more computers on the network | UDP Storm | Watch in and out traffic in a specified interval
Sudden failure seen in using a system resource like network, files and memory | ARP Poison | Watch error messages in reaching destinations

6. Results

The proposed system was implemented and tested on a physical network, as shown below in Fig. 11, composed of several hosts behind a firewall and connected to the internet through an ADSL modem. All hosts used Windows as the operating system and were connected using an Ethernet network. The proposed software was tested on some real network attacks, as shown in Table 1, that show variance from the normal users' profile.
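The following is an added example, not code from the paper or its authors, that walks through the module split of Section 5.1 (and the signature-versus-anomaly split of Section 3) on constructed data: an NSDM that scores a packet's affinity against a self-set on a subset of fields and compares the maximum with a threshold, a DDM that builds a profile from two Table 1 style indicators (incoming/outgoing traffic ratio and number of contacted ports) and measures the deviation of the current interval, a DMM that consolidates both into one verdict, and an RM that prunes the self-set after a danger signal. The subnet 192.168.1.0/24, the field choice, the thresholds, the sigma floor and every packet (the baseline, the unseen quiet source 203.0.113.9 and the 198.51.100.x echo-reply flood standing in for Smurf) are assumptions made here; the paper does not give them.

```python
"""Toy version of the cooperative pipeline of Section 5.1: NSDM, DDM, DMM and RM.
Added example, not the paper's code; the subnet, field choice, thresholds
and every packet below are constructed."""
from dataclasses import dataclass
from statistics import mean, pstdev

LOCAL_NET = "192.168.1."                                      # assumed monitored subnet
AFFINITY_FIELDS = ("src_ip", "dst_ip", "dst_port", "proto")  # assumed "important fields"
SIGMA_FLOOR = 0.05          # design choice: no division by zero on a constant baseline


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


def affinity(a, b):
    """Share of the selected fields on which two packets agree (0..1); only a
    portion of each packet is compared, as the NSDM description requires."""
    return sum(getattr(a, f) == getattr(b, f) for f in AFFINITY_FIELDS) / len(AFFINITY_FIELDS)


def nsdm(packet, self_db, threshold=0.75):
    """Non-self Detector: (known?, maximum affinity against the self-set)."""
    best = max((affinity(packet, s) for s in self_db), default=0.0)
    return best >= threshold, best


def window_metrics(packets):
    """Two Table 1 style indicators for one interval: incoming/outgoing packet
    ratio (Smurf) and number of distinct contacted ports (port scan)."""
    incoming = sum(p.dst_ip.startswith(LOCAL_NET) and not p.src_ip.startswith(LOCAL_NET) for p in packets)
    outgoing = sum(p.src_ip.startswith(LOCAL_NET) and not p.dst_ip.startswith(LOCAL_NET) for p in packets)
    return {"in_out_ratio": incoming / max(outgoing, 1),
            "contacted_ports": len({p.dst_port for p in packets})}


def build_profile(baseline_windows):
    """Profile DB: (mean, std) per indicator over intervals of normal usage."""
    rows = [window_metrics(w) for w in baseline_windows]
    return {k: (mean(r[k] for r in rows), max(pstdev(r[k] for r in rows), SIGMA_FLOOR))
            for k in rows[0]}


def ddm(packets, profile, danger_threshold=3.0):
    """Danger Detector: (danger?, deviation of each indicator in std units)."""
    current = window_metrics(packets)
    dev = {k: abs(current[k] - mu) / sigma for k, (mu, sigma) in profile.items()}
    return max(dev.values()) >= danger_threshold, dev


def dmm(packets, self_db, profile):
    """Decision Making: a foreign source alone is only suspicious; a danger
    signal makes the interval an attack (the Smurf reasoning of Section 5)."""
    danger, dev = ddm(packets, profile)
    external = {p.src_ip for p in packets if not p.src_ip.startswith(LOCAL_NET)}
    foreign = sorted({p.src_ip for p in packets
                      if p.src_ip in external and not nsdm(p, self_db)[0]})
    # every external source of a dangerous interval is reported so RM can prune it
    sources = sorted(external) if danger else foreign
    verdict = "attack" if danger else ("suspicious" if foreign else "normal")
    return {"verdict": verdict, "danger": danger, "deviation": dev, "sources": sources}


def rm(decision, self_db):
    """Response: after a danger signal drop the reported sources from the safe
    list, so the same attack is non-self (and caught faster) when seen again."""
    if not decision["danger"]:
        return list(self_db)
    bad = set(decision["sources"])
    return [s for s in self_db if s.src_ip not in bad]


def flow(src, sport, dst, dport, proto="tcp"):
    """Request plus reply packet pair (constructed helper)."""
    return [Packet(src, sport, dst, dport, proto), Packet(dst, dport, src, sport, proto)]


WEB = "10.0.0.5"   # constructed external web server
BASELINE = [       # three intervals of normal usage (constructed)
    flow("192.168.1.10", 50000, WEB, 80) + flow("192.168.1.10", 50001, WEB, 443),
    flow("192.168.1.10", 50002, WEB, 80) + flow("192.168.1.11", 50003, WEB, 443)
    + flow("192.168.1.11", 50004, WEB, 80),
    flow("192.168.1.11", 50005, WEB, 443),
]
# self-set: everything seen in the baseline plus one earlier benign ping reply from
# 198.51.100.1 (constructed), which RM prunes once that host joins the flood
SELF_DB = [p for w in BASELINE for p in w] + [Packet("198.51.100.1", 0, "192.168.1.10", 0, "icmp")]
PROFILE = build_profile(BASELINE)

NORMAL = flow("192.168.1.10", 50010, WEB, 80)                 # known traffic
NEW_SOURCE = flow("203.0.113.9", 40000, "192.168.1.10", 80)   # unseen but quiet source
SMURF = [Packet(f"198.51.100.{i}", 0, "192.168.1.10", 0, "icmp") for i in range(1, 13)]  # reflected replies


def run(window, self_db=SELF_DB, profile=PROFILE):
    """One detection cycle: returns the decision and the updated self-set."""
    decision = dmm(window, self_db, profile)
    return decision, rm(decision, self_db)


if __name__ == "__main__":
    for name, w in (("normal", NORMAL), ("new source", NEW_SOURCE), ("smurf", SMURF)):
        d, db = run(w)
        print(f"{name:10s} -> {d['verdict']:10s} danger={d['danger']} sources={d['sources']} self-set={len(db)}")
```

The three windows exercise the three outcomes the paper distinguishes: known traffic is normal, an unseen source with ordinary volume is only suspicious (NSDM fires, DDM does not), and a reflected echo-reply flood drives the in/out ratio far beyond the profile so DDM raises danger, DMM reports the external sources and RM removes the stale self-set entry for 198.51.100.1, which is how the two theories tune each other in the DDM description.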
7. Comparative study

ule. This allowed a dynamic response to threats and attacks, which means an autonomic defense system rather than a centralized IDS system.

The system performance is fair, especially if it is implemented as a distributed one with many hosts with different sets of detectors and linked via a secure messaging channel. Future enhancement may be in the direction of fully automating the vaccination module to be able to produce an advanced report of the traffic and react based on that report without manual interaction.

References

[1] A. Ishiguro, S. Ichikawa, Y. Uchikawa, A gait acquisition of six-legged robot using immune networks, in: Proceedings of International Conference on Intelligent Robotics and Systems (IROS 94), vol. 2, Munich, Germany, 1994, pp. 1034–1041.
[2] A. Patcha, J.-M. Park, Network anomaly detection with incomplete audit data, Computer Networks 51 (September (13)) (2007) 3935–3955.
[3] S. Axelsson, Intrusion detection systems: a survey and taxonomy, Technical Report No. 99-15, Chalmers University of Technology, Sweden, 1999.
[4] J. Balthrop, S. Forrest, M. Glickman, Revisiting LISYS: parameters and normal behaviour, in: Proceedings of the Congress on Evolutionary Computation, 2002.
[5] D. Dasgupta, An overview of Artificial Immune Systems, in: D. Dasgupta (Ed.), Artificial Immune Systems and Their Applications, Springer, 1999, pp. 3–21.
[6] D. Dasgupta, Immunity-based intrusion detection systems: a general framework, in: Proceedings of the 22nd National Information Systems Security Conference (NISSC), October 1999.
[7] D. Dasgupta, F. Gonzalez, An immunity-based technique to characterize intrusions in computer networks, IEEE Transactions on Evolutionary Computation (2002).
[8] M. Ebner, H. Breunig, J. Albert, On the use of negative selection in an artificial immune system, in: Proceedings of GECCO-2002, New York, USA, July 2002.
[9] E. Hart, J. Timmis, Application areas of AIS: the past, the present and the future, Applied Soft Computing 8 (2008) 191–201.
[10] S. Forrest, A.S. Perelson, L. Allen, R. Cherukuri, Self-nonself discrimination in a computer, in: Proceedings of the IEEE Symposium on Security and Privacy, IEEE Computer Society, 1994, p. 202.
[11] F. Seredynski, P. Bouvry, Anomaly detection in TCP/IP networks using immune systems paradigm, Computer Communications 30 (2007) 740–749.
[12] J.P. Twycross, Integrated innate and adaptive artificial immune systems applied to process anomaly detection, Ph.D. Thesis, January 2007.
[13] J. Twycross, U. Aickelin, Libtissue: implementing innate immunity, in: CEC 2006, IEEE Congress on Evolutionary Computation, 16–21 July 2006.
[14] J. Yang, X.J. Liu, T. Li, G. Liang, S.J. Liu, Distributed agents model for intrusion detection based on AIS, Knowledge-Based Systems 22 (2009) 115–119.
[15] J.C. Galeano, A. Veloza-Suan, F.A. González, A comparative analysis of artificial immune network models, in: GECCO'05, Washington, DC, USA, June 25–29, 2005.
[16] J. Greensmith, U. Aickelin, J. Twycross, Immune system approaches to intrusion detection: a review, in: Proceedings of ICARIS-2004, 3rd International Conference on Artificial Immune Systems, LNCS 3239, Catania, Italy, 2004, pp. 316–329.
[17] J. Kephart, A biologically inspired immune system for computers, in: Proceedings of the Fourth International Workshop on Synthesis and Simulation of Living Systems, Artificial Life IV, 1994, pp. 130–139.
[18] L.N. DeCastro, J. Timmis, Artificial Immune Systems: A New Computational Intelligence Approach, Springer, 2002.
[19] J. Le Boudec, S. Sarajanovic, An artificial immune system approach to misbehavior detection in mobile ad-hoc networks, Technical Report IC/2003/59, Ecole Polytechnique Federale de Lausanne, 2003.
[20] P. Matzinger, Tolerance, danger, and the extended family, Annual Review of Immunology 12 (1994) 991–1045.
[21] M. Reza Ahmadi, An intrusion prediction technique based on co-evolutionary immune system for network security (CoCo-IDP), International Journal of Network Security 9 (November (3)) (2009) 290–300.
[22] M. Swimmer, Using the danger model of immune systems for distributed defense in modern data networks, Computer Networks 51 (2007) 1315–1333.
[23] P. García-Teodoro, J. Díaz-Verdejo, G. Maciá-Fernández, E. Vázquez, Anomaly-based network intrusion detection: Techniques, systems and challenges, Computers & Security 28 (2009) 18–28.
[24] P. Matzinger, The danger model: a renewed sense of self, Science 296 (2002) 301–304.
[25] A. Somayaji, S. Hofmeyr, S. Forrest, Principles of a computer immune system, in: Proceedings of the New Security Paradigms Workshop, Langdale, Cumbria, 1997, pp. 75–82.
[26] T.R. Mosmann, A.M. Livingstone, Dendritic cells: the immune information management experts, Nature Immunology 5 (6) (2004) 564–566.
[27] S.X. Wu, W. Banzhaf, The use of computational intelligence in intrusion detection systems: a review, Applied Soft Computing 10 (2010) 1–35.
[28] S.T. Powers, J. He, A hybrid artificial immune system and Self Organising Map for network intrusion detection, Information Sciences 178 (2008) 3024–3042.
[29] S.A. Hofmeyr, S. Forrest, Immunity by design: an artificial immune system, in: Proceedings of the Genetic and Evolutionary Computation Conference (GECCO), Morgan-Kaufmann, San Francisco, CA, 1999, pp. 1289–1296.
[30] T.S. Sobh, Wired and wireless intrusion detection system: classifications, good characteristics and state-of-the-art, Computer Standards & Interfaces 28 (6) (2006) 670–694.
[31] T. Pradeu, E.D. Carosella, The self model and the conception of biological identity in immunology, Biology and Philosophy 21 (2) (2006) 235–252.
[32] Z.J. August, Negative selection algorithms: from the thymus to V-detector, A Dissertation Presented for the Doctor of Philosophy Degree, The University of Memphis, 2006.