Académique Documents
Professionnel Documents
Culture Documents
net/publication/315861769
CITATION READS
1 783
1 author:
Peter Wlodarczak
University of Southern Queensland
17 PUBLICATIONS 42 CITATIONS
SEE PROFILE
Some of the authors of this publication are also working on these related projects:
All content following this page was uploaded by Peter Wlodarczak on 23 November 2018.
Peter Wlodarczak ✉
( )
1 Introduction
The human body has a remarkably effective defense mechanisms, the immune system
(IS), that detects a wide range of harmful agents, called pathogens, such as viruses,
parasites, and microbes. The IS has the capability to distinguish pathogens from healthy
tissue. The skin fends off external threats to our body similarly to a firewall. It is
constantly renewed and adaptive. Our bodies are police states; the IS constantly monitors
the internal environment. In the absence of a working IS, even minor infections can take
hold and prove fatal [4].
The IS consists of an innate immune system and a much younger adaptive immune
system (AIS). Innate immunity is present in both, vertebrates and invertebrates, whereas
the adaptive immune system is found only in invertebrates [4]. If a pathogen breaches
physical barriers of the body, the innate immune system provides an immediate, but
non-specific response. It is not capable of conferring long-lasting immunity. If a
pathogen evades the innate immune system, the AIS is activated. The AIS can generate
a pathogen specific, tailored response. It is antigen-specific, and the response is remem‐
bered in case the same pathogen enters the body a second time. It can then provide a
quick, antigen specific response. The immune system is capable of learning, memory,
and pattern recognition [5]. Similarly, the AIS acts as the immune system memory.
The AIS consists of lymphocytes. The major types are B-cells and T-cells. B cells
identify pathogens when antibodies on their surface bind to a specific foreign antigen.
In the case of an antigen entering the body, the immune system activates signal molecules
that attract specialized immune cells, called killer T cells, to the site of infection. The
killer T cells destroy cells that are infected by viruses and other pathogens or other
dysfunctional cells. An AIS detects and neutralizes malware such as Trojans or ransom‐
ware by quarantining or erasing it. This function is analogous to the functions in biolog‐
ical systems of natural killer cells, which kill cells infected with known or unknown
viruses, and of macrophages, which phagocytize bacteria [17]. When B cells and T cells
are activated, they begin to replicate, and some of their offspring become long-lived
memory cells. A cyber IS imitates this behavior. It has adaptive and memory function‐
ality and recognizes cyber threats using pattern recognition.
single second [15]. They combine physical devices with the Internet and form cyber-
physical systems. Data-injection attacks can degrade the operational reliability and
security of any cyber-physical infrastructures [20].
APTs are a set of sophisticated stealth hacking processes used for cyber-espionage
or cyber-sabotage. Zero-day exploits are undisclosed vulnerabilities which leave the
author with “zero days” to create a patch or find a workaround. They are often traded
on the dark web and at the time of attack no security patch exists yet. They are uniquely
featured by the stealthy, continuous, sophisticated and well-funded attack process for
long-term malicious gain, which render the current defense mechanisms inappli‐
cable [18].
An intrusion occurs when an attacker attempts to gain entry into or disrupt the normal
operations of an information system, almost always with the intent to do harm [23].
Today’s cyber-attacks fall into three categories:
• attacks by cyber criminals who want to enrich themselves by stealing credit card
information, hacking into bank accounts etc.
• hacktivists such as the Anonymous group who have a political agenda
• commercial groups that are engaged in cyber-warfare such as cyber-espionage (The
Dukes) [1] or sabotage (Stuxnet) [2]
They are usually highly qualified, highly motivated and are often government or
agency-sponsored or supported. For instance, Stuxnet, that destroyed the uranium
enrichment facilities in Natanz, Iran, was purportedly developed by the NSA and the
Mossad. However, neither country confirmed its involvement. Natanz was not even
connected to any external network. Not only was Stuxnet much more complex than any
other piece of malware seen before, it also followed a completely new approach that’s
no longer aligned with conventional confidentiality, integrity, and availability
thinking [2].
Conventional cyber security systems such as classic firewalls, intrusion detection
systems or end-point protection do not suffice anymore since they cannot detect zero-
day attacks or ATP since these exploit new, unknown vulnerabilities. To meet today’s
cyber security needs, a cyber defense system needs the capability to recognize and repel
unknown attacks and adapt to new threats without disrupting the business. Because we
have no way of knowing all vulnerabilities, the only resources we can use to learn attack
patterns are the sequences of events correlated with the cyber-attacks [3]. Cyber
immunity is a bio-inspired approach based on the human AIS that is capable of learning
and detecting attacks with unknown signatures (Fig. 1). It mimics the AIS using machine
learning techniques by learning normal network behavior and detecting anomalies based
on what it has learned. It should be noted that “immune system” is used as a metaphor.
There is no analogy between biological and artificial immune systems in the “mecha‐
nisms” of innate and adaptive immunity [17].
202 P. Wlodarczak
Cyber immune systems detect attacks not based on their signature but based on anoma‐
lies detected in normal network traffic. They have learning and memory capabilities to
detect and remember so far unknown attacks. They belong to the family of cyber security
systems. Cyber security is the set of technologies and processes designed to protect
computers, networks, programs, and data from attack, unauthorized access, change, or
destruction [11]. Cyber immune systems usually adopt ML techniques. ML techniques
have the advantage that rules do not need to be programmed, hardcoded, by the
programmer, but they can learn the rules themselves. They can also learn new rules
during runtime, in case new, so far unknown anomalies occur.
consists of perceptrons, the neurons, that are interconnected. The connections represent
the axons. The basic idea of a perceptron is to find a linear function f such that:
f (x) = wT x + b
where f(x) > 0 for one class and f(x) < 0 for the other class. The weights w = (w1, w2,
…, wm) and the bias b are adjusted during training until a loss function converges [10].
Perceptrons are organized into a hierarchical structure to form multilayer percep‐
trons, a type of ANN, to represent nonlinear decision boundaries [10]. The fact that
humans can solve many classification problems with astounding ease must lie in the fact
that neurons in the brain are massively interconnected, allowing a problem to be decom‐
posed into subproblems that can be solved at the neuron level [9]. This behavior is
imitated by an ANN. The data is represented at a higher abstraction level as it passes
through the layers of the ANN. In an ANN the connections are weighted. During training,
the weights w are adjusted until the classification accuracy is satisfactory.
To evaluate the learners, different measures such as the classification accuracy, f-
score, kappa statistics etc. are used. These statistics are compared to select the best
performing learner. Training a learner it is a highly iterative process and typically many
iterations are needed until satisfactory results are obtained.
that a certain deviant pattern is malicious. It constantly updates its results based on new
evidence. It can cut off an attacking agent by observing it and detecting what information
the agent is after and where it came from.
One of the most important tasks in data mining is to select the observation points.
This process is called feature extraction or feature engineering. In many data analysis
tasks, it is useful to select and use only the relevant feature [13]. Feature extraction
reduces the data volumes that need to be analyzed to data relevant to the problem at
hand. It improves both, the training and the classification performance.
Feature Extraction.
Network traffic consists of several layers. The Internet uses the TCP/IP protocol. TCP/
IP is a four-layer network protocol. It consists of a link layer, an Internet layer, a Trans‐
port and an Application layer. A cyber immune system typically analyzes the Internet
and the Application layer. At the Internet layer, IP packets are transmitted. An IP packet
is composed of the IP (i.e., transport layer) header and the IP payload. The IP payload
might contain data or other, encapsulated higher level protocols such as Network File
System (NFS), Server Message Block (SMB), Hypertext Transfer Protocol (HTTP),
BitTorrent, Post Office Protocol (POP) Version 3, Network Basic Input/Output System
(NetBIOS), telnet, and Trivial File Transfer Protocol (TFTP) [11]. The payload may
contain malicious code such as viruses, Trojans or ransomware that can infect a target
system and make it unusable. A cyber IS needs to look at the connection data, from
where to where packages are sent, and at the payload to detect malicious content. If
unusual patterns are detected, it triggers an alarm or interrupts the network connection.
Unusual patterns at the Internet layer are for instance connections from countries that
usually do not connect to specific servers, or changes in connection frequencies or data
transfer volumes that indicate that for instance a cyber espionage attack is under way
and data is illegally transmitted to an unknown external system.
At the Application layer, connected end-point programs such as transaction or
payment systems exchange information. Analyzing the application data exchange is
used to detect for instance fraud, money laundering or online payment scams. Cyber IS
usually do not analyze the content of the transactions since there are specialized solutions
for detecting cyber fraud. They rather look at the connection patterns to detect abnormal
behavior. Contrary to the human adaptive IS, where T killer cells neutralize infected
cells, typically cyber IS do not destroy contaminated data. They use end-point protection
tools to quarantine infected attachments, or they may trigger an alarm in case they
detected an anomaly.
Usually, one feature alone is not enough to determine if an attack is under way.
Attacks on web-scale platforms usually have a behavioral signature, made up of the
series of steps involved in committing the fraud [21]. For instance, a payment to an
untrusted country is not enough to determine cyber fraud since the payment might be
legitimate. Many features need to be observed and evaluated to determine if a cyber
crime is under way with a high probability. The features are grouped, clustered, into
behavioral descriptors such as IP addresses that are associated with users and sessions.
These behavioral signatures that represent the features are extracted on a per-entity and
per-time-segment basis [21].
Cyber Immunity 205
Anomaly Detection.
Atypical network on the Internet has a lot of data traffic. To be effectively analyzed,
traffic must be grouped, for instance into email, file transfer or streaming traffic. Each
group has a different rule set since email attachments and audio and video streaming
have a different attack potential. Profiling modules perform clustering algorithms or
other data-mining and machine learning methods to group similar network connections
and search for dominant behaviors [3]. These clusters are associated with the behavioral
signature, the features, to detect anomalies. An anomaly can then be a suspicious attach‐
ment, unusual network traffic from an untrusted source or a traffic pattern from a country
where a lot of cyber criminality originates.
Clustering is usually done using unsupervised ML techniques. Typical unsupervised methods
include k-means clustering and hierarchical clustering. The traffic is grouped into centroids. In k-
means clustering, k is the number of centroids. The centroid is the barycenter of the cluster. It parti‐
tions observations into k clusters (Fig. 2). The clusters are created using a distance measure such as
the squared Euclidean distance. Distance can be the closeness of traffic in terms of time, source
address or traffic frequencies. To evaluate the cluster, metrics such as the Dunn index, Davies-
Bouldin or Silhouette index can be used. They measure the density of the centroids and the distance
between them to assure well separateness. Clustering is a preparation step for the actual anomaly
detection.
Anomaly detection happens in real-time since many attacks are “smash and run”. An attacker
breaks into a system, collects data and disconnects again. They also often use a third-party system
from where they issue the attack to obfuscate the origin. That’s why a cyber IS cannot only look at
the connection data, i.e. the IP header, but has to scan the payload for malware. An anomaly is a
deviation from “normal” network traffic that the learner has learned over a certain period of time.
However, an anomaly is not necessarily a threat and often a cyber forensic specialist has to analyze
206 P. Wlodarczak
the anomaly to determine if there is really a threat. The analyst feedback is then injected into the
training loop of the learner.
The full training lifecycle is depicted in the following Fig. 3:
The trained and deployed AIS continues to detect new anomalies. As new anomalies
are detected, the learner is updated with new thread signatures. The signatures are shared
with other AIS to make them “immune” against new threads.
3 Challenges
Because of the endless security challenges, computer and communication systems have
to continue to incorporate new approaches, methods, and techniques to process data
securely for all its users [22]. Researchers are attempting to solve two of the largest
problems in network profiling: the huge amount of network traffic flows and the diffi‐
culties in detecting patterns in the traffic data and in the learned patterns [3]. Finding
vulnerability patterns is a challenging task, and typically, during training, a high false
positive rate is obtained, and training has to continue until an acceptable rate is achieved.
A cyber IS is not fully automated. A security analyst has to verify certain automatically
detected potential cyber-attacks for their thread potential during training. There are
always cases where human judgement must be applied, and a cyber forensic specialist
has to analyze the attack.
Since many new attacks have unknown patterns, it is difficult to evaluate a trained
learner. An attack pattern might change during the attack. For instance, in a cyber
espionage attack, the stolen data might not be transferred to one single server or the data
might be transferred over a longer period to camouflage unusually high data volumes.
Usually ML schemes are tested using synthetic data to simulate an attack. This makes
it hard to predict how well a trained learner will perform on a new, unseen attack pattern.
Cybersecurity systems are vulnerable to autoimmunity attacks due to design flaws
or bugs in the source code. In humans, autoimmunity happens when the agent is so
similar to components of our body, so the IS cannot distinguish between own and foreign
tissue and attacks own organs. This can also happen in a cyber IS. However, autoim‐
munity in a cyber IS results in false positives, not necessarily in a destruction of the IS
system itself.
Lastly, a cyber IS must be Big Data ready to handle the high volumes and speed at
which data traffic is generated. The IoT with millions of connected devices will produce
Cyber Immunity 207
unprecedented amounts of data. Interconnected smart things will become the major data
producers and consumers instead of humans [15]. The data traffic cannot be indexed
such as databases to speed up searches. Instead, they have to apply the pattern matching
algorithms directly to the real-time data. This requires enough processing power to
handle all the traffic. Also, a pattern might only be suspicious if it repeats over time. The
cyber IS has to record the traffic data so it can correlate real-time data with historic data.
NoSQL databases that do not have tables and relations such as traditional relational
databases have consistently performed better on these tasks. That’s why they are the
first choice for cyber IS systems.
4 Conclusions
Cyber-intrusions pose a constant threat to today’s computer systems, and the number of
intrusions increases every year [25]. This creates a demand for cyber security systems
that can quickly react to new, unprecedented attack patterns. A cyber immune system
can detect and adapt to new, unknown threats. However, it is an addition to classic cyber
defense systems, they are not a replacement for traditional firewall, intrusion detection
or end-point protection solutions. For instance, whereas it can detect attacks with
unknown signatures, it is not capable of detecting unauthorized use of administrator
rights since this is considered normal behavior. AIS have to seamlessly integrate into
day to day security operations.
Since they learn unseen attack patterns during operations, they often share new,
learned anomalies with other cyber IS systems. They exploit the “wisdom of the crowd”
by using distributed threat databases and update them with newly detected exploits. Due
to the distributed nature and the high availability requirement cloud solutions are a good
choice for distributed cyber IS solutions. There are already early implementations of
cloud-based cyber immunity solutions with learning capabilities [14]. However, they
are still prone to high false positive rates, and human judgement is still required in many
cases. However, it is to be expected that cognitive technologies will mature soon enough
to significantly slow down cybercriminals and the accuracy, whether or not a current
security “offense” can be associated with an attack, will increase in the near future.
Some bio-inspired cyber defense systems such as the one described in this paper are
based on the AIS. Other bio-inspired cyber security systems have been based on swarm
intelligence [6]. Some are building models mimicking the mechanisms in the biological
immune system to better understand its natural processes and simulate its dynamical
behavior in the presence of antigens/pathogens [7].
Bio-inspired approaches are highly scalable, use lightweight architectures, and are
less resource-constrained compared to traditional security solutions [6]. Whereas there
are already cyber immune systems available on the market [12, 21, 24] and there have
been patents [8], the area of cyber immunity is still in its infancy and more research is
required, specifically to avoid the typically high number of false positives.
208 P. Wlodarczak
References