See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/315861769

Cyber Immunity - A Bio-Inspired Cyber Defense System

Conference Paper  in  Lecture Notes in Computer Science · April 2017

DOI: 10.1007/978-3-319-56154-7_19

CITATION READS

1 783

1 author:

Peter Wlodarczak
University of Southern Queensland 
17 PUBLICATIONS   42 CITATIONS   

SEE PROFILE

Some of the authors of this publication are also working on these related projects:

Social Media Mining View project

Big Data Analysis View project

All content following this page was uploaded by Peter Wlodarczak on 23 November 2018.

The user has requested enhancement of the downloaded file.

 Cyber Immunity
A Bio-Inspired Cyber Defense System

Peter Wlodarczak ✉
( )

University of Southern Queensland, West Street, Toowoomba, QLD 4350, Australia

wlodarczak@gmail.com

Abstract. Bio-inspired computing is an active field of research since nature has

found solutions for many real-world problems where research so far struggled to
develop effective implementations. A new area of research is cyber immunity. Cyber
immune systems try to mimic the adaptive immune system of humans and animals
because of its capability to detect and fend off new, unseen pathogens. Today’s cyber
security systems provide an effective defense mechanism against cyber-attacks.
However, traditional firewall and intrusion detection systems often struggle to detect
and repel so far unknown attacks. A cyber immune system can mitigate this short‐
coming by detecting new, unknown cyber-attacks and by providing a powerful
defense mechanism. This paper describes the recent advances in cyber immune
systems and their underlying, bio-inspired technologies.

Keywords: Bio-inspired computing · Cyber immunity · Adaptive Immune

System · Machine Learning

1 Introduction

Bio-inspired computing is an area of research in computer science that aims to build

systems modeled after biological phenomenon. Bio-inspired computing uses computers
to model nature and simultaneously the study of nature to improve the usage of
computers [16]. Bio-inspired computing includes genetic algorithms based on evolu‐
tionary processes, Artificial Intelligence (AI) and Artificial Neural Networks (ANN),
sensor networks (sensory organs) or artificial immune systems. A recent area of research
is cyber immunity based on the human adaptive immune system. Cyber immune systems
often use Machine Learning (ML) methods, an area of AI. ML is bio-inspired since it
is imitating human learning capabilities on computers. This paper describes an approach
for cyber immunity based on AI using ML techniques.

1.1 The Human Immune System

The human body has a remarkably effective defense mechanisms, the immune system
(IS), that detects a wide range of harmful agents, called pathogens, such as viruses,
parasites, and microbes. The IS has the capability to distinguish pathogens from healthy
tissue. The skin fends off external threats to our body similarly to a firewall. It is

© Springer International Publishing AG 2017

I. Rojas and F. Ortuño (Eds.): IWBBIO 2017, Part II, LNBI 10209, pp. 199–208, 2017.
DOI: 10.1007/978-3-319-56154-7_19
200 P. Wlodarczak

constantly renewed and adaptive. Our bodies are police states; the IS constantly monitors
the internal environment. In the absence of a working IS, even minor infections can take
hold and prove fatal [4].
The IS consists of an innate immune system and a much younger adaptive immune
system (AIS). Innate immunity is present in both, vertebrates and invertebrates, whereas
the adaptive immune system is found only in invertebrates [4]. If a pathogen breaches
physical barriers of the body, the innate immune system provides an immediate, but
non-specific response. It is not capable of conferring long-lasting immunity. If a
pathogen evades the innate immune system, the AIS is activated. The AIS can generate
a pathogen specific, tailored response. It is antigen-specific, and the response is remem‐
bered in case the same pathogen enters the body a second time. It can then provide a
quick, antigen specific response. The immune system is capable of learning, memory,
and pattern recognition [5]. Similarly, the AIS acts as the immune system memory.
The AIS consists of lymphocytes. The major types are B-cells and T-cells. B cells
identify pathogens when antibodies on their surface bind to a specific foreign antigen.
In the case of an antigen entering the body, the immune system activates signal molecules
that attract specialized immune cells, called killer T cells, to the site of infection. The
killer T cells destroy cells that are infected by viruses and other pathogens or other
dysfunctional cells. An AIS detects and neutralizes malware such as Trojans or ransom‐
ware by quarantining or erasing it. This function is analogous to the functions in biolog‐
ical systems of natural killer cells, which kill cells infected with known or unknown
viruses, and of macrophages, which phagocytize bacteria [17]. When B cells and T cells
are activated, they begin to replicate, and some of their offspring become long-lived
memory cells. A cyber IS imitates this behavior. It has adaptive and memory function‐
ality and recognizes cyber threats using pattern recognition.

1.2 Problem Description

In today’s world, where more and more devices are connected to the Internet, cyber
security has gained unprecedented importance since attacks can be executed instantly,
over long distances without the need to transport weapons over distance to deploy them.
New forms of cyber-attacks such as Advanced Persistent Threats (APT) and zero-day
exploits pose a serious risk for devices such as smart sensors, machines or whole
construction sites that communicate through the Internet. The Internet of Things (IoT),
or Industry 4.0, where cyber-physical systems communicate and cooperate with each
other, expose devices that often use legacy code or firmware that was not originally
developed with cyber threats in mind. These facilities were often built without the ability
to communicate, and no security measures were implemented. Connectivity was often
added after they were constructed exposing them to cyber-threats. The need to open the
previously closed production sites offers a whole new attack surface for cyber criminals
and the need for effective tools to fence off smart factories, or power grids has never
been higher. The amount of data produced on the Internet is ever increasing and
analyzing it for malware has become a serious challenge. The Internet of Things (IoT)
is about millions of connected, communicating and exchanging objects, scattered all
over the world and generating tremendous amounts of data using their sensors every
 Cyber Immunity 201

single second [15]. They combine physical devices with the Internet and form cyber-
physical systems. Data-injection attacks can degrade the operational reliability and
security of any cyber-physical infrastructures [20].
APTs are a set of sophisticated stealth hacking processes used for cyber-espionage
or cyber-sabotage. Zero-day exploits are undisclosed vulnerabilities which leave the
author with “zero days” to create a patch or find a workaround. They are often traded
on the dark web and at the time of attack no security patch exists yet. They are uniquely
featured by the stealthy, continuous, sophisticated and well-funded attack process for
long-term malicious gain, which render the current defense mechanisms inappli‐
cable [18].
An intrusion occurs when an attacker attempts to gain entry into or disrupt the normal
operations of an information system, almost always with the intent to do harm [23].
Today’s cyber-attacks fall into three categories:
• attacks by cyber criminals who want to enrich themselves by stealing credit card
information, hacking into bank accounts etc.
• hacktivists such as the Anonymous group who have a political agenda
• commercial groups that are engaged in cyber-warfare such as cyber-espionage (The
Dukes) [1] or sabotage (Stuxnet) [2]
They are usually highly qualified, highly motivated and are often government or
agency-sponsored or supported. For instance, Stuxnet, that destroyed the uranium
enrichment facilities in Natanz, Iran, was purportedly developed by the NSA and the
Mossad. However, neither country confirmed its involvement. Natanz was not even
connected to any external network. Not only was Stuxnet much more complex than any
other piece of malware seen before, it also followed a completely new approach that’s
no longer aligned with conventional confidentiality, integrity, and availability
thinking [2].
Conventional cyber security systems such as classic firewalls, intrusion detection
systems or end-point protection do not suffice anymore since they cannot detect zero-
day attacks or ATP since these exploit new, unknown vulnerabilities. To meet today’s
cyber security needs, a cyber defense system needs the capability to recognize and repel
unknown attacks and adapt to new threats without disrupting the business. Because we
have no way of knowing all vulnerabilities, the only resources we can use to learn attack
patterns are the sequences of events correlated with the cyber-attacks [3]. Cyber
immunity is a bio-inspired approach based on the human AIS that is capable of learning
and detecting attacks with unknown signatures (Fig. 1). It mimics the AIS using machine
learning techniques by learning normal network behavior and detecting anomalies based
on what it has learned. It should be noted that “immune system” is used as a metaphor.
There is no analogy between biological and artificial immune systems in the “mecha‐
nisms” of innate and adaptive immunity [17].
202 P. Wlodarczak

2 Framework of a Cyber Immune System

Cyber immune systems detect attacks not based on their signature but based on anoma‐
lies detected in normal network traffic. They have learning and memory capabilities to
detect and remember so far unknown attacks. They belong to the family of cyber security
systems. Cyber security is the set of technologies and processes designed to protect
computers, networks, programs, and data from attack, unauthorized access, change, or
destruction [11]. Cyber immune systems usually adopt ML techniques. ML techniques
have the advantage that rules do not need to be programmed, hardcoded, by the
programmer, but they can learn the rules themselves. They can also learn new rules
during runtime, in case new, so far unknown anomalies occur.

2.1 Machine Learning

ML is a branch of cognitive computing, which is a subarea of Artificial Intelligence (AI).

Cognitive science and linguistics emerged as fields at roughly the same time as artificial
intelligence, all deeply influenced by the advent of the computer [19]. Cognitive
computing has adaptive and learning capabilities, and contextual understanding of
elements such as text meaning or domain knowledge. These capabilities make cognitive
computing ideal for cyber immunity solutions. They belong to the family of cognitive
security solutions. ML is essentially a series of advanced statistics applied to historic
data to determine the likely future. In cyber ISs, they predict the probability that a certain
network traffic pattern or data transfer is malicious and needs to be discarded. Whereas
humans learn from experience, computers learn from data. ML schemes have to be
trained using training data. During training, they learn rules inductively; the rules do not
need to be programmed. ML techniques are adopted when there are too many rules to
be programmed by a developer or when the rules are too complicated.
There are many different ML techniques. Popular ML schemes include naïve Bayes,
Artificial Neural Network (ANN), Support Vector Machine (SVM), Logistic Regression
(LR) and decision tree induction learners. Usually, several schemes are trained, and the
best performing learner is then used for real-time analysis. It is important to notice that
many ML schemes such as ANN, SVM and LR are probabilistic models. They return
probabilities that a certain behavior is abnormal. Naïve Bayes classifier is a generative,
probabilistic model whereas Logistic Regression and SVN are discriminative probabil‐
istic models. They don’t allow to generate samples from the joint distribution of the
observed variable x and dependent unobserved variable y. Decision trees are non-prob‐
abilistic prediction models.
A learning cycle goes through several phases. First, the data is collected and pre-
processed. During pre-processing, the data set is purified from irrelevant data. Relevance
filtering is an important step since most ML schemes are prone to overfitting. Overfitting
happens if the learner gets too complicated and starts to capture noise. The learner is
trained by using the purified data set. The training data is also called the truth data or
gold data. The basic idea is to find a function that classifies network traffic into normal
and deviant, malicious behavior. This is called binary classification. For instance, a ANN
 Cyber Immunity 203

consists of perceptrons, the neurons, that are interconnected. The connections represent
the axons. The basic idea of a perceptron is to find a linear function f such that:

f (x) = wT x + b

where f(x) > 0 for one class and f(x) < 0 for the other class. The weights w = (w1, w2,
…, wm) and the bias b are adjusted during training until a loss function converges [10].
Perceptrons are organized into a hierarchical structure to form multilayer percep‐
trons, a type of ANN, to represent nonlinear decision boundaries [10]. The fact that
humans can solve many classification problems with astounding ease must lie in the fact
that neurons in the brain are massively interconnected, allowing a problem to be decom‐
posed into subproblems that can be solved at the neuron level [9]. This behavior is
imitated by an ANN. The data is represented at a higher abstraction level as it passes
through the layers of the ANN. In an ANN the connections are weighted. During training,
the weights w are adjusted until the classification accuracy is satisfactory.
To evaluate the learners, different measures such as the classification accuracy, f-
score, kappa statistics etc. are used. These statistics are compared to select the best
performing learner. Training a learner it is a highly iterative process and typically many
iterations are needed until satisfactory results are obtained.

2.2 Cyber Immune System

Virus DNA changes, so the immune system has to adapt to recognize the signature of
the virus. Similarly, in cyber security, we have to deal with an ever-evolving adversary.
Since the attack is unknown, we cannot learn the signature of the attack from previous
ones. Instead of learning attack signatures, a cyber IS learns what normal network traffic
looks like over an extended period of time. Once trained, it calculates the probability

Fig. 1. Comparison of biological and artificial immune system

204 P. Wlodarczak

that a certain deviant pattern is malicious. It constantly updates its results based on new
evidence. It can cut off an attacking agent by observing it and detecting what information
the agent is after and where it came from.
One of the most important tasks in data mining is to select the observation points.
This process is called feature extraction or feature engineering. In many data analysis
tasks, it is useful to select and use only the relevant feature [13]. Feature extraction
reduces the data volumes that need to be analyzed to data relevant to the problem at
hand. It improves both, the training and the classification performance.

Feature Extraction.
Network traffic consists of several layers. The Internet uses the TCP/IP protocol. TCP/
IP is a four-layer network protocol. It consists of a link layer, an Internet layer, a Trans‐
port and an Application layer. A cyber immune system typically analyzes the Internet
and the Application layer. At the Internet layer, IP packets are transmitted. An IP packet
is composed of the IP (i.e., transport layer) header and the IP payload. The IP payload
might contain data or other, encapsulated higher level protocols such as Network File
System (NFS), Server Message Block (SMB), Hypertext Transfer Protocol (HTTP),
BitTorrent, Post Office Protocol (POP) Version 3, Network Basic Input/Output System
(NetBIOS), telnet, and Trivial File Transfer Protocol (TFTP) [11]. The payload may
contain malicious code such as viruses, Trojans or ransomware that can infect a target
system and make it unusable. A cyber IS needs to look at the connection data, from
where to where packages are sent, and at the payload to detect malicious content. If
unusual patterns are detected, it triggers an alarm or interrupts the network connection.
Unusual patterns at the Internet layer are for instance connections from countries that
usually do not connect to specific servers, or changes in connection frequencies or data
transfer volumes that indicate that for instance a cyber espionage attack is under way
and data is illegally transmitted to an unknown external system.
At the Application layer, connected end-point programs such as transaction or
payment systems exchange information. Analyzing the application data exchange is
used to detect for instance fraud, money laundering or online payment scams. Cyber IS
usually do not analyze the content of the transactions since there are specialized solutions
for detecting cyber fraud. They rather look at the connection patterns to detect abnormal
behavior. Contrary to the human adaptive IS, where T killer cells neutralize infected
cells, typically cyber IS do not destroy contaminated data. They use end-point protection
tools to quarantine infected attachments, or they may trigger an alarm in case they
detected an anomaly.
Usually, one feature alone is not enough to determine if an attack is under way.
Attacks on web-scale platforms usually have a behavioral signature, made up of the
series of steps involved in committing the fraud [21]. For instance, a payment to an
untrusted country is not enough to determine cyber fraud since the payment might be
legitimate. Many features need to be observed and evaluated to determine if a cyber
crime is under way with a high probability. The features are grouped, clustered, into
behavioral descriptors such as IP addresses that are associated with users and sessions.
These behavioral signatures that represent the features are extracted on a per-entity and
per-time-segment basis [21].
 Cyber Immunity 205

Anomaly Detection.
Atypical network on the Internet has a lot of data traffic. To be effectively analyzed,
traffic must be grouped, for instance into email, file transfer or streaming traffic. Each
group has a different rule set since email attachments and audio and video streaming
have a different attack potential. Profiling modules perform clustering algorithms or
other data-mining and machine learning methods to group similar network connections
and search for dominant behaviors [3]. These clusters are associated with the behavioral
signature, the features, to detect anomalies. An anomaly can then be a suspicious attach‐
ment, unusual network traffic from an untrusted source or a traffic pattern from a country
where a lot of cyber criminality originates.
Clustering is usually done using unsupervised ML techniques. Typical unsupervised methods
include k-means clustering and hierarchical clustering. The traffic is grouped into centroids. In k-
means clustering, k is the number of centroids. The centroid is the barycenter of the cluster. It parti‐
tions observations into k clusters (Fig. 2). The clusters are created using a distance measure such as
the squared Euclidean distance. Distance can be the closeness of traffic in terms of time, source
address or traffic frequencies. To evaluate the cluster, metrics such as the Dunn index, Davies-
Bouldin or Silhouette index can be used. They measure the density of the centroids and the distance
between them to assure well separateness. Clustering is a preparation step for the actual anomaly
detection.

Fig. 2. k-means clustering

Anomaly detection happens in real-time since many attacks are “smash and run”. An attacker
breaks into a system, collects data and disconnects again. They also often use a third-party system
from where they issue the attack to obfuscate the origin. That’s why a cyber IS cannot only look at
the connection data, i.e. the IP header, but has to scan the payload for malware. An anomaly is a
deviation from “normal” network traffic that the learner has learned over a certain period of time.
However, an anomaly is not necessarily a threat and often a cyber forensic specialist has to analyze
206 P. Wlodarczak

the anomaly to determine if there is really a threat. The analyst feedback is then injected into the
training loop of the learner.
The full training lifecycle is depicted in the following Fig. 3:

Fig. 3. AIS training cycle

The trained and deployed AIS continues to detect new anomalies. As new anomalies
are detected, the learner is updated with new thread signatures. The signatures are shared
with other AIS to make them “immune” against new threads.

3 Challenges

Because of the endless security challenges, computer and communication systems have
to continue to incorporate new approaches, methods, and techniques to process data
securely for all its users [22]. Researchers are attempting to solve two of the largest
problems in network profiling: the huge amount of network traffic flows and the diffi‐
culties in detecting patterns in the traffic data and in the learned patterns [3]. Finding
vulnerability patterns is a challenging task, and typically, during training, a high false
positive rate is obtained, and training has to continue until an acceptable rate is achieved.
A cyber IS is not fully automated. A security analyst has to verify certain automatically
detected potential cyber-attacks for their thread potential during training. There are
always cases where human judgement must be applied, and a cyber forensic specialist
has to analyze the attack.
Since many new attacks have unknown patterns, it is difficult to evaluate a trained
learner. An attack pattern might change during the attack. For instance, in a cyber
espionage attack, the stolen data might not be transferred to one single server or the data
might be transferred over a longer period to camouflage unusually high data volumes.
Usually ML schemes are tested using synthetic data to simulate an attack. This makes
it hard to predict how well a trained learner will perform on a new, unseen attack pattern.
Cybersecurity systems are vulnerable to autoimmunity attacks due to design flaws
or bugs in the source code. In humans, autoimmunity happens when the agent is so
similar to components of our body, so the IS cannot distinguish between own and foreign
tissue and attacks own organs. This can also happen in a cyber IS. However, autoim‐
munity in a cyber IS results in false positives, not necessarily in a destruction of the IS
system itself.
Lastly, a cyber IS must be Big Data ready to handle the high volumes and speed at
which data traffic is generated. The IoT with millions of connected devices will produce
 Cyber Immunity 207

unprecedented amounts of data. Interconnected smart things will become the major data
producers and consumers instead of humans [15]. The data traffic cannot be indexed
such as databases to speed up searches. Instead, they have to apply the pattern matching
algorithms directly to the real-time data. This requires enough processing power to
handle all the traffic. Also, a pattern might only be suspicious if it repeats over time. The
cyber IS has to record the traffic data so it can correlate real-time data with historic data.
NoSQL databases that do not have tables and relations such as traditional relational
databases have consistently performed better on these tasks. That’s why they are the
first choice for cyber IS systems.

4 Conclusions

Cyber-intrusions pose a constant threat to today’s computer systems, and the number of
intrusions increases every year [25]. This creates a demand for cyber security systems
that can quickly react to new, unprecedented attack patterns. A cyber immune system
can detect and adapt to new, unknown threats. However, it is an addition to classic cyber
defense systems, they are not a replacement for traditional firewall, intrusion detection
or end-point protection solutions. For instance, whereas it can detect attacks with
unknown signatures, it is not capable of detecting unauthorized use of administrator
rights since this is considered normal behavior. AIS have to seamlessly integrate into
day to day security operations.
Since they learn unseen attack patterns during operations, they often share new,
learned anomalies with other cyber IS systems. They exploit the “wisdom of the crowd”
by using distributed threat databases and update them with newly detected exploits. Due
to the distributed nature and the high availability requirement cloud solutions are a good
choice for distributed cyber IS solutions. There are already early implementations of
cloud-based cyber immunity solutions with learning capabilities [14]. However, they
are still prone to high false positive rates, and human judgement is still required in many
cases. However, it is to be expected that cognitive technologies will mature soon enough
to significantly slow down cybercriminals and the accuracy, whether or not a current
security “offense” can be associated with an attack, will increase in the near future.
Some bio-inspired cyber defense systems such as the one described in this paper are
based on the AIS. Other bio-inspired cyber security systems have been based on swarm
intelligence [6]. Some are building models mimicking the mechanisms in the biological
immune system to better understand its natural processes and simulate its dynamical
behavior in the presence of antigens/pathogens [7].
Bio-inspired approaches are highly scalable, use lightweight architectures, and are
less resource-constrained compared to traditional security solutions [6]. Whereas there
are already cyber immune systems available on the market [12, 21, 24] and there have
been patents [8], the area of cyber immunity is still in its infancy and more research is
required, specifically to avoid the typically high number of false positives.
208 P. Wlodarczak

References

1. Eronen, P.: Russian hybrid warfare (2016). http://www.defenddemocracy.org/content/

uploads/documents/Russian_Hybrid_Warfare.pdf
2. Langner, R.: Stuxnet: dissecting a cyberwarfare weapon. IEEE Secur. Priv. 9(3), 49–51 (2011)
3. Dua, S.: Data Mining and Machine Learning in Cybersecurity. CRC Press, Boca Raton (2011)
4. Parham, P.: The Immune System. Garland Science, New York (2014)
5. Farmer, J.D., Packard, N.H., Perelson, A.S.: The immune system, adaptation, and machine
learning. Physica D 22(1), 187–204 (1986)
6. Bitam, S., Zeadally, S., Mellouk, A.: Bio-inspired cybersecurity for wireless sensor networks.
IEEE Commun. Mag. 54(6), 68–74 (2016)
7. Dasgupta, D.: Advances in artificial immune systems. IEEE Comput. Intell. Mag. 1(4), 40–
49 (2006)
8. Hill, D.W., Lynn, J.T.: Adaptive system and method for responding to computer network security attacks
(2000)
9. Witten, I.H., Frank, E., Hall, M.A.: Data Mining, 3rd edn. Elsevier, Burlington (2011)
10. Wlodarczak, P., Soar, J., Ally, M.: Multimedia data mining using deep learning, pp. 190–196
(2015)
11. Buczak, M.A., Guven, G.: A survey of data mining and machine learning methods for cyber security
intrusion detection. IEEE Commun. Surv. Tutor. 18(2), 1153–1176 (2016)
12. Darktrace: The enterprise immune system (2016). https://www.darktrace.com/
13. Runkler, T.A.: Data Analytics. Springer, Wiesbaden (2012)
14. IBM launches Watson for Cyber security beta program. IBM (2016). http://www-03.ibm.com/
press/us/en/pressrelease/51189.wss. Accessed 19 Dec 2016
15. Karkouch, A., et al.: Data quality in internet of things: a state-of-the-art survey. J. Netw.
Comput. Appl. 73, 57–81 (2016)
16. Pintea, C.-M.: Bio-inspired computing. In: Pintea, C.-M. (ed.) Advances in Bio-inspired
Computing for Combinatorial Optimization Problems, pp. 3–19. Springer, Heidelberg (2014)
17. Okamoto, T., Tarao, M.: Toward an artificial immune server against cyber attacks. Artif. Life
Robot. 21(3), 351–356 (2016)
18. Hu, P., Li, H., Fu, H., Cansever, D., Mohapatra, P.: Dynamic defense strategy against
advanced persistent threat with insiders, pp. 747–755. IEEE Xplore Digital Library (2015)
19. Graves, A., Wayne, G., Danihelka, I.: Neural Turing Machines. Google DeepMind, London
(2014)
20. Khalid, H.M., Peng, J.C.H.: A Bayesian algorithm to enhance the resilience of WAMS applications against
cyber attacks. IEEE Trans. Smart Grid 7(4), 2026–2037 (2016)
21. Veeramachaneni, K., Arnaldo, I., Korrapati, V., Bassias, C., Li, K.: AI^2: training a big data
machine to defend, pp. 49–54 (2016)
22. Kose, U.: An artificial intelligence perspective on ensuring cyber-assurance for the internet
of things. In: Cyber-Assurance for the Internet of Things, p. 249 (2016)
23. Gupta, A., Bhati, B.S., Jain, V.: Artificial intrusion detection techniques: a survey. Int. J.
Comput. Netw. Inf. Secur. 6(9), 51 (2014)
24. Musliner, D.J., Rye, J.M., Thomsen, D., McDonald, D.D., Burstein, M.H., Robertson, P.:
FUZZBUSTER: towards adaptive immunity from cyber threats. In: Fifth IEEE Conference
on Self-Adaptive and Self-Organizing Systems Workshops, pp. 137–140 (2016)
25. Musliner, D.J., Friedman, S.E., Marble, T., Rye, J.M., Boldt, M.W., Pelican, M.: Self-
adaptation metrics for active cybersecurity. In: IEEE 7th International Conference on Self-
Adaptation and Self-Organizing Systems Workshops, pp. 53–58 (2013)

View publication stats