Field of the Disclosure
The embodiments described herein relate to a method and system in which a Dendritic Cell Algorithm module uses the Dendritic Cell Algorithm to detect malware in computer systems.
Description of the Related Art
Malware (viruses, trojans, “advanced persistent threats,” etc.) represents a significant potential risk in embedded network systems, such as, for example, computer networks in factory control systems. Safeguarding the integrity of a given network is often an important task for ensuring the overall safety of critical systems. As a result, detection of viruses and malware is an increasingly critical task in embedded systems.
Unfortunately, recent trends demonstrate that malware creators are willing to dedicate significant time and resources to the dissemination of malware, and the malware can often be cloaked and hidden in sophisticated ways. Further, the continual development of malware requires users to continually take action to update their malware protection in an effort to protect their devices and/or systems. Usefully, viruses and hosts have been waging an on-going war in the biological domain for many millennia. The outcome of that biological war is a remarkably sophisticated and subtle system that can quickly detect, attack, and kill harmful invaders, while avoiding both damage to the self and the killing of other symbiotic organisms in the body.
Artificial immune systems (AIS) are a collection of algorithms developed from models or abstractions of the function of the cells of the human immune system. One category of AIS is based on the Danger Theory and includes the Dendritic Cell Algorithm (DCA), which is based on the behavior of Dendritic Cells (DCs) within the human immune system. DCs have the power to suppress or activate the immune system through the correlation of signals from an environment, combined with location markers in the form of antigen. The function of a DC is to instruct the immune system to act when the body is under attack, policing the tissue for potential sources of damage. DCs are natural anomaly detectors; they are the sentinel cells of the immune system. The DCA has demonstrated potential as a static classifier for a machine learning data set and as an anomaly detector for real-time port scan detection.
The DCA has been described in a number of references, including Greensmith, Aickelin and Twycross, "Articulation and Clarification of the Dendritic Cell Algorithm," in Proc. of the 5th International Conference on Artificial Immune Systems, LNCS 4163, 2006, pp. 404-417. The following features of the DCA differentiate the algorithm from other AIS algorithms: (1) multiple signals are combined and are a representation of environment or context information; (2) signals are combined with antigen in a temporal and distributed manner; (3) pattern matching is not used to perform detection, unlike negative selection; and (4) cells of the innate immune system are used as inspiration, not the adaptive immune cells, and unlike clonal selection, no dynamic learning is attempted.
As described in the DCA literature, DCs can perform various functions, depending on their state of maturation. Modulation between these maturation states is facilitated by the detection of signals within the tissue, namely: (1) danger signals, (2) pathogen-associated molecular patterns (PAMPs), (3) apoptotic signals (safe signals), and (4) inflammatory cytokines. The DCA has been implemented successfully in various localized applications, which have made use of danger signals, PAMPs, and safe signals. Existing DCA implementations have used only a single signal vector as an indication of the state of the environment. The single signal vector is made up of four floating point values, representing PAMP, danger, safe and inflammation.
In an actual implementation of the DCA it may be necessary to have multiple indicators, each of which describes one feature of the environment. For instance, in an embedded network, indicators of the status of various aspects, such as overall bandwidth utilization, recent network traffic endpoints, and time since the last heartbeat event, may all contribute to the state of the environment. The DCA's performance, with respect to true and false positives, is often improved by adding additional indicators to be considered by the DCA. This mimics the behavior of the human immune system, where the dendritic cell has upwards of fifteen to twenty different indicators, called Toll-Like Receptors (TLRs), each one evolved to detect a specific feature or a small set of features (e.g., one TLR has evolved to target features only found on the tuberculosis bacterium).
Present applications of the DCA typically consider only one or two outputs of feature indicators. There has been very little development on combining feature indicators together to analyze the status of the environment or system. Instead, the DCA may use a mean of all the indicator outputs. As a result, one very “strong” indicator output (also referred to herein as a “strong” signal), or even multiple “strong” indicator outputs, may be drowned out by a large number of “nominal” indicator outputs (also referred to herein as “nominal” signals).
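The following Python sketch is an added illustration, not code from the disclosure or from the DCA literature it cites: it walks one dendritic cell through the cycle described above (weighted combination of a four-value signal vector, antigen sampling, migration once costimulation crosses a threshold, and a per-antigen mature-context fraction), and ends with the plain mean of indicator outputs that the preceding paragraph criticises. The weights, the migration threshold, the treatment of inflammation as a multiplier, and the sample stream are assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from collections import defaultdict

# Assumed weights, columns = (PAMP, danger, safe), in the style of the DCA literature.
WEIGHTS = {"csm": (2.0, 1.0, 2.0), "semi": (0.0, 0.0, 1.0), "mature": (2.0, 1.0, -1.5)}
MIGRATION_THRESHOLD = 10.0  # assumed costimulation level at which a cell migrates

def signal_outputs(pamp, danger, safe, inflammation=0.0):
    """One signal vector -> (csm, semi, mature) increments; inflammation is assumed to scale the rest."""
    scale = 1.0 + inflammation
    return {k: scale * (wp * pamp + wd * danger + ws * safe) for k, (wp, wd, ws) in WEIGHTS.items()}

@dataclass
class DendriticCell:
    csm: float = 0.0
    semi: float = 0.0
    mature: float = 0.0
    antigen: list = field(default_factory=list)

    def sample(self, signal, antigen_id):
        """Accumulate one signal vector plus the antigen seen with it."""
        for name, value in signal_outputs(*signal).items():
            setattr(self, name, getattr(self, name) + value)
        self.antigen.append(antigen_id)
        return self.csm >= MIGRATION_THRESHOLD  # True when the cell should migrate

    def context(self):
        return "mature" if self.mature > self.semi else "semi"

def run_dca(stream):
    """Single-cell DCA over (signal, antigen) pairs; returns MCAV per antigen."""
    presented = defaultdict(lambda: [0, 0])  # antigen -> [mature count, total]
    cell = DendriticCell()
    for signal, antigen_id in stream:
        if cell.sample(signal, antigen_id):
            mature = cell.context() == "mature"
            for a in cell.antigen:
                presented[a][0] += mature
                presented[a][1] += 1
            cell = DendriticCell()
    return {a: m / t for a, (m, t) in presented.items()}

def mean_aggregate(indicator_outputs):
    """Plain mean of indicator outputs: the combination the text criticises."""
    return sum(indicator_outputs) / len(indicator_outputs)

# Constructed stream: (PAMP, danger, safe, inflammation) with the antigen seen alongside it.
SAMPLE_STREAM = [((0, 0, 5, 0), "proc_A"), ((2, 1, 0, 0), "proc_B"), ((2, 1, 0, 0), "proc_A"),
                 ((0, 0, 2, 0), "proc_C"), ((0, 0, 3, 1), "proc_C")]
```

On the constructed stream, proc_B is only ever presented in a mature context (fraction 1.0) and proc_C only in a semi-mature one (0.0), while a single strong indicator output of 1.0 among nine nominal outputs of 0.1 is averaged down to 0.19.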