The security of computer systems and the networks that interconnect them has become a major concern in recent years because of the threat posed by hackers (a person or group of persons that uses computers to gain unauthorized access to data).
To carry out an attack or intrusion, hackers may use malware (viruses, Trojans or worms). They may also exploit vulnerabilities in the data processing or communication systems currently in use, or in the protocols that govern their data exchange.
As used herein, "intrusion" is the act of gaining unauthorized access to a system or a network of systems. The unauthorized act may originate from within the protected system or network, or from systems or networks that are external to it.
Although a secured network built around user authentication, data encryption and firewalls has been able to protect companies and individuals from external and, to some degree, internal attacks, attackers continually find ways to subvert these controls and attack networks and the computers connected to them. A protection system such as a firewall is vulnerable to configuration errors and to ambiguous or undefined security policies, which leave exploitable weaknesses behind. An intrusion detection system (IDS) therefore becomes a necessity as an additional layer of defense behind the prevention techniques.
Several commercial IDSs are currently successful at detecting intrusions whose signatures are known a priori; these are known as signature-based IDSs. However, a conventional IDS of this kind is typically unable to detect a cyber-attack or intrusion that it has not been explicitly programmed to detect (i.e., one for which it has no signature).
Emerging approaches to the intrusion detection problem (and to the limitations of signature-based IDSs) involve algorithms from a branch of artificial intelligence called Artificial Immune Systems (AIS).
AIS is a developing area of artificial intelligence. AIS originally set out to find efficient abstractions of processes found in the human immune system (HIS); more recently, the field has also become interested in modeling the biological processes themselves and in applying immune algorithms to bioinformatics problems. The self-nonself (SNS) model and the danger theory (DT) model are two immunology models that have been used successfully in AIS to design IDSs that detect network attacks.
The self-nonself (SNS) model focuses on the adaptive nature of the immune system, i.e., it draws on the adaptive immune system and its memory or self-learning capability. In this model, the B cells (called detectors in AIS) carry antigen-specific receptors that recognize nonself or foreign bodies and in turn initiate an immune response specific to the system in which the AIS model is applied. In this technique, the first step is to randomly generate detectors (the AIS equivalent of B cells in the HIS). These still-immature detectors are then exposed to a set of self structures. Any detector that reacts to, or matches, any member of the self set is eliminated. The remaining detectors, which did not react to any member of the self set, become mature detectors. This selection technique is called negative selection, and the algorithm that performs it is called a Negative Selection Algorithm (NSA), described in references including S. A. Hofmeyr and S. Forrest, "Architecture for an artificial immune system," Evolutionary Computation, vol. 8, no. 4, pp. 443-473, 2000.
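The generation and detection phases described above, as an added example that is not code from the page or from Hofmeyr and Forrest. It assumes each observation is encoded as a 16-bit string (a constructed stand-in for a hashed feature such as a connection tuple), that a detector matches a string under the r-contiguous-bits rule with r = 8, and that the self set is constructed rather than measured; the detector count, seed and matching rule are all illustrative choices.

```python
"""Negative selection algorithm over fixed-length binary strings.

Added example, not code from the page or from Hofmeyr and Forrest.
Assumptions: each observation is encoded as a 16-bit string (a constructed
stand-in for a hashed feature such as a connection tuple), and a detector
matches a string under the r-contiguous-bits rule with r = 8.
"""
import random

BITS = 16
R_CONTIGUOUS = 8  # assumed matching threshold

# Constructed self set: encodings observed during a clean training window.
SELF_SET = [
    "0110100110010110",
    "0110100110011001",
    "1001011001101001",
    "0000111100001111",
    "1111000011110000",
    "0101010101010101",
]


def r_contiguous_match(a, b, r=R_CONTIGUOUS):
    """True if a and b agree in at least r consecutive positions."""
    if len(a) != len(b):
        raise ValueError("strings must have the same length")
    run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        if run >= r:
            return True
    return False


def generate_detectors(self_set, n_detectors, seed=1, max_candidates=100_000):
    """Censor random immature detectors against the self set (negative selection).

    A candidate that reacts to (matches) any self string is eliminated; the
    survivors become the mature detector set. Returns (detectors, censored).
    """
    rng = random.Random(seed)
    mature = []
    censored = 0
    while len(mature) < n_detectors and len(mature) + censored < max_candidates:
        candidate = "".join(rng.choice("01") for _ in range(BITS))
        if any(r_contiguous_match(candidate, s) for s in self_set):
            censored += 1
            continue
        mature.append(candidate)
    return mature, censored


def is_nonself(sample, detectors):
    """Detection phase: a sample is flagged nonself if any mature detector matches it."""
    return any(r_contiguous_match(sample, d) for d in detectors)


def false_positives(self_set, detectors):
    """Self strings flagged by the mature set; empty by construction of negative selection."""
    return [s for s in self_set if is_nonself(s, detectors)]


if __name__ == "__main__":
    detectors, censored = generate_detectors(SELF_SET, 50)
    print(f"{len(detectors)} mature detectors, {censored} candidates censored")
    print("false positives on self:", false_positives(SELF_SET, detectors))
    # Constructed probe. Coverage of nonself is probabilistic: a nonself string
    # that no detector happens to match is a hole in the detector set.
    probe = "1100110011001100"
    print("probe flagged nonself:", is_nonself(probe, detectors))
```

Censoring guarantees only that no mature detector reacts to the training self set; it does not guarantee that every nonself string is covered, so the size of the detector set and the matching threshold r trade detection coverage against generation cost, and a self set that is not representative of normal traffic produces false positives once the system sees normal inputs it was never shown.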
Rather than detecting nonself antigens or pathogenic molecules, the danger theory (DT) model proposes that the immune system detects the presence of danger signals released as a result of necrotic cell death within the host tissue. Necrosis is the result of cellular damage and stress caused by pathogenic infection or exposure to extreme conditions. The DT proposes that the immune system is sensitive to changes in the danger signal concentration in the tissue. This model has been abstracted into several mathematical algorithms, one of which is the Dendritic Cell Algorithm (DCA). The DCA (described in references including Greensmith, Aickelin, and Twycross, "Articulation and Clarification of the Dendritic Cell Algorithm," in Proc. of the 5th International Conference on Artificial Immune Systems, LNCS 4163, 2006, pp. 404-417) is a population-based system in which each agent is represented as a cell called a dendritic cell (DC). Each DC collects data items, termed antigen, and processes the values of the input signals; the combination of the input signals forms the cumulative output signals of the DC. The population of cells is used to correlate co-occurring and disparate data sources, effectively combining the 'suspect' data (antigen) with 'evidence' in the form of signals. Each DC combines the relative proportions of its input signals to produce its set of output signals. Input signals to the DCA are pre-categorized into three main signals: the pathogen-associated molecular pattern (PAMP) signal, the danger signal, and the safe signal. These signals are ordered by the level of malicious activity they represent: the PAMP signal indicates with a high degree of certainty that malicious activity exists, the danger signal indicates anomalous activity but with less certainty, and the safe signal means that no anomalous activity is occurring.
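The DC population described above, run over a constructed process-activity trace, as an added example that is not code from the page or from Greensmith, Aickelin and Twycross. It assumes that the three output signals (co-stimulatory CSM, semi-mature and mature) are weighted sums of the PAMP, danger and safe inputs using the illustrative weight table in the block, that antigen is a process name, that a cell presents its antigen once its cumulative CSM reaches a migration threshold, and that events are handed to cells round-robin so the run is deterministic; the weights, thresholds, signal values and trace are all constructed for illustration.

```python
"""Dendritic Cell Algorithm run over a constructed process-activity trace.

Added example, not code from the page or from Greensmith, Aickelin and
Twycross. Assumptions: the three output signals (co-stimulatory CSM,
semi-mature, mature) are weighted sums of the PAMP, danger and safe inputs
using the illustrative weight table below; antigen is a process name; events
are handed to cells round-robin so the run is deterministic.
"""
from collections import defaultdict

# Illustrative weights (assumed). The safe signal feeds the semi-mature output
# and suppresses the mature output; PAMP and danger feed the mature output.
WEIGHTS = {
    "csm":    {"pamp": 2.0, "danger": 1.0, "safe": 2.0},
    "semi":   {"pamp": 0.0, "danger": 0.0, "safe": 1.0},
    "mature": {"pamp": 2.0, "danger": 1.0, "safe": -1.5},
}
MIGRATION_THRESHOLD = 12.0  # cumulative CSM at which a cell presents (assumed)
ANOMALY_THRESHOLD = 0.5     # MCAV above which an antigen type is flagged (assumed)


class DendriticCell:
    def __init__(self):
        self.reset()

    def reset(self):
        self.outputs = {"csm": 0.0, "semi": 0.0, "mature": 0.0}
        self.antigens = []

    def sample(self, antigen, signals):
        """Collect one antigen, accumulate the weighted signals, migrate if ready."""
        self.antigens.append(antigen)
        for out, w in WEIGHTS.items():
            self.outputs[out] += sum(w[k] * signals.get(k, 0.0) for k in w)
        if self.outputs["csm"] >= MIGRATION_THRESHOLD:
            return self.migrate()
        return []

    def migrate(self):
        """Present every collected antigen under one context, then reset."""
        o = self.outputs
        context = "mature" if o["mature"] > o["semi"] else "semi"
        presented = [(a, context) for a in self.antigens]
        self.reset()
        return presented


def run_dca(events, n_cells=4):
    """events: list of (antigen, signals dict). Returns the MCAV per antigen
    type, i.e. the fraction of its presentations made in the mature context."""
    cells = [DendriticCell() for _ in range(n_cells)]
    presentations = []
    for i, (antigen, signals) in enumerate(events):
        presentations.extend(cells[i % n_cells].sample(antigen, signals))
    for cell in cells:  # assumption: cells still sampling at the end are forced to present
        if cell.antigens:
            presentations.extend(cell.migrate())
    counts = defaultdict(lambda: [0, 0])  # antigen -> [presentations, mature presentations]
    for antigen, context in presentations:
        counts[antigen][0] += 1
        counts[antigen][1] += context == "mature"
    return {a: mature / total for a, (total, mature) in counts.items()}


def classify(mcav, threshold=ANOMALY_THRESHOLD):
    """Flag each antigen type whose MCAV exceeds the anomaly threshold."""
    return {a: ("anomalous" if v > threshold else "normal") for a, v in mcav.items()}


# Constructed trace: a benign backup job runs under safe signals, then a
# dropper runs while PAMP and danger signals are raised (e.g. failed logins,
# a spike in outbound connections). Signal values are illustrative.
BENIGN = {"pamp": 0.0, "danger": 1.0, "safe": 4.0}
MALICIOUS = {"pamp": 3.0, "danger": 4.0, "safe": 0.0}
TRACE = [("backup.sh", BENIGN)] * 6 + [("dropper.exe", MALICIOUS)] * 10

if __name__ == "__main__":
    mcav = run_dca(TRACE)
    verdict = classify(mcav)
    for antigen, value in mcav.items():
        print(f"{antigen:12s} MCAV={value:.2f} -> {verdict[antigen]}")
```

With this trace the dropper's antigen is presented only in the mature context (MCAV 1.0), while the backup job receives a third of its presentations in the mature context because two of the four cells were still holding its antigen when the malicious burst began. That is the temporal correlation the DCA relies on, and its cost: a benign process active during an attack is partly blamed, which is why the verdict is taken per antigen type over many presentations against a threshold rather than per event.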
Present applications of the NSA and the DCA typically consider how one or the other can be used to protect computing systems. There has been little work on combining the NSA and the DCA to address the security of a data processing system or network.