Gianni Tedesco

Immune system approaches to intrusion detection --- a review

The use of artificial immune systems in intrusion detection is an appealing concept for two reasons. First, the human immune system provides the human body with a high level of protection from invading pathogens, in a robust, self-organised and distributed manner. Second, current techniques used in computer security are not able to cope with the dynamic and increasingly complex nature of computer systems and their security. It is hoped that biologically inspired approaches in this area, including the use of immune-based systems will be able to meet this challenge. Here we review the algorithms used, the development of the systems and the outcome of their implementation. We provide an introduction and analysis of the key developments within this field, in addition to making suggestions for future research.

Information fusion for anomaly detection with the dendritic cell algorithm

Dendritic cells are antigen presenting cells that provide a vital link between the innate and adaptive immune system, providing the initial detection of pathogenic invaders. Research into this family of cells has revealed that they perform information fusion which directs immune responses. We have derived a dendritic cell algorithm based on the functionality of these cells, by modelling the biological signals and differentiation pathways to build a control mechanism for an artificial immune system. We present algorithmic details in addition to experimental results, when the algorithm was applied to anomaly detection for the detection of port scans. The results show the dendritic cell algorithm is successful at detecting port scans.

Diophantine benchmarks for the b-cell algorithm

The B-cell algorithm (BCA) due to Kelsey and Timmis is a function optimization algorithm inspired by the process of somatic mutation of B cell clones in the natural immune system. So far, the BCA has been shown to be perform well in comparison with genetic algorithms when applied to various benchmark optimisation problems (finding the optima of smooth real functions). More recently, the convergence of the BCA has been shown by Clark, Hone and Timmis, using the theory of Markov chains. However, at present the theory does not predict the average number of iterations that are needed for the algorithm to converge. In this paper we present some empirical convergence results for the BCA, using a very different non-smooth set of benchmark problems. We propose that certain Diophantine equations, which can be reformulated as an optimization problem in integer programming, constitute a much harder set of benchmarks for evolutionary algorithms. In the light of our empirical results, we also suggest some modifications that can be made to the BCA in order to improve its performance.

Data Reduction in Intrusion Alert Correlation

Network intrusion detection sensors are usually built around low level models of network traffic. This means that their output is of a similarly low level and as a consequence, is difficult to analyze. Intrusion alert correlation is the task of automating some of this analysis by grouping related alerts together. Attack graphs provide an intuitive model for such analysis. Unfortunately alert flooding attacks can still cause a loss of service on sensors, and when performing attack graph correlation, there can be a large number of extraneous alerts included in the output graph. This obscures the fine structure of genuine attacks and makes them more difficult for human operators to discern. This paper explores modified correlation algorithms which attempt to minimize the impact of this attack.

An Immune Inspired Network Intrusion Detection System Utilising Correlation Context

Network Intrusion Detection Systems (NIDS) are computer systems which monitor a network with the aim of discerning malicious from benign activity on that network. While a wide range of approaches have met varying levels of success, most IDSs rely on having access to a database of known attack signatures which are written by security experts. Nowadays, in order to solve problems with false positive alerts, correlation algorithms are used to add additional structure to sequences of IDS alerts. However, such techniques are of no help in discovering novel attacks or variations of known attacks, something the human immune system (HIS) is capable of doing in its own specialised domain. This paper presents a novel immune algorithm for application to the IDS problem. The goal is to discover packets containing novel variations of attacks covered by an existing signature base.