Peter J. Bentley

'Danger Theory: The Link between AIS and IDS?'

We present ideas about creating a next generation Intrusion Detection System (IDS) based on the latest immunological theories. The central challenge with computer security is determining the difference between normal and potentially harmful activity. For half a century, developers have protected their systems by coding rules that identify and block specific events. However, the nature of current and future threats in conjunction with ever larger IT systems urgently requires the development of automated and adaptive defensive tools. A promising solution is emerging in the form of Artificial Immune Systems (AIS): The Human Immune System (HIS) can detect and defend against harmful and previously unseen invaders, so can we not build a similar Intrusion Detection System (IDS) for our computers? Presumably, those systems would then have the same beneficial properties as HIS like error tolerance, adaptation and self-monitoring. Current AIS have been successful on test systems, but the algorithms rely on self-nonself discrimination, as stipulated in classical immunology. However, immunologist are increasingly finding fault with traditional self-nonself thinking and a new ‘Danger Theory’ (DT) is emerging. This new theory suggests that the immune system reacts to threats based on the correlation of various (danger) signals and it provides a method of ‘grounding’ the immune response, i.e. linking it directly to the attacker. Little is currently understood of the precise nature and correlation of these signals and the theory is a topic of hot debate. It is the aim of this research to investigate this correlation and to translate the DT into the realms of computer security, thereby creating AIS that are no longer limited by self-nonself discrimination. It should be noted that we do not intend to defend this controversial theory per se, although as a deliverable this project will add to the body of knowledge in this area. Rather we are interested in its merits for scaling up AIS applications by overcoming self-nonself discrimination problems.

Immune system approaches to intrusion detection --- a review

The use of artificial immune systems in intrusion detection is an appealing concept for two reasons. First, the human immune system provides the human body with a high level of protection from invading pathogens, in a robust, self-organised and distributed manner. Second, current techniques used in computer security are not able to cope with the dynamic and increasingly complex nature of computer systems and their security. It is hoped that biologically inspired approaches in this area, including the use of immune-based systems will be able to meet this challenge. Here we review the algorithms used, the development of the systems and the outcome of their implementation. We provide an introduction and analysis of the key developments within this field, in addition to making suggestions for future research.

Finding acceptable solutions in the pareto-optimal range using multiobjective genetic algorithms

This paper investigates the problem of using a genetic algorithm to converge on a small, user-defined subset of acceptable solutions to multiobjective problems, in the Pareto-optimal (P-O) range. The paper initially explores exactly why separate objectives can cause problems in a genetic algorithm (GA). A technique to guide the GA to converge on the subset of acceptable solutions is then introduced.

Towards an artificial immune system for network intrusion detection: an investigation of clonal selection with a negative selection operator

The paper describes research towards the use of an artificial immune system (AIS) for network intrusion detection. Specifically, we focus on one significant component of a complete AIS, static clonal selection with a negative selection operator, describing this system in detail. Three different data sets from the UCI repository for machine learning are used in the experiments. Two important factors, the detector sample size and the antigen sample size, are investigated in order to generate an appropriate mixture of general and specific detectors for learning non-self antigen patterns. The results of series of experiments suggest how to choose appropriate detector and antigen sample sizes. These ideal sizes allow the AIS to achieve a good non-self antigen detection rate with a very low rate of self antigen detection. We conclude that the embedded negative selection operator plays an important role in the AIS by helping it to maintain a low false positive detection rate.

Don't push me! Collision-avoiding swarms

This paper examines a particle swarm algorithm which has been applied to the generation of interactive, improvised music. An important feature of this algorithm is a balance between particle attraction to the centre of mass and repulsive, collision avoiding forces. These forces are not present in the classic particle swarm optimisation algorithms. A number of experiments illuminate the nature of these new forces and it is suggested that the algorithm may have applications to dynamic optimisation problems.

Particle swarm optimization recommender system

Recommender systems are new types of Internet-based software tools, designed to help users find their way through todays complex on-line shops and entertainment Web sites. This paper describes a new recommender system, which employs a particle swarm optimization (PSO) algorithm to learn personal preferences of users and provide tailored suggestions. Experiments are carried out to observe the performance of the system and results are compared to those obtained from the genetic algorithm (GA) recommender system and a standard, non-adaptive system based on the Pearson algorithm.

Towards development in evolvable hardware

Mapping between genotype and phenotype using a model of biological development has been widely touted as a technique for evolving solutions to large, complex problems. In this paper we describe two test-bed developmental systems for evolvable hardware problems, and compare each to a naive mapping system. We find that designing evolvable developmental systems is not a trivial problem, however early analysis of the evolved structures demonstrates the potential of the generative processes behind development. We also account for the differences between the results of the two systems, highlighting the importance of search space evolvability over size.

Improvised music with swarms

This paper describes SWARMUSIC, an interactive music improviser. A particle swarm algorithm generates musical material by a mapping of particle positions onto events in MIDI space. Interaction with an external musical source arises through the attraction of the particle swarm to a target. SWARMUSIC is the first application of swarm intelligence to music.

Biologically inspired evolutionary development

We describe the combination of a novel, biologically plausible model of development with a genetic algorithm. The Evolutionary Developmental System is an object-oriented model comprising proteins, genes and cells. The system permits intricate genomic regulatory networks to form and can evolve spherical embryos constructed from balls of cells. By attempting to duplicate many of the intricacies of natural development, and through experiments such as the ones outlined here, we anticipate that we will help to discover the key components of development and their potential for computer science.

Danger is ubiquitous: detecting malicious activities in sensor networks using the dendritic cell algorithm

There is a list of unique immune features that are currently absent from the existing artificial immune systems and other intelligent paradigms. We argue that some of AIS features can be inherent in an application itself, and thus this type of application would be a more appropriate substrate in which to develop and integrate the benefits brought by AIS. We claim here that sensor networks are such an application area, in which the ideas from AIS can be readily applied. The objective of this paper is to illustrate how closely a Danger Theory based AIS – in particular the Dendritic Cell Algorithm matches the structure and functional requirements of sensor networks. This paper also introduces a new sensor network attack called an Interest Cache Poisoning Attack and discusses how the DCA can be applied to detect this attack.