Shachar Siboni,Asaf Cohen

DOI: https://doi.org/10.48550/arXiv.1508.03687

2015-08-15

Abstract:Modern computer threats are far more complicated than those seen in the past. They are constantly evolving, altering their appearance, perpetually changing disguise. Under such circumstances, detecting known threats, a fortiori zero-day attacks, requires new tools, which are able to capture the essence of their behavior, rather than some fixed signatures. In this work, we propose novel universal anomaly detection algorithms, which are able to learn the normal behavior of systems and alert for abnormalities, without any prior knowledge on the system model, nor any knowledge on the characteristics of the attack. The suggested method utilizes the Lempel-Ziv universal compression algorithm in order to optimally give probability assignments for normal behavior (during learning), then estimate the likelihood of new data (during operation) and classify it accordingly. The suggested technique is generic, and can be applied to different scenarios. Indeed, we apply it to key problems in computer security. The first is detecting Botnets Command and Control (C&C) channels. A Botnet is a logical network of compromised machines which are remotely controlled by an attacker using a C&C infrastructure, in order to perform malicious activities. We derive a detection algorithm based on timing data, which can be collected without deep inspection, from open as well as encrypted flows. We evaluate the algorithm on real-world network traces, showing how a universal, low complexity C&C identification system can be built, with high detection rates and low false-alarm probabilities. Further applications include malicious tools detection via system calls monitoring and data leakage identification.

Cryptography and Security

J. Twycross,U. Aickelin

2008-01-01

Abstract:The immune system provides a rich metaphor for computer security: anomaly detection that works in nature should work for machines. However, early artificial immune system approaches for computer security had only limited success. Arguably, this was due to these artificial systems being based on too simplistic a view of the immune system. We present here a second generation artificial immune system for process anomaly detection. It improves on earlier systems by having different artificial cell types that process information. Following detailed information about how to build such second generation systems, we find that communication between cells types is key to performance. Through realistic testing and validation, we show that second generation artificial immune systems are capable of anomaly detection beyond generic system policies. The chapter concludes with a discussion and outline of the next steps in this exciting area of computer security.

Uwe Aickelin,Julie Greensmith

DOI: https://doi.org/10.48550/arXiv.0802.4002

2008-02-27

Neural and Evolutionary Computing

Abstract:The immune system provides an ideal metaphor for anomaly detection in general and computer security in particular. Based on this idea, artificial immune systems have been used for a number of years for intrusion detection, unfortunately so far with little success. However, these previous systems were largely based on immunological theory from the 1970s and 1980s and over the last decade our understanding of immunological processes has vastly improved. In this paper we present two new immune inspired algorithms based on the latest immunological discoveries, such as the behaviour of Dendritic Cells. The resultant algorithms are applied to real world intrusion problems and show encouraging results. Overall, we believe there is a bright future for these next generation artificial immune algorithms.

Uwe Aickelin,Julie Greensmith

2007-01-01

Abstract:Artificial Immune Systems (AIS) are a collection of algorithms inspired by aspects of the human immune system. The arguably most obvious application of AIS was to detect intrusions in computer networks. If we can fight viruses with our immune systems, then surely we can fight computer viruses with a computer immune system? Early AIS approaches used a technique called Negative Selection, which did not provide a sufficient level of protection against intrusions. Problems were found with scalability and large numbers of false positives (false alarms) were generated. In 2003, Dr Uwe Aickelin and his colleagues proposed that the reason for the poor performance of the AIS is that Negative Selection is based on outdated concepts in immunology. It was proposed that the incorporation of the Danger Theory, a modern principle of immunology, could improve the performance of AIS when applied to intrusion detection. The result of the proposal is the Danger Project (EPSRC Adventure Fund) – an interdisciplinary collaboration between computer security experts, computer scientists, and 'wetlab' immunologists. Recently, Uwe has been awarded an Advanced ESPRC Fellowship to investigate how OR models such as set covering problems can help direct future research. The work performed to achieve these goals is the focus of this part of the seminar. Instead of trying to improve on existing heuristics, Julie Greensmith spent one year trying to understand the intricate methods the human immune system uses to detect invaders when the body is under attack. A novel idea in immunology is that the immune system releases danger signals in response to damage caused by infection. One cell in particular is involved in the collection and processing of danger signals. These cells are called Dendritic Cells (DCs). DCs are a major control unit cell of the human immune system, but were previously ignored by the AIS

Jamie Twycross,Uwe Aickelin

DOI: https://doi.org/10.48550/arXiv.0910.3117

2009-10-16

Abstract:The immune system provides a rich metaphor for computer security: anomaly detection that works in nature should work for machines. However, early artificial immune system approaches for computer security had only limited success. Arguably, this was due to these artificial systems being based on too simplistic a view of the immune system. We present here a second generation artificial immune system for process anomaly detection. It improves on earlier systems by having different artificial cell types that process information. Following detailed information about how to build such second generation systems, we find that communication between cells types is key to performance. Through realistic testing and validation we show that second generation artificial immune systems are capable of anomaly detection beyond generic system policies. The paper concludes with a discussion and outline of the next steps in this exciting area of computer security.

Artificial Intelligence,Cryptography and Security,Neural and Evolutionary Computing

Julie Greensmith,Jamie Twycross,Uwe Aickelin

DOI: https://doi.org/10.1109/cec.2006.1688374

2006-01-01

SSRN Electronic Journal

Abstract:Artificial immune systems, more specifically the negative selection algorithm, have previously been applied to intrusion detection. The aim of this research is to develop an intrusion detection system based on a novel concept in immunology, the Danger Theory. Dendritic Cells (DCs) are antigen presenting cells and key to the activation of the human immune system. DCs perform the vital role of combining signals from the host tissue and correlate these signals with proteins known as antigens. In algorithmic terms, individual DCs perform multi-sensor data fusion based on time-windows. The whole population of DCs asynchronously correlates the fused signals with a secondary data stream. The behaviour of human DCs is abstracted to form the DC Algorithm (DCA), which is implemented using an immune inspired framework, libtissue. This system is used to detect context switching for a basic machine learning dataset and to detect outgoing portscans in real-time. Experimental results show a significant difference between an outgoing portscan and normal traffic.

Julie Greensmith,Uwe Aickelin,Jamie Twycross

DOI: https://doi.org/10.48550/arXiv.1002.0696

IF: 14.4

2010-02-03

Artificial Intelligence

Abstract:In recent years computer systems have become increasingly complex and consequently the challenge of protecting these systems has become increasingly difficult. Various techniques have been implemented to counteract the misuse of computer systems in the form of firewalls, anti-virus software and intrusion detection systems. The complexity of networks and dynamic nature of computer systems leaves current methods with significant room for improvement. Computer scientists have recently drawn inspiration from mechanisms found in biological systems and, in the context of computer security, have focused on the human immune system (HIS). The human immune system provides a high level of protection from constant attacks. By examining the precise mechanisms of the human immune system, it is hoped the paradigm will improve the performance of real intrusion detection systems. This paper presents an introduction to recent developments in the field of immunology. It discusses the incorporation of a novel immunological paradigm, Danger Theory, and how this concept is inspiring artificial immune systems (AIS). Applications within the context of computer security are outlined drawing direct reference to the underlying principles of Danger Theory and finally, the current state of intrusion detection systems is discussed and improvements suggested.

Faten Louati,Farah Barika Ktata,Ikram Amous

DOI: https://doi.org/10.1093/comjnl/bxae008

2024-02-11

The Computer Journal

Abstract:Abstract Ensuring the security of computer networks is of utmost importance, and intrusion detection plays a vital role in safeguarding these systems. Traditional intrusion detection systems (IDSs) often suffer from drawbacks like reliance on outdated rules and centralized architectures, limiting their performance in the face of evolving threats and large-scale data networks. To address these challenges, we present an advanced anomaly detection-based IDS that utilizes a decentralized communicative multi-agent reinforcement learning (MARL). In our approach, multiple reinforcement learning agents collaborate in intrusion detection, effectively mitigating the non-stationarity problem and introducing a specialized secure communication method. We further enhance the learning process by incorporating external knowledge. Our approach is evaluated through extensive experiments conducted on the benchmark NSL Knowledge Discovery and Data Mining dataset. These experiments encompass diverse scenarios, involving varying numbers of agents to prove scalability feature. The results underscore the effectiveness of our method, which surpasses the performance of existing state-of-the-art solutions based on MARL, achieving a high accuracy rate of 97.80%.

computer science, information systems, theory & methods, software engineering, hardware & architecture

Uwe Aickelin,Peter Bentley,Steve Cayzer,Kim Jungwon,Julie McLeod

DOI: https://doi.org/10.1007/b12020

2008-05-16

Abstract:We present ideas about creating a next generation Intrusion Detection System based on the latest immunological theories. The central challenge with computer security is determining the difference between normal and potentially harmful activity. For half a century, developers have protected their systems by coding rules that identify and block specific events. However, the nature of current and future threats in conjunction with ever larger IT systems urgently requires the development of automated and adaptive defensive tools. A promising solution is emerging in the form of Artificial Immune Systems. The Human Immune System can detect and defend against harmful and previously unseen invaders, so can we not build a similar Intrusion Detection System for our computers.

Neural and Evolutionary Computing,Artificial Intelligence,Cryptography and Security

S. Meng,W. Schmitz,Bo Hu,F. Schultmann,S. Pickl,M. Wiens

Abstract:study RiKoV deals with mitigating risks of a terrorist attack against the German public railway system. The research method and first results will be presented and discussed in this paper. In the project, a scenario-based risk assessment method was developed tailored to intelligent, rationally acting attackers. We consider risk as a function of the system’s vulnerability, the threat to the system, and the consequences of an attack. In particular, we apply three complementary ways to deal with the problem of fundamental uncertainty with respect to the terrorists’ motivation. In a first approach, the input parameters “intention” and “capability” are regarded as fuzzy parameters which are measured in qualitative categories. The second approach is the derivation of optimal rules in a multi-criteria framework for decisions under uncertainty. Finally, we complement our elaborated risk analysis with game-theoretic arguments.

Political Science,Business,Engineering

Ziming Zhao,Zhaoxuan Li,Xiaofei Xie,Jiongchi Yu,Fan Zhang,Rui Zhang,Binbin Chen,Xiangyang Luo,Ming Hu,Wenrui Ma

DOI: https://doi.org/10.1109/tnet.2024.3413789

2024-01-01

Abstract:Anomaly-based network intrusion detection systems (NIDSs) are essential for ensuring cybersecurity. However, the security communities realize some limitations when they put most existing proposals into practice. The challenges are mainly concerned with fine-grained unknown attack detection and ever-changing legitimate traffic adaptation. To tackle these problem, we present three key design norms. The core idea is to construct a model to split the data distribution hyperplane and leverage the concept of isolation, as well as advance the incremental model update. We utilize the isolation tree as the backbone to design our model, named, to echo back three norms. By analyzing the popular dataset of network intrusion traces, we show that significantly outperforms the state-of-the-art methods. Further, we perform an initial deployment of by working with the Internet Service Provider (ISP) to detect distributed denial of service (DDoS) attacks. With real-world tests and manual analysis, we demonstrate the effectiveness of to identify previously-unseen attacks in a fine-grained manner.

Pedro Pinacho-Davidson,Matías Lermanda,Ricardo Contreras,María A. Pinninghoff

DOI: https://doi.org/10.48550/arXiv.2109.05376

2021-09-12

Abstract:The detection of anomalies in unknown environments is a problem that has been approached from different perspectives with variable results. Artificial Immune Systems (AIS) present particularly advantageous characteristics for the detection of such anomalies. This research is based on an existing detector model, named Artificial Bioindicators System (ABS) which identifies and solves its main weaknesses. An ABS based anomaly classifier model is presented, incorporating elements of the AIS. In this way, a new model (R-ABS) is developed which includes the advantageous capabilities of an ABS plus the reactive capabilities of an AIS to overcome its weaknesses and disadvantages. The RABS model was tested using the well-known DARPA'98 dataset, plus a dataset built to carry out a greater number of experiments. The performance of the RABS model was compared to the performance of the ABS model based on classical sensitivity and specificity metrics, plus a response time metric to illustrate the rapid response of R-ABS relative to ABS. The results showed a better performance of R-ABS, especially in terms of detection time.

Cryptography and Security,Neural and Evolutionary Computing

Jinquan Zeng,Yan Fu,Jianbing Hu,AnLong Chen,Lingxi Peng

2008-01-01

Journal of Information and Computational Science

Abstract:Artificial Immune System (AIS) has been successful in many realms, especially in computer security, and the correlative algorithms rely on self-nonself discrimination, as stipulated in classical immunology. But when the algorithms are used in practical applications, scaling problems of self and nonself, computational efficiency, and the changing problems of self and nonself have to be addressed. Meanwhile, immunologists are increasingly finding faults with traditional self-nonself discrimination and a new Danger Theory (DT) is emerging. This new theory suggests that Human Immune System (HIS) is more concerned with damages than nonself and HIS reacts to threats through the correlation of danger signals. Based on the DT, within the context of computer system, immune response model is presented. In the model, the definitions of the danger signal, response type and intensity, and etc. are given. Then the producing method of the danger signal is put forth, and they are significant in incorporating the DT into computer security applications. 1548-7741/Copyright © 2008 Binary Information Press October 2008.

Li Zhi-tang,Li Yao,Wang Li

DOI: https://doi.org/10.1109/hpcasia.2005.7

2005-01-01

Abstract:More and more intrusion detection systems were developed, but most of these systems have very poor accuracy. To overcome this problem, a self-adaptive anomaly detection system was developed using fuzzy detection anomaly algorithm with negative selection of biology. The algorithm improves the accuracy of the detection method and produces a novel method to measure the deviation from the normal that does not need a discrete division of the non-self space. The proposed anomaly detection model is designed as flexible, extendible, and adaptable in order to meet the needs and preferences of network administrators and can be also supplied for IPv6 environment. Different experiments are performed with MIT-DARAP 1999 dataset (Lippmann et al., 2000) and real word data from different sources. The experimental results show that the proposed algorithms provide some advantages over other algorithms

Muhammad Tahir,Mingchu Li,Naeem Ayoub,Muhammad Aamir

DOI: https://doi.org/10.3390/app9030364

2019-01-22

Applied Sciences

Abstract:Computer networks are facing threats of ever-increasing frequency and sophistication. Encryption is becoming the norm in both legitimate and malicious network traffic. Therefore, intrusion detection systems (IDSs) are now required to work efficiently regardless of the encryption. In this study, we propose two new methods to improve the efficacy of the Cisco Cognitive Threat Analytics (CTA) system. In the first method, the efficacy of CTA is improved by sharing of intelligence information across a large number of enterprise networks. In the second method, a four variant-based global reputation model (GRM) is designed by employing an outlier ensemble normalization algorithm in the presence of missing data. Intelligence sharing provides additional information in the intrusion detection process, which is much needed, particularly for analysis of encrypted traffic with inherently low information content. Robustness of the novel outlier ensemble normalization algorithm is also demonstrated. These improvements are measured using both encrypted and non-encrypted network traffic. Results show that the proposed information sharing methods greatly improve the anomaly detection efficacy of malicious network behavior with bad base-line detection efficacy and slightly improve upon the average case.

Rialda Spahic,Vidar Hepsø,Mary Ann Lundteigen

DOI: https://doi.org/10.1007/s10846-023-01887-2

2023-06-02

Journal of Intelligent and Robotic Systems: Theory and Applications

Abstract:Cyber-physical systems are taking on a permanent role in the industry, such as in oil and gas or mining. These systems are expected to perform increasingly autonomous tasks in complex settings removing human operators from remote and potentially hazardous environments. High autonomy necessitates a more extensive use of artificial intelligence methods, such as anomaly detection, to identify unusual occurrences in the monitored environment. The absence of data characterizing potentially hazardous events leads to disruptive noise displayed as false alarms, a common anomaly detection issue for hazard identification applications. Contrastingly, disregarding the false alarms can result in the opposite effect, causing loss of early indications of hazardous occurrences. Existing research introduces simulating and extrapolating less represented data to expand the information on hazards and semi-supervise the methods or by introducing thresholds and rule-based methods to balance noise and meaningful information, necessitating intensive computing resources. This research proposes a novel Warning Identification Framework that evaluates risk analysis objectives and applies them to discern between true and false warnings identified by anomaly detection. We demonstrate the results by analyzing three seismic hazard assessment methods for identifying seismic tremors and comparing the outcomes to anomalies found using the unsupervised anomaly detection method. The demonstrated approach shows great potential in enhancing the reliability and transparency of anomaly detection outcomes and, thus, supporting the operational decision-making process of a cyber-physical system.

Jungwon Kim,Julie Greensmith,Jamie Twycross,Uwe Aickelin

DOI: https://doi.org/10.48550/arXiv.1003.4142

2010-03-22

Abstract:The analysis of system calls is one method employed by anomaly detection systems to recognise malicious code execution. Similarities can be drawn between this process and the behaviour of certain cells belonging to the human immune system, and can be applied to construct an artificial immune system. A recently developed hypothesis in immunology, the Danger Theory, states that our immune system responds to the presence of intruders through sensing molecules belonging to those invaders, plus signals generated by the host indicating danger and damage. We propose the incorporation of this concept into a responsive intrusion detection system, where behavioural information of the system and running processes is combined with information regarding individual system calls.

Artificial Intelligence,Cryptography and Security,Neural and Evolutionary Computing

Haidong Yang,Jianhua Guo,Feiqi Deng

DOI: https://doi.org/10.1007/s10844-010-0118-3

2010-01-01

Journal of Intelligent Information Systems

Abstract:The current RFID systems are fragile to external attacks, due to the limitations of encryption authentication and physical protection methods used in implementation of RFID security systems. In this paper, we propose a collaborative RFID intrusion detection method that is based on an artificial immune system (AIS). The new method can enhance the security of RFID systems without need to amend the existing technical standards of RFID. Mimicking the immune cell collaboration in biological immune systems, RFID operations are defined as self and nonself antigens, representing legal and illegal RFID operations, respectively. Data models are defined for antigens' epitopes. Known RFID attacks are defined as danger signals represented by nonself antigens. We propose a method to collect RFID data for antigens and danger signals. With the antigen and danger signal data available, we use a negative selection algorithm to generate adaptive detectors for self antigens as RFID legal operations. We use an immune based clustering algorithm aiNet to generate collaborative detectors for danger signals of RFID intrusions. Simulation results have shown that the new RFID intrusion detection method has effectively reduced the false detection rate. The detection rate on known types of attacks was 98% and the detection rate on unknown type of attacks was 93%.

Ivan Homoliak,Flavio Toffalini,Juan Guarnizo,Yuval Elovici,Martín Ochoa

DOI: https://doi.org/10.48550/arXiv.1805.01612

2018-05-04

Cryptography and Security

Abstract:Insider threats are one of today's most challenging cybersecurity issues that are not well addressed by commonly employed security solutions. Despite several scientific works published in this domain, we argue that the field can benefit from the proposed structural taxonomy and novel categorization of research that contribute to the organization and disambiguation of insider threat incidents and the defense solutions used against them. The objective of our categorization is to systematize knowledge in insider threat research, while leveraging existing grounded theory method for rigorous literature review. The proposed categorization depicts the workflow among particular categories that include: 1) Incidents and datasets, 2) Analysis of attackers, 3) Simulations, and 4) Defense solutions. Special attention is paid to the definitions and taxonomies of the insider threat; we present a structural taxonomy of insider threat incidents, which is based on existing taxonomies and the 5W1H questions of the information gathering problem. Our survey will enhance researchers' efforts in the domain of insider threat, because it provides: a) a novel structural taxonomy that contributes to orthogonal classification of incidents and defining the scope of defense solutions employed against them, b) an updated overview on publicly available datasets that can be used to test new detection solutions against other works, c) references of existing case studies and frameworks modeling insiders' behaviors for the purpose of reviewing defense solutions or extending their coverage, and d) a discussion of existing trends and further research directions that can be used for reasoning in the insider threat domain.

Jamie Twycross,Uwe Aickelin,Amanda Whitbrook

DOI: https://doi.org/10.48550/arXiv.1006.3654

2010-06-18

Abstract:Artificial Immune Systems have been successfully applied to a number of problem domains including fault tolerance and data mining, but have been shown to scale poorly when applied to computer intrusion detec- tion despite the fact that the biological immune system is a very effective anomaly detector. This may be because AIS algorithms have previously been based on the adaptive immune system and biologically-naive mod- els. This paper focuses on describing and testing a more complex and biologically-authentic AIS model, inspired by the interactions between the innate and adaptive immune systems. Its performance on a realistic process anomaly detection problem is shown to be better than standard AIS methods (negative-selection), policy-based anomaly detection methods (systrace), and an alternative innate AIS approach (the DCA). In addition, it is shown that runtime information can be used in combination with system call information to enhance detection capability.

Artificial Intelligence,Cryptography and Security,Neural and Evolutionary Computing