Julie Greensmith,Uwe Aickelin,Steve Cayzer

DOI: https://doi.org/10.48550/arXiv.1006.5008

IF: 14.4

2010-06-25

Artificial Intelligence

Abstract:The Dendritic Cell Algorithm (DCA) is inspired by the function of the dendritic cells of the human immune system. In nature, dendritic cells are the intrusion detection agents of the human body, policing the tissue and organs for potential invaders in the form of pathogens. In this research, and abstract model of DC behaviour is developed and subsequently used to form an algorithm, the DCA. The abstraction process was facilitated through close collaboration with laboratory- based immunologists, who performed bespoke experiments, the results of which are used as an integral part of this algorithm. The DCA is a population based algorithm, with each agent in the system represented as an 'artificial DC'. Each DC has the ability to combine multiple data streams and can add context to data suspected as anomalous. In this chapter the abstraction process and details of the resultant algorithm are given. The algorithm is applied to numerous intrusion detection problems in computer security including the detection of port scans and botnets, where it has produced impressive results with relatively low rates of false positives.

Julie Greensmith,Uwe Aickelin

DOI: https://doi.org/10.48550/arXiv.1002.0276

2010-02-01

Abstract:Artificial immune systems have previously been applied to the problem of intrusion detection. The aim of this research is to develop an intrusion detection system based on the function of Dendritic Cells (DCs). DCs are antigen presenting cells and key to activation of the human immune system, behaviour which has been abstracted to form the Dendritic Cell Algorithm (DCA). In algorithmic terms, individual DCs perform multi-sensor data fusion, asynchronously correlating the the fused data signals with a secondary data stream. Aggregate output of a population of cells, is analysed and forms the basis of an anomaly detection system. In this paper the DCA is applied to the detection of outgoing port scans using TCP SYN packets. Results show that detection can be achieved with the DCA, yet some false positives can be encountered when simultaneously scanning and using other network services. Suggestions are made for using adaptive signals to alleviate this uncovered problem.

Artificial Intelligence,Cryptography and Security,Neural and Evolutionary Computing

Ehsan Farzadnia,Hossein Shirazi,Alireza Nowroozi

DOI: https://doi.org/10.13140/RG.2.2.17223.65442

2020-04-15

Abstract:The Dendritic Cell Algorithm (DCA) as one of the emerging evolutionary algorithms is based on the behavior of the specific immune agents; known as Dendritic Cells (DCs). DCA has several potentially beneficial features for binary classification problems. In this paper, we aim at providing a new version of this immune-inspired mechanism acts as a semi-supervised classifier which can be a defensive shield in network intrusion detection problem. Till now, no strategy or idea has already been adopted on the GetAntigen() function on detection phase, but randomly sampling entails the DCA to provide undesirable results in several cycles in each time. This leads to uncertainty. Whereas it must be accomplished by biological behaviors of DCs in tissues, we have proposed a novel strategy which exactly acts based on its immunological functionalities of dendritic cells. The proposed mechanism focuses on two items: First, to obviate the challenge of needing to have a preordered antigen set for computing danger signal, and the second, to provide a novel immune-inspired idea in order to non-random data sampling. A variable functional migration threshold is also computed cycle by cycle that shows necessity of the Migration threshold (MT) flexibility. A significant criterion so called capability of intrusion detection (CID) used for tests. All of the tests have been performed in a new benchmark dataset named UNSW-NB15. Experimental consequences demonstrate that the present schema dominates the standard DCA and has higher CID in comparison with other approaches found in literature.

Cryptography and Security,Machine Learning,Neural and Evolutionary Computing

Julie Greensmith,Jan Feyereisl,Uwe Aickelin

DOI: https://doi.org/10.2139/ssrn.2823401

2008-01-01

SSRN Electronic Journal

Abstract:The Dendritic Cell Algorithm (DCA) is an immune-inspired algorithm, developed for the purpose of anomaly detection. The algorithm performs multi-sensor data fusion and correlation which results in a 'context aware' detection system. Previous applications of the DCA have included the detection of potentially malicious port scanning activity, where it has produced high rates of true positives and low rates of false positives. In this work we aim to compare the performance of the DCA and of a Self-Organizing Map (SOM) when applied to the detection of SYN port scans, through experimental analysis. A SOM is an ideal candidate for comparison as it shares similarities with the DCA in terms of the data fusion method employed. It is shown that the results of the two systems are comparable, and both produce false positives for the same processes. This shows that the DCA can produce anomaly detection results to the same standard as an established technique.

Julie Greensmith,Uwe Aickelin,Steve Cayzer

DOI: https://doi.org/10.48550/arXiv.1004.3196

IF: 14.4

2010-04-19

Artificial Intelligence

Abstract:Dendritic cells are antigen presenting cells that provide a vital link between the innate and adaptive immune system. Research into this family of cells has revealed that they perform the role of coordinating T-cell based immune responses, both reactive and for generating tolerance. We have derived an algorithm based on the functionality of these cells, and have used the signals and differentiation pathways to build a control mechanism for an artificial immune system. We present our algorithmic details in addition to some preliminary results, where the algorithm was applied for the purpose of anomaly detection. We hope that this algorithm will eventually become the key component within a large, distributed immune system, based on sound immunological concepts.

Julie Greensmith,Uwe Aickelin

DOI: https://doi.org/10.48550/arXiv.1006.1512

2010-06-08

Abstract:The Dendritic Cell Algorithm is an immune-inspired algorithm orig- inally based on the function of natural dendritic cells. The original instantiation of the algorithm is a highly stochastic algorithm. While the performance of the algorithm is good when applied to large real-time datasets, it is difficult to anal- yse due to the number of random-based elements. In this paper a deterministic version of the algorithm is proposed, implemented and tested using a port scan dataset to provide a controllable system. This version consists of a controllable amount of parameters, which are experimented with in this paper. In addition the effects are examined of the use of time windows and variation on the number of cells, both which are shown to influence the algorithm. Finally a novel metric for the assessment of the algorithms output is introduced and proves to be a more sensitive metric than the metric used with the original Dendritic Cell Algorithm.

Artificial Intelligence,Neural and Evolutionary Computing

Julie Greensmith,Uwe Aickelin,Jamie Twycross

DOI: https://doi.org/10.48550/arXiv.0910.4903

2009-10-26

Abstract:The Dendritic Cell algorithm (DCA) is inspired by recent work in innate immunity. In this paper a formal description of the DCA is given. The DCA is described in detail, and its use as an anomaly detector is illustrated within the context of computer security. A port scan detection task is performed to substantiate the influence of signal selection on the behaviour of the algorithm. Experimental results provide a comparison of differing input signal mappings.

Artificial Intelligence,Neural and Evolutionary Computing

Feng Gu,Julie Greensmith,Uwe Aickelin

DOI: https://doi.org/10.48550/arXiv.1003.0319

2010-03-01

Abstract:As an immune-inspired algorithm, the Dendritic Cell Algorithm (DCA), produces promising performances in the field of anomaly detection. This paper presents the application of the DCA to a standard data set, the KDD 99 data set. The results of different implementation versions of the DXA, including the antigen multiplier and moving time windows are reported. The real-valued Negative Selection Algorithm (NSA) using constant-sized detectors and the C4.5 decision tree algorithm are used, to conduct a baseline comparison. The results suggest that the DCA is applicable to KDD 99 data set, and the antigen multiplier and moving time windows have the same effect on the DCA for this particular data set. The real-valued NSA with constant-sized detectors is not applicable to the data set, and the C4.5 decision tree algorithm provides a benchmark of the classification performance for this data set.

Artificial Intelligence,Cryptography and Security,Neural and Evolutionary Computing

Julie Greensmith,Jamie Twycross,Uwe Aickelin

DOI: https://doi.org/10.1109/cec.2006.1688374

2006-01-01

SSRN Electronic Journal

Abstract:Artificial immune systems, more specifically the negative selection algorithm, have previously been applied to intrusion detection. The aim of this research is to develop an intrusion detection system based on a novel concept in immunology, the Danger Theory. Dendritic Cells (DCs) are antigen presenting cells and key to the activation of the human immune system. DCs perform the vital role of combining signals from the host tissue and correlate these signals with proteins known as antigens. In algorithmic terms, individual DCs perform multi-sensor data fusion based on time-windows. The whole population of DCs asynchronously correlates the fused signals with a secondary data stream. The behaviour of human DCs is abstracted to form the DC Algorithm (DCA), which is implemented using an immune inspired framework, libtissue. This system is used to detect context switching for a basic machine learning dataset and to detect outgoing portscans in real-time. Experimental results show a significant difference between an outgoing portscan and normal traffic.

Julie Greensmith,Uwe Aickelin

DOI: https://doi.org/10.48550/arXiv.0907.3867

IF: 14.4

2009-07-22

Artificial Intelligence

Abstract:Dendritic cells are the crime scene investigators of the human immune system. Their function is to correlate potentially anomalous invading entities with observed damage to the body. The detection of such invaders by dendritic cells results in the activation of the adaptive immune system, eventually leading to the removal of the invader from the host body. This mechanism has provided inspiration for the development of a novel bio-inspired algorithm, the Dendritic Cell Algorithm. This algorithm processes information at multiple levels of resolution, resulting in the creation of information granules of variable structure. In this chapter we examine the multi-faceted nature of immunology and how research in this field has shaped the function of the resulting Dendritic Cell Algorithm. A brief overview of the algorithm is given in combination with the details of the processes used for its development. The chapter is concluded with a discussion of the parallels between our understanding of the human immune system and how such knowledge influences the design of artificial immune systems.

Yang ZHANG,Chen ZHANG,Chaojing TANG

DOI: https://doi.org/10.3969/j.issn.1004-373X.2015.15.016

2015-01-01

Abstract:Since the current computer defense technology is immature and the network security problem becomes more prominent,an defense algorithm for active safety based on the modified single classifier dendritic cell algorithm(DCA)is pro?posed. DCA is the latest artificial immune algorithm,which takes danger signal as the foundation to recognize foreign body. The active safety DCA weakened the subjective human factors influencing on the experimental results. In this paper,the algorithm is verified,and the verification results show that the algorithm has higher detection rate for the smurf attack.

Julie Greensmith,Jan Feyereisl,Uwe Aickelin

DOI: https://doi.org/10.1007/s12065-008-0008-6

2008-01-01

Evolutionary Intelligence

Abstract:The dendritic cell algorithm (DCA) is an immune-inspired algorithm, developed for the purpose of anomaly detection. The algorithm performs multi-sensor data fusion and correlation which results in a ‘context aware’ detection system. Previous applications of the DCA have included the detection of potentially malicious port scanning activity, where it has produced high rates of true positives and low rates of false positives. In this work we aim to compare the performance of the DCA and of a self-organizing map (SOM) when applied to the detection of SYN port scans, through experimental analysis. A SOM is an ideal candidate for comparison as it shares similarities with the DCA in terms of the data fusion method employed. It is shown that the results of the two systems are comparable, and both produce false positives for the same processes. This shows that the DCA can produce anomaly detection results to the same standard as an established technique.

Julie Greensmith,Uwe Aickelin,Steve Cayzer

2017-01-01

Abstract:Dendritic cells are antigen presenting cells that provide a vital link between the innate and adaptive immune system. Research into this family of cells has revealed that they perform the role of coordinating T-cell based immune responses, both reactive and for generating tolerance. We have derived an algorithm based on the functionality of these cells, and have used the signals and differentiation pathways to build a control mechanism for an artificial immune system. We present our algorithmic details in addition to some preliminary results, where the algorithm was applied for the purpose of anomaly detection. We hope that this algorithm will eventually become the key component within a large, distributed immune system, based on sound immunological con-

Gang Zhang,Hao Li,Zhenxiang Chen,Lizhi Peng,Yuhui Zhu,Chuan Zhao

DOI: https://doi.org/10.1109/trustcom53373.2021.00097

2021-01-01

Abstract:Android platform is facing serious malware threats due to its popularity, as evidenced by the drastic increase on the number of mobile malware families and variants in recent years. Detecting malware variants and zero-day malware is a critical challenge that must be addressed to protect mobile devices against malware attacks. In this study, we present AndroCreme, a novel network intrusion detection system (NIDS) that can identify unseen malware by analyzing the network behavior of Android malware. To address the temporal bias issue in NIDS, we propose a method for rapid iterative update of the model based on data selection and data size limitation. The selection of effective data is carried out by induction and conformal technology, and the data scale is controlled by the method of time window and data cycle selection. To further achieve fast training speed and high efficiency, we leverage a gradient boosting framework that uses a tree-based learning algorithm, namely, LightGBM, as the meta predictor. We evaluate the performance of AndroCreme over 400K real-world network flows, which are collected from over 30K Android benignware and 21K malware applications. The experimental results show that, compared with the retraining method using all data, AndroCreme requires only a small amount of datareduce more than 3x to obtain better detection performance, which effectively solves the temporal bias.

Feng Gu,Julie Greensmith,Uwe Aickelin

2010-03-02

Abstract:As one of the newest members in Artificial Immune Systems (AIS), the Dendritic Cell Algorithm (DCA) has been applied to a range of problems. These applications mainly belong to the field of anomaly detection. However, real-time detection, a new challenge to anomaly detection, requires improvement on the real-time capability of the DCA. To assess such capability, formal methods in the research of rea-time systems can be employed. The findings of the assessment can provide guideline for the future development of the algorithm. Therefore, in this paper we use an interval logic based method, named the Duration Calculus (DC), to specify a simplified single-cell model of the DCA. Based on the DC specifications with further induction, we find that each individual cell in the DCA can perform its function as a detector in real-time. Since the DCA can be seen as many such cells operating in parallel, it is potentially capable of performing real-time detection. However, the analysis process of the standard DCA constricts its real-time capability. As a result, we conclude that the analysis process of the standard DCA should be replaced by a real-time analysis component, which can perform periodic analysis for the purpose of real-time detection.

Artificial Intelligence,Logic in Computer Science

Chen Zhongmin,Wang Yu,Xu Baowen

DOI: https://doi.org/10.1109/wicom.2007.446

2007-01-01

Abstract:Mobile agent technology could be used to solve the problems on intrusion detection in network security area, while immune principle could supply reference to algorithm design of agent for detecting and analyzing data. In this paper, the detecting algorithm based on the immune principle, including the definition of problem domain, computation of affinity between the antibody and antigen,as well as between antibody, the generation of the detectors, has been elaborated. The algorithm of negative selection used in the agent has been improved The experimental result indicates that the algorithm is more adaptive than the original one.

Tieshan Zhao,Zengzhi Li,Zemin Wang,Xiaofen Lin

DOI: https://doi.org/10.1109/isda.2006.253760

2006-01-01

Abstract:Intrusion detection systems' adaptability and diversity have been researched for long time. With the development of computer immunology, the dynamic clonal selection algorithm is tried to solve the problem. Based on some improved dynamic clonal selection algorithms, an adaptive intrusion detection algorithm is presented in this paper. According to the algorithm, an intrusion detection system is composed of a self-body antigen set, a memorial immunocyte set, a mature immunocyte set and an immature immunocyte set. An immature immunocyte grows into a mature one if it goes through self-tolerance. A mature immunocyte grows into a memorial one if it matches enough non-self-body antigens in limited time and it goes through co-stimulation. A memorial immunocyte doesn't die until it can't go through co-stimulation. Immature immunocytes are generated with clone and hypermutation methods when necessary. The self-body antigen set is renewed during above co-stimulation. Simulation experiments prove that the algorithm have good adaptability and diversity

Julie Greensmith,Uwe Aickelin,Gianni Tedesco

DOI: https://doi.org/10.48550/arXiv.1003.0789

IF: 14.4

2010-03-03

Artificial Intelligence

Abstract:Dendritic cells are antigen presenting cells that provide a vital link between the innate and adaptive immune system, providing the initial detection of pathogenic invaders. Research into this family of cells has revealed that they perform information fusion which directs immune responses. We have derived a Dendritic Cell Algorithm based on the functionality of these cells, by modelling the biological signals and differentiation pathways to build a control mechanism for an artificial immune system. We present algorithmic details in addition to experimental results, when the algorithm was applied to anomaly detection for the detection of port scans. The results show the Dendritic Cell Algorithm is sucessful at detecting port scans.

Yousof Al-Hammadi,Uwe Aickelin,Julie Greensmith

DOI: https://doi.org/10.2139/ssrn.2830396

2008-01-01

Abstract:Ensuring the security of computers is a nontrivial task, with many techniques used by malicious users to compromise these systems. In recent years a new threat has emerged in the form of networks of hijacked zombie machines used to perform complex distributed attacks such as denial of service and to obtain sensitive data such as password information. These zombie machines are said to be infected with a ‘bot’ - a malicious piece of software which is installed on a host machine and is controlled by a remote attacker, termed the ‘botmaster of a botnet’. In this work, we use the biologically inspired Dendritic Cell Algorithm (DCA) to detect the existence of a single bot on a compromised host machine. The DCA is an immune-inspired algorithm based on an abstract model of the behaviour of the dendritic cells of the human body. The basis of anomaly detection performed by the DCA is facilitated using the correlation of behavioural attributes such as keylogging and packet flooding behaviour. The results of the application of the DCA to the detection of a single bot show that the algorithm is a successful technique for the detection of such malicious software without responding to normally running programs.

Feng Gu,Jan Feyereisl,Robert Oates,Jenna Reps,Julie Greensmith,Uwe Aickelin

DOI: https://doi.org/10.1007/978-3-642-22371-6_17

2011-01-01

Abstract:Theoretical analyses of the Dendritic Cell Algorithm (DCA) have yielded several criticisms about its underlying structure and operation. As a result, several alterations and fixes have been suggested in the literature to correct for these findings. A contribution of this work is to investigate the effects of replacing the classification stage of the DCA (which is known to be flawed) with a traditional machine learning technique. This work goes on to question the merits of those unique properties of the DCA that are yet to be thoroughly analysed. If none of these properties can be found to have a benefit over traditional approaches, then "fixing" the DCA is arguably less efficient than simply creating a new algorithm. This work examines the dynamic filtering property of the DCA and questions the utility of this unique feature for the anomaly detection problem. It is found that this feature, while advantageous for noisy, time-ordered classification, is not as useful as a traditional static filter for processing a synthetic dataset. It is concluded that there are still unique features of the DCA left to investigate. Areas that may be of benefit to the Artificial Immune Systems community are suggested.