The immune system provides a rich metaphor for computer security: anomaly detection that works in nature should work for machines. However, early artificial immune system approaches for computer security had only limited success. Arguably, this was due to these artificial systems being based on too simplistic a view of the immune system. We present here a second generation artificial immune system for process anomaly detection. It improves on earlier systems by having different artificial cell types that process information. Following detailed information about how to build such second generation systems, we find that communication between cells types is key to performance. Through realistic testing and validation, we show that second generation artificial immune systems are capable of anomaly detection beyond generic system policies. The chapter concludes with a discussion and outline of the next steps in this exciting area of computer security.
Biological approaches to computer security are appealing for a number of reasons. Williamson (2002) discusses some of these reasons and their impact on the design of computer security systems. Biological organisms have developed many novel, parsimonious, and effective protection mechanisms. As computer systems and networks become more complex, traditional approaches are often ineffective and suffer from problems such as scalability, and biological systems are important sources of inspiration when designing new approaches. The short position paper of Morel (2002) discusses the general design of cyber-security systems that provide a large distributed computer network with a high degree of survivability. He proposes that a cyber-security system emulate the architecture of the biological immune system. As in this chapter, the innate immune system is considered central to the immune response, processing information and controlling the adaptive immune system. An effective cyber-security system should emulate the key features of the biological system, most importantly distributed control; it should provide multiple information gathering mechanisms; and it should coevolve with the threat.
In another interesting position paper, Williams (1996) explores the similarities between people’s health and the security of complex computer systems. Humans are composed of distinct but tightly integrated multilayer systems, have external interfaces which can receive a wide range of input and which carefully balance security and functionality, and have internal interfaces with protection mechanisms. They are not born with many of their defenses, but learn to protect themselves against recurring threats such as viruses, and are able to identify and develop defenses for new threats. The body is able to detect conditions that are likely to lead to injury. It is surrounded by a skin which, if damaged, leads to further response. Williams suggests that computer systems also need to have virtual skins with similar functionality. He highlights the importance of the balance between functionality, security, and flexibility. Humans, as with computer systems, live in a complex environment where conditions change over time. Both computer and biological systems are very sensitive to the input they receive. Biological systems check and filter input at many levels, and he suggests security systems need to do the same. He also emphasises the impossibility of accurately measuring health in humans, which is reflected in the difficulty of measuring the security of computer systems. His general view is that the computer security industry is becoming as specialised as the healthcare industry, with security engineers akin to doctors.
Key Terms in this Chapter
Artificial Immune System: A relatively new class of metaheuristics that mimics aspects of the human immune system to solve computational problems. This method has shown particular promise for anomaly detection. Previous artificial immune systems have shown some similarities with evolutionary computation. This is because they focus on the adaptive immune system. More recent approaches have combined this with aspects of the innate immune system to create a second generation of artificial immune systems.
Adaptive Immune System: Central components of the adaptive immune system are T cells and B cells. The overall functionality of the adaptive immune system is to try to eliminate threats through antibodies, which have to be produced such that they match antigen. This is achieved in an evolutionary-like manner, with better and better matches being produced over a short period of time. The adaptive system remembers past threats and hence has the capability of responding faster to future similar events.
Process Anomaly Detection: A method of detecting intrusions on computer systems. The aim is to detect misbehaving processes, as this could be a sign of an intrusion. The detection is based on syscalls (i.e., activities by the processes) and context signals (e.g., CPU load, memory usage, or network activity).
T Cells: Created in the thymus (hence the “T”), these cells come in different subtypes. Cytotoxic T cells directly destroy infected cells. T helper cells are essential to activate other cells (e.g., B cells). T reg cells suppress inappropriate responses.
Dendritic Cells: These belong to the class of antigen presenting cells. During their life, dendritic cells ingest antigen and redisplay it on their surface. In addition, dendritic cells mature differently depending on the context signals they are exposed to. Using these two mechanisms, these cells differentiate between dangerous and non-dangerous material and then activate T cells.
Innate Immune System: Central components of the innate immune system are antigen presenting cells and in particular dendritic cells. Until recently, the innate system was viewed as less important than the adaptive system and its main function was seen as an information pre-processing unit. However, the latest immunological research shows that it is the innate system that actually controls the adaptive system. Above all, dendritic cells seem to be the key decision makers.
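To make the Process Anomaly Detection and Dendritic Cells entries concrete, here is an added toy scorer in the dendritic-cell style; it is an illustration written for this page, not the chapter's own system. Each syscall carries its process name as antigen; the accompanying context signals (CPU load, network activity, and an assumed "safe" signal such as a known maintenance window) decide whether the cell that sampled the antigen matures as dangerous or not, and the per-process mature-context antigen value (MCAV) is what a later policy step thresholds. The signal weights, migration threshold, round-robin cell assignment and sample events are all assumptions.

```python
# Toy dendritic-cell-style process scorer: an added illustration, not the
# chapter's system. Antigen = process name seen on a syscall; context signals
# = CPU load, network activity and an assumed "safe" signal. Weights,
# threshold, round-robin assignment and the sample events are assumptions.
from collections import defaultdict

WEIGHTS = {"cpu": 1.0, "net": 1.5, "safe": -2.0}  # assumed: + danger, - safe
MIGRATION_THRESHOLD = 6.0  # assumed: signal a cell absorbs before it migrates

class DendriticCell:
    def __init__(self):
        self.antigens = []   # antigen sampled while the cell is "immature"
        self.total = 0.0     # lifespan consumed by absorbed signal
        self.context = 0.0   # danger evidence minus safe evidence

    def expose(self, antigen, signals):
        self.antigens.append(antigen)
        for name, value in signals.items():
            self.total += abs(value)
            self.context += WEIGHTS[name] * value

    def migrated(self):
        return self.total >= MIGRATION_THRESHOLD

def score_processes(events, n_cells=4):
    """events: list of (process, {signal: value}) in arrival order.
    Returns {process: MCAV}: the fraction of that process's presentations
    made by cells that matured as "dangerous" (context > 0)."""
    pool = [DendriticCell() for _ in range(n_cells)]
    presented, mature = defaultdict(int), defaultdict(int)
    for i, (proc, signals) in enumerate(events):
        idx = i % n_cells            # deterministic here; real DCAs sample
        pool[idx].expose(proc, signals)
        if pool[idx].migrated():
            dangerous = pool[idx].context > 0
            for antigen in pool[idx].antigens:  # cell presents all it holds
                presented[antigen] += 1
                mature[antigen] += int(dangerous)
            pool[idx] = DendriticCell()         # migrated cell is replaced
    return {a: mature[a] / presented[a] for a in presented}

def flag_anomalies(mcav, threshold=0.5):
    """Policy step standing in for T-cell activation: flag processes whose
    MCAV reaches the (assumed) threshold."""
    return sorted(p for p, v in mcav.items() if v >= threshold)

# Constructed sample: an editor under low load inside a safe window, followed
# by a process burning CPU and network with no safe context.
SAMPLE_EVENTS = ([("editor", {"cpu": 0.5, "safe": 1.0})] * 30
                 + [("miner", {"cpu": 3.0, "net": 2.0})] * 30)
```

On the sample the editor still scores 0.2 rather than 0, because a few cells held editor antigen when the first high-load events arrived; this is why a population of cells and a threshold, rather than a single cell's verdict, drive the decision.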