As one of the solutions to intrusion detection problems, Artificial Immune Systems (AIS) have shown their advantages. Unlike genetic algorithms, there is no one archetypal AIS, instead there are four major paradigms. Among them, the Dendritic Cell Algorithm (DCA) has produced promising results in various applications. The aim of this chapter is to demonstrate the potential for the DCA as a suitable candidate for intrusion detection problems. We review some of the commonly used AIS paradigms for intrusion detection problems and demonstrate the advantages of one particular algorithm, the DCA. In order to clearly describe the algorithm, the background to its development and a formal definition are given. In addition, improvements to the original DCA are presented and their implications are discussed, including previous work done on an online analysis component with segmentation and ongoing work on automated data pre-processing. Based on preliminary results, both improvements appear to be promising for online anomaly-based intrusion detection.
TopIntroduction
Artificial Immune Systems (AIS) (de Castro and Timmis, 2003) are computer systems inspired by both theoretical immunology and observed immune functions, principles and models, which are applied to real world problems. The human immune system, from which AIS draw inspiration, is evolved to protect the host from a wealth of invading microorganisms. AIS are developed to provide the similar defensive properties within a computing context. Initially AIS were based on simple models of the human immune system. As noted by Stibor et al. (2005), “first generation algorithms”, including negative selection and clonal selection do not produce the same high quality performance as the human immune system. These algorithms, negative selection in particular, are prone to problems with scaling and the generation of excessive false alarms when used to solve problems such as network based intrusion detection. Recent AIS use more rigorous and up-to-date immunology and are developed in collaboration with modellers and immunologists. The resulting algorithms are believed to encapsulate the desirable properties of immune systems including robustness, error tolerance, and self-organisation (de Castro and Timmis, 2003).
One such “second generation” AIS is the Dendritic Cell Algorithm (DCA) (Greensmith, 2007), inspired by the function of the dendritic cells (DCs) of the innate immune system. It incorporates the principles of a key novel theory in immunology, termed the “danger theory” (Matzinger, 2002). This theory suggests that DCs are responsible for the initial detection of invading microorganisms, in addition to the induction of various immune responses against such invaders. An abstract model of natural DC behaviour is used as the foundation of the developed algorithm. The DCA has been successfully applied to numerous computer security related, more specific, intrusion detection problems, including port scan detection (Greensmith, 2007), botnet detection (Al-Hammadi et al., 2008) and a classifier for robot security (Oates et al., 2007). According to the results, the DCA has shown not only good performance in terms of detection rate, but also the ability to reduce the rate of false alarms in comparison to other systems, including Self Organising Maps (SOM) (Greensmith et al., 2008).
The main aim of this chapter is to demonstrate the reason for why the DCA is a suitable candidate for intrusion detection problems. In order to clearly describe the algorithm, the background and a formal definition are given. In addition, improvements to the original DCA are presented and their implications are discussed. The chapter is organised as follows: firstly, background information about a series of well known AIS algorithms and intrusion detection are described in section 2; secondly, several population AIS approaches for intrusion detection are introduced in section 3; thirdly, the algorithm details and formal definition of the DCA are demonstrated in section 4; fourthly, issues with the current DCA and potential solutions are discussed in section 5; finally, a summary of the work and some future directions are given in section 6.