In summary, DCs take up antigen from the environment and present it to T-cells.
DCs also take up signals from the environment and produce signals which are
received by T-cells. The ultimate response of a T-cell to an antigen is determined
by both the antigen presented by the DC and the signals produced by the DC.
Section 3 below describes the implementation of this model in the context of a
computer intrusion detection problem.
3 The Algorithm
For this purpose the “libtissue” [9,10] AIS framework, a product of a danger
theory project [1], will model a number of innate immune system components
such as dendritic cells in order to direct an adaptive T-cell based response.
Dendritic cells will carry the responsibility of discerning dangerous and safe
contexts as well as carrying out their role of presenting antigen and signals to a
population of T-cells as in [4].
Tissue and Dendritic Cells. Dendritic cells (henceforth DCs) are of a class of
cells in the immune system known as antigen presenting cells. They differ from
other cells in this class in that this is their sole discernible function. As well as
being able to absorb and present antigenic material DCs are also well adapted
to detecting a set of endogenous and exogenous signals which arise in the tissue
(IDS correlation graph).
These biological signals are abstracted in our system under the following
designations:
1. Safe: Indicates a safe context for developing toleration.
2. Danger: Indicates a change in behaviour that could be considered pathological.
3. Pathogen Associated Molecular Pattern (PAMP) [3]: Known to be dangerous.
In our system a distinction is made between activation by endogenous danger
signals and activation through TLR receptors.
All of these environmental circumstances, or inputs, are factors in the life
cycle of the DC. In the proposed system, DCs are seen as living within the IDS
environment. This is achieved by wiring up their environmental inputs to changes
in the IDS output state. A population of DCs is tied to the prediction vertices
in the correlation graph, one DC for each predicted attack. Packets matching the
prediction criteria of such a vertex are collected as antigen by the corresponding
DC. These packets are either stored in memory or logged to disk until the DC
matures and is required to present the antigen to a T-cell.
Once a prediction vertex has been added to the correlation graph, the arrival
of subsequent alerts can cause that vertex to either be upgraded to an exploit
vertex, changed to a hypothesised vertex, or become redundant as sibling vertices
are so modified. These possible state changes will result in either a PAMP, danger
or safe signal respectively.
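The wiring described above, as an added example (not code from libtissue or from the authors): each prediction vertex gets one DC that collects matching packets as antigen, and the vertex's next state change delivers a PAMP, danger or safe signal. The vertex labels, packet fields and the rule that the first signal matures the DC are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Optional

class Signal(Enum):
    PAMP = "pamp"
    DANGER = "danger"
    SAFE = "safe"

# New state of a prediction vertex -> signal sent to its DC (order as in the text).
SIGNAL_FOR_STATE = {
    "exploit": Signal.PAMP,         # upgraded to an exploit vertex
    "hypothesised": Signal.DANGER,  # changed to a hypothesised vertex
    "redundant": Signal.SAFE,       # sibling vertices were modified instead
}

@dataclass
class DendriticCell:
    criteria: Callable[[dict], bool]      # prediction criteria of the vertex
    antigen: list = field(default_factory=list)
    context: Optional[Signal] = None      # None while the DC is immature

    def observe(self, packet: dict) -> None:
        # Only an immature DC keeps sampling packets as antigen.
        if self.context is None and self.criteria(packet):
            self.antigen.append(packet)

    def signal(self, new_state: str) -> None:
        # Assumption: the first vertex state change matures the DC.
        if self.context is None:
            self.context = SIGNAL_FOR_STATE[new_state]

def run(predictions: dict, events: list) -> dict:
    """Replay events; return {prediction: (antigen, signal)} for mature DCs."""
    dcs = {name: DendriticCell(crit) for name, crit in predictions.items()}
    for kind, *body in events:
        if kind == "packet":
            for dc in dcs.values():
                dc.observe(body[0])
        elif kind == "vertex":
            name, new_state = body
            dcs[name].signal(new_state)
    return {n: (dc.antigen, dc.context) for n, dc in dcs.items()
            if dc.context is not None}

# Constructed sample: two prediction vertices and an interleaved event stream.
PREDICTIONS = {"pred-A": lambda p: p["dport"] == 22,
               "pred-B": lambda p: p["dport"] == 80}
EVENTS = [("packet", {"id": 1, "dport": 22}), ("packet", {"id": 2, "dport": 80}),
          ("vertex", "pred-A", "exploit"), ("packet", {"id": 3, "dport": 22}),
          ("packet", {"id": 4, "dport": 80}), ("vertex", "pred-B", "redundant")]
```

Calling `run(PREDICTIONS, EVENTS)` yields, per mature DC, the antigen it would present to a T-cell together with the signal context it matured under.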