These signals initiate maturation and consequent migration of the DC to a
virtual lymph node, where it is exposed to a population of T-cells.
The signal we are most interested in is the PAMP signal, which occurs when a
predicted vertex becomes hypothesised. This provides us with a counterfactual
hypothesis to test, i.e. “suppose a novel variation of the attack was carried
out.” The hypothesis is not unreasonable since:
1. The exploit was predicted already, therefore its prerequisites are met.
2. An exploit which depends on the consequences of the attack was carried out,
therefore the consequences of the exploit are met.
However, this is not enough for a proof, since the standard caveats about the
accuracy of the model hold. An attacker may, after all, attempt an attack whose
preconditions are not met; the attack will fail, but the IDS cannot know this.
Antigen Representation. An important part of the design of an AIS is the
representation of the domain data. A number of choices are available [12,13]. For
this algorithm we chose to use a natural encoding for the problem domain.
Network packets are blobs of binary data, and each one is decoded by the IDS. The
decoding process involves extracting, interpreting and validating the relevant
features for the purpose of matching the packet against the signature database.
Our proposed algorithm represents each packet as an array of (feature,val)
tuples. The array contains a tuple for all possible features and is ordered by
feature. Features can be either integers or character strings. Values may be set
to wildcards if the corresponding feature is not present in the packet.
This approach imposes a total order on the features. Such an order may be
based, for example, on position in the packet which in nearly all cases is invariant
and defined in protocol specifications.
Note that this representation shares structural similarities with the actual
signatures used in network IDSs. The connection is elaborated in the following
sub-section.
T-cells. By the time a DC in our system has received a PAMP signal, matured,
migrated to a lymph node and bound to a T-cell, it contains a number of candidate
packets (our antigen) and an indication of which signal caused migration.
The simple T-cell model outlined in this paper only incorporates DCs activated
by PAMPs.
The problem here is to select a subset of packets which may contain the novel
variation(s) we are looking for. The inverse of the “f” function in our correlation
algorithm provides a number of candidate signatures which may be used as a
starting point. Thus the additional context is used to significantly reduce the
search space in this phase of the algorithm.
In order to find these possible variations, a version of the IDS signature matching
algorithm is required which provides meaningful partial matching. Since most
signatures entail string searching or regular expression matching, this is not a
trivial task. For now, it will suffice to simply sum the number of matching
criteria in each signature for each packet. If a match is sufficiently close, all the
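As an added illustration (not code from the paper), the following Python puts together the antigen encoding of the previous sub-section and the crude partial match described here: each packet becomes an array of (feature, val) tuples ordered by a fixed feature list, with a wildcard for absent features, and a candidate set is selected by summing the criteria of a signature that each packet satisfies. The feature names, the substring treatment of string criteria, the sample signature and the sample packets are all constructed for the example and are not taken from the paper.

```python
from typing import Any, Dict, Iterable, List, Tuple

# Total order on features, e.g. by position in the packet (assumed order).
FEATURES = ("proto", "src_port", "dst_port", "flags", "payload")
WILDCARD = None  # value stored when a feature is absent from the packet

Antigen = Tuple[Tuple[str, Any], ...]

def encode_packet(decoded: Dict[str, Any]) -> Antigen:
    """Array of (feature, val) tuples, one per possible feature, ordered by
    feature; features missing from the decoded packet get the wildcard."""
    return tuple((f, decoded.get(f, WILDCARD)) for f in FEATURES)

def criterion_matches(criterion: Any, value: Any) -> bool:
    """One signature criterion against one antigen value. A wildcard never
    matches; a str criterion is a substring search (a crude stand-in for the
    IDS's string matching); anything else must compare equal."""
    if value is WILDCARD:
        return False
    if isinstance(criterion, str) and isinstance(value, (str, bytes)):
        needle = criterion.encode() if isinstance(value, bytes) else criterion
        return needle in value
    return criterion == value

def partial_match(signature: Dict[str, Any], antigen: Antigen) -> int:
    """Sum of the signature's criteria that this antigen satisfies."""
    values = dict(antigen)
    return sum(criterion_matches(c, values.get(f, WILDCARD))
               for f, c in signature.items())

def select_candidates(signature: Dict[str, Any], antigens: Iterable[Antigen],
                      min_fraction: float = 0.5) -> List[Tuple[int, Antigen]]:
    """Antigens whose match is 'sufficiently close': at least min_fraction of
    the criteria. Returns (score, antigen) pairs, best first; a score below
    the full criterion count marks a possible variation of the attack."""
    total = len(signature)
    scored = [(partial_match(signature, a), a) for a in antigens]
    keep = [(s, a) for s, a in scored if s >= min_fraction * total]
    return sorted(keep, key=lambda pair: -pair[0])

# Constructed sample signature (3 criteria) and decoded packets.
SIGNATURE = {"proto": 6, "dst_port": 80, "payload": "/cgi-bin/"}
SAMPLE_PACKETS = [
    {"proto": 6, "src_port": 4444, "dst_port": 80, "flags": "PA",
     "payload": b"GET /cgi-bin/a HTTP/1.0"},            # full match
    {"proto": 6, "src_port": 4445, "dst_port": 8080, "flags": "PA",
     "payload": b"GET /cgi-bin/a HTTP/1.0"},            # port variation
    {"proto": 17, "src_port": 53, "dst_port": 53},      # unrelated, no payload
]

if __name__ == "__main__":
    for score, a in select_candidates(SIGNATURE, map(encode_packet, SAMPLE_PACKETS)):
        print(score, dict(a)["dst_port"])
```

The second packet scores 2 of 3 and is kept as a near-miss, which is the kind of candidate the T-cell phase is meant to surface; the third scores 0 because its payload is a wildcard and its other values differ.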