It should be noted that the results are not directly comparable to other IDS
algorithms as the problem being solved is uniquely circumscribed. Rather than
designing an anomaly detection algorithm to find previously unknown attacks,
a misuse detector and alert correlator are extended to detect a certain kind of
anomaly arising from the incomplete models that are invariably used with such
algorithms.
Initial results are promising despite the high false positive rate. However, since
the output is already clustered (all packets sampled by a given DC are linked
together), an upper bound on false positives combined with a low false negative
rate means that each such cluster will usually contain an accurate detection.
The DCs in the presented model are able to detect specific anomalous patterns
of tissue growth and identify where and when novel attacks are taking place.
After a DC has made an initial selection of candidate packets, it is then the
responsibility of the T-cells to reduce the number of packets still further by
detecting structural similarities in the data. DCs are concerned primarily with
detecting abnormal behaviour within their environmental context, whereas T-
cells are concerned primarily with discerning patterns within the antigen data.
The co-ordination of both types of immune cell with each other and with the tissue
through orthogonal programming interfaces makes for a neat and efficient solution.
Further investigation into the T-cell phase of the algorithm should be fruitful.
The algorithm presented in this paper is fairly basic and does not incorporate
meaningful partial matching, which is important for both performance and accuracy.
A tolerance mechanism might also be useful in integrating the information conveyed
by the safe and danger signals, to further improve the false positive rate in the
difficult cases where malicious traffic differs only slightly from legitimate
traffic. Future testing should also incorporate historically problematic attack
variations in order to provide a more realistic appraisal of the algorithm.
A mechanism for the automated generation of signatures for the novel vari-
ations discovered by the algorithm would be ideal. Work such as [17] shows us
that this should, in theory, be possible with acceptable precision.
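As an added illustration of the two-phase flow described in this section (this is not code from the paper, whose DC and T-cell implementations are not specified here at this level of detail), the following Python sketch runs a DC phase that judges fixed windows of packets by the context signals seen with them and emits each flagged window whole as one cluster, then a T-cell phase that thins each cluster by structural similarity of the antigen and returns the shared motifs a signature generator could start from. The window size, the danger-minus-safe score, character 4-grams as the unit of structural similarity, and the sample request lines are all assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    pid: int
    antigen: str   # the antigen: a normalised request line, all the T-cell sees
    danger: float  # context signal recorded alongside it (e.g. an error burst)
    safe: float    # context signal recorded alongside it (e.g. a normal reply)


def shingles(text, k=4):
    """Character k-grams: the structural units the T-cell phase compares
    (k=4 is an assumption for this example)."""
    return {text[i:i + k] for i in range(len(text) - k + 1)}


def dc_phase(packets, window=4):
    """Each DC samples a fixed window of the stream and sums the context
    signals seen with it. A window where danger outweighs safe is emitted
    whole as one candidate cluster; the remaining windows define the
    'safe' antigen baseline used by the T-cell phase."""
    clusters, baseline = [], set()
    for start in range(0, len(packets), window):
        win = packets[start:start + window]
        if sum(p.danger - p.safe for p in win) > 0:
            clusters.append(win)
        else:
            for p in win:
                baseline |= shingles(p.antigen)
    return clusters, baseline


def tcell_phase(cluster, baseline, min_support=2):
    """Within one DC cluster keep only packets that share a structural motif
    (a k-gram) absent from the safe baseline and present in at least
    min_support packets. Returns (kept packets, shared motifs); the motifs
    are what an automated signature generator would start from."""
    novel = [shingles(p.antigen) - baseline for p in cluster]
    support = Counter(sh for shs in novel for sh in shs)
    motifs = {sh for sh, n in support.items() if n >= min_support}
    kept = [p for p, shs in zip(cluster, novel) if shs & motifs]
    return kept, motifs


def detect(packets):
    """Full pipeline: returns, per DC cluster, the packet ids that survive
    the T-cell phase. An empty list means the DC alarm had no structural
    support, i.e. a DC false positive the T-cell phase discards."""
    clusters, baseline = dc_phase(packets)
    return [[p.pid for p in tcell_phase(c, baseline)[0]] for c in clusters]


# Constructed sample stream (not captured traffic): window 1 is quiet, window 2
# carries two traversal variants among benign requests, window 3 is benign
# traffic that happened to coincide with a spurious danger signal.
SAMPLE = [
    Packet(1, "GET /index.html HTTP/1.1", 0.0, 1.0),
    Packet(2, "GET /about.html HTTP/1.1", 0.0, 1.0),
    Packet(3, "POST /login HTTP/1.1", 0.0, 1.0),
    Packet(4, "GET /img/logo.png HTTP/1.1", 0.0, 1.0),
    Packet(5, "GET /news.html HTTP/1.1", 0.3, 0.7),
    Packet(6, "GET /cgi-bin/a.cgi?f=../../../../etc/passwd HTTP/1.1", 0.8, 0.2),
    Packet(7, "GET /about.html HTTP/1.1", 0.3, 0.7),
    Packet(8, "GET /cgi-bin/b.cgi?p=../../../../etc/shadow HTTP/1.1", 0.8, 0.2),
    Packet(9, "GET /contact.html HTTP/1.1", 0.6, 0.4),
    Packet(10, "GET /index.html HTTP/1.1", 0.6, 0.4),
    Packet(11, "POST /login HTTP/1.1", 0.6, 0.4),
    Packet(12, "GET /faq.html HTTP/1.1", 0.6, 0.4),
]

if __name__ == "__main__":
    print(detect(SAMPLE))  # [[6, 8], []]
```

Both danger-heavy windows come out of the DC phase as clusters; the T-cell phase keeps only the two traversal variants from the second window (they share motifs such as `/../` and `/etc` that never appear in safe context) and empties the third, which is the behaviour the section argues for: a bounded number of DC false positives costs little when the clustered output lets the T-cell stage discard clusters with no shared structure.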
References
1. U Aickelin, P Bentley, S Cayzer, J Kim and J McLeod. "Danger Theory: The Link between AIS and IDS?" 2nd International Conference on Artificial Immune Systems. 2003.
2. R N Germain. "An innately interesting decade of research in immunology." Nature Medicine. Vol. 10, No. 4, pp. 1307-1320. 2004.
3. C A Janeway Jr. "Approaching the Asymptote? Evolution and Revolution in Immunology." Cold Spring Harb Symp Quant Biol. 54 Pt 1:1-13. 1989.
4. J Greensmith, U Aickelin and S Cayzer. "Introducing Dendritic Cells as a Novel Immune-Inspired Algorithm for Anomaly Detection." 4th International Conference on Artificial Immune Systems, pp. 153-167. 2005.
5. P Matzinger. "Tolerance, danger and the extended family." Annual Reviews in Immunology, 12:991-1045. 1994.