
Danger Theory and Intrusion Detection: Possibilities and Limitations of the Analogy

  • Conference paper
Artificial Immune Systems (ICARIS 2010)

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 6209)


Abstract

Metaphors derived from Danger Theory, a hypothesized model of how the human immune system works, have been applied to the intrusion detection domain. The major contribution in this area is the dendritic cell algorithm (DCA). This paper presents an in-depth analysis of results obtained from two previous experiments regarding the suitability of the danger theory analogy in constructing intrusion detection systems for web applications. These detectors would be capable of detecting novel attacks while improving on the limitations of anomaly-based intrusion detectors. In particular, this analysis investigates which aspects of this analogy are suitable for this purpose, and which aspects of the analogy are counterproductive if utilized in the way originally suggested by danger theory. Several suggestions are given for those aspects of danger theory that are identified to require modification, indicating the possibility of further pursuing this approach. These modifications could be realized in terms of developing a robust signal selection schema and a suitable correlation algorithm. This would allow for an intrusion detection approach that has the potential to overcome those limitations presently associated with existing techniques.




Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Vella, M., Roper, M., Terzis, S. (2010). Danger Theory and Intrusion Detection: Possibilities and Limitations of the Analogy. In: Hart, E., McEwan, C., Timmis, J., Hone, A. (eds) Artificial Immune Systems. ICARIS 2010. Lecture Notes in Computer Science, vol 6209. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-14547-6_22


  • DOI: https://doi.org/10.1007/978-3-642-14547-6_22

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-14546-9

  • Online ISBN: 978-3-642-14547-6

  • eBook Packages: Computer Science, Computer Science (R0)
