STLR: a novel danger theory based structural TLR algorithm

Document Type: ORIGINAL RESEARCH PAPER

Abstract

Artificial Immune Systems (AIS) have long been used in computer security, and especially in intrusion detection systems. AIS-based intrusion detection falls into two main categories. The first generation of AIS is inspired by adaptive immune reactions, whereas the second generation, called danger theory, models both adaptive and innate reactions to build a more biologically realistic model of the human immune system. Two danger-theory algorithms, TLR and DCA, have been proposed; both try to identify antigens by a simple identifier, and both suffer from low accuracy and detection rate because they do not take the structure of the antigens into account. In this paper we propose STLR (structural TLR), an extension of the TLR algorithm. STLR models the interaction between the adaptive and innate biological immune systems while also considering the structure of the antigens. The experimental results show that by using the structural aspects of an antigen, STLR greatly increases the detection rate and accuracy.
