Biological inspired intrusion prevention and self-healing system for network security based on danger theory, M Elsadig, A Abdullah

Tags: Azween Abdullah Computer Science Letters Vol., agent, ANA, actions, Computer Science, immune system, ADA, responsibilities, Intrusion Detection, International Conference, behaviour, Petri net, knowledge base, Bio Inspired Intrusion Prevention, Faculty of Information Technology, Agent-Oriented Software Engineering, Self-Healing Software Systems, Bu Misuse, University of Nottingham, system components, Anomaly Detection, system component, abnormal behaviour, S. Cayzer, National Postgraduate Conference, J. Feyereisl, SYS, G. Tedesco, Self-healing, agent components, structural analysis, multi-agent system, SHA, Model states, weight function, artificial immune system, J. Greensmith, International Journal of Unconventional Computing, P. J. Bentley, Kim J. Bentley P., Artificial Immune Systems, U. Aickelin, J. Timmis
Content: www.csl.issres.net
Vol. 1 (1) June 2009
Biological Inspired Intrusion Prevention and Self-healing System for Network Security Based on Danger Theory

Muna Elsadig 1, Azween Abdullah 1
1 Department of Computer and Information Science, Universiti Teknologi PETRONAS, Bandar Seri Iskandar, 31750 Tronoh, Perak, Malaysia

Abstract

This paper presents a model of an intrusion prevention and self-healing system for network security. The model detects, prevents, and heals harmful events, which are the actual cause of damage to any of the system's components. The proposed model explores the design and implementation of artificial immune systems (AISs) inspired by the human immune system. Novel approaches to network security based on the combination of biologically inspired intrusion prevention (IP) and self-healing concepts are implemented in the proposed model. These approaches are based upon data inspired by the human immune system (HIS), which is applied to the autonomous defence system. The system integrates an artificial immune intrusion prevention system for network security inspired by the immunology theory known as danger theory and by the adaptive immune system. The present model looks at the danger model and its application to attack defence in order to create a fully decentralized model. The intrusion prevention system (IPS) analyzes the behaviour of system processes and network traffic to detect harmful events. Abnormal behaviours are the actual cause of damage to any of the system's components. The detection of the damage caused by different types of malicious events or attack profiles is used to trigger the self-healing (SH) mechanism. This system is autonomous and enhances fault repair and system recovery.

Keywords: Artificial immune system, Network Security, intrusion prevention, Self-healing, agent
Corresponding Author: S.A. Ibrahim. Email: [email protected]. Telephone: +607 5046378. Fax: +607 5046378.
© 2009-2012 All rights reserved. ISSR Journals
Muna Elsadig, Azween Abdullah
Computer Science Letters
Vol. 1(1) 2009
1. Introduction

With the explosive growth of network systems, information exchange has become routine between computers around the world, and the need for network security has become even more critical with the rise of information technology in everyday life [1]. Meanwhile, the complexity of attacks is on the rise regardless of the beefed-up security measures. Intrusion prevention systems provide an in-line mechanism that focuses on identifying and blocking malicious network activity in real time. The immune system presents a valuable metaphor for computer security systems and is an appealing mechanism because, firstly, the human immune system defends the body against pathogens with a high level of protection in a self-organized, robust, distributed and diverse manner. Secondly, current security systems are not able to handle the dynamic and increasingly complex nature of computer systems and their security needs. In addressing this deficiency, artificial immune systems (AISs) have been successfully applied to a number of network security problem domains, including intrusion detection systems, intrusion prevention systems (IPS) and anti-malware systems. This paper looks at the model of computer immune systems and its application to an intrusion prevention system combined with a self-healing system, creating an autonomous system built from agents in multiple layers. The present model focuses on building a biologically inspired AIS for intrusion prevention with the following security features:

1. Autonomous security system to secure the network system: a system that responds effectively to new malicious activities without human intervention, which would significantly improve the network security system and optimize its performance.
2. Robust multi-layered security system: decreases false alerts and errors in detecting and preventing malicious activities.
3. Hybrid intrusion prevention system: a system that has the capability to detect and prevent both anomalies and misuse by malicious activities.
4. Healing of damage caused by attacks: a combination of the features of the intrusion prevention system and the self-healing mechanism to enhance the survivability of network systems.

The paper is structured as follows: in section 2 the background on IPS, self-healing systems and the HIS is summarized. The autonomous IPS and SH model design is explained in section 3. The algorithms of the designed model are explained in section 4. In section 5 the features and limitations of the model are presented with a comparative study. Finally, discussion, conclusion and future work are provided in section 6.

2. Background

Intrusion prevention systems (IPS) were developed to resolve ambiguities in passive network monitoring by placing detection systems in-line [1]. The required capabilities, features, methodologies and technologies of intrusion prevention systems are clarified in [1,2,3]. To achieve a secure, multi-defence capability in the network security system, hybrid technology has been applied in the proposed model.

2.1 Human Immune System

The human immune system (HIS) [4] is responsible for an organism's protection against foreign particles, and is based on two main mechanisms: the innate immune system, which is an
organism's first line of defense, and the adaptive immune system. The features of the HIS are desirable to adapt to network security systems in order to protect them from harmful activities. The immune system is a multilevel dynamic system of cells, molecules, tissues, organs and circulatory systems [5,6]. In this view the HIS provides the basis for representing intrusion prevention as a system of autonomous agents. The main roles of the adaptive immune system include: the recognition of specific "non-self" antigens in the presence of "self" during the process of antigen presentation, the generation of responses that are tailored to maximally eliminate specific pathogen-infected cells, and the development of immunological memory, in which each pathogen is "remembered" by a signature antibody. All details are explained in [7,8,9]. This matching between antibodies and antigens is the core of the adaptive immune system and of most first-generation AIS implementations [10,11]. The mechanisms of the innate immune system are usually triggered when microbes are recognized by pattern identification receptors, which identify components that are conserved among broad groups of microorganisms, or when damaged or stressed cells send out distress signals. The innate immune system's response to pathogens is generic, meaning that the protection mechanisms of these systems are non-specific. The innate immune response is explained in [12,13,14]. The dendritic cells (DCs), which are one kind of antigen presenting cell (APC), act as natural data fusion agents. They are present in three states of differentiation, immature, semi-mature and mature, which determine their exact role [14]. The transition between the different states depends upon the signals received while in the initial, immature state. The classes of input signals are defined in Table 1.

Signals that point to damage cause a transition from immature to mature; signals indicating good health in the monitored tissue cause a transition from immature to semi-mature. Each DC has the capability to combine the relative extent of the input signals to produce its own set of output signals. DCs interpret the signals of the presented antigen in an overall "normal" or "anomalous" context; for more details see [12,34]. To achieve the IPS requirements, which are security capabilities, performance, adaptability, scalability, configurability and robustness, the mechanisms of three HIS cells were mapped: the dendritic cell mechanism, B-cells and T-cells. These cooperating mechanisms are effective in intrusion detection and prevention, and in the specification of an intrusion route for network security [15]. Many immune system approaches to IDS and IPS have been introduced. There are three major lines of work, and accordingly three different views: conventional algorithms, the negative selection paradigm, and danger theory [16, 17, 18, 19, 20, 21, 24, 25]. The framework of the present model uses danger theory as the basis for the intrusion prevention system, integrated with the adaptive immune system, mainly T-cells and B-cells [10]. Applying self-healing properties to network systems could present a way to alter current fault finding in network systems subjected to various abnormal behaviours. When such abnormal behaviour is detected, the proposed system enters a self-diagnosis mode that aims to categorize the fault and extract as much information as possible with respect to its source, symptoms and impact on the system. Once these are recognized, the system tries to adapt itself by generating candidate fixes, which are tested to find the best state [22]. The self-healing architecture is combined with the proposed IPS to complement it with more autonomous damage repair, system continuity and functionality.
TABLE 1: SIGNALS DEFINITION IN INNATE IMMUNE SYSTEM [23]

Signal       | Definition
-------------|-----------
Safe         | A result of normal cell death, where cells must die for regulatory reasons. The presence of safe signals indicates that no anomalies are present.
Danger       | A consequence of unintended necrotic cell death. The presence of a danger signal may or may not indicate an anomalous situation.
PAMP         | Pathogen-associated molecular proteins (PAMP): proteins expressed exclusively by bacteria. The occurrence of PAMPs usually indicates an anomalous state, which can be detected by DCs.
Inflammation | Produced via the process of injury. Inflammatory signals and inflammatory processes are not enough to stimulate DCs alone; their presence amplifies the above three signals.
3. Autonomous IPS and SH System

In [26,28], the authors proposed that bio-inspired algorithms be built up and analyzed from the perspective of a multidisciplinary conceptual framework that represents biological models. In this work, an analytical computational framework has been built and validated based upon this conceptual framework. These frameworks provide principles for designing and analyzing bio-inspired algorithms applicable to non-biological problems. Figure 1 shows the abstract design and the model components of the IPS and self-healing system. The main agent components of the IPS model are: the sense agent (SEA), the analysis agent (ANA) and the adaptive agent (ADA). The SHA agent is combined with the IPS to add an enhanced mechanism for self-healing purposes. One of the central features of the model is that it needs both expert knowledge and training data. Each agent in the model performs training on multiple types of input data within a specific period. Meanwhile, the model's main requirement is building an expert knowledge base that assigns input signals and rules to the appropriate category. Two knowledge base systems are used, one for misuse attacks and the other for self-healing purposes. In an autonomous multi-agent system, every agent has its own goals, which drive its decisions. The individual goals of each agent must be specified such that the preferred global goals of the whole system are achieved [30]. The three main agents SEA, ANA and ADA form three different functional layers. For each agent we specify and identify its states and transitions according to how the agent behaves with respect to changes in its environment [31, 32]. The environment of each agent consists of a set of states S, and the agent can undertake a set of actions A and a set of percepts P. The abstract architecture is modeled as a discrete-event system using Petri nets.

The structural analysis of the net provides an assessment of the communication and coordination properties of the multi-agent system. Deadlock avoidance in the multi-agent system is considered an initial key property, and it is evaluated through the liveness and boundedness properties using linear algebra. A Petri net base for the IPS and SH system is defined as a five-tuple (P, T, A, W, M0), where:
P is a finite set of places;
T is a finite set of transitions;
$A \subseteq (P \times T) \cup (T \times P)$ is the set of arcs;
$W: A \to \{1, 2, 3, \ldots\}$ is a weight function;
$M_0: P \to \{1, 2, 3, \ldots\}$ is the initial marking.
[Figure 1 shows the model components: Input Data and the Prevent Database feed Layer 1 (Sense Detection Agent, Analysis Agent); Layer 2 is the Adaptive Agent, serving system 1 ... system n; Layer 3 is the Self-healing System.]
Figure 1: IPS and Self-healing Model for Network System
According to these formulas, a Petri net for the four agents was built and represented graphically. In the analysis we used P-invariants and T-invariants obtained from the incidence matrix [33]. The incidence matrix A of a Petri net has |T| rows and |P| columns.

A P-invariant is a vector x that satisfies

$$A x = 0 \qquad (1)$$

A T-invariant is a vector y that satisfies

$$A^{T} y = 0 \qquad (2)$$

A Petri net model is covered by P-invariants if and only if, for each place s in the net, there exists a positive P-invariant x such that x(s) > 0. A Petri net is structurally bounded if it is covered by P-invariants and the initial marking M0 is finite. Further, a Petri net is covered by T-invariants if and only if, for each transition t in the net, there exists a T-invariant y such that y(t) > 0. Under this condition, the Petri net is live and bounded if it is covered by T-invariants. The conditions for the liveness and boundedness properties were proven to obtain the marking reachability graph [36,37,38].

For each agent, the environment undertakes the sets of states S, actions A and percepts P; the agent's behaviour is represented by the action function $action: P \to A$ and the perception function $S \to P$, and the deterministic behaviour of an environment can be represented by the function $env: S \times A \to S$.
3.1. Sense Agent (SEA)
The sense agent (SEA) performs the following. It dynamically learns and trains to build generic knowledge about all of the network system's normal behaviour (self), for example system calls, ports and IP addresses; in the training period, all antigens and signals are defined according to the specific scanning criteria. It senses all input to the network system, compares it with the data set on which SEA has been trained, and then decides whether it is a source of malicious activities; this is inspired by how DCs and tissue sense or capture the danger signal. If abnormal behaviour is detected, SEA prevents the malicious activities, sends a detection message to ANA and starts retraining dynamically.
The roles, functions, and responsibilities of SEA are specified logically as follows:

The set of roles R_SEA of the sense agent SEA is: R_SEA = {sense input data}
The set of functions F_SEA of the sense agent SEA is: F_SEA = {learn normal behaviour, block abnormal behaviour}
The set of responsibilities P_SEA of the sense agent SEA is: P_SEA = {detect malicious activities, send detection message to ANA}

The SEA model states, actions and percepts are specified as follows:
Set of states = {configure, train, detect, complete prevention, continue}, S_SEA = {s1, s2, s3, s4, s5}
Set of actions = {configure completed, scan, block, detection message, permit}, A_SEA = {a1, a2, a3, a4, a5}
Set of percepts = {training, detection, prevention, communication analysis agent, continue connection}, P_SEA = {p1, p2, p3, p4, p5}
For the SEA agent, each jth environment has the state $s_{SEA,j} \in S_{SEA}$. Similarly, let $A_{SEA}$ be the set of actions of SEA, with $a_{SEA,k} \in A_{SEA}$ the kth action of SEA.

These definitions have been used to build the Petri net sub-model of the SEA agent. The incidence matrix for SEA is obtained from the Petri net graph, and both the P-invariant and the T-invariant satisfy the conditions mentioned above. The incidence matrix I_SEA (rows p1..p5, columns a1..a5) and the T_SEA and P_SEA invariant vectors for SEA are:

$$I_{SEA} = \begin{pmatrix} 1 & 0 & 0 & 1 & 0 \\ 1 & 1 & 0 & 0 & 0 \\ 0 & 1 & 1 & 0 & 0 \\ 0 & 0 & 1 & 1 & 0 \\ 1 & 0 & 0 & 0 & 1 \end{pmatrix}, \qquad T_{SEA} = \begin{pmatrix} 0 \\ 0 \\ 1 \\ 0 \\ 1 \end{pmatrix}, \qquad P_{SEA} = \begin{pmatrix} 1 \\ 0 \\ 1 \\ 0 \\ 1 \end{pmatrix}$$
Figure 2 shows the behaviour of the SEA states and transitions, which satisfy the properties of liveness and boundedness and prove the reachability feature of the SEA. The incidence matrix drawn in the figure (rows: transitions a1..a5; columns: places p1..p5; entries 1, 0, -1) is:

      p1  p2  p3  p4  p5
a1    -1   1   0   0  -1
a2     0  -1   1   0   0
a3     0   0  -1   1   0
a4     1   0   0  -1   0
a5     0   0   0   0   1

Figure 2: the SEA Transition a and State p graph
3.2 Analysis Agent (ANA)
The analysis agent ANA performs the following. It receives the detection message from SEA and then analyzes the received information to extract the malicious signature. ANA scans the misuse database to search for a matching signature. If a match is found, the malicious signature is considered a misuse; ANA checks the system behaviour and, if any abnormal activity is detected, sends MisusehealMsg to SHA. Otherwise, ANA considers the malicious signature an anomaly and sends AnomalyMsg to ADA. ANA then waits for RecognitionMsg from ADA, which contains the recognition information of the anomaly, and updates the database records. It checks the system behaviour for any abnormal behaviour caused by the malicious activity, and then sends Anomalyhealmsg to SHA.
The roles, functions, and responsibilities of ANA are specified logically as follows:

The set of roles R_ANA of the analysis agent ANA is: R_ANA = {analyze abnormal behaviour}
The set of functions F_ANA of the analysis agent ANA is: F_ANA = {distinguish misuse attack from anomaly attack, analyze attack behaviour}
The set of responsibilities P_ANA of the analysis agent ANA is: P_ANA = {receive DetectionMsg from SEA, send AnomalyMsg to ADA agent, receive RecognitionMsg from ADA agent, call self-healing system}

The ANA model states, actions and percepts are specified as follows:
Set of states = {configure, monitor, analyze, decide, wait, update}, S_ANA = {s1, s2, s3, s4, s5, s6}
Set of actions = {configure completed, DetectionMsg, scan, MisusehealMsg, send AnomalyMsg, receive RecognitionMsg, AnomalyhealMsg, register}, A_ANA = {a1, a2, a3, a4, a5, a6, a7, a8}
Set of percepts = {monitoring, analyzing, decision, receiving, sending, updating}, P_ANA = {p1, p2, p3, p4, p5, p6}
For the ANA agent, each jth environment has the state $s_{ANA,j} \in S_{ANA}$. Similarly, let $A_{ANA}$ be the set of actions of ANA, with $a_{ANA,k} \in A_{ANA}$ the kth action of ANA.
We use these definitions to build the Petri net sub-model of the ANA agent. The incidence matrix for ANA is obtained from the Petri net graph, and both the P-invariant and the T-invariant satisfy the conditions mentioned above. The incidence matrix I_ANA (rows p1..p6, columns a1..a8) and the T_ANA and P_ANA invariant vectors for ANA are:

$$I_{ANA} = \begin{pmatrix} 1 & 0 & 0 & 1 & 0 & 1 & 1 & 1 \\ 1 & 1 & 0 & 0 & 0 & 0 & 0 & 0 \\ 0 & 1 & 1 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 1 & 1 & 1 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 1 & 1 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 1 & 1 & 1 \end{pmatrix}, \qquad T_{ANA} = \begin{pmatrix} 1 \\ 0 \\ 1 \\ 0 \\ 1 \\ 1 \\ 1 \\ 0 \end{pmatrix}, \qquad P_{ANA} = \begin{pmatrix} 0 \\ 1 \\ 1 \\ 0 \\ 0 \\ 1 \end{pmatrix}$$
Figure 3 shows the behaviour of the ANA states and transitions, which satisfy the properties of liveness and boundedness and prove the reachability feature of the ANA. The incidence matrix drawn in the figure (rows: transitions a1..a8; columns: places p1..p6; entries 1, 0, -1) is:

      p1  p2  p3  p4  p5  p6
a1    -1   1   0   0   0   0
a2     0  -1   1   0   0   0
a3     0   0  -1   1   0   0
a4     1   0   0  -1   0   0
a5     0   0   0  -1   1   0
a6     1   0   0   0  -1   1
a7     1   0   0   0   0  -1
a8     1   0   0   0   0  -1

Figure 3: the ANA Transition a and State p graph
3.3 Adaptive Agent (ADA)
The adaptive agent ADA performs the following. It receives the AnomalyMsg from ANA and triggers the adaptation method for the anomalous behaviour. It recognizes and registers the anomalous behaviour signature. It sends RecognitionMsg to ANA, which identifies the malicious anomaly and contains the information required for database registration. The distributed immune agents have the abilities of self-learning, expert knowledge, memory, autonomous operation and decentralized learning. The roles, functions, responsibilities and interaction of ADA are specified logically as follows:

The set of roles R_ADA of the adaptive agent ADA is: R_ADA = {adaptationToanomaly, recognize anomaly}
The set of functions F_ADA of the adaptive agent ADA is: F_ADA = {adaptationToanomaly (check adaptation to anomaly), recognize anomaly}
The set of responsibilities P_ADA of the adaptive agent ADA is: P_ADA = {anomaly signature, feedback to analysis agent}

The ADA model states, actions and percepts are specified as follows:
Set of states = {configure, monitor, adaptation, recognize}, S_ADA = {s1, s2, s3, s4}
Set of actions = {configure completed, received AnomalyMsg, fix adaptation, send AnomalyhealMs}, A_ADA = {a1, a2, a3, a4}
Set of percepts = {configuration, monitoring, receiving, adaptation, recognition, sending}, P_ADA = {p1, p2, p3, p4, p5}
For the ADA agent, each jth environment has the state $s_{ADA,j} \in S_{ADA}$. Similarly, let $A_{ADA}$ be the set of actions of ADA, with $a_{ADA,k} \in A_{ADA}$ the kth action of ADA.
We use these definitions to build the Petri net sub-model of the ADA agent. The incidence matrix for ADA is obtained from the Petri net graph. Both the P-invariant and the T-invariant satisfy the conditions mentioned above. The incidence matrix I_ADA (rows p1..p4, columns a1..a4) and the T_ADA and P_ADA invariant vectors for ADA are:

$$I_{ADA} = \begin{pmatrix} 1 & 0 & 0 & 1 \\ 1 & 1 & 0 & 0 \\ 0 & 1 & 1 & 0 \\ 0 & 0 & 1 & 1 \end{pmatrix}, \qquad T_{ADA} = \begin{pmatrix} 0 \\ 0 \\ 0 \\ 1 \end{pmatrix}, \qquad P_{ADA} = \begin{pmatrix} 0 \\ 1 \\ 0 \\ 1 \end{pmatrix}$$
Figure 4 shows the behaviour of the ADA states and transitions, which satisfy the properties of liveness and boundedness and prove the reachability feature of the ADA. The incidence matrix drawn in the figure (rows: transitions; columns: places; entries 1, 0, -1) is:

      p1  p2  p3  p4  p5
a1    -1   1   0   0  -1
a2     0  -1   1   0   0
a3     0   0  -1   1   0
a4     1   0   0  -1   0
a5     0   0   0   0   1

Figure 4: the ADA Transition and State p graph
3.4 Self ­ healing Agent (SHA)
The self-healing agent SHA performs the following. It receives MisusehealMsg and Anomalyhealmsg from the ANA agent about harmful malicious activities. It diagnoses the system behaviour, captures the fault identification, and extracts the configuration of the anomalous activities. SHA holds expert knowledge and is trained to adapt to abnormal activities using a mechanism inspired by cell regeneration. It generates fix candidates for each fault and repairs the specific damage caused by harmful activities. Finally, it performs self-testing on the newly regenerated component and deploys it.

The roles, functions, responsibilities and interaction of SHA are specified logically as follows:
The set of roles R_SHA of the self-healing agent SHA is: R_SHA = {self-healing}
The set of functions F_SHA of the self-healing agent SHA is: F_SHA = {diagnosis, fault adaptation, testing}
The set of responsibilities P_SHA of the self-healing agent SHA is: P_SHA = {receive msg, fault identification, candidate fix generation, deployment}

The SHA model states, actions and percepts are specified as follows:
Set of states = {create, train, fault diagnosis, fault adaptation, self test}, S_SHA = {s1, s2, s3, s4, s5}
Set of actions = {configure, received message, fault identification, candidate fix generation, deployment}, A_SHA = {a1, a2, a3, a4, a5}
Set of percepts = {training, receiving, fault adaptation, testing, deployment}, P_SHA = {p1, p2, p3, p4, p5}
For the SHA agent, each jth environment has the state $s_{SHA,j} \in S_{SHA}$. Similarly, let $A_{SHA}$ be the set of actions of SHA, with $a_{SHA,k} \in A_{SHA}$ the kth action of SHA.
These definitions have been used to build the Petri net sub-model of the SHA agent. The incidence matrix for SHA is obtained from the Petri net graph, and both the P-invariant and the T-invariant satisfy the conditions mentioned above. The incidence matrix I_SHA (rows p1..p5, columns a1..a5) and the T_SHA and P_SHA invariant vectors for SHA are:

$$I_{SHA} = \begin{pmatrix} 1 & 0 & 0 & 0 & 1 \\ 1 & 1 & 0 & 0 & 0 \\ 0 & 1 & 1 & 0 & 0 \\ 0 & 0 & 1 & 1 & 0 \\ 0 & 0 & 0 & 1 & 1 \end{pmatrix}, \qquad T_{SHA} = \begin{pmatrix} 0 \\ 1 \\ 1 \\ 0 \\ 0 \end{pmatrix}, \qquad P_{SHA} = \begin{pmatrix} 1 \\ 0 \\ 0 \\ 1 \\ 1 \end{pmatrix}$$
Figure 5 shows the behaviour of the SHA states and transitions, which satisfy the properties of liveness and boundedness and prove the reachability feature of the SHA. The incidence matrix drawn in the figure (rows: transitions a1..a5; columns: places p1..p5; entries 1, 0, -1) is:

      p1  p2  p3  p4  p5
a1    -1   1   0   0   0
a2     0  -1   1   0   0
a3     0   0  -1   1   0
a4     0   0   0  -1   1
a5     1   0   0   0  -1
Figure 5: the SHA Transition and State p graph
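The invariant conditions (1) and (2) and the reachability argument of Section 3, carried out on the SHA net of Figure 5, as an added example that is not part of the original paper. The incidence matrix is transcribed from Figure 5; the reachability search assumes the nets have no self-loops, so a transition's input places are the negative entries of its row.

```python
# Added example (not from the paper): invariant and reachability checks for
# the SHA Petri net of Figure 5. Rows are transitions a1..a5, columns are
# places p1..p5, exactly as printed in the figure.
SHA_INCIDENCE = [
    [-1,  1,  0,  0,  0],   # a1 configure:                p1 -> p2
    [ 0, -1,  1,  0,  0],   # a2 received message:         p2 -> p3
    [ 0,  0, -1,  1,  0],   # a3 fault identification:     p3 -> p4
    [ 0,  0,  0, -1,  1],   # a4 candidate fix generation: p4 -> p5
    [ 1,  0,  0,  0, -1],   # a5 deployment:               p5 -> p1
]
SHA_M0 = [1, 0, 0, 0, 0]    # assumed initial marking: one token in p1


def is_p_invariant(a, x):
    """x is a P-invariant iff A x = 0 (equation (1))."""
    return all(sum(row[j] * x[j] for j in range(len(x))) == 0 for row in a)


def is_t_invariant(a, y):
    """y is a T-invariant iff A^T y = 0 (equation (2))."""
    return all(sum(a[i][j] * y[i] for i in range(len(a))) == 0
               for j in range(len(a[0])))


def covered_by_p_invariants(a, x):
    """Coverage condition from the text: x is a P-invariant with x(s) > 0
    for every place s."""
    return is_p_invariant(a, x) and all(v > 0 for v in x)


def covered_by_t_invariants(a, y):
    """Dual condition: y is a T-invariant with y(t) > 0 for every transition."""
    return is_t_invariant(a, y) and all(v > 0 for v in y)


def reachability_graph(a, m0, limit=1000):
    """Enumerate the markings reachable from m0 by firing enabled transitions.
    Assumption: no self-loops, so a transition's pre-set is the set of
    negative entries of its row. `limit` stops the search if the net turns
    out to be unbounded. Returns (reachable markings, transitions that fired)."""
    start = tuple(m0)
    seen, stack, fired = {start}, [start], set()
    while stack:
        m = stack.pop()
        for t, row in enumerate(a):
            # enabled iff every input place holds at least the arc weight
            if all(m[j] + row[j] >= 0 for j in range(len(m)) if row[j] < 0):
                fired.add(t)
                nxt = tuple(m[j] + row[j] for j in range(len(m)))
                if nxt not in seen:
                    if len(seen) >= limit:
                        raise RuntimeError("marking set exceeds limit; net looks unbounded")
                    seen.add(nxt)
                    stack.append(nxt)
    return seen, fired


def is_k_bounded(markings, k=1):
    """Bounded if no place ever holds more than k tokens in any marking."""
    return all(max(m) <= k for m in markings)


def all_transitions_fire(a, fired):
    """Weak liveness check: every transition is enabled in some reachable
    marking (the paper's full liveness argument uses invariants [36-38])."""
    return len(fired) == len(a)


def analyse_sha():
    """Run the checks the paper states for the SHA sub-model."""
    ones = [1] * 5   # the uniform vector covers every place and transition
    markings, fired = reachability_graph(SHA_INCIDENCE, SHA_M0)
    return {
        "p_covered": covered_by_p_invariants(SHA_INCIDENCE, ones),
        "t_covered": covered_by_t_invariants(SHA_INCIDENCE, ones),
        "reachable_markings": len(markings),
        "bounded": is_k_bounded(markings),
        "all_fire": all_transitions_fire(SHA_INCIDENCE, fired),
    }


if __name__ == "__main__":
    print(analyse_sha())
```

The same functions accept the matrices of Figures 2 to 4 unchanged; the `limit` guard is what reports a net whose marking set keeps growing.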
4. IPS and SH Algorithms

The mechanism of the DC is mapped to and represented by the sense agent, which has the following constituents: as an agent it must be trained to have the ability of multi-signal processing; receptors for each processed input signal are predefined and updated periodically; an antigen set is correlated with the predefined input signals and receptors; and the binding between the receptors and the related set of antigens and input signals is sampled. This agent must perform the following: calculate the rate of the binding process; present the predefined output signal as a danger or safe signal to the T-cells; and prevent the damaging behaviour when the rate exceeds the threshold. The steps of the detection and prevention algorithm are illustrated in Figure 6. Firstly, the vector of categories that the system must monitor must be specified; according to this we define the matrix of signals. For each category, the signal matrix has a relation with
a specific set of receptors. This relation produces a set of antigens related to specific components of signals and receptors, and gives the context of the abnormal behaviour that generates two types of output signal: a safe signal or a danger signal.

The vector of categories is defined as

$$CG_I = [CG_1, \ldots, CG_i], \qquad 0 \le i \le I \quad \text{// N number of categories}$$

The matrix of the input signals:

$$S_L = [S_1, \ldots, S_l], \qquad 1 \le l \le L \quad \text{// L number of signals per category}$$

The vector of receptors:

$$C_H \subseteq CG_I \times S_L, \qquad 1 \le h \le H \quad \text{// H number of receptors per category per period of time t}$$

The vector of antigens produced according to the produced receptors per category:

$$A_N = [a_1, \ldots, a_n]$$

The set of contexts per antigen per period of time t:

$$R \subseteq C \times (S \times A)$$
[Figure 6 shows the algorithm steps as a chain of context components: Category (CG1, ..., CG4) → Input Signal (S1, ..., SL) → Receptors Set (C1, ..., Ch) → Antigens Vector (a1, ..., an) → Output Context (R ⊆ C × (S × a)) → Output Signal (O1, O0) → Thresholds → Abnormal behavior → Prevent.]
Figure 6: Detection and Prevention Algorithm Steps
During a period of time t, the behaviour contexts are accumulated in R, where $R = R' \cup R''$, R' is the set of normal behaviour contexts and R'' is the set of abnormal behaviour contexts. The rate of the accumulated abnormal context is

$$T_{R''} = \frac{R''}{t}, \qquad 0 \le t \le T, \qquad 0 \le T_{R''} \le 1$$

The output signal O is examined against the threshold Thd:

$$O = \begin{cases} 1 & T_{R''} \ge Thd \quad \text{// danger signal or attack detected} \\ 0 & T_{R''} < Thd \quad \text{// safe signal or normal behaviour} \end{cases}$$
The T-cell, which is represented by the analysis agent in this model, functions to analyze the signal in terms of the abnormal behaviour context. When the analysis agent receives the danger signal, it starts searching the knowledge database and compares the abnormal behaviour context R'' against it:

$$R''_x \in [Mu][Bu] \quad \text{// misused abnormal behaviour}$$

$$R''_x \notin [Mu][Bu] \quad \text{// anomaly abnormal behaviour}$$

where [Mu][Bu] is the database set of misuse abnormal behaviours.

$$R''_x \in [Mu][Bu] \Rightarrow O_{misuse} \text{ to SHA} \quad \text{// } O_{misuse} \text{ is the heal-misuse message to the self-healing agent}$$

$$R''_x \notin [Mu][Bu] \Rightarrow O_{anomaly} \text{ to ADA} \quad \text{// } O_{anomaly} \text{ is the adaptation message to the adaptive agent}$$
The adaptive agent receives $O_{anomaly}$, tries to recognize the abnormal behaviour, and calculates the distance between the normal behaviour context R' and the abnormal behaviour context R'', given by $f_{dis}(R'', R')$, the deviation from the normal behaviour:

$$f_{dis}(R'', R') = \sqrt{\sum_{x=1}^{l} (R''_x - R'_x)^2}$$

$$f_{dis} \to S(R'') \quad \text{// the value of } f_{dis} \text{ gives the deviation}$$

where S(R'') is the signature extraction function that distinguishes abnormal from normal behaviours. The adaptive agent maps the mechanism of the B-cell, which produces adaptive antibodies to recognize the pathogens. The adaptive agent sends S(R'') and the $f_{dis}$ characteristics to the analysis agent to update the knowledge base database. The self-healing agent then receives the healing message from the analysis agent, which contains the abnormal behaviour, its characteristics and the damage behaviour.
SYS is the set of system components in the normal behaviour state and J is the total number of components:

$$SYS = \{sys_1, \ldots, sys_J\}$$

After an intrusion has occurred, for $1 \le j \le J$:

$$sys_j \to sys'_j \in SYS' \quad \text{// set of damaged system components}$$

where $sys' = f'(sys)$ and $f'$ is the function that causes the damage.

SHA has a knowledge base containing all candidate system components such that $sys' \to heal_k$, with $heal_k \in Heal_K$, the set of healing functions that heal the damaged system component:

$$heal_k(sys'_j) \to f(sys_j) \quad \text{where} \quad S(R'') - S(R') \to 0$$

If the above result finds the healing component, which is identified as the successful candidate, then the healing component is deployed and tested to keep the system continuity.
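The sense, analysis and adaptation steps of Section 4 carried through on constructed sample contexts, as an added example that is not part of the original paper. It assumes the abnormal rate $T_{R''}$ is the fraction of a period's contexts that fall outside the trained normal set R', that the signature S(R'') is the sorted set of distinct abnormal contexts, and that $f_{dis}$ is taken over per-category context counts; every data value below is constructed.

```python
import math

# Added example (not from the paper). A "context" is a (category, value)
# pair observed by the sense agent within one period t.
CATEGORIES = ("syscall", "port", "ip")      # CG_1..CG_I monitored by SEA

NORMAL_CONTEXTS = {                          # R', constructed training set
    ("syscall", "read"), ("syscall", "write"), ("syscall", "open"),
    ("port", 22), ("port", 443), ("ip", "10.0.0.5"), ("ip", "10.0.0.7"),
}
MISUSE_DB = {                                # [Mu][Bu], constructed signatures
    (("port", 23), ("syscall", "execve")),
}
THD = 0.25                                   # threshold Thd (assumed value)


def signature(r_abn):
    """S(R''): signature extraction, here the sorted distinct abnormal contexts."""
    return tuple(sorted(set(r_abn), key=repr))


def sense(window, normal=NORMAL_CONTEXTS, thd=THD):
    """SEA: split the period's contexts R into R' and R'', compute the rate
    T_R'' = |R''| / |R| (assumption) and emit O = 1 (danger) if it reaches
    Thd, else O = 0 (safe). Returns (O, rate, R'')."""
    r_abn = [c for c in window if c not in normal]
    rate = len(r_abn) / len(window) if window else 0.0
    return (1 if rate >= thd else 0), rate, r_abn


def category_vector(contexts):
    """Count contexts per category, giving the numeric vector used by f_dis."""
    return [sum(1 for cat, _ in contexts if cat == c) for c in CATEGORIES]


def f_dis(r_abn, r_norm):
    """ADA: Euclidean deviation sqrt(sum_x (R''_x - R'_x)^2) of R'' from R'."""
    return math.sqrt(sum((a - b) ** 2
                         for a, b in zip(category_vector(r_abn),
                                         category_vector(r_norm))))


def analyse(window, misuse_db, normal=NORMAL_CONTEXTS, thd=THD):
    """ANA: on a danger signal, match S(R'') against [Mu][Bu]. A hit is a
    misuse and goes to SHA; a miss is an anomaly sent to ADA, whose
    RecognitionMsg is registered in the database by ANA. Returns the message
    name sent and the signature it carries."""
    o, _rate, r_abn = sense(window, normal, thd)
    if o == 0:
        return "permit", None                 # safe signal, connection continues
    sig = signature(r_abn)
    if sig in misuse_db:
        return "MisusehealMsg", sig           # O_misuse -> self-healing agent
    # O_anomaly -> adaptive agent: recognise, then feed back to ANA
    recognition = {"signature": sig, "f_dis": f_dis(r_abn, normal)}
    misuse_db.add(recognition["signature"])   # ANA updates the knowledge base
    return "AnomalyMsg", sig                  # followed by AnomalyhealMsg to SHA


if __name__ == "__main__":
    period = [("syscall", "read")] * 3 + [("ip", "192.0.2.9")]   # constructed
    print(analyse(period, MISUSE_DB))   # first sighting: AnomalyMsg
    print(analyse(period, MISUSE_DB))   # now registered: MisusehealMsg
```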
5. Discussion

This model maps the efficient features of the HIS. The IPS combined with the SH system is robust in securing the network system with high efficiency. The model is expected to give lower rates of false positive and false negative detection errors. Moreover, the self-sufficient nature of the model, through the agents' paradigm, shows more efficiency in reducing the period of detection and the corresponding response time for prevention and healing. The interest of this work is in improving the elements of the system that perform the monitoring, diagnosis and healing of the damage caused by abnormal activities, to maintain system continuity. Meanwhile, the model may show a limitation in
scalability. This is because of the sensitivity of defining the categories of authorized normal behaviour and of specifying the healing knowledge base in a very large network. Recently, new research and algorithms in AIS have focused on building systems with more biological resemblance, inspired by both the innate and adaptive immune systems. Table 2 compares the proposed model with three algorithms for intrusion detection and prevention that are based on the danger model as the second generation of artificial immune systems.
TABLE 2: COMPARISON BETWEEN THE PROPOSED MODEL AND OTHER DANGER MODELS FOR INTRUSION DETECTION AND PREVENTION SYSTEMS

Comparison criteria (columns): AIS | Adaptive immune system | Innate immune system | Knowledge base | Training base | Prevention mechanism | Self-healing mechanism | Standard antigen database | Standard signal database | Processing signal

Models compared (rows): DCA Algorithm [14]; TLR Algorithm [35]; Adaptive IPS approach [11]; IPS and SH Model
6. Conclusion and Future Work

In this paper we have described a novel model for a biologically inspired intrusion prevention and self-healing system. The model is inspired by danger theory (dendritic cells, tissue), the adaptive immune system (T-cells, B-cells) and human cell regeneration, and follows the agent paradigm. The approach maps some pertinent features of the immune system to the IPS: a dynamic, self-monitoring, self-adapting, autonomous and distributed security system. The agents' functional and structural specifications are detailed and grouped into sets of roles, functions and responsibilities. The functional algorithms for each agent, built upon the specification model, are constructed. Network systems are secured highly autonomously by using the bio-inspired prevention mechanisms. Moreover, the self-healing features ensure the survivability of these systems. For future work, we intend to simulate, prototype and implement the model; model reliability testing will be carried out as well.

References

[1] Andreas F. (2005). "Intrusion Detection Systems and Intrusion Prevention Systems". Information Security Technical Report, 10, 134-139, Elsevier Ltd.
[2] Karen S., P. Mell (February 2007). "Guide to Intrusion Detection and Prevention Systems (IDPS)". National Institute of Standards and Technology Special Publication 800-94, 127 pages.
[3] NIST (Nov. 2001). "Intrusion detection systems". NIST Computer Science Special Reports SP 800-31.
[4] Hofmeyr S.A., S. Forrest (1999). "Immunity by design: an artificial immune system". Proceedings of the Genetic and Evolutionary Computation Conference, pp. 1289-1296.
Muna Elsadig, Azween Abdullah
Computer Science Letters
Vol. 1(1) 2009
[5] Hofmeyr, S. A. (1997). "An Overview of the Immune System". http://www.cs.unm.edu/immsec/html-imm/immune-system.html
[6] Twycross, J., and U. Aickelin (2007). "Biological Inspiration for Artificial Immune Systems". School of Computer Science, University of Nottingham, UK.
[7] Janeway, C. A., P. Travers, M. Walport, and M. Shlomchik (2005). "Immunobiology: The Immune System in Health and Disease", 6th Edition. Garland Publishing. Available online at http://www.ncbi.nlm.nih.gov/books/
[8] Timmis, J. (September 2001). "Artificial immune systems: A novel data analysis technique inspired by the immune network theory". PhD thesis, University of Wales.
[9] Boukerche, A., R. B. Machado, K. R. L. Juca, J. B. M. Sobral, and M. S. M. A. Notare (March 2007). "An agent based and biological inspired real-time intrusion detection and security model for computer network operations". Elsevier B.V., pp. 2649-2660.
[10] Forrest, S., S. A. Hofmeyr, and A. Somayaji (1997). "Computer Immunology". Communications of the ACM, 40(10), pp. 88-96.
[11] Krizhanovsky, A., and A. Marchenko (2008). "An Approach for Adaptive Intrusion Prevention Based on The Danger Theory". IEEE Xplore.
[12] Alberts, B., A. Johnson, J. Lewis, M. Raff, K. Roberts, and P. Walter (2002). "Molecular Biology of the Cell", Fourth Edition. Garland Science, New York and London. ISBN 0-8153-3218-1. http://www.ncbi.nlm.nih.gov/books/bv.fcgi?call=bv.View..ShowTOC&rid=mboc4.TOC&depth=2
[13] Janeway, C. A., P. Travers, M. Walport, and M. Shlomchik (2001). "Immunobiology", Fifth Edition. Garland Science, New York and London. ISBN 0-8153-4101-6. http://www.ncbi.nlm.nih.gov/books/bv.fcgi?call=bv.View..ShowTOC&rid=imm.TOC&depth=10
[14] Greensmith, J., U. Aickelin, and S. Cayzer (2005). "Introducing dendritic cells as a novel immune-inspired algorithm for anomaly detection". ICARIS 2005, LNCS vol. 3627, pp. 153-167.
[15] Nishiyama, H., and F. Mizoguchi (2003). "Design and Implementation of Security System Based on Immune System". ISSS 2002, LNCS 2609, pp. 234-248, Springer-Verlag Berlin Heidelberg.
[16] Kephart, J. O., G. B. Sorkin, W. C. Arnold, D. M. Chess, G. J. Tesauro, and S. R. White (1997). "Biologically Inspired Defenses against Computer Viruses". In Machine Learning and Data Mining: Methods and Applications, pp. 313-334, John Wiley & Sons.
[17] Pradeu, T., and E. D. Carosella (2006). "The Self Model and the Conception of Biological Identity in Immunology". Biology and Philosophy, 21(2), pp. 235-252.
[18] Forrest, S., A. S. Perelson, L. Allen, and R. Cherukuri (1994). "Self-nonself discrimination in a computer". Proceedings of the 1994 IEEE Symposium on Security and Privacy, p. 202, IEEE Computer Society.
[19] Kim, J., P. J. Bentley, U. Aickelin, J. Greensmith, G. Tedesco, and J. Twycross (2008). "Immune System Approaches to Intrusion Detection - A Review". Natural Computing, Springer.
[20] Kim, J., and P. J. Bentley (July 2001). "Evaluating negative selection in an artificial immune system for network intrusion detection". Proceedings of GECCO 2001, pp. 1330-1337.
[21] Aickelin, U., and S. Cayzer (2002). "The Danger Theory and Its Application to Artificial Immune Systems". Proceedings of the 1st International Conference on Artificial Immune Systems (ICARIS-2002), pp. 141-148.
[22] Keromytis, A. D. (2008). "Characterizing Self-Healing Software Systems".
[23] Greensmith, J., J. Feyereisl, and U. Aickelin (2008). "The DCA: SOMe comparison. A comparative study between two biologically inspired algorithms". School of Computer Science, University of Nottingham, UK.
[24] Greensmith, J., and U. Aickelin (2007). "Dendritic Cells for SYN Scan Detection". Proceedings of GECCO 2007, London, England, United Kingdom. ACM 978-1-59593-697-4/07/0007.
[25] Swimmer, M. (2006). "Using the danger model of immune systems for distributed defense in modern data networks". Elsevier.
[26] Stepney, S., R. Smith, J. Timmis, and A. Tyrrell (2004). "Towards a Conceptual Framework for Artificial Immune Systems". Proceedings of the 3rd International Conference on Artificial Immune Systems (ICARIS 2004), LNCS 3239, pp. 53-64, Catania, Italy.
[27] de Castro, L. N., and J. Timmis (2002). "Artificial Immune Systems: A New Computational Intelligence Approach". Springer.
[28] Stepney, S., R. Smith, J. Timmis, A. Tyrrell, M. Neal, and A. Hone (2005). "Conceptual Frameworks for Artificial Immune Systems". International Journal of Unconventional Computing, 1(3), pp. 315-338.
[29] Seleznyov, A. (Sept. 21, 2002). "An Anomaly Intrusion Detection System Based on Intelligent User Recognition". Dissertation, Faculty of Information Technology, University of Jyväskylä, Finland (Agora building, Ag Aud. 2).
[30] Kim, J., and P. J. Bentley (Sept. 1999). "The human immune system and network intrusion detection". Proceedings of the European Congress on Intelligent Techniques and Soft Computing (EUFIT '99), Aachen, Germany.
[31] Kendall, E. A. (June 2001). "Agent Software Engineering with Role Modeling". In P. Ciancarini and M. Wooldridge (eds.), Agent-Oriented Software Engineering: First International Workshop, AOSE 2000, LNCS 1957, pp. 163-170, Limerick, Ireland, Springer-Verlag.
[32] Kephart, J. O., and D. M. Chess (Jan. 2003). "The Vision of Autonomic Computing". IEEE Computer, 36(1), pp. 41-50.
[33] Celaya, J. R., A. A. Desrochers, and R. J. Graves (2007). "Modeling and Analysis of Multi-agent Systems using Petri nets". IEEE, 1-4244-0991-8/07, ©2007 IEEE.
[34] Aickelin, U., and J. Greensmith (2007). "Sensing danger: Innate immunology for intrusion detection". Information Security Technical Report, 12, pp. 218-227, Elsevier Ltd.
[35] Twycross, J. (2007). "Integrated Innate and Adaptive Artificial Immune Systems applied to Process Anomaly Detection". PhD thesis, School of Computer Science, University of Nottingham, UK.
[36] Elsadig, M., and A. Abdullah (2008). "Bio Inspired Intrusion Prevention and Self-healing Architecture for Network Security". Innovations in Information Technology Conference (Innovations'08), Dubai.
[37] Elsadig, M., and A. Abdullah (2009). "Biological Hybrid Intrusion Prevention and Self-healing Model for Network Security". International Conference on Future Computer and Communication (ICFCC 2009), Kuala Lumpur.
[38] Elsadig, M., and A. Abdullah (2009). "Hybrid Biological Intrusion Prevention and Self-healing for Network Security". National Postgraduate Conference (NPC09), Universiti Teknologi PETRONAS.
APPENDIX 1 TERMINOLOGY AND ABBREVIATIONS
Term | Description
SEA | Sense Agent
ANA | Analysis Agent
ADA | Adaptive Agent
SHA | Self-Healing Agent
Normal behaviour | Authorized and normal system activities
Abnormal behaviour | Unauthorized and abnormal system activities caused by attacks or malware
Malicious activity | Attacks and malware
DetectionMsg | Message from SEA to ANA containing all information about the behaviour or malicious activity detected
MisusehealMsg | Message from ANA to SHA containing all information about the misuse (abnormal) activities and the system behaviour
AnomalyMsg | Message from ANA to ADA containing the available information needed to recognize the malicious anomaly
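The message flow named in Appendix 1 (SEA -> ANA, then ANA -> SHA for known misuse or ANA -> ADA for an unrecognised anomaly) can be exercised end to end with a small simulation. The following Python is an added example written for this page, not code from the paper or its authors. The decision rule in the ANA (a signature match against the knowledge base means misuse; behaviour covered by the training base is normal; anything else is an anomaly), the ADA's learning step (promote a confirmed anomaly into a new signature), the message field layouts and all sample events and signatures are assumptions of this example, not details the paper specifies.

```python
"""Added example: routing of DetectionMsg / MisusehealMsg / AnomalyMsg between
the SEA, ANA, SHA and ADA agents of Appendix 1.  Decision rules, message
fields, knowledge base, training base and the event stream are all constructed
for this example; they are assumptions, not the paper's specification."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple, Union


@dataclass(frozen=True)
class DetectionMsg:          # SEA -> ANA: what the sensor observed
    host: str
    proc: str
    syscalls: Tuple[str, ...]
    dst_port: int


@dataclass(frozen=True)
class MisusehealMsg:         # ANA -> SHA: known misuse plus the repair to apply
    event: DetectionMsg
    signature: str
    heal_action: str


@dataclass(frozen=True)
class AnomalyMsg:            # ANA -> ADA: abnormal behaviour with no known signature
    event: DetectionMsg
    reason: str


Verdict = Union[MisusehealMsg, AnomalyMsg, None]

# Constructed knowledge base of misuse signatures: name -> (process, required syscalls, heal action)
KNOWLEDGE_BASE: Dict[str, Tuple[str, FrozenSet[str], str]] = {
    "httpd-reverse-shell": ("httpd", frozenset({"execve", "dup2", "connect"}),
                            "kill httpd child and restore config"),
}

# Constructed training base of normal behaviour: process -> syscalls seen during training
TRAINING_BASE: Dict[str, FrozenSet[str]] = {
    "httpd": frozenset({"accept", "read", "write", "close"}),
    "sshd": frozenset({"accept", "read", "write", "setuid", "execve"}),
}


class SenseAgent:
    """SEA: turns a raw observation (a constructed dict here) into a DetectionMsg."""
    def sense(self, raw: dict) -> DetectionMsg:
        return DetectionMsg(raw["host"], raw["proc"], tuple(raw["syscalls"]), int(raw["dst_port"]))


class AnalysisAgent:
    """ANA: misuse check against the knowledge base first, then a normal-behaviour check."""
    def __init__(self, kb: Dict[str, Tuple[str, FrozenSet[str], str]], tb: Dict[str, FrozenSet[str]]):
        self.kb = dict(kb)   # private copy so learning never mutates the module-level table
        self.tb = tb

    def analyse(self, msg: DetectionMsg) -> Verdict:
        observed = frozenset(msg.syscalls)
        for name, (proc, pattern, heal) in self.kb.items():
            if msg.proc == proc and pattern <= observed:
                return MisusehealMsg(msg, name, heal)          # known misuse -> SHA
        allowed = self.tb.get(msg.proc)
        if allowed is not None and observed <= allowed:
            return None                                        # normal behaviour, no message
        unknown = sorted(observed - (allowed or frozenset()))
        return AnomalyMsg(msg, f"{msg.proc}: unexpected syscalls {unknown}")  # -> ADA


class SelfHealingAgent:
    """SHA: applies the heal action carried in a MisusehealMsg and records it."""
    def __init__(self) -> None:
        self.actions: List[str] = []

    def heal(self, msg: MisusehealMsg) -> str:
        action = f"{msg.event.host}:{msg.event.proc} <- {msg.heal_action}"
        self.actions.append(action)
        return action


class AdaptiveAgent:
    """ADA: once an anomaly is confirmed malicious, adds a signature so the next hit is misuse."""
    def __init__(self, kb: Dict[str, Tuple[str, FrozenSet[str], str]]):
        self.kb = kb   # shared with the ANA, so learning takes effect immediately

    def learn(self, msg: AnomalyMsg, confirmed_malicious: bool) -> Optional[str]:
        if not confirmed_malicious:
            return None
        name = f"learned-{msg.event.proc}-{len(self.kb)}"
        self.kb[name] = (msg.event.proc, frozenset(msg.event.syscalls),
                         "isolate process and restore from snapshot")
        return name


def run(raw_events, confirm=lambda anomaly: False):
    """Route each observation SEA -> ANA -> (SHA | ADA | nothing); returns the routing decisions."""
    sea, ana = SenseAgent(), AnalysisAgent(KNOWLEDGE_BASE, TRAINING_BASE)
    sha, ada = SelfHealingAgent(), AdaptiveAgent(ana.kb)
    route = []
    for raw in raw_events:
        verdict = ana.analyse(sea.sense(raw))
        if isinstance(verdict, MisusehealMsg):
            sha.heal(verdict)
            route.append(("SHA", verdict.signature))
        elif isinstance(verdict, AnomalyMsg):
            route.append(("ADA", ada.learn(verdict, confirm(verdict))))
        else:
            route.append(("normal", None))
    return route


# Constructed sample stream: a normal request, a signature hit, then the same unknown
# sshd behaviour twice so the second occurrence is caught as misuse after the ADA learns it.
SAMPLE_EVENTS = [
    {"host": "web1", "proc": "httpd", "syscalls": ["accept", "read", "write", "close"], "dst_port": 80},
    {"host": "web1", "proc": "httpd", "syscalls": ["accept", "read", "execve", "dup2", "connect"], "dst_port": 4444},
    {"host": "web1", "proc": "sshd", "syscalls": ["accept", "read", "ptrace", "write"], "dst_port": 22},
    {"host": "web1", "proc": "sshd", "syscalls": ["accept", "read", "ptrace", "write"], "dst_port": 22},
]

if __name__ == "__main__":
    for step in run(SAMPLE_EVENTS, confirm=lambda a: "ptrace" in a.event.syscalls):
        print(step)
```

The `confirm` callback stands in for whatever the ADA uses to decide that an anomaly is malicious; with the default (never confirm) the unknown sshd behaviour is reported to the ADA both times and nothing is learned, which shows why the adaptive step matters for the prevention mechanism: without it the same abnormal behaviour is never promoted to a signature the SHA can act on.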