Combining Immune Systems and Social Insect Metaphors: A Paradigm for Distributed Intrusion Detection and Response System
Given the ongoing evolution and broadening of network environments, one should reconsider computer security from a new point of view. Indeed, the increasing transparency of network connections is a wide open door to new kinds of distributed attacks exploiting, among others, the inherent flaws of TCP/IP.
In this paper, we advocate that future Intrusion Detection and Response Systems (IDRS) should exhibit characteristics adapted to such environments. Thus, we propose an architecture of distributed IDRS inspired by natural systems. On the one side, the detection process mimics the functioning of natural immune systems: it monitors crucial computer processes and computes a deviation value allowing to discriminate between “normal" and “abnormaly" behavior. A strong deviation is regarded as the sign of a possible attack. A population of mobile agents, the Intrusion Detection Agents (IDAs), which are sensitive to this deviation, are responsible for the detection of the corresponding suspicious activity. On the other side, the alert raising and response processes are based on communication mechanisms present in social insect colonies: an artificial communication medium called “artificial pheromone" is used to build alert gradients (mapped over the network and originating from threatened machines). A population of mobile agents, the Intrusion Response Agents (IRAs), sensitive to these pheromones, react to these alert gradients by implementing a distributed response process. We present the overview and principles of our architecture, as well as a detailed description of its intrinsic components. We describe some of our simulation work dealing with parameter analysis which was previously achieved. In the present paper, we discuss in greater details some new results.
KeywordsIntrusion Detection Mobile Agent Social Insect Coloni Suspicious Activity Natural Immune System
Unable to display preview. Download preview PDF.
- 1.Crosbie, M., Spafford, E.H.: Defending a computer system using autonomous agents, pp. 549-558 (1995)Google Scholar
- 2.Grasse, P.P.: La reconstruction du nid et les interactions inter-individuelles chez les bellicoitermes natalenis et cubitermes, la thorie de la stigmergie - essai d’interprtation des termites constructeurs. Insectes Sociaux (6), 41-81 (1959) Google Scholar
- 3.Bonabeau, E., Dorigo, M., Theraulaz, G.: Swarm intelligence: Prom natural to artificial systems. Oxford University Press, New York (1999)Google Scholar
- 4.Parunak, H.V.D., Brueckner, S.: Entropy and self-organization in multi-agent systems. In: Proceedings of 5th International Conference on Autonoumous Agents,Montreal, Canada (May 2001)Google Scholar
- 5.Valckenaers, P., Kollingbaum, M., Zamfirescu, C., Van Brussel, H., Bochmann, O.: The design of multi-agent coordinationand control systems using stigmergy. In: Proceedings of 3rd International Workshop on Emergent Synthesis (IWES 2001), Bled, Slovenia (March 2001)Google Scholar
- 6.Hofmeyr, S., Forrest, S.: Architecture for an artificial immune system. Evolutionary Computation 7(1), 1289–1296 (2000)Google Scholar
- 7.Landecy, D.: Simulation d’un modle de dtection et de rponse une intrusion inspir des systmes naturels. Master’s thesis, Centre Universitaire d’Informatique (2002)Google Scholar
- 9.Forrest, S., Hofmeyr, S., Somayaji, A., Longstaff, T.: A sense of self for unix processes (1996)Google Scholar
- 10.Foukia, N., Billard, D., Juergen Harms, P.: Computer system immunity using mobile agents. In: HPOVUA Workshop, Berlin (June 2001)Google Scholar
- 11.Foukia, N., Hassas, S., Fenet, S., Hulaas, J.: An intrusion response scheme: Tracking the alert source using stigmergy paradigm (July 2002)Google Scholar