Danger Theory: The Link between AIS and IDS?

  • U. Aickelin
  • P. Bentley
  • S. Cayzer
  • J. Kim
  • J. McLeod
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2787)


We present ideas about creating a next generation Intrusion Detection System (IDS) based on the latest immunological theories. The central challenge with computer security is determining the difference between normal and potentially harmful activity. For half a century, developers have protected their systems by coding rules that identify and block specific events. However, the nature of current and future threats in conjunction with ever larger IT systems urgently requires the development of automated and adaptive defensive tools. A promising solution is emerging in the form of Artificial Immune Systems (AIS): The Human Immune System (HIS) can detect and defend against harmful and previously unseen invaders, so can we not build a similar Intrusion Detection System (IDS) for our computers? Presumably, those systems would then have the same beneficial properties as HIS like error tolerance, adaptation and self-monitoring. Current AIS have been successful on test systems, but the algorithms rely on self-nonself discrimination, as stipulated in classical immunology. However, immunologist are increasingly finding fault with traditional self-nonself thinking and a new ‘Danger Theory’ (DT) is emerging. This new theory suggests that the immune system reacts to threats based on the correlation of various (danger) signals and it provides a method of ‘grounding’ the immune response, i.e. linking it directly to the attacker. Little is currently understood of the precise nature and correlation of these signals and the theory is a topic of hot debate. It is the aim of this research to investigate this correlation and to translate the DT into the realms of computer security, thereby creating AIS that are no longer limited by self-nonself discrimination. It should be noted that we do not intend to defend this controversial theory per se, although as a deliverable this project will add to the body of knowledge in this area. Rather we are interested in its merits for scaling up AIS applications by overcoming self-nonself discrimination problems.


Intrusion Detection Danger Signal Intrusion Detection System Artificial Immune System Computer Security 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Aickelin, U., Cayzer, S.: The Danger Theory and Its Application to AIS. In: 1st International Conference on AIS, pp. 141–148 (2002)Google Scholar
  2. 2.
    Barcia, R., Pallister, C., Sansom, D., McLeod, J.: Apoptotic response to membrane and soluble CD95-ligand by human peripheral T cells. Immunology 101 S1 77 (2000)Google Scholar
  3. 3.
    Boulougouris, G., McLeod, J., et al.: IL-2 independent T cell activation and proliferation induced by CD28. Journal of Immunology 163, 1809–1816 (1999)Google Scholar
  4. 4.
    Cayzer, S., Aickelin, U.: A Recommender System based on the Immune Network. In: Proceedings CEC, pp. 807–813 (2002)Google Scholar
  5. 5.
    Cayzer, S., Aickelin, U.: Idiotypic Interactions for Recommendation Communities in AIS. In: 1st International Conference on AIS, pp. 154–160 (2002)Google Scholar
  6. 6.
    Cuppens, F.: Managing Alerts in a Multi Intrusion Detection Environment. In: The 17th Annual Computer Security Applications Conference (2001)Google Scholar
  7. 7.
    Cuppens, F., et al.: Correlation in an Intrusion Process. In: Internet Security Communication Workshop, SECI 2002 (2002)Google Scholar
  8. 8.
    Dain, O., Cunningham, R.: Fusing a Heterogeneous Alert Stream into Scenarios. In: Proceeding of the 2001 ACM Workshop on Data Mining for Security Applications, pp. 1–13 (2001)Google Scholar
  9. 9.
    Dasgupta, D., Gonzalez, F.: An Immunity-Based Technique to Characterize Intrusions in Computer Networks. IEEE Trans. Evol. Comput. 6(3), 1081–1088 (2002)Google Scholar
  10. 10.
    Debar, H., Wespi, A.: Aggregation and Correlation of Intrusion-Detection Alerts. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, pp. 85–103. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  11. 11.
    Dennett, N., Barcia, R., McLeod, J.: Biomarkers of apoptotic susceptibility associated with in vitro ageing. Experimental Gerontology 37, 271–283 (2002)CrossRefGoogle Scholar
  12. 12.
    Esponda, F., Forrest, S., Helman, P.: Positive and Negative Detection. IEEE Transactions on Systems, Man and Cybernetics (2002)Google Scholar
  13. 13.
    Esponda, F., Forrest, S., Helman, P.: Positive and Negative Detection. IEEE Transactions on Systems, Man and Cybernetics (2002) (Submitted)Google Scholar
  14. 14.
    Fadok, V.A., et al.: Macrophages that have ingested apoptotic cells in vitro inhibit proinflammatory cytokine production through autocrine/paracrine mechanisms involving TGFb, PGE2, and PAF. Journal of Clinical Investigation 101(4), 890–898 (1998)CrossRefGoogle Scholar
  15. 15.
    Gallucci, S., et al.: Natural Adjuvants: Endogenous activators of dendritic cells. Nature Medicine 5(11), 1249–1255 (1999)CrossRefGoogle Scholar
  16. 16.
    Gallucci, S., Matzinger, P.: Danger signals: SOS to the immune system. Current Opinions in Immunology 13, 114–119 (2001)CrossRefGoogle Scholar
  17. 17.
    Hirata, H., et al.: Caspases are activated in a branched protease cascade and control distinct downstream processes in Fas-induced apoptosis. J. Experimental Medicine 187(4), 587–600 (1998)CrossRefMathSciNetGoogle Scholar
  18. 18.
    Hoagland, J., Staniford, S.: Viewing IDS alerts: Lessons from SnortSnarf (2002),
  19. 19.
    Hofmeyr, S., Forrest, S.: Architecture for an AIS. Evolutionary Computation 7(1), 1289–1296 (2000)Google Scholar
  20. 20.
    Holler, N., et al.: Fas triggers an alternative, caspase-8-independent cell death pathway using the kinase RIP as effector molecule. Nature Immunology 1(6), 489–495 (2000)CrossRefGoogle Scholar
  21. 21.
    Holzman, D.: New danger theory of immunology challenges old assumptions. Journal Natl. Cancer Inst. 87(19), 1436–1438 (1995)CrossRefGoogle Scholar
  22. 22.
    Inaba, K., et al.: The tissue distribution of the B7-2 costimulator in mice. J. Experimental Medicine 180, 1849–1860 (1994)CrossRefGoogle Scholar
  23. 23.
    Kerr, J.F., et al.: Apoptosis: Its significance in cancer and cancer therapy. British Journal of Cancer 26(4), 239–257 (1972)CrossRefGoogle Scholar
  24. 24.
    Kim, J.: Integrating Artificial Immune Algorithms for Intrusion Detection, PhD Thesis, University College London (2002)Google Scholar
  25. 25.
    Kim, J., Bentley, P.: The Artificial Immune Model for Network Intrusion Detection. In: 7th European Congress on Intelligent Techniques and Soft Computing, EUFIT 1999 (1999)Google Scholar
  26. 26.
    Kim, J., Bentley, P.: Evaluating Negative Selection in an AIS for Network Intrusion Detection. In: Genetic and Evolutionary Computation Conference, pp. 1330–1337 (2001)Google Scholar
  27. 27.
    Kim, J., Bentley, P.: Towards an AIS for Network Intrusion Detection: An Investigation of Dynamic Clonal Selection. The Congress on Evolutionary Computation, 1015–1020 (2002)Google Scholar
  28. 28.
    Kuby, J.: Immunology. In: Richard, A., et al. (eds.), 5th edn. (2002)Google Scholar
  29. 29.
    Matzinger, P.: Tolerance Danger and the Extended Family. Annual reviews of Immunology 12, 991–1045 (1994)CrossRefGoogle Scholar
  30. 30.
    Matzinger, P.: The Danger Model: A Renewed Sense of Self. Science 296, 301–305 (2002)CrossRefGoogle Scholar
  31. 31.
    McLeod, J.: Apoptotic capability of ageing T cells. Mechanisms of Ageing and Development 121, 151–159 (2000)CrossRefGoogle Scholar
  32. 32.
    Morrison, T., Aickelin, U.: An AIS as a Recommender System for Web Sites. In: 1st International Conference on AIS, pp. 161–169 (2002)Google Scholar
  33. 33.
    Ning, P., Cui, Y.: An Intrusion Alert Correlator Based on Prerequisites of Intrusions, TR-2002-01, North Carolina State University (2002)Google Scholar
  34. 34.
    Ning, P., Cui, Y., Reeves, S.: Constructing Attack Scenarios through Correlation of Intrusion Alerts. In: 9th Conference on Computer & Communications Security, pp. 245–254 (2002)Google Scholar
  35. 35.
    Sauter, M., et al.: Consequences of cell death: exposure to necrotic tumor cells. Journal of Experimental Medicine 191(3), 423–433 (2001)CrossRefMathSciNetGoogle Scholar
  36. 36.
    Stainford, E., Hogland, J., McAlerney, J.: Practical Automated Detection of Stealthy Portscans. Journal of Computer Security 10(1/2) (2002)Google Scholar
  37. 37.
    Todryk, S., Melcher, S., Dalgleish, A., et al.: Heat shock proteins refine the danger theory. Immunology 99(3), 334–337 (2000)CrossRefGoogle Scholar
  38. 38.
    Valdes, A., Skinner, K.: Probabilistic Alert Correlation. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, pp. 54–68. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  39. 39.
    Vance, R.: Cutting Edge Commentary: A Copernican Revolution? Doubts about the danger theory. j. immunology 165(4), 1725–1728 (2000)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • U. Aickelin
    • 1
  • P. Bentley
    • 2
  • S. Cayzer
    • 3
  • J. Kim
    • 4
  • J. McLeod
    • 5
  1. 1.University of Bradford 
  2. 2.University College London 
  3. 3.HP Labs Bristol 
  4. 4.King’s College London 
  5. 5.University of the West of England 

Personalised recommendations