Danger Theory and Intrusion Detection: Possibilities and Limitations of the Analogy

  • Mark Vella
  • Marc Roper
  • Sotirios Terzis
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6209)


Metaphors derived from Danger Theory, a hypothesized model of how the human immune system works, have been applied to the intrusion detection domain. The major contribution in this area, is the dendritic cell algorithm (DCA). This paper presents an in-depth analysis of results obtained from two previous experiments, regarding the suitability of the danger theory analogy in constructing intrusion detection systems for web applications. These detectors would be capable of detecting novel attacks while improving on the limitations of anomaly-based intrusion detectors. In particular, this analysis investigates which aspects of this analogy are suitable for this purpose, and which aspects of the analogy are counterproductive if utilized in the way originally suggested by danger theory. Several suggestions are given for those aspects of danger theory that are identified to require modification, indicating the possibility of further pursuing this approach. These modifications could be realized in terms of developing a robust signal selection schema and a suitable correlation algorithm. This would allow for an intrusion detection approach that has the potential to overcome those limitations presently associated with existing techniques.


Intrusion Detection Danger Signal Anomaly Detection Intrusion Detection System Safe Signal 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Aickelin, U., Bentley, P., Cayzer, P., Kim, J., McLeod, J.: Danger theory: The link between AIS and IDS? In: Timmis, J., Bentley, P.J., Hart, E. (eds.) ICARIS 2003. LNCS, vol. 2787, pp. 147–155. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  2. 2.
    Aickelin, U., Cayzer, P.: The danger theory and its application to artificial immune systems. In: Proceedings of ICARIS 2002. LNCS, Springer, Heidelberg (2002)Google Scholar
  3. 3.
    Axelsson, S.: The base-rate fallacy and the difficulty of intrusion detection. ACM Transactions on Information and System Security (2000)Google Scholar
  4. 4.
    Ayara, M., Timmis, J., de Lemos, R., Duncan, R.: Negative selection: How to generate detectors. In: Proceedings of 1st ICARIS (2002)Google Scholar
  5. 5.
    Baker, A.R., Esler, J.: Snort IDS and IPS Toolkit. Syngress (2007)Google Scholar
  6. 6.
    Cheswick, W., Bellovin, S., Rubin, A.: Firewalls and Internet Security: Repelling the Wiley Hacker, 2nd edn. Addison-Wesley, Reading (2003)Google Scholar
  7. 7.
    Clarke, J., Dhanjani, N.: Network Security Tools. O’Reilly, Sebastopol (2005)Google Scholar
  8. 8.
    D’haeseleer, P., Forrest, S., Helman, P.: An immunological approach to change detection: Algorithms, analysis, and implications. In: Proceedings of the 1996 IEEE Symposium on Security and Privacy (1996)Google Scholar
  9. 9.
    Erickson, J.: Hacking: The Art of Exploitation, 2nd edn. No Starch (2008)Google Scholar
  10. 10.
    Forrest, S., Perelson, A., Allen, L., Cherukuri, R.: Self-nonself discrimination. In: Proceedings of the 1994 IEEE Symposium on Security and Privacy (1994)Google Scholar
  11. 11.
    Greensmith, J., Aickelin, U.: The Dendritic Cell Algorithm. PhD thesis, University of Nottingham (2007)Google Scholar
  12. 12.
    Greensmith, J., Aickelin, U.: The deterministic dendritic cell algorithm. In: Bentley, P.J., Lee, D., Jung, S. (eds.) ICARIS 2008. LNCS, vol. 5132, pp. 291–302. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  13. 13.
    Greensmith, J., Aickelin, U., Cayzer, S.: Introducing dendritic cells as a novel immune-inspired algorithm for anomaly detection. In: Jacob, C., Pilat, M.L., Bentley, P.J., Timmis, J.I. (eds.) ICARIS 2005. LNCS, vol. 3627, pp. 153–167. Springer, Heidelberg (2005)Google Scholar
  14. 14.
    Greensmith, J., Aickelin, U., Twycross, J.: Articulation and clarification of the dendritic cell algorithm. In: Bersini, H., Carneiro, J. (eds.) ICARIS 2006. LNCS, vol. 4163, pp. 404–417. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  15. 15.
    Gu, F., Greensmith, J., Ackelin, U.: Further exploration of the dendritic cell algorithm:Antigen multiplier and time windows. In: Bentley, P.J., Lee, D., Jung, S. (eds.) ICARIS 2008. LNCS, vol. 5132, pp. 142–153. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  16. 16.
    Helman, P., Forrest, S., Esponda, F.: A formal framework for positive and negative detection schemes. IEEE Transaction on Systems, Man, and Cybernetic (2004)Google Scholar
  17. 17.
    Helman, P., Liepins, G.: Statistical foundations of audit trail analysis for the detection of computer misuse. IEEE Transactions on Software Engineering (1993)Google Scholar
  18. 18.
    Hofmeyr, S., Forrest, S.: Architecture for an artificial immune system. IEEE Transactions on Evolutionary Computation (2000)Google Scholar
  19. 19.
    Hofmeyr, S., Forrest, S., Somayaji, A.: Intrusion detection using sequences of system calls. Journal of Computer Security (1998)Google Scholar
  20. 20.
    Howard, M., Le Blanc, D., Viega, J.: 19 Deadly Sins of Software Security: Programming Flaws and How to Fix Them. McGraw-Hill/Osborne, New York (2005)Google Scholar
  21. 21.
    Ingham, K.L., Inoue, H.: Comparing anomaly detection techniques for http. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 42–62. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  22. 22.
    Kim, J., Bentley, P.: The human immune system and network intrusion detection. In: EUFIT 1999 Proceedings (1999)Google Scholar
  23. 23.
    Kim, J., Bentley, P.: An evaluation of negative selection in an artificial immune system for network intrusion detection. In: GECCO 2001 Proceedings (2001)Google Scholar
  24. 24.
    King, S.T., Chen, P.M.: Backtracking intrusions. In: Proceedings of the 19th ACM symposium on Operating Systems Principles, SOSP 2003 (2003)Google Scholar
  25. 25.
    Kruegel, C., Vigna, G., Robertson, W.: A multi-model approach to the detection of web-based attacks. Computer Networks 48(5) (2005)Google Scholar
  26. 26.
    Long, J., Bayles, A., Foster, J., Hurley, C., Petruzzi, M., Rathaus, N., Wolfgang, M.: Penetration Tester’s Open Source Toolkit. Syngress (2006)Google Scholar
  27. 27.
    Maggi, F., Robertson, W., Kruegel, C., Vigna, G.: Protecting a moving target: Addressing web application concept drift. In: Balzarotti, D. (ed.) RAID 2009. LNCS, vol. 5758, pp. 21–40. Springer, Heidelberg (2009)Google Scholar
  28. 28.
    Matzinger, P.: The danger model: A renewed sense of self. Science (2002)Google Scholar
  29. 29.
    Northcutt, S., Zeltser, L., Winters, S., Kent, K., Ritchey, R.: Inside Network Perimeter Security. Sams (2005)Google Scholar
  30. 30.
    Riden, J., McGeehan, R., Engert, B., Mueter, M.: Web application threats. Know Your Enemy (2008)Google Scholar
  31. 31.
    Scambray, J., Shema, M., Sima, C.: Hacking Exposed - Web Applications, 2nd edn. McGraw-Hill, New York (2006)Google Scholar
  32. 32.
    Somayaji, A., Hofmeyr, S., Forrest, S.: Principles of a computer immune system. In: Proceedings of the 1997 New Security Paradigms Workshop (1997)Google Scholar
  33. 33.
    Twycross, J., Aickelin, U.: libtissue - a software system for incorporating innate immunity into artificial immune systems (2006),
  34. 34.
    Vella, M., Roper, M., Terzis, S.: Achieving anomaly detection effectiveness beyond the symmetric error lower bound, in web-based systems (2009),
  35. 35.
    Vella, M., Roper, M., Terzis, S.: Characterization of a danger context for detecting novel attacks targetig web-based systems (2010),
  36. 36.
    Wang, W., Guyet, T., Knapskog, S.J.: Autonomic intrusion detection system. In: Balzarotti, D. (ed.) RAID 2009. LNCS, vol. 5758, pp. 359–361. Springer, Heidelberg (2009)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Mark Vella
    • 1
  • Marc Roper
    • 1
  • Sotirios Terzis
    • 1
  1. 1.Department of Computer and Information SciencesUniversity of StrathclydeGlasgowUnited Kingdom

Personalised recommendations