Artificial Immune Systems promise an effective antidote for computer viruses, worms and malware…
The havoc caused by viruses, worms and malware on the modern interconnected world cannot be overstated. As the complexity and scale of our interconnected networks of computers and other intelligent devices grow, they become increasingly vulnerable to these malicious forms of artificial life, which seem to spread and replicate just like natural viruses.
One of the challenges that anti-virus scanners face is the fast pace at which new viruses and malware are created every day. If you do not update the known-virus signature database on your computer in a timely manner, your computer is sure to be hit by some new, unknown and deadly virus or malware, potentially infecting and damaging your files.
Polymorphic viruses, which modify themselves, and metamorphic viruses, which rewrite themselves completely from one infection to the next, pose another serious threat to the capabilities of contemporary anti-virus scanners.
An alternative approach is to learn how biological systems, such as human bodies, protect themselves from natural viruses, and then apply those techniques to build Artificial Immune Systems that will protect our interconnected networks of intelligent devices.
The natural immune system has a mechanism consisting of T-cells that can discriminate between self, that is, genuine cells of the body, and non-self, that is, viruses and harmful foreign cells. When a T-cell encounters a non-self cell, it attaches to the harmful cell and ultimately destroys it.
This mechanism works even for previously unknown non-self. The body rejects whatever its immune system does not recognize as self, with the objective of protecting its own genuine, healthy cells.
When applied to Artificial Immune Systems (AIS), the self consists of authorized users, allowed IP addresses, port numbers, protocols, applications, utilities and legitimate files. The non-self in this context consists of computer viruses, worms, malware and rogue programs.
The AIS essentially considers each self in the system to be represented by a string, or a collection of sub-strings, that uniquely identifies each data set by certain attributes. For an incoming packet stream, the string may include source and destination addresses, checksum, port numbers, protocol, encoding etc. For a file in a storage system, it might additionally include authentication ids and file owners. In this way, the AIS maintains knowledge of the known state of the system through these self-strings.
The task for the AIS is now to continuously monitor these self-strings and detect any change by comparison with detector strings, which are made up of all those strings that are not part of the set of self-strings. In other words, the set of detector strings includes all possible non-self-strings. For example, if a self-string for an incoming packet on a network interface includes only the source IP address 10.234.24.231, then the detector strings will exclude the source IP address 10.234.24.231. In practical terms, the detectors will look for any incoming non-self packet that does not have the source IP address 10.234.24.231.
The AIS generates the set of detector strings using the Negative Selection Algorithm (NSA). To begin with, detector strings are randomly generated and then matched against the known self-strings. If there is a match, the detector string is deleted. As a result, the remaining set of detector strings consists only of non-self-strings.
Once the detector strings have matured through this matching process, they are put into action, matching against any unknown or known non-self-string. If a match is detected, remedial action is taken to isolate and remove the detected non-self-string, which may be an unwanted computer virus, worm, malware or any unknown foreign agent potentially harmful to the self.
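The following is an added illustration of the self-string, detector-string and negative-selection steps described above; it is example code written for this page, not code from the article. It assumes a 56-bit self-string built from three packet attributes (source IPv4 address, destination port, protocol number; the post lists more), and it assumes the "r-chunk" matching rule, under which a detector is a window offset plus r bits that must appear at exactly that offset (the post does not fix a matching rule). The random candidate generation the post describes is included, but the detectors used below are enumerated exhaustively so the result is deterministic. The sample packets are constructed for the example; the address 10.234.24.231 is the post's own.

```python
"""Negative-selection detectors over packet attributes (added example)."""
import random
from typing import Iterable, Iterator, List, Tuple

Packet = Tuple[str, int, int]        # (source_ip, dest_port, protocol) - assumed subset of attributes
Detector = Tuple[int, str]           # (window offset, r-bit pattern) - r-chunk detector

LENGTH = 56                          # bits in one self/non-self string: 32 + 16 + 8


def encode(packet: Packet) -> str:
    """Serialise packet attributes into a fixed-length bit string (the self-string)."""
    ip, port, proto = packet
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip!r}")
    if not (0 <= port <= 0xFFFF and 0 <= proto <= 0xFF):
        raise ValueError("port or protocol out of range")
    return "".join(f"{o:08b}" for o in octets) + f"{port:016b}" + f"{proto:08b}"


def matches(detector: Detector, s: str) -> bool:
    """r-chunk rule: the detector's pattern equals s at the detector's offset."""
    offset, pattern = detector
    return s[offset:offset + len(pattern)] == pattern


def all_candidates(r: int) -> Iterator[Detector]:
    """Every possible r-chunk detector over a LENGTH-bit string (exhaustive, deterministic)."""
    for offset in range(LENGTH - r + 1):
        for value in range(2 ** r):
            yield (offset, f"{value:0{r}b}")


def random_candidates(r: int, n: int, rng: random.Random) -> Iterator[Detector]:
    """The post's random generation: n random r-chunks. Sampling can leave
    'holes', non-self strings that no surviving detector matches."""
    for _ in range(n):
        yield (rng.randrange(LENGTH - r + 1), f"{rng.getrandbits(r):0{r}b}")


def negative_selection(candidates: Iterable[Detector],
                       self_strings: Iterable[str]) -> List[Detector]:
    """Delete every candidate that matches any self-string; the rest are matured detectors."""
    self_list = list(self_strings)
    return [d for d in candidates if not any(matches(d, s) for s in self_list)]


def is_non_self(packet: Packet, detectors: Iterable[Detector]) -> bool:
    """A packet is flagged as non-self if any matured detector matches its string."""
    s = encode(packet)
    return any(matches(d, s) for d in detectors)


# Constructed sample traffic declared to be the "self" of this network interface.
SELF_PACKETS: List[Packet] = [
    ("10.234.24.231", 443, 6),   # HTTPS from the post's example address
    ("10.234.24.231", 53, 17),   # DNS from the same host
    ("10.234.24.17", 22, 6),     # SSH from a second trusted host
]


def build_detectors(r: int = 8) -> List[Detector]:
    """Run negative selection over all r-chunk candidates against the self set."""
    return negative_selection(all_candidates(r), (encode(p) for p in SELF_PACKETS))


if __name__ == "__main__":
    detectors = build_detectors()
    print(f"{len(detectors)} matured detectors")
    probes = SELF_PACKETS + [("192.168.1.5", 443, 6),      # unknown source address
                             ("10.234.24.231", 8080, 6),   # known host, unknown port
                             ("10.234.24.17", 22, 17)]     # known host and port, unknown protocol
    for pkt in probes:
        print(pkt, "non-self" if is_non_self(pkt, detectors) else "self")
```

By construction no self packet can ever be flagged, since every detector that matched a self-string was deleted. The third probe shows why the window matters: its address, port and protocol each occur somewhere in the self set, yet the window spanning the port/protocol boundary holds a bit pattern no self-string has, so a detector survives for it. With random rather than exhaustive candidates, such a packet may or may not be covered, which is the coverage gap a practitioner has to measure before trusting a negative-selection detector set.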
AIS can be implemented on each device connected to the network, in a distributed manner. As a further extension, the AIS instances on the connected devices can be made to collaborate with each other over the network. This collaborative AIS framework is expected to speed up the detection of known as well as unknown non-self entities, since detection results can be shared within the Distributed Artificial Immune System (DAIS).
Consider a future scenario with DAIS implemented everywhere. You will prefer to buy an immunized smartphone or an immunized notebook computer. Cloud service providers will ensure that all the servers on their networks are immunized.
You as a consumer may demand to look at the immunization record of a service network, before you sign up for any of the cloud services!
What do you think?
Places to go from here:
Artificial Immune System for Intrusion Detection