We propose an artificial immune model for intrusion detection in distributed systems based on a relatively recent theory in immunology called danger theory. According to danger theory, immune response in natural systems is a result of sensing corruption as well as sensing unknown substances. In contrast, traditional self-nonself discrimination theory states that immune response is only initiated by sensing nonself (unknown) patterns. Danger theory solves many problems that could only be partially explained by the traditional model. Although the traditional model is simpler, such problems result in high false positive rates in immune-inspired intrusion detection systems. We believe using danger theory in a multi-agent environment that computationally emulates the behavior of natural immune systems is effective in reducing false positive rates. We first describe a simplified scenario of immune response in natural systems based on danger theory and then convert it to a computational model as a network protocol. In our protocol, we define several immune signals and model cell signaling via message passing between agents that emulate cells. Most messages include application-specific patterns that must be meaningfully extracted from various system properties. We show how to model these messages in practice by performing a case study on the problem of detecting distributed denial-of-service attacks in wireless sensor networks. We conduct a set of systematic experiments to find a set of performance metrics that can accurately distinguish malicious patterns. The results indicate that the system can be efficiently used to detect malicious patterns with a high level of accuracy.