Dendritic Cells for SYN Scan Detection
Julie Greensmith, Uwe Aickelin

TL;DR
This paper presents a novel intrusion detection system inspired by dendritic cells in the immune system, using the Dendritic Cell Algorithm to detect TCP SYN port scans with promising results and some false positives.
Contribution
It introduces the Dendritic Cell Algorithm for network intrusion detection, adapting immune system principles to improve anomaly detection capabilities.
Findings
Successfully detected TCP SYN port scans
Achieved anomaly detection with some false positives
Proposed adaptive signals to reduce false positives
Abstract
Artificial immune systems have previously been applied to the problem of intrusion detection. The aim of this research is to develop an intrusion detection system based on the function of Dendritic Cells (DCs). DCs are antigen presenting cells and key to activation of the human immune system, behaviour which has been abstracted to form the Dendritic Cell Algorithm (DCA). In algorithmic terms, individual DCs perform multi-sensor data fusion, asynchronously correlating the fused data signals with a secondary data stream. Aggregate output of a population of cells is analysed and forms the basis of an anomaly detection system. In this paper the DCA is applied to the detection of outgoing port scans using TCP SYN packets. Results show that detection can be achieved with the DCA, yet some false positives can be encountered when simultaneously scanning and using other network services.…
