Detecting Anomalous Process Behaviour using Second Generation Artificial Immune Systems
Jamie Twycross, Uwe Aickelin, Amanda Whitbrook

TL;DR
This paper introduces a biologically-inspired artificial immune system model that improves process anomaly detection performance by integrating innate and adaptive immune mechanisms, outperforming existing methods.
Contribution
It presents a more complex, biologically-authentic AIS model that enhances anomaly detection and combines runtime with system call data for better results.
Findings
Outperforms standard AIS and policy-based methods
Enhanced detection by combining runtime and system call data
Biologically-inspired model improves scalability and accuracy
Abstract
Artificial Immune Systems have been successfully applied to a number of problem domains including fault tolerance and data mining, but have been shown to scale poorly when applied to computer intrusion detection despite the fact that the biological immune system is a very effective anomaly detector. This may be because AIS algorithms have previously been based on the adaptive immune system and biologically-naive models. This paper focuses on describing and testing a more complex and biologically-authentic AIS model, inspired by the interactions between the innate and adaptive immune systems. Its performance on a realistic process anomaly detection problem is shown to be better than standard AIS methods (negative-selection), policy-based anomaly detection methods (systrace), and an alternative innate AIS approach (the DCA). In addition, it is shown that runtime information can be…
Taxonomy
Topics: Artificial Immune Systems Applications
