Masters Thesis Defense - PowerPoint PPT Presentation

1
Masters Thesis Defense
  • Immune based Event-Incident model for
    Intrusion Detection Systems
  • A Nature Inspired Approach to
    Secure Computing

  • Swetha Vasudevan
  • Director of Thesis
    Dr. Michael Rothstein

2
Acknowledgements
  • This thesis would not have been possible
    without the constant support and encouragement I
    received from my academic advisor, Dr. Michael
    Rothstein. From the first vague proposal of this
    topic to later queries on focus and connection,
    he was always eager to entertain my ideas and
    help me solve conceptual difficulties. I
    sincerely thank him for his consistent efforts
    and true desire to keep me on track.
  • I would also like to thank my committee
    members, Dr. Johnny Baker and Dr. Austin Melton
    for serving in my defense committee despite their
    overwhelmingly busy schedule.
  • Special thanks to the staff at the Kent
    State Department of Computer Science, in
    particular Marcy Curtiss who helped and
    encouraged me every step of the way during my
    time in the department.
  • Finally, I would like to express my
    deepest gratitude to my parents. Their support
    and unwavering confidence in my ability helped me
    achieve my academic dreams.

3
Outline
  • Introduction
  • Scope of the Thesis
  • Ideal Intrusion Detection System
  • Understanding Human Immune System
  • Review of Existing Literature
  • The Immunological Concept of Danger Theory
  • Application of Danger Theory to Intrusion
    Detection
  • Proposed Danger Theory based Event-Incident Model
  • Conclusion
  • Bibliography

4
  • SECTION 1

5
  • Introduction
  • Why are Computer Scientists interested in
    Human Immune System?
  • Defense In Depth
  • -> External Line of Defense
  • -> Innate Immunity
  • -> Adaptive Immunity
  • Uniqueness
  • Distributed accurate detection and subsequent
    elimination of foreign activities
  • Self Replication
  • Learning/Memory

6

Introduction: Why are Computer Scientists
interested in Human Immune System? (Cont.)
  • Adaptability
  • Methodology of protecting itself from attacks

7
  • SECTION 2

8
Scope of the Thesis
  • Two well-known immunological theories are
    examined
  • -> Self / Non-Self Theory (SNS)
  • -> Danger Theory
  • Inadequacies of the classic SNS theory are
    presented.
  • Analogy between Human Immune System and Intrusion
    Detection System is reviewed and assessed.
  • A Danger Theory based Event-Incident Model for
    Intrusion Detection System is proposed.
  • The proposed model also exhibits characteristics
    of an autonomous multi-agent system.

9
Scope of the Thesis (Cont.)
  • It is designed to be accurate in its ability to
    differentiate an event from an incident,
    scalable, flexible and adaptable.
  • The model employs a group of detectors known as
    the Mobile Intrusion Detection Squad to
    identify and respond to both distributed and
    coordinated attacks.
  • This thesis ONLY provides a conceptual view and
    overall infrastructure of the proposed model.
  • Specific implementation is beyond the scope of
    this thesis.

10
The Problem Statement
  • Problem
  • The literature of Immune-based Intrusion
    Detection Systems currently lacks a solution for
    ensuring corruption-free immune detectors.
  • Result of this Problem
  • Monitoring by CORRUPTED immune detectors ->
    ineffective correlation of intrusion analysis
    results and alerts -> false alarm production.

11
Solution
  • Proposed Solution
  • Implementing attack-resistant mobile agents which
    can relocate themselves inside the network and be
    elusive when a suspicious activity is sensed.
  • Employing the immunological concept of Danger
    Theory and Danger Zone Establishment for effective
    alert correlation and false alarm reduction.

12
  • SECTION 3

13
Ideal Intrusion Detection System
  • Any attempt to compromise the Confidentiality,
    Integrity, and Availability (CIA) of a resource
    can be categorized as Intrusion.
  • There is a growing need to ensure CIA of a
    resource and eliminate both internal and external
    system penetrators.
  • An effective way of achieving this is to utilize
    the concept of Intrusion Detection, which is the
    process of gathering and analyzing information to
    determine whether intrusive activity is present
    in the system.
  • Intrusion Detection techniques adopt the
    philosophy of Defense in Depth. Multiple layers
    of defense strengthen the overall security
    infrastructure.

14
Defense in Depth
15
Architecture
  • One of the most critical considerations in
    Intrusion Detection.
  • In an effective architecture, each host, its
    internal components and processes perform their
    functions in an
  • -> Effective
  • -> Coordinated manner
  • Resulting in
  • -> Efficient Information Processing
  • -> Analysis
  • -> Timely Response
  • Can be Single-Tiered, Multi-Tiered or Peer-Peer.

16
Tiered Architecture
[Figure: Multi-Tiered, Single-Tiered and Peer-Peer architectures]
17
Ideal Intrusion Detection System
  • Three major tasks to perform
  • -> Continuous Monitoring
  • -> Detect the presence of malicious activities
  • -> Notify system security officer and take
    appropriate steps to resolve the issue
  • Accomplished by 4 components
  • -> Agent
  • -> Director
  • -> Alert Analyzer
  • -> System Security Officer

18
Ideal Intrusion Detection System
19
  • SECTION 4

20

Understanding Human Immune System
  • Human Immune System is a complex, intricate
    network of organs which produces cells and
    tissues that participate in immune response.
  • Defense in Depth
  • -> First Level: Surface barrier that prevents
    direct pathogenic entry into our body (e.g. skin).
  • -> Second Level: Innate Immune System
    (non-specific) that prevents pathogenic entry
    into our tissues.
  • -> Third Level: Adaptive Immune System (specific)
    that can recognize and respond to a pathogen by
    producing needed antibodies.
  • Exhibits immunological memory which helps mount
    a stronger, focused attack in future.

21
Immune System (Defense in Depth)
22
Immune System - Major Players
  • Lymphocytes
  • Antigens
  • Antibodies
  • Antigen Presenting Cells (APC)
  • Major Histocompatibility Complex (MHC)

23
Classes of Lymphocytes
  • Two classes of Lymphocytes take part in the
    immune response.

  • -> B cells (antibody secreting white blood cells)
  • -> T cells
  • Lymphocytes have specific binding areas (called
    Receptors) that enable them to bind to a
    particular antigen.
  • Receptors have complementary shapes to the
    localized region on the surface of antigens known
    as Epitopes.
  • Antigens are recognized by their epitopes binding
    to lymphocyte antibody receptors.

24
Classes of Lymphocytes (Cont.)
  • Antibodies are a specific type of proteins
    produced by lymphocytes in response to the
    invading foreign organism.
  • Each antibody is unique and defends our body
    against a specific kind of antigen.
  • B cells (have special binding areas called B-cell
    receptors)
  • -> Develop and mature in bone marrow.
  • -> When the body gets invaded by foreign
    pathogens, B cells react in response by
    secreting antibodies.
  • -> B cells produce enough antibodies to protect
    our body from a diverse range of antigens.

25
Classes of Lymphocytes (Cont.)
  • -> B cells are capable of immunological memory.
  • -> Memory cells remind the Immune System of all
    the antigen patterns that have been encountered
    by our body in the past.
  • T cells (have special binding areas called T-cell
    receptors)
  • -> Responsible for cell mediated immunity
    (involves eliminating infected self cells before
    the release of harmful toxins and viruses that
    can infect other cells).
  • -> Made in bone marrow but develop in thymus.
  • -> Two classes (T-helper and T-killer)

26
Structure of a Lymphocyte
27
Negative Selection
  • Only fully developed B and T cells can
    participate in the immune response and fight
    infection.
  • During the birth of B and T cells it is possible
    that the developing B and T cells categorize self
    proteins as harmful antigens.
  • This leads to the bonding of B and T cell
    receptors to the self cell epitopes.
  • This creates auto-immunity (commences immune
    response against our own body's cells and
    tissues).
  • The process of negative selection is used to
    filter such B and T cells.

28
Negative Selection (Cont.)
  • Negative selection ensures that our body only
    produces lymphocytes that could bind themselves
    to the epitopes of foreign antigens, not self
    cells.
  • During this phase all B and T cells that react to
    self cells are killed instantly.
  • Since B cells mature in the lymph nodes which are
    distributed all over the body, ensuring tolerance
    in B cells is harder than in T cells, which
    mature in the thymus.
  • In this case T cells provide distributed
    censoring of B cells via Co-Stimulation.

29
Concept of Negative Selection
30
Co-Stimulation
  • In order to become activated, B cells must
    receive co-stimulation in the form of 2 signals.
  • Signal 1 occurs when the B cell receptors bind
    to the antigen epitopes beyond the affinity
    threshold.
  • Signal 2 is provided to the B cell by the
    helper T cell. The helper T cell will only
    provide signal 2 if it recognizes the pathogen
    the B cell has captured.
  • If not, it concludes that the B cell has captured
    a self cell and does not co-stimulate the B cell
    by providing signal 2. In the absence of signal
    2, B cells die.

31
Co-Stimulation
32
Lymphocyte-Antigen Bonding
  • Antibodies secreted by B cells need to be
    activated either directly or indirectly to be
    able to recognize harmful antigens.
  • B cell receptors bind to antigen epitopes with
    certain affinity.
  • Probability of bond forming increases as affinity
    increases.
  • The number of features required to bind before a
    match can be made between antigen epitopes and
    lymphocyte receptors is known as the affinity
    threshold.
  • If B cell receptors bind themselves to an antigen
    epitope above a certain threshold, they get
    directly activated.

33
Lymphocyte-Antigen Bonding (Cont.)
  • However, if a B cell antibody receptor binds to
    an antigen epitope with weak affinity, it seeks
    the help of T cells and MHC.
  • MHC helps B cells by performing 2 functions
  • -> Binds to hidden fragments of antigens that
    are not visible on the cell surface.
  • -> Transports the antigen infected cell to the
    surface of the B cell.
  • In order for the T cell receptors to recognize
    the antigens, the antigens need to first be
    processed by APCs, which are usually dendritic
    cells.

34
Lymphocyte-Antigen Bonding (Cont.)
  • The processed antigen is then stuck into the
    special molecule inside the MHC.
  • APC now displays this foreign antigen complexed
    with MHC for T cell receptors to recognize.
  • Now T cells can easily bind to the MHC molecule
    on the surface of B cell.
  • When a T cell receptor binds to the MHC molecule
    with strong affinity, it sends a chemical signal
    to the B cell which lets it get activated
    immediately.

35
Lymphocyte-Antigen Bonding
36
  • SECTION 5

37
Review of Existing Literature
  • Forrest et al.: Negative selection algorithm
  • - Protecting computer systems viewed as an
    instance of distinguishing self (legitimate
    users) from non-self (malicious activities).
  • - Self -> normal behavior.
  • - Random patterns compared to self pattern.
  • - If a random pattern matches self, it fails to
    become a detector.
  • - If a detector matches a newly profiled pattern,
    it indicates presence of an anomaly.
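
The negative selection steps listed above, as an added Python example that is not part of the original slides. It assumes the r-contiguous-bits matching rule (the slides do not name a matching rule), and the 12-bit self patterns are constructed sample data standing in for profiled normal behavior.

```python
import random


def r_contiguous_match(a, b, r):
    """True when a and b agree in at least r contiguous positions."""
    run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        if run >= r:
            return True
    return False


def generate_detectors(self_set, length, r, count, rng, max_tries=100_000):
    """Censoring phase: random candidates that match any self pattern are
    discarded; the survivors become detectors."""
    detectors = set()
    for _ in range(max_tries):
        if len(detectors) == count:
            break
        candidate = "".join(rng.choice("01") for _ in range(length))
        if not any(r_contiguous_match(candidate, s, r) for s in self_set):
            detectors.add(candidate)
    return sorted(detectors)


def is_anomalous(pattern, detectors, r):
    """Monitoring phase: a detector matching a newly profiled pattern
    indicates an anomaly."""
    return any(r_contiguous_match(d, pattern, r) for d in detectors)


def detection_rate(self_set, detectors, length, r):
    """Fraction of all non-self patterns flagged by the detector set.
    Anything below 1.0 corresponds to non-self patterns no detector covers."""
    nonself = [p for p in (format(i, f"0{length}b") for i in range(2 ** length))
               if p not in self_set]
    return sum(is_anomalous(p, detectors, r) for p in nonself) / len(nonself)


# Constructed sample data (hypothetical encodings of normal behavior).
SELF = ["000011110000", "101010101010", "111100001111", "001100110011"]
R = 6
DETECTORS = generate_detectors(SELF, length=12, r=R, count=20,
                               rng=random.Random(7))

if __name__ == "__main__":
    print("detectors:", len(DETECTORS))
    print("self flagged:", [is_anomalous(s, DETECTORS, R) for s in SELF])
    print("non-self coverage: %.2f" % detection_rate(SELF, DETECTORS, 12, R))
```

Because candidates that match self are censored, a self pattern can never be flagged; the coverage figure shows how many detectors are needed before most non-self patterns are caught.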

38
Review of Existing Literature (Cont.)
  • Kephart's immunologically inspired approach
  • - Known virus -> computer coded sequences.
  • - Unknown virus -> unusual behavior.
  • - Decoy programs at strategic areas in memory.
  • - Decoy programs periodically examined for
    modification.
  • - Modification indicates presence of virus.
  • - Modified decoys are processed to obtain the
    signature of the attack, which is then stored in
    the archive for future reference.

39
Review of Existing Literature (Cont.)
  • Dipankar Dasgupta's approach
  • - Computational aspects of immune system
    integrated in a single framework.
  • - Develops multi-agent intrusion and response
    system.
  • - Monitors several parameters at multiple levels.
  • - Monitoring agents, communicator agents and
    decision/action agents function as immune cells.
  • - Three appealing properties: mobility,
    adaptivity and collaboration.

40
Review of Existing Literature (Cont.)
  • Mell and McLarnon's approach towards ensuring
    attack resistance in mobile agents (not an immune
    based approach)
  • - Attack resistance achieved through five stages.
  • - Stage one -> Location of mobile agents
    randomized.
  • - Stage two -> Removing centralized directory
    services for eliminating single points of
    failure.
  • - Stage three -> Agents take evasive action to
    avoid attack.

41

Review of Existing Literature (Cont.)
  • - Stage 4 -> Resurrect killed agents.
  • - Stage 5 -> Backup agents take over and
    reestablish broken communication links.

42
Review of Existing Literature (Cont.)
  • Emergence of Danger Theory
  • -> According to SNS, any entity that originates
    from the organism will not trigger an immune
    response, whereas an entity that originates
    outside of the organism will trigger an immune
    reaction.
  • -> Many immunologists are questioning the
    legitimacy of the above statement (no immune
    reaction to the foreign bacteria in the gut or
    in the food we eat, although both originate from
    outside the organism).
  • -> Polly Matzinger introduced a new concept known
    as Danger Theory (DT) that attempts to fill the
    gap left by the SNS theory.

43
Review of Existing Literature (Cont.)
  • -> According to DT, an immune response is
    triggered when diseased cells that die
    unnaturally induce alarm signals.
  • -> Alarm or danger signals are actually harmful
    toxins released by cells in distress.
  • -> Propagating signals create a danger zone
    around themselves, and only antibodies within
    the range begin an immune reaction.
  • -> It is not the foreignness of an entity that
    triggers the immune response but the actual
    level of danger itself.

44
Review of Existing Literature (Cont.)
  • -> Computer security experts are trying to
    implement this fascinating philosophy in
    Intrusion Detection Systems.
  • -> In the context of IDS, danger signals would be
    interpreted as unusual memory usage, access of
    unauthorized files, intruder presence,
    inappropriate disk activity and so forth.
  • -> Generated alarm signals would be correlated
    with IDS alerts.
  • -> Based on DT, alerts are classified as
    Apoptotic (normal) and Necrotic (abnormal).

45
Review of Existing Literature (Cont.)
  • -> It is believed that proper balancing of the
    two types of alerts would result in an optimum
    sensor threshold setting. This results in
    reduced false alarms.
  • -> Successful correlation of these alerts would
    then lead to construction of an intrusion
    scenario.
  • -> When the IDS has strong indications of the
    presence of intrusive activities, it can
    activate the sensors that are spatially,
    temporally or logically near the original sensor
    emitting the danger signal (danger zone).
  • Propagation of these signals would enable the
    system to immunize itself from attacks.

46

  • SECTION 6

47
Concept of Danger Theory
  • Every cell in our body has a defined life cycle
  • -> A beginning.
  • -> An end.
  • Cells can die in two ways
  • -> Necrosis (get killed accidentally by harmful
    pathogens).
  • -> Apoptosis or Programmed Cell Death (process
    of deliberate life relinquishment of a cell).
  • In the case of Apoptosis, the cells that undergo
    suicide send out signals to nearby scavenger
    cells (Phagocytes), which helps prevent the dying
    cell from releasing harmful toxins (intact cell
    membrane).

48
Apoptosis (Programmed Cell Death)
49
Concept of Danger Theory (Cont.)
  • In the case of Necrosis, the cell death is not
    organized.
  • The disorderly death does not send signals which
    inform the nearby Phagocytes to engulf the
    injured cells.
  • This makes it hard for the cleanup cells
    (Phagocytes) to locate and digest the cells that
    die due to Necrosis.
  • The injury received by the cells compromises the
    cell membrane, which stores special digestive
    enzymes. The release of this harmful toxin
    accelerates unorganized chemical reaction.

50
Necrosis
51
Concept of Danger Theory (Cont.)
  • DT was built on the concept that proposed that
    the intracellular contents that were released by
    damaged cells were actually a form of danger
    signal that alerted the nearby APCs and
    activated them.
  • Only cells that die due to Necrosis would send
    out alarm signals. Healthy cells and cells that
    die due to Apoptosis or PCD should not.
  • Rather than responding to the foreignness in the
    case of SNS, according to DT, the Immune System
    responds to actual danger.
  • Danger Model was built on existing immune signal
    model that utilizes the SNS discrimination.

52
Immune Signal Models
  • Burnet's One Signal Model
  • Bretscher and Cohn's Two Signal Model
  • Lafferty and Cunningham's Model
  • Janeway's Model (Priming of Antigen Presenting
    Cells)
  • Matzinger's Danger Signal Model

53
Burnet's One Signal Model
54
Bretscher and Cohn's Model
55
Lafferty and Cunningham's Model
56
Janeway's Model
57
Matzinger's Danger Signal Model
58
  • SECTION 7

59
Application of DT to IDS
  • DT based IDS would focus on accurate
    classification, correlation and balancing of
    alerts.
  • Alerts classified as
  • -> Apoptotic (prerequisite for an attack).
  • -> Necrotic (consequence of a successful attack).
  • Relies on successful correlation of prerequisite
    and consequence of individual attacks to develop
    intrusion scenario.
  • In DT based alert correlation post-conditions of
    certain attacks can be used as precondition for
    other attacks (linking alerts). Hence, it is
    sufficient to specify properties such as
    prerequisites and consequences for individual
    attacks.

60
Application of DT to IDS (Cont.)
  • This makes it possible to identify missing alerts.
  • DT based IDS would minimize false alarms as it
    can quantify the degree of alert detection by
    appropriately tuning the intrusion signatures and
    anomaly thresholds.
  • Striking a balance between Apoptotic and Necrotic
    alerts would enable IDS to identify the most
    suitable intrusion signature and anomaly
    threshold setting.
  • Similar to memory cells in HIS, intrusion
    signatures and thresholds are continuously
    redefined as new attacks invade the system. This
    significantly increases the accuracy rate of the
    IDS.

61
Application of DT to IDS (Cont.)
  • When an intrusion detection sensor identifies the
    presence of unauthorized activity, it raises an
    alert.
  • Danger alerts arising from one sensor can be
    transmitted to nearby sensors informing them of
    the intruder presence.
  • Alerts are propagated only if the probability of
    an intrusion scenario is higher than the
    threshold set.
  • Activation of nearby sensors establishes Danger
    Zone.

62
  • SECTION 8

63
EVENT-INCIDENT MODEL
  • Employs Intrusion Detection Squad
    (attack-resistant mobile agents)
  • -> Assistant Patrol Agents.
  • -> Incident Pattern Presenters.
  • -> Correlator.
  • -> Negotiator.
  • -> Coordinator.
  • -> Neutralizer.
  • Works with
  • -> CIA Threshold Unit (Confidentiality,
    Integrity, Availability).
  • -> Knowledge Database.
  • -> Anomaly Signature Converter.
  • -> Peer Information Buffer.

64
EVENT-INCIDENT MODEL (Cont.)
  • Architecture
  • -> Peer-Peer.
  • Works at four levels
  • -> Host level.
  • -> Application level.
  • -> Protocol level.
  • -> Network level.
  • DT based Event-Incident Model for IDS is a Six
    Phase Process. Each phase denotes distinct
    sequence of events which leads to the progression
    to the next phase.

65
EVENT-INCIDENT MODEL (Cont.)
  • Recruitment (Phase One): The Coordinator of the
    Intrusion Detection Squad is responsible for
    recruitment of customized mobile agents. The
    Coordinator generates two classes of agents for
    each of the four levels, namely Assistant Patrol
    Agents (APA) and Incident Pattern Presenters
    (IPP).
  • Dispersal (Phase Two): The Coordinator sends
    agents on neighborhood patrol. When it receives
    the monitoring results from the agents, it
    communicates with the Peer Information Buffer to
    decide whether an action plan is required.
  • Alert Categorization and Intrusion Scenario
    Strength Analysis (Phase Three): The Correlator/
    Negotiator unit is responsible for alert
    categorization and intrusion scenario strength
    analysis (adopts the immune signal model).

66
EVENT-INCIDENT MODEL (Cont.)
  • Propagation (Phase Four): The Coordinator
    activates the Neutralizer unit and starts to
    propagate the danger signal to all its neighbors
    upon confirming the presence of intrusion.
  • Neutralization (Phase Five): The Neutralizer unit
    takes necessary steps (based on the type and
    severity of the attack) to immunize itself from
    the infected node.
  • Updating Knowledge Database (Phase Six): If the
    signature of the ongoing attack is not already
    saved, the Coordinator feeds the detected anomaly
    to the Anomaly Signature Converter unit to
    generate a signature. After this the knowledge
    database is updated.

67
EVENT INCIDENT MODEL
68
Laws of DT based Event-Incident Model
  • Law 1
  • Coordinator becomes activated if it
  • -> Receives signal 0.
  • -> Receives signal 1.
  • -> Receives both signal 0 and signal 1.
  • Law 2
  • Coordinator propagates Danger Signal if and only
    if it
  • -> Receives confirmation signal 2 from the
    Correlator/Negotiator Unit. (ELSE)
  • -> Ignore signal 0 and signal 1.
  • -> Become deactivated.

69
Laws of DT based Event-Incident Model
  • Law 3
  • After Propagation of Danger Signal
  • -> Become deactivated.
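
The prerequisite/consequence alert correlation from the "Application of DT to IDS" slides and Laws 1 to 3 above, combined in one added Python example that is not part of the original slides. The knowledge base, the strength score, the reading of signal 2 as "scenario strength above the threshold", and treating signals 0 and 1 as opaque activation signals are all assumptions; the alerts are constructed.

```python
from dataclasses import dataclass

# Constructed knowledge base (an assumption, not from the slides):
# alert type -> (DT class, prerequisites, consequences)
KB = {
    "port_scan":        ("apoptotic", set(),             {"service_known"}),
    "login_bruteforce": ("apoptotic", {"service_known"}, {"user_access"}),
    "priv_escalation":  ("necrotic",  {"user_access"},   {"root_access"}),
    "file_tamper":      ("necrotic",  {"root_access"},   {"integrity_lost"}),
}


@dataclass(frozen=True)
class Alert:
    time: int
    kind: str


def correlate(alerts):
    """Link an earlier alert to a later one when a consequence of the first
    is a prerequisite of the second. Unmet prerequisites are returned with
    the alert types that could have produced them (likely missing alerts)."""
    ordered = sorted(alerts, key=lambda a: a.time)
    links, missing = [], []
    for i, later in enumerate(ordered):
        for need in sorted(KB[later.kind][1]):
            earlier = [a for a in ordered[:i] if need in KB[a.kind][2]]
            if earlier:
                links.append((earlier[-1].kind, later.kind, need))
            else:
                producers = sorted(k for k, v in KB.items() if need in v[2])
                missing.append((later.kind, need, producers))
    return links, missing


def scenario_strength(alerts, links, missing):
    """Assumed score in [0, 1]: share of prerequisites explained by earlier
    alerts; 0 unless at least one necrotic (consequence) alert is present."""
    if not any(KB[a.kind][0] == "necrotic" for a in alerts):
        return 0.0
    total = len(links) + len(missing)
    return len(links) / total if total else 0.0


class Coordinator:
    def __init__(self, name):
        self.name = name
        self.neighbours = []
        self.activated = False
        self.in_danger_zone = False
        self.pending = set()  # signals 0/1 held until the verdict arrives

    def receive(self, signal):
        """Law 1: signal 0, signal 1, or both activate the coordinator."""
        if signal not in (0, 1):
            raise ValueError("only signal 0 or signal 1 can activate")
        self.pending.add(signal)
        self.activated = True

    def decide(self, alerts, threshold):
        """Laws 2 and 3: propagate only on confirmation (signal 2), then
        deactivate; without it, drop signals 0/1 and deactivate."""
        if not self.activated:
            return []
        links, missing = correlate(alerts)
        signal_2 = scenario_strength(alerts, links, missing) > threshold
        notified = []
        if signal_2:
            for peer in self.neighbours:
                peer.in_danger_zone = True  # nearby sensors form the danger zone
                notified.append(peer.name)
        self.pending.clear()
        self.activated = False
        return notified


def demo():
    a, b, c = Coordinator("a"), Coordinator("b"), Coordinator("c")
    a.neighbours, b.neighbours, c.neighbours = [b], [a, c], [b]
    # Constructed alerts: the priv_escalation alert was never raised.
    observed = [Alert(1, "port_scan"), Alert(2, "login_bruteforce"),
                Alert(5, "file_tamper")]
    a.receive(1)
    return a.decide(observed, threshold=0.4), correlate(observed)[1]


if __name__ == "__main__":
    print(demo())
```

In the demo the unmet `root_access` prerequisite points at a missed `priv_escalation` alert, and only the direct neighbour of the activated coordinator enters the danger zone.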

70
Attack Resistance
  • -> Randomized Agent Location
  • -> Digitally Signed Code
  • -> Cooperating Agents
  • -> Maintain Backup Copies
  • -> Proof Carrying Code
  • -> Maintain Path Histories
  • -> Encrypted Communication
71
INTRUSION DETECTION
SCENARIO
72
Topology
73
  • SECTION 9

74
Conclusion
  • Merits of the proposed DT based Event-Incident
    Model
  • -> Recognition.
  • -> Learning and Memory.
  • -> Diversity.
  • -> Scalable.
  • -> No single point of failure.
  • -> Danger Zone establishment (alert communication).
  • -> False alarm reduction by alert correlation.
  • -> Attack Resistance.

75
Conclusion
Analogy between HIS and Event-Incident Model
76
Bibliography
  • 1. Kim, J., Bentley, P. The Human Immune System
    and Network Intrusion Detection. In the
    Proceedings of the 7th European Congress on
    Intelligent Techniques and Soft Computing,
    Aachen, Germany, 1999.
  • 2. Bishop, M. Introduction to Computer
    Security. Addison Wesley, Boston, 2005.
  • 3. Forrest, S., Hofmeyr, S., and Somayaji, A.
    Computer Immunology. In Communications of the
    ACM, Vol. 40, No. 10, Pages 88-96, 1997.
  • 4. Forrest, S., Perelson, A.S., Allen, L. and
    Cherukuri, R. Self-Nonself Discrimination in a
    Computer. In Proceedings of IEEE Symposium on
    Research in Security and Privacy, Pages 202-212,
    Oakland, May 16-18, 1994.
  • 5. Hofmeyr, S. A. and Forrest, S. Immunizing
    Computer Networks: Getting All the Machines in
    Your Network to Fight the Hacker Disease. In IEEE
    Symposium on Security and Privacy, 1999.
  • 6. Sullivan, J. 1996. How lymphocytes produce
    antibody. <http://www.cellsalive.com/antibody.htm>
    Accessed April 11, 2006.

77
Bibliography
  • 7. Dasgupta, D. 1999. Immunity-Based Intrusion
    Detection System: A General Framework.
    <http://csrc.nist.gov/nissc/1999/proceeding/papers/p11.pdf>
    Accessed April 11, 2006.
  • 8. Crosbie, M. and Spafford, G. Active defense
    of a computer system using autonomous agents.
    Technical Report 95008, Department of Computer
    Science, Purdue University, February 1995.
  • 9. Hofmeyr, S. 1997. An overview of the Immune
    System. <http://www.cs.unm.edu/immsec/html-imm/introduction.html>
    Accessed October 20, 2006.
  • 10. Tyler, D. 2003. Artificial Immune System and
    Negative Selection.
    <http://www.logicalgenetics.com/showarticle.php?topic_id=894>
    Accessed October 24, 2006.
  • 11. Online Encyclopedia. Immune System.
    <http://en.wikipedia.org/wiki/Immune_system>
    Accessed October 24, 2006.

78
Bibliography
  • 12. Greensmith, J., Aickelin, U. and Twycross, J.
    Detecting Danger: Applying a Novel Immunological
    Concept to Intrusion Detection Systems. In the
    6th International Conference in Adaptive
    Computing in Design and Manufacture, Bristol, UK,
    2004.
  • 13. Dasgupta, D. Immunity-Based Intrusion
    Detection Systems: A General Framework. In the
    Proceedings of the 22nd National Information
    Systems Security Conference (NISSC), Pages
    147-160, October 18-21, 1999.
  • 14. Aickelin, U., Bentley, P., Cayzer, S., Kim, J.
    and McLeod, J. Danger Theory: The Link between
    AIS and IDS? In Proceedings ICARIS-2003, 2nd
    International Conference on Artificial Immune
    Systems, Pages 147-155, Edinburgh, UK, 2003.
  • 15. Aickelin, U., Cayzer, S. The Danger Theory
    and Its Application to AIS. First International
    Conference on AIS, Pages 141-148, UK, 2002.
  • 16. Matzinger, P. The Danger Model in Its
    Historical Context. Scandinavian Journal of
    Immunology, Vol 54, Pages 4-9, 2001.

79
Bibliography
  • 17. Janeway, C. The immune system evolved to
    discriminate infectious nonself from
    noninfectious self. Immunology Today, Vol 13,
    Pages 11-16, 1992.
  • 18. Bretscher, P., Cohn, M. A theory of
    self-nonself discrimination. Science, Vol 169,
    Pages 1042-1049, 1970.
  • 19. Matzinger, P. The Danger Model: A Renewed
    Sense of Self. Science, Vol 296, Pages 301-305,
    2002.
  • 20. Vance, R.E. Cutting Edge Commentary: A
    Copernican Revolution? Doubts About the Danger,
    Journal of Immunology, Vol 165, Pages 1725-1728,
    2000.
  • 21. Endorf, C.F., Schultz, E., and Mellander, J.
    Intrusion Detection and Prevention. McGraw-Hill,
    Osborne Media, U.S.A, 2003.
  • 22. Kruegel, C., Valeur, F., Vigna, G. Intrusion
    Detection and Correlation, Challenges and
    Solution. Springer Science, Business Media Inc,
    U.S.A, 2005.

80
Bibliography
  • 23. Mell, P., McLarnon, M. Mobile Agent Attack
    Resistant Distributed Hierarchical Intrusion
    Detection System. In the Proceedings of RAID
    99, CERIAS, Purdue University, 1999.
  • 24. Matzinger, P. 2005. The Real Function of the
    Immune System or Tolerance and the Four D's
    (Danger, Death, Destruction and Distress).
    <http://cmmg.biosci.wayne.edu/asg/polly.html>
    Accessed December 4, 2006.
  • 25. Ramachandran, G., Hart, D. A P2P Intrusion
    Detection System based on Mobile Agents. ACM-SE
    42, In the Proceedings of the 42nd annual
    Southeast regional conference, U.S.A, 2004.
  • 26. Jansen, W., Mell, P., Karygiannis, T. and
    Marks, D. Applying mobile agents to intrusion
    detection and response. Technical report,
    National Institute of Standards and Technology,
    Interim Report 6416, 1999.
  • 27. Anderson, J.P. Computer security threat
    monitoring and surveillance. Technical report,
    J. P. Anderson Co., U.S.A, 1980.

81
Bibliography
  • 28. Online Encyclopedia. Lymphocyte.
    <http://en.wikipedia.org/wiki/Lymphocyte>
    Accessed December 4, 2006.
  • 29. Online Encyclopedia. B-Cells.
    <http://en.wikipedia.org/wiki/B_cell>
    Accessed December 4, 2006.
  • 30. Online Encyclopedia. T-Cells.
    <http://en.wikipedia.org/wiki/T_cell>
    Accessed December 4, 2006.
  • 31. Paul, W. E. The Immune System: An
    Introduction. In Fundamental Immunology 3rd Ed.,
    W. E. Paul (Ed), Raven Press Ltd, 1993.
  • 32. Tizard, I. R. Immunology Introduction,
    4th Ed, Saunders College Publishing, 1995.
  • 33. Kephart, J.O. A Biologically Inspired Immune
    System for Computers. In the Proceedings of the
    Fourth International Workshop on Synthesis and
    Simulation of Living Systems, MIT Press, Pages
    130-139, Cambridge, MA, 1994.

82
Bibliography
  • 34. Online Encyclopedia. Apoptosis and Necrosis.
    <http://en.wikipedia.org/wiki/Apoptosis>
    Accessed December 17, 2006.
  • 35. Burnet, F. M. The Clonal Selection Theory of
    Acquired Immunity. Vanderbilt Univ. Press,
    Nashville, TN, 1959.
  • 36. Lafferty, K. J. and Cunningham, A. A New
    Analysis of Allogeneic Interactions. Australian
    Journal of Experimental Biology and Medical
    Sciences, Vol 53, Pages 27-42, 1975.
  • 37. Jansen, W. and Karygiannis, T. Mobile Agent
    Security.
    <http://csrc.nist.gov/publications/nistpubs/800-19/sp800-19.pdf>
    Accessed March 2, 2007.
  • 38. Reis, M., Paula, F., Fernandes, D. and Geus,
    P. A Hybrid IDS Architecture based on Immune
    System. Brazil, 2002.
  • 39. Borselius, N. Mobile Agent Security.
    <http://www.agent.ai/doc/upload/200402/bors02_1.pdf>
    Accessed March 2, 2007.