965 results for Intrusion detection


Relevance: 60.00%

Abstract:

We present ideas about creating a next generation Intrusion Detection System (IDS) based on the latest immunological theories. The central challenge with computer security is determining the difference between normal and potentially harmful activity. For half a century, developers have protected their systems by coding rules that identify and block specific events. However, the nature of current and future threats in conjunction with ever larger IT systems urgently requires the development of automated and adaptive defensive tools. A promising solution is emerging in the form of Artificial Immune Systems (AIS): The Human Immune System (HIS) can detect and defend against harmful and previously unseen invaders, so can we not build a similar Intrusion Detection System (IDS) for our computers? Presumably, those systems would then have the same beneficial properties as HIS like error tolerance, adaptation and self-monitoring. Current AIS have been successful on test systems, but the algorithms rely on self-nonself discrimination, as stipulated in classical immunology. However, immunologists are increasingly finding fault with traditional self-nonself thinking and a new ‘Danger Theory’ (DT) is emerging. This new theory suggests that the immune system reacts to threats based on the correlation of various (danger) signals and it provides a method of ‘grounding’ the immune response, i.e. linking it directly to the attacker. Little is currently understood of the precise nature and correlation of these signals and the theory is a topic of hot debate. It is the aim of this research to investigate this correlation and to translate the DT into the realms of computer security, thereby creating AIS that are no longer limited by self-nonself discrimination. It should be noted that we do not intend to defend this controversial theory per se, although as a deliverable this project will add to the body of knowledge in this area. Rather we are interested in its merits for scaling up AIS applications by overcoming self-nonself discrimination problems.

Relevance: 60.00%

Abstract:

A new emerging paradigm of Uncertain Risk of Suspicion, Threat and Danger, observed across the field of information security, is described. Based on this paradigm a novel approach to anomaly detection is presented. Our approach is based on a simple yet powerful analogy from the innate part of the human immune system, the Toll-Like Receptors. We argue that such receptors incorporated as part of an anomaly detector enhance the detector’s ability to distinguish normal and anomalous behaviour. In addition we propose that Toll-Like Receptors enable the classification of detected anomalies based on the types of attacks that perpetrate the anomalous behaviour. Classification of such type is either missing in existing literature or is not fit for the purpose of reducing the burden of an administrator of an intrusion detection system. For our model to work, we propose the creation of a taxonomy of the digital Acytota, based on which our receptors are created.

Relevance: 60.00%

Abstract:

Biologically-inspired methods such as evolutionary algorithms and neural networks are proving useful in the field of information fusion. Artificial immune systems (AISs) are a biologically-inspired approach which takes inspiration from the biological immune system. Interestingly, recent research has shown how AISs which use multi-level information sources as input data can be used to build effective algorithms for realtime computer intrusion detection. This research is based on biological information fusion mechanisms used by the human immune system and as such might be of interest to the information fusion community. The aim of this paper is to present a summary of some of the biological information fusion mechanisms seen in the human immune system, and of how these mechanisms have been implemented as AISs.

Relevance: 60.00%

Abstract:

The premise of automated alert correlation is to accept that false alerts from a low level intrusion detection system are inevitable and use attack models to explain the output in an understandable way. Several algorithms exist for this purpose which use attack graphs to model the ways in which attacks can be combined. These algorithms can be classified into two broad categories, namely scenario-graph approaches, which create an attack model starting from a vulnerability assessment, and type-graph approaches, which rely on an abstract model of the relations between attack types. Some research into improving the efficiency of type-graph correlation has been carried out but this research has ignored the hypothesizing of missing alerts. Our work is to present a novel type-graph algorithm which unifies correlation and hypothesizing into a single operation. Our experimental results indicate that the approach is extremely efficient in the face of intensive alerts and produces compact output graphs comparable to other techniques.

Relevance: 60.00%

Abstract:

This paper presents a distributed hierarchical multiagent architecture for detecting SQL injection attacks against databases. It uses a novel strategy, supported by a Case-Based Reasoning mechanism, which provides the classifier agents with a great capacity for learning and adaptation to face this type of attack. The architecture combines strategies of intrusion detection systems such as misuse detection and anomaly detection. It has been tested and the results are presented in this paper.

Relevance: 60.00%

Abstract:

Organizations and their environments are complex systems. Such systems are difficult to understand and predict. Nevertheless, prediction is a fundamental task for business management and for decision making, which always involves risk. Classical prediction methods (among them linear regression, the Autoregressive Moving Average and exponential smoothing) make assumptions such as linearity and stability in order to be mathematically and computationally tractable. By various means, however, the limitations of such methods have been demonstrated. In recent decades, new prediction methods have emerged that aim to embrace the complexity of organizational systems and their environments rather than avoid it. Among them, the most promising are the bio-inspired prediction methods (e.g. neural networks, genetic/evolutionary algorithms and artificial immune systems). This article aims to establish the current state of the present and potential applications of bio-inspired prediction methods in management.

Relevance: 30.00%

Abstract:

Purpose: To assess the association of prevalent bone marrow edema-like lesions (BMLs) and full-thickness cartilage loss with incident subchondral cyst-like lesions (SCs) in the knee to evaluate the bone contusion versus synovial fluid intrusion theories of SC formation. Materials and Methods: The Multicenter Osteoarthritis study is a longitudinal study of individuals who have or are at risk for knee osteoarthritis. The HIPAA-compliant protocol was approved by the institutional review boards of all participating centers, and written informed consent was obtained from all participants. Magnetic resonance images were acquired at baseline and 30-month follow-up and read semiquantitatively by using the Whole-Organ Magnetic Resonance Imaging Score system. The tibiofemoral and patellofemoral joints were subdivided into 14 subregions. BMLs and SCs were scored from 0 to 3. Cartilage morphology was scored from 0 to 6. The association of prevalent BMLs and full-thickness cartilage loss with incident SCs in the same subregion was assessed by using logistic regression with mutual adjustment for both predictors. Results: A total of 1283 knees were included. After adjustment for full-thickness cartilage loss, prevalent BMLs showed a strong and significant association with incident SCs in the same subregion, with an odds ratio of 12.9 (95% confidence interval [CI]: 8.9, 18.6). After adjustment for BMLs, prevalent full-thickness cartilage loss showed a significant but much less important association with incident SCs in the same subregion (odds ratio, 1.4; 95% CI: 1.0, 2.0). There was no apparent relationship between severity of full-thickness cartilage loss at baseline and incident SCs. Conclusion: Prevalent BMLs strongly predict incident SCs in the same subregion, even after adjustment for full-thickness cartilage loss, which supports the bone contusion theory of SC formation. (C) RSNA, 2010

Relevance: 30.00%

Abstract:

This paper discusses our research in developing a generalized and systematic method for anomaly detection. The key ideas are to represent normal program behaviour using system call frequencies and to incorporate probabilistic techniques for classification to detect anomalies and intrusions. Using experiments on the sendmail system call data, we demonstrate that concise and accurate classifiers can be constructed to detect anomalies. An overview of the approach that we have implemented is provided.

Relevance: 30.00%

Abstract:

In recent years, radar sensor networks for localization and tracking in indoor environments have generated more and more interest, especially for anti-intrusion security systems. These networks often use Ultra Wide Band (UWB) technology, which consists of sending very short (few nanoseconds) impulse signals. This approach guarantees high resolution and accuracy and also other advantages such as low price, low power consumption and narrow-band interference (jamming) robustness. In this thesis the overall data processing (done in MATLAB environment) is discussed, starting from experimental measures from sensor devices, ending with the 2D visualization of target movements over time and focusing mainly on detection and localization algorithms. Moreover, two different scenarios and both single and multiple target tracking are analyzed.

Relevance: 20.00%

Abstract:

To assess binocular detection grating acuity using the LEA GRATINGS test to establish age-related norms in healthy infants during their first 3 months of life. In this prospective, longitudinal study of healthy infants with clear red reflex at birth, responses to gratings were measured at 1, 2, and 3 months of age using LEA gratings at a distance of 28 cm. The results were recorded as detection grating acuity values, which were arranged in frequency tables and converted to a one-octave scale for statistical analysis. For the repeated measurements, analysis of variance (ANOVA) was used to compare the detection grating acuity results between ages. A total of 133 infants were included. The binocular responses to gratings showed development toward higher mean values and spatial frequencies, ranging from 0.55 ± 0.70 cycles per degree (cpd), or 1.74 ± 0.21 logMAR, in month 1 to 3.11 ± 0.54 cpd, or 0.98 ± 0.16 logMAR, in month 3. Repeated ANOVA indicated differences among grating acuity values in the three age groups. The LEA GRATINGS test allowed assessment of detection grating acuity and its development in a cohort of healthy infants during their first 3 months of life.

Relevance: 20.00%

Abstract:

A novel capillary electrophoresis method using capacitively coupled contactless conductivity detection is proposed for the determination of the biocide tetrakis(hydroxymethyl)phosphonium sulfate. The feasibility of the electrophoretic separation of this biocide was attributed to the formation of an anionic complex between the biocide and borate ions in the background electrolyte. Evidence of this complex formation was provided by ¹¹B NMR spectroscopy. A linear relationship (R² = 0.9990) between the peak area of the complex and the biocide concentration (50-900 μmol/L) was found. The limit of detection and limit of quantification were 15.0 and 50.1 μmol/L, respectively. The proposed method was applied to the determination of tetrakis(hydroxymethyl)phosphonium sulfate in commercial formulations, and the results were in good agreement with those obtained by the standard iodometric titration method. The method was also evaluated for the analysis of tap water and cooling water samples treated with the biocide. The results of the recovery tests at three concentration levels (300, 400, and 600 μmol/L) varied from 75 to 99%, with a relative standard deviation no higher than 9%.

Relevance: 20.00%

Abstract:

Infections of the central nervous system (CNS) present a diagnostic problem for which an accurate laboratory diagnosis is essential. Invasive practices, such as cerebral biopsy, have been replaced by obtaining a polymerase chain reaction (PCR) diagnosis using cerebral spinal fluid (CSF) as a reference method. Tests on DNA extracted from plasma are noninvasive, thus avoiding all of the collateral effects and patient risks associated with CSF collection. This study aimed to determine whether plasma can replace CSF in nested PCR analysis for the detection of CNS human herpesvirus (HHV) diseases by analysing the proportion of patients whose CSF nested PCR results were positive for CNS HHV who also had the same organism identified by plasma nested PCR. In this study, CSF DNA was used as the gold standard, and nested PCR was performed on both types of samples. Fifty-two patients with symptoms of nervous system infection were submitted to CSF and blood collection. For the eight HHV, one positive DNA result (in plasma and/or CSF nested PCR) was considered an active HHV infection, whereas the occurrence of two or more HHVs in the same sample was considered a coinfection. HHV infections were positively detected in 27/52 (51.9%) of the CSF and in 32/52 (61.5%) of the plasma, difference not significant, thus nested PCR can be performed on plasma instead of CSF. In conclusion, these findings suggest that plasma is a useful material for the diagnosis of cases where there is any difficulty in performing a CSF puncture.

Relevance: 20.00%

Abstract:

The aim of this study was to develop a methodology using Raman hyperspectral imaging and chemometric methods for identification of pre- and post-blast explosive residues on banknote surfaces. The explosives studied were of military, commercial and propellant uses. After the acquisition of the hyperspectral imaging, independent component analysis (ICA) was applied to extract the pure spectra and the distribution of the corresponding image constituents. The performance of the methodology was evaluated by the explained variance and the lack of fit of the models, by comparing the ICA recovered spectra with the reference spectra using correlation coefficients and by the presence of rotational ambiguity in the ICA solutions. The methodology was applied to forensic samples to solve an automated teller machine explosion case. Independent component analysis proved to be a suitable method of resolving curves, achieving equivalent performance with the multivariate curve resolution with alternating least squares (MCR-ALS) method. At low concentrations, MCR-ALS presents some limitations, as it did not provide the correct solution. The detection limit of the methodology presented in this study was 50 μg cm⁻².

Relevance: 20.00%

Abstract:

A rapid and low cost method to determine Cr(VI) in soils based upon alkaline metal extraction at room temperature is proposed as a semi-quantitative procedure to be performed in the field. A color comparison with standards with contents of Cr(VI) in the range of 10 to 150 mg kg⁻¹ was used throughout. For the different types of soils studied, more than 75% of the fortified soluble Cr(VI) were recovered for all levels of spike tested for both the proposed and standard methods. Recoveries of 83 and 99% were obtained for the proposed and the standard methods, respectively, taking into account the analysis of a heavily contaminated soil sample.

Relevance: 20.00%

Abstract:

The fungus Metarhizium anisopliae is used on a large scale in Brazil as a microbial control agent against the sugar cane spittlebugs, Mahanarva posticata and M. fimbriolata (Hemiptera: Cercopidae). We applied strain E9 of M. anisopliae in a bioassay on soil, with field doses of conidia to determine if it can cause infection, disease and mortality in immature stages of Anastrepha fraterculus, the South American fruit fly. All the events were studied histologically and at the molecular level during the disease cycle, using a novel histological technique, light green staining, associated with light microscopy, and by PCR, using a specific DNA primer developed for M. anisopliae capable of identifying Brazilian strains like E9. The entire infection cycle, which starts by conidial adhesion to the cuticle of the host, followed by germination with or without the formation of an appressorium, penetration through the cuticle and colonisation, with development of a dimorphic phase, hyphal bodies in the hemocoel, and death of the host, lasted 96 hours under the bioassay conditions, similar to what occurs under field conditions. During the disease cycle, the propagules of the entomopathogenic fungus were detected by identifying DNA with the specific primer ITSMet: 5' TCTGAATTTTTTATAAGTAT 3' with ITS4 (5' TCCTCCGCTTATTGATATGC 3') as a reverse primer. This simple methodology permits in situ studies of the infective process, contributing to our understanding of the host-pathogen relationship and allowing monitoring of the efficacy and survival of this entomopathogenic fungus in large-scale applications in the field. It also facilitates monitoring the environmental impact of M. anisopliae on non-target insects.