961 results for collaborative intrusion detection
Abstract:
We present ideas about creating a next-generation Intrusion Detection System (IDS) based on the latest immunological theories. The central challenge in computer security is determining the difference between normal and potentially harmful activity. For half a century, developers have protected their systems by coding rules that identify and block specific events. However, the nature of current and future threats, in conjunction with ever larger IT systems, urgently requires the development of automated and adaptive defensive tools. A promising solution is emerging in the form of Artificial Immune Systems (AIS): the Human Immune System (HIS) can detect and defend against harmful and previously unseen invaders, so can we not build a similar Intrusion Detection System (IDS) for our computers? Presumably, such systems would then have the same beneficial properties as the HIS, such as error tolerance, adaptation and self-monitoring. Current AIS have been successful on test systems, but the algorithms rely on self-nonself discrimination, as stipulated in classical immunology. However, immunologists are increasingly finding fault with traditional self-nonself thinking and a new 'Danger Theory' (DT) is emerging. This new theory suggests that the immune system reacts to threats based on the correlation of various (danger) signals, and it provides a method of 'grounding' the immune response, i.e. linking it directly to the attacker. Little is currently understood of the precise nature and correlation of these signals, and the theory is a topic of hot debate. It is the aim of this research to investigate this correlation and to translate the DT into the realm of computer security, thereby creating AIS that are no longer limited by self-nonself discrimination. It should be noted that we do not intend to defend this controversial theory per se, although as a deliverable this project will add to the body of knowledge in this area. Rather, we are interested in its merits for scaling up AIS applications by overcoming self-nonself discrimination problems.
Abstract:
A newly emerging paradigm of Uncertain Risk of Suspicion, Threat and Danger, observed across the field of information security, is described. Based on this paradigm, a novel approach to anomaly detection is presented. Our approach is based on a simple yet powerful analogy from the innate part of the human immune system, the Toll-Like Receptors. We argue that such receptors, incorporated as part of an anomaly detector, enhance the detector's ability to distinguish normal and anomalous behaviour. In addition, we propose that Toll-Like Receptors enable the classification of detected anomalies based on the types of attacks that cause the anomalous behaviour. Classification of this kind is either missing from the existing literature or is not fit for the purpose of reducing the burden on the administrator of an intrusion detection system. For our model to work, we propose the creation of a taxonomy of the digital Acytota, on the basis of which our receptors are created.
Abstract:
Biologically-inspired methods such as evolutionary algorithms and neural networks are proving useful in the field of information fusion. Artificial immune systems (AISs) are a biologically-inspired approach that takes inspiration from the biological immune system. Interestingly, recent research has shown how AISs that use multi-level information sources as input data can be used to build effective algorithms for real-time computer intrusion detection. This research is based on the biological information fusion mechanisms used by the human immune system and as such might be of interest to the information fusion community. The aim of this paper is to present a summary of some of the biological information fusion mechanisms seen in the human immune system, and of how these mechanisms have been implemented as AISs.
Abstract:
The premise of automated alert correlation is to accept that false alerts from a low-level intrusion detection system are inevitable and to use attack models to explain the output in an understandable way. Several algorithms exist for this purpose that use attack graphs to model the ways in which attacks can be combined. These algorithms can be classified into two broad categories: scenario-graph approaches, which create an attack model starting from a vulnerability assessment, and type-graph approaches, which rely on an abstract model of the relations between attack types. Some research into improving the efficiency of type-graph correlation has been carried out, but this research has ignored the hypothesizing of missing alerts. Our work presents a novel type-graph algorithm that unifies correlation and hypothesizing into a single operation. Our experimental results indicate that the approach is extremely efficient in the face of intensive alert streams and produces compact output graphs comparable to those of other techniques.
Abstract:
This paper presents a distributed hierarchical multi-agent architecture for detecting SQL injection attacks against databases. It uses a novel strategy, supported by a Case-Based Reasoning mechanism, which provides the classifier agents with a great capacity for learning and adaptation in facing this type of attack. The architecture combines intrusion detection strategies such as misuse detection and anomaly detection. It has been tested, and the results are presented in this paper.
Abstract:
Organizations and their environments are complex systems. Such systems are difficult to understand and predict. Nevertheless, prediction is a fundamental task for business management and for decision-making, which always involves risk. Classical prediction methods (among them linear regression, the Autoregressive Moving Average and exponential smoothing) make assumptions such as linearity and stability in order to be mathematically and computationally tractable. By various means, however, the limitations of such methods have been demonstrated. In recent decades, new prediction methods have emerged that aim to embrace the complexity of organizational systems and their environments rather than avoid it. Among them, the most promising are bio-inspired prediction methods (e.g. neural networks, genetic/evolutionary algorithms and artificial immune systems). This article aims to establish the current state of actual and potential applications of bio-inspired prediction methods in management.
Abstract:
The present study was performed to assess the interlaboratory reproducibility of the molecular detection and identification of species of Zygomycetes from formalin-fixed paraffin-embedded kidney and brain tissues obtained from experimentally infected mice. Animals were infected with one of five species (Rhizopus oryzae, Rhizopus microsporus, Lichtheimia corymbifera, Rhizomucor pusillus, and Mucor circinelloides). Samples with 1, 10, or 30 slide cuts of the tissues were prepared from each paraffin block, the sample identities were blinded for analysis, and the samples were mailed to each of seven laboratories for the assessment of sensitivity. A protocol describing the extraction method and the PCR amplification procedure was provided. The internal transcribed spacer 1 (ITS1) region was amplified by PCR with the fungal universal primers ITS1 and ITS2 and sequenced. As negative results were obtained for 93% of the tissue specimens infected by M. circinelloides, the data for this species were excluded from the analysis. Positive PCR results were obtained for 93% (52/56), 89% (50/56), and 27% (15/56) of the samples with 30, 10, and 1 slide cuts, respectively. There were minor differences, depending on the organ tissue, fungal species, and laboratory. Correct species identification was possible for 100% (30 cuts), 98% (10 cuts), and 93% (1 cut) of the cases. With the protocol used in the present study, the interlaboratory reproducibility of ITS sequencing for the identification of major Zygomycetes species from formalin-fixed paraffin-embedded tissues can reach 100%, when enough material is available.
Abstract:
To master changing performance demands, autonomous transport vehicles are deployed to make in-house material flow applications more flexible. The so-called cellular transport system consists of a multitude of small-scale transport vehicles that shall be able to form a swarm. Therefore the vehicles need to detect each other, exchange information amongst each other and sense their environment. By provision of peripherally acquired information from other transport entities, better decisions can be made in terms of navigation and collision avoidance. This paper is a contribution to the collective utilization of sensor data in the swarm of cellular transport vehicles.
Abstract:
Security intrusions in large systems are a problem because current IDS-based approaches lack scalability. This paper describes the RECLAMO project, in which an architecture for an Automated Intrusion Response System (AIRS) is being proposed. This system will infer the most appropriate response for a given attack, taking into account the attack type, context information, and the trust and reputation of the reporting IDSs. RECLAMO proposes a novel approach: diverting the attack to a specific honeynet that has been dynamically built based on the attack information. Among all the components forming the RECLAMO architecture, this paper focuses mainly on defining a trust and reputation management model, which is essential to recognize whether IDSs are exhibiting honest behavior so that their alerts can be accepted as true. Experimental results confirm that our model helps to encourage or discourage the launch of the automatic reaction process.
Abstract:
Purpose: To assess the association of prevalent bone marrow edema-like lesions (BMLs) and full-thickness cartilage loss with incident subchondral cyst-like lesions (SCs) in the knee to evaluate the bone contusion versus synovial fluid intrusion theories of SC formation. Materials and Methods: The Multicenter Osteoarthritis study is a longitudinal study of individuals who have or are at risk for knee osteoarthritis. The HIPAA-compliant protocol was approved by the institutional review boards of all participating centers, and written informed consent was obtained from all participants. Magnetic resonance images were acquired at baseline and 30-month follow-up and read semiquantitatively by using the Whole-Organ Magnetic Resonance Imaging Score system. The tibiofemoral and patellofemoral joints were subdivided into 14 subregions. BMLs and SCs were scored from 0 to 3. Cartilage morphology was scored from 0 to 6. The association of prevalent BMLs and full-thickness cartilage loss with incident SCs in the same subregion was assessed by using logistic regression with mutual adjustment for both predictors. Results: A total of 1283 knees were included. After adjustment for full-thickness cartilage loss, prevalent BMLs showed a strong and significant association with incident SCs in the same subregion, with an odds ratio of 12.9 (95% confidence interval [CI]: 8.9, 18.6). After adjustment for BMLs, prevalent full-thickness cartilage loss showed a significant but much less important association with incident SCs in the same subregion (odds ratio, 1.4; 95% CI: 1.0, 2.0). There was no apparent relationship between severity of full-thickness cartilage loss at baseline and incident SCs. Conclusion: Prevalent BMLs strongly predict incident SCs in the same subregion, even after adjustment for full-thickness cartilage loss, which supports the bone contusion theory of SC formation. (C) RSNA, 2010
Abstract:
Background: Estimates of the performance of carbohydrate deficient transferrin (CDT) and gamma glutamyltransferase (GGT) as markers of alcohol consumption have varied widely. Studies have differed in design and subject characteristics. The WHO/ISBRA Collaborative Study allows assessment and comparison of CDT, GGT, and aspartate aminotransferase (AST) as markers of drinking in a large, well-characterized, multicenter sample. Methods: A total of 1863 subjects were recruited from five countries (Australia, Brazil, Canada, Finland, and Japan). Recruitment was stratified by alcohol use, age, and sex. Demographic characteristics, alcohol consumption, and presence of ICD-10 dependence were recorded using an interview schedule based on the AUDADIS. CDT was assayed using CDTect(TM), and GGT and AST by standard methods. Statistical techniques included receiver operating characteristic (ROC) analysis. Multiple regression was used to measure the impact of factors other than alcohol on test performance. Results: CDT and GGT had comparable performance on ROC analysis, with AST performing slightly less well. CDT was a slightly but significantly better marker of high-risk consumption in men. All were more effective for detection of high-risk rather than intermediate-risk drinking. CDT and GGT levels were influenced by body mass index, sex, age, and smoking status. Conclusions: CDT was little better than GGT in detecting high- or intermediate-risk alcohol consumption in this large, multicenter, predominantly community-based sample. As the two tests are relatively independent of each other, their combination is likely to provide better performance than either test alone. Test interpretation should take account of sex, age, and body mass index.
Abstract:
As the complexity of markets and the dynamics of systems evolve, the need for interoperable systems capable of strengthening the effectiveness of enterprise communication increases. This is particularly significant for collaborative enterprise networks, like manufacturing supply chains, where several companies work, communicate, and depend on each other in order to achieve a specific goal. Once interoperability is achieved, that is, once all network parties are able to communicate with and understand each other, organisations are able to exchange information within a stable environment that follows agreed rules. However, as markets adapt to new requirements and demands, an evolutionary behaviour is triggered that gives rise to interoperability problems, thus disrupting the sustainability of interoperability and raising the need to develop monitoring activities capable of detecting and preventing unexpected behaviour. This work seeks to contribute to the development of monitoring techniques for interoperable SOA-based enterprise networks. It focuses on the automatic detection of harmonisation-breaking events during real-time communications, and strives to develop and propose a methodological approach to handle these disruptions with minimal or no human intervention, hence providing existing service-based networks with the ability to detect and promptly react to interoperability issues.
Abstract:
A collaborative exercise was carried out by the European DNA Profiling Group (EDNAP) in order to evaluate the distribution of mitochondrial DNA (mtDNA) heteroplasmy amongst the hairs of an individual who displays point heteroplasmy in blood and buccal cells. A second aim of the exercise was to study the reproducibility of mtDNA sequencing of hairs between laboratories using differing chemistries, following on from the first mtDNA reproducibility study carried out by the EDNAP group. Laboratories were asked to type 2 sections from each of 10 hairs, such that each hair was typed by at least two laboratories. Ten laboratories participated in the study, and a total of 55 hairs were typed. The results showed that the C/T point heteroplasmy observed in blood and buccal cells at position 16234 segregated differentially between hairs, such that some hairs showed only C, others only T and the remainder C/T heteroplasmy at varying ratios. Additionally, differential segregation of heteroplasmic variants was confirmed in independent extracts at position 16093 and the poly(C) tract at 302-309, whilst a complete A-G transition was confirmed at position 16129 in one hair. Heteroplasmy was observed at position 16195 on both strands of a single extract from one hair segment, but was not observed in the extracts from any other segment of the same hair. Similarly, heteroplasmy at position 16304 was observed on both strands of a single extract from one hair. Additional variants at positions 73, 249 and the HVII poly(C) region were reported by one laboratory; as these were not confirmed in independent extracts, the possibility of contamination cannot be excluded. Additionally, the electrophoresis and detection equipment used by this laboratory differed from that of the other laboratories, and the discrepancies at position 249 and the HVII poly(C) region appear to be due to reading errors that may be associated with this technology. The results, and their implications for forensic mtDNA typing, are discussed in the light of the biology of hair formation.
Abstract:
In sexual assault cases, autosomal DNA analysis of gynecological swabs is a challenge, as the presence of a large quantity of female material may prevent the detection of the male DNA. A solution to this problem is differential DNA extraction, but as there are different protocols, it was decided to test their efficiency on simulated casework samples. Four difficult samples were sent to the nine Swiss laboratories active in forensic genetics. They used their routine protocols to separate the epithelial cell fraction, enriched with the non-sperm DNA, from the sperm fraction. DNA extracts were then sent to the organizing laboratory for analysis. Estimates of the male to female DNA ratio without differential DNA extraction ranged from 1:38 to 1:339, depending on the semen used to prepare the samples. After differential DNA extraction, most of the ratios ranged from 1:12 to 9:1, allowing the detection of the male DNA. Compared to direct DNA extraction, cell separation resulted in losses of 94-98% of the male DNA. As expected, more male DNA was generally present in the sperm fraction than in the epithelial cell fraction. However, for about 30% of the samples, the reverse trend was observed. The recovery of male and female DNA was highly variable between laboratories. An experimental design similar to the one used in this study may help with local protocol testing and improvement.