Applying Similarities Between Immune Systems And Mobile Agent Systems In Intrusion Detection

Nearly all present-day commercial intrusion detection systems are based on a hierarchical architecture. Nodes at the bottom of the hierarchy collect information, which is passed to higher nodes in the hierarchy until the root node is reached. The root node is a command and control system that evaluates attack signatures and issues responses. Many single points of failure exist in an intrusion detection system (IDS) based on a hierarchical architecture that does not have redundant communication lines and the capability to dynamically reconfigure relationships in the case of failure of key components. For example, an attacker can cut off a control branch of the IDS by attacking an internal node or even interrupt the operation of the entire system by taking out the root command and control node. To solve this problem, we propose an IDS inspired by the human immune system. The architecture of the proposed IDS has no aggregation nodes or a root node that evaluates attack signatures. Instead, the function of attack signature evaluation is divided and placed within mobile agents. The mobile agents act similarly to white blood cells of the immune system and travel from host to host in the network to detect any intrusions. As in the immune system, intrusions are detected by distinguishing between "self" and "non-self", or normal and abnormal process behaviour respectively. The IDS can remain operational even when most of its components have been disabled because the agents that remain in the network can still carry out their task as they do not need to communicate with their home platform. Furthermore, because mobile agents are not static and their number can vary, the whole IDS is more difficult to disable than an IDS based only on static components.