Abstract

The Dendritic Cell Algorithm (DCA) is an immune-inspired algorithm, developed for the purpose of anomaly detection. The algorithm performs multi-sensor data fusion and correlation which results in a ‘context aware’ detection system. Previous applications of the DCA have included the detection of potentially malicious port scanning activity, where it has produced high rates of true positives and low rates of false positives. In this work we aim to compare the performance of the DCA and of a Self-Organizing Map (SOM) when applied to the detection of SYN port scans, through experimental analysis. A SOM is an ideal candidate for comparison as it shares similarities with the DCA in terms of the data fusion method employed. It is shown that the results of the two systems are comparable, and both produce false positives for the same processes. This shows that the DCA can produce anomaly detection results to the same standard as an established technique.

Highlights

  • The Dendritic Cell Algorithm (DCA) is an immune-inspired algorithm, which is the latest addition to a family of algorithms termed Artificial Immune Systems (AIS)

  • The results of the DCA applied to the passive normal data are presented in Figures 17-19 and in

  • The results for an antigen segment size z=100 are shown in Figure 17 and represent results generated across ten runs by the DCA on the same data set

Read more

Summary

Introduction

The Dendritic Cell Algorithm (DCA) is an immune-inspired algorithm, which is the latest addition to a family of algorithms termed Artificial Immune Systems (AIS). The danger theory suggests that the immune system responds to signals generated by the host cells (i.e. by the tissue) during cell stress, leading to the targeting of proteins present under the conditions of cell stress It is a competing immunological theory, though it is still widely debated within immunology itself. Insider attacks are one of the most costly and dangerous attacks performed against computerised systems, with a large amount of known intrusions of intrusions attributed to internal attackers [6] This type of intrusion is defined through the attacker being a legitimate user of a system who behaves in an unauthorised manner. This information can be used to steal sensitive data, to cause damage to the network or to disguise the identity of the true attacker

Objectives
Methods
Results
Discussion
Conclusion

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call

Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.