Abstract

The Dendritic Cell Algorithm (DCA) is an immune-inspired algorithm, developed for the purpose of anomaly detection. The algorithm performs multi-sensor data fusion and correlation which results in a ‘context aware’ detection system. Previous applications of the DCA have included the detection of potentially malicious port scanning activity, where it has produced high rates of true positives and low rates of false positives. In this work we aim to compare the performance of the DCA and of a Self-Organizing Map (SOM) when applied to the detection of SYN port scans, through experimental analysis. A SOM is an ideal candidate for comparison as it shares similarities with the DCA in terms of the data fusion method employed. It is shown that the results of the two systems are comparable, and both produce false positives for the same processes. This shows that the DCA can produce anomaly detection results to the same standard as an established technique.

Highlights

  • The Dendritic Cell Algorithm (DCA) is an immune-inspired algorithm, which is the latest addition to a family of algorithms termed Artificial Immune Systems (AIS)

  • The results of the DCA applied to the passive normal data are presented in Figures 17-19 and in

  • The results for an antigen segment size z=100 are shown in Figure 17 and represent results generated across ten runs by the DCA on the same data set


Summary

Introduction

The Dendritic Cell Algorithm (DCA) is an immune-inspired algorithm, which is the latest addition to a family of algorithms termed Artificial Immune Systems (AIS). The danger theory suggests that the immune system responds to signals generated by the host cells (i.e. by the tissue) during cell stress, leading to the targeting of proteins present under the conditions of cell stress. It is a competing immunological theory, and it is still widely debated within immunology itself. Insider attacks are among the most costly and dangerous attacks performed against computerised systems, with a large proportion of known intrusions attributed to internal attackers [6]. This type of intrusion is defined by the attacker being a legitimate user of the system who behaves in an unauthorised manner. This information can be used to steal sensitive data, to cause damage to the network or to disguise the identity of the true attacker.
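As an added illustration (not code from the paper), the following is a simplified DCA-style fusion after the algorithm's published description: PAMP, danger and safe signals are weighted into CSM, semi-mature and mature outputs, a cell presents the antigen (process names) it has collected once its CSM crosses a migration threshold, and the MCAV of each antigen is the fraction of its presentations made in the mature context. The weights, thresholds, process names and signal values are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Signal-to-output weights in the style of the published DCA: rows are the
# CSM, semi-mature and mature outputs; columns are PAMP, danger and safe.
# These numbers are assumptions chosen for illustration, not the paper's.
WEIGHTS = {"csm": (2.0, 1.0, 2.0), "semi": (0.0, 0.0, 1.0), "mat": (2.0, 1.0, -2.0)}


@dataclass
class DendriticCell:
    threshold: float                 # migration threshold on accumulated CSM
    csm: float = 0.0
    semi: float = 0.0
    mat: float = 0.0
    antigen: List[str] = field(default_factory=list)

    def expose(self, pamp: float, danger: float, safe: float, antigen: List[str]) -> None:
        """Fuse one time step of signals into the three outputs and collect antigen."""
        for name, (wp, wd, ws) in WEIGHTS.items():
            setattr(self, name, getattr(self, name) + wp * pamp + wd * danger + ws * safe)
        self.antigen.extend(antigen)


def run_dca(steps, thresholds=(10.0, 20.0, 40.0)) -> Dict[str, float]:
    """steps: per time step (pamp, danger, safe, antigen seen in that step).
    Returns the MCAV of each antigen: the fraction of its presentations made
    by cells that migrated in the mature (anomalous) context."""
    total: Dict[str, int] = {}
    mature: Dict[str, int] = {}
    cells = [DendriticCell(t) for t in thresholds]   # different lifespans
    for pamp, danger, safe, antigen in steps:
        for i, cell in enumerate(cells):
            cell.expose(pamp, danger, safe, antigen)
            if cell.csm < cell.threshold:
                continue                             # cell keeps sampling
            is_mature = cell.mat > cell.semi          # context at migration
            for a in cell.antigen:
                total[a] = total.get(a, 0) + 1
                mature[a] = mature.get(a, 0) + int(is_mature)
            cells[i] = DendriticCell(cell.threshold)  # replace migrated cell
    return {a: mature[a] / total[a] for a in total}


# Constructed sample: 4 quiet steps, then 4 steps of SYN-scan-like activity.
# PAMP ~ SYN rate, danger ~ outbound packet rate, safe ~ inverse of load.
QUIET = (0.0, 0.5, 3.0, ["sshd"])
SCAN = (4.0, 3.0, 0.0, ["scanner", "sshd"])
SAMPLE_STEPS = [QUIET] * 4 + [SCAN] * 4

if __name__ == "__main__":
    for proc, mcav in run_dca(SAMPLE_STEPS).items():
        print(f"{proc}: MCAV={mcav:.2f}")
```

On this sample the scanning process ends with MCAV 0.8 while the benign process that stays active during the scan is raised to about 0.36, which is the mechanism by which a benign process coincident with the anomaly draws a false positive.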

