An Innate Immune System
for the Protection of Computer Networks
Anastasia Pagnoni, Andrea Visconti
Department of Computer Science and Communication – University of Milan, Italy
[email protected] [email protected]
Abstract. This paper presents design, implementation, and testing of NAIS, an artificial
immune system for the protection of computer networks. Inspired by the biological innate
immune system, NAIS consists of a collection of digital macrophages that scan the network
for dangerous non-self processes, and kill them. NAIS is based on the observation that all
significant network attacks are preceded by preparatory small-scale intrusions meant to gather
the necessary information – information on servers and operating systems, logins, weak
passwords, ill-installed or poorly maintained services, etc. This information is used to bypass
the network’s defense barriers – access controls, firewalls – and to gain access to the machine
before it is attacked. Such preparatory intrusions do not generate new processes, however the
subsequent, actual intrusion will. Such processes will be recognized as non-self by the digital
macrophages run by NAIS, and killed right away, thus defusing the attack. Telling illegal new
processes from legal ones is a difficult matter, and amounts to providing a strong definition of
non-self process. Our testing of NAIS proved our definition to be quite effective in protecting
networks of one-service computers.
1 Introduction
A number of authors [1,8] suggested biological immune systems as a new, promising
paradigm for the design of powerful computer security systems [6,4,7,5], and different very
interesting approaches have been suggested [2,7,3]. This paper suggests a different, if
complementary, approach: we suggest designing intrusion detection systems that are the
technological equivalent of the innate immune system. As we shall see, this approach helps
overcome some of the practical limitations [5,8]. Let us explain briefly.
Biological immune systems draw up several lines of defense to protect living organisms
from all kinds of potentially dangerous intruders. This defense system includes chemical and
physical barriers – skin, mucus secretions, stomach pH, etc., – the innate, or native, immune
system, and the acquired immune system. Computer networks also rely on several lines of
defense to protect them against unwanted intrusions. Firewalls can be seen as network
equivalents of the skin, as they filter external requests of access, and block all connection
attempts that violate certain criteria. Login policies correspond to physiological barriers, as
they let regular physiological users into the network, while blocking the access of outsiders.
Let us briefly summarize and compare the functioning of the innate and acquired
immune systems. The working of both systems is based on their capability to recognize
elementary components of the body that they protect as either self – i.e., endogenous and
innocuous, – or non-self – i.e., exogenous and potentially pathogenic. The innate immune
system is meant to protect the body from birth. Therefore, it attacks antigens right away, with
no necessity of previous exposure to the pathogen; every antigen is non-self to the innate
system. The acquired immune system works in a less straightforward, more complex way.
The acquired immune system recognizes a smaller variety of pathogens, but kills more of
them, because its attack response is antigen-specific. In time, with exposure to different
antigens, the acquired immune system learns to identify different pathogens, and to respond to
each of them in a specific and hence more effective way. The response of the innate system is
much quicker, though less precise than that of the acquired system. Notice that the recognition
capability of the acquired immune system is not perfect – some antigens will go
unrecognized, – while that of the innate immune system is perfect.
Every artificial immune system is based on some partition of a given set of possible
actions into two subsets: the set of self and the set of non-self actions. This requires
unambiguous definitions of self and non-self actions. A number of ground-breaking solutions
to this problem have been published [1-8]. However, practical application of the proposed
ideas has not developed that much so far, due to some unsolved problems. The
difficulties come from the necessity of providing a strong, reliable discrimination between
normal and abnormal patterns of behavior [5]. The necessity of maintaining a complete – and
therefore large – database of “good or bad actions”, that are to be used by the self/non-self
recognition algorithms, is crucial to the performance of any AIS; this is because bad behavior
patterns not stored in the database may result in unchallenged network attacks [8].
Manipulating this large database (extracting and clustering a proper training set matrix, or
searching the database itself, etc.) entails a substantial degree of slowness that is sometimes
avoided by settling for a weaker discrimination of self/non-self patterns.
In order to overcome these problems, we designed NAIS (Native Artificial Immune
System), an intrusion detection system based on the paradigm of the innate immune system.
Indeed, though less precise than the acquired one, the innate immune system is the first one to
attack any pathogen, known or unknown, that enters the body. Here the idea is not to find,
recognize, and kill specific antigens in the most effective way [8], but to find and kill any
antigen as quickly as possible. The innate immune system is the first line of defense against
antigens that succeed in entering the body in spite of its physical and chemical barriers. It is
meant to attack any antigen that enters the body immediately. NAIS models the behavior of
the innate immune system by building a number of processes that act as macrophages that
detect and immediately kill any non-self process running on a server.
The sequel of this paper is organized following the AIS-design guidelines suggested by
Leandro de Castro and Jonathan Timmis in [1]. Section 2 presents our problem description;
Section 3 discusses the immune principle applied in NAIS, and the reasons for our choices.
Section 4 presents the design and engineering of NAIS: our model of the innate immune
system, its dynamics and its metadynamics (how new macrophages are generated, and how
they die). It also explains how NAIS is actually engineered. Finally, conclusions and future
work are briefly discussed in Section 5.
2 Problem Description
Intrusion detection systems are based on some definition of a system intruder and some
algorithm for the detection of intrusive system components – in the language of AIS we say
that an IDS is based on a definition of self and non-self system components, and a capability
of recognizing both of them [5]. The problem addressed in this paper is the design,
implementation, and testing of an intrusion detection system modeled on the workings of the
innate immune system. As we shall see, this approach helps overcome some of the practical
limitations. In particular, we wanted (a) to avoid the need for a comprehensive database of
self/non-self system components, and (b) to provide for a strong, reliable discrimination
between normal and abnormal behaviors. The overall design of NAIS, the prototype IDS we
came up with, will be discussed in Section 3. In this section, we will refine our problem
description and discuss its motivation.
The goal of designing and implementing an intrusion detection system modeled on the
innate immune system is better specified and understood by focusing on a set of features that
characterize effective immune systems. These are a clear discrimination between intrusive (non-self) and regular (self) system components, the detection and elimination of infections, and
the absence of autoimmune threats to the hosting system (no risk that the immune system
attacks the system it is supposed to protect). With this specification, our problem breaks down
quite naturally into the following five simple subproblems.
The first subproblem is that of providing an unambiguous definition of self and non-self
system components in the framework of a computer network. For the innate immune system,
self-system components are innate components, that is, components that are there at birth;
everything else is held to be non-self, and will be attacked. The problem is to define what an
innate component is in the context of a running network of computers. Our solution is that of
considering innate, – meaning “self”, – all processes running on a network before it is
connected to the internet.
The second subproblem is that of modeling digital macrophages capable of detecting and
eliminating computer infections. Our macrophages are running processes that monitor the
activities of the server, and kill any non-self process.
The third subproblem is that of providing digital macrophages with the capability of
recognizing new infections. A new infection is defined as an unknown attack that exploits
some system bug, and generates at least one new running process. Any non-self process of
this kind will have to be recognized and killed by our macrophages.
The fourth subproblem is that of automatically repairing previous infections based on
system bugs.
The fifth subproblem is that of making sure that our approach does not cause autoimmune
pathologies, that is, that the macrophages do not attack and/or kill self system components.
Our solution to these problems and the engineering of its implementation are discussed in
Section 4. The next section presents a short introduction to the innate immune system, and
may be skipped by readers already familiar with it.
3 The Innate Immune System
The immune system is a multi-layered defense system that evolved to protect living
organisms from diseases. Several layers of defense interact to shelter the body from
pathogenic intruders; these layers mainly consist of physical and chemical barriers, and
specialized cells that can recognize and/or kill antigens.
The mechanical and chemical barriers provide the first line of defense in the fight against
antigens; most importantly skin, mucous secretions, and enzymes, with their changing pH and
temperature features. Bacterial colonies present on the skin surface are in general unable to
pass through the skin barrier, though a skin injury may allow the bacteria to enter the
body. In this case, as a consequence of the trauma, the cells surrounding the injured area
release a range of chemicals; this causes local blood vessel dilation. This in turn brings more
blood to the area to help the healing process. The blood released into the affected tissue
causes swelling, and signals the inflammatory cells, the phagocytes, to gather at the trauma
site. The phagocytes can recognize antigen particles and engulf them, in a process called
The second line of defense is the innate immune system. It consists of a family of cells,
collectively called phagocytes (more specifically, macrophages, neutrophils, monocytes,
basophils, etc.), which recognize, attack, engulf, and finally kill antigens. The innate, or
native, response is a non antigen-specific barrier of the immune system, meant to fight against
any infection without the need of previous immunization. Its response consists in actions of
two different types: rapid action, which lasts from four minutes to four hours, performed by
macrophages, and medium-to-slow action, performed either via inflammation, or by natural
killer (NK) cells.
Macrophages play a key role in the destruction of microorganisms. They are a type of
white blood cell that behaves like a patrol cell, as it engulfs and kills foreign infectious
invaders. Macrophages are activated during the innate response by their receptors, and during
the adaptive response by the immunoglobulin. Macrophage activation is triggered by the
liberation of several kinds of cytokines, and produces a further secretion of cytokines, which
in turn induces more inflammation in the second phase of the innate response.
NK cells appear in larger quantities in young mammals, and diminish, as the animal gets
older. This means that the role of NK cells is akin to that of the innate immune response
mechanisms, and not triggered by a specific antigenic stimulation. NK cells are immediately
activated against cells infected by any antigen. The size of NK cells is not always the same.
We can see small or medium sized NK cells without granules, as in pigs, and large and
granulated NKs, as in humans.
Macrophages and stimulated natural killer cells produce different cytokines that induce
local inflammation and other general effects, such as the elevation of body temperature. These
actions attract immune cells to the affected area. When the innate immune system fails, an
infection is established, and an acquired immunity starts to develop. The acquired immune
response is based on a complex learning process, that lets the immune system adaptively
acquire ever better immunity during its lifetime.
When it comes to artificial immune systems, the definition of a non-self system
component is at the heart of every model, and must be formulated in a way that makes telling
intrusive system components (system calls, programs, data files, etc.) from legitimate ones
reasonably easy. Without the capability of making this distinction there is no intrusion
detection. In the language of immune systems, we call intrusive system components non-self,
and legitimate system components self. This crucial problem has been addressed, and solved
in a number of very ingenious ways by researchers working in the field of AIS [6,5,8,7]. For
the innate immune system, however, this distinction is readily made: self components are
components that are there at birth.
4 Design and Engineering of NAIS
The design and engineering of NAIS (Native Artificial Immune System) is based on the
following observations. In the first place, many years of monitoring intrusion techniques and
studying effective countermeasures convinced us that most network intrusions take place
while server administrators are not connected to the server, and cannot control the running
processes. This situation offers attackers the best chances of success. In the second place,
more and more often LAN administrators try to protect their networks from some of the
damage caused by intrusions by running different services on different machines. A machine
is used as a web server, a second one as an e-mail server, a third as a ftp server, and so on. By
distributing essential services over a cluster of computers, a network administrator achieves
two significant advantages. First, the LAN becomes more secure, because if one of the servers
comes under attack, the remaining machines will be unaffected, and the services on them will
still be running. Secondly, the workload can be distributed more evenly over the network. We
conceived NAIS with this kind of architecture in mind.
NAIS consists of a collection of processes that run on a server and act as digital
macrophages. If network services are distributed over several machines, every server machine
will have its own service-specific macrophages.
NAIS must be initialized through a training phase. This procedure is necessary to identify
the system components to be considered innate. This is done by analyzing the list of the
processes running on the web server at “birth”, that is, before the server is connected to the
internet. During the training phase we surf our site, while the immune system compiles an
exhaustive list of actually running processes; all of them are recognized as innate, i.e., defined
as “self”. This list contains two kinds of processes: (a) system processes (like init, mingetty,
etc.), and (b) web surfing processes (basic web surfing processes like apache, and mysql).
A regular user who tries to surf a site will always generate new processes, but these will
only be “known” apache, or mysql processes belonging to list (b) of self web surfing
processes. Hence, the immune system will recognize these processes as self, and leave them
On the contrary, an intruder who tries to exploit system bugs to enter the network will
want to try to open a shell, or compile a program, install a new server, create a new user, etc.
In order to achieve such goals, s/he will inevitably have to generate some new processes. The
digital macrophages of NAIS will immediately recognize such new processes as non-self,
because they will neither appear on list (a) of self system processes, nor on list (b) of site
surfing processes. In fact, such processes will compile source code, or install programs, clean
system logs, and so on. For this reason, NAIS will also deny apache and mysql processes any
kind of operation but web surfing. Macrophages will kill non-self processes right away.
After the training phase is completed, and the server is connected to the internet,
macrophages will keep polling the list of active server processes in search of potential
intruders. Notice that potential intruders trying to take advantage of system bugs to enter the
network will necessarily generate new, and hence non-innate, processes. Macrophages will
immediately recognize such new processes as non-self, and kill them right away. This
response to any kind of intruder does not address specific system bugs directly. It is a first,
generalized defense reaction of the system against intruders of any kind. Of course,
macrophages will recognize new processes as self if they are web surfing processes of the
same, innocuous, kind as the processes generated during the training phase.
This method has the advantage of effectively blocking never-encountered infections – exploits
based on new server bugs or new attack methods. NAIS will counter all new infections right
away, and block them quite effectively.
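The training and polling logic described above, written out as an added example (this is not NAIS's own code; process names, pids and the two snapshots are constructed). It encodes both rules the text gives: a process is non-self if its name was not seen at "birth", and an apache/mysql descendant is non-self unless it is itself an apache/mysql process.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    comm: str  # executable name, as /proc/<pid>/comm would report it


# Constructed snapshot of a one-service web server "at birth", i.e. before it
# is connected to the internet. It mixes list (a), system processes, with
# list (b), web surfing processes (apache as httpd, mysql as mysqld).
BIRTH_SNAPSHOT = (
    Proc(1, 0, "init"),
    Proc(812, 1, "mingetty"),
    Proc(840, 1, "sh"),        # a boot-time shell script still running at birth
    Proc(900, 1, "httpd"),     # apache parent
    Proc(901, 900, "httpd"),   # apache worker
    Proc(950, 1, "mysqld"),
)

# Services that are denied every kind of operation but web surfing.
SURF_SERVICES = frozenset({"httpd", "mysqld"})


def train(snapshot):
    """Training phase: every process name present at birth is innate (self)."""
    return frozenset(p.comm for p in snapshot)


def non_self(snapshot, self_names, surf_services=SURF_SERVICES):
    """One macrophage poll: return the processes a macrophage would kill."""
    by_pid = {p.pid: p for p in snapshot}

    def surf_ancestor(p):
        # Walk up the parent chain (guarded against cycles in bad input).
        seen = set()
        while p.ppid in by_pid and p.ppid not in seen:
            seen.add(p.ppid)
            p = by_pid[p.ppid]
            if p.comm in surf_services:
                return True
        return False

    flagged = []
    for p in snapshot:
        if p.comm not in self_names:            # rule 1: never seen at birth
            flagged.append(p)
        elif p.comm not in surf_services and surf_ancestor(p):
            flagged.append(p)                   # rule 2: apache/mysql child doing non-web work
    return flagged


# Constructed snapshot after going online: a new worker for a regular visitor
# (self), a shell spawned through a web server process (non-self by rule 2,
# even though "sh" was seen at birth) and a compiler started from that shell
# (non-self by rule 1).
ONLINE_SNAPSHOT = BIRTH_SNAPSHOT + (
    Proc(1201, 900, "httpd"),
    Proc(1300, 901, "sh"),
    Proc(1301, 1300, "gcc"),
)


def scan():
    """Pids a macrophage would kill on the online snapshot."""
    return [p.pid for p in non_self(ONLINE_SNAPSHOT, train(BIRTH_SNAPSHOT))]
```

On a live system the two snapshots would come from `/proc` and the flagged pids would be passed to a kill routine; here `scan()` returns `[1300, 1301]`.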
The number of macrophages running on a machine is not constant, but varies between a
lower and an upper threshold; both of them are established experimentally. Between these
boundaries, the number of macrophages may be increased by the immune system itself, either
to replace macrophages killed by intruders, or simply to improve the performance of NAIS. If
the number of macrophages decreases under the lower threshold, new macrophages will be
automatically created. The upper threshold makes sure that an overwhelming number of
running macrophages does not affect the performance of NAIS negatively. Both thresholds
have to be optimized experimentally because they depend on the hardware features and the
workload of the server.
NAIS has been developed as a Linux-based intrusion-detection system for a LAN
running different services on different machines. Presently, NAIS is executed on two server
machines, on which we previously installed a web server (apache) and an ftp server (vsftp).
Intensive testing is still underway, but excellent intrusion detection performance has already
been established.
NAIS has been tested on a PIII server with 1 GB RAM, running Apache 1.3.31 and 1.3.27
under Linux Red Hat 7.1. On a machine of this type the number of running macrophages was
always between 15 and 50. Two kinds of tests have been performed to this day:
a. tests generating new processes: opening shells, creation of new users with root
b. tests that do not generate new processes: weak password lookups, sniffing information
on legitimate users of the tested computer.
NAIS does not block attacks that do not execute processes on the attacked computer –
such as port scanning, weak passwords lookups, DoS attacks. An intruder will still be able to
gather information on the system, and access the machine via its bugs, but this will result in
no harm, because NAIS will block the execution of any subsequent illegitimate operation.
5 Conclusions
NAIS is an intrusion detection system based on the idea of providing computer networks with
the technological equivalent of an innate immune system. NAIS works on machines on which
either a web server or a ftp server has been installed. Though still at a preliminary stage,
NAIS provides a completely reliable discrimination between normal and abnormal processes.
It is able to detect and protect servers against new and unknown attacks, and is quite effective
in denying foreign processes access to the server.
NAIS is not meant to replace firewalls, and will therefore not block attacks that do not
execute processes, such as port scanning or DoS attacks. An intruder will still be able to
gather information on the system, and access the machine via its bugs, but this will result in
no harm, because NAIS will block the execution of any subsequent illegal operation.
Future work will be devoted to extending NAIS to different services: telnet, ssh and possibly
others. This requires solving the problem of finding a strong definition of self and non-self
processes in the specific context of these services. This is no easy task because for these
services the a-priori behavior of each user is unknown. Moreover, making a comprehensive
list of self processes during the training phase is not possible.
We are pleased to thank José Bidot and his research group at Segurmática, La Habana, Cuba,
for the fruitful and pleasant discussions with them, and their useful suggestions.
