www.elsevier.com/locate/parco

Parallel Computing 30 (2004) 629–646

An artificial immune based intrusiondetection model for computerand telecommunication systems

Azzedine Boukerche a,*, Kathia Regina Lemos Juc�a b,Jo~ao Bosco Sobral b, Mirela Sechi Moretti Annoni Notare c

a Ottawa University, 800 King Edwards Avenue, Ottawa, ONT, Canada K1N-6N5b Federal University of Santa Catarina, P.O. Box 476, Florian�opolis, Brazilc Barddal University, Avenue Madre Benvenuta 416, Florian�opolis, Brazil

Received 10 November 2002; accepted 15 January 2004

Available online 19 May 2004

Abstract

Recent years have seen a growing interest in computational methods based upon natural

phenomena with biologically inspired techniques, such as cellular automata, immune human

systems, neural networks, DNA and molecular computing. Some of these techniques are clas-

sified under the realm of a general paradigm, called bio-computing. In this paper, we propose a

security system for fraud detection of intruders and improper use of both computer system

and mobile telecommunication operations. Our technique is based upon data analysis inspired

by the natural immune human system. We show how immune metaphors can be used effi-

ciently to tackle this challenging problem. We also describe how our scheme extracts salient

features of the immune human system and maps them within a software package designed

to identify security violations of a computer system and unusual activities according to the

usage log files. Our results indicate that our system shows a significant size reduction of the

logs file (i.e., registration of each log activity), and thereby the size of the report maintained

by the computer system manager. This might help the system manager to monitor and

observe unusual activities on the machine hosts more efficiently, as they happen, and can

*Corresponding author.

E-mail addresses: boukerch@site.uottawa.ca (A. Boukerche), kathia@npd.ufsc.br (K.R.L. Juc�a),

bosco@inf.ufsc.br (J.B. Sobral), mirela@barddal.br (M.S.M.A. Notare).

URLs: http://www.uottawa.ca/~boukerch, http://www.kathia.ger.ufsc.br, http://www.inf.ufsc.br/~bo-

sco, http://www.inf.barddal.br/~mirela.

0167-8191/$ - see front matter � 2004 Published by Elsevier B.V.doi:10.1016/j.parco.2003.12.008

630 A. Boukerche et al. / Parallel Computing 30 (2004) 629–646

act accordingly before it is too late. Last but not least, we propose an intrusion and fraud

detection model based upon immune human analogy for mobile phone operations. We discuss

our model and present its specification using the Z Language.

� 2004 Published by Elsevier B.V.

Keywords: Nature inspired solution; Human immune systems; Intrusion detection

1. Introduction

This paper is motivated by the needs in the continuous changing computer and

telecommunication industries, and the accelerated growth of malicious intruders

and computer viruses, among others fraudulent activities [4,5,15]. Even the mostmodern computer and telecommunication systems have security problems. Most

applications and operational systems are overwhelmed by security failures at differ-

ent levels. If there are no verification and monitoring procedures in the com-

putational system, then security services (e.g., access control, firewalls and

cryptography) become ineffective. Security policies define requisites and use rules

predetermined by the computational and departmental services. An intrusion can be

defined as a group of actions which endanger integrity, confidentiality and/or avail-

ability of a provided resource. Computer viruses are the first form of artificial life tohave an impact on modern society. The rate at which new viruses are being written is

high and increasing due to global connectivity. We propose a security approach for

intrusion detection from computer viruses on computer system operations. It acts so-

lely upon the usage logs and the registration activities of the mail messages. Our tech-

nique is based upon data analysis inspired by the human natural immune system.

This paper shows how immune metaphors can be used efficiently to tackle this chal-

lenging problem. We also describe how our scheme extracts salient features of the

human immune system and maps them within a software package designed to iden-tify misuse activities according to the usage log files. We also show how to extend our

system to deal with the fraud detection problem for mobile phone operations [4,5].

The field of mobile and wireless networking is reemerging amid unprecedented

growth in the scale and diversity of computer networking. However, further in-

creases in network security are necessary before the promise of mobile communica-

tion can be fulfilled. Thus, our fraud detection model might prove to be quite useful

to the telecom industries that are facing a huge margin of profit losses due to the

cloning and subscription frauds.The remainder of the paper is organized as follows. In Sections 2 and 3, we pres-

ent the basic background on the human and the correlation between the immune sys-

tems and the computer security system, respectively. In Section 4, we present our

Artificial Immune System. Section 5 reports the experimental results we obtained.

In Section 6, we present a novel artificial immune fraud detection model based upon

a Z-language [21] for mobile telecommunication systems. In Section 7, we present

our conclusion and future work.

A. Boukerche et al. / Parallel Computing 30 (2004) 629–646 631

2. Background on immunology

The immune system [1,6,9,10,12] is a complex network of organs and cells respon-

sible for the organism’s defense against alien particles. One of the main features of

the immune system is its capacity to distinguish between self and non-self genes.Every cell of the organism possesses molecules in its structure, which are character-

ized as self genes. On the other hand, the molecules that constitute alien organisms

are characterized as non-self genes.

2.1. Immune system anatomy

The organs that compose the immune system [14,16,17,22] are stationed through-

out the body. These organs are refered to as lymphoid organs, because they are con-cerned with the growth, development, and deployment of lymphocytes.

• Lymphocytes––the lymphocytes are small white cells. Their responsibility lies in

specifying activities to the immune system. The two major classes of lymphocytes

are: B-cells, T-cells.

• Antibodies––antibodies can be classified under a large family of molecules known

as immunoglobulins. They are described as follows:

IgG––the largest immunoglobulin in the blood, working effectively againstmicroorganisms;

IgM––usually possess a star-shaped surface. It is very effective against bacteria;

IgA––found in body fluids. It has the responsibility for the defense of the

body’s entrances;

IgE––normally appear in small concentrations, involved mainly in defense

against parasites;

IgD––found almost exclusively in B-cell membranes, which regulate the activa-

tion of the cells.• Natural and acquired immunity––when an organism is exposed to a disease, B-cells

and T-cells are activated and some of them are able to retain a memory of the dis-

ease. When the organism faces the same antigen in another circumstance, the im-

mune system will recognize it and will quickly destroy it. Babies have a passive

natural immunity though being protected in their first months by antibodies re-

ceived from the mother. The IgG antibody, which moves through the placenta,

makes them immune to microbes to which the mother is immune. Also, children

receive IgA antibodies from breast milk.

2.2. Immune system properties

The immune system has four main properties: detection, diversity, learning and

tolerance.

• Detection––detection (or recognition)of chemicalcomponentsbetweenpathogenfrag-

ments and receptors on the surface of the lymphocyte occurs in an immune system.

632 A. Boukerche et al. / Parallel Computing 30 (2004) 629–646

• Diversity––detection in the immune system is related to non-self elements of the

organism, thus, the immune system must have diverse receptors to ensure that

at least some of lymphocytes will react to the pathogenic element. The solution

adopted by the body relies on a dynamic protection via a continuous renewal

of lymphocytes.• Learning––the immune system must be capable of detecting as quickly as possible

the pathogen and eliminating it. It includes a principle which allows lymphocytes

to learn and adapt themselves to specific foreign protein structures, and to

‘‘remember’’ these structures as soon as possible when needed. These principles

are implemented by the B-cells.

• Tolerance––the molecules that mark a cell as a self gene are contained in the

chromosome sections also known as Major Histocompatibility Complex (MHC).

2.3. Computer security and immune system––a correlation

There is a strong correlation between the immune system and computer security

system. The immune system protects the body from pathogen elements in the same

way the computer security system protects the computer from malicious users.

The security policy used by the immune system is specified mainly by a natural

selection phenomenon, and only a few aspects of security computations are of great

importance, such as: (1) disposability: this aspect allows the body to continue work-ing even under attack of a pathogen; (2) correction: to prevent the immune system

from attacking the body cells; (3) integrity: this is a way to guarantee that the genetic

codes present in the cells will not be corrupted by any pathogen; (4) accountability:

these are the means adopted by the immune system to identify, find and destroy

the pathological agents.

As we can see, both immune and computer security systems share common secu-

rity concerns. They both intend to protect their corresponding system against attacks

and intrusions that violate the (established) security policy. See Table 1.

2.4. Intrusion detection

An intrusion can be defined as ‘‘an act of a person of proxy attempting to break

into or misuse a system in violation of an established policy’’ [12,13]. Intrusion can be

classified as: (i) misuse intrusions, i.e., well defined attacks against known system vul-

nerabilities; and (ii) anomaly intrusions, i.e., activities based on deviation from nor-

mal system usage patterns. Intrusion detection systems (IDS) are one of the latestsecurity tools in the battle against these attacks [3,10].

3. Operational environment

Earlier intrusion detection systems (IDS) focused on the log registration analysis,

which is produced by the operational system and other applications, as cited in

[12,13]. The UNIX operating system uses syslog to generate, store and register its

Table 1

Immune system protection

Human immune system Artificial immune system

Integrity This is a way to guarantee that the

genetic codes, present in the cells, will

not be corrupted by any pathogen

Data has to be protected from

intentional or accidental corruption

Availability This aspect allows the body to continue

working even under attack of a pathogen

Information, such as the computer,

must be accessible when necessary

and as desired

Correction This mechanism prevents the immune

system against attacks of the (body)

cells

False alarms from an incorrect classifi-

cation of computational events must be

minimized

Accountability These are means adopted by the immune

system to identify, find and destroy the

pathological agents

The security system must be configured

to preserve sufficient information from

the intrusion that can be permitted to

trace the origin of the attack

Confidentiality These are no concepts of secret data

or confidential information

Data access must only be allowed to

authorized users

A. Boukerche et al. / Parallel Computing 30 (2004) 629–646 633

activities [7]. In order to monitor the execution of a program, we chose to analyze

the log registry originating from the execution of the program. Presently, we will

adopt a variation from the architecture presented by [19].

In the artificial immune systems, we consider that each mail message in a host cor-

responds to a cell. At a given time, it is possible to have many different mail messages

in one host. Thus, we say that the host is observed as a multi-cellular organism. Inthis host, there is a process that acts as a lymphocyte in the recognition mail mes-

sages, like non-self elements. The acquired immune system is implemented by a mail

scanner that acts as lymphocyte and by the virus definition files that are considered

as vaccines. In the same manner as the human body, when a mail message in the

artificial organism has its function changed, the organism is identified as ill.

4. Artificial immune system

4.1. Anomaly based approach

Similar to the human system, the computational immune system is divided into

innate and acquired immune systems. The innate computational immune system is

a component from UNIX’s root file-system, much like the file permission and access

modes to archives that are established during the system installation. Adopting an

immune analogy, these security mechanisms are IgG antibodies. Just after the oper-ating system is installed, it can be compared to a newborn child, which possesses a

weak immune system. The operating system responds only to the violations and

weaknesses that the software designers were aware of during the period of release

of that software version. By analogy, we can consider the corrections in a given ver-

sion of the operating system as those represented by the release as IgA antibodies.

634 A. Boukerche et al. / Parallel Computing 30 (2004) 629–646

Passive immunity in modern computational systems lasts for only a few hours, un-

like the human immune system that protects the newborn for a few months. For this

reason it is necessary that the computational and operating system receive a comple-

mentary immunization just after its installation. Complementary immunization such

as installation of complementary security and software services and patches can bemade by the administrator. With a complementary immunization, the artificial

organism begins the assembly of the acquired immune system. The degree and dura-

tion of immunity in a computational system will depend on certain items that char-

acterize the security.

The approaches adopted to restrict the access to some services were shifted to use

the following tools: TCP WRAPPER [13], responsible for filtering the access to the

programs, provides the same function as immunoglobulins. The antibody IgA is

responsible for patrolling the entrances of the organism. The entrances of the organ-ism are represented by TCP and UDP ports, which are used by the services offered by

the host.

The largest property of the human immune system is the capacity to distinguish

the self-elements from the non-self ones. Each cell of the human body contains

MHC chromosomes, which identify them to the immune system as self. These char-

acteristics are provided to the computational and immune system via the LogCheck

[18], software that plays a similar role to that of the T-cells. The LogCheck software

filters the registrations of the activities within a host, and generates reports to theadministrator of the logs of the activities.

The distinction between an activity that corresponds to self activity (or element)

and one that is non-self is based upon the following four files [18]:

logcheck.hacking––this file is composed of keywords that characterize anMHC antigen class I, and its occurrence unchains the immune answering system.

logcheck.violations––this file contains keywords that characterize anMHC antigen class II, and the code portion exposes antigen.logcheck.violations.ignore––in this file they recognize keywords thatare the opposite of the existing words in the file logcheck.violations

logcheck.ignore––this file contains keywords which do not represent a viola-tion of the host’s safety (see Table 2).

4.2. Misuse based approach

The computational immune system is divided in the same way as the human im-mune system: innate and acquired immune systems. The innate computational im-

mune system is a component from UNIX’s root filesystem, much like the file

permission and access modes to archives that are established during the system

installation. Adopting an immune analogy, these security mechanisms are IgG anti-

bodies.Just after the operating system is installed, it can be compared to a newborn

child, which possesses a weak immune system. The operating system responds only

to the violations and weaknesses that the software designers were aware in the period

of release of that version. By analogy, we can consider the corrections in a given ver-

Table 2

Innate and acquired immune system

Human immune system Artificial immune system

Innate

immunity

When an organism is exposed to an infec-

tion then B-cells and T-cells are activated

When a computer exposed to an anomaly

then alarms are sent to the administrator,

and some keywords are memorized for

further recognition

And some of these cells are able to

memorize (recognize and quickly destroy

it further)

Antibody IgG––from the mother

placenta––against microbes from which

the mother is immune

Basic security characteristics of operating

system (file permissions, access control);

respond only for what the designers were

aware it the version

Antibody IgA––from the mother milk––

responsible to defend the body entrances

Defend the TCP ports of the servers

Acquired

immunity

Vaccine ( dead microbes, modified

microbes; live viruses that were

attenuated)

Installation of complementary security

services, patches to repair bugs, remove

services dangerous for the security

(e.g., change telnet to SSH)

A. Boukerche et al. / Parallel Computing 30 (2004) 629–646 635

sion of the operating system to be represented by the release of IgA antibodies. Pas-

sive immunity in modern computational systems lasts for only a few hours, unlike

the human immune system that protects the newborn for a few months. For this rea-

son it is necessary that the computational system receives a complementary immuni-

zation just after its installation. The administrator makes the complementary

immunization in the following way: installation of complementary security and soft-

ware services. With a complementary immunization, the artificial organism begins

the assembly of an acquired immune system. The degree and duration of immunityin a computational system will depend on certain items that characterize the security

of the host and of the network in which the host is connected (e.g., UNIX server that

serves Windows workstations via a POP3 service may receive mails with infected files

attached to these emails) [13].

The largest property of the human immune system is the capacity to distinguish

the elements self from the elements non-self. Each cell of the human body contains

the chromosome MHC, which identifies it to the immune system as self. These char-

acteristics are provided to the computational immune system via signature viruses, asoftware that plays a similar role to the pathogen. The software AMaViS[2] scans the

incoming mail messages within a host and generates reports to the administrator of

the logs of the infected emails.

5. Experimental results

5.1. Anomaly based approach

In our implementation, the software LogCheck [18] was installed in two hosts with

different operating systems and registration services, using the Federal University of

636 A. Boukerche et al. / Parallel Computing 30 (2004) 629–646

Santa Catarina’s local network at federal University of Santa Catarina. The chosen

hosts were the servers of two different departments: in Physical andMathematical Sci-

ences Center (CFM) at the Communication and Expression Center (CCE). The hosts

possess the following characteristics: the server of CFM is Sun with the Solaris OS.

The machine server of CCE is a PowerPC IBM, using theAIX operating system. Bothservers provide the following services: DNS, SMTP, POP3, FTP.

The activities in these servers were monitored for five consecutive months, and the

operational ambient didn’t suffer any interference in the characteristics of its basic

activities. Thus, the registrations can be considered trustworthy because they reflect

a normal situation. The amount of information contained in this group is quite large,

thereby making its analysis very difficult.

In Fig. 1, we present the results we have obtained for the CFM server. As we

can see, our results indicate that our system helps to reduce significantly the numberof registration activities. In Fig. 2, we portray the results we have obtained for CCE

center. As we can see, a significant reduction of the number of registration is

obtained.

We can observe in Fig. 2, that we obtained about a 66% reduction during the

month of June for instance. In both monitored servers, CFM and CCE, a significant

reduction in the number of user registrations during the five months of our experi-

ments has been obtained. This will have a profound impact in reducing the size of

the reports that can be used to detect malicious intruders, thereby speeding up thedetection of such intrusions. However, during the period when we monitor the

CCE system and collect the registration information, we have obtained only the re-

ports that correspond to the violations of safety and unusual events. The registra-

tions belonging to this group also belong to the activities group of type non-self.

The administrator shall receive a notification, in the form of an email, with the report

of the activities of type non-self genes, thereby minimizing his security management

work (i.e., intrusion detection). During the period of monitoring and user activity

registrations collection, only the security violations and unusual events weredetected. The data are represented in Figs. 3 and 4.

0

5000

10000

15000

20000

25000

30000

march april may june july

month

Rec

ord

Num

ber

Total Report

Total Record

Fig. 1. Reduction of the number of registers in the CFM server.

CCE

020000400006000080000

100000120000

march april may june july

month

Rec

ord

Num

ber

Total Record Total Report

Fig. 2. Reduction of the number of registers in the CCE server.

0

5000

10000

15000

20000

25000

march april may june july

reco

rd n

umbe

r

security violation

security events

Fig. 3. Security violations and unusual events––CFM.

0

2000

4000

6000

8000

10000

12000

14000

16000

march april may june july

reco

rd n

umbe

r

security violation

security events

Fig. 4. Security violations and unusual events––CCE.

A. Boukerche et al. / Parallel Computing 30 (2004) 629–646 637

They show the security violations and the unusual events that have occurred for

both CFM and CCE machines and during the period March to July. Our results

indicate clearly that it is possible to monitor and observe the hosts’ activities in an

efficient and less costly way.

638 A. Boukerche et al. / Parallel Computing 30 (2004) 629–646

5.2. Misuse based approach

In our implementation, the software AmaViS[2] in combination with H+BEDV

AntiVir [11] was installed in one host with Linux operating systems and registration

services. The selected host was the server of the Center of Biological Sciences (CCB).Servers provide the following services: DNS, SMTP, POP3, FTP.

The activities in this server were monitored for 132 days, and the operational

ambient did not suffer any interference in the characteristics of its basic activities.

Thus, the registrations can be considered trustworthy, because they reflect a normal

situation. In Fig. 5, we present the results we have obtained for the CCB server, the

number of detected viruses (non-self elements) is portrayed in the right columns and

the total number of clean messages (self elements) is in the left columns.

Fig. 6 shows the incident number. This event was divided into virus types, whichfirst showed the worm Klez.E, second Tettona, third W32.Sircam.C, fourth element

Magistr.B*, fifth Nimda, sixth Nimda, seventh Yaha.E, eighth Frethem.L and finally

the HappyTime.

0

10000

20000

30000

40000

50000

60000

70000

80000

1 2 3 4 5

Fig. 5. Self and non-Self in the CCB server.

0

1000

2000

3000

4000

5000

6000

Worm/Klez

.E

Tettona

W32.Sirc

am.C

Magist

r.B*

Nimda

CIH.AYah

a.E

Frethem

.L

HappyT

ime

Incident Number

Fig. 6. Computer viruses in the CCB.

Table 3

Self and non-self––CCB

Month Mails Worm/viruses

5 19,666 599

6 49,276 1202

7 66,819 2408

8 66,463 1888

9 75,077 2724

Table 4

Viruses vs. number of incidents

Worm/viruses Incident number

Worm/Klez.E 5106

Tettona 32

W32.Sircam.C 342

Magistr.B� 12

Nimda 14

CIH.A 4

Yaha.E 89

Frethem.L 75

HappyTime 25

A. Boukerche et al. / Parallel Computing 30 (2004) 629–646 639

Our results indicate clearly that the number of email messages infected is very

small, when we compare it to the total number of email messages, as we can see in

Table 3. In Table 4, we show the different types of viruses and the incident numbers.

6. An artificial immune fraud detection model

In this section we wish to extend our intrusion detection system to mobile telecom-munication systems. We will present a fraud detection model for mobile telecommu-

nication systems based upon immune human system paradigm, as shown in Section 4.

In this paper, we propose to use the Z specification language [20,21] to formally spe-

cify the main part of our Artificial Telecom Immune System, and capture some of the

properties within the components of the system, which we refer to as schemas. The Z

schemas make use of some variables whose values are subject to some constrained

through predicates (pre-conditions and pos-conditions) that describe their properties

within the operations of the system. The operations of our immune fraud detectionmodel for mobile telecommunication system have been designed using a state

machine paradigm, which defines the state and operations on the system.

With the use of Z language [14], we adopt a formal specification, using mathemat-

ical notations that describe the properties of the model, as well as both the static and

dynamic aspects of the model. The static aspects of the proposed model include the

following invariant properties: (i) the states it can occupy (i.e., call register states), (ii)

the relationships that are maintained as the system moves from state to state. The

dynamic aspects of the proposed model include: (i) the operations that are possible,and (ii) the changes of states that happen within the system.

640 A. Boukerche et al. / Parallel Computing 30 (2004) 629–646

The Z language specifications describe what objects exist, and how the relation-

ships between these objects may be made into specifications. For completeness, we

shall provide the main components of the Z language as in [21].

• Types––a type is an expression of a restricted kind, and every expression that ap-pears in a proper Z specification is associated with a unique type. If the expression

is defined, then the value of the expression is a member of its type. Every Z spec-

ification begins with certain basic types that play a part in the specification but

have no internal structure of interest.

• Sets and set types––any set of objects that are member of the same type t is itself inthe set type P t. Sets may be written in Z by listing their elements. They may alsobe written by giving a property which is characteristic of the elements of the set.

• Tuples and Cartesian products types––if x and y are two objects that are memberof the types t and u, respectively, then the ordered pair ðx; yÞ is an object in theCartesian product type t · u. Similarly, if x1; . . . ; xn are n objects of typest1; . . . ; tn, respectively, then the ordered n-tuple (x1; . . . ; xn) is an object of typet1 � � � � � tn. If (y1; . . . ; yn) is another n-tuple of the same type, then the two areequal if xi ¼ yi for each i where 16 i6 n.

• Binding and schema-types––if p and q are distinct identifiers, and x and y are objectsof types t and u respectively, then there is a binding, where: z ¼< p1Vx1 . . . ; pnVxnwith components z:p equal to x and z:q equal to y. This binding is an object with theschema type /p : t; q : u.. Bindings are used in the operations of Z which allowinstances of a schema to be regards as mathematical objects in their own right:

the components of the bindings correspond to the components of the schema.

They are used to describe the meaning of the predicate parts of schemas.

• Signature––is a collection of variables, each with a type. Signatures are created bydeclarations, and provide a vocabulary based upon mathematical statements and

identified by logical predicates.

• Property––a property over a signature is characterized by the set of binding underwhich it has a true value. A predicate identifies a property. We say a predicate is

true under binding if the property it expresses is true under that binding. We say

that the binding satisfies the property, or the predicate which it expresses, if the

property is true under the binding.

• Schema––a schema is a pair of signatures together with a property over a signa-ture. The signature and its property parts of a schema correspond to the declara-

tion and predicate written within the schema. Most schemas consist of a part

above the central dividing line, in which some variables are declared, and part be-low the line which identifies a relationship between the values of the variables

(pre-conditions and post-conditions).

6.1. Telecom immune based system: a modeling approach

In our intrusion detection and telecom immune based model against malicious

and mobile phone intruders, we adopt a biological analogy, where each registration

of a mobile phone call is considered as a biological cell and the set of monitored

A. Boukerche et al. / Parallel Computing 30 (2004) 629–646 641

user’s registration is being considered as a multi-cellular organism. The user pattern

[4] is considered as the innate immune system. To create the acquired immune sys-

tem, a lymphocyte is implemented and acts as the telephone exchange, which also

monitors the user’s registrations. The first lymphocytes are identified as a set of

user’s registrations of valid telephone calls. The initial set of detectors can be substi-tuted by other lymphocytes which has the capability to detect new intrusions. In this

model, the components of the set of self genes will be defined by the set of user’s reg-

istrations already entered in the systems used mainly to identify the normal use,

while non-self genes represents the users’ registration and may be used to identify

malicious intruders.

The environment of this model is defined over the universe U , where U is a set ofphone calls. The set U contains two groups, S and N , called self and non-self, respec-

tively, where S [ N ¼ U and S \ N ¼ ; [8].The domain of the intrusion detection model, which we refer to asD, can be used to

classify all phone calls, i.e., either phone calls s 2 U as normal or n 2 U as anonymous[12]. However, due to the limited knowledge of all phone calls, it does not have knowl-

edge of the types of frauds that can occur in the future. Thus, we have the following

predicate:

D ¼ ðf;MÞ; where M � U:

The domain D contains the following two elements: M is the set of phone calls, andf : PU � U !{self, non-self}. By applying the cartesian product type, at any mo-ment in the universe U , we can have a user’s registration of no calls, the registrationof only valid calls, the registration of only invalid calls, or registration of both valid

calls and invalid calls. Thus, we can say that if x1; . . . ; xn are n elements of typest1; . . . ; tn, respectively, then the ordered n-tuple (x1; . . . ; xn) is an element of typet1 � � � � � tn. Therefore, we can conclude that ðM; sÞ is a self element if s 2 M andnon-self element if s 62 M.In our proposed model, we are interested in identifying these phone calls. Thus,

we have identified the set of all phone calls as a basic type of the specification,

and we have defined a call identifier CALL_ID as a schema-type of the Z-language

as follows:

642 A. Boukerche et al. / Parallel Computing 30 (2004) 629–646

In this model, a self element is defined by a normal behavior while a non-self element

is considered as an abnormal behavior which indicates a potential intruder.Thus, we define an event type as:

EVENT TYPE :¼ self j non� self

This will allows us to name these sets without identifying what kind of objects they

may contain. We define its state space:

EVENT_TYPE

CallSpace

f : P CALL_ID X CALL_ID

calls_known = dom fCALL_ID = S ∪ N

{ }S =∩ N

This schema describes the state space of the system and represents important

observations. The function f applied to CALL_ID, returns an EVENT_TYPE ele-

ment. The part below of the schema gives a relationship which is true in every state

of the system and is maintained by every operations on it. In this case, it says that thecalls_known set is the same as the domain of the function f . This relationship is aninvariant property of the model. This is the set of phone call registers to which it can

be validated. Notice that in this description of the state space for the model, we have

not been forced to place a limit on the number of phone call registers, nor to say the

order in that these entries will be stored. Initially the set of registers of telephonic

calls is empty, then we define the following schema for representing the initial state

of the system:

Let us now define some operations on our model. The first operation consists of

adding a new register, and can be described with the following schema:

AddCallSpaceCallSpace

call_input ? : CALL_ID

f' = f ∪ { call_input ? }

call_input ? ∉ calls_known

A. Boukerche et al. / Parallel Computing 30 (2004) 629–646 643

The declaration DCallSpace alerts us about the fact that the schema is describ-ing a state change: it introduces a variable phone calls. The function f representsthe state before any change of the system, and f 0 represents the new state of the

system after a change occurs. The set called calls_known is the same as the domain

of the function f . This relationship is a post-condition of the model. The predicatesbelow the line give a pre-condition for the success of the operation and the regis-

tration of the phone call to be added must not already be a known call for the

model.

The immune system uses the anomaly-based approach to detect intrusions. It

discovers self empirically and the attack can be any cells by exhibiting proteins that

are non-self. To detect an intrusion, the intrusion detector process is represented by

the following schema:

f : CALL_ID X CALL_ID EVENT_TYPEP∈s CALL_IDf(M,s) = self s∈Mf(M,s) = non-self s∉M

M

IntrusionDetection

f : PCALL_ID X CALL_ID EVENT_TYPE

∈

CALL_IDs

f(M,s) = self s M

f(M,s) = non-self s M∉

In the above schema, a registration phone call is identified as an intruder, and

identified by the EVENT_TYPE, and thereby it is identified as a non-self element.

Anomaly-based systems address these problems by attempting to characterize self

operation and to detect any deviation from the normal. This classification can

generate the emission of false alarms, though, first we must initialize the detection

process, which is defined by the following schema:

InitIntrusionDetection

IntrusionDetection

UTest

UTest

UTest

STest

STest

NTest

NTest

: CALL_ID

: CALL_ID

∪⊆

,

= CALL_ID

644 A. Boukerche et al. / Parallel Computing 30 (2004) 629–646

Classification errors are defined over a subset UTest which is part of the typeCALL_ID, and represents the union of the two subsets STest and NTest.A detection system can identify two types of classified errors: a false positive error

Eþ occurs when a self is classified as anomalous; and a false negative error E� occurs

when a non-self is classified as normal. This situation is represented by the twofollowing two schemas:

FalsePositiveError

IntrusionDetection

n : N

STestE+ = { s ∈ | f(M,s) = n }

E+ : CALL_ID

and the error false negative E� is defined as in the schema below:

FalseNegativeError

IntrusionDetection

s : S

NTestE- = { s ∈ | f(M,s) = s }

E- : CALL_ID

In the situation in which a true intrusion is detected we have its representation

such as:

AnomalyDetection

IntrusionDetection

s : CALL_ID

∈s (f,M)

This Z specification encloses the space of referring data to the registers of telephone

calls used in the model and some appropriate operations on the intrusion detection

search space. This specification refers to the anomaly detection and the time needed

for the human immune system to detect potential anomalies within the system. Thisapproach is based on the following fact: our model did not have an initial set of phone

calls to be used by the intrusion detection system to learn more about the system.

7. Conclusion and future works

This paper describes a new approach to secure both monitoring computer systems

and mobile phone operations. The main idea is to specify what services are critical in

A. Boukerche et al. / Parallel Computing 30 (2004) 629–646 645

both computer and telecommunication systems and to monitor their utilization while

searching for anomalies and operational misuse of the targeted system. We have pre-

sented a solution based upon a natural immune human system to the fraud detection

problem for both computer and mobile telecommunication systems. We have dis-

cussed the design and the implementation of an efficient and reliable security man-agement using our proposed solution. Our results indicate clearly that biological

inspired techniques are well suited to solve such problems.

As a future work, we see several directions. First, we plan to investigate the per-

formance of our security system for mobile phone operations by using several of user

patterns behaviors and then extend our model to mobile e-commerce and wireless

networks applications. Next, we plan to develop a model that can be executed on

a cluster of workstations in order to enhance the performance of our system.

References

[1] B. Alberts, Molecular biology of the cell, fourth ed., Garland Science, Taylor & Francis Group, New

York, 2002.

[2] AMaViS––A Mail Virus Scanner �1997–2000 Mogens Kjaer, Carlsberg Laboratory. mk@crc.dk,J€urgen Quade quade@amavis.org, Christian Bricart, shiva@aachalon.de, Rainer Link link@suse.de,Lars Hecking lhecking@nmrc.ie and others.

[3] S. Balasubramaniyan, An architecture for intrusion detection using autonomous agents, Coast

Laboratory, Purdue University, West Lafayette, 1998.

[4] A. Boukerche, M.S.M. Notare, Applications of neural networks to mobile communication systems,

in: A. Zomaya, S. Olariu (Eds.), Solutions to Parallel and Distributed Computing Problems: Lessons

from Biological Sciences, Wiley & Sons, 2001, pp. 255–368.

[5] A. Boukerche, M.S.M. Notare, Neural fraud detection in mobile phone operations, Fourth IEEE

BioSP3, Bio-Inspired Solutions to Parallel Processing, LNCS, Springer Verlag, pp. 636–644.

[6] S. Cayzer, U. Aickelin, A recommended system based on the immune network. Proceedings of CEC

2002.

[7] P. Dowd, J.T. Mchenry, Network security: it’s time to take it seriously, IEEE Computer 31 (9) (1998)

24–28.

[8] R.O. Duda, P.E. Hart, Pattern classification and scene analysis, John Wiley & Sons, Inc, New York,

NY, 1973.

[9] J.D. Farmer, N.H. Packard, A.S. Perelson, The immune system, adaptation, and machine learning,

Physica D 22 (1986) 187–204.

[10] S. Forrest, A.S. Perelson, L. Allen, R. Cherukuri, Self–nonself discrimination in a computer,

Proceedings of the 1994 IEEE Symposium on Research in Security and Privacy, 1994, pp. 202–212.

[11] H+BEDV––AntiVir for Linux � 2000, Created by H+BEDV Datentechnik GmbH, Tettnang,Germany.

[12] S. Hofmeyer, An immunological model of distributed detection and its applications to computer

security, Ph.D. Computer Science, University of New Mexico, Albuquerque, 1999.

[13] K.R.L. Juca, An approaching for intrusion detection base don human immunologic system (in

Portuguese, Uma Abordagem de Detecc�~ao de Intrus~ao Baseada no Sistema Imunol�ogico Humano),Master Thesis, CPGCC/UFSC, Florianopolis, Brazil, 2001.

[14] D. Male, Immunology––An Illustrated Outline, Gower Medical Publishing Ltd., 1986.

[15] M.S.M.A. Notare, Conception, analysis and development of a security management system for

telecommunication networks (in portuguese), Thesis (Computer Science Program)––Department of

Informatic and Statistic, Technological Center, Federal University of Santa Catarina, Florianopolis,

Brazil, 2000.

646 A. Boukerche et al. / Parallel Computing 30 (2004) 629–646

[16] A.S. Perelson, Immune network theory, Immunological, Theoretical Division, Los Alamos National

Laboratory, NM 87545, Review 110, 1989, pp. 5–36.

[17] I.M. Roitt, Essential Immunology, fifth ed., Blackwell Scientific Publications, 1995.

[18] C. Rowland, Logcheck Reference Manual, Available from: <http://www.psionic.com/abacus>

accessed on March, 01. 2001.

[19] A. Somayaji, S. Hofmeyr, S. Forrest, Principles of a Computer Immune System, University of New

Mexico. Albuquerque, NM, 1997.

[20] J.B.M. Sobral, A language for specifying distributed systems in a high level abstraction (in

Portuguese, Uma linguagem para Especificac�~ao de Sistemas Distribu�ıdos em Alto N�ıvel de

Abstrac�~ao), Ph.D. Thesis––Electric Engineering Program at COPPE/UFRJ, Rio de Janeiro, Brazil,1996.

[21] J.M. Spivey, The Z Notation: A Reference Manual, Oxford University, England, 1994.

[22] J.I. Timmis, Artificial Immune Systems: a novel data analysis technique inspired by the immune

network theory, Ph.D. Thesis, Department of Computer Science, University of Wales, Aberystwyth,

2000.