Upload
azzedine-boukerche
View
212
Download
0
Embed Size (px)
Citation preview
www.elsevier.com/locate/parco
Parallel Computing 30 (2004) 629–646
An artificial immune based intrusiondetection model for computerand telecommunication systems
Azzedine Boukerche a,*, Kathia Regina Lemos Juc�a b,Jo~ao Bosco Sobral b, Mirela Sechi Moretti Annoni Notare c
a Ottawa University, 800 King Edwards Avenue, Ottawa, ONT, Canada K1N-6N5b Federal University of Santa Catarina, P.O. Box 476, Florian�opolis, Brazilc Barddal University, Avenue Madre Benvenuta 416, Florian�opolis, Brazil
Received 10 November 2002; accepted 15 January 2004
Available online 19 May 2004
Abstract
Recent years have seen a growing interest in computational methods based upon natural
phenomena with biologically inspired techniques, such as cellular automata, immune human
systems, neural networks, DNA and molecular computing. Some of these techniques are clas-
sified under the realm of a general paradigm, called bio-computing. In this paper, we propose a
security system for fraud detection of intruders and improper use of both computer system
and mobile telecommunication operations. Our technique is based upon data analysis inspired
by the natural immune human system. We show how immune metaphors can be used effi-
ciently to tackle this challenging problem. We also describe how our scheme extracts salient
features of the immune human system and maps them within a software package designed
to identify security violations of a computer system and unusual activities according to the
usage log files. Our results indicate that our system shows a significant size reduction of the
logs file (i.e., registration of each log activity), and thereby the size of the report maintained
by the computer system manager. This might help the system manager to monitor and
observe unusual activities on the machine hosts more efficiently, as they happen, and can
*Corresponding author.
E-mail addresses: [email protected] (A. Boukerche), [email protected] (K.R.L. Juc�a),
[email protected] (J.B. Sobral), [email protected] (M.S.M.A. Notare).
URLs: http://www.uottawa.ca/~boukerch, http://www.kathia.ger.ufsc.br, http://www.inf.ufsc.br/~bo-
sco, http://www.inf.barddal.br/~mirela.
0167-8191/$ - see front matter � 2004 Published by Elsevier B.V.doi:10.1016/j.parco.2003.12.008
630 A. Boukerche et al. / Parallel Computing 30 (2004) 629–646
act accordingly before it is too late. Last but not least, we propose an intrusion and fraud
detection model based upon immune human analogy for mobile phone operations. We discuss
our model and present its specification using the Z Language.
� 2004 Published by Elsevier B.V.
Keywords: Nature inspired solution; Human immune systems; Intrusion detection
1. Introduction
This paper is motivated by the needs in the continuous changing computer and
telecommunication industries, and the accelerated growth of malicious intruders
and computer viruses, among others fraudulent activities [4,5,15]. Even the mostmodern computer and telecommunication systems have security problems. Most
applications and operational systems are overwhelmed by security failures at differ-
ent levels. If there are no verification and monitoring procedures in the com-
putational system, then security services (e.g., access control, firewalls and
cryptography) become ineffective. Security policies define requisites and use rules
predetermined by the computational and departmental services. An intrusion can be
defined as a group of actions which endanger integrity, confidentiality and/or avail-
ability of a provided resource. Computer viruses are the first form of artificial life tohave an impact on modern society. The rate at which new viruses are being written is
high and increasing due to global connectivity. We propose a security approach for
intrusion detection from computer viruses on computer system operations. It acts so-
lely upon the usage logs and the registration activities of the mail messages. Our tech-
nique is based upon data analysis inspired by the human natural immune system.
This paper shows how immune metaphors can be used efficiently to tackle this chal-
lenging problem. We also describe how our scheme extracts salient features of the
human immune system and maps them within a software package designed to iden-tify misuse activities according to the usage log files. We also show how to extend our
system to deal with the fraud detection problem for mobile phone operations [4,5].
The field of mobile and wireless networking is reemerging amid unprecedented
growth in the scale and diversity of computer networking. However, further in-
creases in network security are necessary before the promise of mobile communica-
tion can be fulfilled. Thus, our fraud detection model might prove to be quite useful
to the telecom industries that are facing a huge margin of profit losses due to the
cloning and subscription frauds.The remainder of the paper is organized as follows. In Sections 2 and 3, we pres-
ent the basic background on the human and the correlation between the immune sys-
tems and the computer security system, respectively. In Section 4, we present our
Artificial Immune System. Section 5 reports the experimental results we obtained.
In Section 6, we present a novel artificial immune fraud detection model based upon
a Z-language [21] for mobile telecommunication systems. In Section 7, we present
our conclusion and future work.
A. Boukerche et al. / Parallel Computing 30 (2004) 629–646 631
2. Background on immunology
The immune system [1,6,9,10,12] is a complex network of organs and cells respon-
sible for the organism’s defense against alien particles. One of the main features of
the immune system is its capacity to distinguish between self and non-self genes.Every cell of the organism possesses molecules in its structure, which are character-
ized as self genes. On the other hand, the molecules that constitute alien organisms
are characterized as non-self genes.
2.1. Immune system anatomy
The organs that compose the immune system [14,16,17,22] are stationed through-
out the body. These organs are refered to as lymphoid organs, because they are con-cerned with the growth, development, and deployment of lymphocytes.
• Lymphocytes––the lymphocytes are small white cells. Their responsibility lies in
specifying activities to the immune system. The two major classes of lymphocytes
are: B-cells, T-cells.
• Antibodies––antibodies can be classified under a large family of molecules known
as immunoglobulins. They are described as follows:
IgG––the largest immunoglobulin in the blood, working effectively againstmicroorganisms;
IgM––usually possess a star-shaped surface. It is very effective against bacteria;
IgA––found in body fluids. It has the responsibility for the defense of the
body’s entrances;
IgE––normally appear in small concentrations, involved mainly in defense
against parasites;
IgD––found almost exclusively in B-cell membranes, which regulate the activa-
tion of the cells.• Natural and acquired immunity––when an organism is exposed to a disease, B-cells
and T-cells are activated and some of them are able to retain a memory of the dis-
ease. When the organism faces the same antigen in another circumstance, the im-
mune system will recognize it and will quickly destroy it. Babies have a passive
natural immunity though being protected in their first months by antibodies re-
ceived from the mother. The IgG antibody, which moves through the placenta,
makes them immune to microbes to which the mother is immune. Also, children
receive IgA antibodies from breast milk.
2.2. Immune system properties
The immune system has four main properties: detection, diversity, learning and
tolerance.
• Detection––detection (or recognition)of chemicalcomponentsbetweenpathogenfrag-
ments and receptors on the surface of the lymphocyte occurs in an immune system.
632 A. Boukerche et al. / Parallel Computing 30 (2004) 629–646
• Diversity––detection in the immune system is related to non-self elements of the
organism, thus, the immune system must have diverse receptors to ensure that
at least some of lymphocytes will react to the pathogenic element. The solution
adopted by the body relies on a dynamic protection via a continuous renewal
of lymphocytes.• Learning––the immune system must be capable of detecting as quickly as possible
the pathogen and eliminating it. It includes a principle which allows lymphocytes
to learn and adapt themselves to specific foreign protein structures, and to
‘‘remember’’ these structures as soon as possible when needed. These principles
are implemented by the B-cells.
• Tolerance––the molecules that mark a cell as a self gene are contained in the
chromosome sections also known as Major Histocompatibility Complex (MHC).
2.3. Computer security and immune system––a correlation
There is a strong correlation between the immune system and computer security
system. The immune system protects the body from pathogen elements in the same
way the computer security system protects the computer from malicious users.
The security policy used by the immune system is specified mainly by a natural
selection phenomenon, and only a few aspects of security computations are of great
importance, such as: (1) disposability: this aspect allows the body to continue work-ing even under attack of a pathogen; (2) correction: to prevent the immune system
from attacking the body cells; (3) integrity: this is a way to guarantee that the genetic
codes present in the cells will not be corrupted by any pathogen; (4) accountability:
these are the means adopted by the immune system to identify, find and destroy
the pathological agents.
As we can see, both immune and computer security systems share common secu-
rity concerns. They both intend to protect their corresponding system against attacks
and intrusions that violate the (established) security policy. See Table 1.
2.4. Intrusion detection
An intrusion can be defined as ‘‘an act of a person of proxy attempting to break
into or misuse a system in violation of an established policy’’ [12,13]. Intrusion can be
classified as: (i) misuse intrusions, i.e., well defined attacks against known system vul-
nerabilities; and (ii) anomaly intrusions, i.e., activities based on deviation from nor-
mal system usage patterns. Intrusion detection systems (IDS) are one of the latestsecurity tools in the battle against these attacks [3,10].
3. Operational environment
Earlier intrusion detection systems (IDS) focused on the log registration analysis,
which is produced by the operational system and other applications, as cited in
[12,13]. The UNIX operating system uses syslog to generate, store and register its
Table 1
Immune system protection
Human immune system Artificial immune system
Integrity This is a way to guarantee that the
genetic codes, present in the cells, will
not be corrupted by any pathogen
Data has to be protected from
intentional or accidental corruption
Availability This aspect allows the body to continue
working even under attack of a pathogen
Information, such as the computer,
must be accessible when necessary
and as desired
Correction This mechanism prevents the immune
system against attacks of the (body)
cells
False alarms from an incorrect classifi-
cation of computational events must be
minimized
Accountability These are means adopted by the immune
system to identify, find and destroy the
pathological agents
The security system must be configured
to preserve sufficient information from
the intrusion that can be permitted to
trace the origin of the attack
Confidentiality These are no concepts of secret data
or confidential information
Data access must only be allowed to
authorized users
A. Boukerche et al. / Parallel Computing 30 (2004) 629–646 633
activities [7]. In order to monitor the execution of a program, we chose to analyze
the log registry originating from the execution of the program. Presently, we will
adopt a variation from the architecture presented by [19].
In the artificial immune systems, we consider that each mail message in a host cor-
responds to a cell. At a given time, it is possible to have many different mail messages
in one host. Thus, we say that the host is observed as a multi-cellular organism. Inthis host, there is a process that acts as a lymphocyte in the recognition mail mes-
sages, like non-self elements. The acquired immune system is implemented by a mail
scanner that acts as lymphocyte and by the virus definition files that are considered
as vaccines. In the same manner as the human body, when a mail message in the
artificial organism has its function changed, the organism is identified as ill.
4. Artificial immune system
4.1. Anomaly based approach
Similar to the human system, the computational immune system is divided into
innate and acquired immune systems. The innate computational immune system is
a component from UNIX’s root file-system, much like the file permission and access
modes to archives that are established during the system installation. Adopting an
immune analogy, these security mechanisms are IgG antibodies. Just after the oper-ating system is installed, it can be compared to a newborn child, which possesses a
weak immune system. The operating system responds only to the violations and
weaknesses that the software designers were aware of during the period of release
of that software version. By analogy, we can consider the corrections in a given ver-
sion of the operating system as those represented by the release as IgA antibodies.
634 A. Boukerche et al. / Parallel Computing 30 (2004) 629–646
Passive immunity in modern computational systems lasts for only a few hours, un-
like the human immune system that protects the newborn for a few months. For this
reason it is necessary that the computational and operating system receive a comple-
mentary immunization just after its installation. Complementary immunization such
as installation of complementary security and software services and patches can bemade by the administrator. With a complementary immunization, the artificial
organism begins the assembly of the acquired immune system. The degree and dura-
tion of immunity in a computational system will depend on certain items that char-
acterize the security.
The approaches adopted to restrict the access to some services were shifted to use
the following tools: TCP WRAPPER [13], responsible for filtering the access to the
programs, provides the same function as immunoglobulins. The antibody IgA is
responsible for patrolling the entrances of the organism. The entrances of the organ-ism are represented by TCP and UDP ports, which are used by the services offered by
the host.
The largest property of the human immune system is the capacity to distinguish
the self-elements from the non-self ones. Each cell of the human body contains
MHC chromosomes, which identify them to the immune system as self. These char-
acteristics are provided to the computational and immune system via the LogCheck
[18], software that plays a similar role to that of the T-cells. The LogCheck software
filters the registrations of the activities within a host, and generates reports to theadministrator of the logs of the activities.
The distinction between an activity that corresponds to self activity (or element)
and one that is non-self is based upon the following four files [18]:
logcheck.hacking––this file is composed of keywords that characterize anMHC antigen class I, and its occurrence unchains the immune answering system.
logcheck.violations––this file contains keywords that characterize anMHC antigen class II, and the code portion exposes antigen.logcheck.violations.ignore––in this file they recognize keywords thatare the opposite of the existing words in the file logcheck.violations
logcheck.ignore––this file contains keywords which do not represent a viola-tion of the host’s safety (see Table 2).
4.2. Misuse based approach
The computational immune system is divided in the same way as the human im-mune system: innate and acquired immune systems. The innate computational im-
mune system is a component from UNIX’s root filesystem, much like the file
permission and access modes to archives that are established during the system
installation. Adopting an immune analogy, these security mechanisms are IgG anti-
bodies.Just after the operating system is installed, it can be compared to a newborn
child, which possesses a weak immune system. The operating system responds only
to the violations and weaknesses that the software designers were aware in the period
of release of that version. By analogy, we can consider the corrections in a given ver-
Table 2
Innate and acquired immune system
Human immune system Artificial immune system
Innate
immunity
When an organism is exposed to an infec-
tion then B-cells and T-cells are activated
When a computer exposed to an anomaly
then alarms are sent to the administrator,
and some keywords are memorized for
further recognition
And some of these cells are able to
memorize (recognize and quickly destroy
it further)
Antibody IgG––from the mother
placenta––against microbes from which
the mother is immune
Basic security characteristics of operating
system (file permissions, access control);
respond only for what the designers were
aware it the version
Antibody IgA––from the mother milk––
responsible to defend the body entrances
Defend the TCP ports of the servers
Acquired
immunity
Vaccine ( dead microbes, modified
microbes; live viruses that were
attenuated)
Installation of complementary security
services, patches to repair bugs, remove
services dangerous for the security
(e.g., change telnet to SSH)
A. Boukerche et al. / Parallel Computing 30 (2004) 629–646 635
sion of the operating system to be represented by the release of IgA antibodies. Pas-
sive immunity in modern computational systems lasts for only a few hours, unlike
the human immune system that protects the newborn for a few months. For this rea-
son it is necessary that the computational system receives a complementary immuni-
zation just after its installation. The administrator makes the complementary
immunization in the following way: installation of complementary security and soft-
ware services. With a complementary immunization, the artificial organism begins
the assembly of an acquired immune system. The degree and duration of immunityin a computational system will depend on certain items that characterize the security
of the host and of the network in which the host is connected (e.g., UNIX server that
serves Windows workstations via a POP3 service may receive mails with infected files
attached to these emails) [13].
The largest property of the human immune system is the capacity to distinguish
the elements self from the elements non-self. Each cell of the human body contains
the chromosome MHC, which identifies it to the immune system as self. These char-
acteristics are provided to the computational immune system via signature viruses, asoftware that plays a similar role to the pathogen. The software AMaViS[2] scans the
incoming mail messages within a host and generates reports to the administrator of
the logs of the infected emails.
5. Experimental results
5.1. Anomaly based approach
In our implementation, the software LogCheck [18] was installed in two hosts with
different operating systems and registration services, using the Federal University of
636 A. Boukerche et al. / Parallel Computing 30 (2004) 629–646
Santa Catarina’s local network at federal University of Santa Catarina. The chosen
hosts were the servers of two different departments: in Physical andMathematical Sci-
ences Center (CFM) at the Communication and Expression Center (CCE). The hosts
possess the following characteristics: the server of CFM is Sun with the Solaris OS.
The machine server of CCE is a PowerPC IBM, using theAIX operating system. Bothservers provide the following services: DNS, SMTP, POP3, FTP.
The activities in these servers were monitored for five consecutive months, and the
operational ambient didn’t suffer any interference in the characteristics of its basic
activities. Thus, the registrations can be considered trustworthy because they reflect
a normal situation. The amount of information contained in this group is quite large,
thereby making its analysis very difficult.
In Fig. 1, we present the results we have obtained for the CFM server. As we
can see, our results indicate that our system helps to reduce significantly the numberof registration activities. In Fig. 2, we portray the results we have obtained for CCE
center. As we can see, a significant reduction of the number of registration is
obtained.
We can observe in Fig. 2, that we obtained about a 66% reduction during the
month of June for instance. In both monitored servers, CFM and CCE, a significant
reduction in the number of user registrations during the five months of our experi-
ments has been obtained. This will have a profound impact in reducing the size of
the reports that can be used to detect malicious intruders, thereby speeding up thedetection of such intrusions. However, during the period when we monitor the
CCE system and collect the registration information, we have obtained only the re-
ports that correspond to the violations of safety and unusual events. The registra-
tions belonging to this group also belong to the activities group of type non-self.
The administrator shall receive a notification, in the form of an email, with the report
of the activities of type non-self genes, thereby minimizing his security management
work (i.e., intrusion detection). During the period of monitoring and user activity
registrations collection, only the security violations and unusual events weredetected. The data are represented in Figs. 3 and 4.
0
5000
10000
15000
20000
25000
30000
march april may june july
month
Rec
ord
Num
ber
Total Report
Total Record
Fig. 1. Reduction of the number of registers in the CFM server.
CCE
020000400006000080000
100000120000
march april may june july
month
Rec
ord
Num
ber
Total Record Total Report
Fig. 2. Reduction of the number of registers in the CCE server.
0
5000
10000
15000
20000
25000
march april may june july
reco
rd n
umbe
r
security violation
security events
Fig. 3. Security violations and unusual events––CFM.
0
2000
4000
6000
8000
10000
12000
14000
16000
march april may june july
reco
rd n
umbe
r
security violation
security events
Fig. 4. Security violations and unusual events––CCE.
A. Boukerche et al. / Parallel Computing 30 (2004) 629–646 637
They show the security violations and the unusual events that have occurred for
both CFM and CCE machines and during the period March to July. Our results
indicate clearly that it is possible to monitor and observe the hosts’ activities in an
efficient and less costly way.
638 A. Boukerche et al. / Parallel Computing 30 (2004) 629–646
5.2. Misuse based approach
In our implementation, the software AmaViS[2] in combination with H+BEDV
AntiVir [11] was installed in one host with Linux operating systems and registration
services. The selected host was the server of the Center of Biological Sciences (CCB).Servers provide the following services: DNS, SMTP, POP3, FTP.
The activities in this server were monitored for 132 days, and the operational
ambient did not suffer any interference in the characteristics of its basic activities.
Thus, the registrations can be considered trustworthy, because they reflect a normal
situation. In Fig. 5, we present the results we have obtained for the CCB server, the
number of detected viruses (non-self elements) is portrayed in the right columns and
the total number of clean messages (self elements) is in the left columns.
Fig. 6 shows the incident number. This event was divided into virus types, whichfirst showed the worm Klez.E, second Tettona, third W32.Sircam.C, fourth element
Magistr.B*, fifth Nimda, sixth Nimda, seventh Yaha.E, eighth Frethem.L and finally
the HappyTime.
0
10000
20000
30000
40000
50000
60000
70000
80000
1 2 3 4 5
Fig. 5. Self and non-Self in the CCB server.
0
1000
2000
3000
4000
5000
6000
Worm/Klez
.E
Tettona
W32.Sirc
am.C
Magist
r.B*
Nimda
CIH.AYah
a.E
Frethem
.L
HappyT
ime
Incident Number
Fig. 6. Computer viruses in the CCB.
Table 3
Self and non-self––CCB
Month Mails Worm/viruses
5 19,666 599
6 49,276 1202
7 66,819 2408
8 66,463 1888
9 75,077 2724
Table 4
Viruses vs. number of incidents
Worm/viruses Incident number
Worm/Klez.E 5106
Tettona 32
W32.Sircam.C 342
Magistr.B� 12
Nimda 14
CIH.A 4
Yaha.E 89
Frethem.L 75
HappyTime 25
A. Boukerche et al. / Parallel Computing 30 (2004) 629–646 639
Our results indicate clearly that the number of email messages infected is very
small, when we compare it to the total number of email messages, as we can see in
Table 3. In Table 4, we show the different types of viruses and the incident numbers.
6. An artificial immune fraud detection model
In this section we wish to extend our intrusion detection system to mobile telecom-munication systems. We will present a fraud detection model for mobile telecommu-
nication systems based upon immune human system paradigm, as shown in Section 4.
In this paper, we propose to use the Z specification language [20,21] to formally spe-
cify the main part of our Artificial Telecom Immune System, and capture some of the
properties within the components of the system, which we refer to as schemas. The Z
schemas make use of some variables whose values are subject to some constrained
through predicates (pre-conditions and pos-conditions) that describe their properties
within the operations of the system. The operations of our immune fraud detectionmodel for mobile telecommunication system have been designed using a state
machine paradigm, which defines the state and operations on the system.
With the use of Z language [14], we adopt a formal specification, using mathemat-
ical notations that describe the properties of the model, as well as both the static and
dynamic aspects of the model. The static aspects of the proposed model include the
following invariant properties: (i) the states it can occupy (i.e., call register states), (ii)
the relationships that are maintained as the system moves from state to state. The
dynamic aspects of the proposed model include: (i) the operations that are possible,and (ii) the changes of states that happen within the system.
640 A. Boukerche et al. / Parallel Computing 30 (2004) 629–646
The Z language specifications describe what objects exist, and how the relation-
ships between these objects may be made into specifications. For completeness, we
shall provide the main components of the Z language as in [21].
• Types––a type is an expression of a restricted kind, and every expression that ap-pears in a proper Z specification is associated with a unique type. If the expression
is defined, then the value of the expression is a member of its type. Every Z spec-
ification begins with certain basic types that play a part in the specification but
have no internal structure of interest.
• Sets and set types––any set of objects that are member of the same type t is itself inthe set type P t. Sets may be written in Z by listing their elements. They may alsobe written by giving a property which is characteristic of the elements of the set.
• Tuples and Cartesian products types––if x and y are two objects that are memberof the types t and u, respectively, then the ordered pair ðx; yÞ is an object in theCartesian product type t · u. Similarly, if x1; . . . ; xn are n objects of typest1; . . . ; tn, respectively, then the ordered n-tuple (x1; . . . ; xn) is an object of typet1 � � � � � tn. If (y1; . . . ; yn) is another n-tuple of the same type, then the two areequal if xi ¼ yi for each i where 16 i6 n.
• Binding and schema-types––if p and q are distinct identifiers, and x and y are objectsof types t and u respectively, then there is a binding, where: z ¼< p1Vx1 . . . ; pnVxnwith components z:p equal to x and z:q equal to y. This binding is an object with theschema type /p : t; q : u.. Bindings are used in the operations of Z which allowinstances of a schema to be regards as mathematical objects in their own right:
the components of the bindings correspond to the components of the schema.
They are used to describe the meaning of the predicate parts of schemas.
• Signature––is a collection of variables, each with a type. Signatures are created bydeclarations, and provide a vocabulary based upon mathematical statements and
identified by logical predicates.
• Property––a property over a signature is characterized by the set of binding underwhich it has a true value. A predicate identifies a property. We say a predicate is
true under binding if the property it expresses is true under that binding. We say
that the binding satisfies the property, or the predicate which it expresses, if the
property is true under the binding.
• Schema––a schema is a pair of signatures together with a property over a signa-ture. The signature and its property parts of a schema correspond to the declara-
tion and predicate written within the schema. Most schemas consist of a part
above the central dividing line, in which some variables are declared, and part be-low the line which identifies a relationship between the values of the variables
(pre-conditions and post-conditions).
6.1. Telecom immune based system: a modeling approach
In our intrusion detection and telecom immune based model against malicious
and mobile phone intruders, we adopt a biological analogy, where each registration
of a mobile phone call is considered as a biological cell and the set of monitored
A. Boukerche et al. / Parallel Computing 30 (2004) 629–646 641
user’s registration is being considered as a multi-cellular organism. The user pattern
[4] is considered as the innate immune system. To create the acquired immune sys-
tem, a lymphocyte is implemented and acts as the telephone exchange, which also
monitors the user’s registrations. The first lymphocytes are identified as a set of
user’s registrations of valid telephone calls. The initial set of detectors can be substi-tuted by other lymphocytes which has the capability to detect new intrusions. In this
model, the components of the set of self genes will be defined by the set of user’s reg-
istrations already entered in the systems used mainly to identify the normal use,
while non-self genes represents the users’ registration and may be used to identify
malicious intruders.
The environment of this model is defined over the universe U , where U is a set ofphone calls. The set U contains two groups, S and N , called self and non-self, respec-
tively, where S [ N ¼ U and S \ N ¼ ; [8].The domain of the intrusion detection model, which we refer to asD, can be used to
classify all phone calls, i.e., either phone calls s 2 U as normal or n 2 U as anonymous[12]. However, due to the limited knowledge of all phone calls, it does not have knowl-
edge of the types of frauds that can occur in the future. Thus, we have the following
predicate:
D ¼ ðf;MÞ; where M � U:
The domain D contains the following two elements: M is the set of phone calls, andf : PU � U !{self, non-self}. By applying the cartesian product type, at any mo-ment in the universe U , we can have a user’s registration of no calls, the registrationof only valid calls, the registration of only invalid calls, or registration of both valid
calls and invalid calls. Thus, we can say that if x1; . . . ; xn are n elements of typest1; . . . ; tn, respectively, then the ordered n-tuple (x1; . . . ; xn) is an element of typet1 � � � � � tn. Therefore, we can conclude that ðM; sÞ is a self element if s 2 M andnon-self element if s 62 M.In our proposed model, we are interested in identifying these phone calls. Thus,
we have identified the set of all phone calls as a basic type of the specification,
and we have defined a call identifier CALL_ID as a schema-type of the Z-language
as follows:
642 A. Boukerche et al. / Parallel Computing 30 (2004) 629–646
In this model, a self element is defined by a normal behavior while a non-self element
is considered as an abnormal behavior which indicates a potential intruder.Thus, we define an event type as:
EVENT TYPE :¼ self j non� self
This will allows us to name these sets without identifying what kind of objects they
may contain. We define its state space:
EVENT_TYPE
CallSpace
f : P CALL_ID X CALL_ID
calls_known = dom fCALL_ID = S ∪ N
{ }S =∩ N
This schema describes the state space of the system and represents important
observations. The function f applied to CALL_ID, returns an EVENT_TYPE ele-
ment. The part below of the schema gives a relationship which is true in every state
of the system and is maintained by every operations on it. In this case, it says that thecalls_known set is the same as the domain of the function f . This relationship is aninvariant property of the model. This is the set of phone call registers to which it can
be validated. Notice that in this description of the state space for the model, we have
not been forced to place a limit on the number of phone call registers, nor to say the
order in that these entries will be stored. Initially the set of registers of telephonic
calls is empty, then we define the following schema for representing the initial state
of the system:
Let us now define some operations on our model. The first operation consists of
adding a new register, and can be described with the following schema:
AddCallSpaceCallSpace
call_input ? : CALL_ID
f' = f ∪ { call_input ? }
call_input ? ∉ calls_known
A. Boukerche et al. / Parallel Computing 30 (2004) 629–646 643
The declaration DCallSpace alerts us about the fact that the schema is describ-ing a state change: it introduces a variable phone calls. The function f representsthe state before any change of the system, and f 0 represents the new state of the
system after a change occurs. The set called calls_known is the same as the domain
of the function f . This relationship is a post-condition of the model. The predicatesbelow the line give a pre-condition for the success of the operation and the regis-
tration of the phone call to be added must not already be a known call for the
model.
The immune system uses the anomaly-based approach to detect intrusions. It
discovers self empirically and the attack can be any cells by exhibiting proteins that
are non-self. To detect an intrusion, the intrusion detector process is represented by
the following schema:
f : CALL_ID X CALL_ID EVENT_TYPEP∈s CALL_IDf(M,s) = self s∈Mf(M,s) = non-self s∉M
M
IntrusionDetection
f : PCALL_ID X CALL_ID EVENT_TYPE
∈
CALL_IDs
f(M,s) = self s M
f(M,s) = non-self s M∉
In the above schema, a registration phone call is identified as an intruder, and
identified by the EVENT_TYPE, and thereby it is identified as a non-self element.
Anomaly-based systems address these problems by attempting to characterize self
operation and to detect any deviation from the normal. This classification can
generate the emission of false alarms, though, first we must initialize the detection
process, which is defined by the following schema:
InitIntrusionDetection
IntrusionDetection
UTest
UTest
UTest
STest
STest
NTest
NTest
: CALL_ID
: CALL_ID
∪⊆
,
= CALL_ID
644 A. Boukerche et al. / Parallel Computing 30 (2004) 629–646
Classification errors are defined over a subset UTest which is part of the typeCALL_ID, and represents the union of the two subsets STest and NTest.A detection system can identify two types of classified errors: a false positive error
Eþ occurs when a self is classified as anomalous; and a false negative error E� occurs
when a non-self is classified as normal. This situation is represented by the twofollowing two schemas:
FalsePositiveError
IntrusionDetection
n : N
STestE+ = { s ∈ | f(M,s) = n }
E+ : CALL_ID
and the error false negative E� is defined as in the schema below:
FalseNegativeError
IntrusionDetection
s : S
NTestE- = { s ∈ | f(M,s) = s }
E- : CALL_ID
In the situation in which a true intrusion is detected we have its representation
such as:
AnomalyDetection
IntrusionDetection
s : CALL_ID
∈s (f,M)
This Z specification encloses the space of referring data to the registers of telephone
calls used in the model and some appropriate operations on the intrusion detection
search space. This specification refers to the anomaly detection and the time needed
for the human immune system to detect potential anomalies within the system. Thisapproach is based on the following fact: our model did not have an initial set of phone
calls to be used by the intrusion detection system to learn more about the system.
7. Conclusion and future works
This paper describes a new approach to secure both monitoring computer systems
and mobile phone operations. The main idea is to specify what services are critical in
A. Boukerche et al. / Parallel Computing 30 (2004) 629–646 645
both computer and telecommunication systems and to monitor their utilization while
searching for anomalies and operational misuse of the targeted system. We have pre-
sented a solution based upon a natural immune human system to the fraud detection
problem for both computer and mobile telecommunication systems. We have dis-
cussed the design and the implementation of an efficient and reliable security man-agement using our proposed solution. Our results indicate clearly that biological
inspired techniques are well suited to solve such problems.
As a future work, we see several directions. First, we plan to investigate the per-
formance of our security system for mobile phone operations by using several of user
patterns behaviors and then extend our model to mobile e-commerce and wireless
networks applications. Next, we plan to develop a model that can be executed on
a cluster of workstations in order to enhance the performance of our system.
References
[1] B. Alberts, Molecular biology of the cell, fourth ed., Garland Science, Taylor & Francis Group, New
York, 2002.
[2] AMaViS––A Mail Virus Scanner �1997–2000 Mogens Kjaer, Carlsberg Laboratory. [email protected],J€urgen Quade [email protected], Christian Bricart, [email protected], Rainer Link [email protected],Lars Hecking [email protected] and others.
[3] S. Balasubramaniyan, An architecture for intrusion detection using autonomous agents, Coast
Laboratory, Purdue University, West Lafayette, 1998.
[4] A. Boukerche, M.S.M. Notare, Applications of neural networks to mobile communication systems,
in: A. Zomaya, S. Olariu (Eds.), Solutions to Parallel and Distributed Computing Problems: Lessons
from Biological Sciences, Wiley & Sons, 2001, pp. 255–368.
[5] A. Boukerche, M.S.M. Notare, Neural fraud detection in mobile phone operations, Fourth IEEE
BioSP3, Bio-Inspired Solutions to Parallel Processing, LNCS, Springer Verlag, pp. 636–644.
[6] S. Cayzer, U. Aickelin, A recommended system based on the immune network. Proceedings of CEC
2002.
[7] P. Dowd, J.T. Mchenry, Network security: it’s time to take it seriously, IEEE Computer 31 (9) (1998)
24–28.
[8] R.O. Duda, P.E. Hart, Pattern classification and scene analysis, John Wiley & Sons, Inc, New York,
NY, 1973.
[9] J.D. Farmer, N.H. Packard, A.S. Perelson, The immune system, adaptation, and machine learning,
Physica D 22 (1986) 187–204.
[10] S. Forrest, A.S. Perelson, L. Allen, R. Cherukuri, Self–nonself discrimination in a computer,
Proceedings of the 1994 IEEE Symposium on Research in Security and Privacy, 1994, pp. 202–212.
[11] H+BEDV––AntiVir for Linux � 2000, Created by H+BEDV Datentechnik GmbH, Tettnang,Germany.
[12] S. Hofmeyer, An immunological model of distributed detection and its applications to computer
security, Ph.D. Computer Science, University of New Mexico, Albuquerque, 1999.
[13] K.R.L. Juca, An approaching for intrusion detection base don human immunologic system (in
Portuguese, Uma Abordagem de Detecc�~ao de Intrus~ao Baseada no Sistema Imunol�ogico Humano),Master Thesis, CPGCC/UFSC, Florianopolis, Brazil, 2001.
[14] D. Male, Immunology––An Illustrated Outline, Gower Medical Publishing Ltd., 1986.
[15] M.S.M.A. Notare, Conception, analysis and development of a security management system for
telecommunication networks (in portuguese), Thesis (Computer Science Program)––Department of
Informatic and Statistic, Technological Center, Federal University of Santa Catarina, Florianopolis,
Brazil, 2000.
646 A. Boukerche et al. / Parallel Computing 30 (2004) 629–646
[16] A.S. Perelson, Immune network theory, Immunological, Theoretical Division, Los Alamos National
Laboratory, NM 87545, Review 110, 1989, pp. 5–36.
[17] I.M. Roitt, Essential Immunology, fifth ed., Blackwell Scientific Publications, 1995.
[18] C. Rowland, Logcheck Reference Manual, Available from: <http://www.psionic.com/abacus>
accessed on March, 01. 2001.
[19] A. Somayaji, S. Hofmeyr, S. Forrest, Principles of a Computer Immune System, University of New
Mexico. Albuquerque, NM, 1997.
[20] J.B.M. Sobral, A language for specifying distributed systems in a high level abstraction (in
Portuguese, Uma linguagem para Especificac�~ao de Sistemas Distribu�ıdos em Alto N�ıvel de
Abstrac�~ao), Ph.D. Thesis––Electric Engineering Program at COPPE/UFRJ, Rio de Janeiro, Brazil,1996.
[21] J.M. Spivey, The Z Notation: A Reference Manual, Oxford University, England, 1994.
[22] J.I. Timmis, Artificial Immune Systems: a novel data analysis technique inspired by the immune
network theory, Ph.D. Thesis, Department of Computer Science, University of Wales, Aberystwyth,
2000.