Clonal vs. Negative Selection in Artificial Immune Systems (AIS) Marcellus Williams Moayed Daniel Daneshyari Hampton University Hampton University 100 East Queen Street 100 East Queen Street Hampton, VA 23668 Hampton, VA 23668 1(757)316-6319 1(757) 728-6406 [email protected] [email protected] ABSTRACT In this paper, we review the bio-inspired Artificial Immune System (AIS) using two detection and selection mechanism 2. LITERATURE REVIEW known as negative selection and clonal selections. AIS mimic the One such proposed algorithm to be utilized in implementing an behavior of natural immune system to find the unknown pattern artificial immune system is the HAIS Supervised Learning that have not been seen by the system similar to what bodies Algorithm, which is meant to imitate the adaptive response of an would do in facing the microbial entities. We simulate the immune system. It contains different components of the immune behavior of negative selection and clonal selection and compare system including B cells, IGs, antibodies, hyper mutation, them with each other to see the benefit of each one. Our goal is to memory cells, and affinity maturation. The B cells identify data design a system that can be utilized as an Intrusion Detection (ID) samples of different computational afflictions; the B cells operate tool in networking security paradigms. as the first layer and contain antibodies that capture the system pathogens for identification. Once the pathogen is identified the B cell executes the appropriate protocol to cure the machine and General Terms once this is completed the system becomes more optimized to the Algorithms, Design, Security protocol established to defeat this particular type of ailment. [1] This algorithm is broken down into phases that allow it to mimic Keywords the response mechanism of the human immune system. The first Artificial Immune System, Clonal Selection, Negative Selection, phase of implementation for the artificial immune system Computer Security algorithm is to detect an intrusion. Similar to the body in order to be a reactive system it must detect that something is abnormal or 1. INTRODUCTION hinders optimal performance. It is difficult because the system Artificial immune system is the idea that the concept of the must have a problem set with conditions already determined that human immune system can be mimicked to be utilized in are intrusions or pathogens in medical terms to react to. [2] computing to defend or even heal systems [1]. The human body uses an automated process of identifying viruses and pathogens that negatively impact the body, without harming the cells that are harmless. To make this process artificial covers many aspects of For intrusion detection you analyze the conditions in the problem computing including artificial intelligence to be able to detect and and determine the severity of the affliction. If the information or make decisions with little human interference. This artificial input given in the problem set matches the conditions of what the immune system would function ideally utilizing an artificial immune system determines as malicious, then the automated nervous system to detect malfunctions, and initiate the right immune system will react to the positive reading and begin to response sequence. The human body adapts to vaccinations, analyze the affliction to manufacture the antibodies with the which introduce a harmful virus or pathogen into the body at a appropriate signatures to effectively limit damage and deal with weakened state to set a precedence of how the body should react the attack. If the conditions are read as divine the system will if faced with the real virus or threat to the system. This process dismiss the negative reading. The difficulty in this procedure is can be applied in a security context if we can automate this false positives and negatives as highlighted in this sample portion. process, and create algorithms that introduce these afflictions to There must be controls set in place to limit the possibility of false the system and automate an effective analysis of the virus so it positives and negatives and confirm accurate readings. There can automatically initiate the right solution sequence. must be a threshold in place that represents the margin of error in identifying intrusive behavior. There must be a percentage that indicates the possibility for either a positive or negative reading or the system must know, which way to lean towards based on that Permission to make digital or hard copies of all or part of this work for percentage to prevent false readings. [3] personal or classroom use is granted without fee provided that copies are The next portion of the algorithm consists of analyzing the not made or distributed for profit or commercial advantage and that properties of the ailment and manufacturing the appropriate copies bear this notice and the full citation on the first page. To copy antibodies to deal with the affliction. The antibody properties are otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. generated pseudo randomly in a random number generator when the classification of affliction is determined. The system then tries ADMI 2016, March 31-April 3, 2016, Winston-Salem, NC, USA. Copyright 2016 ADMI. to match itself to the signatures of virus or intrusion based on the system to select and eliminate harmful pathogens from the body. class of the virus. It repeats this process until the appropriate Through the gene expression process the human immune system signature of antibody is found and then it replicates these makes gene libraries that develop antibodies, which attach to antibodies to deal with the affliction. [3] pathogens and neutralize their impact on the body. The signature The matching phase of the artificial immune system uses of the antigen is identified and the population of antibodies is mathematical formulas to calculate the difference between the consulted to find the antibody that is genetically designed to intrusion or virus and the signatures stored from the vaccination combat that antigen. [4] The negative selection algorithm has phase. It uses a form of the standard deviation formula to been successfully applied to detect computer viruses, and has determine the difference between the signatures of the vaccination shown several advantages over previous methods of detection for and the intrusion or virus. being able to constantly adapt and detect anomaly in computer systems. [3] The Negative Selection Algorithm is designed to be a detection system for abnormal activity in computer systems. 3.1.1 Pseudo Code for Detector Generation Input: Data This is the correlation coefficient which is used in this algorithm Output: Antibodies to determine how closely related the pathogen X is to the signatures stored in the system through the vaccination phase Generator using byte signatures to determine how far the pathogen is from While(StopCondition()) the matching signature. DetectorGenerateRandDetectors() For( Antibodies) The Hamming distance is a common function that measures how If(Matches( , Data)) much a bit string has been corrupted or altered during Antibodies transmission. This can be applied effectively in this algorithm to End determine the difference between the pathogen and the signature End stored in the artificial immune system. This is used to determine End the landscape affinity, which identifies the appropriate antigen and bonds with the pathogen neutralizing its effect on the natural 3.1.2 Pseudo Code for Detector Application human immune system. Input: pathogenSamples, Antibodies The landscape affinity can be artificially implementing using a For(Inputi pathogenSamples) threshold or limit based on the antibody and the input of the Input ”non-self” affliction. These differences are measured using bit string For( Antibodies) differences that are either measured by the correlation coefficient If(Matches( , )) or the hamming distance of the bit string. [3] ”self” break end end Once an antigen has been matched with a pathogen the artificial end immune system can heal the system. In the human body the 3.1.3 Detector Generation antigen neutralizes the effects of the pathogen rendering it The first algorithm randomly creates the amount of detectors that harmless and the body disposes of the pathogen. The concept of will act as the antibodies for the artificial detection system. It is the artificial immune system implements these using formulas that designed to mirror the genetic production of antibodies in the determine the right antigen to match the pathogen impacting the system by obtaining the data to create the genetic material, and system. This can be applied in a security context by improving the store that data into each antibody. This data is the signatures of efficiency of intrusion detection and prevention systems. It the viruses each antibody is supposed to combat. It generates a creates a more reactive system that is able to effectively detect random amount of antibodies, and if the detector matches the and defeat harmful system pathogens with little human data, then the data is stored into the antibody giving it the intervention. [3] characteristics to be able to ward off the harmful pathogen in the A hybrid method was also proposed consisting of a neural system artificial immune system. [2] that controls the deployment of antigens and antibodies. This 3.1.4 Detector Application neural system is meant to be a more effective method of the system learning the signatures of viruses. It stores the conditions The second algorithm uses the output of the first algorithm to from the vaccination phase for optimal implementation of the detect pathogen samples and apply the appropriate antibody to HAIS algorithm. It is able to be more efficient spending less time combat the pathogen that matches its signature. The pathogen analyzing the pathogen, and more time reacting and defeating the sample is entered into the algorithm and the antibodies generated pathogen that is affecting the system.