Danger Theory: The Link between AIS and IDS?

We present ideas about creating a next generation Intrusion Detection System based on the latest immunological theories. The central challenge with computer security is determining the difference between normal and potentially harmful activity. For h…

Authors: Uwe Aickelin, Peter Bentley, Steve Cayzer

Proceedings ICARIS-2003, 2nd International Conference on Artificial Immune Systems, pp 147-155, 2003.

U Aickelin, P Bentley, S Cayzer, J Kim, J McLeod

University of Nottingham, uxa@cs.nott.ac.uk
University College London, P.Bentley@cs.ucl.ac.uk
HP Labs Bristol, Steve_Cayzer@hplb.hpl.hp.com
King’s College London, Jungwon@dcs.kcl.ac.uk
University of the West of England, Julie.Mcleod@uwe.ac.uk

Abstract

We present ideas about creating a next generation Intrusion Detection System (IDS) based on the latest immunological theories. The central challenge with computer security is determining the difference between normal and potentially harmful activity. For half a century, developers have protected their systems by coding rules that identify and block specific events. However, the nature of current and future threats in conjunction with ever larger IT systems urgently requires the development of automated and adaptive defensive tools. A promising solution is emerging in the form of Artificial Immune Systems (AIS): The Human Immune System (HIS) can detect and defend against harmful and previously unseen invaders, so can we not build a similar Intrusion Detection System (IDS) for our computers? Presumably, those systems would then have the same beneficial properties as HIS like error tolerance, adaptation and self-monitoring. Current AIS have been successful on test systems, but the algorithms rely on self-nonself discrimination, as stipulated in classical immunology. However, immunologists are increasingly finding fault with traditional self-nonself thinking and a new ‘Danger Theory’ (DT) is emerging. This new theory suggests that the immune system reacts to threats based on the correlation of various (danger) signals and it provides a method of ‘grounding’ the immune response, i.e. linking it directly to the attacker.
Little is currently understood of the precise nature and correlation of these signals and the theory is a topic of hot debate. It is the aim of this research to investigate this correlation and to translate the DT into the realms of computer security, thereby creating AIS that are no longer limited by self-nonself discrimination. It should be noted that we do not intend to defend this controversial theory per se, although as a deliverable this project will add to the body of knowledge in this area. Rather we are interested in its merits for scaling up AIS applications by overcoming self-nonself discrimination problems.

1. Introduction

The key to the next generation Intrusion Detection System (IDS) ([9], [25], [26]) that we are planning to build is the combination of recent Artificial Immune System (AIS) / Danger Theory (DT) models ([1], [4], [5], [32]) with our growing understanding of cellular components involved with cell death ([3], [11], [31]). In particular, the difference between necrotic (‘bad’) and apoptotic (‘good’ or ‘planned’) cell death, with respect to Antigen Presenting Cells (APCs) activation, is important in our proposed IDS. In the Human Immune System (HIS) apoptosis has a suppressive effect and necrosis a stimulatory immunological effect, although they might not actually be as distinct as currently thought. In the IDS context, we propose to use the correlation of these two effects as a basis of ‘danger signals’. A variety of contextual clues may be essential for a meaningful danger signal, and immunological studies will provide a framework of ideas as to how ‘danger’ is assessed in the HIS. In the IDS context, the danger signals should show up after limited attack to minimise damage and therefore have to be quickly and automatically measurable.
Once the danger signal has been transmitted, the AIS should react to those artificial antigens that are ‘near’ the emitter of the danger signal. This allows the AIS to pay special attention to dangerous components and would have the advantage of detecting rapidly spreading viruses or scanning intrusions fast and at an early stage preventing serious damage.

2. AIS and Intrusion Detection

Alongside intrusion prevention techniques such as encryption and firewalls, IDS are another significant method used to safeguard computer systems. The main goal of IDS is to detect unauthorised use, misuse and abuse of computer systems by both system insiders and external intruders. Most current IDS define suspicious signatures based on known intrusions and probes [25]. The obvious limit of this type of IDS is its failure of detecting previously unknown intrusions. In contrast, the HIS adaptively generates new immune cells so that it is able to detect previously unknown and rapidly evolving harmful antigens [28]. In order to provide viable IDS, AIS must build a set of detectors that accurately match antigens.

In current AIS based IDS ([9], [12], [19], [13]), both network connections and detectors are modelled as strings. Detectors are randomly created and then undergo a maturation phase where they are presented with good, i.e. self, connections. If the detectors match any of these they are eliminated otherwise they become mature. These mature detectors start to monitor new connections during their lifetime. If these mature detectors match anything else, exceeding a certain threshold value, they become activated. This is then reported to a human operator who decides whether there is a true anomaly. If so, the detectors are promoted to memory detectors with an indefinite life span and minimum activation threshold (immunisation) [27].
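The detector life cycle described above, as an added Python illustration (not code from the paper or from the systems it cites). The 8-bit strings, the r-contiguous-bits matching rule and the reading of the activation threshold as a match count are assumptions; `is_hole` goes one step beyond the text and shows a nonself string that no surviving detector can ever match.

```python
import random

# Constructed 8-bit "connection" strings standing in for normal (self) traffic.
SELF = ["11000011", "00000000"]
R = 4  # assumed matching rule: detector and string agree in R adjacent positions


def matches(detector, conn, r=R):
    """r-contiguous-bits rule: True if the strings agree in >= r adjacent positions."""
    run = 0
    for a, b in zip(detector, conn):
        run = run + 1 if a == b else 0
        if run >= r:
            return True
    return False


def random_candidates(n, length, seed):
    """Randomly created immature detectors (seeded so runs are repeatable)."""
    rng = random.Random(seed)
    return ["".join(rng.choice("01") for _ in range(length)) for _ in range(n)]


def mature(candidates, self_set, r=R):
    """Maturation phase: any candidate that matches a self string is eliminated."""
    survivors = [d for d in candidates
                 if not any(matches(d, s, r) for s in self_set)]
    return list(dict.fromkeys(survivors))  # drop duplicates, keep order


def monitor(detectors, traffic, r=R, activation_threshold=1):
    """Return {detector: matched connections} for detectors whose number of
    matches reaches the activation threshold (these go to the operator)."""
    hits = {d: [c for c in traffic if matches(d, c, r)] for d in detectors}
    return {d: cs for d, cs in hits.items() if len(cs) >= activation_threshold}


def is_hole(conn, self_set, r=R):
    """True if conn is nonself but every r-window of it also occurs, at the
    same offset, in some self string. Any detector able to match conn would
    then match self too and be eliminated, so conn can never be detected."""
    if conn in self_set:
        return False
    return all(any(conn[i:i + r] == s[i:i + r] for s in self_set)
               for i in range(len(conn) - r + 1))


if __name__ == "__main__":
    detectors = mature(random_candidates(200, 8, seed=1), SELF)
    traffic = SELF + ["01111110", "11000000"]  # last two are nonself
    alerts = monitor(detectors, traffic)
    flagged = sorted({c for cs in alerts.values() for c in cs})
    print(len(detectors), "mature detectors; flagged:", flagged)
    print("11000000 is a hole:", is_hole("11000000", SELF))
```
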
An approach such as the above is known as negative selection as only those detectors (antibodies) that do not match live on [13]. However, this appealing approach shows scaling problems when it is applied to real network traffic [26]. As the systems to be protected grow larger and larger so do self and nonself. Hence, it becomes more and more problematic to find a set of detectors that provides adequate coverage, whilst being computationally efficient. It is inefficient to map the entire self or nonself universe, particularly as they will be changing over time and only a minority of nonself is harmful, whilst some self might cause damage (e.g. internal attack). This situation is further aggravated by the fact that the labels self and nonself are often ambiguous and even with expert knowledge they are not always applied correctly [24].

2.1 The Danger Theory

We now examine the biological basis for the self-nonself metaphor, and the alternative DT hypothesis. The HIS is commonly thought to work at two levels: innate immunity including external barriers (skin, mucus), and the acquired or adaptive immune system [28]. As part of the latter level, B-Lymphocytes secrete specific antibodies that recognise and react to stimuli. It is this matching between antibodies and antigens that lies at the heart of the HIS and most AIS implementations. The central tenet of the immune system is the ability to respond to foreign invaders or ‘antigens’ whilst not reacting to ‘self’ molecules. In order to undertake this role the immune system needs to be able to discern differences between foreign, and possibly pathogenic, invaders and non-foreign molecules. It is currently believed that this occurs through the utilisation of the Major Histocompatibility Complex (MHC). This complex is unique to each individual and therefore provides a marker of ‘self’.
In addition, the cells within the immune system are matured by becoming tolerised to self-molecules. Together, through the MHC and tolerance, the HIS is able to recognise foreign invaders and send the requisite signals to the key effector cells involved with the immune response.

The DT debates this and argues that there must be discrimination happening that goes beyond the self-nonself distinction because the HIS only discriminates ‘some self’ from ‘some nonself’. It could therefore be proposed that it is not the ‘foreignness’ of the invaders that is important for immune recognition, but the relative ‘danger’ of these invaders. This theory was first proposed in 1994 [29] to explain current anomalies in our understanding of how the immune system recognises foreign invaders. For instance, there is no immune reaction to foreign bacteria in the gut or to food. Conversely, some auto-reactive processes exist, e.g. against self-molecules expressed by stressed cells. Furthermore, the human body (self) changes over its lifetime. Therefore, why do defences against nonself learned early in life not become auto-reactive later?

The DT suggests that foreign invaders, which are dangerous, will induce the generation of cellular molecules (danger signals) by initiating cellular stress or cell death [30]. These molecules are recognised by APCs, critical cells in the initiation of an immune response, which become activated leading to protective immune interactions. Overall there are two classes of danger signal; those which are generated endogenously i.e. by the body itself, and exogenous signals which are derived from invading organisms e.g. bacteria [16]. Evidence is accruing as to the existence of myriad endogenous danger signals including cell receptors, intracellular molecules and cytokines.
A commonality is their ability to activate APCs and thus drive an immune response.

We believe that the DT will provide a more suitable biological metaphor for IDS than the traditional self-nonself viewpoint, regardless of whether the theory holds for the HIS, something that is currently hotly debated amongst immunologists ([37], [21], [39]). In particular, the DT provides a way of grounding the response, i.e. linking it directly to the attacker and it removes the necessity to map self or nonself [1]. In our model, self-nonself discrimination will still be useful but it is no longer essential. This is because nonself no longer causes a response. Instead, danger signals will trigger a reaction. Actually, the response is more complicated than this, since it is believed that the APCs integrate necrotic (‘danger’) and apoptotic (‘safe’) signals in order to regulate the immune response. We intend to examine this integrative activity experimentally, which should provide useful inspiration for IDS.

2.2 The DT in the Context of the HIS

One of the central themes of the DT is the generation of danger signals through cellular stress or cell death. Cell death can occur in two ways; necrosis and apoptosis, and although both terminate in cell death, the intracellular pathways of each process are very distinct. Necrosis involves the unregulated death of a cell following cell stress and results in total cell lysis and subsequent inflammation due to the cell debris. Apoptosis, on the other hand, is a very regulated form of cell death with defined intracellular pathways and regulators [23]. Physiologically, apoptosis is utilised by the body to maintain tissue homeostasis and is vital in regulating the immune response. Once apoptosis is initiated extracellular receptors on the cell signal to phagocytic cells, e.g.
APCs to remove the dying cell from the system. Apoptosis can be initiated in a number of ways including; cytokine deprivation, death receptors e.g. CD95 and UV irradiation each having unique intracellular signalling profiles [17]. Interestingly, recent work has suggested that apoptotic pathways may not be as distinct from necrosis as previously assumed [20] and indeed may be inter-related. In both cases phagocytosis of the dying cell occurs and studies suggest that the APCs receive signals from the dying cells that affect the activation state of the APCs themselves [35]. These results are of particular interest since they support the concept of danger signals, with the APCs being a rheostat responding to ‘input’ signals from cells undergoing necrosis, tipping the immune balance towards a pro-inflammatory state, which is an ‘output’ signal.

Evidence to support the critical role of cell death signals in APC activation has shown that APCs, which have phagocytosed necrotic cells, generate pro-inflammatory cytokines e.g. interleukin (IL)-1, interferon (IFN) and necrotic cells have been found to activate APCs in a vital step towards an immune response ([35], [15]). Of particular interest is the finding that cells undergoing apoptosis, rather than being invisible to the APCs, may actually help regulate the APCs response to necrotic cell debris. Studies [14] have shown that apoptotic cells actively down-regulate the APC activity by generating anti-inflammatory cytokines e.g. TGF and PGE2, although in other cases this has not been observed [35]. In a further complexity to the balance, reports have shown that necrotic and apoptotic cells work together to affect the APC activation and subsequent immune response [35].
Therefore a balance between cell death, either necrotic or apoptotic, would appear to be critical to the final immunological outcome.

Here, we seek to understand how the APCs react to the balance of ‘input’ signals from apoptotic and necrotic cell death with an aim to determine and simplify the danger signal ‘output’. Previous studies have observed alterations in the generation of pro- and anti-inflammatory cytokines e.g. IL-1, IFN, TGF-ß and PGE2 following APC incubation with necrotic or apoptotic cells respectively [14]. In addition, activation-related receptors e.g. MHC and CD80/86 have been reported to be upregulated in the presence of necrotic cells [15]. We intend to extend and confirm these studies using proteomics, which will allow the pan-identification of novel, key proteins within the APC which are influenced by the presence of dying cells or ‘danger signals’.

Hence, the aims of the immunological investigation can be summarised as:

• To identify and investigate key APC-derived signals in response to co-culture with necrotic or apoptotic cells.
• To undertake functional analysis of the identified key signals in affecting the activation state of immune cells.
• To manipulate the co-culture system and derived signals upon results from the AIS / IDS studies.

2.3 Intrusion Detection Systems – Current State of the Art

An important and recent research issue for IDS is how to find true intrusion alerts from the thousands of alerts generated [19]. Existing IDS employ various types of sensors that monitor low-level system events. Those sensors report anomalies of network traffic patterns, unusual terminations of UNIX processes, memory usages, the attempts to access unauthorised files, etc. [24].
Although these reports are useful signals of real intrusions, they are often mixed with false alerts and their unmanageable volume forces a security officer to ignore most alerts [18]. Moreover, the low level of alerts makes it hard for a security officer to identify advancing intrusions that usually consist of different stages of attack sequences. For instance, hackers often use a number of preparatory stages (raising low-level alerts) before actual hacking [18]. Hence, the correlations between intrusion alerts from different attack stages provide more convincing attack scenarios than detecting an intrusion scenario based on low-level alerts from individual stages.

To correlate IDS alerts for detection of an intrusion scenario, recent studies have employed two different approaches: a probabilistic approach ([8], [36], [38]) and an expert system approach ([6], [7], [10], [33], [34]). The probabilistic approach represents known intrusion scenarios as Bayesian networks. The nodes of Bayesian networks are IDS alerts and the posterior likelihood between nodes is updated as new alerts are collected. The updated likelihood can lead to conclusions about a specific intrusion scenario occurring or not. The expert system approach initially builds possible intrusion scenarios by identifying low-level alerts. These alerts consist of prerequisites and consequences, and they are represented as hypergraphs ([33], [34]) or specification language forms ([6], [10], [18]). Known intrusion scenarios are detected by observing the low-level alerts at each stage. These approaches have the following problems [7]:

• Handling unobserved low-level alerts that comprise an intrusion scenario.
• Handling optional prerequisite actions and intrusion scenario variations.
The common trait of these problems is that the IDS can fail to detect an intrusion if an incomplete set of alerts comprising an intrusion scenario is reported. In handling this problem, the probabilistic approach is somewhat more advantageous because in theory it allows the IDS to correlate missing or mutated alerts. However, the similarities alone can fail to identify a causal relationship between prerequisite actions and actual attacks if pairs of prerequisite actions and actual attacks do not appear frequently enough to be reported. Attackers often do not repeat the same actions in order to disguise their attempts. Thus, the current probabilistic approach fails to detect intrusions that do not show strong similarities between alert features but have causal relationships leading to final attacks ([8], [36], [38]).

3. A DT-Inspired Approach to Intrusion Detection

We propose AIS based on DT ideas that can handle the above IDS alert correlation problems. As outlined previously, the DT explains the immune response of the human body by the interaction between APCs and various signals. The immune response of each APC is determined by the generation of danger signals through cellular stress or death. In particular, the balance and correlation between different signals depending on different causes appears to be critical to the immunological outcome. Proposed wet experiments of this project focus on understanding how the APCs react to the balance of different types of signals, and how this reaction leads to an overall immune response. Similarly, our IDS investigation will centre on understanding how intrusion scenarios would be detected by reacting to the balance of various types of alerts. In the HIS, APCs activate according to the balance of apoptotic and necrotic cells and this activation leads to protective immune responses.
Similarly, the sensors in IDS report various low-level alerts and the correlation of these alerts will lead to the construction of an intrusion scenario.

3.1 Apoptotic versus Necrotic Alerts

We believe that various IDS alerts can be categorised into two groups: apoptotic type of alerts and necrotic type of alerts. Apoptotic alerts correspond to ‘normal’ cell death – hence, low-level alerts that could result from legitimate actions but could also be the prerequisites for an attack. Necrotic (unregulated cell death) alerts on the other hand relate to actual damage caused by a successful attack. An intrusion scenario consists of several actions, divided into prerequisite stages and actual attack stages [7]. For instance, in the case of Distributed Denial of Service (DDOS) intrusions, intruders initially look for vulnerable Sadmind services by executing the Ping Sadmind process [33]. This would be an apoptotic alert, relating to a prerequisite action. Just as apoptosis is vital in regulating the human immune response, apoptotic types of alerts are vital in detecting an intrusion scenario (since it indicates the prerequisite actions within an actual intrusion scenario). Necrotic alerts, or actual attack alerts, are raised when the IDS observes system damage caused by the DDOS. Just as necrosis involves the unregulated cell death, necrotic types of alerts would be those generated from the unexpected system outcomes.

In our opinion, a better understanding of how the APCs react to the balance of apoptotic and necrotic cells would help us to propose a new approach to correlate apoptotic and necrotic type of alerts generated from sensors. If the DT can explain the key proteins leading to necrotic and apoptotic signals, DT-based AIS would also be able to identify key types of apoptotic and necrotic alerts revealing the degree of alert correlation.
In this way, DT-based AIS will correlate key types of alerts rather than specific alerts, and this will allow the AIS to correlate missing or mutated alerts as long as the key types of alerts are reported. For instance, in the DDOS example, an intruder can directly attack without executing Ping but executing the similar process traceroute instead [7]. In this case, our DT-based AIS should be able to link traceroute to DDOS attack damage since any type of scanning process is understood as an apoptotic type of alert for DDOS attacks.

3.2 Strength of Reactions

Additionally, if the DT can quantify the degree of the immune response, DT-based AIS would be able to quantify the degree of overall alert detection strictness. For instance, false positive alerts of IDS are often caused by inappropriate setting of intrusion signatures or anomaly thresholds. Debar and Wespi [9] use a clustering algorithm to group a large number of alerts and manually extract a generalised alarm reflecting each alarm cluster. By doing so, they identify the root cause of each alarm cluster and discriminate false positive alert clusters from true positive alert clusters. The root cause is the most basic cause that can reasonably be identified and fixed [9]. According to the identified root causes, new intrusion signatures or anomaly thresholds are redefined by removing those causing root causes. However, their work has not reported further impacts after intrusion signatures and anomaly thresholds are reset. Simple removal of intrusion signatures that cause the root causes might degrade true positive detection rate instead. Furthermore, continuous changes of network and system environments require constant updates of intrusion signatures and anomaly thresholds.
Thus, it is important for IDS how to react to false positive alerts and true positive alerts dynamically. The key feature of the DT-based AIS would provide a possible solution for this issue. The DT-based AIS would adopt a similar way to two types of immune cell death signals affecting the activation of nearby APCs. Currently observed balances between two types of alerts would affect the IDS sensors’ activation status by resetting intrusion signatures or anomaly thresholds. Then, these new settings will result in new balances between the two types of alerts. If the DT can explain that this kind of cascading reaction stabilises in a way so that the overall immune responses can converge to an ideal status at given time, the DT-based AIS would also be able to follow a similar mechanism to identify the most suitable intrusion signature and anomaly thresholds setting at given time.

3.3 Danger Zones

Furthermore, our study aims to investigate how the danger alerts reported from a sensor can be transmitted to other sensors in order to detect on-going intrusions. Once a sensor has generated the danger signals or alerts, the AIS can quantify the degree of alert correlations indicating the strength of possible intrusion scenarios. If the AIS has strong indications of possible intrusion scenarios, it can activate other sensors that are spatially, temporally or logically ‘near’ the original sensor emitting the danger signal. This process is similar to the activated APCs sending its immune response providing a self-nonself independent grounding. For instance, when the danger signal reports the strong possibility of a web server compromise, this signal can be sent to other web servers in the same network domain.

4. Summary and Conclusions

Our aim is to challenge the classical self-nonself viewpoint in AIS based IDS, and replace it by ideas from the DT.
Existing systems using certain aspects of the HIS have been successful on small problems and have shown the same benefits as their natural counterparts: error tolerance, adaptation and self-monitoring. The DT is a new theory amongst immunologists stating that the natural immune system does not rely on self-nonself discrimination but identifies ‘danger’. This is currently hotly debated by immunologists and far from widely accepted and has never before been applied to the IDS arena. It is our opinion that this theory is the key that will unlock the true potential of AIS by allowing us to build commercially viable systems that can scale up to real world problem sizes. We intend to use the correlation of signals based on the DT. We believe the success of our system to be independent of the eventual acceptance or rejection of the DT by immunologists as the proposed AIS would achieve this by identifying key types of apoptotic and necrotic alerts and understanding the balance between these two types of alerts. In addition, the proposed AIS is extended by employing the APC activation mechanism explained by the DT. This mechanism has the advantage of detecting rapidly spreading viruses or scanning intrusions at an early stage.

References

[1] Aickelin U, Cayzer S (2002), The Danger Theory and Its Application to AIS, 1st International Conference on AIS, pp 141-148.
[2] Barcia R, Pallister C, Sansom D, McLeod J (2000), Apoptotic response to membrane and soluble CD95-ligand by human peripheral T cells, Immunology 101 S1 77.
[3] Boulougouris G, McLeod J et al (1999), IL-2 independent T cell activation and proliferation induced by CD28. Journal of Immunology 163: 1809-1816.
[4] Cayzer S, Aickelin U (2002), A Recommender System based on the Immune Network, Proceedings CEC, pp 807-813.
[5] Cayzer S, Aickelin U (2002), Idiotypic Interactions for Recommendation Communities in AIS, 1st International Conference on AIS, pp 154-160.
[6] Cuppens F (2001), Managing Alerts in a Multi Intrusion Detection Environment, the 17th Annual Computer Security Applications Conference.
[7] Cuppens F et al (2002), Correlation in an Intrusion Process, Internet Security Communication Workshop (SECI'02).
[8] Dain O, Cunningham R (2001), Fusing a Heterogeneous Alert Stream into Scenarios, Proceeding of the 2001 ACM Workshop on Data Mining for Security Applications, pp 1-13.
[9] Dasgupta D, Gonzalez F (2002), "An Immunity-Based Technique to Characterize Intrusions in Computer Networks", IEEE Trans. Evol. Comput. Vol 6; 3, pp 1081-1088.
[10] Debar H, Wespi A (2001), Aggregation and Correlation of Intrusion-Detection Alerts, the Fourth workshop on the Recent Advances in Intrusion Detection, LNCS 2212, pp 85-103.
[11] Dennett N, Barcia R, McLeod J (2002), Biomarkers of apoptotic susceptibility associated with in vitro ageing, Experimental Gerontology 37, 271-283.
[12] Esponda F, Forrest S, Helman P (2002), Positive and Negative Detection, IEEE Transactions on Systems, Man and Cybernetics.
[13] Esponda F, Forrest S, Helman P (2002), Positive and Negative Detection, IEEE Transactions on Systems, Man and Cybernetics (Submitted).
[14] Fadok et al (1998), Macrophages that have ingested apoptotic cells in vitro inhibit proinflammatory cytokine production through autocrine/paracrine mechanisms involving TGFb, PGE2, and PAF, Journal of Clinical Investigation 101(4), 890-898.
[15] Gallucci S et al (1999), Natural Adjuvants: Endogenous activators of dendritic cells, Nature Medicine 5(11), pp 1249-1255.
[16] Gallucci S, Matzinger P (2001), Danger signals: SOS to the immune system, Current Opinions in Immunology 13, pp 114-119.
[17] Hirata et al (1998), Caspases are activated in a branched protease cascade and control distinct downstream processes in Fas-induced apoptosis, J Experimental Medicine 187(4), 587-600.
[18] Hoagland J, Staniford S (2002), Viewing IDS alerts: Lessons from SnortSnarf, www.silicondefense.com/software/snortsnarf/
[19] Hofmeyr S, Forrest S (2000), Architecture for an AIS, Evolutionary Computation, Vol. 7, No. 1, pp 1289-1296.
[20] Holler et al (2000), Fas triggers an alternative, caspase-8-independent cell death pathway using the kinase RIP as effector molecule, Nature Immunology 1(6), 489-495.
[21] Holzman D (1995), New danger theory of immunology challenges old assumptions, Journal Natl Cancer Inst, 87 (19): 1436-1438.
[22] Inaba et al (1994), The tissue distribution of the B7-2 costimulator in mice, J Experimental Medicine 180, 1849-1860.
[23] Kerr et al (1972), Apoptosis: Its significance in cancer and cancer therapy, British Journal of Cancer 26(4), pp 239-257.
[24] Kim J (2002), Integrating Artificial Immune Algorithms for Intrusion Detection, PhD Thesis, University College London.
[25] Kim J, Bentley P (1999), The Artificial Immune Model for Network Intrusion Detection, 7th European Congress on Intelligent Techniques and Soft Computing (EUFIT'99).
[26] Kim J, Bentley P (2001), Evaluating Negative Selection in an AIS for Network Intrusion Detection, Genetic and Evolutionary Computation Conference 2001, 1330-1337.
[27] Kim J, Bentley P (2002), Towards an AIS for Network Intrusion Detection: An Investigation of Dynamic Clonal Selection, the Congress on Evolutionary Computation 2002, pp 1015-1020.
[28] Kuby J (2002), Immunology, Fifth Edition by Richard A. Goldsby et al.
[29] Matzinger P (1994), Tolerance Danger and the Extended Family, Annual reviews of Immunology 12, pp 991-1045.
[30] Matzinger P (2002), The Danger Model: A Renewed Sense of Self, Science 296: 301-305.
[31] McLeod J (2000), Apoptotic capability of ageing T cells, Mechanisms of Ageing and Development 121, pp 151-159.
[32] Morrison T, Aickelin U (2002), An AIS as a Recommender System for Web Sites, 1st International Conference on AIS, pp 161-169.
[33] Ning P, Cui Y (2002), An Intrusion Alert Correlator Based on Prerequisites of Intrusions, TR-2002-01, North Carolina State University.
[34] Ning P, Cui Y, Reeves S (2002), Constructing Attack Scenarios through Correlation of Intrusion Alerts, 9th Conference on Computer & Communications Security, pp 245-254.
[35] Sauter et al (2001), Consequences of cell death: exposure to necrotic tumor cells, Journal of Experimental Medicine 191(3), 423-433.
[36] Stainford E, Hogland J, McAlerney J (2002), Practical Automated Detection of Stealthy Portscans, Journal of Computer Security, Vol. 10, Issues 1/2.
[37] Todryk S, Melcher S, Dalgleish A et al (2000), "Heat shock proteins refine the danger theory" Immunology 99 (3): 334-337.
[38] Valdes A, Skinner K (2001), Probabilistic Alert Correlation, RAID’2001, 54-68.
[39] Vance R (2000), Cutting Edge Commentary: A Copernican Revolution? Doubts about the danger theory, j immunology 165 (4), 1725-1728.
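
Added illustration, not part of the original paper, of the alert correlation proposed in Sections 3.1 and 3.3: alerts are linked by key type rather than by name, and a necrotic alert defines a danger zone of sensors in the same network domain. The alert names, the type table, the time window, the sensor list and the sample stream are all constructed assumptions.

```python
from dataclasses import dataclass

# Assumed taxonomy (constructed names): alert name -> (class, key type).
ALERT_TYPES = {
    "ping_sadmind":   ("apoptotic", "scan"),
    "traceroute":     ("apoptotic", "scan"),
    "user_login":     ("apoptotic", "login"),
    "service_outage": ("necrotic", "ddos_damage"),
}
# Apoptotic key types treated as prerequisites of each necrotic key type.
PREREQUISITES = {"ddos_damage": {"scan"}}
# Sensors grouped by network domain; used to build the danger zone.
SENSORS = {"dmz": ["web1", "web2", "web3"], "office": ["pc1", "pc2"]}


@dataclass(frozen=True)
class Alert:
    t: int        # seconds since start of capture
    sensor: str
    domain: str
    name: str


# Constructed stream: the scan before the damage is traceroute, not Ping Sadmind.
SAMPLE = [
    Alert(10, "web1", "dmz", "ping_sadmind"),     # old scan, outside a 60 s window
    Alert(100, "web1", "dmz", "traceroute"),
    Alert(105, "pc1", "office", "ping_sadmind"),  # other domain, no damage there
    Alert(120, "web3", "dmz", "user_login"),      # legitimate, not a prerequisite
    Alert(130, "web2", "dmz", "service_outage"),  # necrotic: the danger signal
]


def near(a, danger, window):
    """Logical and temporal nearness: same domain, at most `window` s earlier."""
    return a.domain == danger.domain and 0 <= danger.t - a.t <= window


def necrotic(alerts):
    return [a for a in alerts if ALERT_TYPES[a.name][0] == "necrotic"]


def correlate_by_type(alerts, window):
    """For each necrotic alert, collect nearby apoptotic alerts whose key type
    is a prerequisite of that kind of damage."""
    scenarios = []
    for danger in necrotic(alerts):
        wanted = PREREQUISITES.get(ALERT_TYPES[danger.name][1], set())
        pre = [a for a in alerts
               if ALERT_TYPES[a.name][0] == "apoptotic"
               and ALERT_TYPES[a.name][1] in wanted
               and near(a, danger, window)]
        scenarios.append((danger, pre))
    return scenarios


def correlate_by_name(alerts, window, rules):
    """Baseline for comparison: a scenario rule that lists exact alert names."""
    return [(danger, [a for a in alerts
                      if a.name in rules.get(danger.name, set())
                      and near(a, danger, window)])
            for danger in necrotic(alerts)]


def danger_zone(danger, sensors):
    """Other sensors in the emitter's domain that should be activated."""
    return [s for s in sensors.get(danger.domain, []) if s != danger.sensor]


if __name__ == "__main__":
    for danger, pre in correlate_by_type(SAMPLE, window=60):
        print(danger.name, "on", danger.sensor, "<-", [a.name for a in pre],
              "| activate:", danger_zone(danger, SENSORS))
```

With the exact-name rule `{"service_outage": {"ping_sadmind"}}` the same stream yields the outage with no prerequisite attached, which is the mutated-alert case the key-type table is meant to cover.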
