Dendritic Cells for SYN Scan Detection
Artificial immune systems have previously been applied to the problem of intrusion detection. The aim of this research is to develop an intrusion detection system based on the function of Dendritic Cells (DCs). DCs are antigen presenting cells and key to activation of the human immune system, behaviour which has been abstracted to form the Dendritic Cell Algorithm (DCA). In algorithmic terms, individual DCs perform multi-sensor data fusion, asynchronously correlating the fused data signals with a secondary data stream. The aggregate output of a population of cells is analysed and forms the basis of an anomaly detection system. In this paper the DCA is applied to the detection of outgoing port scans using TCP SYN packets. Results show that detection can be achieved with the DCA, yet some false positives can be encountered when simultaneously scanning and using other network services. Suggestions are made for using adaptive signals to alleviate this uncovered problem.
💡 Research Summary
This paper presents an intrusion detection system (IDS) built on the Dendritic Cell Algorithm (DCA), an artificial immune system technique inspired by the antigen‑presenting function of biological dendritic cells (DCs). The authors apply the DCA to the detection of outbound TCP SYN port scans, a common reconnaissance technique in which an attacker sends a rapid series of SYN packets to probe the state of remote ports.
The DCA models each DC as a multi‑sensor data‑fusion unit that receives three categories of signals and a stream of antigens. The signals are:
- PAMP (Pathogen‑Associated Molecular Pattern) – a strong indicator of abnormal activity, here defined as an unusually high ratio of SYN packets within a short time window.
- Danger – a moderate indicator reflecting stress in the system, instantiated as sudden changes in response latency or a surge in failed connection attempts.
- Safe – a calming indicator of normal operation, captured by stable ACK/FIN ratios and consistent traffic patterns.
Each DC processes the incoming signals asynchronously. If the weighted sum of PAMP and Danger signals dominates, the cell matures and tags its associated antigen with a “dangerous” context; if Safe signals dominate, the cell becomes semi‑mature and tags the antigen as “normal”. A population of DCs (typically 100–200) operates in parallel, each with a limited lifespan (e.g., one second). After the population has processed a batch of antigens, the system aggregates the contexts to compute a mature‑to‑semi‑mature ratio (the “anomaly score”). A high ratio triggers an alert that a SYN scan is in progress.
The experimental methodology consists of two phases. In the first, a controlled lab environment isolates a single host that performs a pure SYN scan while no other traffic is present. Under these conditions the DCA achieves a detection rate above 95 % and a false‑positive rate below 2 %, as demonstrated by a receiver‑operating‑characteristic (ROC) curve with an area under the curve (AUC) close to 1.0.
The second phase evaluates the algorithm in a realistic corporate network where users simultaneously engage in file transfers, web browsing, email, and other services. In this mixed‑traffic scenario the false‑positive rate rises to roughly 12 %. The authors attribute the increase to overlapping signal patterns: large file transfers generate bursts of SYN packets and variable ACK delays that can be mistaken for PAMP or Danger signals.
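A compact implementation of the DCA loop described above, run on a constructed signal stream whose last phase reproduces the mixed-traffic case (a scan running alongside a file transfer). This is an added example, not the authors' code: the output weights, migration thresholds, antigen names and per-step signal levels are assumptions chosen for the demonstration.

```python
# Minimal Dendritic Cell Algorithm (DCA) over a constructed signal stream.
# Added illustration, not the paper's implementation: weights, migration
# thresholds and per-step signal levels are assumptions for the demo.
from collections import defaultdict

# Assumed weights per (PAMP, danger, safe) for the three internal outputs:
# csm drives migration; mature vs semi-mature decides the reported context.
WEIGHTS = {"csm": (2.0, 1.0, 2.0), "semi": (0.0, 0.0, 1.0), "mat": (2.0, 1.0, -1.5)}

class DendriticCell:
    def __init__(self, migration_threshold):
        self.threshold = migration_threshold  # acts as the cell's lifespan
        self.reset()

    def reset(self):
        self.out = {"csm": 0.0, "semi": 0.0, "mat": 0.0}
        self.antigens = []

    def sense(self, antigens, pamp, danger, safe):
        """Fuse one step of signals; return (context, antigens) when migrating."""
        for key, (wp, wd, ws) in WEIGHTS.items():
            self.out[key] += wp * pamp + wd * danger + ws * safe
        self.antigens.extend(antigens)
        if self.out["csm"] < self.threshold:
            return None
        context = "mature" if self.out["mat"] > self.out["semi"] else "semi"
        presented = (context, self.antigens)
        self.reset()
        return presented

def run_dca(stream, thresholds=(5.0, 10.0, 20.0)):
    """Per-antigen anomaly score: share of presentations made in mature context."""
    cells = [DendriticCell(t) for t in thresholds]  # varied lifespans in the pool
    counts = defaultdict(lambda: {"mature": 0, "semi": 0})
    for antigens, pamp, danger, safe in stream:
        for cell in cells:  # every cell samples this step's antigens and signals
            result = cell.sense(antigens, pamp, danger, safe)
            if result:
                context, seen = result
                for antigen in seen:
                    counts[antigen][context] += 1
    return {a: c["mature"] / (c["mature"] + c["semi"]) for a, c in counts.items()}

def flagged(scores, cutoff=0.5):
    """Antigens (process names) whose anomaly score exceeds the cutoff."""
    return {a for a, s in scores.items() if s > cutoff}

# Constructed stream: a scan alone, then web browsing alone, then the scan
# running concurrently with a file transfer (the paper's mixed-traffic case).
STREAM = ([(["scan"], 1.0, 0.5, 0.0)] * 6
          + [(["web"], 0.0, 0.2, 1.0)] * 6
          + [(["scan", "ftp"], 1.0, 0.5, 0.3)] * 6)
```

On this stream `ftp` scores almost as high as `scan` because the two antigens were collected under the same signal window, which is exactly the overlap the second experimental phase exposes.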
To mitigate this problem, the paper proposes adaptive signal weighting and dynamic threshold adjustment. The idea is to continuously profile background traffic and raise the weight of Safe signals when normal services dominate, while simultaneously learning service‑specific baselines for PAMP and Danger thresholds. Additionally, the size of the DC population and the lifespan of each cell can be tuned in response to observed traffic load, ensuring that each processing window captures a representative sample of the current network state.
The authors conclude that the DCA successfully translates a core principle of the human immune system—distributed, asynchronous multi‑sensor fusion—into a practical IDS component. The algorithm’s ability to correlate disparate signals before labeling an antigen provides robustness against simple evasion techniques that defeat single‑feature detectors. However, the study also highlights the sensitivity of the system to signal design and parameter selection. Future work should explore more sophisticated adaptive mechanisms, longer‑term learning models, and extensions to other attack families such as UDP floods or DNS tunneling.
Overall, the paper demonstrates that biologically inspired, population‑based algorithms can achieve competitive detection performance for network reconnaissance while opening avenues for further research into adaptive, context‑aware intrusion detection.