LISYS is an artificial immune system framework which is specialized for the problem of network intrusion detection. LISYS learns to detect abnormal packets by observing normal network tra#c. Because LISYS sees only a partial sample of normal tra#c, it must generalize from its observations in order to characterize normal behavior correctly. A variation of the r-contiguous bits matching rule is introduced, and its e#ect on coverage and generalization is studied. The e#ect of representation diversity on coverage and generalization is also explored by studying permutations in the order of bits in the representation.

This paper studies a simplified form of LISYS, an artificial immune system for network intrusion detection. The paper describes results based on a new, more controlled data set than that used for earlier studies. The paper also looks at which parameters appear most important for minimizing false positives, as well as the trade-o#s and relationships among parameter settings.

This chapter describes the behavior of the immune system from an informationprocessing perspective. It reviews a series of projects conducted at the University of New Mexico and the Santa Fe Institute, which have developed and explored the theme "immunology as information processing." The projects cover the spectrum from serious modeling of real immunological phenomena, such as crossreactive responses in animals and the generation of diversity, to computer science applications, especially the attempt to develop an immune system for computers to protect them against viruses, intrusions, and other malicious activities. In each project, we have used an approach with the following steps: (1) Identify a specific mechanism that appears to be interesting computationally, (2) write a computer program that implements or models the mechanism, (3) study its properties through simulation and mathematical analysis, and (4) demonstrate its capabilities, either by applying the ...

Many people are exposed to more information than they can process eectively. We describe an approach to building an information immune system that eliminates undesirable information before it reaches the user. This approach

Intrusions may sometimes involve the insertion of hostile code in an intrusion-detection system, causing it to "lie", for example by giving a ood of false-positives. To address this problem we consider an intrusion detection system as a reflective layer in an autonomous system which is able to observe the whole system's internal behaviour and take corrective action as necessary. To protect the reective layer itself, several mutually reective components (agents) are used within the layer. Each agent acquires a model of the normal behaviour of a group of other agents under its protection and uses this model to detect anomalies. The ideal situation is a "closed reflective network" where all components are monitored and protected by other components within the same autonomous system, so that no component is left unprotected. Using informal...