## An Immunological Approach to Change Detection: Algorithms (1996)

Venue: IEEE Symposium on Security and Privacy

Citations: 130 - 20 self

### BibTeX

@INPROCEEDINGS{Forrest96animmunological,
    author = {Stephanie Forrest and Paul Helman},
    title = {An Immunological Approach to Change Detection: Algorithms},
    booktitle = {Analysis and Implications,” IEEE Symposium on Security and Privacy},
    year = {1996},
    pages = {110--119}
}

### Abstract

We present new results on a distributable change-detection method inspired by the natural immune system. A weakness in the original algorithm was the exponential cost of generating detectors. Two detector-generating algorithms are introduced which run in linear time. The algorithms are analyzed, heuristics are given for setting parameters based on the analysis, and the presence of holes in detector space is examined. The analysis provides a basis for assessing the practicality of the algorithms in specific settings, and some of the implications are discussed.

### Citations

315 | Self/Non-self Discrimination in a computer
- Forrest
- 1994
Citation Context ...otection algorithms can be a major vulnerability in large networks of computers because an intrusion at one site implies that all sites are vulnerable. The negative detection method was introduced in [6]. Our current emphasis is on extending the theoretical basis of the method and addressing the important question of practicality, including (i) the feasibility of generating detectors, (ii) determinin...

86 | Theoretical studies of clonal selection: minimal antibody repertoire size and reliability of self-non-self discrimination
- Perelson, Oster
- 1979
Citation Context ...o reach the desired $P_f$). At best, we can spread the detectors apart such that no two detectors match the same nonself string. This gives us an absolute lower bound on the number of detectors needed [12]: $N_R \geq \frac{1 - P_f}{P_m}$. (3) Looking at the structure of the template array we can get another estimate for $N_R$. Each detector generated matches one of the $2^r$ templates in each of the $(l-r)$ columns ...

78 | Defending a computer system using autonomous agents
- Crosbie, Spafford
- 1995
Citation Context ...umber of independent detector sets used. • The individual detectors in the detector set can be run independently as well, for instance in a scheme with autonomous agents (such as the one presented in [1]), where each agent would contain one or a few detectors. We think this distributability property is crucial because it allows each copy of the algorithm to use a unique set of detectors. Having ident...

56 | Introduction to Mathematical Probability
- Uspensky
- 1937
Citation Context ... alphabet size used, the harder it becomes to make an optimal choice for the matching length r. This is due to the fact that for the matching rules considered here, the matching probability $P_m \propto m^{-r}$ [11, 13]. Assuming that $P_m$ has to stay within certain bounds for the detection algorithm to perform efficiently, the range of acceptable values for r becomes very narrow with increasing alphabet size. For som...

47 | T cell tolerance by clonal elimination in the thymus
- Kappler, Roehm, et al.
- 1987
Citation Context ... in the immune system. In the thymus, T-cells with essentially random receptors are generated, but before they are released to the rest of the body, those T-cells that match self proteins are deleted [9, 10]. Similarly, our method distinguishes self strings (the protected data or activities) from nonself strings (foreign or malicious data or activities) by generating detectors for anything that is not in...

40 | An immunological approach to change detection: theoretical results
- D’Haeseleer
- 1996
Citation Context ...two strings match if their Hamming distance is less than or equal to a fixed radius r). In fact, almost all practical matching rules with a fixed matching probability can be expected to exhibit holes [4, 5]. However, we can eliminate holes altogether by choosing a matching rule with a variable matching radius, such that potential holes are filled by detectors with high specificity. Because holes will ne...

27 | RJ, Perelson AS. How diverse should the immune system be
- Boer
- 1993
Citation Context ...uires generating a number of candidate detectors ($N_{R_0}$: initial detector repertoire size, before negative selection) that is exponential in the size of self (for a fixed matching probability $P_m$) [2]: $N_{R_0} = \frac{-\ln(P_f)}{P_m \cdot (1 - P_m)^{N_S}}$. For independent detectors, we can approximate the failure probability $P_f$ achieved by $N_R$ detectors by: $P_f \approx (1 - P_m)^{N_R}$. (1) For $P_m$ sufficiently small and $N_R$ su...

23 | Fundamental Immunology
- Paul
- 1984
Citation Context ... in the immune system. In the thymus, T-cells with essentially random receptors are generated, but before they are released to the rest of the body, those T-cells that match self proteins are deleted [9, 10]. Similarly, our method distinguishes self strings (the protected data or activities) from nonself strings (foreign or malicious data or activities) by generating detectors for anything that is not in...

20 | An efficient algorithm for generating random antibody strings
- Helman, Forrest
- 1994
Citation Context ...ich run in linear time with respect to the size of the input. See [6] for an exposition of the exhaustive detector generating algorithm (2.1). For more details on the linear time algorithm (2.2), see [8] and [3]. This last report also covers the greedy algorithm (2.3) and the algorithm for counting the holes (2.4), including some examples and a derivation of the time and space complexities. 2.1. Exha...

20 | T cell tolerance by clonal elimination
- Kappler, Roehm, et al.
- 1987

13 | Further efficient algorithms for generating antibody strings
- D’haeseleer
- 1995
Citation Context ...in linear time with respect to the size of the input. See [6] for an exposition of the exhaustive detector generating algorithm (2.1). For more details on the linear time algorithm (2.2), see [8] and [3]. This last report also covers the greedy algorithm (2.3) and the algorithm for counting the holes (2.4), including some examples and a derivation of the time and space complexities. 2.1. Exhaustive d...

7 | A change-detection algorithm inspired by the immune system: Theory, algorithms and techniques
- D’haeseleer
- 1995
Citation Context ...two strings match if their Hamming distance is less than or equal to a fixed radius r). In fact, almost all practical matching rules with a fixed matching probability can be expected to exhibit holes [4, 5]. However, we can eliminate holes altogether by choosing a matching rule with a variable matching radius, such that potential holes are filled by detectors with high specificity. Because holes will ne...

6 | A sense of self for UNIX processes”, submitted to the 1996
- Forrest, Hofmeyr, et al.
- 1995
Citation Context ... could be used for a wide variety of change-detection problems, including those requiring some tolerance of noise, or involving dynamic streams of data (such as activity patterns in running processes [7]). On the other hand, it might not always be as efficient as some of the knowledge-intensive special-purpose mechanisms for detecting specific kinds of changes or known attacks. Its strength, however,...

1 | sense of self for UNIX processes”, submitted to the 1996
- Longstaff
- 1995