SOMA - a self-organising mobile agent immune system for computer networks RAID 2004 Abstract
Abstract
Our group, composed of researchers from the University of Nottingham, University College London, the University of the West of England, Hewlett-Packard Labs, Bristol, and developers of the Firestorm intrusion detection system, is currently engaged in the initial stages of designing and implementing a biologically-inspired anomaly-based intrusion detection system. The system, which we have called SOMA, draws strong inspiration from the way the human immune system protects the body. While our work builds on previous work such as [1], [3], [5], [6], presented at past RAID workshops and elsewhere, it also introduces several new concepts which are briefly summarised below.
SOMA conceptualises the network which is to be protected as an artificial body. Each host on the network is seen as an artificial organ linked together by an artificial circulatory system, the underlying network infrastructure. Components on each host monitor different aspects of process behaviour, such as system call, disk and network usage, and package the information into groups of artificial tissue cells. A single host is represented as different artificial tissue types and a number of artificial danger signals, described shortly. The artificial tissue of each host is monitored by several classes of mobile autonomous agents which circulate through the network and which emulate the activities of various cells of the human immune system. None of these artificial immune cells by themselves protect the system, but instead protection emerges as a result of the interaction of the cells.
SOMA differs from previous immune-inspired approaches to intrusion detection such as [2] in that it rejects the view that the decision as to whether to initiate an immune response or not is based on some kind of self-nonself discrimination.
Instead, SOMA explores an alternative contemporary model of immune system functioning, the Danger Model [4], which hypothesises that danger is the driving factor which determines immune system responsiveness. When biological cells undergo stress or damage, they emit certain chemicals, called danger signals, which guide immune system cells. This paradigm shift takes the decision as to whether to respond out of the hands of the system doing the protection, i.e. the cells of the immune system, and places it with the organism being protected. We are currently exploring a number of digital danger signals, such as execution of code in data segments, access to restricted files and