Advances in artificial immune systems

Dipankar DasguptaUniversity of Memphis, USA

© DIGITALVISION

40 IEEE COMPUTATIONAL INTELLIGENCE MAGAZINE | NOVEMBER 2006 1556-603X/06/$20.00©2006IEEE

Advances in Artificial

Immune Systems

During the last decade, the field of Artificial Immune System (AIS) is progressingslowly and steadily as a branch of Computational Intelligence (CI) as shown inFigure 1.There has been increasing interest in the development of computa-tional models inspired by several immunological principles. In particular, some

are building models mimicking the mechanisms in the biological immune system (BIS) tobetter understand its natural processes and simulate its dynamical behavior in the presenceof antigens/pathogens. Most of the AIS models, however, emphasize designing arti-facts–computational algorithms, techniques using simplified models of variousimmunological processes and functionalities. Like other biologically-inspired tech-niques, such as artificial neural networks, genetic algorithms, and cellular automata,

AISs also try to extract ideas from the BIS in order to develop computationaltools for solving science and engineering problems. Although still relative-

ly young, the Artificial Immune System (AIS) is emerging as anactive and attractive field involving models, techniques and

applications of greater diversity.

I. Immune System MetaphorsThe biological immune system is a complex adaptive systemthat has evolved in vertebrates to protect them from invadingpathogens. To accomplish its tasks, the immune system hasevolved sophisticated pattern recognition and response mecha-nisms following various differential pathways, i.e. dependingon the type of enemy, the way it enters the body and the dam-age it causes, the immune system uses various response mecha-nisms either to destroy the invader or to neutralize its effects.

In medical science, historically, the term immunity refers tothe condition in which an organism can resist disease, morespecifically infectious disease. However, a broader definition ofimmunity is a reaction to foreign (or dangerous) substances.Cells and molecules responsible for immunity constitute thebiological immune system, and the collective coordinatedresponse of such cells and molecules in the presence ofpathogens is known as the immune response. The biologicalimmune system can be envisioned as a multilayer protectionsystem, where each layer provides different types of defensemechanisms for detection, recognition and responses. Thus,three main layers include the anatomic barrier, innate immunity(nonspecific) and adaptive (specific) immunity. Innate (non-specific)immunity and adaptive (specific) immunity are inter-linked andinfluence each other [28]. Once adaptive immunity recognizesthe presence of an invader, it triggers two types of responseshumoral immunity and cell-mediated (cellular) immunity, whichact in a sequential fashion. Innate immunity is directed againstany pathogen. If an invading pathogen escapes the innatedefenses, then the body can launch an adaptive or specificresponse against a particular type of foreign agent.

Figure 2 presents an abstract outline of some immunologi-cal components and their functional relationships from com-putational perspectives. This illustration focuses on some BISterminologies that are used to design artificial immune sys-tems. The antibodies are generated in the humoral immune

response, which has recognition functions and thus binds toforeign antigens. But they have no meaning if they only bindto antigens, as antibodies do not kill anything. By binding toantigens, however, antibody molecules activate the serumcomplement that can bind to the appropriate region of anti-body molecules and initiate the classic pathway of comple-ment activation. Finally, a pore-forming molecule-membraneattacking complex (MAC) is formed through complementactivation, which punches holes in the cell surface of the for-eign antigen and destroys the foreign antigen.

In the biological immune system, signal diffusion and dia-logue are two kinds of communication schemes available. Theytake a major role in sharing and passing information duringimmune response. In immune diffusion, the message is passedfrom one immuno-component to others without any feedback.Another scheme is called immune dialogue, where the immunesystem continuously exchanges molecular signals with its coun-terparts. Immune sensitivity is determined by context, whereself and foreign agents play upon each other. The body is underconstant challenge to respond along a continuum of behaviorand needs to adapt accordingly. Signaling is important in bio-logical defense as it allows a cell to move a signal from the out-side to the inside, and signaling results in changes to the cell,allowing it to appropriately respond to a stimulus.

From an information-processing perspective, the immunesystem is a remarkable parallel and distributed adaptive systemwith (partial) decentralized control mechanism. It uses featureextraction, signaling, learning, memory, and associative retrievalto solve recognition and classification tasks. In particular, it learnsto recognize relevant patterns, remember patterns that have beenseen previously, and use combinatorics to construct patterndetectors efficiently. Also, the overall behavior of the system isan emergent property of many local interactions. These remark-able information-processing abilities of the immune system pro-vide several important aspects in the field of computation.

NOVEMBER 2006 | IEEE COMPUTATIONAL INTELLIGENCE MAGAZINE 41

FIGURE 1 Artificial Immune System (AIS) as a branch of Computational Intelligence (CI).

Computational Intelligence

... ...Biology-Inspired

Methods... ...

Neural NetworksEvolutionary Computation

Artificial Immune System (AIS)

... ...

Immune Network Clonal Selection Negative

Selection AlgorithmsOther Models

Danger Theory

II. Artificial Immune SystemsArtificial Immune Systems (AIS) emerged in the 1990s as anew branch in Computational Intelligence (CI).A numberof AIS models exist, and they are used in pattern recogni-tion, fault detection, computer security, and a variety ofother applications researchers are exploring in the field ofscience and engineering [32], [49], [52]. Although the AISresearch has been gaining its momentum, the changes in thefundamental methodologies have not been dramatic.Among various mechanisms in the biological immune sys-tem that are explored as AISs, negative selection, immunenetwork model and clonal selection are still the most dis-cussed models [4], [13], [30].

A. Immune Network ModelsThe immune Network theory had been proposed in themid-seventies [29]. The hypothesis was that the immunesystem maintains an idiotypic network of interconnected Bcells for antigen recognition. These cells both stimulate andsuppress each other in certain ways that lead to the stabi-lization of the network. Two B cells are connected if theaffinities they share exceed a certain threshold, and thestrength of the connection is directly proportional to theaffinity they share.

In artificial immune network (AIN) models, a B-cell popu-lation is made of two sub-populations: the initial populationand the cloned population. The initial set is generated from asubset of raw training data to create the B-cell network. Theremainders are used as antigen training items. Antigens arethen selected randomly from the training set and presented tothe areas of the B-cell network. If the binding is successful,then the B-cell is cloned and mutated [24]. The mutationyields a diverse set of antibodies that can be used in the classifi-cation procedure.Once a new B cell is created, an attempt ismade to integrate it into the network at the closest B Cells. Ifthe new B cell cannot be integrated, it is removed from thepopulation. If no bind is successful, then a B-cell is generatedusing the antigen as a template and is then incorporated intothe network.

An updated version, called AINE [32] uses artificial recog-nition ball (ARB) to represent a number of similar B-cells (nota single B-cell). This resembles the idea of recognition ball inimmunology, which refers to the region in the shape space ofantigen that an antibody can recognize. It represents a single n-dimensional data item that could be matched by Euclidean dis-tance to an antigen or another ARB. A link between twoB-cells is created if the affinity (distance) between two ARBs isbelow a network affinity threshold (NAT). The results show

42 IEEE COMPUTATIONAL INTELLIGENCE MAGAZINE | NOVEMBER 2006

FIGURE 2 Shows different functional elements of the Biological Immune System (BIS) and their relationship.

Antigen

EndogenousAntigen

ExogenousAntigen

Target CellAntigen Processing and

Presentation

T Killer CellEndogenous Antigen Killing

T Helper Cell

Recognition and Activation

Macrophages

Phagocytosis

Antigen Presenting Cell

Antigen Processing andPresentation

B CellAntigen Processing and

Presentation

Cytokines

Plasma CellAntibody Secretion

Opsonization

Complement

Exogenous Antigen Killing

Monokines

that the combination of normalizing the stimulation levels ofARBs in the network and the resource allocation mechanismleads to the biasing of AINE toward the strongest pattern inthe data set to emerge [33].

B. Clonal Selection PrincipleThe Clonal Selection Principle describes the basic features ofan immune response to an antigenic stimulus. It establishes theidea that only those cells that recognize the antigen proliferate,thus being selected against those that do not. The main fea-tures of the Clonal Selection Theory are that: ❏ The new cells are copies of their parents (clone) subjected

to a mutation mechanism with high rates (somatic hyper-mutation);

❏ Elimination of newly differentiated lymphocytes carryingself-reactive receptors;

❏ Proliferation and differentiation on contact of mature cellswith antigens.The algorithm (CLONALG) is based on the clonal selec-

tion and affinity maturation principles [13]. It is similar tomutation-based evolutionary algorithms and has several inter-esting features: 1) population size dynamically adjustable, 2)exploitation and exploration of the search space, 3) location ofmultiple optima, 4) capability of maintaining local optimasolutions, and 5) defined stopping criterion [12], [13]. A modelcombining the ideas of aiNet and AINE was also proposed[35]. This work emphasizes its self-organizing ability, i.e. theuse of minimal number of control parameters.

C. Negative Selection AlgorithmsOne of the purposes of the immune system is to recognize allcells (or molecules) within the body and categorize those cellsas self or non-self. The non-self cells are further categorized inorder to induce an appropriate type of defensive mechanism.The immune system learns through evolution to distinguishbetween foreign antigens (e.g., bacteria, viruses, etc.) and thebody’s own cells or molecules. The purpose of negative selec-tion is to provide tolerance for self cells. It deals with theimmune system’s ability to detect unknown antigens while notreacting to the self cells. During the generation of T-cells,

receptors are made through a pseudo-random geneticrearrangement process. Then, they undergo a censoringprocess in the thymus, called the negative selection. There, T-cells that react against self-proteins are destroyed; thus, onlythose that do not bind to self-proteins are allowed to leave thethymus. These matured T-cells then circulate throughout thebody to perform immunological functions and protect thebody against foreign antigens.

The negative selection algorithm Forrest et al. [30], is oneof the computational models of self/nonself discrimination,first designed as a change detection method. It is one of theearliest AIS algorithms that were applied in various real-worldapplications. Since it was first conceived, it has attracted manyAIS researchers and practitioners and has gone through somephenomenal evolution. In spite of evolution and diversificationof this method, the main characteristics of a negative selectionalgorithm described by Forrest et al. [30] still persist. Figures 3(a) and (b), similar to the original conception, describe themajor steps in such an algorithm. In generation stage, thedetectors are generated by some random process and censoredby trying to match self samples. Those candidates that matchare eliminated and the rest are kept as detectors. In the detec-tion stage, the collection of detectors (or detector set) is usedto check whether an incoming data instance is self or non-self.If it matches any detector, then it is claimed as non-self oranomaly. This description is limited to some extent, but con-veys the essential idea.

Like any other Computational Intelligence technique, dif-ferent negative selection algorithms are characterized by partic-ular representation schemes, matching rules and detectorgeneration processes:❏ Data and detector representation

• Binary (or string) representation• Real-valued representation; detectors as hypersphere, or

hyper-rectangle• Hybrid representation

❏ Generate/elimination mechanism• Random generation + censoring• Genetic algorithm• Greedy algorithm or other deterministic algorithm


FIGURE 3 The basic concept of the Negative Selection (NS) Algorithm.

RandomCandidate

Self Samples

Match?

No

Yes

Add toDetector Set

Discard

Data Itemto Be Checked

Detector Set

Match?

No

Yes

Normal (Self)

Abnormal(Nonself)

❏ Matching rule• rcb (r-contiguous bits), r-chunk, Hamming distance and

variations (like R&T distance), edit distance• statistical correlation, landscape matching• Euclidean distance-based for real-valued representationTwo important aspects of a negative selection algorithm

are:1) The target concept of the algorithm is the complement of a

self set.2) The goal is to discriminate between self and non-self pat-

terns, but only samples from one class are available (one-class learning).The performance of each NS algorithm differs based on a

number of factors, such as ❏ Number of detectors

• Affecting the efficiency of generation and detection❏ Detector coverage

• Affecting the accuracy of detection

❏ Algorithm of generating detectors• Linked to efficiency and quality of detector set

❏ Applicable scenario• Large amount of self (normal) samples• Rare or no abnormal samples

❏ another possible usage: “negative database”❏ When it is not appropriate; for example, the number of self

samples is small and sparse.Some limitations of the (binary) string representation in NS

algorithms are❏ Binary matching rules are not able to capture the semantics

of some complex self/non-self spaces.❏ It is not easy to extract meaningful domain knowledge.❏ In some cases, a large number of detectors are needed to

guarantee better coverage (detection rate).❏ It is difficult to integrate the NS algorithm with other

immune algorithms.❏ Crisp boundary of self and non-self may be hard to define.


TYPE OFMODEL OR TECHNIQUE ASPECTS OF THE BIS REPRESENTATION

REFERENCE DESCRIPTION MODELED USED APPLICATIONS

HUNT ET AL., A MACHINE-LEARNING SYSTEM (JISYS) AG-AB BINDING. IMMUNE MIXED NUMERICAL, FRAUD DETECTION.1999 [24] BASED ON IMMUNE NETWORKS NETWORK. CATEGORICAL AND LEARNING.

STRING DATA.DASGUPTA, 1999 AN ARCHITECTURE FOR AN AGENT- DISTRIBUTED CONTROL. JAVA OBJECTS COMPUTER SECURITY

[7] BASED INTRUSION/ANOMALY SELF/NON-SELF (APPLETS)DETECTION AND RESPONSE SYSTEM DISCRIMINATION.

DASGUPTA, 1999 COMBINES IMMUNE SYSTEM IDEAS AND AG-AB BINDING. BINARY STRINGS CHEMICAL SPECTRUM[8] GENETIC ALGORITHMS TO INTERPRET SELF/NON-SELF RECOGNITION.

CHEMICAL SPECTRA DISCRIMINATION.WILLIAMS, 1999 A MULTI-AGENT COMPUTATIONAL AG-AB BINDING. SELF/NON-SELF COMPUTER SECURITY

[9] IMMUNE SYSTEM (CDIS) FOR DISCRIMINATION.INTRUSION DETECTION STRINGS FROM A

FINITE ALPHABET.

TARAKANOV, 2000 A FORMAL MODEL OF THE IMMUNE AG-AB BINDING. REAL-VALUED VECTORS. BIS MODELING.[10] SYSTEM.

TIMMIS, 2000 A RESOURCE LIMITED ARTIFICIAL AG-AB BINDING, IMMUNE REAL-VALUED VECTORS. DATA ANALYSIS,[11] IMMUNE SYSTEM RAINE FOR DATA NETWORK. CLUSTERING.

ANALYSIS THAT EXTENDS THE WORK OF COOKE AND HUNT [8].

DE CASTRO, 2000 A SYSTEM BASED ON CLONAL AG-AB BINDING. CLONAL BINARY AND INTEGER PATTERN MATCHING,[12] SELECTION AND AFFINITY SELECTION. AFFINITY STRINGS. OPTIMIZATION.

MATURATION (CLONALG). MATURATION.DE CASTRO, 2001 AN IMMUNE NETWORK LEARNING AG-AB BINDING, CLONAL REAL-VALUED VECTORS. DATA ANALYSIS,

[13] ALGORITHM (AINET). SELECTION, AFFINITY CLUSTERING.MATURATION, IMMUNENETWORK.

HOFMEYR [25] AN ARCHITECTURE FOR AN ARTIFICIAL AG-AB BINDING. BINARY STRINGS. COMPUTER IMMUNE SYSTEM (LISYS). SELF/NON-SELF SECURITY.

DISCRIMINATION, AFFINITY MATURATION.

BRADLEY, 2000 A MACHINE FAULT TOLERANCE SELF/NON-SELF BINARY STRINGS. HARDWARE FAULT[1] MECHANISM BASED ON IMMUNE DISCRIMINATION. DETECTION AND

SYSTEM IDEAS (IMMUNOTRONICS). TOLERANCE.DE CASTRO, 2001 A SIMULATED ANNEALING ALGORITHM AG-AB BINDING, IMMUNE REAL-VALUED VECTORS. INITIALIZATION OF

[2] BASED ON THE IMMUNE SYSTEMS DIVERSITY. FEED-FORWARD(SAND) APPLIED TO NEURAL NEURAL NETWORKNETWORK INITIALIZATION. WEIGHTS.

TARAKANOV [3] ARCHITECTURE TO BUILD CHIPS THAT AG-AB BINDING, IMMUNE REAL-VALUED VECTORS PATTERN MATCHING.IMPLEMENT THE IMMUNE SYSTEM NETWORK. (INTERNALLYMODEL. REPRESENTED AS BITS).

(CONTINUES)

TABLE 1 A timeline of recent AIS developments.

In real-valued representation, the detectors are representedby hyper-shapes in n-dimensional space. The algorithms usegeometrical spaces and use heuristics to distribute detectors inthe non-self space.

Some limitations of the real-valued representation in NSalgorithms are❏ The issue of holes in some geometrical shapes, and may

need multi-shaped detectors❏ Curse of dimensionality❏ The estimation of coverage❏ The selection of distance measure

In recent years, there has been an interesting debate amongimmunologists about the classical self/non-self distinction andthe importance of detection and recognition processes [40], [41].An issue that has been addressed is that autoimmunity is a nor-mal finding in healthy individuals. A main problem with self andnon-self discrimination is the determination of the frontierbetween self and non-self. In Danger Theory, the immune

response is determined by the presence or absence of alarm sig-nals; some danger signals such as tissue damage trigger a myriadof immune reactions and responses, and APCs are activated byendogenous cellular alarm signals from distressed or injured cells.

Table 1 shows a chronological list of some AIS models andtechniques that are found in the literature. The tables include ashort description of each model or technique, use of specificimmunological mechanisms, type of representations, and theintended applications.

III. AIS ApplicationsArtificial Immune Systems (AIS) are being used in many appli-cations such as anomaly detection [37], [59], pattern recogni-tion [36], data mining [38], computer security [6], [7], [25],[63], [65], adaptive control [39] and fault detection [1], [60].Two applications of AIS are considered as representative andillustrate how artificial immune systems are used in the solutionof real-world problems.


TABLE 1 (Continued)...

TYPE OFMODEL OR TECHNIQUE ASPECTS OF THE BIS REPRESENTATION

REFERENCE DESCRIPTION MODELED USED APPLICATIONS

NASRAOUI, 2002 AN IMMUNE NETWORK BASED AG-AB BINDING, IMMUNE REAL-VALUED VECTORS. CLUSTERING, WEB[27] ALGORITHM THAT USES FUZZY NETWORK. DATA MINING

THEORY TO MODEL THE AG-AB MATCHING.

HART, 2002 [4] A SYSTEM TO CLUSTER NON-STATIONARY AG-AB BINDING, IMMUNE BINARY STRINGS. CLUSTERING.DATA (SOSDM) THAT COMBINES MEMORY. ASSOCIATIVE IDEAS FROM BIS AND SPARSE MEMORY,DISTRIBUTED MEMORIES.

COELLO, 2002 [5] AN APPROACH TO HANDLE AG-AB BINDING, GENE BINARY STRINGS OPTIMIZATION.CONSTRAINTS IN GA-BASED LIBRARIES.OPTIMIZATION.

KIM, 2002 [6] AN ALGORITHM TO PERFORM DYNAMIC AG-AB BINDING, CLONAL BINARY STRINGS. DYNAMIC LEARNING.LEARNING ON CHANGING SELECTION, SELF/NONENVIRONMENTS. -SELF DISCRIMINATION.

NASRAOUI, 2002, A SCALABLE ARTIFICIAL IMMUNE SYSTEM AG-AB BINDING, IMMUNE REAL-VALUED VECTORS. CLUSTERING.2003 [14] ,[25] MODEL FOR DYNAMIC UNSUPERVISED NETWORK. DYNAMIC

LEARNING BASED ON IMMUNE LEARNING.NETWORK THEORY.

DASGUPTA ET AL., MULTI-LEVEL IMMUNE LEARNING NEGATIVE SELECTION, DIFFERENT ANOMALY2003 [26] ALGORITHM (MILA) COMBINES CLONAL SELECTION, REPRESENTATIONS DETECTION,

SEVERAL IMMUNOLOGICAL FEATURES. APC AND MATCHING PATTERNRULES, REPERTOIRE RECOGNITIONOPTIMIZATION

IQBAL ET AL., ARTIFICIAL APC MODEL DANGER THEORY STRING DANGER2004 [15] SUSCEPTIBLE DATA

CODONSSTEPNEY ET AL., CONCEPTUAL DEVELOPMENT ENTIRE IMMUNE SYSTEM GENERAL FRAMEWORK

2004 [16]JI ET AL., 2005 COVERAGE ESTIMATION NEGATIVE SELECTION REAL-VALUED VECTOR GENERAL

[17]GALEANO ET AL., NETWORK MODEL IMMUNE NETWORK REAL VALUE REVIEW

2005 [19]ANDREWS ET AL., NO SELF/NON-SELF DISCRIMINATION NEW IMMUNE THEORIES CONCEPTUAL (CELLULAR GENERAL

2005 [20] AUTOMATA, UMLSTATECHART ET AL.

STIBOR ET AL., APPLICABILITY ISSUES OF NSA SELF/NON-SELF REAL-VALUED VECTOR ANOMALY DETECTION2005 [21]; JI DISCRIMINATIONET AL., 2006 [18]

AICKELIN ET AL., DANGER THEORY INNATE IMMUNITY STRING REPRESENTATION NETWORK SECURITY2002 [22], 2006[23]

In order to apply an immune model to solve a particularproblem from a specific domain, one should select the immunealgorithm according to the type of problem that is being solved.Then, identify the elements involved in the problem and howthey can be modeled as entities in the particular immunemodel. To model such entities, a representation for each one ofthese elements should be chosen, specifically a string representa-tion: integer, real-valued vector representation or a hybrid rep-resentation. Subsequently, appropriate affinity (distance)measure to determine corresponding matching rules should bedefined; then, to select the immune algorithm that will be usedto generate a set of suitable entities providing a good solution tothe problem at hand. Figure 4 shows the necessary steps tosolve a problem using an immune model.

A. Application in Computer SecurityThe role of the immune system may be considered analo-gous to that of computer security systems [7], [50]–[52].Host-based intrusion detection methods [53]–[55] constructa database that catalogues the normal behavior during timein terms of the system calls made, etc. As this record buildsup, the database may be monitored for any system call notfound in the normal behavior database. The authors arguethat while simplistic, this approach is not computationallyexpensive and can be easily used in real time. It also has theadvantage of being platform and software independent. Analternative method is the network-based intrusion detectionapproach. This tackles the issue of protecting networks ofcomputers rather than an individual computer. This isachieved in a similar way in monitoring network services,traffic and user behavior and attempts to detect misuse orintrusion by observing departures from normal behavior.Work in [53], [56], [57] laid foundations for a possible archi-tecture and the general requirements for an immunity-basedintrusion detection system. They used the metaphor of theinnate immune system, which resides on the user’s PC andapplies virus-checking heuristics to .COM and .EXE files. Ifan unknown virus is detected, then a sample is captured that

contains information about the virus and is sent to a centralprocessing system for further examination. This is analogousto how the innate immune system works, as the first line ofdefense. The signature extraction mechanism is akin to clon-al selection where large numbers of possible code signaturesare produced randomly and each one checked against thepotential virus until a positive match is found. NegativeSelection algorithm has been applied to the problem of net-work intrusion detection [34], [55]–[58]. Each computerruns a broadcaster, which broadcasts the source and destina-tion of each TCP SYN packet it sees to other computersrunning LISYS, and a detection node, which processes theinformation from the broadcasters. Each detection nodereceives data from broadcasters and mails an administrator ifit detects a novel TCP connection. A detection node has anarray of detectors that as a group determine whether a pack-et is anomalous. In ARTIS [66], the architecture uses dis-tributed detection strategy wherein each detection node usesa different representation: it filters incoming strings througha randomly generated permutation mask. This technique ofhaving a different representation for each detection node isequivalent to multiple detector shapes (hence, changing theshape of the detectors), while keeping the “shape” of the selfset constant.

Balthrop et al. [63] used a simpler version of LISYS [58]and developed a system that monitors network traffic and isdeployed on individual hosts. A detector set is distributed toeach of the hosts in the network, and TCP connections, basedon triplets, are monitored using these detectors. Diversity iscreated through each host independently reacting to self andnon-self. The system uses a negative selection algorithm tomature 49-bit binary detectors, which are tested against con-nections collected during a training period. The matureddetectors are then deployed on a live network. The matchingfunction used is r-contiguous and the detectors are improvedthrough affinity maturation.

Spam messages (or junk e-mail) fill electronic mailboxesthroughout the world. An extended examination of thespam-detecting artificial immune system is undertaken here[61]. An adaptive spam solution is implemented, whichwill be able to adapt to both slow and rapid changes. Thespam immune system distinguishes between a self of legiti-mate e-mail (non-spam) and a non-self of spam. The cen-tral part of the system is its detectors and lymphocytes.Detectors are regular expressions made by randomlyrecombining information from a set of libraries. These reg-ular expressions match patterns in the entire message. Digi-tal lymphocyte consists of an antibody and two associatedweights—the cumulated weighted number of spamsmatched and the messages matched. The gene library con-tains partial patterns used to build the full patterns used inlymphocytes. Three libraries were tested—heuristic, whichemerged as the most accurate for classification, theBayesian token library and English word libraries that per-formed significantly worse. FIGURE 4 Implementation steps in solving a problem using an AIS.

Representation

Affinity Measures

Immune Algorithms

Immune Entities

Solution

Application Domain


In [51] the authors, specifically relating to computersecurity discuss virus detection and process anomaly detec-tion, describe several different approaches. In UNIXprocesses, changes in behavior were detected through shortrange correlation of process system calls, especially for rootprocesses. Viruses were detected through change detectionon files, as also through the use of decoys or honeypots,which use signature-based approach and monitor decoyprograms and build signatures based on their changes. Thesystem is host-based, looking specifically at privilegedprocesses, and runs on a system that is connected to thenetwork. The system collects information in a trainingperiod, which is used to define self. This information is inthe form of root user ‘sendmail’ command sequences,which is used to construct a database of normal commands.These commands are examined and compared with entriesin this database. A command-matching algorithm is imple-mented wherein new traffic is compared with the definedbehavior in the database. Intrusions are detected wheneverthe level of mismatches with entries in the database risesabove a predefined level.

An automated detection and response system for identi-fying malicious self-propagating code and stopping itsspread has been the goal in [65]. Numerous mechanismswere implemented, which were inspired from the differen-tiation states of T-cells that can be grouped into particularstatus subsets that can be used to classify the types of T-cells. From these classifications, the various roles of diverseT-cell types can be seen. Design of a new AIS model,CARDINAL (Cooperative Automated worm Response andDetection ImmuNe ALgorithm), is described, which hasthe potential to operate as a cooperative automated wormdetection and response system. In particular, three keyproperties of T-cells have been identified: T-cell prolifera-tion to optimize the number of peer hosts polled, T-celldifferentiation to assess attack severity and certainty, and T-cell modulation and interaction to balance local and peerinformation. The T-cell algorithm worked in unison withthe novel danger-theory inspired system [62]. Danger theo-ry model appears to be useful in cyber security, as not allabnormal events (non-self) represent attacks, rather a smallpercentage of such events are of real concern. Some simpleobservations can be used to trigger a chain of defensiveactions, but the challenge is clearly to define what consti-tutes suitable danger signals.

B. Application in Fault DetectionThe field of fault diagnosis needs to accurately predict orrecover from faults occurring in plants, machines like refrig-eration systems, communications like telephone systems andtransportations like Aircrafts. In [45], the approach is to usethe ‘Learning Vector Quantization’ (LVQ) to determine acorrelation between two sensors from their outputs whenthey work properly. Each sensor is equated to a B-cell in animmune network, and sensors test one another’s outputs to

see whether they are normal using the extracted correlations.Here, reliability of the sensor is used in lieu of the similarityto neighbors. In the field of fault diagnosis, there has alsobeen some interest in creating distributed diagnostic systems.Initial work in [46] proposed a parallel-distributed diagnosticalgorithm. However, the authors likened their algorithm tothat of an immune network, due to its distributed operation,and the systems emergent co-operative behavior betweensensors. This work was then continued [47] and active diag-nostic mechanism [48] was included. Active diagnosis

continually monitors for consistency between the currentstates of the system with respect to the normal state. Eachsensor can be equated with a B-cell, connected via theimmune network with each sensor maintaining a time-vari-ant record of sensory reliability, thus creating a dynamic sys-tem. This work differs from the above in the way in whichthe reliability of each sensor is calculated.

In an interesting work [60] involving Aircraft Fault detec-tion, experiments were performed with datasets collectedthrough simulated failure conditions using NASA Ames C-17flight simulator. Three sets of in-flight sensory information—namely, body-axes roll rate, pitch rate and yaw rate—wereconsidered to detect five different simulated faults: one forEngine, two for the Tails and two for the Wings. A real-val-ued negative selection algorithm, called MILD, was utilized todetect a broad spectrum of known as well as unforeseen faults.Once the fault was detected and identified, a direct adaptivecontrol system utilized the detection information to stabilizethe aircraft by utilizing available resources.

The MILD software tool implements an immunity-basedtechnique for anomaly and fault detection where a smallnumber of specialized detectors (as signatures of known fail-ure conditions) and a set of generalized detectors forunknown (or possible) fault conditions are. Once the fault isdetected and identified, an adaptive control system woulduse this detection information to stabilize the aircraft by uti-lizing available resources (control surfaces). Experimentswere performed with datasets collected under normal andvarious simulated failure conditions using a piloted motion-based NASA simulation facility. An Article on MILD pro-ject is available at NASA Web site.

Figure 5 illustrates the performance of the detection systemwhen tested with “full tail failure” data, where this type offault is manifested in pitch error rate (starting at the 1200thtime step). The graph also shows the number of detectors


The biological immune system can beenvisioned as a multilayer protectionsystem, where each layer providesdifferent types of defense mechanismsfor detection, recognition and responses.

activated (lower bar chart), as significant deviations in datapatterns appear. The bar chart shows the arrangement of thedetectors with increased radius.

IV. ConclusionsThe biological immune system (BIS) is a subject of greatresearch interest because of its powerful information process-ing capabilities; in particular, understanding the distributednature of its memory, self-tolerance and decentralized controlmechanisms from an informational perspective, and buildingcomputational models believed to better solve many scienceand engineering problems. In the recent development of theAIS field, existing models are being studied extensively, andnew ideas from immunology are explored, such as dangertheory. This survey found that NS algorithms are widely usedcompared to other AIS approaches. In a recent survey on AISby Garrett [42], he concluded that negative selection algo-rithms have a distinct process compared with other algorithmsand may be most suitable for certain applications. On theother hand, Freitas et al. [43] pointed out that negative selec-tion algorithms are not appropriate to be used as a generalclassification method because they are a one-classapproach.However, Gonzalez [67] demonstrated that NSalgorithm can be used to generate samples for the underrepre-sented class (a class with a few samples). Stibor et al. raisedseveral possibilities that negative selection algorithms in gener-al or certain specific models may not be appropriate [44], butthe real weakness of the method, which likely may exist, wasnot satisfactorily identified. Both the relatively popular usageof this method in diverse applications and the doubt about itsvalue justify a thorough review on this approach in order toavoid existing and potential misconceptions and to facilitate itsdevelopment or evolution. Table 2 summarizes the mostlystudied models of AIS.

Despite many successes of AIS techniques, there remainsome open issues. Most importantly, the uniqueness andusability of each model needs to be determined; as the field isrelatively new, most of the existing works have beenexploratory, and these algorithms do not scale well. Amongothers, the following are some aspects that have to beaddressed in order to make the AIS a real-world problem solv-ing technique:❏ Improvement in the efficiency of the algorithms.❏ Enhancement of the representation.❏ Introduction of other immune mechanisms.❏ Development of unified architecture that can integrate sev-

eral AIS models.

References[1] D. Bradley and A. Tyrrell, “Immunotronics: Hardware fault tolerance inspired by theimmune system,” in Proceedings of the 3rd International conference on Evoluable Systems(ICES2000), vol. 1801. Springer-Verlag, Inc., pp.11–20, 2000.[2] L.N. de Castro and F.J. Von Zuben, “An immunological approach to initialize feedforwardneural network weights,” in International Conference on Artificial Neural Networks and GeneticAlgorithms (ICANNGA ‘01), pp. 126–129, 2001.[3] A. Tarakanov and D. Dasgupta, “An immunochip architecture and its emulation,” in 2002NASA/DoD Conference on Evolvable Hardware, Alexandria, VA, USA, pp. 261–265, 2002.[4] E. Hart and P. Ross, “Exploiting the analogy between immunology and sparse distributed

FIGURE 5 Illustrates the performance of the detection system whentested with “full tail failure” data, where this type of fault is manifest-ed in pitch error rate (starting at the 1200th time step). The graphalso shows the number of detectors activated (lower bar chart), assignificant deviations in data patterns appear. The bar chart showsthe arrangement of the detectors with increased radius.

MILD - a FaultDetection ToolBased on the

Negative SelectionAlgorithm Inspired

by the HumanImmune System.

EXIT

Immunity-basedFault Detection

System

MILD v1.oMILD: Fault Detection

1.5

1

0.5

0

−0.5

−10 200 400 600 800 1000 1200 1400 1600 1800

RollPitchYaw

DetectionResult

IsolationResult

DetectionInformation

ALERTSIGNAL

2000

MILD v1.0

Detector Generation

Anomaly Detection

Total NumberOf Detectors:

103Type of

Activated Detectors:

EMin. Radius: 0.17 Max. Radius: 0.56

System Input

Load Testing Data

C:\Documents and Settings\FIT

C:\Documents and Settings\FIT

Load Detectors

Detectors created on:

20-Aug-2004 22:49:11

Window Size: 3

Overlapping: 1

Detection Window 50

0 100

Sensitivity(threshold): 50 %

0 100Detector_Distribution_Plot

Detector Distribution Plot

Detect

Restart

Detector Generation

EXIT1

1

0.50.5

00

0

0.2

0.4

0.6

0.8

1

Num

ber

of T

imes

Act

ivat

ed

30

25

20

15

10

5

00 20 40

Ordered Detector Index60 80 100

COMPUTATIONAL TYPICALBIS ASPECT PROBLEM APPLICATIONS

SELF/NON-SELF ANOMALY OR - COMPUTER RECOGNITION CHANGE SECURITY

DETECTION - FAULT DETECTION

IMMUNE NETWORK LEARNING - CLASSIFICATIONTHEORY AND (SUPERVISED - CLUSTERINGIMMUNE MEMORY UNSUPERVISED) - DATA ANALYSIS

- STREAM DATA-MINING

CLONAL SELECTION SEARCH, - FUNCTION OPTIMIZATION OPTIMIZATION

MOBILITY, DISTRIBUTED - AGENTDISTRIBUTED PROCESSING ARCHITECTURES

- DECENTRALIZED ROBOT CONTROL

INNATE IMMUNITY DANGER THEORY - NETWORK SECURITY

TABLE 2


memories: A system for clustering non-stationary data,” in Proceedings of the 1st InternationalConference on Artificial Immune Systems (ICARIS), pp. 49–58, Sept. 2002.[5] C.A. Coello and N.C. Cores, “A parallel implementation of the artificial immune system tohandle constraints in genetic algorithms: Preliminary results,” in Proceedings of the 2002 Congresson Evolutionary Computation (CEC 2002), Honolulu, p. 819824, 2002.[6] J. Kim and P. Bentley, “Toward an artificial immune system for network intrusion detec-tion: An investigation of dynamic clonal selection,” in Proceedings of the 2002 Congress on Evolu-tionary Computation (CEC 2002), Honolulu, Hawaii, pp. 1244–1252, 2002.[7] D. Dasgupta, “Immune-based intrusion detection system: A general framework,” in Pro-ceedings of the 22nd National Information Systems Security Conference (NISSC), 1999.[8] D. Dasgupta, Y. Cao, and C. Yang, “An immunogenetic approach to spectra recognition,”in Proceedings of Genetic and Evolutionary Computational Conference (GECCO 1999), vol. 1.Orlando, Florida, USA: Morgan Kaufmann, pp. 149–155, July 13–17, 1999.[9] P.D. Williams, K.P. Anchor, J.L. Bebo, G.H. Gunsh, and G.D. Lamont, “Cdis: Towards acomputer immune system for detecting network intrusions” Lecture notes in Computer Science,vol. 2212, pp. 117–133, 2001.[10] A. Tarakanov and D. Dasgupta, “A formal model of an artificial immune system,” BioSys-tem, vol. 55, pp. 151–158, 2000.[11] J.I. Timmis, “Artificial immune systems: A novel data analysis technique inspired by theimmune network theory,” Ph.D. dissertation, University of Wales, Aberystwyth, UK, 2000.[12] L.N. de Castro and F.J. Von Zuben (2000a). “The clonal selection algorithm with engi-neering applications,” in Proceedings of GECCO 2000, pp. 36–39, 2000.[13] L.N. de Castro and F.J.V. Zuben, “aiNet: An artificial immune network for data analysis,”in Data Mining: A Heuristic Approach, H.A. Abbass, R.A. Sarker, and C.S. Newton, Eds.Idea Group Publishing, USA, pp. 231–259, March 2001.[14] O. Nasraoui, F. Gonzalez, C. Cardona, C. Rojas, and D. Dasgupta, “A scalable artificialimmune system model for dynamic unsupervised learning,” in Proceedings of the Genetic and Evo-lutionary Computation Conference (GECCO 2003), ser. LNCS 2723. Chicago, IL: Springer, pp.219–230, July 2003.[15] A. Iqbal and M.A. Maarof, “Towards danger theory based artificial APC model: Novelmetaphor for danger susceptible data codons,” in Proceedings of Third International Conference onArtificial Immune Systems (ICARIS 2004), pp. 161–174, 2004.[16] S. Stepney, R.E. Smith, and J. Timmis, et al., “Towards a conceptual framework for arti-ficial immune systems,” in Proceedings of Third International Conference on Artificial Immune Systems(ICARIS 2004), pp. 53–64, 2004.[17] Z. Ji and D. Dasgupta, “Real-valued negative selection algorithm with variable-sizeddetectors,” in LNCS 3102, Proceedings of GECCO, pp. 287–298, 2004.[18] Z. Ji and D. Dasgupta, “Applicability issues of the real-valued negative selection algo-rithms,” in Genetic and Evolutionary Computation Conference (GECCO), pp. 111–118, July 8–12,2006.[19] J.C. Galeano, A. Veloza-Suan, and F.A. Gonzalez, “A comparative analysis of artificialimmune network models,” in GECCO 2005: Proceedings of the 2005 conference on Genetic andevolutionary computation, Washington DC, USA: ACM 320 Press, vol. 1, pp. 361–368, June25–29, 2005.[20] P.S. Andrews and J. Timmis, “Inspiration for the next generation of artificial immune sys-tems,” in ICARIS, pp. 126–138, 2005.[21] T. Stibor, J. Timmis, and C. Eckert, “A comparative study of real-valued negative selec-tion to statistical anomaly detection techniques,” in ICARIS, pp. 262–275, 2005.[22] U. Aickelin and S. Cayzer, “The Danger Theory and Its Application to Artificial ImmuneSystems,” In the Proceedings of 1st International Conference on Artificial Immune Systems (ICARIS),University of Kent at Canterbury, UK, Sept. 9–11, 2002.[23] J. Twycross and U. Aickelin, “Libtissue-Implementing Innate Immunity, In the Proceedingsof IEEE World Congress on Computational Intelligence, Vancouver, Canada, July 17–21, 2006.[24] J. Hunt, J. Timmis, D. Cooke, M. Neal, and C. King, “Jisys: The development of anArtificial Immune System for real world applications,” Applications of Artificial Immune Systems,D. Dasgupta Ed., Pub. Springer-Verlag, ISBN 3-540-64390-7, pp. 157–186, 1999.[25] S.A. Hofmeyr and S. Forrest, Architecture for an artificial immune system, Evolutionary Com-putation, vol. 8, no. 4, pp. 443–473, 2000.[26] D. Dasgupta, S. Yu, and N.S. Majumdar, “MILA—multilevel immune learningalgorithm,” In Proceedings of the Genetic and Evolutionary Computation Conference (GECCO2003), LNCS 2723, pp. 183–194, Chicago, IL, Springer, July 12–16, 2003.[27] O. Nasraoui, F. Gonzalez, and D. Dasgupta, “The fuzzy ais: Motivations, basic concepts,and applications to clustering and web profiling,” In IEEE International Conference on Fuzzy Systems, pp. 711–717, Hawaii, May 12–17, 2002.[28] A.K. Abbas and A.H. Lichtman, “Cellular and Molecular Immunology,” Saunders, 2000.[29] N.K. Jerne, Towards a network theory of the immune system. Ann. Immunol. (Inst. Pasteur), 125C, pp. 373–389, 1974.[30] S. Forrest, A.S. Perelson, L. Allen, and R. Cherukuri, “Self-Nonself Discrimination in aComputer,” In Proceedings of the 1994 IEEE Symposium on Research in Security and Privacy, LosAlamitos, CA: IEEE Computer Society Press, 1994.[31] J. Timmis, M. Neal, and J. Hunt, “Data analysis with artificial immune systems and clusteranalysis and kohonen networks: Some comparisons,” In Proc. of IEEE Int. Conf. Systems andMan and Cybernetics, pp. 922–927, Tokyo, Japan. 1999.[32] J. Timmis, M. Neal, and J. Hunt, “An Artificial Immune System for Data Analysis,” Inthe Proceedings of the International Workshop on Intelligent Processing in Cells and Tissues (IPCAT),1999.[33] T. Knight and J. Timmis, “Assessing the performance of the resource limited artificialimmune system AINE,” Technical Report 3-01, Canterbury, Kent. CT2 7NF, May 2001.[34] F. Gonzalez and D. Dasgupta, “An Immunogenetic Technique to Detect Anomalies inNetwork Traffic,” In the Proceedings of the International Conference Genetic and Evolutionary Com-putation (GECCO), New York, July 9–13, 2002. [35] Wierzchon & Kuzelewska, “Stable Clusters Formation in an Artificial Immune System,”In 1st International Conference on Artificial Immune Systems (ICARIS), University of Kent at

Canterbury, UK, Sept. 9th–11th, 2002.[36] Y. Cao and D. Dasgupta, “An Immunogenetic Approach in Chemical Spectrum Recog-nition,” Chapter 36 in the edited volume Advances in Evolutionary Computing (Ghosh &Tsutsui, eds.), Springer-Verlag, Inc. Jan. 2003.[37] D. Dasgupta and S. Forrest, “Novelty Detection in Time Series Data using Ideas fromImmunology,” In ISCA 5th International Conference on Intelligent Systems, Reno, Nevada, June19–21, 1996.[38] J. Timmis, M. Neal, and T. Knight, “AINE: Machine Learning Inspired by the ImmuneSystem,” Published in IEEE Transactions on Evolutionary Computation, June 2002.[39] K. Krishnakumar and J. Neidhoefer, Immunized Adaptive Critic for an Autonomous Air-craft Control Application, Chapter 20 in the book entitled Artificial Immune Systems andTheir Applications, Publisher: Springer-Verlag, Inc., pp. 221–240, Jan. 1999.[40] P, Matzinger, “The Danger Model in Its Historical Context,” Scandinavian Journal ofImmunology, vol. 54, pp. 4–9, 2001.[41] P. Matzinger Tolerance, “Danger and the Extended Family,” Annual Review ofImmunology, vol. 12, pp. 991–1045, 1994.[42] S.M. Garrett, “How do we evaluate artificial immune systems?” Evolutionary Computation,vol. 13, no. 2, pp. 145–178, 2005.[43] A.A. Freitas and J. Timmis, “Revisiting the Foundations of Artificial Immune Systems: AProblem-oriented Perspective,” In the Proceeding of Second International Conference on ArtificialImmune Systems (ICARIS), Napier University, Edinburgh, UK, September 1–3, 2003.[44] T, Stibor Philipp Mohr, Jonathan Timmis, and Claudia Eckert, “Is Negative SelectionAppropriate for Anomaly Detection?” In the Proceedings of the Genetic and Evolutionary Computa-tion Conference (GECCO), Washington, D.C., June 25–29, 2005.[45] H. Bersini and F. Varela, “Hints for Adaptive Problem Solving Gleaned from ImmuneNetwork,” In Parallel Problem Solving from Nature, pp. 343–354, 1990.[46] M. Kayama, Y. Sugita, Y. Morooka, and S. Fukuodka, “Distributed diagnosis systemcombining the immune network and learning vector quantization,” Proc. of IEEE 21st Interna-tional Conference on Industrial Electronics and Control and Instrumentation. Orlando, USA.pp. 1531–1536, 1995.[47] Y. Ishida, “Fully Distributed Diagnosis by PDP Learning Algorithm: Towards ImmuneNetwork PDP Model,” Proc. of International Joint Conference on Neural Networks, San Diego, pp. 777–782, 1990.[48] Y. Ishida, “Distributed and autonomous sensing based on immune network,” Proc. of Arti-ficial Life and Robotics, Beppu. AAAI Press, pp. 214–217, 1996.[49] M. Neal, “Meta-Stable Memory in an Artificial Immune Network,” In the Proceedings ofSecond International Conference on Artificial Immune Systems (ICARIS), Napier University,Edinburgh, UK, Sept. 1–3, 2003.[50] P. D’haeseleer, S. Forrest, and P. Helman, “An immunological approach to change detec-tion: Algorithms, analysis, and implications,” In Proc. of the 1996 IEEE Symposium on ComputerSecurity and Privacy, IEEE Computer Society Press, Los Alamitos, CA, pp. 110–119, 1996.[51] S. Forrest, S.A. Hofmeyr, A. Somayaji, and T.A. Longstaff, “A sense of self for Unixprocesses,” In Proc. of 1996 IEEE Symposium on Computer Security and Privacy, 1996.[52] S. Forrest, S. Hofmeyr, and A. Somayaji, “Computer Immunology,” In Communications ofthe ACM, vol. 40, no. 10, pp. 88–96, 1997.[53] A. Somayaji, S. Hofmeyr, and S. Forrest, “Principles of a Computer Immune System,”1997 New Security Paradigms Workshop, pp. 75–82, 1998.[54] S.A. Hofmeyr and S. Forrest, “Immunity by Design: An Artificial Immune System,” InProc. of 1999 GECCO Conference, 1999.[55] S.A. Hofmeyr, A. Somayaji, and S. Forrest, “Intrusion Detection using Sequences of System Calls,” Journal of Computer Security, vol. 6, pp. 151–180, 1998.[56] C. Warrender, S. Forrest, and B. Pearlmutter, “Detecting intrusions using system calls:Alternative data models 1999,” IEEE Symposium on security and Privacy (1999).[57] J. Kim and P. Bentley, “The human Immune system and Network Intrusion Detection,”Proc. of 7th European Congress on Intelligent techniques—Soft Computing (EUFIT’99), Aachan.Germany, Sept. 13–19, 1999.[58] S. Forrest and M.R. Glickman, “Revisiting LISYS: Parameters and Normal behavior,” Inthe Proc. of the Special Track on Artificial Immune Systems, WCCI.-CEC. May 2002.[59] D. Dasgupta, “Using Immunological Principles in Anomaly Detection,” In Proc. of theArtificial Neural Networks in Engineering (ANNIE’96), St. Louis, USA, Nov. 10–13, 1996.[60] D. Dasgupta, K. KrishnaKumar, D. Wong, and M. Berry, “Negative Selection Algorithmfor Aircraft Fault Detection.” In the Proceedings of the Third International Conference, ICARIS2004 on Artificial Immune Systems, Catania, Sicily, Italy, Sept., 2004.[61] T. Oda and T. White, “Immunity from Spam: An Analysis of an Artificial Immune Sys-tem for Junk Email Detection,” In the Proceedings of the Fourth International Conference, ICARIS2005 on Artificial Immune Systems, Banff, Alberta, Canada, pp. 276–289, Aug. 2005.[62] U. Aicklen, P. Bentley, S. Cayzer, J. Kim, and J. McLeod, “Danger Theory: The linkbetween ais and ids,” In the proceedings of the Third International Conference, ICARIS 2003 onArtificial Immune Systems, Edinburgh, UK, pp. 156–167, 2003.[63] J. Balthrop, S. Forrest, and M. Glickman, “Revisiting lisys: Parameters and normal behav-ior,” Proceedings of the Congress on Evolutionary Computation, pp. 1045–1050, 2002.[64] S. Hofmeyr, An immunological model of distributed detection and its application to com-puter security, PhD thesis, University of New Mexico, 1999. [65] J. Kim and W.O. Wilson, “Uwe Aickelin, and Julie McLeod,” Cooperative Auto-mated Worm Response and Detection ImmuNe ALgorithm (CARDINAL) Inspired byT-cell Immunity and Tolerance. In the proceedings of the Fourth International Conference,ICARIS 2005 on Artificial Immune Systems, Banff, Alberta, Canada, pp. 168–181, Aug.2005.[66] S.A. Hofmeyr and S. Forrest, “Architecture for an artificial immune system,” EvolutionaryComputation, vol. 8, no. 4, pp. 443–473, 2000.[67] F. González, D. Dasgupta, and R. Kozma, “Combining negative selection and classifica-tion techniques for anomaly detection,” In Proceedings of the 2002 Congress on Evolutionary Com-putation CEC2002, pp. 705–710.


Advances in artificial immune systems

Documents

Transcript of Advances in artificial immune systems