The role of digital immune systems as a frontier within the field of computer science is our focus in this essay. A digital immune system is defined as a system that, when connected to a network, is capable of autonomously recognizing meaningful patterns in that network's transmitted packets. This recognition ability enables the immune system to build up and rely upon an innate knowledge of the normal operation expected for the various types of transmissions that use the network. In acquiring this ability, time is also spent training the immune system to disregard the many packets that impinge on the network but do not pertain to its functions. This theoretical concept is here applied to the realm of cybersecurity and technology, and fleshed out in terms of mechanisms and applications.
In this essay, we will begin by exploring the relevance of thinking about immune systems with respect to both computer science and cybersecurity. We will then introduce the digital immune systems concept and explain its fundamental characteristics. Then, we will discuss the mechanisms through which these immune systems learn patterns in data. These mechanisms include the following: data receptors that scan and arbitrate incoming patterns, a system labeler that indexes the most common patterns by their function, set-matching education algorithms, and a time-lock component that determines the amount of training time necessary to educate the immune system. Finally, there will be a brief discussion on practical applications of digital immune systems.
Analogies Between Biological and Digital Immune Systems
There are several striking similarities between the biological immune system and its digital analogue, as well as some substantial differences that stem from the limitations of the digital environment. A biological organism produces a wide range of antibodies, each of which attaches to a specific antigen on the surface of a foreign organism; digital immune systems may work on the same principle, using techniques such as signature scanning based on virus definitions or polymorphic-code detection, which rests on something akin to a 'population' approach. Alessandro Giuliani argues that the digital immune system should be unmistakably different from traditional intrusion detection systems, which use signatures or expert systems. Electronic antibodies thus differ from classical security systems, especially since the latter rely on prevention rather than cure, expelling the invading agent or keeping it from entering the protected organism. Also, once an attack has been discovered and understood, the immune-system response time can be less than 20 min. The immune system has, however, also been likened to fire brigades and police services, which do not prevent arson or theft but attend to the consequences.
The immune system can also be seen as an instance of the 'ecological view' of cybernetics, which Burke defines as 'the paradigm within cybernetics that focuses on large-scale networks of information processing'. According to Burke's definition, the biological immune system is a subsystem of the organism, interacting with and responding to external events, as well as with sub- and supra-systems. In this approach, the organism can be seen as a node in a system of system relations. Due to the high levels of complexity and statistical nature of the immune system's performance, the Dutch 'Virtual Laboratory' applies the ecological viewpoint. Despite some valid analogies, there are intentions and interpretations in applying the ecological view to digital immune systems that are obviously misleading.
Components of Digital Immune Systems
In the 21st century, the security of digital infrastructure is of significant importance. Companies and organizations cannot ignore one simple fact: systems handling proprietary data or business interactions are among the most sought-after targets of intrusion. Digital companies therefore invest large portions of their venture's worth in protecting their infrastructure and their data against unauthorized access. Just as in an organism's immune system, the components of digital immune systems range from intelligent, general-purpose components such as Intrusion Detection Systems to specialized, small-scale systems such as virus scanners or dedicated malware detectors. An overview of these components, and of their interplay, follows.
IDS are systems that monitor network activity, or audit the resulting logs, for illicit or unauthorized traffic and protocols. To work in practice, they must rely on extensive descriptions of the protected system's valid behavior. For ease of application, this is often reduced to excluding any behavior that is not explicitly allowed. IDS compile extensive knowledge about the system; many tools use a long list of rules describing what behavior can be deemed unsafe on an IT system. Virus scanners are software packages that inspect new data packets or files for the signatures of known, unauthorized agents. In terms of the biological analogy, these dedicated detectors simply look for the signs of an infection. Malware detectors are agents specialized in detecting known malicious code as it is transferred across the network. Beyond these dedicated components, the hosts on the local network (desktops and file servers that are attached to the LAN but not directly to the internet) form a non-dedicated extension of the protected realm; the IDS discussed above and all other non-dedicated security measures need to be duplicated for this realm as well.
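The signature scanning described above, as an added example that is not part of the original essay: a minimal scanner that checks a payload against two kinds of signature, an exact whole-object hash and a tolerant byte pattern. The sample payload, the signature names and the patterns are all constructed for the demonstration and are not real malware indicators. The example also shows the weakness the essay's 'polymorphic-code' remark points at: one appended byte defeats the hash signature while the pattern signatures still match.

```python
import hashlib
import re

# Constructed sample standing in for a known-bad file. Not a real indicator.
KNOWN_BAD_SAMPLE = b"MZ\x90\x00DEMO-TEST-EXECUTABLE This program cannot be run in DOS mode"

# Hash signatures: exact match of the whole object only.
HASH_SIGNATURES = {
    hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest(): "demo.exact_file_match",
}

# Pattern signatures: tolerate surrounding bytes, so they survive small edits.
PATTERN_SIGNATURES = [
    # A DOS/PE executable header appearing anywhere inside a payload.
    (re.compile(rb"MZ.{0,128}?This program cannot be run in DOS mode", re.S),
     "demo.executable_in_payload"),
    # Constructed marker standing in for a code fragment shared by a family.
    (re.compile(rb"DEMO-TEST-EXECUTABLE"), "demo.family_marker"),
]


def scan(payload: bytes) -> list[str]:
    """Return the names of every signature that matches the payload."""
    hits = []
    digest = hashlib.sha256(payload).hexdigest()
    if digest in HASH_SIGNATURES:
        hits.append(HASH_SIGNATURES[digest])
    for pattern, name in PATTERN_SIGNATURES:
        if pattern.search(payload):
            hits.append(name)
    return hits


def scan_stream(chunks, window: int = 256) -> list[str]:
    """Scan packet payloads as they arrive, keeping a sliding window so a
    pattern split across two packets is still found. Hash signatures can
    only fire when the window happens to hold the complete object."""
    buffered = b""
    hits = set()
    for chunk in chunks:
        buffered = (buffered + chunk)[-window:]
        hits.update(scan(buffered))
    return sorted(hits)


if __name__ == "__main__":
    print(scan(KNOWN_BAD_SAMPLE))
    print(scan(KNOWN_BAD_SAMPLE + b"\x00"))      # hash signature no longer fires
    print(scan_stream([KNOWN_BAD_SAMPLE[:10], KNOWN_BAD_SAMPLE[10:]]))
```

Hash signatures are cheap and precise but brittle; pattern signatures trade some precision for resilience, which is why real scanners combine both with the behavioral and anomaly-based methods discussed later in the essay.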
Intrusion Detection Systems
Intrusion detection systems are considered some of the most important components of digital immune systems, as they are designed to identify situations in which a system is under attack or may be under attack, has been compromised, is suffering from an operational anomaly (such as turning into a "zombie"), or is simply the object of illegal or unauthorized accesses, or of accesses that violate the policy of the system or its owner. IDSs are expected to respond to the increasing variety of cyber threats, since the conventional firewall can no longer handle most of them: its role is essentially limited to acting in an "all or nothing" fashion, using rudimentary policies that simply open or close doors defined at configuration time through very simplistic programs or rules. As the "Keeper of the Keys and Guardian of the Door", the firewall seems incapable of preventing the increasing number of security breaches that exploit flaws and vulnerabilities in the software installed on the protected networks; an event-driven technology of this kind cannot defend against what it does not know and has no means of detecting.
The purposes of a Digital Immune System - covering the functions of the infrastructure it is built into and the data that it uses and processes - are to be adaptive and able to react promptly (quickness), to reflect the policy of the digital environment, to provide its services (processing incoming data streams) continuously, to provide long-lived service and capability growth, and to defend against a variety of threat types (i.e. to be multi-function). If these sound familiar to a neuroscientist, it is not surprising, as the Digital Immune System is built around a functional model of biological immune systems to cope with the increasingly hostile network environment of the 21st century.
Virus Scanners and Malware Detectors
Virus scanners are used to identify (and possibly also remove) viruses or other types of harmful software on digital devices. In antivirus software, harmful software is almost always called malware – the colloquial term for malicious code of any sort. Throughout this text, viruses and other forms of malware are referred to collectively as 'viruses'. Virus scanners range from simple virus scanners through to full Internet security suites. Simple virus scanners for PCs do little more than identify and remove viruses. Increasingly, however, software of this kind also monitors how users access the Internet. Particularly secure (and more expensive) programs also manage the installation of available security patches for the Microsoft Windows operating system as well as for other installed applications. If anti-virus scans either take too long or produce excessive false positives, such programs frequently block harmful or faulty processes instead of merely deleting the affected file.
Virus scanners for larger networks not only monitor network operations but may also work permanently with extensive and frequently updated databases. Intrusion protection systems not only detect and contain cyber-attacks but are equally adept at recognizing when data is being taken out of a system. A whitelisting application does not block classes of software (the stance in which 'everything is allowed that is not explicitly forbidden'); it applies the 'default-deny' principle ('everything is blocked that is not explicitly allowed'). An advantage of the 'default-deny' principle is that it is easy to configure, provided the system was 'snapshotted' before it went into operation and only changes from that snapshot are monitored. Whitelisting and 'default-deny' technologies thus correspond to configurations that take the state at a reboot as their snapshot. They must therefore not mistake valid software for a virus. Whitelisting breaks down when new versions of a program keep coming out. Malware detection works independently of whitelisting, which makes it necessary to regularly deliver patches and update the program parameters. Software development (programming) can also be carried out independently of the whitelisting software. Whitelisting or 'default-deny' is, however, a useful additional line of defense.
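The snapshot-based 'default-deny' whitelisting just described, as an added example that is not from the original essay: the install tree is hashed before going into operation, and afterwards anything not on that allowlist (a new file, or a file whose hash changed) is denied. The directory layout and file contents are constructed inside a temporary directory for the demonstration. The demo also reproduces the failure the essay notes, a vendor update changing a legitimate binary, which default-deny reports exactly like an unknown file.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in blocks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def take_snapshot(root: Path) -> dict[str, str]:
    """Record the hash of every file under root. Taken before the system
    goes into operation, this snapshot becomes the allowlist."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def check_default_deny(root: Path, allowlist: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current state of root against the allowlist.

    Anything not explicitly allowed is denied: new files and modified files
    are both reported. Files that disappeared are listed separately, since the
    snapshot also describes what is expected to be present.
    """
    current = take_snapshot(root)
    verdict = {"allowed": [], "denied_new": [], "denied_modified": [], "missing": []}
    for rel, digest in current.items():
        if rel not in allowlist:
            verdict["denied_new"].append(rel)
        elif allowlist[rel] != digest:
            verdict["denied_modified"].append(rel)
        else:
            verdict["allowed"].append(rel)
    verdict["missing"] = sorted(set(allowlist) - set(current))
    return verdict


def demo() -> dict[str, list[str]]:
    """Constructed scenario: snapshot a small install tree, then apply a
    vendor update, add an unknown binary and remove a helper."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"app v1.0")
        (root / "bin" / "helper").write_bytes(b"helper v1.0")
        allowlist = take_snapshot(root)

        (root / "bin" / "app").write_bytes(b"app v1.1")         # legitimate update: hash changes
        (root / "bin" / "unknown_tool").write_bytes(b"unknown") # file the snapshot never saw
        (root / "bin" / "helper").unlink()
        return check_default_deny(root, allowlist)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

Because the updated binary lands in the same bucket as the unknown one, a production allowlist has to be re-snapshotted (or fed signed vendor hashes) as part of every patch cycle; this is the operational cost the essay alludes to when it says whitelisting breaks down as new program versions keep appearing.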
Firewalls and Network Security Measures
The primary line of defense for networked computer systems is composed of firewalls. Firewalls come in two forms: hardware-based and software-based. Hardware firewalls are actually small routers with one side connected to the internet and the other side attached to the computer network. They prevent access from outside users and allow access to a select group of users on the inside computer network. It is also possible to place a hardware firewall between two subnets, protecting one subnet from another. Alternatively, software-based firewalls can be installed as an application on individual systems. This software firewall will verify each packet as it enters the system and determine if it should be allowed.
Firewalls can take on a number of configuration setups depending on the level of trustworthiness of the network to the outside world. A firewall is an essential ingredient of the digital immune system for the following reasons. The main function of the firewall is to regulate network traffic. It offers a degree of access control. By keeping logs of network traffic, it is possible to trace the patterns of incoming attacks.
Access control can prevent unauthorized entry to the network. Firewalls also act as a vector for deploying network services: where the firewall acts as the email or web server, it is the first point of contact for any email or HTTP traffic. Firewalls act as a barrier for the dedicated server. In agile networks, hackers will usually start by scanning TCP ports on an entire range of IP addresses. This usually brings up a lot of false positives (open ports used by file-sharing applications such as Kazaa) and is resource-intensive for the attacker. The firewall can be used to offload this burden from the dedicated server, and it is less likely to produce false alerts because it supervises many TCP ports rather than a few dedicated services. As an added security measure, some firewalls can be configured to refuse connections to a port outright, or to inspect a connection before accepting it, making port scans harder to carry out. When a suspect packet or stream of packets is traced back to its source, information is gained about who sent it and which network the attack originated from. Public-key infrastructures are set up by certification authorities that provide a centralized way of maintaining a register of everyone who is allowed access to a system and the privileges they are granted.
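The two firewall roles described in the last three paragraphs, per-packet access control and using the drop log to recognize a port sweep, as one added example that is not part of the original essay. The rule set, the packet records and the addresses (documentation ranges) are constructed for the demonstration; the rule format and the `Packet` and `Rule` names are assumptions of this example, not any product's configuration syntax. First matching rule wins, unmatched traffic is dropped, and the scan detector counts distinct destination ports per source over a time window, which is what lets the firewall see a sweep that any single service would miss.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int
    ts: float    # seconds since start of capture


@dataclass(frozen=True)
class Rule:
    src_net: str  # CIDR the source address must fall in
    proto: str
    dport: int
    action: str   # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto == self.proto and pkt.dport == self.dport
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net))


# Constructed policy: HTTPS and SMTP from anywhere, SSH only from the inside.
RULES = [
    Rule("0.0.0.0/0", "tcp", 443, "allow"),
    Rule("0.0.0.0/0", "tcp", 25, "allow"),
    Rule("10.0.0.0/8", "tcp", 22, "allow"),
]


def filter_packet(pkt: Packet, rules=RULES) -> str:
    """First matching rule wins; anything not explicitly allowed is denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def process(packets, rules=RULES):
    """Return the decision for every packet and the drop log for later analysis."""
    decisions, drop_log = [], []
    for pkt in packets:
        action = filter_packet(pkt, rules)
        decisions.append(action)
        if action == "deny":
            drop_log.append(pkt)
    return decisions, drop_log


def detect_port_scans(drop_log, window: float = 60.0, min_ports: int = 10) -> dict[str, int]:
    """Flag sources whose dropped packets hit at least min_ports distinct
    destination ports within `window` seconds. A client stumbling onto one
    closed port never reaches the threshold; a sweep does."""
    by_src = defaultdict(list)
    for pkt in drop_log:
        by_src[pkt.src].append(pkt)
    scanners = {}
    for src, pkts in by_src.items():
        pkts.sort(key=lambda p: p.ts)
        lo = 0
        for hi in range(len(pkts)):
            while pkts[hi].ts - pkts[lo].ts > window:
                lo += 1
            ports = {p.dport for p in pkts[lo:hi + 1]}
            if len(ports) >= min_ports:
                scanners[src] = max(scanners.get(src, 0), len(ports))
    return scanners


def constructed_traffic():
    """Constructed capture: normal clients, one policy violation, one sweep."""
    pkts = [
        Packet("203.0.113.5", "192.0.2.10", "tcp", 443, 0.0),   # web client: allowed
        Packet("203.0.113.5", "192.0.2.10", "tcp", 8080, 1.0),  # one stray hit: dropped
        Packet("198.51.100.7", "192.0.2.10", "tcp", 22, 2.0),   # SSH from outside: dropped
        Packet("10.1.2.3", "192.0.2.10", "tcp", 22, 3.0),       # SSH from inside: allowed
    ]
    # One source probing ports 1..15 within a few seconds.
    pkts += [Packet("198.51.100.9", "192.0.2.10", "tcp", port, 10.0 + port * 0.5)
             for port in range(1, 16)]
    return pkts


if __name__ == "__main__":
    decisions, drops = process(constructed_traffic())
    print(decisions)
    print(detect_port_scans(drops))
```

Logging drops as structured records rather than free text is what makes the second function possible; the same per-source, per-window aggregation runs unchanged over a real firewall's drop log once the parsing step is added.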
Adaptive and Self-Learning Capabilities of Digital Immune Systems
One of the fundamental characteristics of immune systems is to adapt according to prevailing conditions. This tenet is effectively exhibited by digital immune systems, which are capable of reacting to occurring security breaches and are based on the adaptive and self-learning abilities of biological immune systems. Since digital immune systems have these capabilities, they can autonomously adapt and continue developing their defensive strategies at their own pace, given an induction period of conceptual orientation, to counter new and emerging threats in a multilayered security defense system. Decision-making in immune systems is based on the evaluation of complementary information or the reinforcement of individual stimuli by the integration of global perceptions regarding the state of health of an organism. The large-scale online response integrated during the decision-making process is achieved by cross-linked action taken by different components.
Digital immune systems are therefore conceived not as static frameworks but as dynamic entities that continuously acquire experience by responding to potential threats embedded in a particular situation or environment. Especially in critical national infrastructures, such as the energy infrastructure, where changes to the infrastructure are common, digital immune systems should evolve dynamically as well in order to retain a decisive influence on emerging cybersecurity issues. Thus, an immune system can continuously refine the response of immune cells and their products against hazardous events. Through this continuous process of quantitative and qualitative development, the immune system will successively improve its capability to respond to an extended range of harmful substances.
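The learning behaviour the essay describes in its opening (a training period during which normal traffic patterns are memorized and irrelevant packets are disregarded, gated by a 'time-lock') together with the adaptive refinement of the last two paragraphs, as one added example that is not from the original essay. The `TrainedBaseline` class, the packet dictionaries and the traffic mix are constructed for the demonstration; the essay names these components but does not specify an algorithm, so the frequency-based surprise score used here is this example's own choice. Traffic to hosts outside the protected set is ignored entirely; during training everything else is learned and nothing flagged; afterwards a packet's score is the negative log-probability of its (host, protocol, port) pattern, and packets scored as normal keep refining the baseline so it follows gradual changes in the network.

```python
import math
from collections import Counter


class TrainedBaseline:
    """Learn 'normal' during a fixed training window, then flag deviations."""

    def __init__(self, training_seconds: float, threshold_bits: float, protected_hosts):
        self.training_seconds = training_seconds   # the time lock
        self.threshold = threshold_bits
        self.protected_hosts = set(protected_hosts)
        self.start_ts = None
        self.counts = Counter()                    # pattern -> times seen
        self.total = 0

    @staticmethod
    def _key(pkt):
        # The learned pattern: which service (protocol/port) a host receives.
        return (pkt["dst"], pkt["proto"], pkt["dport"])

    def _learn(self, key):
        self.counts[key] += 1
        self.total += 1

    def surprise(self, key) -> float:
        """Bits of surprise for a pattern; Laplace smoothing keeps an unseen
        pattern finite but high instead of infinite."""
        p = (self.counts[key] + 1) / (self.total + len(self.counts) + 1)
        return -math.log2(p)

    def observe(self, pkt):
        """Feed one packet. Returns None while training (or for traffic that
        is not ours), otherwise the surprise score."""
        if pkt["dst"] not in self.protected_hosts:
            return None                            # not this network's traffic: disregard
        if self.start_ts is None:
            self.start_ts = pkt["ts"]
        key = self._key(pkt)
        if pkt["ts"] - self.start_ts < self.training_seconds:
            self._learn(key)                       # time lock still closed: learn only
            return None
        score = self.surprise(key)
        if score < self.threshold:
            self._learn(key)                       # normal traffic keeps refining the baseline
        return score

    def is_anomalous(self, pkt) -> bool:
        score = self.observe(pkt)
        return score is not None and score >= self.threshold


def constructed_demo() -> dict[str, bool]:
    """Constructed traffic: 60 s training, 80% HTTPS and 20% DNS to the protected
    server, plus chatter to an unrelated host, then four post-training packets."""
    srv = "192.0.2.10"
    baseline = TrainedBaseline(training_seconds=60.0, threshold_bits=5.0, protected_hosts={srv})
    ts = 0.0
    for i in range(100):
        dport, proto = (443, "tcp") if i % 5 else (53, "udp")
        baseline.observe({"ts": ts, "dst": srv, "proto": proto, "dport": dport})
        baseline.observe({"ts": ts, "dst": "192.0.2.99", "proto": "tcp", "dport": 9999})
        ts += 0.5
    later = 100.0                                  # well past the time lock
    return {
        "web": baseline.is_anomalous({"ts": later, "dst": srv, "proto": "tcp", "dport": 443}),
        "dns": baseline.is_anomalous({"ts": later, "dst": srv, "proto": "udp", "dport": 53}),
        "unseen_port": baseline.is_anomalous({"ts": later, "dst": srv, "proto": "tcp", "dport": 4444}),
        "unprotected_host": baseline.is_anomalous({"ts": later, "dst": "192.0.2.99", "proto": "tcp", "dport": 4444}),
    }


if __name__ == "__main__":
    print(constructed_demo())
```

The post-training learning step is what gives the system the continuous adaptation the essay calls for, and it is also where a practitioner has to be careful: because anything scored as normal is absorbed into the baseline, a slow shift in traffic is followed without alarm, so the learning rate, the threshold and the composition of the training window all need to be reviewed rather than set once.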
Challenges and Future Directions in Digital Immune System Research
The initial idea behind the use of AIS (artificial immune systems) for the digital domain was mainly intrusion detection. Over the years, more diverse avenues for digital immune systems have been suggested, yet a review found that almost all proposed digital immune systems implement some form of anomaly detection. Oftentimes, intrusion detection systems are likened to digital immune systems, essentially reducing the digital immune system architecture to nothing more than an anomaly detector. Even where attackers evolve along with the system, this adaptation has occurred at a high level, not in the overall architecture itself. It is apparent in the related research that the entirety of the digital immune system must adapt, not just the immunity.
The field of digital immunity, while it has good support from the AIS community, has limitations as well. Optimization of even small digital immune systems, with about 6-30 variables, could have enormous parameter spaces with up to 10^90 possibilities, so it is not currently viable to perform exhaustive optimization of larger systems. Multiple methods are temporally robust, or non-algorithmic, and these methods seem to account for the majority of the literature in AIS, so more work in algorithmic digital immune systems may be warranted to further widen the area of digital immunity research. Though AIS are already limited in their ability to make definite influences due to the digital immune system's inclusion of humans in the loop, there are still concerns about bio-immune systems being too unpredictable to apply.