
Design and Implementation of Artificial Immune System for Detecting Flooding Attacks

Najla Badie Ibraheem Al-Dabagh
Department of Computer Science, College of CS and Mathematics, University of Mosul, Mosul, Iraq
[email protected]

Ismael Ali Ali
Department of Computer Science, Faculty of Science, University of Zakho, Zakho, Iraq
[email protected]

ABSTRACT

Network-based denial of service (DoS) attacks remain a major challenge for researchers in network security. This paper addresses a widespread DoS attack, the TCP SYN flood, and presents the design and implementation of an Artificial Immune system for SYN flood Detection (AISD) based on the Dendritic Cell Algorithm (DCA). The AISD system detects a generated SYN flood attack and responds to its generator in real time. The performance and accuracy of the system were evaluated in five experiments, which showed a detection precision of 100% with a notable response speed; this demonstrates the benefit and suitability of artificial immune systems for network security problems.

KEYWORDS: network security, fault tolerance, biocomputing, SYN flooding attack, artificial immune system, dendritic cell algorithm

1. INTRODUCTION

The growing use of, and dependence on, networks is accompanied by new security challenges in the form of network attacks. Denial of Service (DoS) is the most significant class of attacks; it targets a specific service on the victim machine and prevents it from providing that service, mostly by targeting services that depend on the Transmission Control Protocol (TCP). The problem handled in this work is the TCP SYN flood attack, abbreviated as SYN flooding, in which the attacker floods the targeted service on the victim machine with a barrage of connection request (SYN) packets [1].

Artificial Immune Systems (AIS) are a collection of algorithms inspired by the functions, behaviors and models of the natural human immune system, developed after meetings between computer scientists and immunologists [2]. Different AIS approaches have been applied to network security problems [3]. The algorithm used in the AISD system is the Dendritic Cell Algorithm (DCA) [4]. This algorithm is a 'second generation' AIS and is based on an abstract model of the behavior of dendritic cells (DCs) [5]. DCs have the most important role in detecting malicious agents in the body. The AISD system focuses on some properties of DC behavior, one of which is compartmentalization.

Availability is often the most important attribute of service-oriented systems [6]. Because of the openness of the Internet and the wide availability of intrusion (hacking) tools, many Internet services have been targeted by intruders with DoS attacks. More than 90% of DoS attacks are flooding attacks and use the TCP protocol [7]. Thus hosts that provide TCP-based services on the Internet, such as the Hyper Text Transfer Protocol (HTTP), are frequent DoS targets. Among DoS attacks, SYN flooding has received international attention: in February 2000, major Internet sites including CNN, Yahoo and Amazon suffered SYN flood attacks, and CNN and other victims claimed that the attacks caused damages totaling 1.7 billion dollars [8].

The aim of this paper is to apply the DCA to detect the SYN flooding attack and find its generator while remaining tolerant of the other hosts in the network. To achieve this, the DCA correlates the different malicious and suspicious activities in the network in which the attack occurs. The AISD system can therefore detect internal intrusive activity with low computational effort, which keeps the system itself safe from flooding attacks. The same idea exists in the human body, when the behavior of a self (internal) cell changes in an anomalous way for internal or external reasons and damages the neighboring cells and the overall tissue.

978-1-61284-383-4/11/$26.00 ©2011 IEEE 381

2. RELATED WORK

Different approaches have been proposed and implemented to detect SYN flooding attacks, such as state machines, firewalls and classifiers. However, most previous work on countering the attack focused on mitigating the flooding effect on the victim rather than on detecting the attack and finding its generator. Bernstein et al. [9] developed SYN cookies, which encode most of the TCP connection state into the sequence numbers transmitted back to clients. The drawback of this scheme is the overhead of computing the cookies during an attack. The SynDefender firewall [10] works as a proxy: it intercepts the SYN requests from clients and sends the SYN/ACK packet on behalf of the server. The weakness here is the additional workload and processing within the firewall, which may not cope with a high-rate attack. Schuba et al. [11] classified IP addresses in the network with a tool called Synkill, which operates as a state machine. The disadvantage of this approach appears when the attacker's IP addresses do not repeat; in that case Synkill cannot use the information contained in its database and state machine. The SYN cache [12] presented by Lemon reduces the state kept for each received SYN packet on the server side, and delays the full allocation of the Transmission Control Block (TCB), which holds the connection state, until the connection is completed. The drawback of this work is shown by the discussion in the same paper: under normal behavior the normal connection process is delayed by a noticeable time because of the processing flow in the system, and during an actual attack the system's performance in building normal connections is reduced by about 15% compared with the normal case [12]. Xiao et al. [13] built a classifier for IP addresses using a method called DelAy pRoBing (DARB), in which half-open connections are categorized as normal or abnormal. The idea is based on properties that appear in normal half-open connections caused by network congestion but are absent from abnormal half-open connections, observed through the delay in data transmission between the client and server machines.

All of these defense mechanisms are stateful, i.e. state is maintained for each TCP connection or state computation is required, which makes the defense mechanism itself vulnerable to flooding attacks. By using the DCA, the designed AISD system is more reliable and efficient in the detection process, because it correlates environmental changes with the suspicious data over time. Furthermore, the system avoids any dependence on TCP protocol states and keeps itself lightweight by working in listening mode.

3. BACKGROUND

Denial of service attacks consume the resources of a victim host or network that would otherwise be used to serve legitimate users. A brief description of the TCP protocol and the SYN flooding attack is required first.

3.1. Transmission Control Protocol (TCP)

TCP/IP is the suite of networking protocols currently in use on the Internet; TCP is its connection-oriented, reliable transport protocol [14]. TCP establishes a connection in a three-step process called the 3-way handshake, shown in Fig. 1.

When a SYN packet arrives at a destination port on which a TCP server is in the LISTEN state, a backlog queue of finite size keeps track of the number of concurrent connections that can be in the half-open state, called SYN_RECEIVED. This queue typically empties quickly, since the ACK packet is expected to arrive within a few milliseconds after the SYN/ACK packet. When the maximum number of half-open connections per port is reached (the backlog queue is full), TCP discards all new incoming connection requests until some of the half-open connections are cleared or completed [15].

3.2. TCP SYN Flood Attack

The SYN flood attack exploits the TCP 3-way handshake mechanism and its limit on the number of half-open connections it can maintain. Hence any system connected to the Internet and providing TCP-based network services, such as a web server, FTP server or mail server, is potentially subject to this attack. Under normal conditions, when a server receives a SYN request it sends a SYN/ACK packet back to the client and waits for the client's acknowledgment. The attacker host instead generates TCP SYN request packets with spoofed source IP addresses toward a victim host, a server machine whose TCP module is in the LISTEN state. The server's TCP connection buffers are allocated and rapidly exhausted, so new legitimate connections cannot be established and all new incoming SYN requests are dropped. Furthermore, many other system resources, such as CPU and the network bandwidth used to retransmit the SYN/ACK packets, are occupied [11] (Fig. 2).

Figure 1. TCP 3-Way Handshake Process

Figure 2. TCP SYN Flooding Attack

Before the SYN/ACK packet is acknowledged by the client, the connection remains in the half-open state for a period of up to the TCP connection timeout; the half-open connection is not closed until two retransmissions have failed. The server keeps a backlog queue in system memory to hold all half-open connections. The victim host sends a SYN/ACK packet back to the spoofed source address and adds an entry to the connection queue. Since the SYN/ACK packets are destined for an incorrect (spoofed) or non-existent host, the next step of the 3-way handshake is never completed and the connection entry remains in the backlog queue until a timer expires, typically after about one minute [15]. By generating a barrage of TCP request packets from a spoofed host at a rapid pace, it is possible to fill up the connection queue and deny TCP services such as e-mail, file transfer or web service to legitimate users. The challenge is how to trace back the originator of the attack, because the IP addresses in the source IP field of the generated packets are forged.
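A sniffer placed on the attacking host, as the AISD design later does, sees the handshake from the other side: SYNs going out, SYN/ACKs coming back (or not), and the size of each packet. The following Python is an added example of that per-packet classification; it is not code from the paper or from the AISD implementation. The packets are constructed inline with zeroed checksums, and the addresses 10.0.0.5, 10.0.0.80 and 10.0.0.9 are hypothetical. It also shows why a header-only SYN is 40 bytes (20-byte IPv4 header plus 20-byte TCP header), the value Section 5.2 relies on for the safe signal.

```python
import struct
from collections import Counter

# Added example (not from the paper): parse IPv4/TCP headers the way a
# promiscuous-mode sniffer sees them, classify each packet by TCP flags, and
# count per-direction SYN, SYN/ACK and ACK traffic for one monitored host.

TH_FIN, TH_SYN, TH_RST, TH_PSH, TH_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_packet(src, dst, sport, dport, flags, payload=b""):
    """Construct a minimal IPv4 + TCP packet (checksums zeroed; constructed
    sample, not captured traffic). A header-only packet is exactly 40 bytes."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_packet(raw):
    """Return (src, dst, flags, length) for an IPv4/TCP packet, else None."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4          # IPv4 header length in bytes
    if raw[9] != 6 or len(raw) < ihl + 20:   # protocol 6 = TCP
        return None
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    flags = raw[ihl + 13]              # TCP flag byte follows the data offset byte
    return src, dst, flags, len(raw)


def classify(flags):
    """Map the TCP flag byte to the handshake step it represents."""
    if flags & TH_SYN and flags & TH_ACK:
        return "SYN/ACK"
    if flags & TH_SYN:
        return "SYN"
    if flags & TH_ACK:
        return "ACK"
    return "OTHER"


def summarize(packets, host_ip):
    """Per-direction handshake counts and mean outgoing size for host_ip."""
    counts = Counter()
    out_bytes = out_pkts = 0
    for raw in packets:
        parsed = parse_packet(raw)
        if parsed is None:
            continue
        src, dst, flags, length = parsed
        kind = classify(flags)
        if src == host_ip:
            counts["out_" + kind] += 1
            out_bytes += length
            out_pkts += 1
        elif dst == host_ip:
            counts["in_" + kind] += 1
    avg_out = out_bytes / out_pkts if out_pkts else 0.0
    return dict(counts), avg_out


# Constructed sample: host 10.0.0.5 fires five header-only SYNs at 10.0.0.80
# (only one is ever answered) plus one normal exchange with 10.0.0.9.
SAMPLE = [build_packet("10.0.0.5", "10.0.0.80", 40000 + i, 80, TH_SYN) for i in range(5)]
SAMPLE += [
    build_packet("10.0.0.80", "10.0.0.5", 80, 40000, TH_SYN | TH_ACK),
    build_packet("10.0.0.5", "10.0.0.9", 50000, 443, TH_SYN),
    build_packet("10.0.0.9", "10.0.0.5", 443, 50000, TH_SYN | TH_ACK),
    build_packet("10.0.0.5", "10.0.0.9", 50000, 443, TH_ACK),
    build_packet("10.0.0.5", "10.0.0.9", 50000, 443, TH_ACK | TH_PSH, b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE, "10.0.0.5"))
```

On the constructed sample the host sends six SYNs but receives only two SYN/ACKs, and its mean outgoing packet size sits just above 40 bytes; those two quantities are exactly the raw material for the PAMP and SS signals defined in Section 5.2.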

4. THE DENDRITIC CELL ALGORITHM (DCA)

The DCA is based on the role of dendritic cells in the natural immune system as activators of the immune response [16]. It has been shown experimentally that dendritic cells (DCs) process danger signals and indicators of disorder in the tissues. Before the DCA itself, the function of biological dendritic cells needs to be explained; the algorithm is then clarified.

4.1. Dendritic Cells (DCs)

The immune system is a decentralized, robust, complex and adaptive system. It performs its function through the self-organized interaction of a diverse set of cell populations. Classically, immunology has focused on the body's ability to discriminate between protein molecules belonging to 'self' and 'non-self'. This traditional theory was challenged by the research of the immunologist Matzinger [5], who built a new model of the working of the natural immune system, and numerous problems with the self/non-self paradigm have been uncovered. For example, if the immune system is tuned to respond only to non-self, why do autoimmune diseases occur? Why do the intestines contain millions of bacteria, yet the immune system does not react against these colonies of non-self invaders? [17]

The DCA is inspired by the behavior of dendritic cells, whose primary role is that of professional antigen presenting cells (APCs). DCs behave very differently from other natural immune system cells. Natural DCs are APCs that are capable of fusing and processing multiple signals from separate sources, and whose purpose is to collect, process and present antigen to T-cells in the lymph nodes.

DCs exist in one of three states of differentiation at any one point in time, termed immature, semi-mature and mature [17]. The mechanism by which DCs process signals is complicated, and the three signal concentrations are fused within the cell to influence the resulting output. Fig. 3 outlines the DC states, their corresponding functions and the differentiation pathways [18]. The direction of DC differentiation is determined by comparing the cumulative semi-mature and cumulative mature output values. PAMPs (pathogen-associated molecular patterns) are molecules produced by microorganisms and are indicators of microbial presence or of an abnormal condition. Safe signals (SS) are the opposite of danger signals (DS) and are released as a result of normal, planned cell death.

Figure 3. An Abstract View of DC Maturation and Signals Required for Differentiation. CKs Denote Cytokines

If the cumulative semi-mature value is greater than the cumulative mature value, the DC becomes semi-mature; otherwise it becomes mature. A semi-mature DC assigns context '0' to its sampled antigens, whereas a mature DC assigns context '1'. At the end, each antigen type has a binary string of contexts from which an anomaly coefficient, the MCAV (mature context antigen value), is calculated as the number of '1' contexts divided by the total number of contexts. A context of '1' means the DC handled an anomalous antigen, whereas '0' means it handled a normal antigen [16]. Inflammation signals are various immune-stimulating molecules that can be released as a result of injury. DCs have the ability to correlate the signal information with the collected antigen to provide a 'context' for the categorization of antigen. If antigen is collected in an environment of danger and PAMP signals, the context of the cell is 'anomalous' and all antigen collected by the cell is deemed a potential intruder. Conversely, if the environment contains mainly safe signals, the context of the cell is 'normal' and all collected antigen is deemed non-threatening. The context is thus used to determine whether an antigen is derived from a potential invader [17].

4.2. Algorithm Overview

Artificial Immune Systems have been applied to problems in computer security since their development in the 1990s [19]. A recent addition to the AIS family is the DCA, which, unlike other AISs, does not rely on pattern matching of strings (termed antigen). The DCA was developed as part of an interdisciplinary project known as the 'Danger Project' [20]. Several key properties of DC biology are used to form the abstract model from which the DCA is produced: compartmentalization, differentiation, antigen processing, signal processing and populations. Compartmentalization provides two separate areas: the 'tissue', the sampling location, and the 'lymph node', the analysis location. While in the lymph node, DCs present antigen coupled with context signals, which is interpreted and translated into an immune response. The AISD system focuses on the property of compartmentalization [17]. DCs are sensitive to differences in the concentration of various molecules found in their tissue environment [21]. The DCA is a population-based system, i.e. a population of cells [17].

The purpose of the DCA is to correlate different data streams in the form of antigen and signals. It provides information on how anomalous a group of antigen is through an anomaly coefficient, the MCAV (mature context antigen value). The signals used are pre-normalized and pre-categorized with respect to the behavior of the system being monitored. The signal categorization is based on the four-signal model: PAMP, danger signals, safe signals and inflammation. The co-occurrence of antigen with high or low signal values forms the basis for categorizing the antigen data [17].

The output signal value from the cell representing the costimulatory molecules (CSMs) is used as a marker of maturation, enforcing a limit on the time a cell spends sampling before migrating to the lymph node. The CSM value is incremented in proportion to the quantity of input signals received; the input signals are combined into CSM using a simple weighted sum. Once CSM reaches a 'migration' threshold, the cell ceases signal and antigen collection and is removed from the population for analysis [17]. Equation (1) shows the general form of the signal processing, where Pw are the PAMP-related weights, Dw the danger signal weights and Sw the safe signal weights. In this generic form of the signal processing equation, Pn, Dn and Sn are the input signal values of category PAMP (P), danger (D) or safe (S) for all signals (n) of that category, assuming that there may be multiple signals per category, and I represents the inflammation signal. The sum is computed three times, once per output signal, to obtain the interim output values for the CSM, semi-mature and mature outputs. These values are cumulatively summed over time. The weights for this equation are shown in Table 1 [18]. Upon removal from the population the cell is replaced by a new cell to keep the population size static. Each DC is assigned a different migration threshold. Pseudocode for the functioning of a single cell is presented in Algorithm 1, DCA-1 [17].

Algorithm 1: DCA-1 Algorithm

input : Signals from all categories and antigen
output: Antigen plus context values (0/1)
initialiseDC;
while CSM output signal < migration threshold do
    get antigen;
    store antigen;
    get signals;
    calculate interim output signals;
    update cumulative output signals;
end
cell location update to lymph node;
if semi-mature output > mature output then
    cell context is assigned as 0;
else
    cell context is assigned as 1;
end
kill cell;
replace cell in population;

Table 1. Weights Used For Signal Processing

Output signal   PAMP   Danger Signal (DS)   Safe Signal (SS)
CSM              2            1                    2
Semi             0            0                    3
Mat              2            1                   -3

Algorithm 2: DCA-2 Algorithm

input : list of antigen plus context values per experiment
output: MCAV coefficient per antigen type
for all antigen in total list do
    increment antigen count for this antigen type;
    if antigen context equals 1 then
        increment antigen type mature count;
    end
end
for all antigen types do
    MCAV of antigen type = mature count / antigen count;
end

The MCAV is the mean context value per antigen type. Pseudocode for the generation of the MCAV is given in Algorithm 2, DCA-2 [17]. The closer the MCAV is to one, the more likely it is that the majority of the antigen existed in the tissue at the same time as a set of danger signals. Antigens collected by a DC are logged together with the context of the cell. An average context can then be calculated for antigens of identical value or structure (antigen type): the fraction of mature contexts per antigen type forms the MCAV coefficient. The nearer an MCAV is to 1, the more likely the antigen is anomalous, as it was repeatedly collected in a context with high values of danger signals and PAMPs. The larger the number of antigen presented per type, the greater the confidence in the accuracy of the MCAV, as a result of the increased antigen sample size [17].

5. THE PROPOSED AISD SYSTEM

The AISD system is capable of detecting the launcher of the SYN flooding attack, the invader machine, among the other hosts in the network by monitoring the behavior of the attacker machine, of the other machines in the network, and the common behavior of the network segment. These changes are observed by means of predefined host and network attributes related to the specified attack. This is as in the danger theory, where a self cell may become dangerous and cause damage in the tissue. The same scenario may be produced by an insider intruder, a legitimate user of the system who uses it in an unauthorized manner. In the natural immune system the harmful self cell is suppressed during both the detection and the response process. Several components participate in these processes, such as B-cells, T-cells and DCs, but DCs have the main role, by monitoring the cells in the tissue and observing abnormalities in them.

5.1. System Design

The AISD system consists of two parts, corresponding to the two parts or segments of the DCA, DCA-1 and DCA-2. Fig. 4 illustrates the modules of the AISD system, their distribution and their relationships from a high-level view.

5.1.1. module1_DCA

This module is based on the part DCA-1. It is replicated and distributed among all hosts in the monitored network segment; these modules can be considered static, low-level agents of the overall AISD system. The module1_DCA monitors the behavior of the host it is responsible for and some general properties of the network segment, and does all of this in the background. It executes all the instructions of the DCA-1 part of the algorithm; at the end it produces the context values for the host under its control and sends them, together with the antigen ID, to the analysis center, DCA-2.

5.1.2. module2_DCA

This module is considered the lymph node of the network segment and is placed on the central host in the network. The module2_DCA receives the data sent to it and analyzes them to detect the intrusive host. It executes all the instructions of the DCA-2 part of the algorithm; at the end it produces the MCAV values per antigen type. Based on the MCAV values, the module2_DCA can discriminate the anomalous host from the other hosts in the network.

5.2. Signals

The designed DCA-based system needs correct and appropriate data selection from the problem domain for its input space, involving both signals and antigens. Signals map the state of the hosts in the network and the general behavior of the network. Three signal categories are used to define the state of the host system, PAMPs, DSs (danger signals) and SSs (safe signals), plus one further input signal, IS (inflammatory signal), which represents the state of network stress. These signals are collected using a sniffing procedure in the module1_DCA. The raw signals are derived from pre-selected attributes of the network interface card (NIC) and then normalized into the input signals. The normalized signals are in the range 0-100 for the PAMP and DS, with the SS having a reduced range, and the IS is a binary value. According to the descriptions of the four input signals of the module1_DCA (the DCA-1 part of the algorithm), the following signals are selected from the problem domain, the SYN flooding attack:

PAMP signal: obtained from data sources that indicate the existence of a SYN flooding attack from a host.
DS signal: derived from properties that indicate changes in the host's behavior. Low values of this signal may not be anomalous.
SS signal: also derived from changes in the host's behavior, but high levels of this signal show that the changes have little influence.
IS signal: a simplified binary signal that indicates the disturbance status of the network segment.

Figure 4. Modules of the AISD System

The module1_DCA receives normalized input signals after the signal derivation and attribute selection processes. During the different experiments carried out, and from the description of the problem above, it has been observed that the SYN flood attack generates notable changes in the behavior of the host it is launched from and in the general behavior of the network. The derivation of the four signals is as follows:

PAMP signal: derived by referring back to Fig. 1 and 2; during the attack there is a notable change in the rates of outgoing SYN and ACK packets. But absolute dependence on this variance would be ineffective, because the attacker can easily defeat the intrusion detection system by simultaneously sending out ACK packets from the host. Therefore another attribute is used: the difference between the rate of outgoing SYN packets and the rate of incoming SYN/ACK packets.
DS signal: derived from the property that the number of outgoing SYN packets from the attacker increases.
SS signal: derived from the fact that the average size of the outgoing packets from the attacker host decreases to 40 bytes during a limited time window. This signal plays a remarkable role in reducing false alarms in the intrusion detection process.
IS (inflammatory) signal: a binary signal indicating the presence of a state of disturbance in the network.

The signals are normalized after selection and then passed to the module1_DCA. A step function is used to obtain the final signal values. The normalization range is between 0 and 100.
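The four derivations above, written out as a runnable Python example (added here; it is not the paper's C# code). It takes the per-window counters a sniffer would accumulate for one host and maps them to PAMP, DS, SS and IS with step functions. The paper states only that a step function is used, that PAMP and DS lie in 0-100, that SS has a reduced range and that IS is binary; the breakpoints, the 0-50 range chosen for SS, the direction of the SS mapping (larger mean packet size is treated as safer) and the two sample windows are assumptions made for illustration.

```python
from dataclasses import dataclass

# Added example (not the paper's code): derive and normalize the four DCA
# input signals of Section 5.2 from per-window NIC counters for one host.
# Breakpoints and the SS range are assumptions; the paper fixes only the
# attributes, the step-function normalization and the 0-100 range.


@dataclass
class WindowStats:
    """Counters a sniffer accumulates for one host over one time window."""
    out_syn: int          # SYN packets sent by the host
    in_synack: int        # SYN/ACK packets received by the host
    avg_out_size: float   # mean size in bytes of packets sent by the host
    net_disturbed: bool   # segment-wide stress indicator


def step(value, breakpoints):
    """Step function: breakpoints is an ascending list of (threshold, level);
    returns the level of the highest threshold that value reaches, else 0."""
    out = 0
    for threshold, level in breakpoints:
        if value >= threshold:
            out = level
    return out


def pamp_signal(w: WindowStats) -> int:
    # Outgoing SYNs that never got a SYN/ACK back. Using this gap rather than
    # the ACK rate means ACKs the attacker sends itself do not mask the flood.
    unanswered = max(w.out_syn - w.in_synack, 0)
    return step(unanswered, [(5, 25), (20, 50), (50, 75), (100, 100)])


def danger_signal(w: WindowStats) -> int:
    # Raw outgoing SYN count: a flooding host drives it up, but a busy
    # legitimate client also raises it, so low values are not anomalous.
    return step(w.out_syn, [(10, 20), (30, 40), (60, 60), (100, 80), (200, 100)])


def safe_signal(w: WindowStats) -> int:
    # Header-only floods pull the mean outgoing size down to 40 bytes
    # (20 B IPv4 + 20 B TCP). Normal traffic carries payload, so a larger mean
    # size is safe. Reduced range 0-50, as the paper says SS has a smaller range.
    return step(w.avg_out_size, [(41, 10), (80, 25), (200, 40), (500, 50)])


def inflammation_signal(w: WindowStats) -> int:
    return 1 if w.net_disturbed else 0


def derive_signals(w: WindowStats) -> dict:
    """Normalized input vector for module1_DCA: PAMP, DS, SS and binary IS."""
    return {
        "PAMP": pamp_signal(w),
        "DS": danger_signal(w),
        "SS": safe_signal(w),
        "IS": inflammation_signal(w),
    }


# Constructed windows: a flooding host and an ordinary web client.
FLOODER = WindowStats(out_syn=150, in_synack=3, avg_out_size=40.0, net_disturbed=True)
CLIENT = WindowStats(out_syn=6, in_synack=6, avg_out_size=310.0, net_disturbed=False)

if __name__ == "__main__":
    print("flooder:", derive_signals(FLOODER))
    print("client: ", derive_signals(CLIENT))
```

Note that the client window produces PAMP 0 and DS 0 but SS 40: it is the safe signal, not the absence of danger, that keeps a chatty but legitimate host from being pushed toward the mature context, which is the false-alarm reduction the paper attributes to SS.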

5.3. Antigens

The intrusion detection process would be incomplete using only the four signals; the module1_DCA needs other data, the antigen names, to be correlated with the signals as the suspicious data. Antigen names are allocated to each host in the network segment and are expressed by the IP addresses of the hosts. These antigen names are used in the analysis stage in the lymph node of the network segment, the central analysis host. This stage involves the calculation of the anomaly coefficient per antigen type, the MCAV value, which lies in the range zero to one; the closer the value is to one, the more likely the antigen type is anomalous.
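Algorithms 1 and 2 of Section 4.2, the two AISD modules of Section 5.1 and the IP-address antigens of Section 5.3, put together as one runnable Python example (added here; it is not the paper's C# implementation). Each host's module1_DCA runs its own cell population, sampling that host's own IP as antigen against that host's normalized signals, and module2_DCA pools the reports and computes the MCAV of Algorithm 2 using the Table 1 weights. The page cites Equation (1) without reproducing it; the signal-processing sum used here, (Pw*P + Dw*D + Sw*S) * (1 + I), is the generic DCA form and is an assumption, as are the migration-threshold range, the constructed signal streams, the addresses and the 0.5 MCAV cutoff.

```python
import random
from collections import defaultdict

# Added example (not the paper's implementation): DCA-1 cell population
# (Algorithm 1) per host, feeding a DCA-2 MCAV analysis (Algorithm 2), with
# the Table 1 weights. ASSUMPTION: the page refers to Equation (1) without
# reproducing it; the sum (Wp*P + Wd*D + Ws*S) * (1 + I) is the generic DCA
# form. Threshold range, streams and cutoff are chosen for illustration.

WEIGHTS = {               # Table 1: (PAMP, DS, SS) weights per output signal
    "csm":  (2, 1, 2),
    "semi": (0, 0, 3),
    "mat":  (2, 1, -3),
}


def interim_output(weights, signals):
    """One evaluation of the signal-processing sum for one output signal."""
    wp, wd, ws = weights
    return (wp * signals["PAMP"] + wd * signals["DS"] + ws * signals["SS"]) * (1 + signals["IS"])


class DendriticCell:
    """Algorithm 1 (DCA-1): sample antigen and signals until cumulative CSM
    reaches this cell's migration threshold, then present (antigen, context)."""

    def __init__(self, migration_threshold):
        self.threshold = migration_threshold
        self.antigens = []
        self.cumulative = {"csm": 0.0, "semi": 0.0, "mat": 0.0}

    def sample(self, antigen, signals):
        self.antigens.append(antigen)
        for name, w in WEIGHTS.items():
            self.cumulative[name] += interim_output(w, signals)
        return self.cumulative["csm"] >= self.threshold   # True: migrate now

    def migrate(self):
        context = 0 if self.cumulative["semi"] > self.cumulative["mat"] else 1
        return [(ag, context) for ag in self.antigens]


def run_module1(host_ip, signal_stream, population_size=10,
                threshold_range=(100, 600), seed=1):
    """module1_DCA on one host: every window's signals are sampled by all
    cells, each collecting the host's own IP as antigen. A migrated cell is
    replaced by a fresh one with its own random threshold (static population)."""
    rng = random.Random(seed)

    def new_cell():
        return DendriticCell(rng.uniform(*threshold_range))

    cells = [new_cell() for _ in range(population_size)]
    presented = []
    for signals in signal_stream:
        for i, cell in enumerate(cells):
            if cell.sample(host_ip, signals):
                presented.extend(cell.migrate())
                cells[i] = new_cell()
    for cell in cells:                  # flush cells still sampling at the end
        if cell.antigens:
            presented.extend(cell.migrate())
    return presented


def run_module2(reports):
    """module2_DCA (Algorithm 2): MCAV = mature contexts / total contexts
    per antigen type, i.e. per host IP."""
    total, mature = defaultdict(int), defaultdict(int)
    for antigen, context in reports:
        total[antigen] += 1
        mature[antigen] += context
    return {ag: mature[ag] / total[ag] for ag in total}


# Constructed per-window signal vectors (values in the Section 5.2 ranges).
ATTACK = {"PAMP": 100, "DS": 80, "SS": 0, "IS": 1}
NORMAL = {"PAMP": 0, "DS": 10, "SS": 40, "IS": 0}
SPIKE = {"PAMP": 25, "DS": 40, "SS": 25, "IS": 0}   # brief legitimate burst
ATTACKER_STREAM = [NORMAL] * 5 + [ATTACK] * 35      # 10.0.0.5 starts flooding
IDLE_STREAM = [NORMAL] * 18 + [SPIKE] + [NORMAL] * 20 + [SPIKE]


def detect(cutoff=0.5):
    """Pool both hosts' reports and name the hosts whose MCAV reaches cutoff."""
    reports = run_module1("10.0.0.5", ATTACKER_STREAM)
    reports += run_module1("10.0.0.9", IDLE_STREAM, seed=2)
    mcav = run_module2(reports)
    return mcav, sorted(ag for ag, v in mcav.items() if v >= cutoff)


if __name__ == "__main__":
    mcav, hosts = detect()
    print(mcav)
    print("anomalous hosts:", hosts)
```

Two details carry the design point. First, the few normal windows before the flood starts give some early antigen copies a semi-mature (0) context, so the attacker's MCAV is high but below 1.0; the cutoff, not an exact value, decides. Second, the idle host's short bursts never flip a cell to mature because the safe-signal weight of -3 in the "mat" row outweighs the modest PAMP and DS contributions, which is what keeps it tolerant of the other hosts as the paper requires.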


6. IMPLEMENTING THE AISD SYSTEM

For the implementation stage the AISD system was programmed in C# 2008 with the .NET Framework version 3.5, using both Winsock and multithreading. The experimental data are network flow data captured online from the Network Interface Cards (NICs). The overall system architecture is implemented in a client/server model: the module2_DCA on the central analysis host is implemented as the server, and the module1_DCA modules on the remaining hosts as clients.

6.1. Implementing Module module1_DCA

This module is implemented as a client, placed on the NIC component of the host, and has three submodules:

Packet Sniffer: this submodule reads all packets passing through the NIC card after putting it in promiscuous mode.

Signal Generator and Normalizer: this submodule periodically computes, derives and normalizes the input signals to the module1_DCA. The prepared signals are logged in a temporary storage table called the Tissue Signals Table (TST). The prepared signals remain in this table in order to be used by the population of DC cells.

Main module, population of DC cells: the previous two stages are regarded as the preparation for the work of this stage. The instructions of the DCA-1 part of the DCA algorithm are followed here. The outcomes of this submodule are antigen names, which are host IP addresses, and the context values of the DC cells, passed to the analysis center in the system's central host.

6.2. Implementing Module module2_DCA

This module implements the second part of the DCA algorithm, DCA-2, and is programmed in multithreaded server mode. The module continuously receives context values and antigen names and appends them to a table named the Ag-Context Table (ACT). Simultaneously, the module computes the MCAV values for the hosts involved in the network segment.

7. EXPERIMENTS

The aim of these experiments is to test the efficiency and suitability of the designed AISD system in the intrusion detection process for internal intrusion incidents. To carry out the experiments, some preparations and configurations are required to build an adequate environment.

7.1. Network Design and Configuration

All experiments are performed in a hypothetical, experimental laboratory network that mimics the global network, the Internet. The system was designed, implemented and then tested under Microsoft Windows operating systems with the IPv4 TCP/IP protocol suite, running under Windows XP SP2. The attacker host, which is placed in a Local Area Network (LAN), targets the victim host, which is a web server on the presumed Internet or an internal server. The system modules have been distributed beforehand on the hosts of the LAN. The defined victim host, the web server, runs on Windows Server 2000. The exposed service is the Apache HTTP Server, which hosts web sites on the victim machine.

7.2. Experimenting Scenario

The designed system was tested in online mode. The experiments follow this scenario:

After configuring all hosts and properly distributing the system modules among them, the designed network is turned on. The hosts in the internal network segment start their normal usage of the TCP service on the web server by browsing the sites hosted on it. In the meantime the AISD system modules are running on the network hosts. The module2_DCA is put in the central analysis host, and the module1_DCA is put in the rest of the hosts, including the infected host, the invader host.

During this, the invader host starts its SYN flood attack against the victim machine, the web server; it can take up to 10 minutes, or as long as the attacker wants. At that time the module1_DCA, which implements a population of cells receiving its input signals from the NIC card of the host, monitors the host's behavior. The main property of the packets sent to the victim host is that the source IP addresses are faked and unreachable, and may take one of the following forms:

a) A faked, unknown and unreachable IP address in the network,

b) An actual and known IP address in the network which is, however, unreachable during the occurrence of the attack,

c) An actual, known and reachable IP address in the network which is, however, not the real IP address of the attacker host.

The choice of the type of source IP address is not significant to the attacker, because the outcome of the flooding attack is the same: the victim host will never complete the 3-way handshake process.


The rest of the hosts use the TCP service on the web server legitimately, meaning the packets they send carry their correct source IP addresses.

During this, the modules of the designed system do their predetermined job. The modules of type module1_DCA monitor the behavior of their assigned hosts and the common status of the network, then send the antigen names and context values to the module2_DCA, the analyzer center. The module2_DCA periodically analyzes the data received from the hosts, within 60 seconds.

Finally, the MCAV values are calculated per antigen type (host) by the module2_DCA. The host with the MCAV value closest to 1 is the host most likely to be anomalous among the other hosts, since its antigen was frequently collected in a context with high values (concentrations) of the PAMP and DS signals. Finally, the attacker host is identified and declared by a notification alarm.

7.3. Results of Experiments

The AISD system has been passed through two series of experiments following the scenario above. The first series was to verify the precise usage of the two parts of the DCA algorithm, DCA-1 and DCA-2, by selecting the most accurate attributes of host and network behavior and passing them to the algorithm as input signals. The second series was for testing the capabilities of the system in detecting the handled problem, by obtaining accurate results in the intrusion detection process and avoiding the generation of false alarms in the system.

7.3.1. Testing precision of system inputs

The aim of these experiments is to change the mapping of input signals to the algorithm in order to evaluate the validity of the selected mapping. Different experiments were performed, such as exchanging and swapping the PAMP and SS signals, to find the mapping for which the system response has the lowest rate of false alarms. Table 2 shows the performed swapping of input signals to the algorithm and the ratio of observed true alarms per experiment.

The experiments showed that the first, selected mapping of signals is the most accurate for getting the lowest ratio of false alarms from the designed intrusion detection system. Nevertheless, there is no large loss of detection accuracy in Exp.2, in which the PAMP and DS signals are swapped, compared to the third experiment (Exp.3), because both signals have the same effect on the DC cell population. In contrast, swapping the PAMP and SS signals in Exp.3 led to low performance of the system, because of the different processing they receive in the signal processing function of the algorithm.
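The following is an added example, not code from the paper or from the AISD implementation. It ties together the MCAV derivation of Section 5.3, the DCA-1 and DCA-2 modules of Section 6, and the input swapping of this subsection: a small Python sketch of a per-host dendritic cell population that turns normalized signals (0 to 100) into (antigen, context) rows, an Ag-Context Table reduced to an MCAV per host IP, and a swap helper that reproduces the mappings of Table 2. The host addresses, signal samples, migration thresholds and signal weights are assumptions (the weights follow the published DCA of Greensmith et al. rather than anything stated in this paper), and treating the inflammatory signal as a multiplier of the other signals is also an assumption.

```python
"""Added example (not the paper's own code): a compact DCA-1 / DCA-2 pipeline
in the shape of the AISD design. module1_DCA side: a small population of
dendritic cells per host consumes normalized signals (0..100) and emits
(antigen, context) rows, the antigen being the host IP. module2_DCA side:
the Ag-Context Table is reduced to an MCAV per host.
All hosts, signal values, thresholds and weights below are constructed."""
from collections import defaultdict

# Assumed DCA weights (published DCA, not this paper). Columns: PAMP, DS, SS.
WEIGHTS = {
    "csm": (2, 1, 2),      # co-stimulatory molecules: drives migration
    "semi": (0, 0, 3),     # semi-mature output: only the safe signal adds to it
    "mature": (2, 1, -3),  # mature output: PAMP and DS add, safe signal suppresses
}


def normalize(value, max_value):
    """Map a raw measurement onto the paper's 0..100 signal range, clamped."""
    if max_value <= 0:
        return 0.0
    return max(0.0, min(100.0, 100.0 * value / max_value))


def _weighted(weights, signals):
    return sum(w * s for w, s in zip(weights, signals))


class DendriticCell:
    """One cell of the module1_DCA population."""

    def __init__(self, migration_threshold):
        self.threshold = migration_threshold
        self.reset()

    def reset(self):
        self.csm = self.semi = self.mature = 0.0

    def update(self, pamp, ds, ss, inflammatory=False):
        """One tissue sampling step; returns True when the cell should migrate.
        The inflammatory signal doubles the other signals (assumption)."""
        mult = 2 if inflammatory else 1
        sig = (pamp, ds, ss)
        self.csm += mult * _weighted(WEIGHTS["csm"], sig)
        self.semi += mult * _weighted(WEIGHTS["semi"], sig)
        self.mature += mult * _weighted(WEIGHTS["mature"], sig)
        return self.csm >= self.threshold

    def context(self):
        """1 = mature (danger) context, 0 = semi-mature (safe) context."""
        return 1 if self.mature > self.semi else 0


def run_dca1(antigen, samples, n_cells=5, base_threshold=250.0):
    """DCA-1 for one host; each sample is (pamp, ds, ss, inflammatory).
    Returns the (antigen, context) rows the host sends to module2_DCA."""
    # Staggered thresholds so the cells do not all migrate in lock-step.
    cells = [DendriticCell(base_threshold * (1 + 0.2 * i)) for i in range(n_cells)]
    rows = []
    for pamp, ds, ss, inflam in samples:
        for cell in cells:
            if cell.update(pamp, ds, ss, inflam):
                rows.append((antigen, cell.context()))
                cell.reset()
    return rows


def compute_mcav(act_rows):
    """DCA-2 (module2_DCA): mature context antigen value per antigen."""
    mature = defaultdict(int)
    total = defaultdict(int)
    for antigen, ctx in act_rows:
        total[antigen] += 1
        mature[antigen] += ctx
    return {ag: mature[ag] / total[ag] for ag in total}


def swap_inputs(samples, a, b):
    """Re-map algorithm inputs as in Table 2 (indices: 0=PAMP, 1=DS, 2=SS)."""
    out = []
    for s in samples:
        s = list(s)
        s[a], s[b] = s[b], s[a]
        out.append(tuple(s))
    return out


# Constructed per-second samples: raw counts (half-open connections, SYN rate,
# completed handshakes) and the maxima they are normalized against are assumed.
NORMAL = [(normalize(1, 50), normalize(5, 100), normalize(40, 50), False)] * 10
FLOOD = [(normalize(45, 50), normalize(80, 100), normalize(5, 50), True)] * 10


def experiment(swap=None):
    """Run both hosts through DCA-1 and DCA-2 with an optional input swap."""
    normal, flood = NORMAL, FLOOD
    if swap:
        normal, flood = swap_inputs(normal, *swap), swap_inputs(flood, *swap)
    act = run_dca1("192.0.2.10", normal) + run_dca1("192.0.2.20", flood)
    return compute_mcav(act)


if __name__ == "__main__":
    print("selected mapping:", experiment())
    print("PAMP<->DS swapped:", experiment(swap=(0, 1)))
    print("PAMP<->SS swapped:", experiment(swap=(0, 2)))
```

With these constructed inputs the selected mapping gives the flooding host an MCAV of 1.0 and the normal host 0.0. Swapping PAMP and DS leaves that unchanged, because both feed the mature output with the same sign, whereas swapping PAMP and SS inverts the result and flags the normal host instead, which is the mechanism behind the drop in true alarms reported for Exp.3.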

7.3.2. Testing detection accuracy of the system

After selecting the proper and adequate system inputs from the experiments that followed the scenario above, the detection of the invader host is done by the module2_DCA once the first cycle of the analysis process, which takes 60 seconds after the start of the attack, has ended.

The adopted response mechanism comprises sending a command message from the module2_DCA, which exists in the central host of the network segment, to the static agent module1_DCA that exists in the invader host, to reset that host or to turn it off; the module1_DCA carries out the command after receiving it.

The module2_DCA also shows a detection report for the intrusion detection process in the network after performing the response process. The detection report includes the detection time, the faked IP address used by the attacker host, the anomaly coefficient (MCAV value) of the host and the selected response type. Table 3 shows the anomaly detection values in the five experiments.

Table 3 shows the MCAV values for two hosts in the network. Comp1 has normal behavior with the web server. Comp2 has abnormal behavior with the web server, and is the attacker host in the network segment.

The larger MCAV values of Comp2 indicate that the context values sent by the module1_DCA in Comp2 to the module2_DCA contained the value 1 more often than 0, unlike the values sent by the module1_DCA in Comp1 to the module2_DCA, which contained the value 0 more often than 1 during a single analysis cycle. That means the behavior of the host Comp2 was anomalous compared with the behavior of the other hosts during the attack.

This information is also displayed in Fig. 5, which shows the ability of the proposed DCA-based system to discriminate between abnormal and normal hosts in the internal network. The MCAV values for Comp2 are higher than those of Comp1 in all experiments; hence the system is tolerant of the Comp1 host.

Table 2. Swapping The Inputs Of The Algorithm

Experiment   PAMP Input Signal   Danger Input Signal   Safe Input Signal   True Alarms Ratio
Exp.1        PS                  DS                    SS                  100%
Exp.2        DS                  PS                    SS                  80%
Exp.3        SS                  DS                    PS                  40%


Table 3. MCAV, Anomaly Values In Experiments

Experiment   Comp2 (attacker) MCAV   Comp1 (normal) MCAV
Exp.1        0.833                   0.333
Exp.2        0.500                   0.166
Exp.3        1.000                   0.500
Exp.4        0.667                   0.166
Exp.5        1.000                   0.333

Figure 5. MCAV Values For Comp1 And Comp2 Hosts Per Experiments

8. CONCLUSIONS

In this paper, we have applied the DCA to the detection of a TCP SYN flooding attack. The paper describes the selected problem and the designed system, AISD, which detects the generator of the attack. The AISD system utilizes some behaviors of the hosts and the general behavior of the network segment.

The components of the AISD system are replicated and distributed among the hosts in the network segment, together with the central analysis module. The experimental results showed that AISD is sensitive to the SYN flooding attack and has the capability of discriminating between normal and abnormal behavior of hosts in an internal network. Additionally, the selected mapping of inputs was tested against other mapping types, has the highest true alarm ratio, and has a significant effect on the results of the intrusion detection process.

Testing the performance of the system has shown that it has several characteristics: in-time detection and active response to the generator of the attack. It can also detect the abuse of authorized users' privileges with their hosts in the network segment. The system is also scalable, in that it accepts any newly added hosts in the network, and lightweight, in that it works in listening mode.

ACKNOWLEDGMENT

The authors gratefully acknowledge the Department of Computer Science in the College of Computer Science and Mathematics at the University of Mosul for encouraging and supporting this work with their facilities. The authors also would like to thank Dr. Omar Al-Dabbagh, Ali Husain and Zaid Abd-Alilah for their useful comments, suggestions and directives.
