Artificial immune systems in information security

Salute, Khabrovites! This month, Otus launches a new thread on the Machine Learning course. On the eve of the start of the course, we will share with you a small copyright material in which we will talk about artificial immune systems in information security.



Article author: Svetlana Konovalova







Artificial immune systems belong to a special area of ​​artificial intelligence - evolutionary computing. In simple terms, evolution and its principles of work, namely the formation of a population, the impact on it and, as a result, selection are to blame. Based on this mechanism, two types of algorithms were developed: evolutionary and algorithms based on artificial immune systems.



From a practical point of view, evolutionary algorithms work as follows: there are individuals, mutations and crosses are applied to them, then the most “survivable” individuals are selected (the fitness function helps here). And another area of ​​evolutionary computing, namely, artificial immune systems. The artificial immune system (IMS) is built on the basis of the human immune system and copies the mechanisms and processes in it.



The functioning of the IMS is a complex matter. Three theories exist to describe it:











Based on the theories of the functioning of IMS, several classes of algorithms have been created that successfully solve these problems using neural networks and machine learning. For example, artificial immune networks are used to solve the problems of data visualization and clustering. In general, artificial immune systems can be used for optimization, classification, and modeling of the search and pattern recognition system (anomalies).



In the field of IT, the area of ​​use of IMS related to information security is of particular interest. It was there that they gained their popularity and this turned out to be quite logical. Despite the fact that there are many differences between the work of a living organism and a computer system, the principle of operation of the IIS and its properties are maximally focused on solving the problem of detecting incidents in the field of information security.



In such systems, most often, functioning is based on two “pillars”: antigen and antibody. In this case, antigens will be network packets or system calls, and antibodies will be produced by IMS in response to specific antigens. Depending on the type of antigen, antibodies can be transmissive, blocking, or annihilating. Accordingly, the packet received on the device may be recognized by the IIS as malicious, in which case it will be deleted, and the reception of such packets will be blocked, or vice versa - safe, and then the packet will be quietly passed into the system.







There is another option for using IIS to ensure the security of an information system. He proceeds from the theory of clonal selection . It is clonal selection that explains how the immune system fights antigens. I will talk about this in terms of biology. When an antigen enters our body, it begins to spread and infect cells of the body with toxins. Cells that are able to recognize the antigen also begin to multiply and mutate in the process of reproduction. This mutation allows them to better match the recognized antigen. In this case, the main immune mechanisms here are the processing of a certain volume of antibodies, the removal of antibodies that do not recognize or recognize the worst antigen, the improvement of "recognition" (affinity), as well as the cyclical selection of antibody clones in accordance with their ability to recognize the antigen.



Now imagine that an antigen is a virus, a malicious package, or any other threat to your system (organism). The mechanisms that respond best to the threat are antibodies, and their mutation is learning. Many of the principles of artificial immune systems correlate well with the sphere of ensuring information security of computer systems.

The negative selection algorithm , which relates to the theory of negative selection, deserves special attention; a separate article can be written on this topic, so we will not consider it here. I can only say that its modifications are widely used at the stages of recognition of malicious packages, non-standard calls and other elements of suspicious system behavior.



Well, there were no three-story formulas and complex biological terms, only examples and analogies that were designed to help understand the basic principles of the functioning of artificial immune systems. I hope you got a general idea of ​​what it is and where they are applied, as well as become interested in the topic of IIS in order to study it more deeply.



That's all. We are waiting for everyone today at 20.00 in a free open webinar .



All Articles