Journal of Information Security and Applications 35 (2017) 138–159
Applications of artificial immune systems to computer security: A survey
Diogo A.B. Fernandes∗, Mário M. Freire, Paulo A.P. Fazendeiro, Pedro R.M. Inácio
Instituto de Telecomunicações, Department of Computer Science, University of Beira Interior, Rua Marquês d’Ávila e Bolama, 6201-001 Covilhã, Portugal
Article info
Article history:
Keywords: Artificial immune systems; Nature-inspired computing; Security; Survey
Abstract
For the last two decades, artificial immune systems have been studied in various fields of knowledge. They
were shown to be particularly effective tools at detecting anomalous behavior in the security domain of
computer systems. This article introduces the principles of artificial immune systems and surveys several
works applying such systems to computer security problems. The works herein discussed are summarized
and open issues are pointed out afterwards, elaborating on a novel applicability of these systems to cloud
computing environments.
© 2017 Elsevier Ltd. All rights reserved.
1. Introduction
Nature has crafty ways to solve problems. The knowledge
retrieved from its observation has been a source of inspiration
for computer scientists throughout the years, who aim to derive
solutions for problems that may be otherwise hard or impossible
to solve with other methods, possibly having higher computational
complexity. In the cases where analytic expressions are
not available, nature-inspired computing may be able to find sub-optimal
solutions efficiently. Nature-inspired algorithms abstract
the phenomena found in the wild and are subject to evolutionary
steps or computing layers in order to converge to a solution.
Examples include Ant Colony Optimization (ACO), Particle Swarm
Optimization (PSO), Artificial Neural Networks (ANNs) and Artificial
Immune Systems (AISs).
AISs abstract many theories of the biological immune system,
which is not fully understood to this date. The immune system
has the responsibility of protecting the body from foreign and
potentially dangerous microorganisms called pathogens. To fight
them off, the immune system has developed the innate and the
adaptive immune subsystems. The translation of the immune
system to the computing realm seems to be contextually correct
and particularly suited for security purposes. The seminal works
of Forrest et al. [1] and Kephart [2], in 1994, for the detection of
malware underline that view.
∗ Corresponding author.
E-mail addresses: dfernandes@penhas.di.ubi, diogoabfernandes@gmail.com (D.A.B. Fernandes), mario@di.ubi.pt (M.M. Freire), pandre@di.ubi.pt (P.A.P. Fazendeiro), inacio@di.ubi.pt (P.R.M. Inácio).
One of the best things about the immune system is that it is
capable of distributively detecting a vast number of unknown patterns
using limited body resources. The ability to retain memory is
also a key feature of the immune system, allowing faster responses
to be triggered for pathogens that it has encountered before. This
behavior has distinct applications in computer security, specifically
in the detection of anomalies in networks or computers. AISs
are modeled with positive or negative samples so that nonself
(anomalous object(s)) is distinguished from self, the set characterizing
normalcy of the monitored system. Research on information
and network security, particularly with the purpose of detecting
security incidents, can be broken up according to different criteria.
For example, one can consider deployment, purpose or scope
of security solutions for such classification. For deployment and
scope, systems built either for hosts, networks or applications can
be characterized under distinct topics. Fig. 1 depicts five of those
topics, namely malicious process detection, anomaly detection,
intrusion detection, scan and flood detection, and fraud detection.
Whereas the detection of malicious processes is done at the host
level, detection of intrusions, scans or floods is a problem addressed
at network points. Studies under fraud detection analyze
subjects such as spam and phishing, thereby conveying the
broader meaning of the art of deception. Anomaly detection refers
to more generic works that attempt to provide all-in-one, agnostic
solutions for the detection of abnormality. The topics illustrated
in Fig. 1 are later used for organizing this survey on AISs in
Section 5. These topics cover the subjects of the related works
while segregating them in a consistent manner.
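The self/nonself distinction described above can be made concrete with a small negative-selection detector, added here as an illustration and not taken from the article: candidate detectors are kept only if they match no self sample, and any sample matched by a surviving detector is flagged as nonself. The alphabet, window length, r-contiguous matching rule and sample strings are constructed assumptions; candidates are enumerated exhaustively rather than drawn at random so the result is reproducible.

```python
from itertools import product

ALPHABET = "ABCD"  # constructed symbols standing in for observed event types
WINDOW = 6         # length of each monitored window (assumption)
R = 4              # detector fires on >= R contiguous agreeing positions

# Constructed "self" set: windows that characterize normal behavior.
SELF = ["ABCABC", "BCABCA", "CABCAB", "ABCABD"]


def matches(detector, sample, r=R):
    """r-contiguous rule: True if both strings agree on r positions in a row."""
    run = 0
    for d, s in zip(detector, sample):
        run = run + 1 if d == s else 0
        if run >= r:
            return True
    return False


def train_detectors(self_set, r=R):
    """Negative selection: discard every candidate that matches a self sample."""
    detectors = []
    for symbols in product(ALPHABET, repeat=WINDOW):
        candidate = "".join(symbols)
        if not any(matches(candidate, s, r) for s in self_set):
            detectors.append(candidate)
    return detectors


def is_nonself(sample, detectors, r=R):
    """A sample is anomalous if any surviving detector matches it."""
    return any(matches(d, sample, r) for d in detectors)


DETECTORS = train_detectors(SELF)

if __name__ == "__main__":
    # Last two samples are constructed anomalies: one deviates from self in a
    # single symbol, the other is entirely unlike anything seen in training.
    for sample in SELF + ["ABCABA", "DDDDDD"]:
        verdict = "nonself" if is_nonself(sample, DETECTORS) else "self"
        print(sample, verdict)
```

Because detectors are censored against the self set with a symmetric matching rule, no self sample can ever be flagged; coverage of nonself depends on the window length and on R.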
Various works [3–13] published over time have reviewed
the field of AISs to some extent, elaborating on the theory
behind AIS algorithms or gathering works on a specific topic. The
goal of this article is to give an introductory view on the subject
and systematically review many of the works available in the
literature, considering the identification of future guidelines in the
http://dx.doi.org/10.1016/j.jisa.2017.06.007