An Innate Immune System for the Protection of Computer Networks

Anastasia Pagnoni 1, Andrea Visconti 1

1 Department of Computer Science and Communication – University of Milan, Italy
pagnoni@dico.unimi.it, visconti@dico.unimi.it

Abstract. This paper presents the design, implementation, and testing of NAIS, an artificial immune system for the protection of computer networks. Inspired by the biological innate immune system, NAIS consists of a collection of digital macrophages that scan the network for dangerous non-self processes and kill them. NAIS is based on the observation that all significant network attacks are preceded by preparatory small-scale intrusions meant to gather the necessary information – information on servers and operating systems, logins, weak passwords, ill-installed or poorly maintained services, etc. This information is used to bypass the network's defense barriers – access controls, firewalls – and to gain access to the machine before it is attacked. Such preparatory intrusions do not generate new processes; the subsequent, actual intrusion, however, will. Such processes will be recognized as non-self by the digital macrophages run by NAIS and killed right away, thus defusing the attack. Telling illegal new processes from legal ones is a difficult matter, and amounts to providing a strong definition of non-self process. Our testing of NAIS proved our definition to be quite effective in protecting networks of one-service computers.

1 Introduction

A number of authors [1,8] have suggested biological immune systems as a new, promising paradigm for the design of powerful computer security systems [6,4,7,5], and several different, very interesting approaches have been proposed [2,7,3]. This paper suggests a different, if complementary, approach: we suggest designing intrusion detection systems that are the technological equivalent of the innate immune system. As we shall see, this approach helps overcome some of the practical limitations [5,8].
Let us explain briefly. Biological immune systems draw up several lines of defense to protect living organisms from all kinds of potentially dangerous intruders. This defense system includes chemical and physical barriers – skin, mucus secretions, stomach pH, etc. – the innate, or native, immune system, and the acquired immune system. Computer networks also rely on several lines of defense to protect them against unwanted intrusions. Firewalls can be seen as the network equivalent of the skin, as they filter external access requests and block all connection attempts that violate certain criteria. Login policies correspond to physiological barriers, as they let regular users into the network while blocking access by outsiders.

Let us briefly summarize and compare the functioning of the innate and acquired immune systems. The working of both systems is based on their capability to recognize elementary components of the body they protect as either self – i.e., endogenous and innocuous – or non-self – i.e., exogenous and potentially pathogenic. The innate immune system is meant to protect the body from birth. Therefore, it attacks antigens right away, with no need for previous exposure to the pathogen; every antigen is non-self to the innate system. The acquired immune system works in a less straightforward, more complex way. It recognizes a smaller variety of pathogens, but kills more of them, because its attack response is antigen-specific. In time, with exposure to different antigens, the acquired immune system learns to identify different pathogens and to respond to each of them in a specific, and hence more effective, way. The response of the innate system is

63 Copyright © held by author/owner