Danger Theory and Multi-agents Applied for Addressing the Deny of Service Detection Problem in IEEE 802.11 Networks

Moisés Danziger, Marcelo Lacerda and Fernando B. de Lima Neto, Senior Member IEEE

Department of Computing and Systems - Polytechnic School of Pernambuco
University of Pernambuco, Recife-PE, Brazil.
E-mails: {md, mgpl, fbln}@dsc.upe.br

Abstract

Detecting denial of service (DoS) is a common and annoying network problem, but for the IEEE 802.11 standards it becomes even more troublesome. To address this issue, we introduce a new approach to promptly warn the user. The proposed detection algorithm combines the second generation of Artificial Immune Systems, Danger Theory and a Multi-Agent System. For the detection system, we used the dendritic cells algorithm, modified for IEEE 802.11 environments. Experimental results obtained in controlled setups show that the model can easily and effectively be applied to detecting DoS in IEEE 802.11 networks.

1. Introduction

Intrusion detection systems (IDS) are well known and are used for monitoring networks and guarding computers. They constitute a substantial part of any computer security architecture. However, they have limitations that can create vulnerabilities; the inability to detect new types of attacks is one example. Inspired by human biology and taking into consideration the similarities in protective abilities, artificial immune systems (AIS) were adapted to reduce the impact of new types of intrusion [1][2]. The negative selection algorithm (NSA) was one of the most used implementation models for detection, but it requires mapping what is self and non-self (SNS) in the system or network; this is not easy, especially regarding scalability and false positives [1]. In 2003, Aickelin et al. [2] proposed a new model of IDS based on the danger theory (DT) of Matzinger [3]. According to DT, the AIS is activated through the analysis of danger signals issued by dendritic cells (DC).
Based on DT, the SNS task is replaced by the analysis of the concentration of different signals from the environment to which the DCs were exposed. In biology, DCs act as the interface between the innate system and the adaptive system of AIS. The DCs are able to process different types of signals and produce their own signals in a process known as signal transduction. After processing, the DCs present the antigens (here, the source of the signals collected) so that the system can adapt to a given context. Then, according to the antigen context, the AIS can respond adequately to the problem by activating T-cells.

A modified version of AIS is also presented in this paper. We use a model adapted from the dendritic cells algorithm (DCA) developed by Greensmith [4]. The DCA is based on an abstract model of the behavior of DCs and has been successful in detecting anomalous scanning activities in networks [5][6].

The main difficulty in implementing a model based on DT is how to define, explore and sense danger. The majority of current danger models are still unable to deal with real network traffic [8]. In the literature there are some patterns of scan behavior used to create danger signals in networks [5]; patterns of danger for Bot detection are also available [7]. Most of the models developed using DT for detection are used in structured environments (i.e. cables). Conversely, in this paper we focus on the detection of denial of service (DoS) in IEEE 802.11 networks. This decision is motivated by the current extreme vulnerability found in this medium.

To verify the feasibility and capacity to function in a network model based on the IEEE 802.11 standard, we propose in this paper a hierarchical multi-agent AIS, based on DT, to carry out intrusion detection. Initially, two types of agents were used.
Each one of them has distinct functions, similar to those found in the model based on DT, namely, (i) detection by dendritic cells, (ii) innate response by memory T-cells, (iii) adaptive response by creating antibodies to unknown intruders and (iv) removal of cells to prevent instability of the