• DocumentCode
    2664235
  • Title

    Integrating Innate and Adaptive Immunity for Worm Detection

  • Author

    Zhang, Junmin ; Liang, Yiwen

  • Author_Institution
    Sch. of Comput. Sci., Wuhan Univ., Wuhan, China
  • fYear
    2008
  • fDate
    10-12 Dec. 2008
  • Firstpage
    645
  • Lastpage
    650
  • Abstract
    Most existing worm detection methods have a number of significant hurdles to overcome in order to employ such actions as blocking unsecure ports, dropping potentially threatening packets, eliminating emails carrying malicious code, and breaking communication between infected and non-infected hosts to slow down worm propagation and minimize potential damage. The most noteworthy obstacle is the high false positive rate. A recently developed hypothesis in immunology, the danger theory, states that our immune system responds to the presence of intruders by sensing molecules belonging to those invaders, plus signals generated by the host indicating danger and damage. Inspired by the theory, the paper proposes an artificial immune model for worm detection. The model considers the cooperation of dendritic cells (DCs) in the innate immune system and T cells in the adaptive immune system, in which system calls comprising a process generated can be viewed as antigens and the corresponding behavioral information of the system and network can be viewed as signals. The theoretical analysis shows that the dual detection method, in which DCs detect the behavioral information caused by antigens and T cells detect the antigens, can decrease the false positive rate, and that the model has a fast secondary response to reinfection by the same or a similar worm.
  • Keywords
    Internet; artificial immune systems; invasive software; adaptive immune system; antigens; artificial immune model; behavioral information detection; danger theory; dendritic cells; emails carrying malicious codes elimination; immunology; innate immune system; potential damage minimization; potentially threatening packets dropping; unsecure ports blocking; worm detection; worm propagation; Adaptive systems; Computer networks; Computer science; Computer worms; Distributed control; Event detection; Immune system; Intrusion detection; Signal generators; Signal processing; Dendritic cells (DCs); T cells; danger theory; negative selection; worm detection;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Computational Intelligence for Modelling Control & Automation, 2008 International Conference on
  • Conference_Location
    Vienna
  • Print_ISBN
    978-0-7695-3514-2
  • Type

    conf

  • DOI
    10.1109/CIMCA.2008.75
  • Filename
    5172701