You are on page 1of 27

Artificial Immune Systems (AIS)


The Artificial Immune System Overview


NIS capabilities Generic AIS framework

Basic AIS algorithm

View models

Negative Selection Evolutionary Approaches


Selection models


The Artificial Immune System Overview(cont.)


Network based models

Artificial Immune Network (AINE) Self Stabilising AIS (SSAIS and SMAIN) aiNet


Theory Models

Adaptive Mailbox Intrusion Detection

The Artificial Immune System NIS capabilities

Needs to know structure of self/non-self cells Can distinguish between self and non-self Non-self can be sensed as dangerous/nondangerous Learn and adapt through cloning and mutation Build-up of memory Cooperation and co-stimulation among lymphocytes

Faster secondary response Network formation

The Artificial Immune System Generic AIS


detectors (artificial lymphocytes) to detect non-self patterns Needs repository of self and/or non-self patterns to train artificial lymphocytes (ALCs) Measure affinity

Memory ALC can

between ALC and pattern between two ALCs requires that ALCs and patterns have similar structure More diversity in search space

be cloned and mutated

The Artificial Immune System Basic AIS algorithm Initialize a set of ALCs as population B;
Determine the antigen patterns as training set A; while some stopping condition(s) not true do

for each antigen pattern aj A do

Select a subset of ALCs for exposure to aj, as population S B; for each ALC, bi S do end Select a subset of ALCs with the highest calculated antigen affinity as population H S; Adapt the ALCs in H with some selection method, based on the calculated antigen affinity and/or the network affinity among ALCs in H; Update the stimulation level of each ALC in H ;
Calculate the antigen affinity between aj and bi;



The Artificial Immune System Negative Selection


Determine size of ALC set While ALC set size not met


random ALC Measure affinity between the ALC and each pattern in self set If affinity higher (lower) than the affinity threshold


measured using r-continuous matching rule

Add to ALC set

The Artificial Immune System Negative Selection


matching rule

The Artificial Immune System Evolutionary Approaches


not randomly generated for screening ALCs are evolved towards non-self patterns


Maintain diversity and generality among ALCs Evolve ALC towards patterns of a class, further away from patterns of different classes Until most of non-self are detected ALC set represents specific class Repeat for other classes in the set

class problem


negative selection (GAIS) Each ALC has affinity threshold Hamming distance as affinity measure

The Artificial Immune System Evolutionary Approaches(cont.)

The Artificial Immune System CLONALG

Initialize a set of random ALCs (set C)

Subset of random ALC set as memory set M (size equal to number of patterns in training set), remainder for affinity maturation (set R)

Each pattern in training set

Affinity with all ALCs in C Select n of the ALCs with highest affinity as H Number of clones for each ALC in H proportional to calculated affinity Each clone mutated, mutation rate inversely proportional to affinity Affinity between mutated clone and training pattern is calculated Mutated ALC clone with highest affinity replace corresponding ALC in M if affinity with training is higher

Number of ALCs with lowest affinity replaced with randomly generated ALCs

Repeat until maximum number of generations reached

The Artificial Immune System MARIA


Free-antibody layer, B-Cell layer and Memory layer


interact to adapt and learn structure of antigen patterns Each layer has affinity and death thresholds Euclidean distance as affinity measure

The Artificial Immune System MARIA (cont.)

Antigen first enters free-antibody layer

Randomly presented to n free-antibodies Number of free-antibody bindings stored as nb If free-antibody binds, then remove from layer

Antigen then enters B-Cell layer

Randomly presented to each B-Cell until it binds to one of B-Cells

Mutated clone of B-Cell is generated if nb above stimulation threshold

(mutated clone added to B-Cell layer)

Activated B-Cell generates mutated clones as free-antibodies which are added to free-antibody layer

If antigen does not bind to any B-Cell then add antigen as B-Cell to B-Cell layer and generate mutated clones as free-antibodies

The Artificial Immune System MARIA (cont.)


with clone of activated B-Cell enter Memory layer

Memory cell with lowest affinity to activated B-Cell clone is selected

affinity higher than memory affinity threshold then add B-Cell clone as new memory cell If affinity lower than memory affinity threshold and affinity of B-Cell clone less than affinity of selected memory cell with antigen pattern, then replace memory cell with B-Cell clone

The Artificial Immune System AINE


(ARB) Resource limited environment ARB allocates resources ARB represents region of B-Cells AINE consists of

of Artificial Recognition Balls

Population of ARBs Links between ARBs Set of antigen patterns Clonal operations

The Artificial Immune System AINE (cont.)

Euclidean distance as affinity measure ARBs connected (linked) if affinity below Network Affinity Threshold (NAT) NAT influences number of ALC networks After each iteration of antigen set

Calculates stimulation level of each ARB calculated Number of resources allocated based on stimulation level Weakest ARBs (zero resources) removed from ARB population Mutated clones of remaining ARBs integrated into ARB population (re-linking with remaining ARBs)

The Artificial Immune System AINE (cont.)


of an ARB is defined as:

Antigen stimulation: sum of all antigen affinities (below NAT) Network stimulation: affinities with linked ARBs Network suppression: dissimilarity with linked ARBs


to set upper limit on resource pool SSAIS/SMAIN improves on AINE

The Artificial Immune System SSAIS and SMAIN

No shared pool of resources No limit on number of resources Resource of ARB with highest

stimulation is increased. ARBs with resource level lower than mortality threshold are picked from the population Stimulation of an ARB

Network suppression discarded Network stimulation: average of the summation of affinities with linked ARBs

The Artificial Immune System SSAIS and SMAIN (cont.)


levels of ARBs also geometrically decayed with certain rate ARB with highest stimulation level

Generates mutated clones Mutated clones linked to ARBs in population

The Artificial Immune System SSAIS and SMAIN (cont.)


No mutation operator on clones of highest stimulated ARB Highest stimulated ARB is cloned and half of the parents resources are assigned to the ARB clone Stimulation level

stimulation: summation of affinities with linked ARBs


also tends to overfit the data

The Artificial Immune System aiNet


population of linked memory ALCs (clonal selection) to cluster data ALC networks

Edges are pruned (similarity threshold) Pruning results into sub-networks Sub-network potential cluster in data

ALCs connected by edges (ALC pairs) Weight value assigned to each edge (indication of similarity) Results into edge-weighted graph

The Artificial Immune System aiNet (cont.)

Two phases

Clonal selection

Clonal selection (based on CLONALG) Network formation/suppression Subset of highest affinity ALCs are cloned and mutated Memory clones with affinity lower than threshold removed Remaining memory clones linked. Weighted edges pruned (below threshold) Remaining memory clones added to existing memory ALCs

Network formation/suppression

After each iteration of training antigens, percentage of lowest affinity memory ALCs replaced by random ALCs

The Artificial Immune System aiNet (cont.)

Final network of memory ALCs

Minimal spanning tree Hierarchical Agglomerative Clustering MOM-aiNet (multi-objective, multipopulation) Opt-aiNet (multi-modal function optimisation) Dopt-aiNet (improve opt-aiNet, non-stationary environments)

Other models

The Artificial Immune System Adaptive Mailbox


between interesting and uninteresting emails Two phases

Initialisation phase

user action for each new email User deletes email, generate ALC which can detect deleted email ALC set represents uninteresting emails

The Artificial Immune System Adaptive Mailbox (cont.)



Running phase

all deleted emails as uninteresting Buffers uninteresting emails as antigen patterns When buffer reaches specific size, present antigen patterns to ALC set of uniteresting emails (init phase) ALC set adapts to buffer (clonal selection) Thus, ALC set adapts to user behaviour

The Artificial Immune System Adaptive Mailbox (cont.)

Danger in mailbox

Determined by number of unread emails Number of unread emails reaches limit

Unread emails presented as antigen to ALC set Unread emails classified as uninteresting if highest affinity with an ALC exceeds affinity threshold Unread emails which are classified as uninteresting then automatically moved to temp folder or deleted

The Artificial Immune System Intrusion Detection

Simple IDS

Danger theory approach

Monitor incoming traffic of specific host Creates profile of normal user traffic Signals alarm for abnormal traffic (i.e. traffic not part of profile) Drawback: normal traffic changes through time, profile gets outdated Danger signal of abnormal CPU usage, memory usage or certain security attacks IDS only signal alarm if danger signal is also received No danger signal means that profile needs to be updated with abnormal traffic as normal traffic