
Novel tracking of rogue network packets using danger theory approach

Uwagbole, Solomon; Buchanan, William J; Fan, Lu

Authors

Solomon Uwagbole

William J Buchanan

Lu Fan


Abstract

Recently there has been heightened, continuous, and intrusive activity by remotely located rogue hacking groups, such as Anonymous and LulzSec. These groups often aim to disrupt computer networks and gain access to private, confidential data. A typical method used to steal confidential data is SQL Injection (SI). This problem is likely to increase as Cloud Computing gains popularity, thereby moving an organisation's network security boundary, the firewall, deeper into the internet cloud environment. There is thus a strong requirement for a real-time framework that detects and mitigates intrusion activities as, and when, they occur. Conventional firewalls lock down ports and applications, but often do little against malicious packets stealthily concealed in the payload of legitimate network packets; a framework that depends solely on analysis of network packet payloads for malicious fingerprints, rather than on traditional system calls and processes, is therefore required. This paper presents a novel framework that introduces vaccination of Danger Theory's Dendritic Cell Algorithm (DCA) for the real-time detection and mitigation of network intrusions. The proposed framework draws inspiration from the active and passive biological immune system, in which the human body mounts an efficient autonomous response to infection on encountering danger signals that indicate anomalies in cellular activity. This immunological principle is widely adopted in the computational field of Artificial Immune Systems (AISs). To achieve this bio-inspired computational framework of detection and response, research is in progress using a .NET Framework implementation of the DCA. The implementation has two stages: creating detector receptors as input data to train the DCA, and then using the trained DCA in real time to detect anomalous network packet payloads. The database security exploits of SI discussed in this paper serve as the worked example.
Stage one creates detector precursors (receptors) by subjecting the database to be protected to controlled SI scripts or code, with the network packet payloads of these exploits captured in real time by a custom-built .NET packet analyser. Stage two monitors the protected databases in real time for anomalies (antigens) through the trained DCA, using the r-contiguous rule to match receptors against antigens in the data pre-processing stage, where an immature Dendritic Cell (DC) is transformed into a semi-mature or mature one. The structure of SI packets is thus constructed so that malicious SI packets can easily be isolated from legitimate network packet payloads exchanged between a known source and destination of confidential data requests. In brief, protected data or assets are modelled as cells in tissues to be monitored, while rogue network packets trigger the computationally modelled DCs to co-stimulate B and T cells, providing detection feedback to the protected cells. The outcome of this paper can be applied in practice to detecting an attempt by a rogue remote intruder to steal protected data and applications, and to detecting man-in-the-middle attacks on applications that sit in the cloud. The proposed bio-inspired approach to resolving the SI security challenge is research in progress by the authors. The system is proposed to be easily adaptable to any domain, since the fingerprint required for detection and for training the system is now introduced by the vaccination method.
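The two stages above, as an added illustrative example in Python; it is not the paper's .NET implementation and none of it comes from the authors. Stage one "vaccinates" the detector by turning captured payloads of controlled SQL injection scripts into receptors. Stage two matches each incoming payload (antigen) against those receptors with an r-contiguous rule, feeds the match count into a small DCA population as the PAMP signal, derives a danger signal from SQL metacharacters and a safe signal from a known (source, destination) pair, and flags antigens by their Mature Context Antigen Value (MCAV). Everything specific is an assumption: the payloads and the known-pair table are constructed, the signal scales and thresholds are illustrative, and the signal weights are the commonly cited ones for Greensmith's DCA, not anything the paper states.

```python
"""Added example: vaccination (stage one) plus r-contiguous matching and a
Dendritic Cell Algorithm population (stage two).  Constructed data throughout."""
from collections import defaultdict
from dataclasses import dataclass, field

R = 6  # r-contiguous length; "name=" alone is 5 chars and must not match (assumption)

# Stage one: payloads of controlled SQL injection scripts, captured against a
# test database, become the detector precursors (receptors).  Constructed.
VACCINE_PAYLOADS = [
    "id=1' OR '1'='1",
    "id=1 UNION SELECT username, password FROM users--",
    "name=x'; DROP TABLE accounts; --",
]

# Known (source, destination) pairs for confidential-data requests; a request
# on a known pair raises the safe signal.  Constructed.
KNOWN_PAIRS = {("10.0.0.5", "db")}


def longest_common_run(a: str, b: str) -> int:
    """Length of the longest substring shared by a and b (O(len(a)*len(b)))."""
    best, prev = 0, [0] * (len(b) + 1)
    for ca in a:
        cur = [0] * (len(b) + 1)
        for j, cb in enumerate(b, 1):
            if ca == cb:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def receptor_matches(payload: str, receptors=VACCINE_PAYLOADS, r: int = R) -> int:
    """r-contiguous rule: a receptor matches when it shares at least r
    contiguous characters with the antigen payload."""
    return sum(1 for rec in receptors if longest_common_run(rec, payload) >= r)


def signals(src: str, dst: str, payload: str):
    """Map one request to (PAMP, danger, safe) on a 0..100 scale (illustrative)."""
    pamp = min(100, 50 * receptor_matches(payload))
    meta = sum(payload.count(t) for t in ("'", '"', ";", "--"))
    danger = min(100, 15 * meta)
    safe = 60 if (src, dst) in KNOWN_PAIRS else 0
    return pamp, danger, safe


@dataclass
class DendriticCell:
    migration_threshold: float
    csm: float = 0.0    # co-stimulatory molecules; the cell migrates at the threshold
    semi: float = 0.0   # semi-mature (safe) output
    mat: float = 0.0    # mature (danger) output
    antigens: list = field(default_factory=list)

    def sample(self, antigen_id, pamp, danger, safe):
        # Weights as commonly cited for Greensmith's DCA (assumption, not the paper's).
        self.csm += 2 * pamp + danger + 2 * safe
        self.semi += safe
        self.mat += 2 * pamp + danger - 1.5 * safe
        self.antigens.append(antigen_id)
        return self.migrate() if self.csm >= self.migration_threshold else []

    def migrate(self):
        """Present every stored antigen with this cell's context, then reset."""
        context = "mature" if self.mat > self.semi else "semi-mature"
        presented = [(a, context) for a in self.antigens]
        self.csm = self.semi = self.mat = 0.0
        self.antigens = []
        return presented


def run_dca(stream, thresholds=(100, 200, 300), anomaly_threshold=0.5):
    """Every antigen is sampled by every DC; MCAV = mature presentations over
    all presentations.  Returns ({antigen_id: mcav}, set of flagged ids)."""
    cells = [DendriticCell(t) for t in thresholds]
    counts = defaultdict(lambda: [0, 0])  # antigen id -> [mature, total]
    for antigen_id, src, dst, payload in stream:
        p, d, s = signals(src, dst, payload)
        for cell in cells:
            for a, ctx in cell.sample(antigen_id, p, d, s):
                counts[a][0] += ctx == "mature"
                counts[a][1] += 1
    for cell in cells:  # end of capture window: remaining cells present what they hold
        for a, ctx in cell.migrate():
            counts[a][0] += ctx == "mature"
            counts[a][1] += 1
    mcav = {a: m / n for a, (m, n) in counts.items()}
    return mcav, {a for a, v in mcav.items() if v > anomaly_threshold}


# Constructed capture: three legitimate requests, then an injection burst from an
# unknown host.  b2 carries a quote and b4 shares "name=" with a receptor.
STREAM = [
    ("b1", "10.0.0.5", "db", "id=42&sort=asc"),
    ("b2", "10.0.0.5", "db", "q=O'Brien"),
    ("b4", "10.0.0.5", "db", "name=bob&page=2"),
    ("a3", "203.0.113.9", "db", "id=7' OR '1'='1"),
    ("a5", "203.0.113.9", "db", "id=1 UNION SELECT username, password FROM users--"),
]

if __name__ == "__main__":
    mcav, flagged = run_dca(STREAM)
    for a, _, _, payload in STREAM:
        print(f"{a} MCAV={mcav[a]:.2f} {'ANOMALY' if a in flagged else 'ok':8} {payload}")
```

Two properties worth noticing when running it: the quote in `q=O'Brien` raises the danger signal but the safe signal from the known pair keeps it semi-mature, and `b4`, sampled in the same window as the first injection by one of the three cells, ends up with an MCAV of one third. That temporal smearing is inherent to the DCA, which is why a population of cells with different migration thresholds and an MCAV threshold, rather than a single match, decides what is flagged.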

Citation

Uwagbole, S., Buchanan, W. J., & Fan, L. (2012). Novel tracking of rogue network packets using danger theory approach. Proceedings of the ... international conference on information warfare and security, 277-286

Journal Article Type: Article
Publication Date: 2012
Deposit Date: May 29, 2012
Electronic ISSN: 2048-9870
Peer Reviewed: Yes
Pages: 277-286
Keywords: Intrusion; detection; Immunised network; danger theory
Public URL: http://researchrepository.napier.ac.uk/id/eprint/5314