Using the danger model of immune systems for distributed defense in modern data networks

This paper represents a departure from the current paradigms of centralized attack defenses and introduces the idea of the Danger model to autonomic defense systems. In existing systems, such as anti-viruses (AV) or intrusion prevention systems (IPS), a central authority generates the defense mechanisms and deploys these to the systems in the field. While this strategy works fairly well in static systems, currently the trend is towards large and more dynamically configured systems. The future is likely to belong to ubiquitous systems where the number of devices and their diversity exceed the capacity to centrally administer them. Furthermore, ubiquitous systems will also contain many devices that are not connected all the time nor to all other devices equally. To address these issues, this paper looks at the Danger Model of computer immune systems and its application to attack defense to create a fully decentralized model. The main paradigms are co-stimulation using both evidence of an attack (knowledge-based or behavior-based) with evidence of real danger or damage. By combining these two detection models we are able to reduce the chance of an auto-immune reaction in the Active Defense Network.