Artificial immune systems Survey and applications in ad hoc wireless networks

inAdHocWirelessNetworks

MartinDrozdaandHelenaSzczerbicka

UniversityofHannover,DepartmentofComputerScience,

FGSimulationundModellierung,Welfengarten1,30167Hannover,Germany.

Email:{drozda,hsz}@sim.uni-hannover.de

Keywords:wirelessadhocnetwork,misbehaviordetection,artificialimmunesystem.

Abstract

ThisdocumentreviewsrecenteffortsintheareaofArti-ficialimmunesystems(AIS)andtheirapplicationsfor(adhoc)wirelessnetworks.ItpresentsbasicmechanismofHu-manimmunesystems,introducesthereadertothelearningparadigmsofAIS,sumsupmisbehaviorinadhocwirelessnetworksanddiscussesprosandconsofAISinincreasingrobustnessofadhocwirelessnetworksagainstmisbehavior.

INTRODUCTIONANDMOTIVATION

Adhocwirelessnetworkslackacentralizedauthoritythatcontrolstheflowofpackets.Instead,eachnode(mobilede-vice)inanadhocnetwork1servesasarouter.Eachnodeisabletoforwardpacketsonlytoitsneighbors2,andvice-versaeachnodeisabletoreceivepacketsonlyfromitsneighbors.Nodesareallowedtomoveandcanbeswitchedoffandonatanytime.Duetothelackofacentralizedauthorityadhocnetworksareextremelyvulnerabletousermisbehavior.Sincenodeswithinanadhocnetworkareexpectedtohavelimitedcomputationalpowerandbebatterypowered,asystemthatisgoingtoprotectthemhastobelightweight.Additionally,ithastobeadaptiveasadhocnetworksareexpectedtooper-ateautonomouslywithsporadicmaintenance[33].Thereforeclassicalintrusiondetectionapproaches,manyofwhicharebasedonintrusionsignatures,arenotsuitableforthistask.AnexampleofsystemsthatfulfilltheaboverequirementsareArtificialimmunesystems(AIS).AISarebasedonamechanismthatispresentinhumanbodies,namely,ontheHumanimmunesystem(HIS);see[17,22,46,55,4]andref-erencestherein.AISareapartofrecentpromisingadvancesinIntrusiondetectionsystems[39,54,52,42,14,5,48,56,38].

ARTIFICIALIMMUNESYSTEMSBackground

TheHumanimmunesystemisarathercomplicatedmech-anismthatisabletoprotecthumansagainstanamazingsetof

3Self

andnon-selfinshort.

divideanddieoffslowly,maintainingahomeostaticnum-ber4ofT-cells.Onlywhenanantigenentersthebody,thishomeostaticnumberchanges.ThereareseveralbasictypesofT-cells.KillerT-cellsareabletoinitiatecelllysis(celldisso-lution).HelperT-cellsorchestratetheimmuneresponse;theycanalsoactivateanearbyB-celltoproduceantibody.TheroleofmemoryT-cellsistoresponsemoreeffectivelytorecurringpathogens(strongersecondaryresponse).

SimilartothenegativeselectionprocessofT-cellsisthepositiveselectionprocessofB-cells.B-cellsareproducedinbonemarrow.Thosethatbindanon-selfantigenareallowedtomatureandundergoclonalselection.SomeoftheseB-cellsbecomeplasmacellsthatproduceantibodies(eachB-cellproducesaspecificantibody)andsomebecomememoryB-cells.

Ausualimmunemechanismcanbeconciselydescribedasfollow:

1.Afterthefirstlineofdefense(e.g.skin)failed,anantigenentersthehumanbody.Itisimmediatelyengulfedbyamacrophage(oreatingcell)thatprocessesthisantigenanddisplayshispiecesonitssurface.

2.HelperandkillerT-cellsareactivatedbyantigenpre-sentingmacrophage,ifaT-cellrecognizesthisspecificantigen.

3.HelperT-cellsactivateB-cells.TheseB-cellsundergoclonalselectionandstartproducingantibodiesthatcanbindtothespecificantigen.Antibodiesefficientlytagantigensandinactivatethembycomplementfix-ation(celllysis),neutralization(bindingtospecificsitestopreventattachmentbyanantigen),agglutination(clumping),precipitation,etc.B-cellsthatgetactivatedmoreoftenbecomememoryB-cells.Thesecellshelptorespondmoreefficientlywheninfectionbythatkindofantigenre-occurs.

4.HelperandkillerT-cellsreplicate,someofthembecomememoryT-cellsthathelptolaunchafasterresponsenexttimethesameantigenisencountered.KillerT-cellsareactivatedbyhelperT-cells;activatedkillerT-cellsde-stroyantigen.Humansarealreadybornwitha“pre-designed”setofcells,proteinsandmolecules.Thisisapartoftheinnateimmunity.Thisinnateimmunityislaterextendedbyacquiredimmunity.Vaccinationstimulatesthefutureimmuneresponse.Vacci-nationmeansthat(weakened)antigensareartificiallyintro-ducedintothebody.Ausualimmuneresponseistriggered,thusproducingmemoryB-andT-cellsthatstaythereformanyyears,readytoreactwhenthesameorsimilarantigenenterthebodyinthefuture.

Forfurtherdetailsonhumanimmunologywereferthein-terestedreadertoclassicaltextssuchas[28].Wewouldlike

5We

willusetermsdetectorandT-cellinterchangeably.

DET

DETS

DET

S

DET

DET

DET

DET

DET

S

DET

NON−SELFFigure3.Theuniverseispartitionedintotwosets:selfandnon-self.Non-selfshouldbecompletelycoveredbydetectorsbutthisisusuallynotthecase,duetoexistingholes.S=Self,DET=Detector.

Ther-contiguousbitsmatchingruleisbyfarthemostpop-ularmeasure.Twobit-strings(ofthesamelength)matchun-derther-contiguousmatchingruleifthereexistsasubstringoflengthratpositionpineachofthemandthesesubstringsareidentical.Ithasbeenthoroughlyanalyzedandsimplifiedtother-chunksmatchingrulein[15,16].

Adetectordwitharealvaluedrecognitionradiusrnsisrepresentedbyatuple(cd,rns),cd∈[0,1]n,rns∈R,wherecdisthecenterofthedetectorandrnsisthenon-selfrecog-nitionradius.Anelementelieswithintherecognitionradiusofdifdist(d,e)Pioneeringworkinproposingefficientalgorithmsforde-tectorcreationwasdonebyP.D’haeseleerin[11,10].Aneffi-cientnegativeselectionalgorithmmaximizescoverageofthenon-selfsetandminimizesthenumberofdetectorsneededforsuchatask.Thisimpliesthattwodetectorsshouldnotoverlap,ifpossible;thisishowevernotguaranteedwhende-tectorsareproducedinapseudo-randomwayasdepictedinFigure1.Twoalgorithmsbasedondynamicprogrammingwereproposed:alineartimealgorithmwithtimeandspacecomplexityO((l−r)NS)+O((l−r)2r)+O(lNR)andO((l−r)22r),respectively,andagreedyalgorithmwithtimeandspacecomplexityO((l−r)2rNR)andO((l−r)22r),respectively,wherelisnon-selfstringlength,rspecifiesthenumberofbitsthathavetomatchunderther-contiguousbitsmatchingrule,NRisthedesireddetectorsetsize,NSistheselfsetsize.TheestimateNforNR,thedesiredsizeofthede-tectorsset,is2r(1−2−r)S.Thedisadvantageoftheseandallothernegativeselectionalgorithmswithafixedmatchingruleisthattheyintroduceholes,i.e.areasofnon-selfthatitisnotpossibletodetect;seeFigure3.Accordingto[11],holescanbeeliminatedwithadaptivematchingrulesthatproducedetectorswithhighspecificity.Thegreedyalgorithmwasex-tendedtom-aryalphabetstringsin[47];additionally,theau-thorevaluatedprosandconsofrepresentingdetectorsandantigenswithanalphabetofaritym=2andm>2.The

authorconcludesthatbothoptionsarejustifieddependentonthenatureofanomalythatshouldgetdetected.

In[15]aformalframeworkforpositiveandnegativese-lectionschemeshasbeenproposed.Theframeworkaimsatanalyzingtheseschemesintermsofthenumberofdetectorsneededtocovertheselfornon-selfset,respectively.Theau-thorsfurtherintroduceanewmatchingrule(r-chunksmatch-ingrule).

Inordertoovercomethecomplexityofnegativeselectionalgorithmsbasedonabit-stringmatchingrule,in[30]theauthorsproposedareal-valuednegativeselectionalgorithm.Underthisalgorithmthecenterofadetectorisrandomlycho-senandtherecognitionradiusisgrownuntilitcomesincon-tactwithaselfelement.In[50]acomparisonoftheabovereal-valuednegativeselectionalgorithmwiththreeotherap-proachesisundertaken.Thecomparisonisdoneonadatasetknowntoincludetracesofmisbehavior.Authorsconcludethatundertheirsettings,thereal-valuedalgorithmfailedtodominateothertechniques.

ThecurrentAISareusuallybasedonthenegativeselectionmechanism.Certainaspectsofthepositiveselectionintermsofpercolationtheory6arediscussedin[21];recognitionra-diusandshapeofdetectors,andtheirimpactonthenumberofdetectorsisstudied.

ADHOCWIRELESSNETWORKS

Theparadigmofadhocwirelessnetworksisconnectivityanywhere,atanytime,withoutanyfixedinfrastructure.

Theparadigmofadhocnetworkingisoftenrestatedingraphtheoreticframeworkasfollows:anadhocnetworkisanetN=(n(t),e(t))wheren(t),e(t)arethesetofnodesandedgesattimet,respectively.Nodescorrespondtomobileusersorautomatedsensorsthatwishtocommunicatewitheachother.AnedgebetweentwonodesAandBissaidtoexistwhenAiswithintheradiotransmissionrangeofBandviceversa.Theimposedsymmetryofedgesisausualas-sumptionofmanymainstreamprotocols.Thechangeinthecardinalityofsetsn(t),e(t)canbecausedbythefreedomthatusershavewhentheywishtoswitchonorswitchofftheircommunicationdevice,orcanbecausedbymobilityofusers,signalpropagation,linkreliabilityandotherfactors.Dataexchangeinapoint-to-point(uni-cast)scenariousuallyproceedsasfollows:auserinitiateddataexchangeleadstoaroutequeryatthenetworklayeroftheOSIstack.Aroutingprotocolatthatlayerattemptstofindaroutetothedataex-changedestination.Thisrequestmayresultinapathofnon-unitlength.Thismeansthatadatapacketinordertoreachthedestinationhastorelyonsuccessiveforwardingbyin-termediatenodesonthepath.Thereforetheabilitytoadaptroutingwhennecessaryinordertotransmitdataisanotherkeyfeatureofadhocnetworks.

Batterypowerthatisnecessaryateachnodeforreceptionortransmissionofdatapackets,andforallnecessarycompu-tationasprescribedbydifferentprotocolsisofrarenatureandthereforeitspreservationisanimportantrequirement.Wewillassume,forthesakeofthisreview,thattheprimarysourceofelectricpowerfornodesarebatteries.Thecon-sequencesofthisassumptionarethatcomputationatnodesshouldbekepttoaminimum;anydatastructurethatisim-plementedatanynodeissubjecttospacerestrictions.Fur-thermore,receptionandforwardingof“unsolicited”packetsshouldbesubjecttomonitoringand,possibly,toacorrectiveaction.

ProtocolsatanyleveloftheOSIstack,suitableforadhocnetworking,arereviewedinstandardtextbooksandotherdocumentssuchas[41,43,26].Thereforewewillnotdiscusspeculiaritiesofindividualprotocolsandtheirperformanceinscopeofadhocwirelessnetworks.

PerformanceofadhocnetworksisusuallymeasuredintermsofQualityofService(QoS)parameters.BasicQoSpa-rametersareend-to-endpacketdelay,numberofpacketsre-ceived,longandshorttermfairness,andoverheadatanyleveloftheOSIstack.OtherQoSparametersincludeoverheadatdifferentlayersoftheOSIstack7,spatialuseofcontrolpack-ets,andamultitudeofotherparametersthatareoftenspecifictoagivenprotocol.

Eventhoughadhocnetworksaretosomeextentrobusttomisbehaviorofsinglenodes,itmakessensetoprovidethemwithfeaturesenhancingtheirsurvivability.Survivabilityisdefinedasthecapabilityofasystemtofulfillitsmissioninatimelymanner,eveninthepresenceofattacks,failuresoraccidents[36].

MISBEHAVIORIN(ADHOC)WIRELESSNETWORKS

Inthissectionwereviewafewknowntypesofmisbehav-iorthatcanleadtodecreasedQualityofServiceinwirelessnetworks.8TheycanbeclassifiedasByzantinemisbehavior,impersonificationandlying,denialofservice,selfishbehav-ior,andopenlymaliciousbehavior.Wenotethatsolutionstosomeoftheseattackshavebeenalreadyproposed.Wewouldliketobringtothereader’sattentionthatpackettraceswithanomalousbehaviorcanbefoundatArachNIDS[1]9;thesecanbeusedfortestingandtrainingofanintrusiondetectionsystem.

WefocusonmisbehavioratMAC,routingandtransportlayers.Weassumethatthelimitedbatterypowermakesmis-behaviorevaluationathigherlayersprohibitivelyexpensive.Wealsoassumethatmisbehavioratthephysicallayerisne-glectable.

theassumptionsarethatthegivenhardwaredeviceisabletofunctioninpromiscuousmodeandthatpowerlevelcontrolanddirectionalantennasarenotused.

Sybilattackisdonebycreatinganumberoffictitiousnodes;see[12].

TransportLayer:

Selfishmisbehavior.Underthisscenariothesenderignoresrulesforcongestionwindowadjustment.Ittriestosetthecongestionwindowtoamaximumsizeinordertoincreasehisthroughput.

TCPSYNfloodingaimstoexploitvulnerabilityofahostwhenaTCPconnectionishalf-open.Underthisscenario,aclientattemptstoconnecttoahost,leaveshowevertheconnectionshalf-open,andcontinueswithopeningotherconnections.Theconnectionbufferofthehostoverflows;legitimateconnec-tionsisnotpossibletoopenanymore;see[32].

ACKdivision,DupACKspoofing,andoptimisticACKing.Thismisbehaviorisaimedatmanipulationofthesizeofthecongestionwindowatsenders;see[44].

JellyFishattacks.Introducedin[2],theytargetthecongestioncontrolofTCP-likeprotocols.TheseattacksobeyalltherulesofTCP,nevertheless,theyareverydamaging.ThreekindsofJellyFish(JF)attackswerediscussedin[2]:JFreorderattack,JFperiodicdroppingattack,andJFdelayvarianceattack.

APPLICATIONSNETWORKS

FOR(ADHOC)WIRELESSMobiledeviceswithinanadhocwirelessnetworksareassumedtohavealimitedcomputationalpowerandscarcebatteryresources.Thischaracteristicsisevenmoretrueforsensornetworks.Sensornetworksarestaticnetworksbuiltaroundtheadhocnetworks’paradigm.Theirgoalistomakemeasurements(temperature,humidity,movementetc.)andandforwardthisdatatoacentralpoint.Amisbehaviorde-tectionmechanismforsuchnetworksmustbethereforedis-tributed,lightweightandadaptive.Manycurrentmisbehavior(intrusion)detectionsystemsarenowadaysdesignedassig-naturebasedsystemsthatrequirethatthesetofmisbehaviorsignaturesgetsupdatedoften.Thisisclearlyhardlypossi-bleforadhocnetworks.IsisalsoclearthatanAISmightnotprovidethesamelevelofprotectionasahumanmanagedsignaturebasedsystem.Thereforeitisofhighimportancetodefinewhichperformabilityandstructuralpropertiesofadhocnetworksshouldbesubjecttoprotection.WeproposethatanAISforadhocnetworksshouldimposeahighdegreeoftheirsurvivability[49].Itisthereforeofparamountimpor-tancethattheadhocnetwork’smissionisclearlydefinedandachievableundernormaloperatingconditions.IntherestofthissectionwereviewsomeAISbasedapproachestomisbe-havior(anomaly)detectionfor(adhoc)wirelessnetworks.

In[22]theauthorsdescribeanartificialimmunesystemthatisrobustagainstanomaliesatthetransportlayeroftheOSIprotocolstack;onlywiredTCPnetworksareconsidered.SelfisdefinedasnormalpairwiseTCPconnections.Insteadofmimickingthecomplexstructureofhumanimmunede-fensetheycollapseB-cellsandT-cellsintoasingleentitycalled“detector”.Eachdetectorisrepresentedasasinglebitstringof49bits.SuchdetectorisablebystringmatchingtorecognizewhetheragivenpairofTCPconnectionsisselfornon-self.Thepatternmatchingisbasedonr-contiguousbits.Aprocessofnegativeselectionisappliedtodetectorsinordertomakethemmature,i.e.tomakethemabletode-tectnon-self.Theyassumethatnon-selfbehaviorisveryrarethereforetrainingdetectorsonarunningsystemisnotunrea-sonable.Theyalsointroduceddifferentactivationandthresh-oldconditionsthatmaketheirsystemrobustagainstincom-pletesetsofselfthatareusedduringdetectors’training.Thelearningphasedoesnotonlyincludenegativeselectionbutalsoco-stimulationandamechanismformaturingadetectorintomemorydetectors.Co-stimulationisasecondarysignalmeanttosuppressautoimmunereactions.In[22]whenade-tectormatchesastring(possibleanomaly),aco-stimulationfromahumannetworkadministratorisneededinordertoconfirmthisstringtobenon-self.Thetimewindowinwhichtheadministratorcanactwassetto24hours;ifnoreplyisreceivedthenthedetectorisreset,inothercasethedetectorentersthecompetitiontobecomeamemorydetector.

Additionally,in[17]theauthorsdiscusstheroleofsenes-cenceforimmunesystems.Theynotethatduetospaceef-ficiencymemorycellswillhavetobeeliminatedovertime.Theyalsore-introducethenotion“ballofstimulation”thatisbasedonresearchintheareaoftheoreticalbiology.BallofstimulationmodelsthefactthatBorT-cellsshouldbeabletorecognizenon-selfwithintheradiusoftheexactmatch.Theyalsodealwithholescausedbyfixed-probabilitymatch-ingrules.Theyproposepermutationmasksassociatedwithdetectorsets;apermutationmaskcontrolshowanantigenispresentedtothedetectionsystem.

Ref.[34]discussesanetworkintrusionsystemthataimsatdetectingmisbehaviorbycapturingTCPpacketheaders.Theychoseamorecomplexrepresentationthataccountsfortrafficintensity,portusedinthecommunication,TCP3-wayhandshakeunregularities,andportsareadditionallytaggedwithknownvulnerabilitiesifsuchexist.TheyreportthatAISmaybeunsuitablefordetectinganomaliesincommunicationnetworks.Thisresultisquestionedin[6]whereitisstatedthattheabovenegativeresultmaybeduetothechoiceofproblemrepresentationandtothechoiceofmatchingthresh-oldrforr-contiguousbitmatching.Apositiveresultisalsoreportedin[53]whereseveralprotocolsfromthenetworkandtransportlayersareconsidered.

Aninterestingapproachfordetectingmisbehaviorisin-troducedin[46].Thisapproachbuildsonresultsin[22]andextendstheminthedirectionofanartificialimmunesystem

fordetectionofmisbehavioratthenetworkleveloftheOSIstack.TheprotocolthatissubjecttomonitoringisDSR,orDynamicSourceRoutingoriginallyproposedbyDavidJohn-sonetal.;seeref.[31].Thepaperinvestigatestheuseofsev-eralnovelconceptswhichare“virtualthymus”,clusteringfordecreasedrateoffalsepositives,andaspecifickindofco-stimulationcalled“dangersignal”.Anapproachforamoreefficientsecondaryresponseisintroducedaswell.

TheDangertheorybyAickelinetal.[3]suggeststhatrecognitionofapossiblenon-selfisimportantonlyifthisnon-selfisarelativedangertothesystem.Thiseffortad-mitsthattheclassicaltaskofself–non-selfrecognitionforanAISisnotsufficientandmightevenbeunachievableduetonon-efficiencyofnegativeselectionalgorithms.Itishow-everquestionablehowonecanrecognizeadangerinadhocwirelessnetworksasmanyperformabilitymeasuresrequireaglobalviewofthenetwork.In[46]theauthorssuggestthatasourcenodeshouldemitadangersignalwhensentpacketsdonotgetacknowledgedbythedestinationnode.Thesignalissentovertheroutetothedestination.Thesignalcontainsin-formationaboutthetimewhenthepacketwassentandaboutnodesthatweresupposedtoforwardthispacket.Thissignalisthencorrelatedwithanobservednon-selfbehavior(packetlossinthiscase).Theauthorsdonotdiscusswhethersuchadangersignalcouldselfgetmisused.

In[13]weproposedthatanAISforadhocnetworksshouldconsistofthefollowingmodules:Datacollectionandprepro-cessing,Localandcooperativedetection,Learning,andLocalandCooperativeresponse.Thesefourlayersshouldbemutu-allyinterconnectedtoallowforanefficientfeedbackmecha-nisms.Thisstructureacknowledgesthefactthatforincreasedsurvivabilityofadhocnetworksismisbehaviordetectionequallyimportantasfindingthemisbehavingnode(ornodes),exchangeofinformationaboutmisbehavingnodes,andapos-siblecooperativecorrectiveactionagainstsuchnodes.Ade-ficiencyofcurrentAISfor(adhoc)wirelessnetworksisthattheyconcentrateonlocaldetectionofmisbehavior;theydonotconsiderdistributeddetectionandwiththeexceptionofref.[46]theyonlydistantlycopewiththeproblemofeitherlocalorcooperativeresponseagainstamisbehavingnode.Assuggestedin[3]misbehaviordetectionandpreventionshouldreactonworseningperformabilityandstructuralmea-sureswithinanadhocnetwork.Itisobviousthatinordertocomputemajorityofthesemeasuresandthustobeabletodeterminetheimpactthatagivenmisbehaviorcouldhave,itisnecessarytohaveaglobalviewofthenetwork.In[7]wediscusswhatimpactcertainstructuralpropertiescouldhaveonperformanceofadhocnetworks.Weconcludethatwhenstructuralpropertiesofanadhocnetworkareknown,thecor-relationbetweenthemandperformabilitymeasures,suchasthroughput,latencyornumberofpacketslost,isnotclear.Therefore,motivatedbyresultsin[46],itseemsonewillhavetolimititselftoindividualpacketflowsortoconsideronlyperformabilitymeasuresthatareeasytocomputelocally.

Theabovegivesanoutlineofrecentapproachesthatareapplicabletowirelessnetworkswithartificialimmunity.Weexpectthatmanyoftheapproachesthatwereappliedforwirelessnetworkswillbealsoapplicableforadhocnetwork.SincethefieldofAISisstillbeingintheearlystagesofde-velopmentthereissubsequentlyonlyverylimitednumberofreferencesthatwoulddealwithAISforadhocnetworks.AISandtheirusabilityforapplicationsotherthanwirelessnet-worksareneatlyreviewedin[4].

CONCLUSIONS

Wehavereviewedaspecificareaofanomalydetectionsystems.ArtificialimmunesystemsarebasedonpropertiesoftheHumanimmunesystemsuchassuchasselfvsnon-selfrecognition,innatevsacquiredimmunity,primaryvssecondaryresponse,generalvsspecificresponse,orcell-mediatedvshumoralimmunity.

ThekeyquestionofanAISdesigniswhichstructuralandperformabilitypropertiesofthegiven(adhoc)wirelessnet-workshouldbepreserved.Theseinvariantsincludeconnec-tivityandothergraphtheoreticmeasures[7],andamulti-tudeofvariousperformabilityparametersexamplesofwhicharepacketlatency,throughput,numberofpacketsreceivedorfairness.

Weadheretotheideathattheanarchitectureforadhocwirelessnetworksshouldimposeahighdegreeoftheirsur-vivability[49].Itisthereforedesirablethattheadhocnet-work’smissionisclearlydefinedandachievableundernor-maloperatingconditions.

Finally,wewouldliketopointoutthatanAISshouldneverbeexpectedtosuppressanexcessivelylargesetofmisbehav-ior.Therefore,whentestingandtrainingsuchasystemthecapabilityofmisbehavingnodesshouldbeclearlydefined.Ontheotherhand,anyAISsystemshouldbedesignedwithsomelevelofuniversalityinmind,thatisitshouldgobeyondthecurrentapproachesthataimatprotectingadhocnetworksagainstaspecificflavorofmisbehavior.

ACKNOWLEDGMENTS

ThisworkwassupportedbytheGermanResearchFoun-dation(DFG)underthegrantno.SZ51/24-1(SurvivableAdHocNetworks–SANE).

REFERENCES

[1]ArachNIDS;advancedreferencearchiveofcurrent

heuristicsfornetworkintrusiondetectionsystems.www.whitehats.com/ids[2]ImadAad,Jean-PierreHubaux,EdwardW.Knightly.De-nialofserviceresilienceinadhocnetworks.Proc.10thannualinternationalconferenceonMobilecomputingandnetworking,2004.

[3]U.Aickelin,P.Bentley,S.Cayzer,J.Kim,andJ.

McLeod.Dangertheory:Thelinkbetweenaisandids.Proc.InternationalConferenceonArtificialImmuneSys-tems(ICARIS’03),pages156–167,Edinburgh,UK,2003.[4]UweAickelin,JulieGreensmithandJamieTwycross.

ImmuneSystemApproachestoIntrusionDetection-AReview.Proc.the3rdInternationalConferenceonAr-tificialImmuneSystems(ICARIS2004),Catania,Italy,2004.[5]TimBaas.Intrusiondetectionsystemsandmultisensor

datafusion.CommunicationsoftheACM,vol.43,issue4,pp.99-105,2000.

[6]J.BalthropandS.ForrestandM.Glickman.Revisiting

lisys:Parametersandnormalbehavior.Proc.CongressonEvolutionaryComputing(CEC02),2002.

[7]C.L.Barrett,M.Drozda,D.C.Engelhart,V.S.AnilKu-mar,M.V.Marathe,M.M.Morin,S.S.Ravi,andJ.P.Smith.UnderstandingProtocolPerformanceandRo-bustnessofAdHocNetworksThroughStructuralAnal-ysis.Proc.IEEEInternationalConferenceonWirelessandMobileComputing,NetworkingandCommunica-tions(WiMob2005).[8]MarioCagalj,SaurabhGaneriwal,ImadAadandJean-PierreHubaux.OnCheatinginCSMA/CAAdHocNet-works.TechnicalreportNo.IC/2004/27,February2004.[9]AlvaroA.Cardenas,SvetlanaRadosavac,JohnS.Baras.

DetectionandpreventionofMAClayermisbehaviorinadhocnetworks.Proc.2ndACMworkshoponSecurityofadhocandsensornetworks,2004.[10]D’haeseleer,P.Animmunologicalapproachtochange

detection:theoreticalresults.Proc.9thIEEEComputerSecurityFoundationsWorkshop,pp.18-26,1996.[11]D’haeseleer,P.,Forrest,S.,andHelman,P.Animmuno-logicalapproachtochangedetection:Algorithms,analy-sisandimplications.Proc.IEEESymposiumonResearchinSecurityandPrivacy,1996.

[12]J.Douceur.Thesybilattack.Proc.oftheIPTPS02

Workshop,Cambridge,MA(USA),March2002.

[13]M.Drozda,H.Szczerbicka,T.Bessey,M.Becker,

R.Barton.ApproachingAdHocWirelessNetworkswithAutonomicComputing:AMisbehaviorPerspective.Proc.2005InternationalSymposiumonPerformanceEvaluationofComputerandTelecommunicationSystems(SPECTS’05).

[14]RobertDurst,TerrenceChampion,BrianWitten,Eric

Miller,LuigiSpagnuolo.Testingandevaluatingcom-puterintrusiondetectionsystems.CommunicationsoftheACM,vol.42,issue7,pp.53-61,1999.[15]Esponda,F.,Forrest,S.andHelman,P.Aformalframe-workforpositiveandnegativedetection,IEEETrans.Syst.,ManCybernet.,vol.34,pp.357–373,2004.

[16]FernandoEsponda,StephanieForrest,PaulHelman.

TheCrossoverClosureandPartialMatchDetection.Proc.ICARIS2003,pp.249-260.[17]S.ForrestandS.A.Hofmeyr.Immunologyasinforma-tionprocessing.InDesignPrinciplesfortheImmuneSys-temandOtherDistributedAutonomousSystems,editedbyL.A.SegelandI.Cohen.SantaFeInstituteStudiesintheSciencesofComplexity.NewYork:OxfordUniver-sityPress(2001).[18]FabioA.González,DipankarDasgupta,LuisFernando

Niño.ARandomizedReal-ValuedNegativeSelectionAl-gorithm.Proc.ICARIS2003,pp.261-272.[19]V.Gupta,S.Krishnamurthy,andM.Faloutsos.Denial

ofServiceAttacksattheMACLayerinWirelessAdHocNetworks.Proc.ofMilcom,2002.[20]P.Harmer,P.Williams,G.H.Gnusch,andG.Lamont.

AnArtificialImmuneSystemArchitectureforComputerSecurityApplications.IEEETransactionsonEvolution-aryComputation,6(3):252–280,June2002.[21]EmmaHart.NotAllBallsAreRound:AnInvestigation

ofAlternativeRecognition-RegionShapes.Proc.ICARIS2005,pp.29-42.[22]S.HofmeyrandS.Forrest.ImmunitybyDesign:AnAr-tificialImmuneSystem.Proc.GeneticandEvolutionaryComputationConference(GECCO),Morgan-Kaufmann,SanFrancisco,CA,pp.12-1296(1999).[23]Yih-ChunHu,AdrianPerrig,DavidB.Johnson.Ari-adne::asecureon-demandroutingprotocolforadhocnetworks.Proc.8thannualinternationalconferenceonMobilecomputingandnetworking,2002.[24]Yih-ChunHu,AdrianPerrig,DavidB.Johnson.Rush-ingattacksanddefenseinwirelessadhocnetworkrout-ingprotocols.Proc.ACMworkshoponWirelesssecurity,2003.[25]Yih-ChunHu,AdrianPerrig,DavidB.Johnson.Packet

leashes:adefenseagainstwormholeattacksinwirelessnetworks.Proc.INFOCOM2003,Twenty-SecondAn-nualJointConferenceoftheIEEEComputerandCom-municationsSocieties.[26]SamiIren,PaulD.Amer,Phillip,T.Conrad,Thetrans-portlayer:tutorialandsurvey,ACMComputingSurveys,vol.31,no.4,pp.360-404,1999.[27]M.JakobssonandS.WetzelandB.Yener.Stealthat-tacksonadhocwirelessnetworks.Proc.VTC,2003.[28]CharlesA.JanewayJr.Howtheimmunesystemworks

toprotectthehostfrominfection:apersonalview.Proc.Natl.Acad.Sci.USA.,2001Jun19;98(13):7461-8.[29]N.K.Jerne.Towardsanetworktheoryoftheimmune

system.AnnualsofImmunology,1974.

[30]ZhouJi,DipankarDasgupta.Real-ValuedNegativeSe-lectionAlgorithmwithVariable-SizedDetectors.Proc.Proc.GeneticandEvolutionaryComputationConfer-ence2004(GECCO-2004),2004:287-298[31]D.JohnsonandD.Maltz.DynamicSourceRoutingin

AdHocWirelessNetworks.MobileComputing,TomaszImielinskiandHankKorth,Eds.Chapter5,pages153-181,KluwerAcademicPublishers,1996.[32]A.JuelsandJ.Brainard.Clientpuzzles:Acrypto-graphiccountermeasureagainstconnectiondepletionat-tacks.InDistributedSystemsSecurity(SNDSS),pages151–165,February1999.[33]JeffreyO.Kephart,DavidM.Chess.TheVisionofAu-tonomicComputing.IEEEComputermagazine,January2003.

[34]Kim,J.andBentley,P.J.EvaluatingNegativeSelec-tioninanArtificialImmuneSystemforNetworkIntru-sionDetection,Proc.GeneticandEvolutionaryCompu-tationConference2001(GECCO-2001),SanFrancisco,pp.1330-1337,July7-11,2001.[35]P.KyasanurandN.H.Vaidya.Detectionandhandling

ofmaclayermisbehaviorinwirelessnetworks.Technicalreport,CSL,UIUC,August2002.[36]HowardF.LipsonandDavidA.Fisher.Survivability-ANewTechnicalandBusinessPerspectiveonSecurity.Proc.1999NewSecurityParadigmsWorkshop,Associa-tionforComputerMachinery,2000.[37]SergioMartiandT.J.GiuliandKevinLaiandMary

Baker.Mitigatingroutingmisbehaviorinmobileadhocnetworks.MobileComputingandNetworking,pp.255-265,2000.[38]BiswanathL.Mukherjee,ToddHeberlein,andKarlN.

Levitt,NetworkIntrusionDetection.IEEENetwork,vol.8no.3,pp.26-41,May/June1994.[39]StevenNoel,DumindaWijesekera,CharlesYouman.

ModernIntrusionDetection,DataMining,andDegreesofAttackGuilt.InApplicationsofDataMininginCom-puterSecurity,D.BarbaràandS.Jajodia(eds.),KluwerAcademicPublisher,2002.[40]VenkataN.Padmanabhan,DanielR.Simon.Secure

traceroutetodetectfaultyormaliciousrouting.ACMSIGCOMMComputerCommunicationReview,vol.33,issue1,pp.77-82,2003.[41]CharlesE.Perkins.AdHocNetworking.AddisonWes-ley,2001.

[42]AdrianPerrig,JohnStankovic,DavidWagner.Secu-rityinwirelesssensornetworks.CommunicationsoftheACM,vol.47,issue6,pp.53-57,2004.[43]T.S.Rappaport.WirelessCommunications.Prentice-Hall,1996.

[44]StefanSavage,NealCardwellandDavidWetheralland

TomAnderson.TCPCongestionControlwithaMisbe-havingReceiver.ComputerCommunicationReview,vol.29,number5,1999.[45]StefanSavage,DavidWetherall,AnnaKarlin,TomAn-derson.NetworksupportforIPtraceback.IEEE/ACMTransactionsonNetworking,vol.9,issue3,pp.226-237,2001.[46]SlavišaSarafijanovi´candJean-YvesLeBoudec.An

ArtificialImmuneSystemforMisbehaviorDetectioninMobileAd-HocNetworkswithVirtualThymus,Cluster-ing,DangerSignalandMemoryDetectors.Proc.ICARIS(Thirdinternationalconferenceonartificialimmunesys-tems),2004.[47]S.Singh.Anomalydetectionusingnegativeselec-tionbasedonther-contiguousmatchingrule.Proc.1stInternationalConferenceonArtificialImmuneSys-tems(ICARIS),pp.99–106,2002.

[48]FrankStajano,RossAnderson.TheResurrectingDuck-ling:SecurityIssuesforAd-hocWirelessNetworks.Se-curityProtocols,Proc.7thInternationalWorkshop,1999.[49]JamesP.G.Sterbenz,RajeshKrishnan,ReginaRosales

Hain,AldenW.Jackson,DavidLevin,RamRamanathan,JohnZao.Survivablemobilewirelessnetworks:issues,challenges,andresearchdirections.Proc.ACMworkshoponWirelesssecurity,2002.[50]Stibor,T.,J.TimmisundC.Eckert.AComparative

StudyofReal-ValuedNegativeSelectiontoStatisti-calAnomalyDetectionTechniques.Proc.4thInterna-tionalConferenceonArtificialImmuneSystems(ICARIS-2005),Banff,Canada,2005.

[51]BoSun,KuiWu,UdoW.Pooch.Alertaggregationin

mobileadhocnetworks.Proc.ACMworkshoponWire-lesssecurity,2003.[52]GiovanniVigna,FredrikValeur,RichardA.Kemmerer.

Designingandimplementingafamilyofintrusiondetec-tionsystems.Proc.9thEuropeansoftwareengineeringconference,2003.[53]PaulD.Williams,KevinP.Anchor,JohnL.Bebo,Gregg

H.Gunsch,GaryD.Lamont.CDIS:TowardsaComputerImmuneSystemforDetectingNetworkIntrusions.Proc.RAID2001,LNCS2212,pp.117-133,Jan2001.[54]HaoYang,XiaoqiaoMeng,SongwuLu.Self-organized

network-layersecurityinmobileadhocnetworks.Proc.ACMworkshoponWirelesssecurity,2002.[55]YongguangZhang,WenkeLee,andYianHuang.In-trusionDetectionTechniquesforMobileWirelessNet-works,ACM/KluwerWirelessNetworksJournal(ACMWINET),vol.9,No.5(September2003).[56]LidongZhouandZygmuntJ.Haas.SecuringAdHoc

Networks.IEEENetwork,vol.13,number6,pp.24-30,1999.