MCSoft Security Solutions



MCSoft Project - Computer Immune System for Intrusion and Virus Detection

Publication is available at (for example)

The design for the Computer Immune System (CIS) presented here is inspired by the Immune System (IS) of the human body. By analogy with the IS, the CIS consists of many cells that work independently, with no centralized control. The cells are the detectors of the CIS. In a computer system, the large number of trained detectors leads to the detection and elimination of malicious code segments in packets of the network traffic. The detectors of the CIS are distributed over the local area network (LAN). Each computer system trains its detector set independently.

The CIS Sensor is implemented as a Snort preprocessor plugin, which communicates through a Monitor Application with a central MySQL database on the Web. The database stores successful detectors. A standardized format (IODEF) will ensure an easy exchange of successful detectors across the whole CIS. The database also allows their export to external frameworks. In this way the CIS is a powerful network protection tool.

1. Introduction

This work shows how the Computer Immune System (CIS) detects malicious code in packets of the network traffic. The targets for this system are Internet worms, different kinds of viruses, and shellcodes, which may be polymorphic. Further targets are all other pieces of code that have a negative effect on the continued functioning of computer systems and, on a larger scale, local area networks (LANs). Today's computer systems (mostly) run one kind of operating system, which makes it easy for a new virus to spread rapidly. Independently evolving immune systems will make the computers in a network more diverse. Because of that, systems will become more robust against today's common threats. The implementation in this work is intended to shield computers in a LAN from new network-driven attack attempts.
Each network node is equipped with a sensor that is used to train an individual set of detectors. This set evolves in response to the network traffic at this node, so the set of detectors will be different in each node. That makes the whole network system highly diverse: a vulnerability in one system does not automatically imply the same kind of security hole in another system. Applying the computer immune system with multiple independent sensors across a network yields a distributed detection system that is not centrally or hierarchically controlled.
The implementation takes advantage of the open source network intrusion detection system Snort, which provides the basis for processing the packets of the network traffic. Since it is an open source intrusion detection system, it also has a large community of users who can test newly developed plug-ins.