Linux Kernel Immune System (KIS)


KIS is an immune-inspired Intrusion Prevention System (IPS) based on ideas of The Danger Theory and developed as a Linux kernel module. You can read about Artificial Immune Systems (AIS) and The Danger Theory in the following papers: Uwe Aickelin, Steve Cayzer, "The Danger Theory and its application to artificial immune systems" and Uwe Aickelin, Peter Bentley, Steve Cayzer, Jungwon Kim,Julie McLeod, "Danger Theory: The Link between AIS and IDS?".

The main idea of this system is a presentation of the pair of socket and process as a biology cell and observation of it for an anomaly deviation of process's behavior (another words cell's distress) from normal profile. At present time we calculate the cell's distress by average values and average square deviations. An average values are calculated for such parameters as CPU and memory usage, file system access, attitude of network requests and responses etc. and are worked out in a tolerization (learning) period of time. Also, a two thresholds for every parameters are worked out in a tolerization period. A separate module (APC (Antigen Presenting Cell)) is responsible for this observation and learning.

KIS doesn't observe all system processes, instead it observes processes which were pointed by binaries' (program) names with its parameters as a cells in a configuration files. A tolerization period of KIS has a two types: a hard tolerization and a soft tolerization. If a security officer specifies some cell's parameters (such as FS tree, average value of mapped pages etc.) by approximate or exact values, then KIS can adjust this parameters and catch a sizable deviations (which can be the results of system training by an attacker). Such learning is called the hard tolerization period for specified parameters. But if a security officer doesn't know an approximate average values for any parameters, then KIS can't catch hacker's attempts to train it, so this learning is called the soft tolerization period.

KIS also observes network traffic received by the server process for signature matching when the deviation of some process's parameters exceeds a first threshold (we can say that it was generated danger signal one). T-helper lymphocyte module is responsible for search signatures in network traffic. If it match, then KIS tries to prevent the attack by calling the T-killer lymphocyte (we can say that danger signal two was generated). T-killer is an another module which can block a syscalls, network traffic and perform a logging. Actually, KIS observes a process's parameters and network traffic concurrently, but one type of signatures can arise a prevention activity only after "receiving" of the first danger signal (this is a default behavior for prevention of a false positives because corresponding traffic doesn't affect the process work) and second type which can generate second danger signal independently of process's behavior. So if it's known that any types of network attacks doesn't affect a process's behavior sizable, then they should be specified by the second type of signatures. When the deviation of a parameter exceeds the second threshold (generation of danger signal two), KIS will try to automatically generate signatures for the attack, which leaded to this deviation, from network traffic received by the process. This generation is called the clonal selection mechanism which selects unusual sub-sequences of parts of application level messages from a whole sequence of packets messages received by the process and tries to generate a regexps for new signatures.

KIS consists of the kernel patch and the user-space configuration tool kisctl.

Project Goals

Project Status

KIS is currently in the development phase.


All downloads are available from here.

Last Updated Jun 01, 2006. Please, send email to the project admin for your questions or propositions. Logo