General functioning procedure of the immune-like system for external intrusions detection in information security systems

. The subject of the research is the problem of constructing an immune-like system for external intrusions detection in information security systems (ISS) of automated data processing systems (ADPS) that function similarly to the human immune system (ImS) when it counteracts during viruses, bacteria and other foreign elements penetrate into the human body. The objects of research are the ImS and ISS in ADPS. Methodological studies on the development of intrusion detection procedures are carried out using methods of artificial intelligence, system analysis, the theory of neural and immune systems in the field of ISS based on the achievements of the system-conceptual approach to information protection in ADPS. The main result obtained in this work is the developed general procedure (model) for the functioning of immune-like ISS at external intrusions countering in the form of a block-diagram and its description.


Introduction
The immune systems of living organisms, as well as ISS in ADPS of various purposes, are meant not only for external threats (intrusions) counteracting, but also internal ones. In the article there is investigated the problem of constructing ISS in ADPS that functions like the human ImS while protecting against external intrusions. The authors have chosen for research the human immune system, as one of the perfect and learned systems [1,2]. First of all, we will carry out a comparative analysis of the conceptual basis in the field of the ImS and in the field of information security. The authors proceed from the basic conceptual requirements for constructing the intrusions detection systems and their activities managing on the basis of a system-conceptual approach [3][4][5]. All defense mechanisms that take place in the ImS can be divided into innate and adaptive, i.e. acquired. By analogy, in ISS these are the mechanisms that are included in the protection system at the stage of its development and the mechanisms that are implemented in ISS at the stage of its operation. These mechanisms are realized in the form of intelligent systems for network attacks detection based on the mechanisms of an artificial immune system [6][7][8].
One of the main concepts of the adaptive ImS is the concept of an antigen -a foreign substance or structure that can cause an immune response, that is, an aggressive reaction to this substance/structure of the immune system, aimed at neutralizing (usually destroying) this object. An analogue of an antigen in ISS is the concept of a threat (attack, intrusion, infiltration). The next important concept in the ImS is the concept of an antibody (immunoglobulin) -special proteins (globulins) that "stick" to microbes and cause their neutralization and death. There is no direct analogue of the antibody in ISS. In addition, the ImS and ISS are realized on the basis of different management principles. ISS is realized on the basis of the principle of centralized management of ISS agents, but immune systems are realized on the basis of one of the variants of distributed decentralized control, when there are many independent agents with their own adaptive response mechanisms, and one of them can become a control center (there are several of them in the ImS of the human organism) and influence these agents through the environment in which they are located. The main elements of the ImS that protect against external intrusion are natural barriersthe skin, sensory organs, digestive tract, and respiratory system. With regard to ISS, first of all, let us distinguish three main possible environments for infiltration penetration: physical environment -external fences of the ADPS territory, premises (doors, windows and their openings, roof, basement); information environment -software and hardware means for firewall information protection of local and global networks; field environment -means of shielding rooms and constructions, active and passive suppressors of electromagnetic radiation and parasitic interference.
Let us adduce the main types of immune cells which are the first ones that encounter a danger, identify it and signal the ImS about the intrusion, and also describe their possible analogues in ISS: 1. T-helper cells that belong to the group of T-lymphocytes; their function is to recognize specific types of microbes and viruses. With regard to ISS, analogues are subsystems for controlling access to an information system, including identification and authentication systems.
2. Basophils that are the cells involved in allergic reactions. But when foreign objects appear, they react to them as an allergen, releasing a large amount of signaling substances (cytokines) and thereby attracting other immune cells to the inflammation focus. Thus, basophils mainly perform a signaling function. The means of informing all responsible components (software and hardware modules) and subjects about the occurrence of an atypical situation, which can also be caused by an unauthorized infiltration, can be considered as analogues in ISS. However, in ISS this function is usually not separated from the procedures for monitoring the state of data processing systems. Taking into account the experience and effectiveness of the immune system, it may be advisable to allocate this signal system in a separate model. 3. T-killers that destroy virus-infected cells to stop the development of infection. Again, this function in ISS, associated with blocking and possible destruction of infected software modules, their updating and replacing, is not used as actively as in the ImS. Therefore, it is advisable to analyze the possible allocation of this function as a separate independent hardware and software module. 4. T-suppressor cells regulate the strength and duration of the immune response. That is, they control the amount of allocated resources to neutralize the infiltration that has arisen, as well as register the fact of successful neutralization of the attack and the possibility of disabling the funds and resources allocated to counter the intrusion. Exactly the same problem is solved in ISS. However, the fundamental difference between the solution to the given problem in ISS is the centralized solution of this problem, while in the ImS this problem is solved independently by each T-suppressor. Thus, there are no direct analogues and they cannot be for T-suppressors in ISS due to the centralized principle of control in the latter. This issue was discussed above. When ISS with decentralized control mechanisms appear, analogues of T-suppressors can be created in them.
5. B-lymphocytes are meant for the destruction of foreign microbes and viruses. The mechanism of their work: they produce (synthesize) special proteins -antibodies that "stick" to microbes and cause their death. Antibodies can also neutralize some toxins. In ISS their possible analogues are various means for neutralization and destruction of intrusions.
6. Natural killer cells (NK-cells). These cells find and kill virus-infected cells and cancer cells. Unlike T-killers, which belong to the adaptive immune system, NK-cells belong to the innate immune system. They have no analogues in modern ISS. To implement ISS ideology, which assumes the existence of analogues of natural killers, it is necessary to divide large software systems into a large set of separate autonomous modules, and mechanisms for restoring individual modules are required in case of infection with malicious programs, damage, etc. Many existing software systems do not meet the described requirements for modular construction. Therefore, in the near future, there will apparently be no analogues of natural killers in ISS.
7. Neutrophils and macrophages. They are meant for phagocytosis, that is, for catching and digesting microbes, as well as the remains of dead cells and other foreign or toxic for the organism particles. They are part of the innate immunity system, in contrast to Blymphocytes, which are part of the adaptive immunity system. Neutrophils are the "rapid response forces" in the antimicrobial defense system. About 70% of all neutrophils are stored in the form of a reserve, from where they can urgently move through the blood to the focus of tissue destruction under the influence of appropriate stimuli. Macrophages in the innate immunity system are "special forces". Macrophages adaptively mature in concrete tissues of the organism from immature cells -monocytes. Macrophages are not very fast cells, but they are dispersed in all tissues, and, unlike neutrophils, they do not need such urgent mobilization. In addition, macrophages realize the most important role in the antigen presentation process, when the macrophage introduces other cells of the immune system to pieces of the digested microbe, which allows the organism to better fight infection.
Thus, in the ImS there are "rapid response forces" and "special forces" that oriented on the protection of concrete human organs. In ISS personal protective means (i.e. "special forces") there are in many large software systems, for example, in database management systems. But there are almost no "rapid response forces", that is, means of protection (even the most primitive ones) that can respond very quickly to an infiltration, especially in the information media of intrusion penetration. With regard to physical means, we can mention the means of immediate blocking of all external and internal doors, windows, thoughtful strengthening and extinguishing of lighting. In field environments, such means are, for example, means of active protection with the help of interferences installation. Therefore, this matter in ISS requires additional research and development.
8. Eosinophils protect our organism from parasites, they provide anthelmintic immunity. In ISS this category includes means of protection against threats of natural and man-made origin.
Note that this list is far from complete, and reflects the desire of the authors to present only the principal basic foundation of the human ImS. In particular, antigen-presentational (AP) cells, dendritic cells that respond to mutated cells of the organism are not given. This is subject to further investigation.
Summing up, we conclude that the ImS has a branched multivariate system of protection against external intrusion and internal threats, covering all the main logically possible technologies for protecting the organism. A comparative analysis of the ImS with ISS has shown that ISS have large reserves for their improvement based on the use the principles and mechanisms implemented in the ImS of higher animals and human.
Before describing the technology of interaction of all the components listed above (i.e., immune cells) of the ImS, let us consider those components of the ImS infrastructure that are responsible for the production of all the listed above components of the ImS. That is, we will indicate those main organs of the body's immune system that are associated with the listed immune cells of the organism and which provide the formation, maturation and location for life of immune cells.
All cells involved in immune responses are formed (in whole or in part) in the bone marrow. It is the central organ of immune genesis. Its analogue, with some approximation, can be considered the information protection service in ISS.
The key immune cells in the ImS are T-lymphocytes with all their varieties listed above and B-lymphocytes. T-lymphocytes, after being formed in the bone marrow, mature in the thymus gland -the thymus. Its analogue in ISS systems can be considered the department of operational monitoring of the state by ISS.
Ripening of B-lymphocytes (after the bone marrow) occurs in the spleen. The department of control of ISS can be taken as its analogue with a big stretch. In addition, the spleen is actively involved in the process of phagocytosis, when special cells of the immune system (listed above) catch and digest microbes that have entered the organism, fragments of their own dead cells, toxins, etc.
Finally, lymph nodes include in the composition of the ImS infrastructure. In their structure they resemble a sponge, in the pores of which there are a lot of immune cells, and these cells, like powerful filters, catch and digest microbes that have entered the organism. Thus, the lymph nodes realize one more important function of the protection system -the function of total filtration. Note that all other systems of the organism, apparently, are not well adapted for the implementation systems of overall filtration. In ISS the analogue of lymph nodes for their (main) function is partially throughput systems and systems for controlling the movement of subjects for the physical medium. For information and field environments there are apparently no active end-to-end filtering systems yet. This issue deserves further analysis and development.
As part of the ImS, lymph nodes perform another important function -the function of "learning". Namely, in the lymph nodes there are memory cells -special cells of the immune system that store information about microbes that have already entered the organism earlier, and when they re-encounter the ImS of organism, the code (individual for this type of microbes or viruses) fragment of the microbe cell is transmitted to the immune cells. The required information is also transferred to the bone marrow for the appropriate antibodies formation. In ISS this function is realized using expert systems based on precedents, databases (in particular, anti-virus databases).
Based on the above analysis, a number of conclusions can be drawn. There is no complete analogy between the structures of the ImS and ISS, although they are largely similar. Moreover, many important functions implemented in the ImS are either almost not implemented in ISS, or they are partially implemented and are not allocated as separate independent modules. However, the reverse side of the analysis should also be noted: many functions implemented in ISS are not implemented in the ImS (at least, there is no data on their implementation in the ImS yet); in particular, systems for searching of vulnerability, prophylactic, and self-healing based on redundant encoding. Since the ImS is considered as an ideal example of intrusion protection systems, the aforesaid raises a number of fundamental questions about the importance and place of these functions in the ImS and ISS. The actuality of solving the listed problems in ISS is also due to the fact that, in contrast to ImS (at least at the current time), malicious attacks usually tend to be carried out as stealthily as possible for ISS systems, and this often succeeds. For the present, cases of secret penetration into the human organism without activating the ImS are unknown to science (although this is allowed in esotericism).
Based on the analysis of the ImS, we will form a general procedure for the functioning of the anti-intrusion system that is as close as possible to the natural human ImS in order to further implement it in ISS.
In the following description of the ImS operation process, only that core of the ImS operation process is highlighted, which is of interest from the point of view of increasing the efficiency of the ImS in ADPS. Note that the given description does not pretend to be complete, detailed and the associated complete adequacy of the description and requires further developments to improve the developed mechanisms.
The procedure for the functioning of the immune system in countering external intrusions for a human ImS is shown in Fig. 1. For this, we first describe the general algorithm for the functioning of the ImS when implementing its main function of protecting against external intrusions. Let us distinguish three stages of the meeting of the ImS cell with the antigen: stage 1 -to recognize the antigen; stage 2 -to give an immunological response; stage 3 -to remember the antigen. At this stage, memory cells are produced. During the immune response, the cells release the necessary biologically active substances. Without them the fight is impossible. Let us consider each of the stages in more detail.
The first stage of the process of opposition between antigens and the ImS consists in attempts of various external living and inanimate objects of various natures to penetrate into the human body, overcoming all the controlling elements of the ImS (units 1 -3) -the skin, digestive tract, respiratory system, sensory organs. It was noted above that the following media (channels) can be considered analogues of the listed channels of penetration of threats in ISS: physical, information and field.
If the antigen managed to overcome the outer border of the body, then it collides with the cells responsible for controlling the border zone and identifying foreign objects. Let us explain the content of this mechanism (units 4, 5). In the human organism there is the following system of "friend or foe" recognition of its own cells of the organism and alien cells, proteins, substances and other foreign objects, as well as mutated cells of own organism. There are two variants for recognizing and destroying the antigen.
The first variant is the innate immune system. The key component of this system is MHC-1 -a group of proteins that is individual for each person, which is located on the surface of each cell in our organism -the "passport" of the cell. According to this "passport", the ImS distinguishes native non-mutated cells of the organism. The cells of the organism, called natural killers, and T-killers are able to recognize the MHC-1 receptor, and if it is absent or does not correspond to the "passport", they destroy the object. As an analogue of the adaptive mechanism in ISS, specialized subsystems for the authentication of all objects in the information system can be considered based on the mechanism that is created in the information system at the time of its design. This mechanism gives all objects of the information system a single code for the entire information system. This code is managed according to the design order: it is updated, checked, etc.
The second variant of the immune response to the intrusion of an antigen is called adaptive (cellular) immunity, when the form and content of counteraction to the intrusion is selected individually for each type of antigen, virus, or microbe. In this case, the ImS relies on antibodies -they are synthesized by B-lymphocytes. These antibodies bind to foreign objects (antigens) and neutralize them. Key feature of antibody: each antibody is specialized for a specific antigen code and therefore can neutralize only antigens with this code, i.e. a specific type of antigen.
In ISS systems, an analogue of an adaptive response can be considered an anti-virus protection procedure based on databases, various intelligent systems for monitoring and countering intrusions/attacks based on analogues and precedents, systems for searching and identifying vulnerabilities (also having their own databases), authentication and identification of an individual character, etc.
If microbes managed to penetrate the body, then first of all they encounter congenital IMS (units 5-10). Initially, the components of the congenital ImS rush to the affected area: neutrophils (from the red bone marrow) and macrophages from the nearest tissues of the organism. If the antigen is destroyed only with the help of neutrophils, then the process of immune protection is completed.
Macrophages devour and digest the antigen. The involvement of macrophages is also necessary to form an image of the destroyed foreign object in the "database" of microbes that the organism has encountered previously; this database is located in the lymph nodes.
If the innate ImS also failed to neutralize the intrusion of microbes, then the adaptive ImS is involved in the process of counteraction (units 11, 13-18). That is, if it was still not possible to cope with the lesion focus only with the help of neutrophils and macrophages for a certain control period of time, then the cellular immune response is activated. It is based on MHC-2 class receptors that respond to the individual code (a specific individual sequence of amino acids) of this antigen. MHC-2 class receptors are found only on the surface of T-and B-lymphocytes, as well as specialized cells that absorb everything that does not have an individual body code. At that the T-helper takes information about the microbe from the macrophage, transfers it to the B-lymphocyte and promotes the formation of a clone of T-killers, oriented on the destruction of this particular microbe. Note that Blymphocytes themselves can take virus fragments from the macrophage surface. But only B-lymphocytes activated by T-cells (more precisely, only a part of them) turn into memory cells containing information about the microbe. At the repeated encounter with the same type of bacteria, thanks to memory cells, the organism begins to synthesize the necessary antibodies much faster, and the immune response starts earlier.
In order for the process of confrontation with intruded microbes not to get out of control, and the ImS killer cells did not begin to destroy healthy cells of the organism itself (but such a development of events is possible), special cells of the immune system are sent to the intrusion zone -T-suppressors, meant for control the process of confrontation and, if necessary, they take measures to stabilize the situation (unit 12). Thus, the whole process is controlled by T-suppressors, which regulate its intensity, decide on the moment of completion of the process. In particular, an excessive influx of neutrophils into the focus of intracellular infection can lead to the appearance of purulent inflammation.
If, despite all the efforts made, the ImS failed to neutralize the intrusion and the organism resources are significantly undermined, then external intervention and assistance to the organism in neutralizing the penetrated microbes is necessary. The question of the need for external assistance is as a whole resolved outside the ImS (by the host of organism and / or its environment).
When the required antibody is selected, B-cells are converted into plasma cells capable of mass synthesis of the required antibodies. Antibodies cling to the antigen, it is captured by the macrophage and destroyed. An important element of the entire system is cytokines of different types, which are the basis of the signaling system (signaling substances) and ensure interaction between all cells.
The more serious and dangerous the microbial-viral attack on the organism is, the more actively the immune response is occurred according to the adaptive principle. However, the initial operational immune response of the organism always takes place on the basis of an innate response. In this case there are two possible variants: with the participation of Thelpers and without their intervention. Thus, there are two mechanisms for antigen recognition and its destruction. The first mechanism is aimed at identification of the organism "passport" in the cell, and if it is absent or damaged, the object is destroyed. The second mechanism, on the contrary, searches for objects with a specific code, and when they are found, destroys these objects. The first mechanism responds quickly to intrusion in real time. The reaction of the second mechanism is more delayed, since it takes time for the antibody formation (usually no more than two weeks). But the second mechanism allows destroying the most dangerous antigens. Moreover, the second mechanism makes it possible to form a "database" (memory) for previously identified antigens, it settles in the lymph nodes. And it is this mechanism that allows further formation of antibodies for completely new, unknown to the organism antigens.
All of the listed procedures and components of the ImS have their analogues in ISS, which will be discussed in the subsequent publications.
However, the question arises: what happens if the organism fails to create an antibody for some completely new microbe? To analyze the possibility of such an outcome, we will describe in more detail the mechanism for searching for new antigens, as far as it is currently known. The main components responsible for the formation of a new type of antibody are B-lymphocytes. It is exactly B-lymphocytes, based on the fragments of the killed microbe, which the T-helper transmits to them or which they themselves take from the macrophage, try to choose an antibody that would stick to this fragment. In the sequel, these antibodies will stick to similar parts of the microbe, allowing the killer-cells in the organism to get to the body of the microbe. There is no data on how B-lymphocytes create antibodies. But in any case, there are serious reasons to believe that the mechanism for finding the antibody is random: numerous experiments are carried out before it turns out that an antibody will be accidentally created for a randomly found fragment of a microbe cell. And if macrophages cannot destroy the required number of microbes to produce the desired number of microbe fragments, the organism will not be able to create an antibody. Such a real danger exists, in particular, taking into account the data of numerous secret laboratories around the world that work with microbial and viral material.
When the transition to mass" production " of the found antibodies, which occurs in the thymus, work is carried out to select T-lymphocytes for subsequent functioning as cells of the immune system. In the thymus, a strict selection of all the required B-lymphocytes takes place: all lymphocytes that react too strongly to "their own" are destroyed, the selection of those T-cells that poorly recognize "foreign" is performed. In the thymus not pass selection and die 95% of the cells entering there. The remaining 5% of the cells are located in their places of deployment and are there in full readiness. The foregoing gives certain grounds to conclude that, in general, a random mechanism of antibody formation is used for the formation of an antibody for a new microbe. But a random mechanism does not give complete guarantees of finding an antibody for any microbe. Therefore, this mechanism cannot potentially be considered perfect.
Note that in the field of ISS, similar problems also arise, but they are solved in completely different ways. For example, when a new computer virus appears, a complete analysis of its code is carried out in order to identify its characteristic features. Only after that the corresponding part is formed in the anti-virus program. That is, to solve the problem of finding a means of neutralizing the virus, intelligence is involved. It is possible that in especially exceptional cases, the ImS may also involve the cerebral hemispheres to solve the problem. We also point out that to solve this problem, neural networks can be effectively used both in relation to the ImS and to ISS. With the help of neural networks, first of all, it is possible to identify the most promising directions for continuing the search for antibodies in the ImS and malicious program in ISS. These tasks are a subject for further study.

Conclusions
Based on the results of the analysis, it can be concluded that the human ImS appears to be impeccable and capable of responding to any danger. However, the above fact about the asymptomatic course of the disease with the COVID-19 virus, as well as the inability of the human body to effectively resist HIV infections, indicates an imperfection of the described scheme of the immune response to external invasion. A natural question arises as to how COVID-19 manages to bypass or hack the described impeccable immune system of the organism. It is mentioned that usually the ImS enters into a balanced confrontation with the attacking microbes and, therefore, a sharp confrontation does not occur. However, even such a passive confrontation should be reflected in the symptomatology, which in many cases is not observed. Therefore, it is logical to assume that in some cases certain types of microbes and viruses (in particular, COVID-19) manage to bypass the ImS. There are other mechanisms for overcoming attacks on the ImS. In particular, some viruses (such as HIV) can be embedded in the human genome. Antibodies do not affect a number of microbes (for example, tuberculosis), because for most of the life cycle they are located inside the host's cells, and therefore antibodies cannot get there from the outside.
A few more important conclusions. The first to respond to the invasion of microbes is the innate ImS, which blindly (not adaptively) implements the mechanisms of damaged cells in the organism: all damaged cells are eaten by NK-cells from the innate ImS and Tkillers from the adaptive ImS. The presence of two parallel functioning independent systems for the destruction of damaged cells requires understanding, especially in relation to ISS. But it is also noteworthy that damaged cells are not restored. For all regenerated cells, this approach is acceptable (it is "more profitable" to regenerate a cell than to "repair" a damaged one). But nerve cells are not regenerated. It turns out that the organism loses part of its nervous system?
In this work, on the basis of a systemic analysis of the human immune system as a structure aimed at protecting the human organism from various external and internal threats, an analogue of such a system is proposed in relation to the field of information security. A certain parallelism of concepts and procedures for these two areas of protection has been determined. General diagrams of the process of functioning of such systems are presented. Some recommendations for improving existing information security systems are proposed.