An Attacker’s Day into Human Virology 2: Structure and Hallmarks of the Immune System

Having introduced the subject, Guillaume Lovet breaks down the human immune system into constituents and does some comparing with computer defense mechanisms.

Structure of the immune system

What do we have in our bodies to fight against viruses? (see right-hand image) Basically, the immune system is divided into two different subsystems. You have the innate subsystem, which is the non-specific and generic response, which is made of the complement system, phagocytes, and NK cells – we will go over all that further. And the adaptive system is a specific response. It implements some memory mechanisms, and it’s made of helper T cells, killer T cells, and B cells. We will go over those as well.

Innate Subsystem

How the complement system works

So, the complement system (see right-hand image) is perhaps the most complex system and, possibly, not the most interesting. It’s made of large combinations of proteins flowing into the veins, in the blood flow. Those proteins will mark the intruders – viruses or bacteria – by binding to their surface because of some special complementarity. That will attract macrophages, which are part of the innate subsystem, too. They will also try to clump and group the intruders, and sometimes those proteins in the complement system will also chemically attack the intruders. So, all those have scientific names: opsonization, chemotaxis, membrane attack complex, and clumping.

Hallmarks of the phagocytes

More interesting perhaps are the phagocytes (see image to the left). Phagocytes are: granulocytes, in the top left corner, macrophages here, and dendritic cells. Basically, they eat viruses by binding to them. Now, how do they bind to the viruses and then eat them up? They have on their surface some receptors that bind to some proteins or some characteristics on the surface of viruses and bacteria. Generically, they can bind to any virus.

Now, you would think – since viruses and bacteria are supposed to evolve along the Darwinian rules of evolution, which is mutation and selection of mutations that are not deleterious to the organism – that those characteristics that the macrophages use to bind to the viruses would be eliminated by evolution, but it’s not the case because those characteristics are critical, so critical that even though they are deleterious to the virus or bacterium, they are still conserved. So, this is what they call the evolutionary conserved characteristics.

OK, so the macrophages, phagocytes bind to the viruses because of critical characteristics that cannot be eliminated, and then they digest them by chemical reactions. This is a bit like a heuristic engine, if you want to compare this to the computer world. Because it is very generic, it matches all different viruses, it relies on characteristics of viruses. For example, a heuristic engine in the AV world would have flags for usage of specific APIs or some other critical characteristics that viruses cannot really not use.

In computer terms, the way NK cells recognize viruses is basic whitelisting.

Also, phagocytes release cytokines, which are some proteins used in communication between cells, to help NK cells. NK cells are natural killer cells. They are part of the innate subsystem, meaning that they are generic also. That is kind of interesting because they will bind to viruses and intruders and then kill them by releasing some chemicals.

The way they recognize the viruses is they basically use whitelisting. They recognize everything that is non-self, because all the cells of your body have on their surface a specific antigen, which is called HLA, human leukocyte antigen, which is specific to you only. So, those NK cells recognize when a cell doesn’t have your own marker on its surface; it’s basic whitelisting, if you want to translate it into the AV world.

Adaptive Subsystem

Helper T cells' workflow

Now, some facts on the adaptive subsystem which is made of helper T cells, killer T cells, and B cells. When the macrophages, part of the innate subsystem, eat up viruses, like I explained above, and digest them with some chemical reactions, some little pieces of the virus remain and they are going to be presented at the surface of the macrophage in the form of antigens. It’s a bit like saying: “Hey guys, I just got that virus, I ate that virus and these are some bits of that virus. Do you recognize it?” Some helper T cells bind to the macrophage, recognize the antigens, and activate the adaptive subsystem.

What is important to understand in the adaptive subsystem is that each T cell – be it a helper T cell or a killer T cell – and the B cells, each one of those is specific to one virus only. For example, flu type A – some cells will be specifically dedicated to that virus, and flu type B will be other cells, B cells and T cells. This is because the T cells and B cells have on their surface specific receptors that only match the shape of one virus.


So, killer T cells and B cells eliminate the viruses after being activated by the helper T cells (see left-hand image). Basically, the killer T cells, as I said, bind to the virus because of the specific receptor, and then release some chemicals and kill it. They pretty much function like blacklisting in the AV world, they are basically AV signatures, if you want to translate this into the AV world. Each signature, each pattern is dedicated to a certain virus.

Now, for B cells, those are the ones that are also dedicated to one virus only. When they bind to it they release antibodies. Antibodies are dedicated to one virus only also. Antibodies will bind to the virus surface, and they make it easy for phagocytes, macrophages to spot the viruses. So, I would say, you may compare the B cells to an unpacker in the AV world, because it makes it easier for the generic system to spot the viruses. For example, when you have a packed computer virus all its characteristics are hidden and there are some layers of obfuscation.

Memory mechanism implementation

So, heuristic engines will not see much. They will only see this is packed, they will not see what API it uses, they will not see if it replicates or whatever. So, you need to first unpack the virus, and then the generic subsystem becomes more efficient.

As I said earlier, the adaptive subsystem implements a memory mechanism (see image). So, when the T cells and B cells are activated by helper T cells, they multiply to fight the virus, and when the infection is finished some of these cells will remain as memory cells. So, if the same virus comes in again, they can multiply very fast and react faster. Now I will turn it over to Ruchna.
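The four AV analogies drawn in this article (allowlist for NK cells, heuristic flags for phagocytes, signatures for killer T cells, unpacker for B cells) can be put side by side in a toy scanner. This is an added example, not code from the talk; the API list, the `ZPK1` marker, the XOR layer, the signature name and all samples are constructed assumptions.

```python
import hashlib

# Everything below is constructed for illustration: API list, marker, key, samples.
SUSPICIOUS_APIS = (b"VirtualAllocEx", b"WriteProcessMemory", b"CreateRemoteThread")
PACK_MAGIC = b"ZPK1"   # hypothetical header written by a toy "packer"
XOR_KEY = 0x5A         # hypothetical single-byte obfuscation key


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pack(data: bytes) -> bytes:
    """Toy obfuscation layer: hides every readable trait of the sample."""
    return PACK_MAGIC + bytes(b ^ XOR_KEY for b in data)


def unpack(data: bytes) -> bytes:
    """B-cell analogue: strip the layer so the generic engine can see traits."""
    if data.startswith(PACK_MAGIC):
        return bytes(b ^ XOR_KEY for b in data[len(PACK_MAGIC):])
    return data


def heuristic_flags(data: bytes) -> list:
    """Phagocyte analogue: generic traits shared by many different samples."""
    return [api.decode() for api in SUSPICIOUS_APIS if api in data]


def scan(data: bytes, self_hashes: set, signatures: dict, unpack_first: bool = True) -> dict:
    """Report what each engine sees for one sample."""
    body = unpack(data) if unpack_first else data
    return {
        "non_self": digest(data) not in self_hashes,  # NK cell: allowlist
        "signature": signatures.get(digest(body)),    # killer T cell: one exact sample
        "heuristic": heuristic_flags(body),           # phagocyte: generic traits
    }


KNOWN = b"stub VirtualAllocEx WriteProcessMemory CreateRemoteThread v1"
VARIANT = KNOWN.replace(b"v1", b"v2")   # small mutation: signature misses it
PACKED = pack(VARIANT)                  # obfuscated: raw heuristics miss it
BENIGN = b"editor: open file, save file"
SELF_HASHES = {digest(BENIGN)}
SIGNATURES = {digest(KNOWN): "Toy.Injector.A"}

if __name__ == "__main__":
    for name, s in (("known", KNOWN), ("variant", VARIANT), ("packed", PACKED), ("benign", BENIGN)):
        print(name, scan(s, SELF_HASHES, SIGNATURES))
    print("packed, no unpacker", scan(PACKED, SELF_HASHES, SIGNATURES, unpack_first=False))
```

The signature only matches the exact known sample, the heuristics still flag the mutated variant, and the packed copy is invisible to the heuristics until the unpacker has run.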


  1. Sanjay says:

    Nice comparison but I would say that if you read about “artificial immune system”, you will find that academic research has already explored this aspect. There are, in fact, many research proposals (intrusion detection systems) based on this analogy.

    • Sanjay says:

      For example (for the ones who want to read on this topic):
      1. “Danger Theory Based SYN Flood Attack Detection in Autonomic Network” Rawat et al, SIN’09 (Has a pictorial description of biological vs computer world)
      2. U. Aickelin, P. J. Bentley, S. Cayzer, J. Kim, and J. McLeod. Danger theory: The link between AIS and IDS. In Proc. of 2nd International Conference on Artificial Immune Systems (ICARIS-03), volume 2787 of LNCS, pages 147–155. Springer, 2003.
      3. S. A. Hofmeyr. An interpretative introduction to the immune system. In C. I. and S. L., editors, Design Principles for the Immune System and other Distributed Autonomous Systems, pages 3–27. Oxford University Press, 2000.
