Tools Coming for Digital Immunity
Coming for information security: tools for adaptive and resilient computing.
Computerworld - The battle against computer viruses and system intruders is often described as an arms race, in which increasingly powerful weapons are countered by ever stronger defenses. But this particular arms race isn't in a dead heat; the mavens of malware are winning it.
There are several reasons: Computers are increasingly connected by high-speed links, facilitating the spread of malware; software is growing in complexity, and with complexity comes vulnerability; and attack weapons are increasing in sophistication and ease of use [see diagram].
But there is hope, say a new breed of computer security researchers. A number of them met recently at a workshop called Adaptive and Resilient Computing Security at the Santa Fe Institute in New Mexico and unveiled ideas for an arsenal of new defenses. The measures are based on widely varying concepts, and they range from ideas to working prototypes to nascent commercial products. But they share these characteristics:
- They don't rely on predetermined definitions such as virus signatures, attack scenarios and vulnerability exploits. Thus, they're able to recognize attacks that haven't occurred before.
- They're intended to allow a system to keep running in the face of an attack, albeit often at a reduced level of effectiveness.
- They learn and adapt to changing attack scenarios.
- They limit false alerts, which can render defense systems unusable.
Some researchers are drawing inspiration from biology. "The biological immune system is an elaborate defense system which has evolved over millions of years, probably through extensive redesigning, testing, tuning and optimization," says Dipankar Dasgupta, director of the Intelligent Security Systems Research Lab at The University of Memphis. Dasgupta points out that the human body protects itself in multiple ways. The skin and mucous membranes act to prevent the entry of pathogens into the body. But if pathogens do succeed in entering the body, innate immune reactions come into play, as do acquired or "adaptive" immunities that learn from past infections. In addition, the body employs defense mechanisms at various levelscellular, molecular, peptide/protein and DNA.
|Dipankar Dasgupta of the University of Memphis|
But Dasgupta's lab has built software prototypes that address that weakness. His Security Agents for Network Traffic Analysis uses mobile software agents for intrusion detection in a network of computers. Agents monitor at multiple levelspacket, process, system and userusing neural networks to spot anomalous behavior and "fuzzy rules" to decide what action the agents should take in the face of an attack.
Stephanie Forrest, a computer science professor at The University of New Mexico, points out that diversity in biological and ecological systems leads to robustness and resilience. "But our software is almost a monoculture," she says. She's working on "automated diversity for security," in which each system is made unique by arbitrary random changes. "That increases the cost of attack, because the attack has to be adapted for each computer," she says.
Diversity can be created in a number of ways, such as by adding nonfunctional code, reordering code or randomizing memory locations, file names or system calls.
Other researchers are experimenting with a measure called Kolmogorov Complexity, the minimum number of bits a character string can be compressed into without losing information. Scott Evans, a researcher at GE Global Research, has used it to study attack scenarios.
Evans analyzed file transfer protocol logs and found that attacks, such as a stealth port scan, tend to be more or less complex than normal behavior by predictable amounts, allowing a defense tool to identify and block the attacks. The technique is attractive because it is adaptive and requires no attack signature database, Evans says.
Real-world application of some of these ideas lies years in the future, but Steven Hofmeyr, a former graduate student under Forrest, has already commercialized some of them. He's developed Primary Response, which monitors and protects applications at the operating system kernel level. It uses agents to build a profile of an application's normal behavior based on the code paths of a running program, then continually monitors those code paths for deviations from the norm.
Primary Response works at the application level, where 75% of attacks occur, says Hofmeyr, chief scientist and a founder of Sana Security Inc. in San Mateo, Calif. Protection at the application level will become more vital as it becomes more difficult to define the network perimeter, where firewalls work, Hofmeyr says. "When something like Web services really takes off, it will really deal a death blow to perimeter [security], because it's very difficult to determine what's inside the network and what's outside."
When a Primary Response agent spots abnormal behavior, it sends an alert to a central server where it may be directed to block that behavior while letting other activities continue, Hofmeyr says.
Hofmeyr says he'd like to extend Primary Response to tuning and debugging. "A lot of what we see in production environments won't be malicious, but it will be indicators that something is wrong, such as configuration problems or hardware problems," he says. "When I look at the bigger picture, I see this sort of tool as something for system health in general."