Tools Coming for Digital Immunity

Computerworld - The battle against computer viruses and system intruders is often described as an arms race, in which increasingly powerful weapons are countered by ever stronger defenses. But this particular arms race isn't in a dead heat; the mavens of malware are winning it.
There are several reasons: Computers are increasingly connected by high-speed links, facilitating the spread of malware; software is growing in complexity, and with complexity comes vulnerability; and attack weapons are increasing in sophistication and ease of use [see diagram].
But there is hope, say a new breed of computer security researchers. A number of them met recently at a workshop called Adaptive and Resilient Computing Security at the Santa Fe Institute in New Mexico and unveiled ideas for an arsenal of new defenses. The measures are based on widely varying concepts, and they range from ideas to working prototypes to nascent commercial products. But they share these characteristics:

• They don't rely on predetermined definitions such as virus signatures, attack scenarios and vulnerability exploits. Thus, they're able to recognize attacks that haven't occurred before.


• They're intended to allow a system to keep running in the face of an attack, albeit often at a reduced level of effectiveness.


• They learn and adapt to changing attack scenarios.


• They limit false alerts, which can render defense systems unusable.

Some researchers are drawing inspiration from biology. "The biological immune system is an elaborate defense system which has evolved over millions of years, probably through extensive redesigning, testing, tuning and optimization," says Dipankar Dasgupta, director of the Intelligent Security Systems Research Lab at The University of Memphis. Dasgupta points out that the human body protects itself in multiple ways. The skin and mucous membranes act to prevent the entry of pathogens into the body. But if pathogens do succeed in entering the body, innate immune reactions come into play, as do acquired or "adaptive" immunities that learn from past infections. In addition, the body employs defense mechanisms at various levels—cellular, molecular, peptide/protein and DNA.

Dipankar Dasgupta of the University of Memphis

Just as no one biological protection suffices to keep us healthy, no single computer defense is adequate for all attacks, Dasgupta says. "Today, these things operate independently. They are by different vendors; they don't talk to each other very well."
But Dasgupta's lab has built software prototypes that address that weakness. His Security Agents for Network Traffic Analysis uses mobile software agents for intrusion detection in a network of computers. Agents monitor at multiple levels—packet, process, system and user—using neural networks to spot anomalous behavior and "fuzzy rules" to decide what action the agents should take in the face of an attack.
Variation Helps
Stephanie Forrest, a computer science professor at The University of New Mexico, points out that diversity in biological and ecological systems leads to robustness and resilience. "But our software is almost a monoculture," she says. She's working on "automated diversity for security," in which each system is made unique by arbitrary random changes. "That increases the cost of attack, because the attack has to be adapted for each computer," she says.
Diversity can be created in a number of ways, such as by adding nonfunctional code, reordering code or randomizing memory locations, file names or system calls.
Other researchers are experimenting with a measure called Kolmogorov Complexity, the minimum number of bits a character string can be compressed into without losing information. Scott Evans, a researcher at GE Global Research, has used it to study attack scenarios.
Evans analyzed file transfer protocol logs and found that attacks, such as a stealth port scan, tend to be more or less complex than normal behavior by predictable amounts, allowing a defense tool to identify and block the attacks. The technique is attractive because it is adaptive and requires no attack signature database, Evans says.
Real-world application of some of these ideas lies years in the future, but Steven Hofmeyr, a former graduate student under Forrest, has already commercialized some of them. He's developed Primary Response, which monitors and protects applications at the operating system kernel level. It uses agents to build a profile of an application's normal behavior based on the code paths of a running program, then continually monitors those code paths for deviations from the norm.
Primary Response works at the application level, where 75% of attacks occur, says Hofmeyr, chief scientist and a founder of Sana Security Inc. in San Mateo, Calif. Protection at the application level will become more vital as it becomes more difficult to define the network perimeter, where firewalls work, Hofmeyr says. "When something like Web services really takes off, it will really deal a death blow to perimeter [security], because it's very difficult to determine what's inside the network and what's outside."
When a Primary Response agent spots abnormal behavior, it sends an alert to a central server where it may be directed to block that behavior while letting other activities continue, Hofmeyr says.
Hofmeyr says he'd like to extend Primary Response to tuning and debugging. "A lot of what we see in production environments won't be malicious, but it will be indicators that something is wrong, such as configuration problems or hardware problems," he says. "When I look at the bigger picture, I see this sort of tool as something for system health in general."

Attacks Get Easier, More Powerful 1 2 Next » Recommend Digg Twitter ShareThis Email Print Send Feedback Reprints Additional Resources Xerox Win a color printer! By using solid ink technology only from Xerox, you could save up to 65% by printing color for the cost of black and white. Enter for a chance to WIN a PhaserTM 8860 network color printer! Microsoft Upgrade to Internet Explorer 8 today. Save time and mitigate security risk. Deploy it now. Sybase NEXT-GENERATION MOBILITY PLATFORMS In this white paper, IDC analyzes the role of next-generation mobile enterprise platforms as organizations seek a more strategic deployment of mobile solutions. Learn the important issues you must consider before starting your next mobility initiative. Get your mobility white paper from IDC now, compliments of Sybase. White Papers & Webcasts Centralized Data Backup and Your WAN Is your organization prepared to tackle the massive challenge of protecting your data in a cost effective and timely manner? With a growing...   Why Compliance Pays This OnDemand webcast explores the relationship that firms with best compliance records have higher revenue, greater customer retention, lower financial losses from data... An All-in-One Approach to Web Security Granting web access to employees poses challenges to IT administrators and introduces unique security risks. Even as companies have perfected their security techniques...   Best Practices for Managing Business Risks from the Use of IT (Source: Symantec) Based on exhaustive benchmarks conducted by the IT Policy Compliance, this session highlights the relationship between business risks and use of... The Hidden Dangers of Spam Beyond the well-understood productivity drain that spam inflicts on businesses, threats posed by illicit email circulating through a network are causing many security...   Managing And Protecting Your Ever Increasing Mobile Assets (Source: Absolute Software) Your users are becoming more mobile each day. This is great for productivity - yet challenging for IT control. Natalie... Open Source Security Myths Dispelled (Source: Astaro) Open Source Software is computer software whose source code is available to the general public. This openly viewable nature...   Sun OpenSSO Enterprise Webinar (Source: Sun) This webinar replay discusses Sun OpenSSO Enterprise innovation--the single, open-source solution that helps your business solve the challenges around internal access... Best Practices for Backing Up VMware® with Veritas NetBackup™ VMware® is used by enterprises large and small to increase the efficiency and cost-effectiveness of their IT operations. With this in mind, Symantec...   Agile Enterprise Content Management (ECM) for Rapid ROI (Source: IBM) Content rich business processes are a core feature of daily operations at just about any organization today. Very often these essential... All White Papers | All Webcasts Computerworld Reports An Interactive eBook: Enterprise Security The Business Case for Server Virtualization Computerworld Technology Briefing: Intelligent Users Use Business Intelligence All Computerworld Reports Sign up to receive updates on the latest Security resources   White Papers Centralized Data Backup and Your WAN The Hidden Dangers of Spam Best Practices for Backing Up VMware® with Veritas NetBackup™ Symantec Security Compliance Brochure Improving Results for Legal Custody of Information Risk Readiness and Redundancy: PCI Compliance Automation Managing Spend on Information Security and Audit for Better Results How Controlling Access to Privileged Accounts Can Keep Insider Threat from Hurting Your Bottom Line From Trust to Process: Closing the Risk Gap in Privileged Access Control Archiving Technical Overview An All-in-One Approach to Web Security Open Source Security Myths Dispelled IT Compliance Interactive Tools Solution Overview: Symantec Control Compliance Suite 9.0 Information Security Brief by Enterprise Strategy Group EMA's 2008 Survey of IT Governance, Risk and Compliance Management in the Real World Butler Group Technology Audit: E-Mail and Web Security SaaS Symark PowerBroker: Root Access Risk Control for the Enterprise How to Protect Business from Malware at the Endpoint and the Perimeter Case Study: The Ritz London Sponsored Links HP StorageWorks products-control, consolidation and confidence. 64-page prescriptive guide to security, compliance, and IT operations. Looking to add Unix/Linux functionality to Windows? FREE guide to saving up to 95% on network hardware costs. Start saving today! Enhance your career with a Boston University online Master's in CIS Find IT jobs in the Healthcare industry on Dice.com Network Tools Made By Engineers for Engineers Live Webcast: Building a More Productive Organization  A User Perspective With the NEW KODAK i700 Series Scanners get full speed at 300dpi! ITwhitepapers.com - Access thousands of white papers on 300+ technical topics. Leverage Your Cisco infrastructure for Superior Application Performance Learn about the AMD Virtual Experience Introducing: Project Icebreaker Introducing the new HP ProLiant G6 server family Wait for the upturn, or get ready for it with Capgemini's Technovision study. Download it here. Instantly know your IT service state - anytime, anywhere @ AccelOps.net Try the best rules engine free! Decisions.FICO.com Learn How to Create a High Performance Workplace Thrill Dad this Fathers Day and save up to 66% plus 4 FREE Caramel Apple Tartlets from Omaha Steaks. ESET NOD32 with ThreatSense(R) - Get your free trial now! Join the conversation about the hottest IT trends with Computerworld on Twitter. Create business data you can believe in with data governance Not All QSAs Are Created Equal: What You Should Know Before You Buy The arrival of Serial Attached SCSI (SAS) marks a new era in storage scalability The AMD Virtual Experience Virtual Trade Show About Us Advertise Contacts Editorial Calendar Help Desk Jobs at IDG Privacy Policy Reprints Site Map CIO Computerworld CSO DEMO GamePro Games.net IDC IDG IDG Connect IDG Knowledge Hub IDG TechNetwork IDG Ventures IDG.net InfoWorld ITwhitepapers ITworld JavaWorld LinuxWorld Macworld Network World PC World The Industry Standard Copyright © 1994 - 2009 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.