
Can IT defenses work like the body's? The model IT system of the future will learn independently and react autonomously--like the human immune system.


As information technology (IT) systems increase in scale and complexity, they become more difficult to secure. We can see this in the growing number of successful attacks. If networks are to be made more secure, the IT community must move away from traditional approaches to security, which are knowledge-intensive, requiring human expertise and control at every stage of the process.

What is the alternative? We need fully automated systems that can learn independently and react rapidly and autonomously to deal with attacks. The problem is that these are much harder to design and build. But a model for this approach already exists: the biological immune system. This system secures an enormously complex environment--the human body--against a vast array of ever-changing threats. And the immune system is very successful. Most of us are healthy most of the time, and failures are rare. Most importantly, the immune system does this all autonomously, with no centralized control and no human input. The immune system is the reverse of the top-down, knowledge-intensive approach.

[ILLUSTRATION OMITTED]

What lessons should we draw from the immune system? One of the key differentiators is that the system is self-learning and adaptive. We call such systems autodidactic. The immune system is an autodidactic system that learns to distinguish self (the body) from nonself (everything else). Likewise, we want an IT security system that can learn to distinguish between acceptable (legitimate) behavior and unacceptable (illegitimate) behavior.

The trick is determining how to define what constitutes acceptable behavior. In the immune system, self is implicitly defined as everything that is both frequent and harmless. If we use a similar definition in an IT system, we need to understand what it means to be harmless. We know that we want the system to operate efficiently and without interruptions. Therefore, we can say at a minimum that any behavior that results in a loss of efficiency or that brings the system down is harmful. But beyond that simple definition, defining harmful behavior can be more complicated. For example, reading confidential data is harmful, but only if you are not authorized to do so, which is a policy decision that may be open to interpretation.

Adapting the immune system's approach to a network and defining the equivalent of self--which is essentially acceptable behavior--as everything frequent can also be problematic in a dynamic environment, where various aspects of the environment are changing rapidly and continually. The key is to define self in terms of characteristics of the environment that are largely invariant, but are nonetheless perturbed by attacks. The characteristics used by the immune system are peptides, or short protein fragments. These are good characteristics because they are ubiquitous and essential to the functioning of all parts of the body, and they provide a relatively stable basis for the definition of self.

Any IT security system needs the equivalent of peptides--characteristics that are largely invariant. These characteristics must lead to a stable definition of normal. But it may be unreasonable to expect that any single type of characteristic will be ubiquitous. For example, sequences of system calls emitted by running programs result in stable profiles of normal behavior for certain applications, such as servers, and other programs that exhibit repetitive programmatic behavior. However, sequences of system calls may not be effective for the highly varied and intermittent behavior of some direct-user applications such as word processors; a different way of identifying normal characteristics will be needed.
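
As an added illustration of the system-call profiling described above (this is not code from the article or its author): a profile of normal behavior is learned as the set of fixed-length call windows seen in known-good traces, and a new trace is scored by the fraction of its windows missing from that profile. The window length of 4, the function names and the traces are assumptions constructed for the example.

```python
from collections import deque

WINDOW = 4  # assumed window length; the article does not specify one


def windows(trace, k=WINDOW):
    """Yield every contiguous length-k tuple of system calls in a trace."""
    buf = deque(maxlen=k)
    for call in trace:
        buf.append(call)
        if len(buf) == k:
            yield tuple(buf)


def learn_profile(traces, k=WINDOW):
    """Build the 'self' set: all windows seen in traces assumed to be normal."""
    profile = set()
    for trace in traces:
        profile.update(windows(trace, k))
    return profile


def anomaly_score(trace, profile, k=WINDOW):
    """Return (fraction of windows not in the profile, the unseen windows)."""
    seen = list(windows(trace, k))
    if not seen:  # trace shorter than one window: nothing to judge
        return 0.0, []
    unseen = [w for w in seen if w not in profile]
    return len(unseen) / len(seen), unseen


# Constructed sample data: a server handling requests in a fixed loop.
REQUEST = ["accept", "read", "open", "read", "close", "write", "close"]
NORMAL_TRACES = [REQUEST * 20, REQUEST * 5]

# Constructed deviation: the same loop, but one request spawns a process.
ODD_TRACE = (REQUEST * 2
             + ["accept", "read", "fork", "execve", "write", "close"]
             + REQUEST)

PROFILE = learn_profile(NORMAL_TRACES)

if __name__ == "__main__":
    print("windows in profile:", len(PROFILE))
    for name, trace in [("normal", REQUEST * 3), ("odd", ODD_TRACE)]:
        score, unseen = anomaly_score(trace, PROFILE)
        print(f"{name}: {score:.2f} of windows unseen, first: {unseen[:1]}")
```

A program with highly varied behavior would keep adding new windows to the profile instead of converging on a small set, which is the limitation the article notes for direct-user applications.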

In addition to being autodidactic, the immune system has a number of other key properties that we need to emulate if we are to build effective, large-scale security systems. For example, the immune system is highly distributed, and all interaction and communication is localized. This structure enables the immune system to adapt its response level to protect every aspect of the body without needing a disproportionate increase in resources. Furthermore, the lack of a central point of failure makes the immune system very robust. Although the immune system can be evaded or overwhelmed, it is not generally subject to sudden, catastrophic failure.

To achieve scalability for IT security, we will need the autodidactic security system to be distributed across all locations in the enterprise, and we will need fine-grained protection at the level of applications running on computers. We cannot rely on network-level defenses alone, just as the body cannot rely on the skin alone for protection. The immune system protects beyond the skin, and we need a security system to likewise protect the core, beyond the firewall, and beyond network monitoring tools.

In addition, although there is a need for centralized reporting and control, we will have to surrender most if not all of that centralized power if we want systems to scale and be robust. If a single operator has the power to turn off the security system, any attacker that steals that power will be able to cause a catastrophic failure. Clearly, we will not get to this point until we have sufficient faith in our defenses to let them run autonomously. Such a step will mark the true beginning of a new paradigm in security.

To establish the new paradigm, security designers must work toward autodidactic systems that can be deployed throughout the IT infrastructure, onto every node, including desktops, laptops, servers, PDAs, and next-generation cellphones. These autodidactic systems must be largely autonomous, automatically learning normal behavior and regulating responses to minimize harm, all without human control.

We are currently some distance from realizing this dream. But if we look to our own biological systems for inspiration, we will get there.

BY STEVEN HOFMEYR, PH.D.

Steven Hofmeyr, Ph.D., is founder and chief scientist of Sana Security, San Mateo, California. He has authored numerous papers and served on the committee for the Artificial Immune Systems workshop at the IEEE World Congress on Computational Intelligence.
COPYRIGHT 2004 American Society for Industrial Security
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2004 Gale, Cengage Learning. All rights reserved.

Article Details
Title Annotation:information technology
Author:Hofmeyr, Steven
Publication:Security Management
Geographic Code:1USA
Date:Sep 1, 2004
Words:970