Digital antibodies will stimulate your computer's defences and
reveal a thing or two about your body's immune system as well.
When malicious programs started spreading havoc through the
computer world, security experts were quick to spot the similarity
with disease and dub the invaders 'viruses'. The analogy is apt
because computer viruses carry the information they need to
replicate. They need the resources of a host to survive and can
wreak havoc on whatever they infect. And having replicated, they
exploit their host to spread to others.
The computer industry has been remarkably slow in taking the
analogy to its logical conclusion - that to protect themselves from
attack, computers need an immune system. In the US, researchers
have now taken that step. Using immunology as their guide, they
have developed security systems for computers that automatically
detect and respond to an intruder, even if it's one they've never
seen before. And the methods don't just work for viruses, they will
repel hackers too.
Computer viruses invade their hosts by hiding in files, programs or
email messages that are passed from one computer to another. Once
inside the computer, they deliver a payload that can range from a
jokey message displayed on screen to a destructive routine that
alters key files on the hard disk or even wipes it completely.
Hackers have a similar effect: they invade by stealth and then
carry out some destructive action on the host.
So far, our defences against malicious attack have relied on a
mixture of vigilance and technical barricades, but these methods
are no longer adequate. With millions of machines hooked up to the
Internet, new viruses can spread like wildfire, and hackers have a
huge arena in which to exercise their subversive skills. Security
measures can't keep up.
In this hazardous environment, computers need to be able to defend
themselves, says Stephanie Forrest, who leads an antivirus research
programme at the University of New Mexico in Albuquerque. "We want
computers to take care of themselves," she says.
BACK TO NATURE
To enable them to do so, she has turned to the natural world for
guidance. "The immune system is operating in a similarly open-ended
environment, but it's able to protect us against a range of
unpredictable threats autonomously and adaptively," she
says.
Your immune system protects you from attacks by constantly watching
out for molecules that are non-self proteins made by viruses,
bacteria, parasites and so on. Detection of a non-self molecule
triggers a cascade of defensive processes designed to kill or
disable the intruder.
To detect non-self molecules, the body generates enormous numbers
of white blood cells. Each cell recognises just a single type of
molecule, but the body generates them in vast numbers and alters
their intruder-recognition apparatus at random. Between them, they
can see off almost all potential threats.
There are a number of features of the immune system that make it a
useful model for computer security. White cells circulate widely
and act independently: there is no central command, so no single
point of weakness. Because it generates detectors at random, the
system can recognise a first-time intruder. Immunological memory
means it can quickly ward off attacks from intruders it has
defeated before. The system can also tolerate some mistakes, and
has built-in error-checking: a process called co-stimulation
requires white cells to get confirmation from a helper cell before
they raise an alarm. Overall, it's a robust, adaptive and
autonomous system. Computer security experts couldn't ask for
anything more.
MAKING CONNECTIONS
In their first stab at emulating immunity in 1998, Forrest and
graduate student Steven Hofmeyr designed a system to detect hacker
attacks. Their experimental body was a LAN of 50 computers in the
university's computer science department. Since what they were
looking for was unusual Internet connections from outside the LAN,
they defined self as normal connections between machines. They
expressed these connections as fragments of code 49 bits long, each
one representing the Internet Protocol addresses of the two
computers and the data port by which they communicated.
A program on each computer generated 100 random 49-bit strings -
the equivalent of white blood cells in the body. The computers
compared these strings against real connections on the network and
any strings that matched were destroyed. The survivors were then
ready to go into service.
Just as lymphocytes patrol the body looking for microbes, the
49-bit strings policed the LAN trying to match themselves to bit
strings generated by external connections. When all is well they
should never match, because all the strings that match legitimate
connections should have been destroyed from the start. So whenever
a detector matched a bit string, it raised the alarm by sending an
email to the system administrator. If this turned out to be a
genuine threat, the administrator initiated evasive action and
logged that bit string in the system's immunological memory.
The detectors weren't looking for exact matches. There are more
than half a million billion possible 49-bit strings, so with just
100 detectors per computer, spotting an attack would be less likely
than winning the lottery. To sound the alarm, a detector had to
match just 12 out of 49 bits on the incoming bit string, much as a
white blood cell recognises small surface features rather than
whole viruses or bacteria. This enabled a few hundred detectors to
spot most of the possible incoming strings.
Every so often, non-self bit strings would go undetected. You can
improve the odds by generating more detectors, but that imposes a
processing burden on the network. A network that puts so much of
its energy into keeping out viruses that it can't do any useful
work is no good to anyone. But immunology comes to the rescue again
with a simple solution.
Some pathogens, particularly viruses, can hide inside host cells,
so the immune system uses special molecules that form what's called
the major histocompatibility complex (MHC). These continually take
protein fragments from within a cell and display them on its
surface where passing white blood cells check if they are
dangerous.
There are two varieties of MHC and each one displays proteins in a
different way. Chances are that within a population, a foreign
protein will be displayed in a way the immune system can recognise.
Borrowing this idea, the researchers made random changes to which
portions of incoming bit strings the detectors looked at. So
although there was a limit to the number of unauthorised
connections an individual computer could spot, the network as a
whole covered all the bases.
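The detector scheme described above (49-bit connection strings, 100 random detectors per machine culled by negative selection, partial matching) and the per-host reshuffling of bit positions borrowed from MHC, as an added example; it is not the LISYS code from Forrest and Hofmeyr's work. It assumes the r-contiguous matching rule (12 consecutive agreeing bits) and a constructed 49-bit layout (32-bit remote address, 8-bit LAN host, 9-bit service), neither of which the article spells out.

```python
import random

L = 49  # bits per connection string (from the article)
R = 12  # consecutive bits a detector must share with a string to match it
        # (r-contiguous rule, assumed; the article only says "12 out of 49")

def encode_connection(remote_ip, local_host, service):
    """Constructed 49-bit layout: 32-bit remote IPv4 address, 8-bit index of
    the LAN host, 9-bit service code. The real layout is not on the page."""
    ip = 0
    for octet in remote_ip.split("."):
        ip = (ip << 8) | int(octet)
    return format((ip << 17) | (local_host << 9) | service, f"0{L}b")

def r_contiguous_match(detector, string, r=R):
    """True if the two strings agree on at least r consecutive positions."""
    run = 0
    for a, b in zip(detector, string):
        run = run + 1 if a == b else 0
        if run >= r:
            return True
    return False

def permute(string, mask):
    """Reorder the bits with this host's own random permutation (the MHC
    analogue): every host sees the same connection in a different order."""
    return "".join(string[i] for i in mask)

def negative_selection(self_set, count, mask, rng, r=R):
    """Keep random candidates only if they match no (permuted) self string."""
    permuted_self = [permute(s, mask) for s in self_set]
    detectors = []
    while len(detectors) < count:
        cand = "".join(rng.choice("01") for _ in range(L))
        if not any(r_contiguous_match(cand, s, r) for s in permuted_self):
            detectors.append(cand)
    return detectors

def matching_detectors(detectors, string, mask, r=R):
    """Detectors that fire on an incoming connection; an empty list is self."""
    p = permute(string, mask)
    return [d for d in detectors if r_contiguous_match(d, p, r)]

# Constructed sample of normal traffic: remote address, LAN host, service.
SELF = [encode_connection("192.0.2.10", 3, 80), encode_connection("192.0.2.10", 7, 25),
        encode_connection("198.51.100.5", 3, 22), encode_connection("203.0.113.9", 12, 443)]

def build_host(seed, count=100):
    """One LAN machine: its own permutation mask plus `count` surviving detectors."""
    rng = random.Random(seed)
    mask = list(range(L))
    rng.shuffle(mask)
    return mask, negative_selection(SELF, count, mask, rng)
```

Because every surviving detector was tested against the permuted self set, a host can never alarm on its own training connections; coverage of non-self strings is probabilistic and differs per host because each applies a different mask.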
This detector system, however, wasn't enough. One of the big
problems with computer security systems is false alarms, and
Hofmeyr and Forrest's was no exception. Faced with too many of
them, end-users tend to disable the software or ignore its
warnings. In a computer with an immune system, a false alarm would
lock out genuine users or innocent files.
ATTACK ALARM
Fortunately, immunology has another ready-made solution. White
blood cells are bristling with detector molecules and are only
activated if a sufficient number of them pick up an intruder. This
stops the immune system launching a full-scale response every time
a white cell makes a mistake. To mimic this, the researchers
imposed thresholds on their detectors so that they would only react
if more than one of the detector strings flagged incoming
connections as suspect. They also borrowed the concept of
co-stimulation, with human administrators playing the role of
helper cells. If the threat turned out to be a false alarm, the
administrators simply did nothing.
The thresholding system stopped the false alarms, but it also
introduced a new weakness. Hackers sometimes launch attacks from
several different computers simultaneously, so the incidence of any
one suspect connection is low. To overcome this, the researchers
imported yet another immunological mechanism. When a detector
discovered an intrusion, it reduced the other detectors'
thresholds, making them more likely to pick up an attack. This is
analogous to the role inflammation plays in immunity. It sensitises
the system as a whole by making blood vessels near a site of
infection leaky. In this way, more white blood cells come into
contact with the invader.
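The three mechanisms just described (activation thresholds, co-stimulation by an administrator, and inflammation-style sensitisation of the other detectors after a confirmed intrusion) as an added decision-layer model sitting above the detectors; this is illustrative code, not the researchers' system. Names such as `AlarmLayer`, the tick-based clock, and the default threshold, window and reduction values are assumptions.

```python
class AlarmLayer:
    """Tracks matches per detector for one host. A detector must match
    `threshold` times before it raises an alarm; the alarm is acted on only
    if an administrator confirms it within `costim_window` ticks, otherwise
    it is dropped as a mistake. A confirmed intrusion lowers the threshold
    of every detector by `reduction` for `sensitivity_ticks` ticks."""

    def __init__(self, threshold=3, costim_window=20,
                 sensitivity_ticks=50, reduction=2):
        self.threshold = threshold
        self.costim_window = costim_window
        self.sensitivity_ticks = sensitivity_ticks
        self.reduction = reduction
        self.clock = 0
        self.matches = {}        # detector id -> matches accumulated so far
        self.pending = {}        # detector id -> (tick raised, string)
        self.memory = set()      # confirmed hostile strings (immune memory)
        self.sensitised_until = -1

    def effective_threshold(self):
        """Inflammation analogue: fewer matches needed while sensitised."""
        if self.clock <= self.sensitised_until:
            return max(1, self.threshold - self.reduction)
        return self.threshold

    def tick(self):
        """Advance the clock and discard alarms nobody co-stimulated."""
        self.clock += 1
        expired = [d for d, (t, _) in self.pending.items()
                   if self.clock - t > self.costim_window]
        for d in expired:
            del self.pending[d]
            self.matches[d] = 0

    def observe(self, detector_id, string):
        """Record that detector_id matched an incoming string. Returns
        'memory' (known hostile), 'alarm' (awaiting confirmation) or None."""
        if string in self.memory:
            return "memory"
        self.matches[detector_id] = self.matches.get(detector_id, 0) + 1
        if self.matches[detector_id] >= self.effective_threshold():
            self.pending[detector_id] = (self.clock, string)
            return "alarm"
        return None

    def confirm(self, detector_id):
        """Administrator co-stimulation: remember the string and sensitise."""
        _, string = self.pending.pop(detector_id)
        self.memory.add(string)
        self.sensitised_until = self.clock + self.sensitivity_ticks
        self.matches[detector_id] = 0
        return string
```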
The researchers say they were surprised by how many of the features
of human immunity they needed to bring in to build an effective
defence. "We did it one step at a time, importing a mechanism as we
needed it," says Forrest. "But because of this, we have a good
account of why we needed each mechanism and how it helped our
system."
Charles Orosz, an immunologist at Ohio State University College of
Medicine in Columbus, says this may even help the biological
systems from which they borrowed their ideas. By reassembling her
system bit by bit, Forrest has learned what its essential elements
are, and how they work together to keep infection at bay.
"Stephanie may now understand the immune system better than most
immunologists," Orosz says.
So how will Forrest's electronic immune system fare under a genuine
attack? In 1998, her group ran an experiment that simulated
activity on the LAN for 30 days, with 1.5 million connections and
3,900 different bit strings. Hidden among those connections were
reconstructions of seven genuine hacker attacks and a mock attack
launched from multiple locations. None of them got through, and
better still the number of false alarms was kept extremely low by
the use of thresholding and co-stimulation. The results are at
least as good as conventional approaches, Forrest claims.
DETECTING INSTRUCTIONS
Forrest's next goal is to develop immune systems for individual
computers. The problem here is what to use in place of the network
connections to define the standalone computer's self. Working with
student Anil Somayaji, she has focused on system calls - messages
that programs send to the operating system to access various
resources such as memory, disk drives and so on. Particular
programs tend to have characteristic patterns of system calls, and
from these patterns, Forrest and Somayaji have built up a profile
of an individual computer.
To detect intrusions, they monitor the computer's system calls,
looking for changes in the normal patterns that might indicate an
attack. The researchers have successfully used this strategy to
detect Trojan horses - the class of virus that includes the Love
Bug - and other forms of foreign code.
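The system-call profiling described above, as an added example that is not Forrest and Somayaji's own code: a profile of normal behaviour is the set of short fixed-length windows of calls seen while a program runs normally, and a trace is scored by how many of its windows were never seen, with a long run of consecutive unseen windows as the intrusion signal. The window length of 6, the `min_run` threshold and the sample traces are constructed assumptions.

```python
K = 6  # window length over the call sequence (assumed here)

def build_profile(traces, k=K):
    """Record every length-k window of calls seen during normal operation."""
    profile = set()
    for trace in traces:
        for i in range(len(trace) - k + 1):
            profile.add(tuple(trace[i:i + k]))
    return profile

def score_trace(profile, trace, k=K):
    """Return (fraction of windows never seen in training, longest run of
    consecutive unseen windows). One isolated unseen window is often just
    an untrained but normal path; a long run is the strong signal."""
    windows = [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]
    if not windows:
        return 0.0, 0
    unseen = [w not in profile for w in windows]
    longest = run = 0
    for u in unseen:
        run = run + 1 if u else 0
        longest = max(longest, run)
    return sum(unseen) / len(windows), longest

def is_intrusion(profile, trace, k=K, min_run=3):
    """Flag a trace once its longest run of unseen windows reaches min_run."""
    return score_trace(profile, trace, k)[1] >= min_run

# Constructed traces of a privileged daemon behaving normally (sample data).
NORMAL_TRACES = [
    ["open", "read", "mmap", "mmap", "open", "read", "close", "close"],
    ["open", "read", "mmap", "mmap", "open", "read", "write", "close", "close"],
    ["open", "mmap", "read", "write", "close", "close"],
]
# Constructed trace of the same daemon after foreign code runs inside it.
SUSPECT_TRACE = ["open", "read", "mmap", "mmap", "setuid", "execve",
                 "open", "read", "close", "close"]
PROFILE = build_profile(NORMAL_TRACES)
```

A trace that merely recombines known windows in a new way scores a short run and is left alone, which is what keeps the false-alarm rate down on a profile built from limited training data.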
Forrest is quick to recognise that artificial immune systems have
weaknesses, which attackers are sure to exploit. There is even the
danger that those bent on destruction could get in with the help of
the very system that is supposed to keep them out. Nature has
already devised a virus that attacks the human immune system, so
what's to stop virus writers and hackers borrowing the idea? Watch
out for the first outbreak of CIV - computer immunodeficiency virus.