Virus protection: nature's approach

Enterprise networks contain vulnerabilities and are likely to do so until the economics of system design and implementation change dramatically. The best defence against the exploitation of these vulnerabilities currently involves using reactive measures against viruses and spyware, and using intrusion prevention systems such as firewalls.

Enterprise networks contain vulnerabilities and are likely to do so until the economics of system design and implementation change dramatically. The best defence against the exploitation of these vulnerabilities currently involves using reactive measures against viruses and spyware, and using intrusion prevention systems such as firewalls.

These measures are reactive in that prior knowledge of an attack's characteristics is required before a threat signature can be developed. The time required to get a sample of the attack to the security supplier, through analysis and distributed to the clients is much longer than it potentially takes for the malware to spread, which can cause considerable damage.

What is needed is a more systematic and immediate way of creating threat signatures and deploying them to where they are needed as quickly as possible. The cure must spread faster than the disease. The convergence of various security technologies can help IT professionals to achieve this goal.

Taking inspiration from nature

Many of the developments, both good and bad, in IT have been inspired by biological systems like the human immune system. The immune system has inspired many defence systems, particularly in the field of intrusion and virus detection. In particular, the self/non-self (SNS) detection mechanism used by mammals' immune systems has been used as a way of thinking about computer viruses.

The SNS model relies on the ability to differentiate between an entity's own proteins and foreign proteins, as well as the ability to establish a memory of past infections.

In order to function, SNS requires stimulation and co-stimulation between B-cells, which destroy threats T-cells, which among other things facilitate communication and APC-cells, which identify the original threat. In practice, this model does not explain all observed phenomena in immunology and has not succeeded as an intrusion detection defence.

An alternative model has been proposed by scientist Polly Matzinger called the "danger model". It departs in one significant way from classical immunology in that it does not rely on SNS to find foreign entities. Instead, it relies on danger signals from injured cells for the APC cells to activate the T-cells and thereby the appropriate B-cells that eliminate the antigen.

For IT professionals, the lesson to be learnt from this model is that it is potentially possible to identify a threat through co-stimulation of a signal that identifies the threat as dangerous.

What is needed for IT threat detection is a number of well-defined danger signals that together confirm a valid threat. The resulting composite alert could then be used to stimulate all components of the defence network.

Because the danger model allows users to have greater confidence in their identification of an attack, it becomes possible to derive signatures automatically from the system. These signatures are then spread out from the originator to neighbouring systems.

The sensors that use these signatures can dismiss unused ones over time, for example, because that type of sensor never sees that sort of traffic. Keeping old signatures active too long may degrade sensor performance or cause false positives.

Collectively, however, the entire network must be able to maintain a complete set of signatures. This is close to the biological model, where fewer and fewer T-cells are available to detect a long-gone threat, but always remain in minute quantities and quickly replicate if stimulated by a recurrence of that threat.

Agents in the system process and disseminate the signatures, but a top-down structure is avoided. Instead, the signatures spread in a peer-to-peer fashion.

In a practical implementation of this model of threat detection, various types of monitors are deployed. Program filters such as TCPWrapper are employed to screen the input to programs. These can be used for signature or behaviour-based scanning or even filtering.

Special application monitors are used to monitor programs, look for signs of distress and extract signatures of the attack when one has been detected. These are the danger sensors and are the cornerstone of the danger model approach.

An example of this sort of sensor is the crash dump that occurs when a program crashes due to a buggy attack - where a hacker's failed attempts to break in can provide an early warning of an imminent wider attack. An even better approach is to use a normal resource-usage profile to determine when a program is misbehaving. So long as this and the former sensor complement each other, the combined signal will be useful.

Network monitors, such as a network intrusion detection system, can be used as alternatives or as an augmentation to the other sensors. To be able to prevent known attacks from reaching their targets it is possible to employ conventional systems at the router and firewall level.

The infrastructure of the defence network is based on spreading the various kinds of alerts throughout the network and the capacity to maintain the complete set of attack signatures. Because the danger model eschews a centralised design, the distribution must happen in a bottom-up way but must still reach all nodes.

The larger and more complex networks of the future are going to require that infrastructures are self-organising. Moreover, a central authority can be the weakest link in an attack if it is cut off from the network it is supposed to be administrating.

The solution to this problem could be as simple as using subnet broadcasting or a more structured approach such as zero-configuration networking. The components must all be in a trust relationship with one another and communication must be secured by encrypting the signals with either shared keys or the destination's public key. The infrastructure is probably the most daunting challenge of the danger model approach.

The memory of immunology must collectively stay intact, but that does not mean that detection signatures need to be kept in their original form techniques such as the Teiresias algorithm have been created for consolidating information about threats. In cases where signatures are causing false positives they can also be hand pruned from the collection by sending an anti-signature through the network.

Some nodes may decide to "grandfather out" - meaning delete - older signatures. If an old threat pattern re-emerges, it may later become necessary to re-enable old signatures by having any monitor that sees an attack pattern report this throughout the network by re-sending the signature and thereby reactivating it in all the nodes.

The path to automated security

It is expected that the current trend of ever-larger and more complex networks, coupled with a steady flow of vulnerabilities, will eventually cause completely centralised security management to be given up in favour of a more autonomous security system.

Luckily, anti-virus technology and, in a more limited fashion, intrusion detection system technologies, are starting to provide us with more generic, automated detection methodology, and this trend is likely to continue. Many recent market entries have not had the luxury of starting with a large corpus of malware to test, and have instead concentrated on generic methods that detect evidence of attacks instead of specific known threats.

What is therefore missing is collaboration between the various tools that are emerging. For this reason, it is unfortunate that the industry is fragmented, and the few companies that have most of the pieces of the puzzle do not integrate them into a single, collaborative system.

To reach the goal of automatic security, the industry needs the convergence of all defensive technologies so that the whole system becomes greater than the sum of its parts.

Read more on Antivirus, firewall and IDS products