快猫短视频

E-mmune from attack

WHEN MALICIOUS PROGRAMS started spreading havoc through the computer world,
security experts were quick to spot the similarity with disease and dub the
invaders 鈥渧iruses鈥. The analogy is apt. Computer viruses carry the information
they need to replicate. They need the resources of a host to survive and can
wreak havoc on whatever they infect. And having replicated, they exploit their
host to spread to others.

The computer industry has been remarkably slow in taking the analogy to its
logical conclusion鈥攖hat to protect themselves from attack, computers need
an immune system. But now US researchers have taken that step. Using immunology
as their guide, they have developed security systems for computers that
automatically detect and respond to an intruder, even if it鈥檚 one they鈥檝e never
seen before. And the methods don鈥檛 just work for viruses, they鈥檒l repel hackers
too.

Computer viruses invade their hosts by hiding in files, programs or e-mail
messages that are passed from one computer to another. Once inside the computer,
they deliver a payload that can range from a jokey message displayed on-screen
to a destructive routine that alters key files on the hard disc or even wipes it
completely. Hackers have a similar effect: they invade by stealth and then carry
out some destructive action on the host. Nowadays, attacks on computers often
involve both.

So far, our defences against malicious attack have relied on a mixture of
vigilance and technical barricades. Both are less than perfect. We all know it鈥檚
a bad idea to open e-mail attachments with dodgy names like 鈥淚 love
you鈥濃攜et sooner or later we all do it, whether out of curiosity or
carelessness. Technical barriers go some way to protect us from such foibles.
Computer networks are protected by 鈥渇irewall鈥 software that checks incoming
messages and blocks any connections it considers suspect. Computers can also be
equipped with virus-checking software that can identify and deal with malicious
code. Here too, the medical analogy holds sway. Victims call in 鈥渄octor鈥
programs to isolate the virus and remove it for examination. The programs can
cure damaged files, and issue a 鈥渧accination鈥 鈥攁 small section of the
virus鈥檚 code鈥攖hat will enable anti-virus software to identify the same
invader in future.

But these methods are no longer adequate. With millions of machines on the
Internet, new viruses can spread like wildfire, and hackers have a huge arena in
which to exercise their subversive skills. Security measures can鈥檛 keep up. Last
year, an FBI survey of some 300 US companies and government agencies revealed
that 90 per cent had suffered security breaches in the previous year, resulting
in about a quarter of a billion dollars鈥 worth of losses. Even the most powerful
technology companies aren鈥檛 immune. Microsoft was among the victims.

As fast as security experts develop techniques to block one method of
intrusion, trespassers find another. Hackers find 100 new ways to attack systems
each year, according to Cyrano, a French Internet software company. Symantec,
the company that sells Norton antivirus software, says that while it has
identified almost 50,000 strains, new ones are appearing at a rate of 500 a
month. Some of them can be devastating. Last year鈥檚 Love Bug caused around
$6.7 billion worth of damage.

In this hazardous environment, computers need to be able to defend
themselves, says Stephanie Forrest, who leads an antivirus research programme at
the University of New Mexico in Albuquerque. 鈥淲e want computers to take care of
themselves,鈥 she says. To enable them to do so, she has turned to the natural
world for guidance. 鈥淭he immune system is operating in a similarly open-ended
environment, but it鈥檚 able to protect us against a wide range of unpredictable
threats autonomously and adaptively,鈥 she says.

Your immune system protects you from attacks by constantly watching out for
molecules that are not 鈥渟elf鈥濃攑roteins made by viruses, bacteria,
parasites and so on. Detection of a 鈥渘on-self鈥 molecule triggers a cascade of
defensive processes designed to kill or disable the intruder.

To detect non-self molecules, the body generates enormous numbers of white
blood cells. Each cell recognises just a single type of molecule, but the body
generates them in vast numbers, and alters their intruder-recognition apparatus
at random. This means that between them they can see off almost all potential
threats.

White cells mature in the thymus, where they undergo a selection process to
weed out any cells that detect 鈥渟elf鈥 and would therefore trigger an autoimmune
disease. If a lymphocyte detects self it is destroyed; if not it is sent out
into the bloodstream to hunt for invaders. If it detects an intruder, it raises
an alarm that brings in other specialised cells to carry out an attack. Once the
invader is repelled, the body makes copies of the white cells that raised the
alarm and archives them, so it鈥檚 primed against repeat invasions. It鈥檚 thanks to
this 鈥渋mmunological memory鈥 that we don鈥檛 get measles twice.

There are a number of features of the immune system that make it a useful
model for computer security. White cells circulate widely and act independently:
there is no central command, so no single point of weakness. Because it
generates detectors at random, the system can recognise intruders the body has
never seen before. Immunological memory means it can quickly ward off attacks
from intruders it has defeated before. The system can also tolerate at least
some mistakes, and has built in error-checking: a process called
鈥渃o-stimulation鈥 requires white cells to get confirmation from a 鈥渉elper鈥 cell
before they raise an alarm. Overall, it鈥檚 a robust, adaptive and autonomous
system. Computer security experts couldn鈥檛 ask for anything more.

In their first stab at emulating immunity in 1998, Forrest and graduate
student Steven Hofmeyr designed a system to detect hacker attacks. Their
experimental 鈥渂ody鈥 was a local area network (LAN) of 50 computers in the
university鈥檚 computer science department. Since what they were looking for was
unusual Internet connections from outside the LAN, they defined 鈥渟elf鈥 as normal
connections between machines. They expressed these connections as fragments of
code 49 bits long, each one representing the Internet Protocol addresses of the
two computers and the data port by which they communicated.

A program on each computer generated 100 random 49-bit strings鈥攖he
equivalent of white blood cells in the body. During a training period analogous
to the time white cells spend in the thymus, the computers compared these
strings against real connections on the network. Any strings that matched were
destroyed. The survivors were then ready to go into service.

Just as lymphocytes patrol the body looking for microbes, the 49-bit strings
policed the LAN trying to match themselves to bit strings generated by external
connections. When all is well they should never match, because all the strings
that match legitimate connections should have been destroyed from the start. So
whenever a detector matched a bit string, it raised the alarm by sending an
e-mail to the system administrator. If this turned out to be a genuine threat,
the administrator initiated evasive action and logged that bit string in the
system鈥檚 immunological memory.

The detectors weren鈥檛 looking for exact matches. There are more than 5 脳
1014 (that鈥檚 half a million billion) possible 49-bit strings, so with just 100
detectors per computer, spotting an attack would be less likely than winning the
lottery. To sound the alarm, a detector had to match just 12 out of 49 bits on
the incoming bit string, much as a white blood cell recognises small surface
features rather than whole viruses or bacteria. This enabled a few hundred
detectors to spot most of the possible incoming strings.

Most, but not quite all. Every so often 鈥渘on-self鈥 bit strings would go
undetected. You can improve the odds by generating more detectors, but that
imposes a processing burden on the network. A network that puts so much of its
energy into keeping out viruses that it can鈥檛 do any useful work is no good to
anyone. But immunology comes to the rescue again with a simple solution.

Some pathogens, particularly viruses, can hide inside host cells, so the
immune system uses special molecules that form what鈥檚 called the major
histocompatibility complex (MHC). These continually take protein fragments from
within a cell and display them on its surface where passing white blood cells
can check if they are dangerous.

There are two varieties of MHC, and each one displays proteins in a different
way. Chances are that within a population, a foreign protein will be displayed
in a way the immune system can recognise. Borrowing this idea, the researchers
made random changes to which portions of incoming bit strings the detectors
looked at. So although there was a limit to the number of unauthorised
connections an individual computer could spot, the network as a whole covered
all the bases.

This detector system, however, wasn鈥檛 enough. One of the big problems with
computer security systems is false alarms, and Hofmeyr and Forrest鈥檚 was no
exception. Too many of these and users tend to disable software or ignore
warnings. In a computer with an immune system, a false alarm would lock out
genuine users or innocent files.

Fortunately, immunology has another ready-made solution. White blood cells
are bristling with detector molecules and are only activated if a sufficient
number of them pick up an intruder. This stops the immune system launching a
full-scale response every time a white cell makes a mistake. To mimic this, the
researchers imposed thresholds on their detectors so that they would only react
if more than one of the detector strings flagged incoming connections as
suspect. They also borrowed the concept of co-stimulation, with human
administrators playing the role of helper cells. If the threat turned out to be
a false alarm, the administrators simply did nothing.

Attack alarm

The thresholding system stopped the false alarms, but it also introduced a
new weakness. Hackers sometimes launch attacks from several different computers
simultaneously, so the incidence of any one suspect connection is low. To
overcome this, the researchers imported yet another immunological mechanism.
When a detector discovered an intrusion, it reduced the other detectors鈥
thresholds, making them more likely to pick up an attack. This is analogous to
the role inflammation plays in immunity. It sensitises the system as a whole by
making blood vessels near a site of infection leaky. In this way more white
blood cells come into contact with the invader.

The researchers say they were surprised by how many of the features of human
immunity they needed to bring in to build an effective defence. 鈥淲e did it one
step at a time, importing a mechanism as we needed it,鈥 says Forrest. 鈥淏ut
because of this, we have a good account of why we needed each mechanism and how
it helped our system.鈥

Charles Orosz, an immunologist at Ohio State University College of Medicine
in Columbus, says this may even help the biological systems from which they
borrowed their ideas. By reassembling her system bit by bit, Forrest has learned
what its essential elements are, and how they work together to keep infection at
bay. 鈥淪tephanie may now understand the immune system better than most
immunologists,鈥 Orosz says.

So how will Forrest鈥檚 electronic immune system fare under a genuine attack?
In 1998 her group ran an experiment that simulated activity on the LAN for 30
days, with 1.5 million connections and 3900 different bit strings. Hidden among
those connections were reconstructions of seven genuine hacker attacks and a
mock attack launched from multiple locations. None of them got through, and
better still the number of false alarms was kept extremely low by the use of
thresholding and co-stimulation. The results are at least as good as
conventional approaches, Forrest claims.

Forrest鈥檚 next goal is to develop immune systems for individual computers.
The problem here is what to use in place of the network connections to define
the standalone computer鈥檚 鈥渟elf鈥. Working with student Anil Somayaji, she has
focused on 鈥渟ystem calls鈥濃攖he messages that programs send to the operating
system to access various resources such as memory, disc drives, and so on.
Particular programs tend to have characteristic patterns of system calls, and
from these patterns, Forrest and Somayaji have built up a profile of an
individual computer.

To detect intrusions, they monitor the computer鈥檚 system calls, looking for
changes in the normal patterns that might indicate an attack. The researchers
have successfully used this strategy to detected Trojan horses鈥攖he class
of virus that includes the Love Bug鈥攁nd other forms of foreign code. At
first, the researchers focused on detecting unusual behaviour at the network and
operating system levels, but more recently they have been looking at
applications such as e-mail or word processing programs.

Conventional security systems simply raise the alarm; they are not usually
allowed to take any further defensive action because of the havoc false alarms
can cause, Forrest says. But she hopes the system call approach will prove
reliable enough to remove this limitation and is already experimenting with a
range of actions that the immune system could invoke when it detects abnormal
activity. Simply slowing down system calls, for example, could repel a hacker
attack because the target computer would no longer respond as expected. And if
anomalous activity persists, the system could block system calls altogether.

Forrest is quick to recognise that artificial immune systems have weaknesses,
which attackers are sure to exploit. There is even the danger that those bent on
destruction could get in with the help of the very system that鈥檚 supposed to
keep them out. Nature has already devised a virus that attacks the human immune
system, so what鈥檚 to stop virus writers and hackers borrowing the idea? Watch
out for the first outbreak of CIV鈥攃omputer immunodeficiency virus.

More from 快猫短视频

Explore the latest news, articles and features