Principles of a Computer Immune System
Anil Somayaji, Steven Hofmeyr, & Stephanie Forrest
Presented by: Jesus Morales
1
Introduction
Written in 1997
Introduces biological approaches to computer security
The problem:
  Computer systems are plagued by security vulnerabilities
  We’ve seen many: buffer overflows, viruses, denial of service attacks and so on
Need a new approach to computer security
2
Traditional approach
Good in theory, not in practice
Computer systems are dynamic: system state continuously changed
Formal verification of a dynamic system is impractical
Security policy flaws + implementation flaws + configuration flaws = imperfect security
3
Biological approach
Dealing with an imperfect, uncontrolled and open environment.
Similar to the environment the human body has to deal with
Look at the human immune system as a model
4
The immune system (IMS)
Protects the body
Constantly under attack
Parasites, bacteria, viruses
Highly effective
Vastly more complicated than any computer system
We’re healthy most of the time
Works autonomously
If IMS were at the same technical state as computer security systems, we’d be extinct
5
IMS: Pattern recognition: self vs. nonself
IMS must distinguish molecules and cells of the body (self) from extraneous ones (nonself)
Huge problem:
  10^5 different types of self
  10^16 different types of nonself (estimate)
  Human genome contains about 10^5 genes
6
IMS: multilayered architecture
1st Layer: skin and physiological conditions (pH, temperature)
2nd Layer: innate IMS (scavenger cells clean pathogens and debris)
3rd Layer: adaptive IMS (acquired immune response)
7
IMS: adaptive immune system
Primarily white blood cells (lymphocytes)
Circulate in the blood and lymph systems
Negative detectors
Detection by molecular bonds
Detection is approximate
8
IMS: adaptive immune system (cont.)
Problem: how to avoid autoimmune disorders?
Lymphocytes are self-tolerant
Clonal deletion process
Problem: how to recognize the potentially huge number of pathogens?
Genetic process: generate lymphocytes randomly
10^8 lymphocyte receptors vs. 10^16 potential foreign patterns
Constant lymphocyte turnover (short-lived: few days)
Learning and memory
9
IMS: adaptive immune system (cont.)
IMS response to viruses
Result: immune memory
10
IMS: diversity
Immune system is diverse across a population
Each individual has a unique immune system
Different lymphocyte population = different detector set
Different Major-Histocompatibility Complex (MHC) (genetically determined)
11
Organizing Principles
Can’t really implement the same IMS in a computer system
We can derive a set of guiding principles
Distributability: Immune system detectors are able to determine locally the presence of an infection. No central coordination takes place, which means there is no single point of failure.
Multi-layered: Multiple layers of different mechanisms are combined to provide high overall security.
12
Organizing Principles (cont.)
Diversity: By making systems diverse, security vulnerabilities in one system are less likely to be widespread.
  Diverse protection systems, or
  Diverse protected systems
Disposability: No single component in the system is essential.
Adaptability:
  Learn to detect new intrusions
  Ability to recognize signatures of previously seen attacks
No secure layer:
  Any cell can be attacked by a pathogen, including those of the immune system itself.
  Mutual protection among immune system components replaces dependence on a secure underlying layer.
13
Organizing Principles (cont.)
Dynamically changing coverage:
  Space/time tradeoff
  Can’t maintain a set of detectors large enough
  Use randomness and replacement
Identity via behavior:
  IMS uses proteins (peptides) as behavior indicators: “running code” of the body
  Computer analog: short sequences of system calls
Anomaly detection:
  The ability to detect intrusions or violations that are not already known is an important feature of any security system.
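Added example (not from the slides or the original paper's code): a minimal sketch of "identity via behavior", where self is the set of short system-call sequences seen in normal runs and a trace is scored by the fraction of its windows missing from self. The window length, response thresholds and all traces are assumptions constructed for illustration.

```python
"""Anomaly detection over short sequences of system calls (added example)."""

WINDOW = 3  # assumed length of a "short sequence"; the slides give no number


def windows(trace, k=WINDOW):
    """Every length-k sliding window of a system-call trace, as tuples."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def build_self(normal_traces, k=WINDOW):
    """Self: the set of short sequences observed during normal behavior."""
    profile = set()
    for trace in normal_traces:
        profile.update(windows(trace, k))
    return profile


def mismatch_rate(trace, profile, k=WINDOW):
    """Fraction of the trace's windows that do not occur in self."""
    seen = windows(trace, k)
    if not seen:          # trace shorter than one window: nothing to judge
        return 0.0
    return sum(w not in profile for w in seen) / len(seen)


def respond(rate, slow_at=0.1, suspend_at=0.5, kill_at=0.75):
    """Graduated response (slow, suspend, kill); thresholds are assumed."""
    if rate >= kill_at:
        return "kill"
    if rate >= suspend_at:
        return "suspend"
    if rate >= slow_at:
        return "slow"
    return "allow"


# Constructed traces; call names are illustrative, not captured from a host.
NORMAL = ["open read mmap read write close".split(),
          "open read write close".split()]
PROFILE = build_self(NORMAL)
BACK_TO_BACK = "open read mmap read write close open read write close".split()
DEVIANT = "open read mmap execve socket write close".split()

if __name__ == "__main__":
    for name, trace in [("normal", NORMAL[0]), ("back-to-back", BACK_TO_BACK),
                        ("deviant", DEVIANT)]:
        rate = mismatch_rate(trace, PROFILE)
        print(name, round(rate, 2), respond(rate))
```

The back-to-back trace is made only of normal activity, yet the seam between its two runs yields windows never seen in training, so it is slowed rather than allowed: a small instance of imperfect detection.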
14
Organizing Principles (cont.)
Imperfect detection:
  Accepting imperfect detection increases the flexibility to allocate resources.
  Example: less specific detectors respond to a wider variety of patterns but are less efficient at detecting a specific pathogen.
The numbers game:
  The immune system replicates detectors to counteract replicating
  Computers subject to similar numbers game:
    hackers freely trading exploit scripts on the Internet
    denial-of-service attacks
    computer viruses.
  Pathogens in the computer security world are playing the numbers game; traditional defense systems, however, are not.
15
Possible Architectures
Protecting static data
  Self: uncorrupted data
  Nonself: any change in self
  Change detection algorithms
Protecting active processes on a single host
  Self: normal behavior
  Nonself: abnormal behavior
  View each active process as a cell
  Passwords, group/file permissions as skin
  Adaptive immune layer: rotating “lymphocyte” processes query other processes looking for behavior anomalies
  If anomaly is detected: slow, suspend, or kill process
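Added example (not from the slides or the authors' code): change detection on static data built from the earlier adaptive-IMS ideas, with randomly generated negative detectors, clonal deletion of any detector that matches self, and approximate matching. The r-contiguous matching rule, the threshold r = 4, the 8-bit chunk size and the sample data are assumptions chosen for illustration.

```python
"""Negative selection for change detection on static data (added example)."""
import random

R = 4  # assumed match threshold: r contiguous equal positions


def r_match(a, b, r=R):
    """Approximate match: a and b agree on at least r contiguous positions."""
    run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        if run >= r:
            return True
    return False


def censor(candidates, self_set, r=R):
    """Clonal deletion: drop every candidate that matches any self string."""
    return [c for c in candidates
            if not any(r_match(c, s, r) for s in self_set)]


def random_detectors(self_set, n, length, seed, r=R, max_tries=10000):
    """Generate candidates at random and keep the first n self-tolerant ones."""
    rng = random.Random(seed)
    kept = []
    for _ in range(max_tries):
        if len(kept) == n:
            break
        cand = format(rng.getrandbits(length), "0{}b".format(length))
        kept.extend(censor([cand], self_set, r))
    return kept


def detect(chunks, detectors, r=R):
    """Return the chunks matched by at least one detector (flagged nonself)."""
    return [c for c in chunks if any(r_match(d, c, r) for d in detectors)]


# Constructed sample: protected data split into 8-bit chunks.
SELF = ["00000000", "00001111"]

if __name__ == "__main__":
    detectors = random_detectors(SELF, n=20, length=8, seed=1997)
    print("self flagged:", detect(SELF, detectors))        # never flags self
    changed = ["00000000", "10101010"]                     # second chunk altered
    print("changed flagged:", detect(changed, detectors))  # depends on coverage
```

Because detectors are censored against self, unmodified data can never raise an alarm; whether a given change is caught depends on how many detectors are kept, which is the space/time tradeoff named under dynamically changing coverage.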
16
Possible Architectures (cont.)
Protecting a network of mutually trusting computers
  Process is a cell. Computer is an organ. Individual is a network
  Innate immune system
    Host-based and network security mechanisms
  Adaptive immune system
    Lymphocyte processes (kernel-assisted)
    Can migrate between computers and take appropriate action
    One computer (or set) produces/selects/releases “lymphocytes”
    No centralized response
17
Possible Architectures (cont.)
Protecting a network of mutually trusting disposable computers
  Each computer a cell. Network is the individual
  Host-based security is the skin
  Innate immune system
    Network defenses (Kerberos, firewalls)
  Adaptive immune system
    Lymphocyte machines monitor each other's state
    If anomaly is detected: isolate affected machine, reboot or shut down
18
Limitations
Different goals:
  Biological IMS goal: survival
  Computer security: confidentiality, integrity, availability, accountability and correctness
Most obvious is confidentiality. Biological IMS does not care about protecting secrets
19
Conclusion
Skin and innate IMS (passwords, access controls, careful design) are important
Adaptive IMS is still mostly lacking in computer systems. We need it to make systems more secure
20