1
Principles of a Computer Immune System
Anil Somayaji, Steven Hofmeyr, & Stephanie Forrest
Presented by: Jesus Morales
2
Introduction
Written in 1997
Introduces biological approaches to computer security
The problem:
Computer systems are plagued by security vulnerabilities
We’ve seen many: buffer overflows, viruses, denial-of-service attacks and so on
Need a new approach to computer security
3
Traditional approach
Good in theory, not in practice
Computer systems are dynamic: system state continuously changed
Formal verification of a dynamic system is impractical
Security policy flaws + implementation flaws + configuration flaws = imperfect security
4
Biological approach
Dealing with an imperfect, uncontrolled and open environment.
Similar to the environment the human body has to deal with
Look at the human immune system as a model
5
The immune system (IMS)
Protects the body
Vastly more complicated than any computer system
Constantly under attack: parasites, bacteria, viruses
Highly effective: we’re healthy most of the time
Works autonomously
If the IMS were at the same technical state as computer security systems, we’d be extinct
6
IMS: Pattern recognition: self vs. nonself
IMS must distinguish molecules and cells of the body (self) from extraneous ones (nonself)
Huge problem:
10^5 different types of self
10^16 different types of nonself (estimate)
Human genome contains about 10^5 genes
7
IMS: multilayered architecture
1st Layer: skin and physiological conditions (pH, temperature)
2nd Layer: innate IMS (scavenger cells clean pathogens and debris)
3rd Layer: adaptive IMS (acquired immune response)
8
IMS: adaptive immune system
Primarily white blood cells (lymphocytes)
Circulate in the blood and lymph systems
Negative detectors
Detection by molecular bonds
Detection is approximate
9
IMS: adaptive immune system (cont.)
Problem: how to avoid autoimmune disorders?
Lymphocytes are self-tolerant: clonal deletion process
Problem: how to recognize the potentially huge number of pathogens?
Genetic process: generate lymphocytes randomly
10^8 lymphocyte receptors vs. 10^16 potential foreign patterns
Constant lymphocyte turnover (short-lived: a few days)
Learning and memory
10
IMS: adaptive immune system (cont.)
IMS response to viruses
Result: immune memory
11
IMS: diversity
Immune system is diverse across a population
Each individual has a unique immune system
Different lymphocyte population = different detector set
Different Major-Histocompatibility Complex (MHC) (genetically determined)
12
Organizing Principles
Can’t really implement the same IMS in a computer system
We can derive a set of guiding principles
Distributability: Immune system detectors are able to determine locally the presence of an infection. No central coordination takes place, which means there is no single point of failure.
Multi-layered: Multiple layers of different mechanisms are combined to provide high overall security.
13
Organizing Principles (cont.)
Diversity: By making systems diverse, security vulnerabilities in one system are less likely to be widespread. Diverse protection systems, or diverse protected systems
Disposability: No single component in the system is essential.
Adaptability: Learn to detect new intrusions; ability to recognize signatures of previously seen attacks
No secure layer: Any cell can be attacked by a pathogen---including those of the immune system itself. Mutual protection among immune system components replaces dependence on a secure underlying layer.
14
Organizing Principles (cont.)
Dynamically changing coverage: Space/time tradeoff. Can’t maintain a set of detectors large enough; use randomness and replacement
Identity via behavior: IMS uses proteins (peptides) as behavior indicators: the “running code” of the body. Computer analog: short sequences of system calls
Anomaly detection: The ability to detect intrusions or violations that are not already known is an important feature of any security system.
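The "identity via behavior" and "anomaly detection" principles above, as an added example (not code from the slides or from the authors' own system): a process's self is the set of short system-call sequences observed in normal runs, and a new trace is scored by how many of its windows fall outside that set. The window length of 3, the traces and the threshold are constructed values.

```python
"""Behavior profile from short system-call sequences (self = sequences seen in normal runs)."""
from collections import deque
from typing import Iterable, List, Set, Tuple

WINDOW = 3  # window length k; constructed value, the slides do not give one

Seq = Tuple[str, ...]

def windows(trace: Iterable[str], k: int = WINDOW) -> Iterable[Seq]:
    """Yield every contiguous length-k subsequence of a system-call trace."""
    buf: deque = deque(maxlen=k)
    for call in trace:
        buf.append(call)
        if len(buf) == k:
            yield tuple(buf)

def build_profile(normal_traces: Iterable[List[str]], k: int = WINDOW) -> Set[Seq]:
    """'Self' for a process: the set of short call sequences observed while it behaves normally."""
    profile: Set[Seq] = set()
    for trace in normal_traces:
        profile.update(windows(trace, k))
    return profile

def anomaly_score(profile: Set[Seq], trace: List[str], k: int = WINDOW) -> float:
    """Fraction of the trace's windows that are absent from the profile (0.0 = entirely self)."""
    total = mismatches = 0
    for w in windows(trace, k):
        total += 1
        if w not in profile:
            mismatches += 1
    return mismatches / total if total else 0.0

def is_anomalous(profile: Set[Seq], trace: List[str], threshold: float = 0.25) -> bool:
    """Detection is approximate: only traces whose mismatch fraction exceeds the threshold are flagged."""
    return anomaly_score(profile, trace) > threshold

# Constructed sample traces for a file-serving daemon (not real captures).
NORMAL_TRACES = [
    ["open", "read", "write", "close", "open", "read", "write", "close"],
    ["open", "read", "read", "write", "close"],
]
SHELL_SPAWN = ["open", "read", "fork", "execve", "write", "close"]  # constructed abnormal trace

if __name__ == "__main__":
    profile = build_profile(NORMAL_TRACES)
    for name, t in (("normal", NORMAL_TRACES[0]), ("shell spawn", SHELL_SPAWN)):
        print(f"{name}: score={anomaly_score(profile, t):.2f} anomalous={is_anomalous(profile, t)}")
```

A real "lymphocyte" process would feed the profile from a kernel trace of the monitored program; here the threshold stands in for the slide's point that detection is approximate rather than exact.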
15
Organizing Principles (cont.)
Imperfect detection: Accepting imperfect detection increases the flexibility to allocate resources. Example: less specific detectors respond to a wider variety of patterns but are less efficient at detecting a specific pathogen.
The numbers game: The immune system replicates detectors to counteract replicating pathogens. Computers are subject to a similar numbers game: hackers freely trading exploit scripts on the Internet, denial-of-service attacks, computer viruses. Pathogens in the computer security world are playing the numbers game---traditional defense systems, however, are not.
16
Possible Architectures
Protecting static data
Self: uncorrupted data
Nonself: any change in self
Change detection algorithms
Protecting active processes on a single host
Self: normal behavior
Nonself: abnormal behavior
View each active process as a cell
Passwords, group/file permissions as skin
Adaptive immune layer: rotating “lymphocyte” processes query other processes looking for behavior anomalies
If an anomaly is detected: slow, suspend, or kill the process
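The "change detection" architecture for static data above, together with the clonal-deletion and random-generation mechanisms from the adaptive immune system slide, as an added example (not code from the slides or the authors' own implementation): negative detectors are generated at random, any candidate that binds a chunk of the uncorrupted data is censored, and the survivors later flag chunks that have changed. The 8-bit chunk size, the r=4 contiguous-bits matching rule, the sample data and the seed are constructed assumptions.

```python
"""Negative-selection change detector (r-contiguous-bits rule) for static data."""
import random
from typing import List

CHUNK_BITS = 8  # each self string / detector is one byte as a bit string (assumption)
R = 4           # adjacent agreeing bits needed for a match (assumption)

def to_self(data: bytes) -> List[str]:
    """'Self' = the distinct bit-string chunks of the uncorrupted data."""
    return sorted({format(b, f"0{CHUNK_BITS}b") for b in data})

def matches(a: str, b: str, r: int = R) -> bool:
    """r-contiguous-bits rule: two strings bind if they agree in at least r adjacent positions."""
    run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        if run >= r:
            return True
    return False

def generate_detectors(self_set: List[str], n: int, seed: int = 0, r: int = R,
                       max_tries: int = 10000) -> List[str]:
    """Random generation plus censoring: keep only candidates that bind no self string
    (the computer analog of clonal deletion of self-reactive lymphocytes)."""
    rng = random.Random(seed)
    detectors: List[str] = []
    for _ in range(max_tries):
        if len(detectors) >= n:
            break
        cand = "".join(rng.choice("01") for _ in range(CHUNK_BITS))
        if not any(matches(cand, s, r) for s in self_set):
            detectors.append(cand)
    return detectors

def scan(detectors: List[str], data: bytes, r: int = R) -> List[int]:
    """Offsets of chunks that some detector binds, i.e. data that is no longer self."""
    flagged = []
    for i, b in enumerate(data):
        chunk = format(b, f"0{CHUNK_BITS}b")
        if any(matches(d, chunk, r) for d in detectors):
            flagged.append(i)
    return flagged

if __name__ == "__main__":
    original = b"HELLO"  # constructed protected data
    dets = generate_detectors(to_self(original), 20, seed=1)
    print(len(dets), "detectors; clean:", scan(dets, original), "tampered:", scan(dets, b"HELPO"))
```

Because every detector was censored against the whole self set, the unchanged data is never flagged; whether a particular corruption is caught depends on which detectors survived, which is exactly the imperfect, probabilistic coverage the slides describe.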
17
Possible Architectures (cont.)
Protecting a network of mutually trusting computers
Process is a cell. Computer is an organ. Individual is a network
Innate immune system: host-based and network security mechanisms
Adaptive immune system: lymphocyte processes (kernel-assisted)
Can migrate between computers and take appropriate action
One computer (or set) produces/selects/releases “lymphocytes”
No centralized response
18
Possible Architectures (cont.)
Protecting a network of mutually trusting disposable computers
Each computer is a cell. Network is the individual
Host-based security is the skin
Innate immune system: network defenses (Kerberos, firewalls)
Adaptive immune system: lymphocyte machines monitor each other’s state
If an anomaly is detected: isolate the affected machine, reboot or shut down
19
Limitations
Different goals: Biological IMS goal: survival. Computer security: confidentiality, integrity, availability, accountability and correctness
The most obvious difference is confidentiality. Biological IMS does not care about protecting secrets
20
Conclusion
Skin and innate IMS (passwords, access controls, careful design) are important
Adaptive IMS is still mostly lacking in computer systems. We need it to make systems more secure