Principles of a Computer Immune System

1
Principles of a Computer Immune System

• Anil Somayaji, Steven Hofmeyr, Stephanie
  Forrest
• Presented by Jesus Morales

2
Introduction

• Written in 1997
• Introduces biological approaches to computer
  security
• The problem
• Computer systems are plagued of security
  vulnerabilities
• Weve seen many buffer overflows, viruses,
  denial of service attacks and so on
• Need a new approach to computer security

3
Traditional approach

• Good in theory, not in practice
• Computer systems are dynamic system state
  continuously changed
• Formal verification of a dynamic system is
  impractical
• Security policies flaws implementation
  flaws configuration flaws imperfect security

4
Biological approach

• Dealing with an imperfect, uncontrolled and open
  environment.
• Similar to the environment the human body has to
  deal with
• Look at the human immune system as a model

5
The immune system (IMS)

• Protects the body
• Vastly more complicated than any computer system
• Constantly under attack
• Parasites, bacteria, viruses
• Highly effective
• Were healthy most of the time
• Works autonomously
• If IMS were at the same technical state as
  computer security systems, wed be extinct

6
IMS Pattern recognition self vs. nonself

• IMS must distinguish molecules and cells of the
  body (self) from extraneous ones (nonself)
• Huge problem
• 105 different types of self
• 1016 different types of nonself (estimate)
• Human genome contains about 105 genes

7
IMS multilayered architecture

• 1st Layer skin and physiological conditions (pH,
  temperature)
• 2nd Layer innate IMS (scavenger cells clean
  pathogens and debris)
• 3rd Layer adaptive IMS (acquired immune response)

8
IMS adaptive immune system

• Primarily white blood cells (lymphocytes)
• Circulate in the blood and lymph systems
• Negative detectors
• Detection by molecular bonds
• Detection is approximate

9
IMS adaptive immune system (cont.)

• Problem how to avoid autoimmune disorders?
• Lymphocytes are self-tolerant
• Clonal deletion process
• Problem how to recognize the potentially huge
  number of pathogens?
• Genetic process generate lymphocytes randomly
• 108 lymphocyte receptors vs. 1016 potential
  foreign patterns
• Constant lymphocyte turnover (short-lived few
  days)
• Learning and memory

10
IMS adaptive immune system (cont.)

• IMS response to viruses
• Result immune memory

11
IMS diversity

• Immune system is diverse across a population
• Each individual has a unique immune system
• Different lymphocyte population different
  detector set
• Different Major-Histocompatibility Complex (MHC)
  (genetically determined)

12
Organizing Principles

• Cant really implement the same IMS in a computer
  system
• We can derive a set of guiding principles
• Distributability Immune system detectors are
  able to determine locally the presence of an
  infection. No central coordination takes place,
  which means there is no single point of failure.
• Multi-layered Multiple layers of different
  mechanisms are combined to provide high overall
  security.

13
Organizing Principles (cont.)

• Diversity By making systems diverse, security
  vulnerabilities in one system are less likely to
  be widespread.
• Diverse protection systems, or
• Diverse protected systems
• Disposability No single component in the system
  is essential.
• Adaptability
• Learn to detect new intrusions
• Ability to recognize signatures of previously
  seen attacks
• No secure Layer
• Any cell can be attacked by a pathogen---including
  those of the immune system itself.
• Mutual protection among immune system components
  replaces dependence on a secure underlying layer.
  

14
Organizing Principles (cont.)

• Dynamically changing coverage
• Space/time tradeoff
• Cant maintain a set of detectors large enough
• Use randomness and replacement
• Identity via behavior
• IMS uses proteins (peptides) as behavior
  indicators running code of the body
• Computer analog short sequences of system calls
• Anomaly detection
• The ability to detect intrusions or violations
  that are not already known is an important
  feature of any security system.

15
Organizing Principles (cont.)

• Imperfect detection
• Accepting imperfect detection increases the
  flexibility to allocate resources.
• Example less specific detectors respond to a
  wider variety of patterns but are less efficient
  at detecting a specific pathogen.
• The numbers game
• The immune system replicates detectors to
  counteract replicating
• Computers subject to similar numbers game
• hackers freely trading exploit scripts on the
  Internet
• denial-of-service attacks
• computer viruses.
• Pathogens in the computer security world are
  playing the numbers game---traditional defense
  systems, however, are not.

16
Possible Architectures

• Protecting static data
• Self uncorrupted data
• Nonself any change in self
• Change detection algorithms
• Protecting active processes on a single host
• Self normal behavior
• Nonself abnormal behavior
• View each active process as a cell
• Passwords, group/file permissions as skin
• Adaptive immune layer rotating lymphocyte
  processes query other processes looking for
  behavior anomalies
• If anomaly is detected slow, suspend, or kill
  process

17
Possible Architectures (cont.)

• Protecting a network of mutually trusting
  computers
• Process is a cell. Computer is an organ.
  Individual is a network
• Innate immune system
• Host-based and network security mechanisms
• Adaptive immune system
• Lymphocyte processes (kernel-assisted)
• Can migrate between computers and take
  appropriate action
• One computer (or set) produces/selects/releases
  lymphocytes
• No centralized response

18
Possible Architectures (cont.)

• Protecting a network of mutually trusting
  disposable computers
• Each computer a cell. Network is the individual
• Host-based security is the skin
• Innate immune system
• Network defenses (Kerberos, firewalls)
• Adaptive immune system
• Lymphocyte machines monitor each other state
• If anomaly is detected isolate affected machine,
  reboot or shut down

19
Limitations

• Different goals
• Biological IMS goal survival
• Computer security confidentiality, integrity,
  availability, accountability and correctness
• Most obvious is confidentiality. Biological IMS
  does not care about protecting secrets

20
Conclusion

• Skin and innate IMS (passwords, access controls,
  careful design) are important
• Adaptive IMS is still mostly lacking in computer
  systems. We need it to make systems more secure