A human connection to intrusion detection |
 |
By Niall McKay, Contributor
14 Sep 2005 | SearchSecurity.com |
|
|
Increasingly, security experts are looking to the human body for inspiration on how to deal with computer viruses. Why not? After all, the body has developed complex security systems to keep it safe from disease over millions of years.
Uwe Aickelin, a computer science professor, and his colleagues at the University of Nottingham have teamed up with immunologists at the University of the West of England in Bristol (UWE) to build an "artificial immune system" for computer intrusion detection systems based on knowledge gleaned from protections in human immune systems.
"The University of the West of England is carrying out 'wet' experiments to look at various aspects of cell behavior and passing on their findings to us," says Jamie Twycross, research associate with the University of Nottingham's Automated Scheduling Optimization and Planning Lab. "We use the results to try and build a computational model."
The project, which is funded by an EPSRC Adventure fund research grant and supported by Hewlett-Packard Research, e-Commerce Security Consultants (ECSC), the University of Bristol and University College London, is based on the controversial concept in immunology called "danger theory." This suggests that the human immune system is alerted by a complex system of signals and weighs the danger depending on their origin, seriousness and frequency, rather than the relatively simple equation of distinguishing between self (the body) or non-self (a foreign object) as previously thought.
Similarly, primitive intrusion detection systems that simply determine threats by recognizing incoming malicious code are not as effective as systems that are able to assess risk by gathering information from a variety of sources.
In the human body, dendric cells (DCs) are the garbage collectors that roam the body. When they are triggered, they turn into fighter cells and attack the infection. For example, DCs are seemingly able to assess threats because they can tell the difference between tissue undergoing natural cell death, inflammation or an attack.
"What makes the cell change between its garbage-collector and fighter state is critical," Twycross says. "How does it distinguish between those three basic states?"
Twycross and his colleagues are trying to reproduce that scenario in an artificial immune system. The software controls an input/output device akin to an artificial dendric cell and a system call serving as an antigen. Then the I/O device can be programmed to treat system calls more seriously than other types of traffic. "The challenge is to figure out the receptors and how to weigh potential threats," he says.
By taking the data generated by a mixture of DCs with cells in varying states of decay, such as cells that are stressed or inflamed, Twycross and Aickelin were able to map these conditions to data points such as CPU load, disk usage and signals from standard off-the-shelf IDS software packages.
"When is the system damaged or inflamed but not in critical danger?" Twycross observes. "You might, for example, put a monitor on the password file that when activated would indicate that the system is in great danger."
Such long-term research projects rarely deliver the exact result intended, but the effort is usually worth it, according to Twycross. That's because both computer viruses and human viruses are scale-free networks.
|
