Autoimmune Computer Systems
For half a century, developers have protected their systems by coding rules that identify and block specific events. Edit rules look for corrupted data, firewalls enforce hard-coded permissions, virus definitions guard against known infections, and intrusion-detection systems look for activities deemed in advance to be suspicious by systems administrators.
But that approach will increasingly be supplemented by one in which systems become their own security experts, adapting to threats as they unfold and staying one step ahead of the action. A number of research projects are headed in that direction.
At the University of New Mexico, computer science professor Stephanie Forrest is developing intrusion-detection methods that mimic biological immune systems. Our bodies can detect and defend themselves against foreign invaders such as bacteria and parasites, even if the invaders haven't been seen before. Forrest's prototypes do the same thing.
Her host-based intrusion-detection system builds a model of what is normal by looking at short sequences of calls by the operating system kernel over time. The system learns to spot deviations from the norm, such as those that might be caused by a Trojan horse program or a buffer-overflow attack. When suspicious behavior is spotted, the system can take evasive action or issue alerts.
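The paragraph above describes the mechanism only in outline, so here is an added, runnable toy of it in Python. This is example code written for this page, not code from the article or from Forrest's software, and the syscall names, "normal" traces and "attack" trace are constructed sample data. The model of normal behaviour is simply the set of short system-call windows seen in training; a new trace is scored by the fraction of its windows that never appeared, and a threshold turns that score into an alert.

```python
"""Added example (not from the article or from Forrest's software): a toy
version of the host-based detector described above.  Normal behaviour is
modelled as the set of short system-call sequences (length-k windows) seen in
training traces; a new trace is scored by the fraction of its windows that
were never seen.  All syscall names and traces are constructed sample data."""

K = 3  # window length (assumed for this example)

# Constructed "normal" traces of a process that opens, reads, writes and closes files.
NORMAL_TRACES = [
    ["open", "read", "write", "close"],
    ["open", "read", "read", "write", "close"],
    ["open", "fstat", "read", "write", "close"],
]

# Constructed trace whose tail was never seen during training.
ATTACK_TRACE = ["open", "read", "write", "close", "mprotect", "execve"]


def windows(trace, k=K):
    """All length-k contiguous windows of a syscall trace, as tuples."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


class SequenceProfile:
    """Database of windows observed in normal traces (the process's 'self')."""

    def __init__(self, k=K):
        self.k = k
        self.normal = set()

    def train(self, traces):
        """Record every window of every training trace as normal."""
        for t in traces:
            self.normal.update(windows(t, self.k))
        return self

    def anomaly_rate(self, trace):
        """Fraction of the trace's windows that never occurred in training."""
        seen = windows(trace, self.k)
        if not seen:
            return 0.0
        misses = sum(1 for w in seen if w not in self.normal)
        return misses / len(seen)

    def is_suspicious(self, trace, threshold=0.2):
        """Alert when more than `threshold` of the windows are unseen; a
        non-zero threshold tolerates a few rare but legitimate sequences."""
        return self.anomaly_rate(trace) > threshold


def build_profile():
    """Profile trained on the constructed normal traces."""
    return SequenceProfile().train(NORMAL_TRACES)


if __name__ == "__main__":
    profile = build_profile()
    for name, trace in [("normal", NORMAL_TRACES[1]), ("attack", ATTACK_TRACE)]:
        print(name, round(profile.anomaly_rate(trace), 2), profile.is_suspicious(trace))
```

The point a practitioner should take from this is the trade-off the threshold encodes: training data never covers every legitimate sequence, so a rate of exactly zero would produce false alarms, while a high threshold lets a short malicious sequence hide inside a long normal trace. Real deployments score a sliding region of the trace rather than the whole of it for that reason.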
The central challenge with computer security is determining the difference between normal activity and potentially harmful activity. The common solution is to identify the threat and protect against it, but in many ways, this is the same as constantly fighting the last war, and it can be quite inefficient in environments that are rapidly changing.
In another project Forrest and her students are developing intrusion-detection systems even more directly modeled on how the immune system works. The body continuously produces immune cells with random variations. As the cells mature, the ones that match the body's own proteins are eliminated, leaving only those that represent deviations as guides to what the body should protect against. Likewise, Forrest's software randomly generates “detectors”, throws away those that match normal behavior and retains those that represent abnormal behavior.
Each machine in the network generates its own detectors based on that machine's unique behavior and experiences, and the detectors work with no central coordination or control. In fact, just how the detectors work isn't precisely known, Forrest says.
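The two paragraphs above describe negative selection: generate detectors at random, censor the ones that react to normal behaviour, and keep the rest. Here is an added Python illustration of that loop over system-call windows; it is example code written for this page, not the article's or Forrest's, and the syscall alphabet, traces, window length and the r-contiguous matching rule (two windows match if they agree in r consecutive positions) are assumptions for the example.

```python
"""Added example (not from the article or from Forrest's software): a toy
negative-selection detector set.  Random candidate windows are generated,
any that match a "self" window (normal behaviour) is censored, and the
survivors raise an alert on traces they match.  Alphabet, traces and
parameters are constructed for this example."""
import random

SYSCALLS = ["open", "read", "write", "close", "fstat", "mmap", "mprotect", "execve"]

# Constructed normal traces (self) and a constructed abnormal trace.
NORMAL_TRACES = [
    ["open", "read", "write", "close"],
    ["open", "read", "read", "write", "close"],
    ["open", "fstat", "read", "write", "close"],
]
ATTACK_TRACE = ["open", "read", "write", "close", "mprotect", "execve"]

K = 3  # window length (assumed)
R = 2  # consecutive agreeing positions needed for a match (assumed)


def windows(trace, k=K):
    """All length-k contiguous windows of a trace, as tuples."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def r_contiguous_match(a, b, r=R):
    """True if equal-length windows a and b agree in at least r consecutive positions."""
    run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        if run >= r:
            return True
    return False


def self_windows(traces=NORMAL_TRACES):
    """The set of windows that make up normal behaviour on this machine."""
    s = set()
    for t in traces:
        s.update(windows(t))
    return s


def generate_detectors(self_set, candidates=1000, seed=1):
    """Negative selection: draw random candidates and keep only those that
    match no self window.  Each machine runs this on its own traces, so no
    central coordination is needed.  The seed makes the run repeatable."""
    rng = random.Random(seed)
    detectors = []
    for _ in range(candidates):
        cand = tuple(rng.choice(SYSCALLS) for _ in range(K))
        if any(r_contiguous_match(cand, s) for s in self_set):
            continue  # censored: this candidate would react to normal behaviour
        detectors.append(cand)
    return detectors


def alerts(trace, detectors):
    """Every (window, detector) pair that matches; a non-empty list is an alert."""
    return [(w, d) for w in windows(trace) for d in detectors if r_contiguous_match(w, d)]


if __name__ == "__main__":
    selfs = self_windows()
    dets = generate_detectors(selfs)
    print(len(dets), "detectors survived censoring")
    print("normal trace alerts:", len(alerts(NORMAL_TRACES[1], dets)))
    print("attack trace alerts:", len(alerts(ATTACK_TRACE, dets)))
```

Because every surviving detector was checked against the whole self set, a trace made only of self windows can never trigger an alert; false positives come instead from legitimate behaviour that was absent from the training traces. Coverage of abnormal behaviour, on the other hand, is probabilistic and grows with the number of detectors kept, which is the cost side of a system that needs no expert-written signatures.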
Indeed, these experimental approaches don't work perfectly, Forrest acknowledges, but she points out that no security measure, including encryption or authentication, works perfectly either. She says the most secure systems will employ multiple layers of protection, just as the human body does. The advantage of this type of system is that it is largely self-maintaining and doesn't require continual updating by experts.
Reference translation
Autoimmune Computer Systems
For half a century, developers have protected their systems by writing rules that identify and block specific events. Edit rules look for corrupted data, firewalls enforce hard-coded permissions, virus definitions guard against known (virus) infections, and intrusion-detection systems look for suspicious behavior identified in advance by system administrators.
But this approach will increasingly be supplemented by another, in which systems themselves become security experts, adapting to threats as they detect them and acting one step ahead. Many research projects are moving in this direction.
At the University of New Mexico (U.S.), computer science professor Stephanie Forrest is developing intrusion-detection systems that mimic biological immune systems. Our bodies can detect and defend themselves against foreign invaders such as bacteria and parasites, even ones they have never seen before. Forrest's prototypes do the same thing.
Her host-based intrusion-detection system builds a model by examining short sequences of calls through the operating system kernel to see whether they are normal. The system learns to find deviations from normal, such as anomalies caused by a Trojan horse program or a buffer-overflow attack. When suspicious behavior is found, the system can take evasive action or issue an alert.
The main challenge in computer security is determining the difference between normal behavior and potentially suspicious behavior. The common solution is to identify the threat and take protective measures against it, but in many ways this is the same as fighting the last war (against the virus) over again, which can be very inefficient in a rapidly changing environment.
In another project, the intrusion-detection system Forrest and her students are developing is modeled even more directly on the immune system. The body continuously produces immune cells with random variations; as the cells mature, those that match proteins already present in the body are eliminated, leaving only the variant cells to guide it toward what it should defend against. Likewise, Forrest's software randomly generates “detectors”, discards those that match normal behavior and keeps those that represent abnormal behavior.
Each machine in the network generates its own detectors based on that machine's behavior and experiences, and these detectors work without centralized coordination or control. In fact, Forrest says, exactly how the detectors work cannot be precisely known.
In fact, Forrest admits that these experimental methods are not yet perfect, encryption or authentication included. She says the most secure systems, like the human body, use multiple layers of protection. The advantage of this kind of system is that it is largely self-maintaining and does not require constant updating by experts.