Selected Current Readings for the Computer Profession, No. 6

Software Qualification Exam (軟考) | Editor in charge: hzhtgq123 | 2004-12-31


Autoimmune Computer Systems

For half a century, developers have protected their systems by coding rules that identify and block specific events. Edit rules look for corrupted data, firewalls enforce hard-coded permissions, virus definitions guard against known infections, and intrusion-detection systems look for activities deemed in advance to be suspicious by systems administrators.

But that approach will increasingly be supplemented by one in which systems become their own security experts, adapting to threats as they unfold and staying one step ahead of the action. A number of research projects are headed in that direction.

At the University of New Mexico, computer science professor Stephanie Forrest is developing intrusion-detection methods that mimic biological immune systems. Our bodies can detect and defend themselves against foreign invaders such as bacteria and parasites, even if the invaders haven't been seen before. Forrest's prototypes do the same thing.

Her host-based intrusion-detection system builds a model of what is normal by looking at short sequences of calls by the operating system kernel over time. The system learns to spot deviations from the norm, such as those that might be caused by a Trojan horse program or a buffer-overflow attack. When suspicious behavior is spotted, the system can take evasive action or issue alerts.
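The paragraph above describes the mechanism only in outline. The following is an added example (not Forrest's or the University of New Mexico's code) of the idea: a profile of "normal" is the set of short windows of system calls observed while a program behaves correctly, and a new trace is judged by how many of its windows the profile has never seen. The traces, the window length of 3 and the 20% alert threshold are constructed assumptions.

```python
"""Host-based anomaly detection over short system-call sequences.

Added illustration of the idea in the passage above (a profile of normal
behaviour built from short call sequences, deviations from it flagged).
This is constructed example code, not Forrest's or UNM's implementation;
the traces, the window length and the alert threshold are all assumptions.
"""
from typing import List, Sequence, Set, Tuple

Window = Tuple[str, ...]

WINDOW = 3  # assumed length of the short sequences that make up the profile

# Constructed "normal" system-call traces of a hypothetical file-serving program,
# recorded while it was known to be behaving correctly (the training phase).
NORMAL_TRACES = [
    ["open", "read", "read", "write", "close"],
    ["open", "read", "write", "close"],
    ["open", "fstat", "read", "write", "close"],
    ["open", "read", "read", "read", "write", "close"],
]

# Constructed trace of the same program after a hypothetical compromise:
# it suddenly spawns a child process, something the normal profile never shows.
SUSPICIOUS_TRACE = ["open", "read", "execve", "fork", "execve", "write", "close"]


def windows(trace: Sequence[str], k: int = WINDOW) -> List[Window]:
    """Every contiguous length-k sub-sequence of a call trace, in order."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def build_profile(traces: Sequence[Sequence[str]], k: int = WINDOW) -> Set[Window]:
    """The profile of normal behaviour: the set of all length-k windows seen in training."""
    profile: Set[Window] = set()
    for trace in traces:
        profile.update(windows(trace, k))
    return profile


def score_trace(profile: Set[Window], trace: Sequence[str], k: int = WINDOW) -> Tuple[int, int, float]:
    """Return (unseen windows, total windows, unseen fraction) for a new trace."""
    ws = windows(trace, k)
    if not ws:  # trace shorter than one window: nothing to judge
        return 0, 0, 0.0
    unseen = sum(1 for w in ws if w not in profile)
    return unseen, len(ws), unseen / len(ws)


def is_anomalous(profile: Set[Window], trace: Sequence[str],
                 threshold: float = 0.2, k: int = WINDOW) -> bool:
    """Raise an alert when more than `threshold` of the trace's windows are unseen."""
    return score_trace(profile, trace, k)[2] > threshold


if __name__ == "__main__":
    profile = build_profile(NORMAL_TRACES)
    for name, trace in [("normal", ["open", "read", "write", "close"]),
                        ("suspicious", SUSPICIOUS_TRACE)]:
        unseen, total, frac = score_trace(profile, trace)
        print(f"{name}: {unseen}/{total} windows unseen ({frac:.0%}), "
              f"alert={is_anomalous(profile, trace)}")
```

The threshold is where the trade-off between coverage and false alarms lives: a legitimate but previously unseen variant such as `["open", "fstat", "read", "read", "write", "close"]` has one unseen window out of four (25%) and already trips the 20% threshold, which is why the size of the training corpus and the tolerance have to be tuned together.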

The central challenge with computer security is determining the difference between normal activity and potentially harmful activity. The common solution is to identify the threat and protect against it, but in many ways, this is the same as constantly fighting the last war, and it can be quite inefficient in environments that are rapidly changing.

In another project Forrest and her students are developing intrusion-detection systems even more directly modeled on how the immune system works. The body continuously produces immune cells with random variations. As the cells mature, the ones that match the body's own proteins are eliminated, leaving only those that represent deviations as guides to what the body should protect against. Likewise, Forrest's software randomly generates “detectors”, throws away those that match normal behavior and retains those that represent abnormal behavior.

Each machine in the network generates its own detectors based on that machine's unique behavior and experiences, and the detectors work with no central coordination or control. In fact, just how the detectors work isn't precisely known, Forrest says.
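The two paragraphs above describe negative selection in words. The following is an added example (not Forrest's implementation) that carries the analogy into code: candidate detectors are random windows of system calls, any candidate that matches a window of the host's own normal behaviour ("self") is discarded, and the survivors are used to flag windows of a monitored trace. Matching uses an r-contiguous rule (two windows match if they agree on r consecutive positions), a rule of the kind used in the early negative-selection literature; the traces, the seven-call alphabet, the window length K, the match length R and the random seed are constructed assumptions.

```python
"""Negative selection: random detectors censored against "self".

Added illustration of the immune-system analogy in the passage above
(random detectors generated, those matching normal behaviour thrown away,
the rest retained, every host building its own set). Constructed example
code, not Forrest's implementation; the traces, the call alphabet, the
window length K, the match length R and the random seed are assumptions.
"""
import itertools
import random
from typing import Iterable, List, Sequence, Set, Tuple

Window = Tuple[str, ...]

K = 3  # assumed length of the system-call windows being compared
R = 2  # assumed r-contiguous rule: match if r symbols in a row agree at the same position

# Constructed system-call alphabet of a hypothetical program.
ALPHABET = ["close", "execve", "fork", "fstat", "open", "read", "write"]

# Constructed normal traces ("self") and a trace after a hypothetical compromise.
NORMAL_TRACES = [
    ["open", "read", "read", "write", "close"],
    ["open", "read", "write", "close"],
    ["open", "fstat", "read", "write", "close"],
    ["open", "read", "read", "read", "write", "close"],
]
SUSPICIOUS_TRACE = ["open", "read", "execve", "fork", "execve", "write", "close"]


def windows(trace: Sequence[str], k: int = K) -> List[Window]:
    """Every contiguous length-k sub-sequence of a call trace."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def self_set(traces: Iterable[Sequence[str]], k: int = K) -> Set[Window]:
    """'Self': every window this host has seen in its own normal behaviour."""
    return {w for trace in traces for w in windows(trace, k)}


def matches(detector: Window, window: Window, r: int = R) -> bool:
    """r-contiguous matching between two equal-length windows."""
    return any(detector[i:i + r] == window[i:i + r] for i in range(len(window) - r + 1))


def random_candidates(alphabet: Sequence[str], n: int, k: int = K, seed: int = 2004) -> List[Window]:
    """The 'immature cells': n windows drawn uniformly at random (seeded for repeatability)."""
    rng = random.Random(seed)
    return [tuple(rng.choice(alphabet) for _ in range(k)) for _ in range(n)]


def all_candidates(alphabet: Sequence[str], k: int = K) -> List[Window]:
    """Exhaustive candidate set; only feasible for a toy alphabet, but shows the full detector space."""
    return list(itertools.product(alphabet, repeat=k))


def negative_selection(candidates: Iterable[Window], self_windows: Set[Window], r: int = R) -> List[Window]:
    """Maturation: keep only the candidates that match nothing in self."""
    kept: List[Window] = []
    seen: Set[Window] = set()
    for cand in candidates:
        if cand in seen:
            continue
        seen.add(cand)
        if not any(matches(cand, s, r) for s in self_windows):
            kept.append(cand)
    return kept


def flagged_windows(detectors: Iterable[Window], trace: Sequence[str],
                    k: int = K, r: int = R) -> List[Window]:
    """Windows of a monitored trace that at least one detector matches."""
    dets = list(detectors)
    return [w for w in windows(trace, k) if any(matches(d, w, r) for d in dets)]


if __name__ == "__main__":
    self_windows = self_set(NORMAL_TRACES)
    detectors = negative_selection(random_candidates(ALPHABET, 150), self_windows)
    print(f"{len(self_windows)} self windows; {len(detectors)} detectors survived negative selection")
    print("normal trace flagged:", flagged_windows(detectors, ["open", "read", "write", "close"]))
    print("suspicious trace flagged:", flagged_windows(detectors, SUSPICIOUS_TRACE))
```

Because `self_set` is built only from the host's own traces, two hosts with different workloads end up with different detector sets and nothing has to be coordinated centrally. By construction a surviving detector can never match a self window, so a purely normal trace is never flagged; coverage of abnormal windows, on the other hand, depends on how many random candidates were drawn (with this toy alphabet, 288 of the 343 possible windows survive selection, and the exhaustive set flags every window of the suspicious trace).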

Indeed, these experimental approaches don't work perfectly, Forrest acknowledges, but she points out that no security measure, including encryption or authentication, works perfectly either. She says the most secure systems will employ multiple layers of protection, just as the human body does. The advantage of this type of system is that it is largely self-maintaining and doesn't require continual updating by experts.

Reference Translation

Autoimmune Computer Systems

For half a century, developers have protected their systems by writing rules that identify and block particular events. Edit rules look for data that has been corrupted, firewalls enforce hard-coded permissions, virus definitions guard against known (virus) infections, and intrusion-detection systems look for suspicious behaviour determined in advance by system administrators.

But this approach will increasingly be supplemented by another, in which the systems themselves become security experts, adapting to threats as they discover them and taking action one step ahead. Many research projects are moving in this direction.

At the University of New Mexico (USA), computer science professor Stephanie Forrest is developing intrusion-detection systems that imitate the biological immune system. Our bodies can detect and defend themselves against foreign invaders such as bacteria and parasites, even ones they have never seen before. Forrest's prototypes do the same thing.

Her host-based intrusion-detection system builds a model: it examines short sequences of calls through the operating-system kernel to see whether they are normal. The system learns to find deviations from the norm, such as anomalies caused by a Trojan horse program or a buffer-overflow attack. When suspicious behaviour is found, the system can take evasive action or issue an alert.

The main challenge in computer security is determining the difference between normal behaviour and potentially suspicious behaviour. The common solution is to identify the threat and take protective measures against it, but in many respects this is just like fighting the last war (against viruses) over again, and in a rapidly changing environment it can be very inefficient.

In another project, Forrest and her students are developing intrusion-detection systems modelled even more directly on the immune system. The body continuously produces immune cells that can vary randomly; as the cells mature, those that match the proteins already present in the body are destroyed, leaving only the cells that carry variations, which guide the body against what it should defend against (the viruses). Likewise, Forrest's software randomly generates "detectors", discards those that match normal behaviour, and keeps those that represent abnormal behaviour.

Every machine in the network generates its own detectors based on that machine's behaviour and experience, and the detectors work without any central coordination or control. Forrest says that exactly how the detectors work is, in fact, not known.

Indeed, Forrest acknowledges that these experimental methods are not yet perfect, encryption and authentication included. She says the most secure systems, like the human body, adopt multiple layers of protection. The advantage of this kind of system is that it is largely self-maintaining and does not require continual updating by experts.
