Monday, September 7, 2009

1st reading...... hehehe

A Biologically Inspired Immune System for Computers

Jeffrey O. Kephart

High Integrity Computing Laboratory

IBM Thomas J. Watson Research Center

P.O. Box 704, Yorktown Heights, NY 10598

Summary:

The study primarily focuses on computer viruses, which are in fact regarded as a serious problem in the industry nowadays. According to the study, two alarming trends are likely to make computer viruses a much greater threat. The first is that the speed at which new viruses are being written is high and accelerating; imagine new computer viruses being created and spread almost every minute! The second is the trend towards increasing interconnectivity and interoperability among computers, which would result in computer viruses spreading faster.

Then IBM conducted a study and was able to create an immune system for computers. The primary features of the immune system are the following:
1. Recognition of known intruders.
2. Elimination/neutralization of intruders.
3. Ability to learn about previously unknown intruders.
o Determine that the intruder doesn't belong.
o Figure out how to recognize it.
o Remember how to recognize it.
4. Use of selective proliferation and self-replication for quick recognition and response.
Their system develops antibodies to viruses and worms that the computer system has encountered before: the system remembers them and responds more quickly if those viruses and worms attack the system again.

In the computer immune system, a virus is not recognized by matching the whole virus or complete information about it; instead, it is detected via an exact or fuzzy match to a relatively short sequence of bytes occurring in the virus (termed the signature).

How do they eliminate the intruders? If the computer immune system were to find an exact or fuzzy match to a signature for a known virus, it could take the analogous step of erasing or otherwise inactivating the executable file containing the virus.


Their system also has the ability to learn about previously unknown intruders. The process by which the proposed computer immune system establishes whether new software contains a virus has several stages. First, integrity monitors, which use checksums to check for any changes to programs and data files, have a notion of ``self'' that is as restrictive as that of the vertebrate immune system: any differences between the original and current versions of any file are flagged, as are any new programs. Then, mechanisms that employ the complementary strategy of ``know thine enemy'' are also brought into play. Among these are activity monitors, which have a sense of what dynamic behaviors are typical of viruses, and various heuristics, which examine the static nature of any modifications that have occurred to see if they have a viral flavor.

If one of the virus-detection heuristics is triggered, the immune system runs the scanner to determine whether the anomaly can be attributed to a known virus. If so, the virus is located and removed in the usual way. If the anomaly cannot be attributed to a known virus, either the generic virus-detection heuristics yielded a false alarm, or a previously unknown virus is at large in the system.
At this point, the computer immune system tries to lure any virus that might be present in the system to infect a diverse suite of ``decoy'' programs. A decoy program's sole purpose in life is to become infected. The algorithms extract from a set of infected decoys information on the attachment pattern of the virus, along with byte sequences that remain constant across all of the captured samples of the virus. Next, the signature extractor must select a virus signature from among the byte sequences produced by the attachment derivation step. The signature must be well-chosen, such that it avoids both false negatives and false positives. In other words, the signature must be found in each instance of the virus, and it must be very unlikely to be found in uninfected programs.
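The signature extraction and the exact-or-fuzzy scanning described above, as an added example that is not from the paper or IBM's system: a constructed "virus" body (not real malware) is attached to several decoys, the extractor keeps the byte sequences common to every infected decoy and absent from a clean corpus, and, as my own assumption standing in for a real corpus-statistics model, prefers the candidate whose trigrams are rarest among clean programs. The scanner then matches that signature exactly or with a bounded number of mismatched bytes.

```python
from collections import Counter

def ngrams(data, n):
    """All length-n byte substrings of data."""
    return [data[i:i + n] for i in range(len(data) - n + 1)]

def extract_signature(infected, clean, n=8):
    """Pick an n-byte signature present in every infected decoy but in no clean
    program; among those, prefer the one whose trigrams are rarest in the clean
    corpus (an assumed stand-in for the paper's corpus statistics)."""
    common = set.intersection(*(set(ngrams(s, n)) for s in infected))
    clean_grams = {g for c in clean for g in ngrams(c, n)}
    trigram_freq = Counter(t for c in clean for t in ngrams(c, 3))
    candidates = sorted(common - clean_grams)  # sorted for a deterministic choice
    if not candidates:
        return None
    return min(candidates, key=lambda s: sum(trigram_freq[t] for t in ngrams(s, 3)))

def fuzzy_scan(program, signature, max_mismatch=0):
    """Offset of the first window that differs from the signature in at most
    max_mismatch bytes, or -1 if none. max_mismatch=0 is an exact match."""
    n = len(signature)
    for i in range(len(program) - n + 1):
        if sum(a != b for a, b in zip(program[i:i + n], signature)) <= max_mismatch:
            return i
    return -1

# Constructed sample data (not real malware): a "virus" with a fixed body and a
# per-generation varying byte at its attachment point.
VIRUS_CONST = b"\x55\x89\xe5\x83\xec\x10\xe8\x00\x00\x00\x00\x5d"
VIRUS_TAIL = b"\xc9\xc3"

def infect(program, generation):
    return program + bytes([generation]) + VIRUS_CONST + VIRUS_TAIL

DECOYS = [b"decoy-program-%d: prints hello and exits\n" % i for i in range(3)]
CLEAN = DECOYS + [b"copy-utility: copies files and exits\n",
                  b"clean-binary:\xe8\x00\x00\x00\x00\x5b\xc3"]  # shares a byte run with the virus
INFECTED = [infect(d, g) for g, d in enumerate(DECOYS, start=1)]

def demo():
    sig = extract_signature(INFECTED, CLEAN)
    victim = infect(b"victim-program: formats disks\n", 9)
    # A variant with one signature byte flipped: exact match fails, fuzzy match still hits.
    variant = victim.replace(sig, sig[:3] + bytes([sig[3] ^ 0xff]) + sig[4:])
    return sig, fuzzy_scan(victim, sig), fuzzy_scan(variant, sig), fuzzy_scan(variant, sig, 1)

if __name__ == "__main__":
    print(demo())
```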
With regard to the use of selective proliferation and self-replication for quick recognition of viruses and worms, their system also has the following ability: when a computer discovers that it is infected, it can send a signal to neighboring machines. The signal conveys to the recipient the fact that the transmitter was infected, plus any signature or repair information that might be of use in detecting and eradicating the virus. If the recipient finds that it is infected, it sends the signal to its neighbors, and so on. If the recipient is not infected, it does not pass along the signal, but at least it has received the database updates, effectively immunizing it against that virus.
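The neighbor signalling just described, simulated as an added example (not code from the paper or IBM): an infected origin sends the signature to its neighbors, every recipient stores it, and only infected recipients forward it. The topology, the set of infected hosts and the signature value are constructed; a real recipient would decide whether it is infected by scanning itself with the received signature.

```python
from collections import deque

def propagate_kill_signal(neighbors, infected, origin, signature):
    """Simulate the signal: the origin sends the signature to its neighbors;
    each recipient records it in its database (and is thereby immunized);
    only recipients that are themselves infected forward it further.
    neighbors: dict host -> list of neighboring hosts (links listed both ways).
    infected: set of hosts carrying the virus (constructed; a real host would
    scan itself with the received signature instead).
    Returns (signature database per host, set of hosts that forwarded)."""
    databases = {host: set() for host in neighbors}
    databases[origin].add(signature)
    forwarded = {origin}
    queue = deque([origin])
    while queue:
        sender = queue.popleft()
        for peer in neighbors[sender]:
            if signature in databases[peer]:
                continue                      # peer already received this update
            databases[peer].add(signature)    # immunized whether infected or not
            if peer in infected:
                forwarded.add(peer)           # infected: eradicate and pass it on
                queue.append(peer)
    return databases, forwarded

# Constructed topology: a chain A-B-C-D-E with F hanging off C.
NEIGHBORS = {
    "A": ["B"], "B": ["A", "C"], "C": ["B", "D", "F"],
    "D": ["C", "E"], "E": ["D"], "F": ["C"],
}
INFECTED_HOSTS = {"A", "B", "C"}  # D and F are clean, so the signal stops there

def simulate():
    """Run the propagation from host A with a constructed signature value."""
    return propagate_kill_signal(NEIGHBORS, INFECTED_HOSTS, "A", "constructed-signature")

if __name__ == "__main__":
    databases, forwarded = simulate()
    print("forwarded by:", sorted(forwarded))
    print("immunized:", sorted(h for h, db in databases.items() if db))
```

Host E never receives the update, which shows the limit the text states: a clean recipient does not relay the signal, so machines beyond it stay uninformed until some other path reaches them.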


Evaluation:
The research is not biased. It is interesting that IBM developed an immune system similar to the immune system of human beings. The research is very informative in the sense that it shows how to avoid and even fight computer viruses by providing an immune system for computers.
