UVa Top News Daily

Faculty Opinions

Release Date: August 20, 2004

David E. Evans
Assistant Professor of Computer Science
School of Engineering and Applied Science

What Biology Can Teach Us About Computer Security

Witty Worm. Code-Red. Nimda. Sapphire/Slammer SQL.

Their names are curious, engaging, almost comical, but computer worms and other viruses are no laughing matter. Viruses and other malicious software cost businesses billions each year, and cause users hours of frustration.

Part of the problem is that modern viruses spread so quickly that the old ways of combating them are no longer effective. Machines are highly connected, and the Internet is open to everyone, so malicious code can spread remarkably quickly.

In 2003, the Cooperative Association for Internet Data Analysis reported that the Sapphire/Slammer SQL worm spread worldwide in only 10 minutes, and at its peak — three minutes after its release — scanned the Internet at more than 55 million addresses per second. Researchers have speculated that a well-designed worm could infect all vulnerable machines on the Internet within a few hours of its launch.

When an attack spreads that quickly, traditional anti-virus defenses fail.

The problem with our current methods of fighting computer virus attacks is that we cannot cope with unfamiliar enemies. Computer anti-virus software recognizes the signatures of known viruses and gets rid of them. But it can’t get rid of a virus that it hasn’t seen before. Human intervention is needed to identify and analyze the attack code, create a signature for detecting it, and update anti-virus software to recognize and prevent the new attack.

Truly effective defenses must be able to defend systems from attacks that do not yet exist.

One promising approach takes its inspiration from biology. Organisms have no way of knowing what attacks they might face from parasites before they are born, since the parasites are continually evolving. Yet, species manage to survive.

Consider the way in which the human immune system works. Viruses and bacteria attack their human hosts. The human immune system responds by isolating and attacking the foreign bodies. It responds to unfamiliar things by recognizing what is familiar and concluding that what is not familiar is foreign and must be eliminated. Unlike computer anti-virus software that recognizes the signatures of known viruses, the human immune system is able to recognize and destroy previously unknown viruses.

Diversity also plays a vital role in natural survival. Species survive because individual organisms are diverse – a parasite that attacks one organism will not necessarily be able to successfully attack other organisms in the same species.

Computer systems, however, suffer from a lack of diversity. Nearly all computers on the Internet run the same operating systems and applications. Without diversity, all systems are vulnerable to the same attacks. A monoculture enables people to share programs and data, but means attacks can be shared in the same way.

Researchers are beginning to develop ways to build systems that are diverse as far as attackers are concerned, but still appear the same for legitimate users. DARPA, the Defense Advanced Research Projects Agency, is funding research to develop technologies for computer systems that provide critical functions even while under attack. The projects funded under this new initiative include a $1 million contract to researchers at the University of Virginia and Carnegie Mellon University to explore the idea of biologically inspired diversity as an approach to computer security. The project goal is to add an element of diversity throughout the system without changing the way users interact with it.

Researchers are still grappling with the problem of how to automatically create enough diversity to foil attacks, while preserving the program behavior and performance users expect.

Unlike nature, where attacks evolve, computer attacks are engineered, and sophisticated attackers can design malicious code intended to circumvent or fool defenses. As in natural selection, there is a continual arms race between those attempting to build secure computer systems, and those attempting to compromise them.

For now, computer professionals are racing to keep pace with the attackers and struggling to develop specific defenses for every new attack. Before long, we hope to be able to create the computer equivalent of a broad-based antibiotic that can protect systems from any attack, known or unknown.

The Author:

David Evans is an assistant professor in the Department of Computer Science whose research focuses on encryption and computer security.


  *All opinions on this page belong to the authors and do not necessarily reflect the opinions of the University of Virginia. All other text, images, logos and information contained on official University of Virginia Web sites are the intellectual property of U.Va. © 2015 by the Rector and Visitors of the University of Virginia

Faculty Opinions site edited and maintained by Charlotte Crystal
Last Modified: Tuesday August 31, 2004