Possible Architectures

Protecting Static Data

A natural place to begin is at the level of computer viruses, which typically infect programs or boot sectors by inserting instructions into program files stored on disk. Under this view, the protection problem is essentially the same as that of protecting any kind of stored data: self is interpreted as uncorrupted data and non-self is interpreted as any change to self. Many change-detection algorithms have been devised to address this problem, including some inspired by biology.

Protecting Active Processes on a Single Host

The adaptive human immune system is made primarily out of cells, which monitor and interact with other cells. If we view every active process in a computer as a cell, we can think of a computer running multiple processes as a multi-cellular organism and a set of networked computers as a population of such organisms. Traditional security mechanisms such as passwords, group file permissions, etc. would play a role analogous to that of a computer's skin and innate immune system. To create an adaptive immune system layer, we would implement a lymphocyte process which, with help from the kernel, is able to query other processes to see whether they are functioning normally. Just as in the natural immune system, we assume that if a process is acting abnormally, it is either damaged or under attack. In response, the lymphocyte process could slow, suspend, kill or restart the misbehaving process.

To complete the picture, each lymphocyte process could have a randomly generated detector or set of detectors and live for a limited amount of time, after which it would be replaced, so that there would be no predefined location or control thread at which the protection system could be attacked. Lymphocytes that proved particularly useful during their lifetime (for example, by detecting a new anomaly) could be given a longer life span or allowed to spawn related processes. In this architecture, self would be defined by normal behavior and non-self would be abnormal behavior in the form of intrusions, either in privileged or in user processes. Such a system would adapt to changes in user behavior and system software through the turnover of lymphocytes (which also makes it vulnerable to "training" by malicious users). The level of security could be tuned by adjusting the number and lifetime of the lymphocytes and by adjusting the number and quality of detectors in the lymphocytes.

In order to implement this architecture, we need an analog for peptide/MHC binding and a mechanism for eliminating self-reactive detectors. For the former, we examine approximate matching of short sequences of system calls as a candidate for distinguishing normal and abnormal behavior. A method for tolerance and a complete implementation, however, are subjects of future work.
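The approximate matching of short system-call sequences described above can be sketched as follows; this is an added example, not code from the original page or its authors. The window length, the use of Hamming distance as the matching rule, the tolerance value and all traces are assumptions constructed for illustration.

```python
from typing import List, Set, Tuple

Window = Tuple[str, ...]
K = 4  # assumed window length (number of consecutive system calls)

# Constructed traces of one process behaving normally; these define "self".
NORMAL_TRACES = [
    ["open", "read", "mmap", "mmap", "open", "read", "close"],
    ["open", "read", "read", "mmap", "close"],
    ["open", "mmap", "read", "close"],
]
# Constructed traces to classify: a small variation of normal behavior,
# and a run containing calls never seen in the normal profile.
BENIGN_VARIANT = ["open", "read", "mmap", "read", "close"]
SUSPECT = ["open", "read", "execve", "socket", "connect", "write", "close"]


def windows(trace: List[str], k: int) -> List[Window]:
    """Slide a window of length k over the trace."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def build_self(traces: List[List[str]], k: int) -> Set[Window]:
    """Collect every window observed during normal operation."""
    db: Set[Window] = set()
    for trace in traces:
        db.update(windows(trace, k))
    return db


def hamming(a: Window, b: Window) -> int:
    """Number of positions at which two equal-length windows differ."""
    return sum(x != y for x, y in zip(a, b))


def score_trace(trace: List[str], self_db: Set[Window], k: int,
                tolerance: int) -> List[Tuple[int, Window, int]]:
    """Return (offset, window, distance) for each window whose nearest
    self window is more than `tolerance` mismatches away."""
    hits = []
    for i, w in enumerate(windows(trace, k)):
        dist = 0 if w in self_db else min(hamming(w, s) for s in self_db)
        if dist > tolerance:
            hits.append((i, w, dist))
    return hits


if __name__ == "__main__":
    db = build_self(NORMAL_TRACES, K)
    for name, trace in (("variant", BENIGN_VARIANT), ("suspect", SUSPECT)):
        print(name, score_trace(trace, db, K, tolerance=1))
```

Setting the tolerance to 0 turns this into exact matching, under which the benign variant is also flagged; the tolerance is the knob that trades false alarms against missed anomalies.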
