The Biology of Computer Security

Name this system: it effectively protects its host from foreign attacks. It's extremely resilient and able to adapt to changing environments. It's massively parallel with an estimated 10^8 independent components running at the same time. And it's all around you.

What is this amazing organism? It's your immune system. And it's the model for a new class of computer security programs created by a research team led by Stephanie Forrest, professor of computer science at UNM.

A Multidisciplinary Dialogue

Forrest has been exploring ways to apply concepts from biology, particularly the immune system, to computer security since the early 1990s. "I was interested in the immune system as a computational device. It performs a lot of information processing and it does it in a way that's very different from how our computers work today. Our immune systems do an especially good job of noticing when you're infected, deciding what response is appropriate, selecting a response and knowing when to turn it off," explains Forrest.

Since she began her research, Forrest and a team of collaborators have translated biological processes into programs that protect privacy and shield computers from attacks. "It's a dialogue between biology and computer science. It's not a one way mapping, but rather a conversation between the two disciplines," says Forrest. The approach was a breakthrough in computer science. "There are few other groups that have focused as deeply on biology and computer science as we have." Other institutions and researchers are now delving into the field.

From Principle to Program

New commercialized security products already use concepts that stem from Forrest's line of research. Now she and graduate student Justin Balthrop are working together with Matthew Williamson, Senior Research Scientist at Sana Security Inc., on a personal computer firewall called Riot. The program uses immunological principles to detect and respond to attacks from worms and email viruses.

On the detection side, Riot generates detectors: random strings, each a unique combination of sixty to seventy zeros and ones, that can learn a computer's normal rate for making various connections to other computers, such as HTTP connections for searching the web and SMTP connections for sending email. Attacks on the computer cause connection rates to rise, so the detectors go to work. They act much like their biological counterparts, the evenly distributed lymphocytes, or T-cells and B-cells, in our bodies that are responsible for sensing foreign pathogens. These specialized cells have receptors that bind to bacteria and neutralize them, similar to the way that Riot's detectors match the patterns of viruses and worms.

That binding process triggers a response mechanism called "throttling" which returns connection speeds to normal levels and creates a queue for the remaining connections. Throttling slows the spread of the attack, allows the computer to allocate resources normally, causes most of the malicious connections in the queue to automatically time out, and gives the computer owner more time to prevent damage or install a patch. The throttle concept also has biologic roots. It is based on homeostasis, our body's ability to maintain an array of physiological mechanisms within certain acceptable parameters as the environment changes.
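The throttling behaviour described above can be sketched as a small simulation. This is an added example, not Riot's code: the tick-based clock, the FIFO queue, the "busiest clean tick" baseline rule, the timeout of 5 ticks and all traffic data are constructed assumptions.

```python
from collections import deque

def learn_rate(clean_ticks):
    """Baseline = busiest tick seen in a clean training window (assumed rule)."""
    return max((len(tick) for tick in clean_ticks), default=1) or 1

def throttle(arrivals, rate, timeout):
    """Release at most `rate` queued connections per tick, oldest first.
    Requests that have waited `timeout` ticks or longer are dropped.
    Returns (sent, timed_out, peak_queue_length)."""
    queue = deque()                      # entries: (tick_enqueued, destination)
    sent, timed_out, peak = [], [], 0
    tick = 0
    while tick < len(arrivals) or queue:
        if tick < len(arrivals):
            queue.extend((tick, dest) for dest in arrivals[tick])
        # The head of the queue is always the oldest request.
        while queue and tick - queue[0][0] >= timeout:
            timed_out.append(queue.popleft()[1])
        for _ in range(min(rate, len(queue))):
            sent.append((tick, queue.popleft()[1]))
        peak = max(peak, len(queue))
        tick += 1
    return sent, timed_out, peak

def demo():
    # Constructed data: a quiet host, then one tick with a worm-like burst.
    clean = [["mail"], [], ["web"], ["mail"]]
    rate = learn_rate(clean)
    burst = ["mail"] + [f"scan-{i}" for i in range(30)]
    traffic = [["mail"], ["mail"], ["mail"], burst, ["mail"], ["mail"]]
    return rate, throttle(traffic, rate, timeout=5)

if __name__ == "__main__":
    rate, (sent, timed_out, peak) = demo()
    print(f"learned rate: {rate} connection(s) per tick")
    print(f"sent: {len(sent)}, timed out: {len(timed_out)}, peak queue: {peak}")
```

In this run the legitimate mail connections are delayed but delivered, while most of the burst expires in the queue, which is the effect the article attributes to throttling.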

Like our immune system, Riot is adaptive. It is capable of learning norms for its environment and, by generating randomized detectors, it is able to keep pace with those changes and respond accordingly. The researchers hope that Riot will be able to detect and limit damage from a wide variety of viruses, worms, port scans, misconfigurations, hijacked computers, and even prevent stolen computers from being used by others.

Forrest and her team are currently testing Riot on their own computers. "An important part of our research strategy is building prototypes of our ideas and then living with them running on our own computers," says Forrest. She says that once Riot is mature enough, the team will release it as open-source code. Riot's predecessors and other biologically based programs are already available at http://www.cs.unm.edu/~immsec.

As the Internet expands, processing speeds increase, and attackers become more aggressive, Forrest's research is even more important for the everyday computer user. "I do feel that computer security is now everybody's problem. And I hope that these methods will eventually lead to solutions that are incorporated into software people will run on a daily basis," she says. "I think computer security has become a problem of national significance."