Principles of a Computer

Immune System

Anil Somayaji, Steven

Introduction



Written in 1997



Introduces biological approaches to

computer security



The problem:

 Computer systems are plagued of security

vulnerabilities

 We’ve seen many: buffer overflows, viruses,

Traditional approach

 Good in theory, not in

practice

 Computer systems are

dynamic: system state continuously changed

 Formal verification of a

dynamic system is impractical

 Security policies flaws

Biological approach



Dealing with an imperfect, uncontrolled

and open environment.



Similar to the environment the human

body has to deal with



Look at the human immune system as

The immune system (IMS)



Protects the body

 Vastly more complicated than any computer system



Constantly under attack

 Parasites, bacteria, viruses



Highly effective

 We’re healthy most of the time  Works autonomously



If IMS were at the same technical state as

IMS: Pattern recognition:

self vs. nonself



IMS must distinguish molecules and

cells of the body (self) from extraneous

ones (nonself)



Huge problem:

 10^5 different types of self

 10^16 different types of nonself _(estimate)

IMS: multilayered architecture

 1st Layer: skin and physiological

conditions (pH, temperature)

 2nd Layer: innate IMS (scavenger cells clean pathogens and debris)

 3rd Layer: adaptive IMS (acquired immune

IMS: adaptive immune system



Primarily white blood cells

(lymphocytes)



Circulate in the blood and lymph

systems



Negative detectors



Detection by molecular bonds

IMS: adaptive immune system (cont.)



Problem: how to avoid autoimmune

disorders?

 Lymphocytes are self-tolerant  Clonal deletion process



Problem: how to recognize the potentially

huge number of pathogens?

 Genetic process: generate lymphocytes randomly

IMS: adaptive immune system (cont.)



IMS response to

viruses



Result: immune

IMS: diversity



Immune system is diverse across a

population



Each individual has a unique immune

system



Different lymphocyte population = different

detector set



Different Major-Histocompatibility Complex

Organizing Principles



Can’t really implement the same IMS in a

computer system



We can derive a set of guiding principles



Distributability

: Immune system detectors

are able to determine locally the presence of

an infection. No central coordination takes

place, which means there is no single point of

failure.



Multi-layered

: Multiple layers of different

Organizing Principles (cont.)

 Diversity: By making systems diverse, security

vulnerabilities in one system are less likely to be widespread.

 Diverse protection systems, or  Diverse protected systems

 Disposability: No single component in the system is

essential.

 Adaptability:

 Learn to detect new intrusions

 Ability to recognize signatures of previously seen attacks

 No secure Layer:

 Any cell can be attacked by a pathogen---including those of

Organizing Principles (cont.)

 Dynamically changing coverage:

 Space/time tradeoff

 Can’t maintain a set of detectors large enough  Use randomness and replacement

 Identity via behavior:

 IMS uses proteins (peptides) as behavior indicators:

“running code” of the body

 Computer analog: short sequences of system calls

 Anomaly detection:

 The ability to detect intrusions or violations that are not

Organizing Principles (cont.)

 Imperfect detection:

 Accepting imperfect detection increases the flexibility to

allocate resources.

 Example: less specific detectors respond to a wider

variety of patterns but are less efficient at detecting a specific pathogen.

 The numbers game:

 The immune system replicates detectors to counteract

replicating

 Computers subject to similar numbers game:

 hackers freely trading exploit scripts on the Internet

 denial-of-service attacks

 computer viruses.

Possible Architectures



Protecting static data

 Self: uncorrupted data

 Nonself: any change in self  Change detection algorithms



Protecting active processes on a single host

 Self: normal behavior

 Nonself: abnormal behavior

 View each active process as a cell

 Passwords, group/file permissions as skin

 Adaptive immune layer: rotating “lymphocyte”

Possible Architectures (cont.)



Protecting a network of mutually trusting

computers

 Process is a cell. Computer is an organ. Individual is a network

 Innate immune system

 Host-based and network security mechanisms

 Adaptive immune system

 Lymphocyte processes (kernel-assisted)

 Can migrate between computers and take appropriate action

Possible Architectures (cont.)



Protecting a network of mutually trusting

disposable computers

 Each computer a cell. Network is the individual

 Host-based security is the skin

 Innate immune system

 Network defenses (Kerberos, firewalls)

 Adaptive immune system

 Lymphocyte machines monitor each other state

Limitations



Different goals:



Biological IMS goal: survival



Computer security: confidentiality,

integrity, availability, accountability and

correctness



Most obvious is confidentiality. Biological

Conclusion



Skin and innate IMS (passwords,

access controls, careful design) are

important



Adaptive IMS is still mostly lacking in