Wednesday, January 18, 2006

Human immune system and computer security

Today's discussion was on an exciting topic. It was all about how an analogy could be drawn from the human immune system to computer systems in the interest of identifying security problems. I was so thrilled to learn the nitty-gritty details, which go way beyond what I had thought. Actually, as soon as I heard this I thought I should take up a biology course. It was so insightful: proteins, amino acids, peptides, T-cells, etc. It is fascinating to see how the human immune system protects the body by constantly checking every cell. This drove the direction of my professor's research. The idea was defining a "self" for a computer system, and the novel finding was the use of sequences of system calls. It was like the peptides being checked by the immune system with MHC (now I may be wrong in some cases, so better read the paper on this), but trust me, it was so interesting. Here is the paper: Forrest, Hofmeyr & Somayaji (1997), "Computer Immunology", Communications of the ACM 40(10).

Here is what I thought about the paper.

The approach to intrusion detection (ID) in this paper is very compelling. The detection model, which rests on defining the "self" of a computer, is still debatable, but the choice of sequences of system calls as the attribute seems a good one, because system calls are what any executing program ultimately reduces to. However, because the parameters to the system calls are not considered, the model may still fail to detect a buffer-overflow attack at an early stage: the overflow itself arrives inside an ordinary read, and the trace only deviates once the injected code starts issuing system calls of its own.

The problem of autoimmune disease has an analogue for an IDS as well, and that is when we get false positives: legitimate but previously unseen behaviour that is flagged as foreign. The paper's suggestion of a multilayered approach may solve this, as it is solved in the human immune system. An important point discussed in this paper is that, to be effective, an IDS has to be distributed and parallel. The idea of an IDS being parallel is something newly introduced by this analogy to the human immune system. The fact that "one size does not fit all" is also brought out by the analogy: the recommendation for a customized version of the IDS on each system is a big departure from previous models, which took a generalized approach. Because the model uses simple attributes that are compact and universal to any computer system, this research has the potential to achieve a nearly real-time response in ID.

However, the two-phase design, which requires a learning period for the system prior to deployment in production, may limit this approach, because the question becomes "when is it good to stop learning?" The second approach taken in this paper, distributed change detection, involves a lot of complexity. The questions raised about the design of these techniques define the core of this approach and have a big impact on its success, since they are what will detect novel abnormal activity.
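To make the "self as a database of system-call sequences" idea concrete, here is a small added illustration; it is not code from the Forrest, Hofmeyr & Somayaji paper but a simplified fixed-window version of the idea written for this post. The window length of 3, the 0.3 mismatch threshold and every trace below are assumptions chosen for the example. It shows the three points raised above: the learning curve that tells you when the self database has stopped growing for a workload, the late detection of a constructed overflow trace whose sequence looks normal until the injected code calls execve, and the false positive raised by a benign but previously unseen trace.

```python
"""Toy sequence-of-system-calls anomaly detector, in the spirit of the
"self" model discussed above. Added illustration, not the paper's code;
the window length K, the 0.3 threshold and all traces are assumptions."""

K = 3  # assumption: length of each system-call window (the "peptide")

# Constructed training traces for a hypothetical request-handling server.
NORMAL_TRACES = [
    ["open", "read", "mmap", "mmap", "close", "write", "close"],
    ["open", "read", "mmap", "close", "write", "close"],
    ["open", "read", "read", "mmap", "close", "write", "write", "close"],
    ["open", "read", "mmap", "mmap", "close", "write", "close",
     "open", "read", "close"],
    ["open", "read", "mmap", "close", "write", "close",
     "open", "read", "close"],
]

# Constructed attack trace: the oversized input arrives during the reads,
# but the sequence looks normal until the injected code calls execve.
ATTACK_TRACE = ["open", "read", "read", "mmap", "close",
                "execve", "dup2", "dup2", "read", "write"]

# Constructed benign trace the training set never showed (three mmaps):
# the "autoimmune" case, legitimate behaviour that still looks foreign.
UNSEEN_BENIGN_TRACE = ["open", "read", "mmap", "mmap", "mmap",
                       "close", "write", "close"]


def windows(trace, k=K):
    """Overlapping length-k windows of a trace."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def build_self(traces, k=K):
    """The 'self' database: every window observed during training."""
    self_db = set()
    for trace in traces:
        self_db.update(windows(trace, k))
    return self_db


def learning_curve(traces, k=K):
    """New windows contributed by each successive training trace.
    When the tail settles at zero, further learning adds nothing for
    this workload; that is the practical answer to 'when to stop'."""
    seen, growth = set(), []
    for trace in traces:
        new = set(windows(trace, k)) - seen
        growth.append(len(new))
        seen |= new
    return growth


def mismatches(trace, self_db, k=K):
    """Indices of windows absent from the self database ('non-self')."""
    return [i for i, w in enumerate(windows(trace, k)) if w not in self_db]


def mismatch_rate(trace, self_db, k=K):
    """Fraction of the trace's windows that are non-self."""
    wins = windows(trace, k)
    return len(mismatches(trace, self_db, k)) / len(wins) if wins else 0.0


def is_anomalous(trace, self_db, k=K, threshold=0.3):
    """Flag a trace whose non-self fraction exceeds the assumed threshold."""
    return mismatch_rate(trace, self_db, k) > threshold


def first_deviation(trace, self_db, k=K):
    """Index of the system call at which the first non-self window
    completes, or None. Shows how late detection is when only the
    sequence, not the arguments, is checked."""
    bad = mismatches(trace, self_db, k)
    return bad[0] + k - 1 if bad else None


if __name__ == "__main__":
    db = build_self(NORMAL_TRACES)
    print("learning curve:", learning_curve(NORMAL_TRACES))
    for name, trace in [("attack", ATTACK_TRACE),
                        ("unseen benign", UNSEEN_BENIGN_TRACE)]:
        idx = first_deviation(trace, db)
        call = trace[idx] if idx is not None else "-"
        print(f"{name}: rate={mismatch_rate(trace, db):.2f} "
              f"anomalous={is_anomalous(trace, db)} "
              f"first deviation at call {idx} ({call})")
```

Run as a script, the learning curve comes out as [5, 1, 4, 3, 0]: the fifth trace adds nothing, which is the signal that training has covered this workload. The attack trace is flagged, but its first non-self window only completes at the execve, after the overflow has already succeeded; the benign three-mmap trace produces one non-self window and stays under the threshold, though a stricter threshold would turn it into a false positive.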
