Maximize
Bookmark

VX Heavens

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Principles of a Computer Immune System

Anil Somayaji, Steven Hofmeyr, Stephanie Forrest
New Security Paradigms Workshop pp. 75-82
1998

3
PDFDownload PDF (58.29Kb) (You need to be registered on forum)
[Back to index] [Comments (0)]
Department of Computer Science
University of New Mexico
Albuquerque, NM 87131
{soma, steveah, forrest}@cs.unm.edu

Abstract

Natural immune systems provide a rich source of inspiration for computer security in the age of the Internet. Immune systems have many features that are desirable for the imperfect, uncontrolled, and open environments in which most computers currently exist. These include distributability, diversity, disposability, adaptability, autonomy, dynamic coverage, anomaly detection, multiple layers, identity via behavior, no trusted components, and imperfect detection. These principles suggest a wide variety of architectures for a computer immune system.

1 Introduction

Modern computer systems are plagued by security vulnerabilities. Whether it is the latest UNIX buffer overflow or bug in Microsoft Internet Explorer, our applications and operating systems are full of security flaws on many levels. From the viewpoint of traditional computer security, it should be possible to eliminate such problems through more extensive use of formal methods and better software engineering. We believe that such an approach is unlikely to succeed.

To see why, consider Figure 1a. This diagram is a slight caricature, but it does point out three key assumptions of the traditional view:

  1. Security policy can be explicitly and correctly specified,
  2. Programs can be correctly implemented, and
  3. Systems can be correctly configured.

Although these statements might be true theoretically, in practice all are false. Consider Figure 1b. Computers are not static systems: vendors, system administrators, and users constantly change the state of a system. Programs are added and removed, and configurations are changed. Formal verification of a statically defined system is time-consuming and hard to do correctly; formal verification of a dynamic system is impractical. Without formal verifications, tools such as encryption, access controls, firewalls, and audit trails all become fallible, making perfect implementation of a security policy impossible - even if a correct policy could be devised in the first place.

Once we accept that our security policies, our implementations, and our configurations will have flaws, we must also accept that we will have imperfect security. This does not mean that we must be content with no security at all. As in the physical world, better security can be achieved with additional resources and better design. So, the real question is: how can we achieve better security than we currently have?

We believe it is possible to build better computer security systems by adopting design principles that are more appropriate for the imperfect, uncontrolled, and open environments in which most computers currently exist. As a case in point, we look to natural immune systems, which solve a similar problem, but in a radically different way from traditional computer security. For example, consider the human immune system. It is composed of many unreliable, shortlived, and imperfect components. It is autonomous. It is not "correct," because it sometimes makes mistakes. However, in spite of these mistakes, it functions well enough to help keep most us alive for 70+ years, even though we encounter potentially deadly parasites, bacteria, and viruses every day.

Some of the imperfections in current computer security are discussed in [15, 1]. The analogy between computer security problems and biological processes was recognized as early as 1987, when the term "computer virus" was introduced by Adelman [2]. The connection between immune systems and computer security was introduced in [7, 12] and elaborated in [6, 5]. However, in past work, we have concentrated on isolated ideas and mechanisms from the immune system and how they might be applied to concrete computer security problems without explaining the overall framework. In this paper, we begin articulating the larger vision by discussing the immune system in terms of a set of organizing principles and possible architectures for implementation.

We believe that the success of the immune system is due in large part to its organization and that an understanding of the immune system can help us design a robust, practical "computer immune system." Such a system would incorporate many elements of current security systems, augmenting them with an adaptive response layer.1 Parts of this layer might be directly analogous to mechanisms present in the immune system; others will likely be quite different from those found in biology, even if they are based on similar principles to those found in the human body.

Figure 1: (a) Traditional view of secure systems development. (b) Real-world software development is an ongoing process, with vendor, system administrators, and users adding, modifying, and removing software continuously.

Figure 1: (a) Traditional view of secure systems development. (b) Real-world software development is an ongoing process, with vendor, system administrators, and users adding, modifying, and removing software continuously.

In the remaining sections of the paper, we first sketch how the human immune system works.2 Then, we present a set of organizing principles that we argue accounts for much of the immune system's success. We also present some possible architectures for implementing computer security systems based on these principles. Finally, we discuss some limitations of the immune-system analogy.

2 Immune System Overview

The immune system defends the body against harmful diseases and infections. It is capable of recognizing virtually any foreign cell or molecule and eliminating it from the body. To do this, it must perform pattern recognition tasks to distinguish molecules and cells of the body (called "self") from foreign ones (called "nonself"). Thus, the problem that the immune system faces is that of distinguishing self from dangerous nonself. The number of foreign molecules that the immune system can recognize is unknown, but it has been estimated to be greater than 1016 [10]. These foreign proteins (kinds of molecules) must be distinguished from an estimated 105 different proteins of self, so recognition must be highly specific. These are staggering numbers, especially when one considers that the human genome, which encodes the "program" for constructing the immune system, only contains about 105 genes.

The architecture of the immune system is multilayered, with defenses provided at many levels. The outermost layer, the skin, is the first barrier to infection. A second barrier is physiological, where conditions such as pH and temperature provide inappropriate living conditions for some foreign organisms (pathogens). Once pathogens have entered the body, they are handled by the innate immune system and by the adaptive immune response. The innate immune system consists primarily of circulating scavenger cells such as macrophages that ingest extracellular molecules and materials, clearing the system of both debris and pathogens. The adaptive immune response (also called "the acquired immune response") is the most sophisticated and involves many different types of cells and molecules. It is called "adaptive" because it is responsible for immunity that is adaptively acquired during the lifetime of the organism. Because the adaptive immune system provides the most potential from a computer security viewpoint, we will focus on it in this overview. The material for this overview is largely based on [11]; we necessarily leave out many important details and emphasize the aspects most relevant to this paper.

The adaptive immune system can be viewed as a distributed detection system which consists primarily of white blood cells, called lymphocytes. Lymphocytes function as small independent detectors that circulate through the body in the blood and lymph systems. Lymphocytes can be viewed as negative detectors, because they detect nonself patterns, and ignore self patterns. Detection, or recognition, of nonself occurs when molecular bonds are formed between a pathogen and receptors that cover the surface of the lymphocyte. The more complementary the molecular shape and electrostatic surface charge between pathogen and lymphocyte receptor, the stronger the bond (or the higher the affinity). Detection is approximate; hence, a lymphocyte will bind with several different kinds of (structurally related) pathogens.

The ability to detect most pathogens requires a huge diversity of lymphocyte receptors. This diversity is partly achieved by generating lymphocyte receptors through a genetic process that introduces a huge amount of randomness. Generating receptors randomly could result in lymphocytes that detect self instead of nonself, which would then likely cause autoimmune problems in which the immune system attacks the body. Autoimmune disorders are rare because lymphocytes are self-tolerant, i.e. they do not recognize self. Tolerance of self is achieved through a process called clonal deletion: lymphocytes mature in an organ called the thymus through which most self proteins circulate; if they bind to these self proteins while maturing they are eliminated.

Even if receptors are randomly generated, there are not enough lymphocytes in the body to provide a complete coverage of the space of all pathogen patterns; one estimate is that there are 108 different lymphocyte receptors in the body at any given time [14], which must detect potentially 1016 different foreign patterns. The immune system has several mechanisms for addressing this problem, mechanisms which make the immune response more dynamic and more specific. Protection is made dynamic by the continual circulation of lymphocytes through the body, and by a continual turnover of the lymphocyte population. Lymphocytes are typically short-lived (a few days) and are continually replaced by new lymphocytes with new randomly generated receptors. Dynamic protection increases the coverage provided by the immune system over time: the longer a pathogen is present in the body, the more likely it is to be detected because it will encounter a greater diversity of lymphocytes.

Protection is made more specific by learning and memory. If the immune system detects a pathogen that it has not encountered before, it undergoes a primary response, during which it "learns" the structure of the specific pathogen, i.e. it evolves a set of lymphocytes with high affinity for that pathogen, through a process called affinity maturation. This is a Darwinian process of variation and selection resembling the genetic algorithm. [9] High-affinity lymphocytes (those that bind most tightly with available pathogens) are stimulated to reproduce in great numbers, and the resulting lymphocytes have a large number of mutations. These new (mutated) lymphocytes then compete for pathogens with their parents and with other clones. Affinity maturation produces a large number of lymphocytes that have high affinity for a particular pathogen, which accelerates its detection and elimination. Speed of response is important in the immune system because most pathogens are replicating and will cause increasing damage as their numbers increase. Speed of response to previously encountered pathogens is generally high, because the information encoded in adapted lymphocytes is retained as immune memory. On subsequent encounters with the same antigen pattern the immune system mounts a secondary response. In this case, the adapted lymphocytes eliminate the pathogens so rapidly that the symptoms of the infection are not noticeable by the individual.

Even with all of these mechanisms, the coverage provided by the immune system is necessarily incomplete. The consequence is an immune system that is vulnerable to particular pathogens. However, not all individuals will be vulnerable to the same pathogens to the same degree, because each individual has a unique immune system. This diversity of immune systems across a population greatly enhances the survival of the population as a whole.One way in which immune systems differ from one individual to the next is by having different lymphocyte populations, and hence, different detector sets. Another key component that gives an immune system its uniqueness is the variation in a molecule called Major-Histocompatibility Complex (MHC). MHC molecules enable the immune system to detect intracellular pathogens (e.g., viruses) that reside inside cells. Intracellular pathogens are problematic because the inside of a cell is not "visible" to lymphocytes, that is, lymphocytes can only bind to structures on the surface of cells. MHC molecules bind to protein fragments called peptides (which could be viral) within a cell and transport the peptides to the surface, effectively displaying the contents of the cell to passing lymphocytes. The set of proteins to which an MHC molecule can bind is dependent on the structure of the MHC, which is genetically determined. Each person has only a limited number of MHC types and so is vulnerable to particular pathogens that cannot be readily transported by the available MHC types. However, as a whole, a population is far less vulnerable, because each individual has a different set of MHC types, and so is vulnerable to different pathogens.

To summarize, the natural immune system has many features that are desirable from a computer science standpoint. The system is massively parallel and its functioning is truly distributed. Individual components are disposable and un-reliable, yet the system as a whole is robust. Previously encountered infections are detected and eliminated quickly, while novel intrusions are detected on a slower time scale, using a variety of adaptive mechanisms. The system is autonomous, controlling its own behavior both at the detector and effector levels. Each immune system detects infections in slightly different ways, so pathogens that are able to evade the defenses of one immune system cannot necessarily evade those of every other immune system.

3 Organizing Principles

Although the system described in the previous section is appealing, it is not immediately obvious how to use the immune system as a model for building successful computer security systems. There are several fundamental differences between the biology and computer systems. First, we desire an electronic system, built out of digital signals, not one constructed from cells and molecules. Further, we would like to avoid recreating all of the elaborate genetic controls, cell signalling, and other aspects of the immune system that are dictated by the physical constraints under which it evolved. Finally, the immune system is oriented towards problems of survival, which is only one of many considerations in computer security. Thus, the task of creating a useful system based on the immune-system analogy is a difficult one. In spite of these difficulties, a study of the immune system reveals a useful set of organizing principles that we believe should guide the design of computer security systems:

These properties can be thought of as design principles for a computer immune system. Many of them are not new, and some have been integral features of computer security systems; however, no existing computer security system incorporates more than a few of these ideas. Although the exact biological implementation may or may not prove useful, we believe that these properties of natural immune systems can help us design more secure computer systems.

4 Possible Architectures

One approach to building computer security architectures that incorporate the principles discussed in the previous section is to design systems based on direct mappings between immune system components and current computer system architectures. A few such possibilities are described below.

5 Limitations

Although we believe it is fruitful to translate the structure of the human immune system into our computers, ultimately we are not interested in imitating biology. Not only might biological solutions not be directly applicable to our computer systems, we also risk ignoring non-biological solutions that are more appropriate. A more subtle risk, however, is that through imitation we might inherit inappropriate "assumptions" of the immune system.

Computer security is supposed to address five issues: confidentiality, integrity, availability, accountability, and correctness. In the immune system, however, there is really only one important issue, survival, which can be thought of primarily as a combination of integrity and availability. If we view immune system memory as a type of audit trail, it might be possible to argue that there is also a form of accountability, but it clearly is not the same kind of accountability that we typically associate with computer security. Correctness and confidentiality are largely irrelevant to survival. By correctness, we generally mean that it can be proved that a certain program meets its specifications. Immune systems are not formally specified systems, so by definition they cannot be called correct (in the formal sense). If we think of the environment in which an organism evolves as an implicit formal specification of "survival," it is still true that natural immune systems are not correct, because they sometimes fail - pathogens sometimes successfully evade the immune system. Likewise, the immune system is not concerned with protecting secrets, privacy, or other issues of confidentiality. This is probably the most important limitation of the analogy, and one that we should keep in mind when thinking about how to apply our knowledge of immunology to problems in computer security.

6 Conclusions

Good passwords, appropriate access controls, and careful design are still needed for good security. As indicated earlier, all of these measures can be seen as equivalent to the body's skin and innate immune system, which are responsible for preventing most infections. We have focused on the human immune system's adaptive responses, because these are the types of mechanisms current computer systems do not have. By remedying this shortcoming, we should be able to make our computer systems much more secure than they currently are.

7 Acknowledgments

The authors wish to thank David Ackley for his insightful suggestions and inspiring aphorisms that have helped us focus our ideas. Also, Alan Perelson has introduced us to the world of immunology, and Gene Spafford has helped us understand the finer points of computer security.

The authors gratefully acknowledge support from the National Science Foundation (grant IRI-9157644), the Office of Naval Research (grant N00014-95-1-0364), DefenseAdvanced Research Projects Agency (grants N00014-96-1-0680 and N66001-96-C-8509), the MIT Artificial Intelligence Laboratory, Interval Research Corp., and the Santa Fe Institute.

References

  1. R. Blakley. The emperor's old armor. In Proc. New Security Paradigms '96. ACM Press, 1997.
  2. Fred Cohen. Computer viruses. Computers & Security, 6:22-35, 1987.
  3. Mark Crosbie and Gene Spafford. Active defense of a computer system using autonomous agents. Technical Report 95-008, Department of Computer Science, Purdue University, February 1995.
  4. D. E. Denning. An intrusion detection model. In IEEE Transactions on Software Engineering, Los Alamos, CA, 1987. IEEE Computer Society Press.
  5. S. Forrest, S. Hofmeyr, and A. Somayaji. Computer immunology. Communications of the ACM, (submitted Dec. 1996).
  6. S. Forrest, S. Hofmeyr, A. Somayaji, and T. Longstaff. A sense of self for UNIX processes. In Proceedings of the 1996 IEEE Symposium on Computer Security and Privacy. IEEE Press, 1996.
  7. S. Forrest, A. S. Perelson, L. Allen, and R. Cherukuri. Self-nonself discrimination in a computer. In Proceedings of the 1994 IEEE Symposium on Research in Security and Privacy, Los Alamos, CA, 1994. IEEE Computer Society Press.
  8. S. Forrest, A. Somayaji, and D. H. Ackley. Building diverse computer systems. In Sixth Workshop on Hot Topics in Operating Systems, 1997.
  9. J. H. Holland. Adaptation in Natural and Artificial Systems. MIT Press, Cambridge, MA, 1992. Second edition (First edition, 1975).
  10. J. K. Inman. The antibody combining region: Speculations on the hypothesis of general multispecificity. In G. I. Bell, A. S. Perelson, and Jr. G. H. Pimbley, editors, Theoretical Immunology, pages 243-278. M. Dekker, NY, 1978.
  11. C. A. Janeway and P. Travers. Immunobiology: the immune system in health and disease. Current Biology Ltd., London, 2nd edition, 1996.
  12. J. O. Kephart. A biologically inspired immune system for computers. In R. A. Brooks and P. Maes, editors, Artificial Life IV: Proceedings of the Fourth International Workshop on the Synthesis and Simulation of Living Systems, pages 130-139, Cambridge, MA, 1994. MIT Press.
  13. B. C. Neuman and T. Ts'o. Kerberos: An authentication service for computer networks. IEEE Communications Magazine, 32(9):33-38, September 1994.
  14. S. Tonegawa. Somatic generation of antibody diversity. Nature, 302:575-581, 1983.
  15. W. A. Wulf, C. Wang, and D. Kienzle. A new model of security for distributed systems. Technical Report CS-95-34, University of Virginia, August 1995.

1 The adaptive response layer is similar in purpose to traditional intrusion-detection systems [4], although we are proposing a system that would be more autonomous.

2 Although we describe the human immune system, other vertebrate immune systems are quite similar. Other natural immune systems, such as those of plants, have different architectures and mechanisms; however, they too have organizing principles similar to the human immune system.

3 This mechanism can be seen as a generalization of the kill-signal described in [12].

[Back to index] [Comments (0)]
deenesitfrplruua