NEWS


Computing Now Exclusive Content — December 2009

Digital Ants Promise New Security Paradigm

by George Lawton

A prototype distributed security system uses an army of "digital ants" to help sniff out computer malware. Researchers at Wake Forest University and the Pacific Northwest National Laboratory (PNNL) developed the system to improve anti-malware technology by leveraging behavioral analysis and swarm intelligence. It's based on a technique conceived by PNNL researcher Glenn Fink, who took it to Wake Forest for the design, implementation, and testing.

Each ant is a type of script that monitors for signs of malware and leaves an electronic "pheromone" trail to attract other ants to investigate. Each ant monitors a single basic metric, such as the operating system process table, CPU utilization, or network entropy rate. Errin Fulp, associate professor of computer science at Wake Forest University, said the scripts aren't necessarily helpful in isolation. "But collectively, with several different types of ants visiting a location, they can indicate the presence of a threat."

Ant Hierarchy

The system comprises a hierarchy of agents that run in specially designed swarm software deployed on all the hosts in a protected network. At the bottom of the hierarchy, the ants are simple programs that look for a particular statistic as they travel from host to host. Each ant has a memory of what it finds to be normal across the previous five hosts it visits.

One level up, a sentinel agent runs on each host. On the basis of information it collects from the ants, the sentinel forms an idea of the host's normal state. When an ant finds something unusual, it reports this to the host sentinel. For example, if the ant reported 8,000 connections per minute, the sentinel might see this as an anomaly. In that case, it would reward the ant by raising its pheromone value. The ant stores this information. As it moves on to other hosts, its high pheromone value attracts other ants and communicates the information about the host that raised its pheromone value. This encourages the other ants to investigate that host as well.

If these additional ants find other anomalies, they would also be rewarded, which would attract ants from other hosts. A certain threshold of messages triggers a threat signal. 
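A minimal simulation of the ant, sentinel, and pheromone loop described above, added here as an illustration and not the researchers' code. Only the five-host memory comes from the article; the host names, metric values, the 3x-median anomaly test, the shared set of marked hosts, and the two-report threshold are assumptions.

```python
from collections import deque
from statistics import median

# Constructed sample metrics; host "h4" is the planted outlier.
HOSTS = {
    "h1": {"conn_per_min": 120, "cpu_pct": 22},
    "h2": {"conn_per_min": 140, "cpu_pct": 25},
    "h3": {"conn_per_min": 110, "cpu_pct": 20},
    "h4": {"conn_per_min": 8000, "cpu_pct": 97},
    "h5": {"conn_per_min": 130, "cpu_pct": 24},
    "h6": {"conn_per_min": 125, "cpu_pct": 21},
}
MEMORY = 5      # from the article: an ant remembers the previous five hosts
RATIO = 3.0     # assumed: "unusual" means more than 3x the remembered median
THRESHOLD = 2   # assumed: distinct ant types reporting before a threat signal

class Ant:
    def __init__(self, metric, start):
        self.metric, self.pos = metric, start
        self.seen = deque(maxlen=MEMORY)  # readings from recently visited hosts
        self.pheromone = None             # host whose sentinel rewarded this ant

    def visit(self, host):
        value = HOSTS[host][self.metric]
        odd = len(self.seen) >= 3 and value > RATIO * median(self.seen)
        if not odd:
            self.seen.append(value)       # only normal readings shape the baseline
        return odd

DEFAULT_ANTS = (("conn_per_min", 0), ("cpu_pct", 4), ("conn_per_min", 5))

def run(ant_specs=DEFAULT_ANTS, rounds=8):
    names = list(HOSTS)
    ants = [Ant(metric, start) for metric, start in ant_specs]
    reports = {h: set() for h in names}   # sentinel state: ant types that reported
    signals = []
    for _ in range(rounds):
        marked = {a.pheromone for a in ants if a.pheromone}
        for ant in ants:
            # A marked host pulls in ant types that have not reported there yet.
            target = next((h for h in sorted(marked) if ant.metric not in reports[h]), None)
            host = target or names[ant.pos % len(names)]
            ant.pos += 1
            if ant.visit(host):
                reports[host].add(ant.metric)  # simplified sentinel: accepts the report
                ant.pheromone = host           # reward: the ant now advertises this host
                if len(reports[host]) >= THRESHOLD and host not in signals:
                    signals.append(host)       # enough distinct reports: threat signal
    return signals, reports
```

With the default ants, the connection-rate ant flags `h4` first, its pheromone diverts the CPU ant there, and the second report raises the signal; with connection-rate ants alone, no signal is raised.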

Sergeant ants haven't yet been implemented in the prototype system, but they will sit between the computing ecosystem and human analysts. When a threat signal is triggered, the sergeants will report it to a human for further action. The sergeants also let humans specify what types of behavior the system allows. For example, a system administrator could tell the sergeant not to allow peer-to-peer file sharing, and the sergeant would create agents to disable this on all the hosts. 

If a particular type of ant appears to work better than others, a human could tell the sergeant to create more of them and share this information with other sergeants. This could improve security across multiple networks.

The researchers expect future system implementations to integrate with more sophisticated anti-malware tools to take remedial action, rather than depending on human intervention.

Hybrid Approach

The two main types of security commonly used today run on either a host or a network gateway. 

A host-based system, such as anti-virus software, protects an individual computer. These systems typically look for a virus signature and take remedial action when they detect one. However, they generally don’t share information between hosts.

Network-based security systems, such as firewalls or intrusion detection systems, protect multiple computers on the same network but don't optimally protect an individual computer. This inflexibility can prevent a computer user from, for example, adjusting firewall settings to run novel applications.

The digital ants project is a hybrid of host-based and network-based systems. Each computer is protected by the digital sentinel that runs on the host and the ants traveling between hosts. The sergeants protect the network by tracking what happens across multiple hosts and communicating with users. 

Behavioral Analysis

Host-based security systems typically use signature analysis to detect the presence of malware. The software looks for a string of code to indicate a specific threat. However, hackers have developed techniques to change malware code automatically, thus making it more difficult to detect. 

The digital ants technique uses behavioral analysis to look for specific computer system changes that are associated with malware. Fulp said that the approach is not signature based, because it doesn't look for one signature per possible threat. "A system cannot easily perform all the different tests continuously," he explained. "Therefore, the approach relies on the population of ants to indicate what tests should be run based on the current threat level and conditions."

Because of the variety of changes that might be associated with malware, the researchers hope to develop approximately 3,000 different kinds of ants to look for different kinds of system changes. 

Fulp said the technique is best suited for large installations, such as those found in corporations, universities, and government labs. The prototype system has been tested on various forms of malware. The researchers haven't announced any specific plans for commercialization, but Fink said they're looking for commercial and/or government sponsors to make the technology more practical for real-world security because it’s still in very early development.

Fink explained, "This is a different way of thinking about security. Typically, we have a lot of information at the edge, and we gather it all in one place. But we have so much information we can't handle it all. We're trying to change the game by bringing security to the edge and making lots of local decisions automatically that contribute to the global security of the infrastructure."

The biggest challenge for swarm security is the established anti-malware vendors, noted Bradley Antsis, Chief Security Officer at M86 Security. "Because their desktop anti-virus revenue is typically their largest revenue source," Antsis said, "they protect that source very aggressively, making it very difficult for the up and coming technologies that have something very real to add to become noticed and appreciated."

George Lawton is a freelance technology writer based in Monte Rio, California. Contact him at glawton@glawton.com.