Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?

Biological Network Security 83

mercut writes: "A friend of mine recently wrote a Guest Feature on SecurityFocus about Biological Network Security. It has some interesting implications and I thought the /. community could provide some good perspective into IDS communication and security."
This discussion has been archived. No new comments can be posted.

Biological Network Security

Comments Filter:
  • pee in a cup now to use our network?

    I can just see it now - Bosses using this to run drug and other tests on us at the same time as we "authenticate" ;)
  • by Nick Smith ( 321087 ) <nsmith@webone.c[ ]au ['om.' in gap]> on Tuesday January 29, 2002 @08:29PM (#2922761) Homepage
    Does this mean having a cadre of Winged Monkeys to despatch upon evidence of network intrusion?

    "A DDOS attack coming from some script kiddie in Newark... Fly, my pretties, fly..."
    • by Anonymous Coward
      Couldn't get past this "...Initially, little consideration was given to network security,...
      What is this guy talking about? I've seen this kind before. Their facts are fudged in the 1st few sentences.
      As an example, the decentralized design of ARPARNET then later on the Internet had lot of security in mind.

      MILITARY(read security) + SCIENCE/ENGINEERING (read brains) = ARPARNET :: INTERNET.
      • You can only secure yourself for known forms of atack. In the begging of the internet, as far as I know, were indeed very insecure, since no one never thougth of atacks coming from the network. The intenet began to be secured after the first worm were made that was realy a great-grand-father of the nimda that used a combination of shell scripts and compiled code to propagate and installing it self and it did propageted as fast as wild fire, the net was almost shuted down because of it. After that the net wasn't safe anymore.

        Careless? No, I don't think so. You simply can't prevent something that yuo don't even know where it is coming from. No one would think to protect a city against a comercial airplane, now I bet people think about that, rather seriously.
  • very intelligent. (Score:3, Interesting)

    by prizzznecious ( 551920 ) <hwky@@@freeshell...org> on Tuesday January 29, 2002 @08:41PM (#2922804) Homepage
    Those working with computers stand to gain a great deal from considering biology and anatomy when designing systems. Artificial Intelligence is a field where this has already been applied extensively and beneficially, with the use of genetic programming.

    The human body (used here only because it's the most familiar to the average person) works. It has some problems, but the design is solid. We don't experience network downtime, and the majority of infections or intrusions we suffer are automatically dealt with. It makes sense to look to a model that's had 4 billion years to evolve- computer networks are pretty similar in function if you're not too pedantic about it.
    • We don't experience network downtime

      • Heh. Yeah.

        Er, I imagine a network that could automatically manage its resources well enough to be able to sleep (for powersaving reasons or otherwise) when not in use would be quite useful to most.
    • I would think that the redundancy of a "living breathing network" would produce so much overhead that upon activating a defence to a antigen, the network would be bogged down by the "immune system" communicating and travelling to the destination in a severe form of overkill.

      That's pretty much what a fever is, and couldn't be too good for a enterprise, mission critical, high dollar amount network.

      However, the transport system on a cellular level,
      internal packets could be treated as water, and "osmosis" would let packets flow one way, and selective permeability could allow certain packets in and keep others out. (Very much like a firewall protects, but a intricately layered firewall that protects and admits with stunning accuracy.)

      Packets could only leave through an active
    • by foobar104 ( 206452 ) on Wednesday January 30, 2002 @01:01AM (#2923726) Journal
      The human body (used here only because it's the most familiar to the average person) works. It has some problems, but the design is solid.

      I think the human body can only be said to work in the statistical sense. Pick any given cell, and you'll find that the body (any complex organism, really) is a pretty dangerous place. The body works as designed because the component parts are unbelievably vast in numbers and practically (in fact, literally) disposable.

      Stephenson dealt with an idea like this in The Diamond Age, his book about nanotech. The idea is that, because of an absurd but logical application of economies of scale, it's about as expensive to produce one nanotechnological computer as it is to produce one trillion of them.

      If we lived in a world like that, where fairly autonomous disposable computers could be practically manufactured and used, the "computer network as biological system" idea might make some sense.

      Remember that life as we have observed it is basically tuned to the idea that the problem is hard, but the raw materials are cheap and time is no object. The only thing that situation has in common with our world is that the problems are hard; in our case, the materials are really expensive (in dollars, but also in labor and opportunity cost) and time is of the essence.

      That's not an area in which biology does very well.
    • I like his anology of firewall more:

      To protect a city and its occupants a wall was built around the city, with a few gates provided
      to allow regulated access. If a city was conquered, the walls were simply rebuilt higher and wider. This is much the same approach people are taking with Firewalls; and ultimately it is ignoring the true problem,

      In this anology there are more solutions. Some city's make countries. (ISP buy each other). cities contain houses.(and each house has his own front door). etc etc. The segmentation is comparable to WAN country.

      If someone find a generic key to a house he can be fenced off at the firewall (be it at ISP/LAN/MACHINE level).

      Does this help: yes, more and more filters are implemented by ISP's, windows XP contains its own filerwall, Firewalls ge to know more and more about the traffic they let trhough.

      Even real countries (china) are firewalled completely).

      And if a firewall goes down, a bigger wall is made (including .
  • by Jamuraa ( 3055 ) on Tuesday January 29, 2002 @08:45PM (#2922809) Homepage Journal
    Great, just what I need, for my new security system to 'isolate and sacrifice' all the Secretary's computers, noticing their computers are the ones which most viruses get onto the network with.
  • speaking of cancer (Score:2, Interesting)

    by gluke ( 93629 )
    or chemotherapy, for that matter...
    you know, there's something to be said about targeting the immune system.
  • by danheskett ( 178529 ) <danheskettNO@SPAMgmail.com> on Tuesday January 29, 2002 @08:55PM (#2922842)
    This author believes that Biological Network Security is the next step in security, and the most important factor to make BNS work is Open Standards.

    I have to strongly disagree. Published and well renowed or not, anyone who makes that claim is utterly and completely wrong.

    The next step in security will be nothing like that. I have to deal with security related issues on pretty much continual basis, and I will say that the next step isn't BNS, but rather, just actually implementing existing idea, best practices, and software.

    A really good administrator and network architect can create a secure, robust, and fully functional environment today, right now, with off the shelf products (OpenBSD to start).

    What's most importantt to security is, and what will be the 'next step' is:

    a. Using fundamentally secure software (ie, an actual solution to the C-buffer overun problems that plague most everything).

    b. Increased awareness at all levels of organizational management to the effects and risks related with poor security

    c. The investment by administration and sys-admins in training, brain-power, thought, hardware, software, and other resources dedicated to security.

    d. Getting my goddamn users to use any passwords at all, let alone strong passwords!

    e. Widescale adoption of better system than passwords for user authentication - whether smart cards, thumbprints, retinal scans, ANYTHING.

    Artifical Intelligence is great and all. But would you base your network-security on something like it basically guessing (just like a human would have to do) whether or not to deny or accept connections? Users? How long will it be before Mitnick-esque hackers are socially engineering BNS to access to private networks?

    The next step will be all about getting fundamentals into place. Firewalls, good strong user policies, filling in human weaknesses, basic IDS systems, astute administrators, and fundamentally secure software is the place where we should be aiming - not some pie in the sky Biological system.
    • by Wier ( 196038 )
      1. The next step in security will be nothing like that. I have to deal with security related issues on pretty much continual basis, and I will say that the next step isn't BNS, but rather, just actually implementing existing idea, best practices, and software.

      The main problem with your next step is that it relies on Joe User becoming smarter. It also completely ignores a DDoS attack. Better passwords does not stop attacks from occuring.

      Computers were built to do complex things in shorter times than humans. Recognizing and acting upon those attacks seems to be a natural evolution of something computers should be doing, not relying on Joe User to get smart.

      1. The next step will be all about getting fundamentals into place. Firewalls, good strong user policies, filling in human weaknesses, basic IDS systems, astute administrators, and fundamentally secure software is the place where we should be aiming - not some pie in the sky Biological system.

      The thought that everyone will accomplish these things seems less likely than a "Biological System" being implemented.
      • by sabinm ( 447146 ) on Tuesday January 29, 2002 @09:28PM (#2922982) Homepage Journal
        I would say that both points are valid, a system is usually compromised by an outside person finding out INSIDE information. (passwords, p2p, trojans,) If access were locked down at the USER or NODE level then the 733t hax0r has a big box of cookies with no milk to dunk them in. That coupled with an outside defense system (firewall), trebled with a "compromised network" response (biological defense) would make a lockdown absolute.

        This however gives a very false sense of security without stiff penalties for violating the security policies. Remember, security is only as secure as the *least* secure factor. or person.
        • This however gives a very false sense of security without stiff penalties for violating the security policies.

          IMO, this is a key point that was almost completely ignored in the article, but I would apply it at the societal level. Since technological threats are created by humans, an effective defense strategy must include a deterrent (e.g. criminal prosecution) as well as a response. One of the tricky parts is that in order for this to work, the deterrent must be credible - investigation and prosecution must be a matter of course, and this must apply across national boundaries. Given the emerging definition of terrorism, we may well see this happen in the next decade. Of course, then we'll find ourselves faced with another tricky issue - where to draw the line. What constitutes malevolence vs. research, attack vs. investigation, prevention vs. tyranny? These are questions we already are starting to ask, but they will need to be answered before any effective deterrent can be implemented.
    • by Anonymous Coward
      1. The C buffer overflow problem will not be solved as long as pointer arithmetic is allowed. When computing resources were tight, it made sense to combine control and data into a single stack. Now, we are stuck with that decision. We have programming language solutions that people choose not to use (e.g., Java). Buffer overflow is no longer a technical problem; it is a social problem.

      2. I agree with everything else. I think security policies and access control is the next great area for security research. There is a huge disconnect between low-level policies (e.g., file permissions) and higher-level policies (e.g, use groups). As things become more distributed, the gap will widen.
    • You say: A really good administrator and network architect can create a secure, robust, and fully functional environment
      today, right now, with off the shelf products (OpenBSD to start).

      Yes, and a REALLY GOOD programmer won't have buffer overflows or memory leaks, and a REALLY GOOD secretary won't reveal private data by social engineering or click on email attachments, and a REALLY GOOD..., oh, never mind.

      Any security policy that depends on the whole human race suddenly getting genetically superior to what it is now is a non-starter.
    • I will say that the next step isn't BNS, but rather, just actually implementing existing idea, best practices, and software.

      You got that right. I have a security textbook. About 350+pages. 30 odd on encryption and such matters. The rest on organizational issues. Dumpster diving and social engineering are always a threat.

      If you can pick some developer's brain for a password or pay the secretary $5K for a way in... cheaper than trying to crack a 128 bit encryption scheme. And probably more interesting because in addition to getting info on how to get in, you can get info on where what you want might be located!

      Security starts with a well-thought out policy covering the organization, the employees, and the computer systems. Then the next step is implementation of those policies in a meaningful way. Passwords that are too short or easy to guess, people who write their passwords on their desk pad, employees who run anything that arrives in their inbox including viruses and trojans, etc - these are the threats to security that we have to beat before fancy shmancy AI biological and biometric systems matter a whit.

  • Interesting idea, (Score:3, Insightful)

    by Danielle Gatton ( 534290 ) <dgatton45@NoSpAm.hotmail.com> on Tuesday January 29, 2002 @08:58PM (#2922854)
    but the implementation will be a bear. First there is the relatively low hurdle of standardizing communications between IDS's. The IETF has been working on such a format [ietf.org] for a while.

    The main problem, though, will be in establishing automatic systems that are able to judge "threat levels" and act accordingly. People will sign on to such a network only if it's more likely to benefit than to inconvenience them. Such a system won't be of much use if it requires human intervention every time an alert goes up, but it is notoriously difficult to program computers to take the place of simple human judgement.
    • by Tora ( 65882 )
      The intention would be to supplement the existing human workforce, not replace it. Currently there is just too much information for even a large team of individuals to handle well; a system like this would supplement their efforts and massage them into something more manageable for both sending AND RECEIVING alerts (I would love to receive alerts from other people about anomolous behaviour from my network)
    • Similar system (Score:2, Informative)

      by psyclone ( 187154 )
      This article reminds me of a similar system developed at my university. It has threat levels and the software can act on those threat levels. Check it out here [uidaho.edu]. Unfortunately, the documentation on the web is a bit out of date, but conference papers have been written on it and it's available for download.

      I agree that the "universal" IDS information format will be a long time comming. It's been worked on and thought about for years, but the security corporations seem to be doing just fine on their own. In the realm of security, implementation is usually the most difficult obstacle to any solution.

  • So after my firewall has been exposed to MS Exchange traffic a few times it will go into anaphylactic shock?
    • Well, if you're saying that your system is already flawed. Anaphalectic shock is produced when an antigen accepting compound, which usually attracts killer cells, attaches to the killer cell and then does sort of a "wish bone" effect, tearing open the killer cells and releasing the poison intended for the antigens into your body. So, I guess if you mean that your system's AI is flawed, then yes, your system could go into shock.

      Sorry I replied in such a terrible manner to an obvious joke. But anaphalactic shock is most certainly caused by inherent flaws in the auto-immune system and not so much as the attacking organisms.
  • by mcrbids ( 148650 ) on Tuesday January 29, 2002 @09:12PM (#2922911) Journal
    This, like many other similar ideas, sounds good, and just won't work.

    Can you imagine the number of people who'd have to co-operate to make this happen? And it wouldn't even be possible for CONGRESS to make it happen, since the Internet is International now.

    However, there is already a good amount of work done to secure the Internet - take a look at Bind 9 and its secure DNS, IPv6, ISP border address verification, etc.

    The foundations of the failure of these ideas is that of "trust" - who do you trust, anyway? What happens when somebody you trust suddenly changes heart?

    Following your representation of the "biological" model, can you successfully argue for "biological" home security? How many houses do you know don't lock their doors and rely on super-intelligent robots or dogs to defend them?

    I thought so.

    Notice that even your "biological" model breaks down for biology! Nearly every organism has skin, an exoskeleten, cellular wall, etc - in other words, a biological firewall!

    These other methods work in conjunction with a good firewall, but the firewall is here to stay.

  • The threat level can be determined from many factors: Previous trends of the attack The origin of the attack The target of the attack; does it even apply to the targeted system, or does the target have a different version or operating system from what is being targeted? After the threat level has been determined the CAS may decide to act on the alert. In this case, it sends a message to the targeted system, firewall, router and other perimeter defense mechanisms, requesting them to deny access from the origin to the targeted services and protocols. Immediately a warning flag should go up in everybody's mind about possible exploits of this step, and there certainly should be a strong mechanism of trust built between the CAS and the local network it is considering.

    This sounds a lot like setting up neural network for defense... i seem to recall some people working on neural nets that might be applicable. http://hebb.cis.uoguelph.ca/home/ns.html [uoguelph.ca]

  • Flawed analogy (Score:4, Insightful)

    by Anonymous Coward on Tuesday January 29, 2002 @09:39PM (#2923015)
    Immune-system defense works great when the attacker is no smarter than the immune system. Ie., when the attacker is naturally-evolving bacteria and virii.

    When the attacker has human-level intelligence, on the other hand, the immune system folds like a beat puppy - thus the success of poisoners. To defeat poisoners you have to harden your kitchen.

    So computer immune systems are liable to work, as long as intruders are no smarter than bacteria. That oughta keep out the script kiddies, though...

  • This system isn't biological, its not even artificial intelligence.

    The proposed method of preventing a (DoS) attack by notifying your upstream provider to cut off traffic has been proposed before, and discarded as a bad idea. Imagine if I sent a bunch of messages from my workstation to my ISP which had just such a system :

    "Help Help! microsoft.com is DoSsing me!"

    .. and then the automated "biological" response system at my ISP acted on it, forwarded it to microsoft.com's ISP and had them cut off from the Internet. Actually, on the other hand, that might not be such a bad idea ......

    But in all seriousness, the scope for misuse is so large that nobody would ever put this kind of system in place.
  • While certain aspects of this idea are interesting, I think it raises several serious problems.

    The currently used shorthand of this security posture is the use of active defenses such as Sentry. While useful in a remote network with a limited range of applications (read: small, and by applications, I'm talking layer7, not Word), rigidly predefined responses to certain incident conditions almost always cause trouble on a large system used for a wide variety of purposes. Even if one were to make the incident response logic near-omnipotent in its ability to respond appropriately, the openness of the standards involved would mean that any intruder would have a VERY good idea of how your systems will react to attack, to say nothing of being able to monitor the response by looking for outbound BNS traffic.

    There is also another more sinister possiblity for how this type of protocol might be used. If network security structures could be organized into an "authoritative cloud" of trusted BNS devices controlling the Internet, it would provide a great way for people currently annoyed at the free exchange of information on the Internet to have a good chance of shutting it down.

    Would you want to hear about legislation pending in your state government that would force your ISP to shut you down for surfing porn?
  • by Toast ( 3221 ) on Tuesday January 29, 2002 @11:12PM (#2923328) Homepage
    While attempting to stop network attacks, including Denial of Service attacks, the author has proposed an excellent DoS tool.

    Given how easy it is to spoof traffic over the insecure IP and TCP protocols, all an attacker would have to do is spoof some attacks coming from some of AOL's IPs, and all of a sudden all AOL users can't access your site, since the CAS system told the backbone routers to block all the AOL IPs .

    If you use the biology metaphor, this is an alergy. Your system is reacting aggressively to something that isn't a threat.

    IDSs have had the ability to configure firewall ACLs for years via OPSEC SAMP, etc., but almost no-one uses it for this very reason, it's just too easy to trick.

    The real solution is to redesign the internet protocols with security in mind. Something like IPSec does a lot more than this proposes system ever would.

    The one good idea the article had was centralized analysis, but as the article mentioned, this was discussed more thoroughly in a previous article on securityfocus.

  • Don't you know... (Score:4, Insightful)

    by naasking ( 94116 ) <naasking AT gmail DOT com> on Tuesday January 29, 2002 @11:15PM (#2923349) Homepage
    Humans are always the weakest link in any security system. Adaptive system won't help if you have idiots setting them up, running and using them. Education people, education. That's what's needed.

  • by justin.warren ( 14556 ) <daedalus&eigenmagic,com> on Tuesday January 29, 2002 @11:22PM (#2923381) Homepage
    It was an interesting read, but the author is a little off base with the analogy. I believe an analogy with more direct correlation to the real world would be more like this:

    Semi-permeable membranes, aka firewalls. A person's skin acts as a pretty good firewall, allowing certain substances in or out and is mostly successful. It is possible to exploit it through making harmful substances appear to have the signature of allowed substances, in the same way that allowing inbound connections of any kind permits other connection types to mimic it: eg, hijacking a terminated telnet connection and sending traffic in the reverse direction. I can't think of a skin analogy for access-list allow host port established syntax, but I'm sure one exists. Firewalls thus play an important part of a biological system.

    Complex system interactions. If one were to use an individual cell as an analogy for a computer network and pathways into and out of the cell as the routes through the firewall then you come close to the biological analogy proposed in the article. Note that cells do not in fact advertise that they are under attack from viruses. Other cells notice that a virus attack in underway and react accordingly, with varying degrees of success. It is this approach that would be more useful to take by analogy from biological systems and apply to the computer/network security field. The same problems exist.

    Firstly there is the problem of the existing IDS not noticing an intrusion or failing to take sufficient action, such as for any biological infection which causes the death of the host. The biological solution to this is to immunise the system by exposing it to a non-lethal form of the pathogen to educate it for what to look for. A virus-scanner is a good example: Virus signature updates are the computer/network security version of immunisation.

    Then there is the problem of overreaction. In a biological system this is equivalent to the so-called '20th Century Syndrome' of boy-in-bubble fame. The biological system's IDS incorrectly registers normal operations as an intrusion and acts as it would for a normal intrusion, causing illness or death. This is a 'false-positive' reaction and is even more likely in a poorly designed IDS. As an example, reference the number of false positives generated by end users who install ZoneAlarm or equivalent personal firewalls. This is the same 'Microsoft is DoS-ing me!' argument mentioned by another respondent.

    So, the analogy has merit, but is poorly expressed in the article. I wish to point out that the main advance in IDS and security in general is not the establishment of a new analogy, paradigm or any other buzzword. I believe there are two key aspects that become increasingly important:

    1. Correctness of implementation. This is fixing inherent security problems that allow infection to occur. This requires hardening of software, systems and networks. Most people in the field acknowledge this to be true.

    2. Greater correlation. This is the ability to more correctly diagnose likely causes from symptoms. The security administrator becomes the highly trained doctor, using knowledge gained from analysis of known pathogens, methods of attack and problems inherent in existing symptoms and uses this knowledge to faster and more accurately diagnose root causes, and prescribe a solution. The use of tools, preferably automated, greatly increase the effectiveness of this approach. I believe it is in this area that the greatest advances have yet to occur.

  • IDS taking actions is a very complex issue. Most of our IDS nowadays are based on signature detection. It is not 100% accurate, it can detect false positive or can miss attacks that are not signature based (I actually wrote my SANS GCIA paper on one of these non-signature based attacks)

    IDS triggered action is not safe at all, it could cause unnecessary DoS to unintended target if IDS ever gets too smart.

    The best solution with todays technology is still active alert (even better at real time) and have analysis by human to determine whether there was actually an attack.

    Remeber, a lot of traffic is stange but there might be a legitimate reason behind it. Anyone remeber the faulty router at daemon.net?
  • by cjsnell ( 5825 ) on Wednesday January 30, 2002 @01:06AM (#2923744) Journal
    IDS and biological security are neat but it will be quite some time before they can be deployed on a large network. The reason: bandwidth. If you read the article and look at the included architecture diagram, this should be obvious. To make IDS work, your IDS device must, at a minimum, see all of the incoming ("dirty") traffic on your network. If you have anything more than a single T3 coming in, the amount of data to be analyzed is just too great. Correct me if I'm wrong but is there any machine which is capable of analyzing (in real time, mind you) 150+Mbit/sec of traffic? In addition to monitoring this traffic, a true IDS needs to look for patterns and signatures over a period of time. The processor and storage requirements for this sort of thing are just too enormous.

    • Bandwith scalability -> distribution of devices.

      So, no, there's not many machine which analyzes Gbit/s but if you separate this traffic to many devices, you just have more devices who analyzes and centralize the information.
  • You know what I think? I think security isn't all that important. Especially if you have NO backups of your important data, and even more especially if the data you have contains trade secrets or other stuff you don't want anybody to see. The reason is simple. Most people don't even know about computer security. They're afraid to get dust on their mouse because they think it'll give them a "virus"... and they think that when the plug of the monitor falls off the VGA output, that's caused by a "virus" as well. Because most users are FUCKING IDIOTS. Therefore, security isn't important at all. It's much easier to just arrest some teenager for using Microsoft Word to write a research paper on why cigarettes kill (an activity that could be defined as the epitome of international terrorism, and should be punished by immediate death by removal of the head) than it is to fix the bugs.

    Oh well.

  • I thought that this [slashdot.org] was the story of Ping?
  • Some are getting too hung up on carrying the biological metaphor too far. There is no way these systems can, in the short term, be anywhere near as complicated as that of a living system. But neither do they have do be, since the environment in which it operates is vastly less complicated than the physical world. Past success in applying simplistic biological models (GAs, etc) to limited domains seems very encouraging to me.

    This link might give some good reading:
    http://www.cs.unm.edu/~immsec/ [unm.edu]
  • The idea of identifying the abusing traffic, and throttling it back to the source sounds like closed loop congestion control.

    It's a concept that has existed in Frame Relay/ATM, for example, for a decade (at least on StrataCom/Cisco) equipment. They use an algorithm called ForeSight(tm) on their core switches to throttle VC traffic in the case of congestion at the source. This later evolved into the ATM ABR standard, with input from other vendors.

    In this type of automatic "biological" response, as long as no other traffic is attempting to use the bandwidth, the activity is permitted (who knows, it could be a "normal burst"). When other traffic is active, the offender is throttled back to to the source to its minimum rate.

    While it doesn't stop the problem, it makes the offender ineffective at impacting service. As a result, it's no longer a "denial of service". Some more information on ForeSight and ABR in this whitepaper [cisco.com]. The functionality predates the BPX product mentioned in the whitepaper (the StrataCom IPX had it), but that's before Cisco purchased StrataCom.

    Frame and ATM are "session oriented"; a PVC or SVC defined the communications along a path, so it's easy to define the parameters to control traffic characteristics. I'm not that familiar with IP QOS; is there an equivalent functionality that would apply? If so, could the problem be solved by making the attack "unattractive" (nondisruptive)?

  • What would prevent a user of a LAN that a CAS is on from spoofing the CAS' IP address and sending a false alarm flying to every corner of the net?

No line available at 300 baud.