Ants Vs. Worms — Computer Security Mimics Nature

An anonymous reader writes with this excerpt from Help Net Security: "In the never-ending battle to protect computer networks from intruders, security experts are deploying a new defense modeled after one of nature's hardiest creatures — the ant. Unlike traditional security devices, which are static, these 'digital ants' wander through computer networks looking for threats ... When a digital ant detects a threat, it doesn't take long for an army of ants to converge at that location, drawing the attention of human operators who step in to investigate. 'Our idea is to deploy 3,000 different types of digital ants, each looking for evidence of a threat,' [says Wake Forest Professor of Computer Science Errin Fulp.] 'As they move about the network, they leave digital trails modeled after the scent trails ants in nature use to guide other ants. Each time a digital ant identifies some evidence, it is programmed to leave behind a stronger scent. Stronger scent trails attract more ants, producing the swarm that marks a potential computer infection.'"
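The scent-trail mechanism described in the excerpt, as a small simulation. This is an added example, not code from the article or from the Wake Forest researchers; the ring of 12 hosts, the three sensor names and all parameters (deposit, evaporation, alert threshold) are assumptions chosen for illustration.

```python
import random

# Constructed sample network: 12 hosts in a ring, each linked to two neighbours.
HOSTS = [f"host{i:02d}" for i in range(12)]
# Hypothetical sensor types; each ant looks for exactly one kind of evidence.
SENSOR_TYPES = ["odd_listening_port", "unsigned_binary", "failed_login_burst"]


def neighbours(idx):
    """Ring topology: previous and next host."""
    return [(idx - 1) % len(HOSTS), (idx + 1) % len(HOSTS)]


def simulate(evidence, n_ants=60, ticks=300, deposit=1.0, evaporation=0.9,
             alert_fraction=0.5, seed=1):
    """Run the swarm and return (alerts, ants_per_host).

    evidence maps a host name to the set of sensor types that would fire there.
    A host is flagged for a human operator when at least alert_fraction of all
    ants have converged on it.
    """
    rng = random.Random(seed)
    scent = [0.0] * len(HOSTS)
    # Each ant is [position, sensor_type]; sensor types are spread evenly.
    ants = [[rng.randrange(len(HOSTS)), SENSOR_TYPES[i % len(SENSOR_TYPES)]]
            for i in range(n_ants)]

    for _ in range(ticks):
        # 1. Ants whose sensor finds evidence strengthen the local scent.
        for pos, sensor in ants:
            if sensor in evidence.get(HOSTS[pos], set()):
                scent[pos] += deposit
        # 2. Every ant stays put or steps to a neighbour, weighted by scent,
        #    so stronger trails attract more ants of every type.
        for ant in ants:
            options = [ant[0]] + neighbours(ant[0])
            weights = [1.0 + scent[o] for o in options]
            ant[0] = rng.choices(options, weights=weights)[0]
        # 3. Trails fade, so a swarm dissolves once the evidence is gone.
        scent = [s * evaporation for s in scent]

    counts = {h: 0 for h in HOSTS}
    for pos, _ in ants:
        counts[HOSTS[pos]] += 1
    alerts = [h for h, c in counts.items() if c >= alert_fraction * n_ants]
    return alerts, counts


if __name__ == "__main__":
    infected = {"host07": {"odd_listening_port", "unsigned_binary"}}
    print(simulate(infected))
    print(simulate({}))
```

With evidence on one host the ants converge there and only that host is flagged; with no evidence they stay spread around the ring and nothing is flagged.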
  • by sopssa ( 1498795 ) * <> on Saturday September 26, 2009 @05:14AM (#29547255) Journal

    What's with the ridiculous reference to ants? If they had said this in a technical way, I might actually even understand what they mean. Now it's basically "ants travel inside your network". The article doesn't tell a lot more.

    Obviously nothing is "traveling" inside your lan cable. So do they mean they have every machine in promiscuous lan that tries to seek what is traveling there? What kind of "scent" does it leave when it detects some threat and how do the other computers interact with that?

    Stop doing some stupid nature references just for the hell of it, give technical details.

    • by buchner.johannes ( 1139593 ) on Saturday September 26, 2009 @05:21AM (#29547275) Homepage Journal

      They are talking about an ant-based algorithm, often used in optimization (routing, for example). Some information is here [] and here.

      • by buchner.johannes ( 1139593 ) on Saturday September 26, 2009 @05:24AM (#29547281) Homepage Journal

        Second link: [] (sorry)

        I think this is just some theoretical research that got picked up by someone who never heard of Ant algorithms (it sounds impressive when you hear it the first time), but it can often be outperformed.

        • XKCD []
        • by mikael ( 484 ) on Saturday September 26, 2009 @01:19PM (#29549135)

          He just uses "ants and swarms" to replace "daemon and daemons".

          His research is based on a network of 64 computers and has identified all sorts of different types of security breach that can be detected on a network (unauthorized ssh/ftp, botnet commands, spam-mailer, virus-in-a-mail-message, backdoor trojan) and that it might not be possible to detect where the originating commands are coming from - a whole load of servers or PC's might be infected.

          The article states that there is a performance gain from having a separate task to detect each of these (he calls these ants). Since there are so many files, ports and devices to be checked, it is better to have multiple copies of each task. OS people would call these 'daemons'. Testing for all of these security breaches requires a "swarm of ants" or a "plague of daemons" (whatever the aggregate work of daemon is).

          I guess talking about daemons in the server network would probably scare the h*ll out of Christian Managers.

          • Thanks for the link in your sig, signed the e-petition and already had plans to get rid of virgin when I move house next year, they're wang. I shall add the phorm thing to the letter I send them, explaining my opinion of their service. yes I know it's meaningless, but if enough people do it.....
          • Just get nmap, configure it to run as multiple instances from multiple computers, and configure each running instance to have certain search parameters. If this is what they are talking about, not much to see here, you just downplay the load on a server, by telling it to play only certain vulnerabilities, leaving others to look for different types.

            Seriously, sounds like a lot of BS just to fill up a story, once you find an exploit, it stops there, sends you an email and waits for you to log back on to fix or

      • Re: (Score:3, Interesting)

        by Jurily ( 900488 )

        They are talking about an ant-based algorithm, often used in optimization (routing, for example).

        I'm sorry, but neither you nor the article make any fucking sense whatsoever. This is an IT geek site, stop with the fucking metaphors. Why do these people expect us to understand "virtual ants wander around the network" any more than "a network scanner that looks for the same security holes as the worms, only this notifies the sysadmin about them"?

        • I wouldn't know what TFA says, I don't read 'em. What the GP is trying to say is not a metaphor, the mathematical behaviour of ant colonies is useful from a networking and logistics POV [].
        • by TheLink ( 130905 )
          Maybe the reason is if people understood it, they'll know it's mostly bullshit or useless.

          Having stuff "wander around" networks isn't going to be very useful, especially when you don't want stuff wandering around all your networks in the first place.

          What might be useful is machines that raise an alert when they think something is going wrong, or even quarantine themselves (or networks). I believe such systems already exist.

          Anyway, just put some controls over info flow via firewalls and proxies. Then get use
        • by mikael ( 484 )

          I've tried explaining computer technology to my retired relatives..

          Me: "Ok, here's your power cable - that plugs into the back of the base unit just like your DVD player. The cable here goes to the screen just like the SCART connector to the TV. Now this is the keyboard which is just like a typewriter keyboard, and this is the mouse...."

          Relative: "What? Where's the mouse? That plastic thing there? It doesn't look much like a mouse to me. Where are its whiskers, feet and tail?"

          Me: "OK, let's call it an input

        • by dodobh ( 65811 )

          The "ant" terminology comes from the chaos/complexity/emergent phenomena fields. Individual ants are stupid, but the behaviour of the colony is not.

          It's a technical term from a non-computing field, not a metaphor.

    • by kbw ( 524341 )

      I can't see anything new either. Let's think about this. There are processes that look for suspicious files or configuration and do something about it. Surely the fundamentals haven't changed, you still have to find a threat and then act on it. The article has conveyed no new information.

    • by Fred_A ( 10934 ) <fred@fredshom[ ]rg ['e.o' in gap]> on Saturday September 26, 2009 @05:45AM (#29547343) Homepage

      Obviously nothing is "traveling" inside your lan cable.

      So why does your network crawl all of a sudden?

    • Sure hope someone releases some dung beetles to clean up the bowels of my Snow Leopard.
    • MOD PARENT UP. It is apparently correct to be skeptical.

      The Serenity Project [] in the European Union is using the same approach. They call it "Ambient Intelligence(AmI)." The level of intelligence in the Serenity project may be indicated by the fact that, at present, 2009-09-26, 02:47 PDT, there is no space before "(AmI)". The Ambient Intelligence in the Serenity Project is very low, apparently.

      Someone who worked for SAP Labs France [] told me the SAP Labs France part of the Serenity Project is so poorly managed that smart people leave as soon as they can find other jobs.

      Apparently the only way of providing security that actually works is the Open BSD method []: Audit the code. No number of "ants" can provide the security of audited code.

      Want more biological humor? Read about SAP's customer-focused ecosystem []. It supposedly fosters "... an ideal environment for ongoing innovation and value creation..." Biological references are apparently the hot new thing in corporate-speak. Biological references concerning computers are very useful to people who have no technical knowledge and don't want any, because they are so vague the speaker can never be found wrong.
    • What's with the ridiculous reference to ants?

      It implies you can put a stop to them by pouring boiling water on their nest!

      • Grasshopper: When the water rises the phish eat the ants, and when the water falls the ants eat the phish.

    • by noundi ( 1044080 )
      Aren't ants and worms ultimately -- well bugs?
    • by Jessta ( 666101 )

      If they stopped the stupid nature reference it wouldn't be impressive at all and you'd realise they had made something completely useless.

      1. If you know enough about a security threat to detect it, then you also know enough about the threat to actually prevent it.
      This is computer security(where you can have complete security) not physical security(where all it takes is time to bypass).

      2. These 'ants' are software running on infected machines, and thus any response they give can't be trusted.

      3, you want to f

      • I believe the "stupid nature reference" is just to state where they got their inspiration from, and it also serves as a non-technical analogy that laymen can understand. It's a pretty standard practice that you'll find in many CS textbooks. Also, you're making a lot of assumptions and outright illogical statements.

        1. You clearly aren't very knowledgeable about network/system security. Sure, you can have complete security if you leave your computer off or don't connect it to an external network, but that's n

    • What's with the ridiculous reference to ants?

      They couldn't come up with a decent analogy involving drunken cheerleaders?

      • by arminw ( 717974 )

        ..a decent analogy...

        involving automobiles is what is needed.

      • Re: (Score:3, Funny)

        by lewko ( 195646 )

        Because hearing "Drunken cheerleader" and "virus" in the same sentence kinda spoils the fantasy.

    • If you can stop waving your freak out stick for a second, you'd see that he's trying to make an analogy to the natural world so as to better illustrate the mechanism behind this technique. Furthermore, seeing as how the natural ant mechanism was the inspiration for this, how exactly is it ridiculous? Or is the issue that you just lack the imagination to take one model and superimpose its properties onto another setting?
    • Oh great, now the blackhats will just start using "ant" tech to create their botnets. One will find a big cache of bank data, start shouting, "hey guys, here's a goldmine!" and they'll go nom nom nom all over our computer networks. Sheesh, just require admin password for the installation and first run of ALL executable code.

  • Obvious questions. (Score:3, Insightful)

    by ( 1195047 ) <philip DOT paradis AT palegray DOT net> on Saturday September 26, 2009 @05:21AM (#29547277) Homepage Journal
    The second question depends heavily on the answer to the first.
    • Who gets to decide what qualifies as malware or a "threat?"
    • Why should user agents trust this assessment?
    • Re: (Score:3, Funny)

      My idea for network security would be this:

      Measure network traffic for a normal week or two, no limitations. Everyone should do the things they usually need to do. Ports, Types of traffic, etc. and Bandwidth is recorded.
      Then the admin creates a firewall setting from that (hopefully automatically).
      In the following weeks, differences to the behavior is measured, allowing the admin to extend or restrict the rules.

      And it would have colorful buttons.

      • And walk straight into pitfall #1 with punji sticks in it.

        What if there is already something wrong with your network. I should send your comment to Marcus J. Ranum sometime, he's always amused by these ideas.

        You HAVE to know exactly what is on the network, not making assumptions that it is clean. Examine everything, catalog everything. Deny all, permit known.

    • In the hierarchy of information technology it's the role of the Network Administrator (NA) to identify and defeat threats to the network and its nodes, to be the enterprise's last line of defense against the leakage of proprietary or sensitive information and to defend each node not just against the wider world but also against each other. The network is not a trusted space no matter how many firewalls you have, and it was never intended to be. Far more attention is paid these days to connectivity. Disco

  • by t0qer ( 230538 ) on Saturday September 26, 2009 @05:25AM (#29547285) Homepage Journal

    I just gotta run..

  • by AdamInParadise ( 257888 ) on Saturday September 26, 2009 @05:26AM (#29547289) Homepage

    In nature, an ant can get infected by many kinds of fungus, and when they return to the colony or meet another ant, the fungus can spread to another host.

    Similarly, deploying this kind of "digital agents systems" opens another path of transmission for viruses and worms.

    It's nice to see that some people are still active in this research area, but does anyone know of a product that actually uses such a principle for real?

    • by Lesrahpem ( 687242 ) <`devnull' `at' `'> on Saturday September 26, 2009 @05:43AM (#29547335) Homepage
      This reminds me of how one of the first worms was actually created. Xerox made it for going around their computers after hours and doing various checks and system maintenance. It got out of control and DoS'ed their network.
    • Similarly, deploying this kind of "digital agents systems" opens another path of transmission for viruses and worms.

      I think they are talking more like digital observers, sort of like a multi-threaded passive search as opposed to a huge beam laser like contemporary virus programs use. As long as this new element uses no added privileges over any other read authorized thread then this doesn't add a path for transmission but it does increase the search area. It also decentralizes the virus protection protocols allowing the system to function despite basic malware attacks on the root level virus protection. Imagine if your v

    • Re: (Score:3, Interesting)

      but does anyone know of a product that actually uses such a principle for real?

      Yes. Ants []

      It's a p2p program that uses a similar principle to vastly increase user anonymity. Currently, the only downside of the program (that I've noticed) is that it is in such minimal usage. The ant-like functionality of it, however, is really quite intelligent.

  • by Norsefire ( 1494323 ) * on Saturday September 26, 2009 @05:38AM (#29547323) Journal
    We've got Worms and Spiders, now Ants!? I'm going to have to find a new hobby; computing doesn't seem very entomophobiac-friendly.
  • by turing_m ( 1030530 ) on Saturday September 26, 2009 @05:52AM (#29547361)

    The internet is a lady of ill repute. My approach to security when "connected" to the internet is like 3 layers (hardware firewall, running as unprivileged user, whitelisting javascript/flash) of prophylactic separated by 2 layers of Deep Heat (logging, and tripwire). If either of the outer layers are "breached", I get a prompt warning.

  • I for one welcome our new digital insect overlords.
    • That's overladies to you buddy. Hello from your ant Mabel.

    • by Hatta ( 162192 ) *

      Ants vs. Worms sounds like a great video game.

  • So... bugs? (Score:5, Funny)

    by jamesh ( 87723 ) on Saturday September 26, 2009 @06:33AM (#29547451)

    If I wanted 3000 bugs swarming inside my computer I'd run Windows.

    • Re: (Score:3, Funny)

      by dissy ( 172727 )

      If I wanted 3000 bugs swarming inside my computer I'd run Windows.

      This is why, even with just one hard drive, I always load drivers for RAID.

    • by antdude ( 79039 )

      Ants aren't bugs. They're insects! :P

  • Bound to fail (Score:4, Insightful)

    by Tinctorius ( 1529849 ) * on Saturday September 26, 2009 @06:38AM (#29547465)

    Taking the obvious problems with this approach aside (using viral programs to identify viral infections), it should be easy to distract the flock of "ants" by one or more decoy infection(s), and then start the 'real' infection on the "other side" of the network. The "ants" have built a highway of warning signs towards the decoy(s), so the probability of ants traversing to the 'really' infected machines is lowered.

    It's always fun to apply theories from one field of CS (namely optimization) to another (security), but if you give it a short thought, you know this can't be a good idea. It wouldn't be science if they didn't test that hypothesis, but I certainly hope they're not that stupid to test it in production systems.

    • The scent signal only travels so far. This will not create a defense void at the side opposite the infection. But, the "ants" should not only lay down scent trails when they pick up a threat, they should clone themselves. This will select for the repertoire of ants that can identify this type of threat. That way you bring more effort to bear at the site of infections without worrying about depleting resources on the "other side" of the network. Once the initial threat is over, the cloned ants disperse, cov
  • by misnohmer ( 1636461 ) on Saturday September 26, 2009 @06:54AM (#29547499)

    Having anything "crawl" through your network seems like a huge security risk to me. Any security solutions will have to be aware of those crawlers and allow them to crawl from computer to computer. What's to stop viruses from simply impersonating such a crawling ant - free pass to every computer on the network!

    Another problem may be as they all "converge" on threats. What if they bog down the target machine, or the network? If my browser cookie looks "yummy" to the "ant" (no pun intended - browser cookie may be classified as a threat), next thing I know my network interface is crawling with these "ants"! My administrator cannot log in because of all the ants plugging my bandwidth!

  • by garompeta ( 1068578 ) on Saturday September 26, 2009 @07:08AM (#29547535)
    The genus "pseudacteon" of the Phorid flies zombifies ants, laying eggs in the ant's thorax. The larva moves to the head of the ant and it feeds itself until it is big enough to come out, decapitating the ant.

    So yeah, I think I know how this story of swarming ants is going to turn out.

  • by FatherDale ( 1535743 ) on Saturday September 26, 2009 @07:53AM (#29547665)
    Forget ants. Gimme a can of Raid.
    • The one paralleled in nature, I think, is that the whole offense/defense is an evolving dynamic system. There will never be a 'done.'

      New attacks will be found/invented each time a new defense is found for existing threats.

      For me, it is 'so far, so good!' in using Debian stable, and an unprivileged user, sudo'ing as needed.

    • Redundant array of inexpensive disks is good! :)

  • Obligatory reference to MUTE, an anonymous p2p system for file sharing which is apparently based on the process by which ants find food: []

  • Our idea is to deploy 3,000 different types of digital ants, each looking for evidence of a threat

    That's not an "idea", that's an analogy. An analogy with nature is a nice way of explaining something, not an idea.

    Their "idea" seems to be that if there is evidence of an infection, then the infected system should be examined further for evidence of other infection. I'm not sure why that's useful. Why not investigate all systems for all infections? Why continue to run an infected system at all?

    it is progra

    • I'm also having a hard time trying to understand the "use" here. But I'm not a network guy. I'm assuming though these ants will try to identify individual patterns that are not specific to a threat but are potential threats based on behavior. As the ants swarm they identify other similar behavior taking up more CPU time looking for other occurrences of the behavior...I'm assuming once the ant arrives on the system the bandwidth would no longer be an issue as the local daemon that accepts the ant would be do
  • There is no way i let ants in my box.
    Lemme buy some insecticide.

  • Or better still, uncles, a type of ant that fights network ants, scattering them and making them useless.

  • How long before these 'ants' are set loose to sniff out people the State finds undesirable?
  • Ants are not a good analogy. What they are describing is much more like an adaptive immune system - the "ants" in their system are circulating T-cells. Dr. Rodney Langman, an immunologist from the Salk Institute and UCSD, proposed exactly what the article describes. He described the conceptual elements required to form a synthetic immune system in the early 90's. Initially the goal was to model and understand our own adaptive immunity, but he often used computers and network protection from viruses as examp
  • Hewlett Packard did this 15+ years ago for purposes of device discovery and management.

    They had a constrained abstract machine environment in some of their products that was intended to be "infected" by one of their worker programs.

    Worker code would "infect" a machine, would send back reports about the machine, would serve as a contact point for management, and try to propagate itself to other machines.

  • which step here involves 'When wintertime rolls around, the gorillas simply freeze to death'? Is it the one that comes right before the 'Profit' line?

  • and the name of the ant? Tron. Will it keep an eye on the Master Control Program also?
  • "Ants" in the network is an idea that has been around for a decade. For a short while it got a lot of interest as a network-routing tool