Beyond Crypto: Adaptive Security

by Owen Densmore

Anyone involved with securing systems now days is likely to become
rather too involved with only part of the problem: Prevention.  In Bruce Schneier's Secrets and Lies,
he stresses the importance of "the rest" of the analysis: Detection and
Response, which together with Prevention form the synergistic triad of
security.



Bruce can take heart: a recent Santa Fe Institute workshop entitled "Resilient & Adaptive Defense of Computing Networks" is setting the stage for a different approach to security, one modeled on natural resilience often seen in nature.  These techniques
are adaptive: they respond in natural ways to the behavior of the
system.  One holds opinion polls amongst the participating cache
servers to agree/disagree on the integrity of the data they
hold.  Another looks at the packet traffic within a network,
looking for signatures of "normal" use and responds when abnormal
behavior is seen.



Another interesting theme is that several techniques can be used
together, one protecting from virus attacks, another from break-ins, a
third on data integrity, another checking the subnet health.  The
Whole is greater than the Sum of the Parts in these situations.
 By their simplicity and independence, these adaptive approaches
avoid the brittleness typical of Prevention-only systems. Much of this
work originated with Stephanie Forrest's ground-breaking "Computer Immunology" work at University of New Mexico.



Let me give one concrete example
(click on Acrobat logo for .pdf file) to illustrate these
approaches.  This is from Matt Williamson, of HP Research Labs,
and a earlier a student of Stephanie's. It is based on the observation
that systems tend to limit the number of hosts they talk to at any
given moment.  Matt keeps a short list (5 is common) of "active"
hosts that get full response by the computer.  New hosts are put
into a queue that is slightly delayed, typically by a second.  As
old active hosts age, they are replaced by the new nodes which now
operate at full speed.



This approach works quite well, tolerating "false positives" yet
effectively throttling viruses.  And it and others like it are
getting interested coverage in the media.



Generally, these systems have in common the idea of the computer
monitoring its environment, and learning what is normal behavior for
that system.  By carefully allowing new behavior to be first
checked, then adapted to, false positives are made benign.



Robert Ghanea-Hercock
(click on "people"), who holds these workshops at SFI, notes that the
next workshop will be November 5-6 2003, just preceding SFI's Annual
Business Meeting.


What's your take on moving beyond crypto?