On decision support for distributed systems protection: A perspective based on the human immune response system and epidemiology

https://doi.org/10.1016/j.ijinfomgt.2007.02.003

Abstract

Information system availability is contingent on a robust security infrastructure that provides protection via preventive, detective, and corrective mechanisms. In this paper, we provide an architecture, inspired by biological metaphors from immunology and epidemiology, for the security infrastructure of distributed information systems. The proposed architecture consists of an immunological model at the micro-level to detect and identify computer pathogens (e.g. viruses and worms), and an epidemiological model at the macro-level to identify distributed attacks.

Introduction

The protection of information systems and their infrastructure from attacks (particularly distributed ones) has focused on detecting pathogens (e.g. viruses, worms, and other code that violates the integrity and availability of such systems) and intruders solely at the initial points of entry to both computer networks and individual computers. However, a detection system will not always recognize a pathogen at the points of entry, and a pathogen that slips through can propagate further throughout a network, or within a single machine, and degrade performance and availability.

A robust security infrastructure for information systems should be able to detect pathogens at these points of entry as well as monitor and control their spread. The detection process should be able to recognize pathogens that employ detection-evasion mechanisms. The monitoring and control process, on the other hand, should incorporate the sharing of pathogen-detection information between nodes, so that even distributed attacks (against a number of nodes in the network) will not lead to Denial-of-Service (DoS).

While recent literature has dealt with either pathogen detection or spread, to the best of our knowledge, no study has attempted to integrate these two research themes in order to design a robust defense against distributed attacks. Integration of these two components is necessary due to the polymorphic nature of many viruses and worms and the ability of viruses (e.g. macro viruses) to proliferate quickly over the network. The task of integrating pathogen detection and control of spread through use of biological paradigms is the focus of this paper.

We adopt the human immune system as a metaphor for computer pathogen detection. While this metaphor has been discussed previously in the literature, our approach differs from others in that a two-tier defense is proposed. In the first tier, the (TCP or UDP) packets entering the network are sampled for inspection against substrings of known pathogen signatures (including their mutations), and matching packets are destroyed. Substrings of signatures rather than full signatures are used at this tier because a pathogen signature can in general straddle more than one packet.

Since first-tier inspection is based on sampling and matches signature substrings rather than full signatures, some pathogens may evade it. For the rest of this paper, packets that pass first-tier inspection but contain pathogens are referred to as carriers. When such carriers are executed on individual machines, they can replicate and infect other network nodes. Therefore, it is important to have a second-tier defense that deters pathogen spread by carriers. In the second tier, each file assembled from packets that passed first-tier inspection is inspected against the full signatures of all known pathogens (and their mutations). Together, these two tiers protect the network by detecting pathogens, destroying them when detected, and preventing carriers from spreading pathogens through replication and network distribution.
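The two-tier inspection described above, as an added illustration (example code, not the paper's own): tier 1 samples packets and matches k-byte fragments of known signatures, tier 2 reassembles what tier 1 forwarded and matches full signatures. The signatures, packet size and carrier file are constructed placeholders, not real malware indicators. The demo shows the two points the text makes: a signature that straddles a packet boundary is invisible to per-packet full-string matching but leaves a fragment that tier 1 can catch, and when tier 1 only samples every second packet the carrier gets through and is caught by tier 2 on the reassembled file.

```python
"""Two-tier pathogen inspection (added example; not the paper's own code)."""

# Constructed placeholder signatures (assumed; not real IoCs). Mutations of a
# signature would simply be added as further entries.
SIGNATURES = {
    "sig-A": b"PATHOGEN_ALPHA_PAYLOAD",
    "sig-B": b"MUTANT_BETA_MARKER",
}
K = 6  # fragment (substring) length used by tier 1


def build_fragment_index(signatures: dict, k: int) -> dict:
    """Map every k-byte window of every signature to the signatures it came from."""
    index: dict = {}
    for name, sig in signatures.items():
        for i in range(len(sig) - k + 1):
            index.setdefault(sig[i:i + k], set()).add(name)
    return index


INDEX = build_fragment_index(SIGNATURES, K)


def split_into_packets(data: bytes, size: int) -> list:
    """Chop a byte stream into fixed-size packets (stand-in for TCP/UDP segmentation)."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def naive_full_string_packet_hits(packets) -> int:
    """Per-packet matching of full signatures: misses any signature that straddles packets."""
    return sum(1 for pkt in packets for sig in SIGNATURES.values() if sig in pkt)


def tier_one(packets, index=INDEX, k=K, sample_every=1):
    """Inspect every n-th packet and drop it if any k-byte window is a known fragment.

    Returns (forwarded_packets, dropped_count). Unsampled packets are forwarded
    uninspected, which is exactly how carriers arise.
    """
    forwarded, dropped = [], 0
    for i, pkt in enumerate(packets):
        if i % sample_every == 0:
            if any(pkt[j:j + k] in index for j in range(len(pkt) - k + 1)):
                dropped += 1
                continue  # packet "destroyed": not forwarded
        forwarded.append(pkt)
    return forwarded, dropped


def tier_two(forwarded) -> list:
    """Reassemble the forwarded packets into a file and match full signatures."""
    blob = b"".join(forwarded)
    return sorted(name for name, sig in SIGNATURES.items() if sig in blob)


# Constructed carrier file: with 16-byte packets the signature straddles a boundary.
DEMO_BODY = b"benign header;" + SIGNATURES["sig-A"] + b";trailer data"


def run_demo(sample_every: int, packet_size: int = 16) -> dict:
    """Run both tiers over the constructed carrier with a given sampling rate."""
    packets = split_into_packets(DEMO_BODY, packet_size)
    forwarded, dropped = tier_one(packets, sample_every=sample_every)
    return {
        "packets": len(packets),
        "dropped_tier1": dropped,
        "tier2_hits": tier_two(forwarded),
    }


if __name__ == "__main__":
    pkts = split_into_packets(DEMO_BODY, 16)
    print("full-string per-packet hits:", naive_full_string_packet_hits(pkts))
    print("inspect every packet:     ", run_demo(sample_every=1))
    print("inspect every 2nd packet: ", run_demo(sample_every=2))
```

Fragment length k trades off sensitivity against false positives: shorter fragments catch smaller remnants of a straddling signature but are more likely to occur in benign traffic, which is one reason the paper keeps full-signature matching on the reassembled file as the second tier.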

However, to provide a greater measure of network protection, it is important that detection information from both inspection tiers is shared between network nodes, so that the pathogen signature database can be updated and the activity of detected pathogens can be monitored. Such protection could be provided through a centralized repository of pathogen signatures augmented by a network-wide pathogen proliferation monitoring system. The disadvantage of a centralized facility is that it is itself vulnerable to pathogen attack. The solution we propose in this model is a distributed pathogen signature database, in which each network node maintains its own database of pathogen signatures and detectors and shares that information with its neighbors. Such information sharing is crucial to thwart distributed DoS attacks, in which external parties attack multiple network nodes in order to degrade network availability. This idea of distributed network protection borrows from the epidemiological literature. Just as public health systems share and statistically analyze information on the incidence of diseases in order to detect (and respond to) their spread, our framework applies the same practice to detecting the spread of computer pathogens across a network, so that remedial action can be taken to maintain network health.
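The distributed signature database and epidemiological monitoring described above, as an added illustration (example code, not the paper's own): every node keeps its own signature database and passes a newly learned signature neighbour to neighbour, and a monitor counts on how many distinct nodes a pathogen has been reported within a window, flagging a distributed attack when that count reaches a threshold. The ring topology, the signature and the carrier payload are constructed for the demo; the `down` flag on a node is an assumption used to show that sharing survives the loss of a node, which a single central repository would not.

```python
"""Distributed signature sharing and incidence monitoring (added example;
not the paper's own code)."""
from collections import defaultdict, deque


class Node:
    def __init__(self, name: str):
        self.name = name
        self.signatures: dict = {}   # local pathogen signature database
        self.neighbors: list = []
        self.detections: list = []   # (tick, signature name) reports
        self.down = False            # assumed flag: node knocked out by an attack

    def link(self, other: "Node") -> None:
        self.neighbors.append(other)
        other.neighbors.append(self)

    def observe(self, tick: int, payload: bytes) -> list:
        """Inspect a payload against the local database and record any hits."""
        hits = sorted(n for n, s in self.signatures.items() if s in payload)
        self.detections.extend((tick, h) for h in hits)
        return hits

    def share(self, sig_name: str, sig: bytes) -> None:
        """Propagate a signature neighbour-to-neighbour (breadth-first) until every
        reachable live node has it; no central repository is involved."""
        self.signatures[sig_name] = sig
        queue = deque([self])
        while queue:
            node = queue.popleft()
            for nb in node.neighbors:
                if nb.down or sig_name in nb.signatures:
                    continue
                nb.signatures[sig_name] = sig
                queue.append(nb)


def build_ring(names) -> dict:
    """Constructed ring topology: each node shares with exactly two neighbours."""
    nodes = {n: Node(n) for n in names}
    ordered = list(nodes.values())
    for a, b in zip(ordered, ordered[1:] + ordered[:1]):
        a.link(b)
    return nodes


def distributed_attack_alerts(nodes, since_tick: int, threshold: int) -> list:
    """Epidemiological check: pathogens reported by at least `threshold`
    distinct nodes at or after `since_tick` (an outbreak threshold)."""
    seen_on = defaultdict(set)
    for node in nodes:
        for tick, sig_name in node.detections:
            if tick >= since_tick:
                seen_on[sig_name].add(node.name)
    return sorted(s for s, names in seen_on.items() if len(names) >= threshold)


SIG_X = b"WORM_SIGNATURE_EXAMPLE"        # constructed placeholder, not a real indicator
CARRIER = b"data " + SIG_X + b" more"    # constructed payload carrying it


def run_demo() -> dict:
    """Only node A knows sig-X at tick 0; after A shares it, every node detects
    the same carrier at tick 1 and the monitor raises a distributed-attack alert."""
    nodes = build_ring(["A", "B", "C", "D", "E", "F"])
    nodes["A"].signatures["sig-X"] = SIG_X
    tick0 = [n.name for n in nodes.values() if n.observe(0, CARRIER)]
    nodes["A"].share("sig-X", SIG_X)
    known = sum("sig-X" in n.signatures for n in nodes.values())
    tick1 = [n.name for n in nodes.values() if n.observe(1, CARRIER)]
    return {
        "tick0_detectors": tick0,
        "nodes_knowing_sig": known,
        "tick1_detectors": tick1,
        "alerts": distributed_attack_alerts(nodes.values(), since_tick=1, threshold=3),
    }


def run_resilience_demo() -> int:
    """With node D down, sharing from A still reaches the other four live nodes
    around the ring; returns how many nodes end up holding sig-X."""
    nodes = build_ring(["A", "B", "C", "D", "E", "F"])
    nodes["D"].down = True
    nodes["A"].share("sig-X", SIG_X)
    return sum("sig-X" in n.signatures for n in nodes.values())


if __name__ == "__main__":
    print(run_demo())
    print("nodes holding sig-X with D down:", run_resilience_demo())
```

The threshold and window in `distributed_attack_alerts` play the role of the statistical incidence analysis the text borrows from public health: a single node's detection is an isolated case, while the same pathogen reported by many nodes in a short window is the signal of a distributed attack that warrants network-wide remedial action.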

This view is consonant with the information systems auditing discipline, which emphasizes controls similar to those in medicine and public health: preventive (prophylaxis), detective (diagnostic), and corrective (therapeutic). At the micro-level, all three controls are an integral part of medical practice, and systems-in-practice support decision-making in all three. At the macro-level, public health systems include mechanisms for prevention (through dissemination of advisories), detection (reporting systems for infectious diseases and epidemiological models for detection), and treatment (dissemination of information on treatment) of infectious diseases. Inspired by these systems in medicine and public health, an integrated architecture is proposed that supports all three controls in the protection of computer networks and the information systems that rely on them.

In Section 2, we contrast our work to that done in the area of computer/network security. Section 3 provides a brief review of defense measures in networked systems and motivates the metaphor used in the paper. Section 4 gives a background of the immune system and epidemiological paradigm, describes the security models based on the paradigms, and discusses the limitations of those models. An innovative security model is proposed to address current model limitations. This is followed by concluding remarks with future work directions.

Section snippets

Related Information Security Research

Security research covers a variety of issues (Guttman & Roback, 1995), including secure communication, unauthorized intrusions, authentication, and authorization, and requires the interaction of several disciplines (i.e. computer science, law, psychology, and finance). This paper, however, focuses on the immediate problem of unauthorized intrusion into networks by computer pathogens.

While a large number of technological advances have been made in the area of computer security, most of these

Biological analogy for computer network security

It is not difficult to draw analogies between computer network security and biological models in immunology (in medicine) and epidemiology (in public health). These analogies have received some attention in the literature on computer immunology and computer epidemiology, in works such as those on artificial immune systems (AISs) by Kephart (1994), Kephart and White (1991), Kephart, Chess, and White (1993) and Forrest and Hofmeyr (1999), as well as the work on computer epidemiology in the

Architecture for comprehensive security

Earlier in the paper, it was concluded that pathogen detection is needed at two levels in order to detect pathogen spread when pathogens escape detection at the points of entry. In this section, an architecture is presented that incorporates detection mechanisms at both levels, and suggestions are made for its software implementation. Before introducing the architecture, the main deficiencies of current detection mechanisms, and how they will be dealt with, are discussed.

Concluding observations

Protection of networks from pathogen attacks has gained added importance due to vulnerabilities manifested by recent events. Since traditional modes of defense claim inordinate resources, it is important to develop new architectures for the defense of networks and of the information systems critically dependent on them. A distributed architecture for the detection and destruction of pathogens is proposed. The model we propose is inspired by immunology and epidemiology research. We also propose an


References (49)

  • J. Backhouse et al. Structures of responsibility and security of information systems. European Journal of Information Systems (1996)
  • A.-L. Barabasi et al. Emergence of scaling in random networks. Science (1999)
  • R. Baskerville. An analytical survey of information systems security design methods: Implications for information systems development. ACM Computing Surveys (1993)
  • Bernoulli, D. (1760). Essai d'une nouvelle analyse de la mortalite cause par la petite verole et des advantages de...
  • E. Bonabeau et al. Swarm intelligence: From natural to artificial systems (1999)
  • CERT/CC Statistics 1988–2003. Retrieved May 16, 2003 from...
  • F. Cohen. Models of practical defenses against computer viruses. Computers & Security (1989)
  • F.B. Cohen. A short course on computer viruses (1994)
  • Dasgupta, D. (1998). Artificial immune system as a multi-agent decision support system. Proceedings of the 1998 IEEE...
  • D'haeseleer, P., Forrest, S., & Helman, P. (1996). An immunological approach to change detection: Algorithms, analysis,...
  • G. Dhillon. Managing information system security (1997)
  • G. Dhillon et al. Information system security management in the new millennium. Communications of the ACM (2000)
  • G. Dhillon et al. Current directions in IS security research: Towards socio-organizational perspectives. Information Systems Journal (2001)
  • Erbacher, R. F., Walker, K. L., & Frincke, D. A. (2002). Intrusion and misuse detection in large-scale systems. IEEE...
  • Evans, S., & Bush, S. F. (2001). Symbol compression ratio for string compression and estimation of Kolmogorov...
  • Evans, S. C., & Barnett, B. (2002). Conservation of complexity for network security. Proceedings of military...
  • Forrest, S., & Hofmeyr, S. A. (1999). John Holland's invisible hand: An artificial immune system. Presented at the...
  • Forrest, S., Perelson, A. S., Allen, L., & Cherukuri, R. (1994). Self-Nonself discrimination in a computer. In...
  • R.D. Gopal et al. Preventive and deterrent controls for software piracy. Journal of Management Information Systems (1997)
  • Guttman, B., & Roback, E. (1995). National Institute of Standards and Technology (U.S.). An introduction to computer...
  • Hiraishi, H., & Mizoguchi, F. (2001). Design of a visual browser for network intrusion detection. Tenth IEEE...
  • S. Hofmeyr et al. Intrusion detection using sequences of system calls. Journal of Computer Security (1998)
  • Hunt, J., King, C., & Cooke, D. (1996). Immunizing against fraud. IEEE colloquium on knowledge discovery and data...
  • J. Kennedy et al. Swarm intelligence (2001)

    Sanjay Goel is an Assistant Professor in the School of Business at the University at Albany, SUNY. He is also the Director of Research at the New York State Center for Information Forensics and Assurance at the University. Before joining the University, he worked at the General Electric Global Research Center. Dr. Goel received his Ph.D. in Mechanical Engineering in 1999 from Rensselaer Polytechnic Institute. Dr. Goel teaches several classes including computer networking and security, information security risk analysis, security policies, enterprise application development, database development and Java language programming. In 2006, he was awarded the SUNY Chancellor's Award for Excellence in Teaching, the University at Albany Excellence in Teaching Award, and the Graduate Student Organization Award for Faculty Mentoring. His current research interests include investigation of computer crimes including botnets and virus/worm propagation, security risk analysis and security policy creation. He also works in the development of autonomous computer security systems based on biological paradigms of immune systems, epidemiology, and genetics. His portfolio of research includes distributed service-based computing, network resilience, and active networks. He also uses machine-learning algorithms to develop self-learning adaptive optimization strategies for solving engineering optimization problems. In addition, he is working on developing algorithms for self-organization of nanosensors for remote sensing in harsh environments.

    Jagdish S. Gangolly is currently the Chairperson of the Department of Accounting & Law in the School of Business, and the Director of the Ph.D. Program in Information Science at the Department of Informatics, College of Computing & Information at the State University of New York at Albany. He is also an affiliate and advisor at the Institute for Informatics, Logic & Security Studies at SUNY, Albany. He was the Interim Director of the New York State Center for Information Forensics & Assurance (CIFA) during 2003–5. He holds a Bachelor's degree with a major in Mathematical Statistics, a master's degree with a major in Operations Research, and a Ph.D. degree in Business Administration (Accounting). He is also a Certified Internal Auditor. He has previously taught at the University of Pittsburgh, University of Kansas, Claremont McKenna College and the Claremont Graduate School, and California State University at Fullerton. He has worked in senior executive positions in management services in the pulp & paper industry as well as in soft drink franchising in India. In 1989, he was the guest editor of Advances in Accounting; and he currently serves on the editorial boards of the American Accounting Association's Journal of Emerging Technologies in Accounting, and the journal International Journal of Digital Accounting Research. He is also an Associate editor of the e-Services Journal. He serves on the Technical Committee Working Group 11.1 on Information Security Management, of the International Federation for Information Processing (IFIP). His current research activities are primarily in the areas of conceptual information organization, and the formal specification of control in accounting information systems. He also has collateral research interest in the relationships between Accounting and Legal Philosophy.
