Steven Hofmeyr [sic], computer immunologist
Image by Esthr
Steven Hofmeyr, a computer scientist specializing in computer immunology, with ties both to the MIT AI Lab and to the Santa Fe Institute, founded Company51 in 2000 to apply some of his insights about biological immune systems to computer security. The company, now called Sana Security (as in “health”), has just released a standalone desktop product called SafeConnect. (I own a small share. Hofmeyr is now a consultant to the company and is working on a new start-up, exploring new ways of building distributed storage systems.)
Time is a key factor in assessing whether behavior is suspicious. Someone sending out files at 4 pm is probably normal; the same person sending the same files at 4 *am*, assuming he is not traveling in some other time zone, is suspicious. Any security system assesses such factors, and then, if the context isn’t in the system, some human will check to see where Juan was that particular morning. Was he traveling in France on business? Or was he supposed to be on vacation? It’s the combination of factors that counts. But there are many more subtle uses of time, says Hofmeyr.
Any suspicious event becomes more suspicious if it occurs along with another suspicious or non-routine event: for example, a file upload that happens around the time of a door-lock malfunction, or an attempt to use an expired password shortly after an employee retires.
But, notes Hofmeyr, “After the first detection of something odd, you can’t act immediately or you’ll end up on constant alert. You have to wait to see if it’s a real threat… but you can’t wait too long…”
He resorts to immune-system analogies. “The immune system exploits time. You bet that you have the time to build up an effective response… Besides, if you react immediately to something you think is bad, that reaction itself could hurt you, so you have to wait for some damage before reacting. The problem is that what appears unusual may be benign – so the immune system waits until damage occurs because then it can be sure that the unusual behavior is not benign – but then of course the immune system has to play catch-up – it’s a case of giving the pathogen ‘enough rope to hang itself.’” Knowing precisely what that timing should be is what distinguishes good security from ineffective responses.
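The two-stage approach described above, in which an unusual event is held rather than acted on until either a second non-routine event for the same subject confirms it or the holding window runs out, is sketched below as an added Python example. It is not Sana’s code or Hofmeyr’s design; the users, hours, dates, event kinds and the 30-minute window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Everything below is constructed context for this example (hypothetical users, hours, dates).
OFF_HOURS_START, OFF_HOURS_END = 22, 6         # 22:00-06:00 in the subject's local time is "unusual" for an upload
CORRELATION_WINDOW = timedelta(minutes=30)     # how long a lone anomaly is held before it is dropped
TRAVEL_OFFSET_HOURS = {"juan": 9}              # Juan is on a trip; his local clock runs 9 h ahead of the server's
RETIRED_ON = {"maria": datetime(2006, 3, 31)}  # any password use after this date is non-routine


@dataclass
class Event:
    ts: datetime    # server-side timestamp
    subject: str    # the user, or the person whose office/door the event concerns
    kind: str       # "file_upload", "door_lock_fault" or "expired_password"


def local_hour(ev: Event) -> int:
    """Hour of day where the subject actually is, not where the server is."""
    return (ev.ts + timedelta(hours=TRAVEL_OFFSET_HOURS.get(ev.subject, 0))).hour


def is_unusual(ev: Event) -> bool:
    """First-pass judgement of a single event taken in isolation."""
    if ev.kind == "file_upload":
        h = local_hour(ev)
        return h >= OFF_HOURS_START or h < OFF_HOURS_END
    if ev.kind == "expired_password":
        retired = RETIRED_ON.get(ev.subject)
        return retired is not None and ev.ts > retired
    if ev.kind == "door_lock_fault":
        return True  # a lock malfunction is never routine
    return False


class Correlator:
    """Holds a lone anomaly instead of alerting on it; escalates only when a second,
    different non-routine event for the same subject lands inside the window."""

    def __init__(self, window: timedelta = CORRELATION_WINDOW):
        self.window = window
        self.pending = {}   # subject -> first unusual event, not yet acted on
        self.alerts = []    # (first, second) pairs that were escalated
        self.expired = []   # lone anomalies that aged out without a partner

    def _expire(self, now: datetime) -> None:
        # The "can't wait too long" half: drop anomalies older than the window.
        for subject, first in list(self.pending.items()):
            if now - first.ts > self.window:
                self.expired.append(first)
                del self.pending[subject]

    def observe(self, ev: Event):
        """Return None (routine), "pending" (held) or "alert" (escalated)."""
        self._expire(ev.ts)
        if not is_unusual(ev):
            return None
        first = self.pending.get(ev.subject)
        if first is None:
            self.pending[ev.subject] = ev     # wait and see; do not alert yet
            return "pending"
        if first.kind != ev.kind:
            self.alerts.append((first, ev))   # two different odd things together: act
            del self.pending[ev.subject]
            return "alert"
        return "pending"                      # same kind repeated: keep waiting


def run_demo():
    """Feed a constructed event stream through the correlator; returns (decisions, correlator)."""
    d = datetime
    events = [
        Event(d(2006, 4, 3, 4, 0), "juan", "file_upload"),        # 04:00 server time is 13:00 for Juan: normal
        Event(d(2006, 4, 3, 4, 10), "alice", "file_upload"),      # 04:10 local, not travelling: odd, hold it
        Event(d(2006, 4, 3, 4, 25), "alice", "door_lock_fault"),  # second odd event 15 min later: alert
        Event(d(2006, 4, 3, 23, 0), "bob", "file_upload"),        # odd, hold it
        Event(d(2006, 4, 4, 1, 0), "bob", "file_upload"),         # 2 h later: the first one has aged out
        Event(d(2006, 4, 5, 9, 0), "maria", "expired_password"),  # retired 31 March: odd, held alone
    ]
    c = Correlator()
    decisions = [c.observe(ev) for ev in events]
    return decisions, c


if __name__ == "__main__":
    decisions, c = run_demo()
    print(decisions)
    for first, second in c.alerts:
        print(f"ALERT {first.subject}: {first.kind} at {first.ts:%H:%M}, then {second.kind} at {second.ts:%H:%M}")
```

Note that Juan’s 4 am upload is never even held, because the time-zone context is applied before the off-hours test; Bob’s two off-hours uploads never escalate because they are the same kind of event and too far apart; Alice’s upload becomes an alert only once the unrelated lock fault arrives inside the window.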
Now that Hofmeyr is leaving, one of Sana’s key employees is Matt Williamson, who came up with the concept of “virus throttling” at HP Labs. Viruses are most harmful (obviously) when they spread rapidly, and that is something “normal” programs don’t do. Even P2P music files, spread by individuals, don’t spread that fast; P2P software itself limits the number of concurrent downloads from one computer to just a couple.
An individual using a computer, even a busy browser, is unlikely to connect to more than five or so new addresses in a minute. (Any security system knows how to make an exception for a mass mailer, though an ISP’s security system monitoring a customer base of consumer machines might rightly not make such an exception.) “For a virus, that’s slow. An infected machine might try to connect to thousands of other systems in a minute.” So the default can simply be to prevent such behavior by limiting the number of new addresses a computer connects to per minute, and to alert a monitor when the limit is exceeded.
“That slows the propagation of viruses, but doesn’t bother people. We exploit the different meaning that time has for people and machines.”
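As an added example (not HP Labs’ or Sana’s code), the Python below implements the throttle described above: connections to addresses the machine has contacted recently pass freely, new addresses are rationed to the five per minute mentioned in the text, excess new connections are queued rather than dropped, and a deep queue alerts a monitor. The idle timeout, alert threshold, exempt process name and the browsing, worm and mailer traffic patterns are constructed assumptions.

```python
from collections import deque

# The five-new-addresses-a-minute budget comes from the text; the rest are assumptions for this example.
NEW_PER_MINUTE = 5                  # new destination addresses a host may open per sliding minute
RECENT_TIMEOUT = 600.0              # seconds after which a contacted address counts as "new" again
ALERT_QUEUE_LEN = 20                # a delay queue deeper than this is reported to a monitor
EXEMPT_PROCESSES = {"mail-relay"}   # hypothetical name of a legitimate mass mailer


class Throttle:
    """Virus-throttling sketch: repeat contacts pass, new addresses are rationed,
    excess new connections are delayed (not dropped), and a deep queue raises an alert."""

    def __init__(self, new_per_minute=NEW_PER_MINUTE, alert_queue_len=ALERT_QUEUE_LEN,
                 exempt=EXEMPT_PROCESSES):
        self.new_per_minute = new_per_minute
        self.alert_queue_len = alert_queue_len
        self.exempt = set(exempt)
        self.recent = {}         # addr -> last contact time; these do not count as "new"
        self.admitted = deque()  # times at which a new address was admitted in the last 60 s
        self.queue = deque()     # (time, addr) of new connections being held back
        self.allowed = 0         # connections that went out immediately
        self.delayed = 0         # connections that were queued
        self.released = 0        # queued connections later let through
        self.alerted = False

    def _budget_left(self, t):
        while self.admitted and t - self.admitted[0] >= 60.0:
            self.admitted.popleft()
        return self.new_per_minute - len(self.admitted)

    def _admit_new(self, t, addr):
        self.admitted.append(t)
        self.recent[addr] = t

    def _release(self, t):
        # Held connections go out as budget frees up: the spread is slowed, not blocked.
        while self.queue and self._budget_left(t) > 0:
            _, addr = self.queue.popleft()
            self._admit_new(t, addr)
            self.released += 1

    def connect(self, t, addr, process="user"):
        """Return 'allowed' if the connection proceeds now, 'delayed' if it is queued."""
        for a, last in list(self.recent.items()):
            if t - last > RECENT_TIMEOUT:
                del self.recent[a]
        self._release(t)
        if process in self.exempt or addr in self.recent:
            self.recent[addr] = t
            self.allowed += 1
            return "allowed"
        if self._budget_left(t) > 0:
            self._admit_new(t, addr)
            self.allowed += 1
            return "allowed"
        self.queue.append((t, addr))
        self.delayed += 1
        if len(self.queue) > self.alert_queue_len:
            self.alerted = True
        return "delayed"


def simulate_browsing():
    """A person browsing: one new site every 20 s (3/min) plus repeat hits on a favourite site."""
    th = Throttle()
    for i in range(30):
        th.connect(20.0 * i, f"203.0.113.{i}")       # a site not seen before
        th.connect(20.0 * i + 10.0, "203.0.113.0")   # back to the first site
    return th


def simulate_worm():
    """An infected machine probing 500 distinct addresses in 50 s, then one more a minute later."""
    th = Throttle()
    for i in range(500):
        th.connect(0.1 * i, f"10.{i // 256}.{i % 256}.1")
    th.connect(61.0, "10.9.9.9")   # budget has refilled: five queued probes are released first
    return th


def simulate_mailer():
    """An exempted mass mailer reaching 200 new addresses in a minute passes untouched."""
    th = Throttle()
    for i in range(200):
        th.connect(0.3 * i, f"192.0.2.{i}", process="mail-relay")
    return th


if __name__ == "__main__":
    for name, th in (("browsing", simulate_browsing()), ("worm", simulate_worm()), ("mailer", simulate_mailer())):
        print(f"{name}: allowed={th.allowed} delayed={th.delayed} released={th.released} alert={th.alerted}")
```

The user never notices the throttle (three new sites a minute is under budget and repeat visits are free), while the worm gets exactly five probes out in its first minute and fills the delay queue, which is what raises the alert; the queued probes still trickle out as budget returns, so a false positive costs a delay rather than a dropped connection.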
Yet the similarities are useful too. There’s a truism in immunology that pathogens don’t want to be too harmful, because they need their hosts to survive. As malicious software evolves, it also tends to become more benign in some ways, because it needs the host to stay alive. So a virus inside a host population, if the population doesn’t fight it, tends to become benign. But if other pathogens are around, it may become virulent, if only because it has little to lose. “Whoever kills the host first wins, because he gets the most out of it,” says Hofmeyr. And then there’s the phenomenon of pathogens attacking one another, while the host is simply an innocent bystander, or merely the environment. All this happens over time; the security expert’s task is to figure out these cycles and exploit the vulnerabilities.
In the spyware world, for example, we have the phenomenon of spyware packages trying to uninstall one another in order to gain exclusive access to the host.
Or, notes Hofmeyr, “there were 11 variants of the Zotob worm competing ferociously, all trying to delete each other. They were so busy harming one another that they may have done less harm to the host – even though they may also have spread faster in an attempt to get to the vulnerable hosts first. Imagine a worm that spreads and makes you less vulnerable to the other guy [worm], but then does its own damage three months later.”