Our study of the immune system has revealed a useful set of organizing principles that we believe should guide the design of computer security systems:
- Distributability: Immune system detectors are able to determine locally the presence of an infection. No central coordination takes place, which means there is no single point of failure.
- Multi-layered: Multiple layers of different mechanisms are combined to provide high overall security. This is not a new concept in computer security, but we believe it is important and should be emphasized in system design.
- Diversity: By making systems diverse, security vulnerabilities in one system are less likely to be widespread. There are two ways in which systems can be diverse: the protection systems can be unique (as in natural immune systems) or the protected systems can be diversified (as in our security through diversity project).
- Disposability: No single component in the system is essential.
- Automated response/self repair: The immune system is autonomous, regenerating damaged components and classifying and eliminating infections, all without outside intervention. As network and CPU speeds increase and the use of mobile code spreads, it will be increasingly important for computers to handle most security problems automatically.
- No secure layer: Any cell in the human body can be attacked by a pathogen---including those of the immune system itself. Mutual protection among immune system components replaces dependence on a secure underlying layer.
- Dynamically changing coverage: The immune system makes a space/time tradeoff in its detector set: It cannot maintain a set of detectors (lymphocytes) large enough to cover the space of all pathogens, so instead at any time it maintains a random sample of its detector repertoire, which circulates throughout the body. This repertoire is constantly changing through cell death and reproduction.
- Identity via behavior: In cryptography, identity is proven through the use of a secret. The human immune system, in contrast, does not depend on secrets; instead, identity is verified through the presentation of peptides, or protein fragments. Because proteins can be thought of as "the running code" of the body, peptides serve as indicators of behavior.
- Anomaly detection: The ability to detect intrusions or violations that are not already known is an important feature of any security system.
- Imperfect detection: By accepting imperfect detection, the immune system increases the flexibility with which it can allocate resources. For example, less specific detectors respond to a wider variety of patterns but are less efficient at detecting a specific pathogen.
- The numbers game: The immune system replicates detectors to counteract replicating pathogens---otherwise, the pathogens would quickly overwhelm any defense. Computers are subject to a similar numbers game, through hackers freely trading exploit scripts on the Internet, through denial-of-service attacks, and through computer viruses. Pathogens in the computer security world are playing the numbers game---traditional defense systems, however, are not.
These properties can be thought of as design principles for a computer immune system. The exact biological implementation may or may not prove useful, but we believe that the principles behind them can help us design more secure computer systems. This material was excerpted from Principles of a computer immune system.
© 1997 Steven A Hofmeyr