An Innate Immune System for the Protection of Computer Networks

Anastasia Pagnoni, Andrea Visconti
Department of Computer Science and Communication – University of Milan, Italy
[email protected] [email protected]

Copyright © held by author/owner

Abstract. This paper presents the design, implementation, and testing of NAIS, an artificial immune system for the protection of computer networks. Inspired by the biological innate immune system, NAIS consists of a collection of digital macrophages that scan the network for dangerous non-self processes and kill them. NAIS is based on the observation that all significant network attacks are preceded by preparatory small-scale intrusions meant to gather the necessary information – information on servers and operating systems, logins, weak passwords, ill-installed or poorly maintained services, etc. This information is used to bypass the network's defense barriers – access controls, firewalls – and to gain access to the machine before it is attacked. Such preparatory intrusions do not generate new processes; the subsequent, actual intrusion, however, will. Such processes will be recognized as non-self by the digital macrophages run by NAIS and killed right away, thus defusing the attack. Telling illegal new processes from legal ones is a difficult matter, and amounts to providing a strong definition of non-self process. Our testing of NAIS proved our definition to be quite effective in protecting networks of one-service computers.

1 Introduction

A number of authors [1,8] suggested biological immune systems as a new, promising paradigm for the design of powerful computer security systems [6,4,7,5], and several very interesting approaches have been proposed [2,7,3]. This paper suggests a different, if complementary, approach: we suggest designing intrusion detection systems that are the technological equivalent of the innate immune system. As we shall see, this approach helps overcome some of the practical limitations [5,8]. Let us explain briefly.

Biological immune systems draw up several lines of defense to protect living organisms from all kinds of potentially dangerous intruders. This defense system includes chemical and physical barriers – skin, mucus secretions, stomach pH, etc. – the innate, or native, immune system, and the acquired immune system. Computer networks also rely on several lines of defense to protect them against unwanted intrusions. Firewalls can be seen as network equivalents of the skin, as they filter external requests for access and block all connection attempts that violate certain criteria. Login policies correspond to physiological barriers, as they let regular physiological users into the network while blocking the access of outsiders.

Let us briefly summarize and compare the functioning of the innate and acquired immune systems. The working of both systems is based on their capability to recognize elementary components of the body that they protect as either self – i.e., endogenous and innocuous – or non-self – i.e., exogenous and potentially pathogenic. The innate immune system is meant to protect the body from birth. Therefore, it attacks antigens right away, with no need for previous exposure to the pathogen; every antigen is non-self to the innate system. The acquired immune system works in a less straightforward, more complex way. The acquired immune system recognizes a smaller variety of pathogens, but kills more of them, because its attack response is antigen-specific. In time, with exposure to different antigens, the acquired immune system learns to identify different pathogens and to respond to each of them in a specific and hence more effective way. The response of the innate system is much quicker, though less precise, than that of the acquired system. Notice that the recognition capability of the acquired immune system is not perfect – some antigens will go unrecognized – while that of the innate immune system is perfect.

Every artificial immune system is based on some partition of a given set of possible actions into two subsets: the set of self and the set of non-self actions. This requires unambiguous definitions of self and non-self actions. A number of ground-breaking solutions to this problem have been published [1-8]. However, practical application of the proposed ideas has not developed that much so far, due to some unsolved problems. The difficulties come from the necessity of providing a strong, reliable discrimination between normal and abnormal patterns of behavior [5]. The necessity of maintaining a complete – and therefore large – database of "good or bad actions", to be used by the self/non-self recognition algorithms, is crucial to the performance of any AIS; this is because bad behavior patterns not stored in the database may result in unchallenged network attacks [8]. Manipulating this large database (extracting and clustering a proper training set matrix, searching the database itself, etc.) entails a substantial degree of slowness that is sometimes avoided by settling for a weaker discrimination of self/non-self patterns. In order to overcome these problems, we designed NAIS (Native Artificial Immune System), an intrusion detection system based on the paradigm of the innate immune system. Indeed, though less precise than the acquired one, the innate immune system is the first one to attack any pathogen, known or unknown, that enters the body. Here the idea is not to find, recognize, and kill specific antigens in the most effective way [8], but to find and kill any antigen as quickly as possible. The innate immune system is the first line of defense against antigens that succeed in entering the body in spite of its physical and chemical barriers. It is meant to attack any antigen that enters the body immediately.

NAIS models the behavior of the innate immune system by building a number of processes that act as macrophages: they detect and immediately kill any non-self process running on a server. The rest of this paper is organized following the AIS-design guidelines suggested by Leandro de Castro and Jonathan Timmis in [1]. Section 2 presents our problem description; Section 3 discusses the immune principle applied in NAIS, and the reasons for our choices. Section 4 presents the design and engineering of NAIS: our model of the innate immune system, its dynamics and its metadynamics (how new macrophages are generated, and how they die). It also explains how NAIS is actually engineered. Finally, conclusions and future work are briefly discussed in Section 5.

2 Problem Description

Intrusion detection systems are based on some definition of a system intruder and some algorithm for the detection of intrusive system components – in the language of AIS we say that an IDS is based on a definition of self and non-self system components, and a capability of recognizing both of them [5]. The problem addressed in this paper is the design, implementation, and testing of an intrusion detection system modeled on the workings of the innate immune system. As we shall see, this approach helps overcome some of the practical limitations. In particular, we wanted (a) to avoid the need for a comprehensive database of self/non-self system components, and (b) to provide for a strong, reliable discrimination between normal and abnormal behaviors. The overall design of NAIS, the prototype IDS we came up with, will be discussed in Section 3. In this section, we refine our problem description and discuss its motivation.

The goal of designing and implementing an intrusion detection system modeled on the innate immune system is better specified and understood by focusing on a set of features that characterize effective immune systems. These are a clear discrimination between intrusive (non-self) and regular (self) system components, the detection and elimination of infections, and the absence of autoimmune threats to the hosting system (no risk that the immune system attacks the system it is supposed to protect). With this specification, our problem breaks down quite naturally into the following five simple subproblems.

The first subproblem is that of providing an unambiguous definition of self and non-self system components in the framework of a computer network. For the innate immune system, self system components are innate components, that is, components that are there at birth; everything else is held to be non-self, and will be attacked. The problem is to define what an innate component is in the context of a running network of computers. Our solution is to consider innate – meaning "self" – all processes running on a network before it is connected to the internet.

The second subproblem is that of modeling digital macrophages capable of detecting and eliminating computer infections. Our macrophages are running processes that monitor the activities of the server and kill any non-self process.

The third subproblem is that of providing digital macrophages with the capability of recognizing new infections. A new infection is defined as an unknown attack that exploits some system bug and generates at least one new running process. Any non-self process of this kind will have to be recognized and killed by our macrophages.

The fourth subproblem is that of automatically repairing previous infections based on system bugs.

The fifth subproblem is that of making sure that our approach does not cause autoimmune pathologies, that is, that the macrophages do not attack and/or kill self system components.

Our solution to these problems and the engineering of its implementation are discussed in Section 4. The next section presents a short introduction to the innate immune system, and may be skipped by readers already familiar with it.

3 The Innate Immune System

The immune system is a multi-layered defense system that evolved to protect living organisms from diseases. Several layers of defense interact to shelter the body from pathogenic intruders; these layers mainly consist of physical and chemical barriers, and specialized cells that can recognize and/or kill antigens. The mechanical and chemical barriers provide the first line of defense in the fight against antigens: most importantly skin, mucous secretions, and enzymes, with their changing pH and temperature features. Bacterial colonies present on the skin surface are in general unable to pass through the skin barrier, though a skin injury may allow the bacteria to enter the body. In this case, as a consequence of the trauma, the cells surrounding the injured area release a range of chemicals; this causes local blood vessel dilation. This in turn brings more blood to the area to help the healing process. The blood released into the affected tissue causes swelling, and signals the inflammatory cells, the phagocytes, to gather at the trauma site. The phagocytes can recognize antigen particles and engulf them, in a process called phagocytosis.

The second line of defense is the innate immune system. It consists of a family of cells, collectively called phagocytes (more specifically, macrophages, neutrophils, monocytes, basophils, etc.), which recognizes, attacks, engulfs, and finally kills antigens. The innate, or native, response is a non antigen-specific barrier of the immune system, meant to fight any infection without the need for previous immunization. Its response consists of actions of two different types: rapid action, which lasts from four minutes to four hours, performed by macrophages, and medium-to-slow action, performed either via inflammation or by natural killer (NK) cells.

Macrophages play a key role in the destruction of microorganisms. They are a type of white blood cell that behaves like a patrol cell, as it engulfs and kills foreign infectious invaders. Macrophages are activated during the innate response by their receptors, and during the adaptive response by the immunoglobulin. Macrophage activation is triggered by the liberation of several kinds of cytokines, and produces a further secretion of cytokines, which in turn induces more inflammation in the second phase of the innate response. NK cells appear in larger quantities in young mammals, and diminish as the animal gets older. This means that the role of NK cells is akin to that of the innate immune response mechanisms, and not triggered by a specific antigenic stimulation. NK cells are immediately activated against cells infected by any antigen. The size of NK cells is not always the same: we can see small or medium-sized NK cells without granules, as in pigs, and large, granulated NK cells, as in humans. Macrophages and stimulated natural killer cells produce different cytokines that induce local inflammation and other general effects, such as the elevation of body temperature. These actions attract immune cells to the affected area. When the innate immune system fails, an infection is established, and acquired immunity starts to develop. The acquired immune response is based on a complex learning process that lets the immune system adaptively acquire ever better immunity during its lifetime.

When it comes to artificial immune systems, the definition of a non-self system component is at the heart of every model, and must be formulated in a way that makes telling intrusive system components (system calls, programs, data files, etc.) from legitimate ones reasonably easy. Without the capability of making this distinction there is no intrusion detection. In the language of immune systems, we call intrusive system components non-self, and legitimate system components self. This crucial problem has been addressed, and solved in a number of very ingenious ways, by researchers working in the field of AIS [6,5,8,7]. For the innate immune system, however, this distinction is readily made: self components are components that are there at birth.

4 Design and Engineering of NAIS

The design and engineering of NAIS (Native Artificial Immune System) is based on the following observations. In the first place, many years of monitoring intrusion techniques and studying effective countermeasures convinced us that most network intrusions take place while server administrators are not connected to the server and cannot control the running processes. This situation offers attackers the best chances of success. In the second place, more and more often LAN administrators try to protect their networks from some of the damage caused by intrusions by running different services on different machines. One machine is used as a web server, a second one as an e-mail server, a third as an ftp server, and so on. By distributing essential services over a cluster of computers, a network administrator achieves two significant advantages. First, the LAN becomes more secure, because if one of the servers comes under attack, the remaining machines will be unaffected, and the services on them will still be running. Secondly, the workload can be distributed more evenly over the network. We conceived NAIS with this kind of architecture in mind.

NAIS consists of a collection of processes that run on a server and act as digital macrophages. If network services are distributed over several machines, every server machine will have its own service-specific macrophages. NAIS must be initialized through a training phase. This procedure is necessary to identify the system components to be considered innate. This is done by analyzing the list of the processes running on the web server at "birth", that is, before the server is connected to the internet. During the training phase we surf our site, while the immune system compiles an exhaustive list of actually running processes; all of them are recognized as innate, i.e., defined as "self". This list contains two kinds of processes: (a) system processes (like init, mingetty, etc.), and (b) web surfing processes (basic web surfing processes like apache and mysql).

A regular user who tries to surf the site will always generate new processes, but these will only be "known" apache or mysql processes belonging to list (b) of self web surfing processes. Hence, the immune system will recognize these processes as self and leave them alone. On the contrary, an intruder who tries to exploit system bugs to enter the network will want to open a shell, compile a program, install a new server, create a new user, etc. In order to achieve such goals, s/he will inevitably have to generate some new processes. The digital macrophages of NAIS will immediately recognize such new processes as non-self, because they will appear neither on list (a) of self system processes nor on list (b) of site surfing processes. In fact, such processes will compile source code, install programs, clean system logs, and so on. For this reason, NAIS will also deny apache and mysql processes any kind of operation but web surfing. Macrophages will kill non-self processes right away. After the training phase is completed and the server is connected to the internet, macrophages will keep polling the list of active server processes in search of potential intruders. Notice that potential intruders trying to take advantage of system bugs to enter the network will necessarily generate new, and hence non-innate, processes. Macrophages will immediately recognize such new processes as non-self, and kill them right away.
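The training phase and the polling pass described above, as an added example that is not the authors' code: a constructed process snapshot taken at "birth" yields the self set, and a later constructed process table is classified against it. Two details are assumptions of this example rather than statements of the paper: a process is identified by its command name as shown by ps, and a child of a web surfing service (list b) counts as self only if it runs the same command as its parent.

```python
"""NAIS-style self/non-self process discrimination (added example, not the
authors' code). Assumed, not stated in the paper: a process is identified by
its command name as shown by ps, and a child of a web-surfing service is
self only if it runs the same command as its parent (a worker)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    comm: str  # executable name as shown by ps

# Training phase: constructed snapshot taken at "birth", while surfing the
# site and before the server is connected to the internet.
TRAINING_SNAPSHOT = [
    Proc(1, 0, "init"),
    Proc(812, 1, "mingetty"),
    Proc(901, 1, "httpd"),
    Proc(902, 901, "httpd"),  # apache worker created by our own surfing
    Proc(950, 1, "mysqld"),
]

# List (b): web-surfing services that may spawn workers but nothing else.
WEB_SERVICES = {"httpd", "mysqld"}

def train(snapshot):
    """Return the innate ('self') command names: everything running at birth."""
    return {p.comm for p in snapshot}

def classify(self_set, procs):
    """Return the non-self processes in a live process table.
    Non-self: a command never seen at birth, or a web-surfing service
    spawning a different command (apache and mysql may only surf)."""
    by_pid = {p.pid: p for p in procs}
    non_self = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        unknown = p.comm not in self_set
        misused = (parent is not None and parent.comm in WEB_SERVICES
                   and p.comm != parent.comm)
        if unknown or misused:
            non_self.append(p)
    return non_self

def macrophage_scan(self_set, procs):
    """One polling pass of a digital macrophage: the PIDs it would kill.
    The kill itself is left out; a deployment would call os.kill here."""
    return sorted(p.pid for p in classify(self_set, procs))

# Constructed live table after going online: visitors created a new apache
# worker (self); an intruder who got in through a server bug opened a shell,
# compiled a program and created a user (non-self).
LIVE_TABLE = TRAINING_SNAPSHOT + [
    Proc(903, 901, "httpd"),      # new PID, known command, worker -> self
    Proc(1200, 903, "sh"),        # shell spawned by a worker -> non-self
    Proc(1201, 1200, "gcc"),      # compiling a program -> non-self
    Proc(1202, 1200, "useradd"),  # creating a new user -> non-self
    Proc(1203, 903, "mysqld"),    # self name run by a worker -> non-self
]
```

The paper's own limitation applies unchanged: an intrusion that starts no process on the server (port scanning, weak password lookups, DoS) leaves this scan with nothing to report.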
This response to any kind of intruder does not address specific system bugs directly. It is a first, generalized defense reaction of the system against intruders of any kind. Of course, macrophages will recognize new processes as self if they are web surfing processes of the same innocuous kind as the processes generated during the training phase. This method has the advantage of blocking never-before-encountered infections well – exploits based on new server bugs or new attack methods. NAIS will counter all new infections right away, and block them quite effectively.

The number of macrophages running on a machine is not constant, but varies between a lower and an upper threshold; both of them are established experimentally. Between these boundaries, the number of macrophages may be increased by the immune system itself, either to replace macrophages killed by intruders, or simply to improve the performance of NAIS. If the number of macrophages drops below the lower threshold, new macrophages will be automatically created. The upper threshold makes sure that an overwhelming number of running macrophages does not affect the performance of NAIS negatively. Both thresholds have to be optimized experimentally because they depend on the hardware features and the workload of the server.

NAIS has been developed as a Linux-based intrusion-detection system for a LAN running different services on different machines. Presently, NAIS is executed on two server machines, on which we previously installed a web server, apache, and an ftp server, vsftp. Intensive testing is still underway, but excellent intrusion detection performance has already been established. NAIS has been tested on a PIII server with 1Gb RAM, running Apache 1.3.31 and 1.3.27 under Linux Red Hat 7.1. On a machine of this type the number of running macrophages was always between 15 and 50. Two kinds of tests have been performed to this day:

a. tests generating new processes: opening shells, creation of new users with root privileges;
b. tests that do not generate new processes: weak password lookups, sniffing information on legitimate users of the tested computer.

NAIS does not block attacks that do not execute processes on the attacked computer – such as port scanning, weak password lookups, DoS attacks. An intruder will still be able to gather information on the system, and access the machine via its bugs, but this will result in no harm, because NAIS will block the execution of any subsequent illegitimate operation.

5 Conclusions

NAIS is an intrusion detection system based on the idea of providing computer networks with the technological equivalent of an innate immune system. NAIS works on machines on which either a web server or an ftp server has been installed. Though still at a preliminary stage, NAIS provides a completely reliable discrimination between normal and abnormal processes. It is able to detect and protect servers against new and unknown attacks, and is quite effective in denying foreign processes access to the server. NAIS is not meant to replace firewalls, and will therefore not block attacks that do not execute processes, such as port scanning or DoS attacks. An intruder will still be able to gather information on the system, and access the machine via its bugs, but this will result in no harm, because NAIS will block the execution of any subsequent illegal operation.

Future work will be devoted to extending NAIS to different services: telnet, ssh and possibly others. This requires solving the problem of finding a strong definition of self and non-self processes in the specific context of these services. This is no easy task because for these services the a priori behavior of each user is unknown. Moreover, making a comprehensive list of self processes during the training phase is not possible.

Acknowledgements

We are pleased to thank José Bidot and his research group at Segurmática, La Habana, Cuba, for the fruitful and pleasant discussions with them, and their useful suggestions.

References

1. L.N. de Castro, J. Timmis, Artificial Immune Systems: A New Computational Intelligence Approach, Springer-Verlag, Heidelberg, New York, 2002.
2. P. D'haeseleer, S. Forrest, P. Helman, An immunological approach to change detection: algorithms, analysis and implications, 1996 IEEE Symposium on Security and Privacy, IEEE Computer Society Press, 1996.
3. F. Esponda, S. Forrest, P. Helman, Positive and negative detection, IEEE Transactions on Systems, Man, and Cybernetics, in press, 2004.
4. S. Forrest, S. Hofmeyr, A. Somayaji, Computer immunology, Communications of the ACM, Vol. 40, No. 10, 1997.
5. S. Forrest, S. Hofmeyr, A. Somayaji, T. Longstaff, A sense of self for UNIX processes, 1996 IEEE Symposium on Security and Privacy, IEEE Press, 1996.
6. S. Forrest, A. Perelson, L. Allen, R. Cherukuri, Self-nonself discrimination in a computer, 1994 IEEE Symposium on Research in Security and Privacy, IEEE Computer Society Press, Los Alamitos, CA, 1994.
7. S. Hofmeyr, S. Forrest, Architecture for an artificial immune system, Evolutionary Computation, Vol. 7, No. 1, Morgan-Kaufmann, San Francisco, CA, 2000.
8. A.O. Tarakanov, V.A. Skormin, S.P. Sokolova, Immunocomputing: Principles and Applications, Springer-Verlag, Heidelberg, New York, 2003.