Cybersecurity as a Living Thing

Blind monks examining an elephant by Hanabusa Itchō [Public domain], via Wikimedia Commons
Our immune systems, nervous systems, and even fungus-mediated networks in the forest may hold keys to cybersecurity.

In my recent article “Escaping Dark Age Cybersecurity Thinking”, I attributed much of what is wrong with our approach to securing our computers, networks and automated things to antiquated “Motte and Bailey” thinking, but only hinted briefly at what should replace it. I wrote:

What we need in cyber security is not a firewall, not a motte and palisade to keep our bailey inviolate, but an immune system.

In this article, I will expand on that idea, explaining how a dynamic, responsive, intelligent system approach is better suited to our modern needs than simple barrier methods. This approach is in many ways a complement to what I described variously—and somewhat poetically—as “the Way of Security, the Tao of Awareness” in my earlier article “The Ancient Art of Cybersecurity”.

In “Dark Age”, I wrote about how a simple fort might be surrounded by a wall with a single gate, but as castles, towns and cities became larger and more complex, the walls required more gates, more ports, more ways in and out. At the same time, life within the walls became more and more complex and dangerous. This led to a revolution in urban security: the infrastructure-based work of Paris’s first police chief, and those who followed.

This serves as a good metaphor for the evolution of cybersecurity thinking. But just as the huge growth of cities since M. de la Reynie’s day has stretched the capabilities of the systems he introduced, the complexity of our high-tech landscape, our computers, networks, mobile devices, self-driving cars, and the emerging Internet of Things (IoT), suggests that it is time for a different metaphor, a different approach.

Just as the palisade or the city wall was an enclosure designed to be a barrier protecting the inner bailey from dangers outside, human skin, or that of any animal, can be seen as a barrier. Moreover, just as the city walls required multiple ports or gates, our bodies must have many openings so that we can eat, breathe, excrete, reproduce, see, hear and so forth. Coat us in an impenetrable barrier and we would die.

Just as cities became ever larger, with more and more people inside the wall, each a potential danger, our bodies contain both systems of body parts and innumerable microorganisms, some of which we would die without and some of which are a danger to us. Likewise, our homes, offices, phones, cars, city streets, our very lives are host to an ever increasing number of automated systems, programs, applications and devices, and more and more these are all connected in a webwork of communications networks.

Starting with the Immune System

So let’s look at the analogy between the human immune system and the problem of ensuring cybersecurity. The following description borrows from a 20-year-old artificial immune system project and other descriptions of the human immune system, including Wikipedia’s.

When an antigen enters the body, two means are used to neutralize it. The first is the innate immune system, which consists of barriers, such as the skin and mucus, functions such as fever and inflammation, and various cellular and chemical processes. The second is the adaptive immune system, comprising a complex system of specialized cells that learn to recognize and combat antigens.

Immunization, the process of inducing an immune response, may be either active—acquired when the body responds to infection—or passive—when the antibodies from an actively immunized individual are transferred to a second, non-immune subject. The components of these systems are transported throughout the body via the circulatory and lymphatic systems. A key factor in the operation of the system is detecting the difference between self and non-self cells.

If we replace the term “antigen” with “malware”, “body” with “system” or “network”, “cell” with “software” and so on, we can come up with a simple, but suggestive analogy, and in fact, earlier projects did just that. However, I think that it is worthwhile to take a less literal approach. What I see as key here is that the immune system is a multi-layered system that combines passive and adaptive elements, that can learn and communicate, and is embedded throughout the higher-level system that it is part of.

The body’s defenses start with barriers built along natural boundaries, like a motte & bailey castle—the skin is a good example. Beyond that, like later cities and towns that grew up around the early forts and castles, the body uses what security people call “Defense in Depth”, additional barriers, such as mucous membranes, the walls of the digestive system, and the membranes that surround various organs and cavities. At a lower level, each cell is protected by a cell membrane. Likewise, our networks and computers often each come with firewalls; system code runs in protected address space, and so on.

These various walls, gateways and filters represent layers of static “innate” defenses, which are often augmented by simple automated systems that deal with intruders in non-specific ways. In descriptions of the immune system, these ancillary systems are termed the “complement system”. This innate machinery is something we share with plants and other simple life forms; what sets apart the immune system of higher animals (jawed vertebrates and the like) is the adaptive immune system.

The specific details of the workings of the adaptive immune system, with its elaborate B cells, T cells, effector and memory cells, dual signaling and so forth are fascinating but not particularly relevant.

What is important about the adaptive immune system is that it supplements the innate immune system, learning to recognize pathogens by their features or their behaviors and actively defending against them. And while there are organs with specialized immune functions, such as the bone marrow, the system is present throughout the entire body, not just at the orifices which act as ports in the wall.

A cybersecurity system designed to mimic the functions of the immune system would likewise be active, pervasive, and capable of learning, and not merely located at points of ingress through the protective walls at the boundaries. It would also be part of the architecture of the system and not an after-market add-on.

Machine learning gives us some very real opportunities for creating systems that can detect anomalies, behaviors, and structures that are not the system responding to the commands and needs of the user, but rather malicious software operating for its own purposes.

For the last quarter century, anti-virus software has generally worked by looking for files whose code contains characteristics of known malicious software, comparing them against databases of “signatures” that it receives in periodic updates. In some ways, this resembles the way vaccines are used to distribute antibodies. Unfortunately, it is a remedy that can be applied only after an outbreak has occurred and an example of the malware has been obtained. Using machine learning trained on a sufficiently large pool of malware, a system should be able to recognize threats based upon either code elements or the behavior of the malware or of the infected system.
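The limitation can be sketched in a few lines of Python. This toy scanner (the “payloads” and signature database are invented for illustration, not real malware data) shows why signature matching, like a vaccine, only helps once a sample has already been captured:

```python
import hashlib

# Hypothetical signature database: hashes of known-bad files, the kind
# of thing a traditional anti-virus update would deliver.
SIGNATURE_DB = {
    hashlib.sha256(b"malicious-payload-v1").hexdigest(),
    hashlib.sha256(b"malicious-payload-v2").hexdigest(),
}

def scan(file_bytes: bytes) -> bool:
    """Return True if the file matches a known malware signature."""
    return hashlib.sha256(file_bytes).hexdigest() in SIGNATURE_DB

# A signature scan only catches samples already in the database:
print(scan(b"malicious-payload-v1"))  # True  -- known sample
print(scan(b"malicious-payload-v3"))  # False -- a novel variant slips through
```

A behavior-based or ML-based detector, by contrast, aims to flag the novel variant by what it does rather than by what its bytes hash to.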

For instance, a few months ago, a number of services became unavailable to a significant portion of the Internet because of a Distributed Denial of Service (DDoS) attack launched by a botnet comprising many thousands of IoT devices—webcams and DVRs. The compromised devices used in this attack suddenly changed their behavior, sending large numbers of requests to the DNS service Dyn. A cybersecurity expert—or a properly trained AI—could easily recognize this behavior as typical of botnets and DDoS attacks, and take immediate remedial action.
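A minimal sketch of that kind of behavioral detection, assuming we keep a simple per-device history of DNS request counts per minute (the numbers and the three-sigma threshold are illustrative, not taken from any real product):

```python
from statistics import mean, stdev

def is_anomalous(history, current, threshold=3.0):
    """Flag the current request count if it sits more than `threshold`
    standard deviations above the device's historical baseline."""
    mu, sigma = mean(history), stdev(history)
    # Floor sigma at 1.0 so near-constant baselines don't over-trigger.
    return current > mu + threshold * max(sigma, 1.0)

# A webcam normally issues a handful of DNS lookups per minute...
normal_rate = [4, 6, 5, 7, 5, 6, 4, 5]
print(is_anomalous(normal_rate, 6))    # False -- business as usual
print(is_anomalous(normal_rate, 900))  # True  -- botnet-like flood
```

A real system would track richer features than a single counter, but even this crude baseline would have noticed a DVR suddenly hammering a DNS provider.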

An adaptive system could also take into account information such as what application is generating the unusual behavior, whether it has been signed, whether it came from a trusted source, and whether the user is actively using the device, as well as what sort of device it is. A system capable of machine learning ought to be able to diagnose and deal with suspected malware based on this sort of input.
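As a toy illustration, such inputs could be combined into a single suspicion score. The signal names and weights below are entirely hypothetical; a genuinely adaptive system would learn such weights from data rather than hard-code them:

```python
# Hypothetical weighting of the trust signals discussed above.
SIGNALS = {
    "code_signed":       -2.0,  # signed code is less suspicious
    "from_app_store":    -1.5,  # curated source lowers suspicion
    "user_active":       -1.0,  # activity during active use is less odd
    "unusual_traffic":   +3.0,  # anomalous network behavior
    "unknown_publisher": +2.0,  # no traceable provenance
}

def suspicion_score(observations: dict) -> float:
    """Sum the weights of whichever signals were actually observed."""
    return sum(SIGNALS[name] for name, seen in observations.items() if seen)

# An unsigned app from an unknown publisher generating odd traffic
# while the device sits idle scores high enough to act on:
obs = {"code_signed": False, "from_app_store": False, "user_active": False,
       "unusual_traffic": True, "unknown_publisher": True}
print(suspicion_score(obs))  # 5.0 -- quarantine-worthy
```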

Existing operating systems already have access to much of this data, and use it in a limited way. Apple’s Mac OS, for instance, knows whether an application was obtained from the App Store, downloaded from the Internet or installed from external media, and will ask the user to confirm that they intentionally downloaded an app from the web the first time they run it. Access to this sort of information is one of the reasons that immune system-like security software should be fully integrated into the host operating system. Third-party antivirus and security software often has to reverse engineer its way into the system, effectively taking the role of an invasive foreign body, the sort of thing that an immune system would naturally protect against.

This brings us to an area where the immune system analogy breaks down, or is at least stretched. One of the main functions of an immune system is to distinguish self from non-self cells and substances. Immune systems are not well suited to accommodating new beneficial additions; witness the rejection of transplanted organs. Given how often we add new programs to our computers, apps to our mobile devices and devices to our networks, cybersecurity systems need to be able to handle the equivalent of frequent transplants, something an immune system is not designed for.

An Apple “foreign body” warning as the user sees it, along with the data that allowed the OS to trace the app back to the zip file it came from and to the web site that the zip, in turn, came from.

Contemporary computer operating systems have had to develop more sophisticated techniques to distinguish desired, transplant-like additions from the intrusion of foreign malware. Apple, for instance, tags applications, and the Zip or other archives that contain them, when they are downloaded from the Internet, in order to warn the user and seek confirmation the first time the user runs them. Tracing the app’s heritage to the zip file, and from there to the browser and the specific web page, is in some ways similar to checking its DNA. Other mechanisms used for this purpose are insisting that apps come from a curated app store and checking cryptographic signatures on all files containing code.
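The self/non-self check by signature can be sketched with Python’s standard library. Note the simplification: this uses a shared-secret HMAC as a stand-in, whereas real code signing relies on public-key certificates, and the key and code samples here are invented for illustration:

```python
import hmac
import hashlib

# Hypothetical platform key: the OS "signs" trusted code with it, and
# anything whose tag fails to verify is treated as non-self.
PLATFORM_KEY = b"hypothetical-platform-key"

def sign(code: bytes) -> str:
    """Produce an authentication tag for a blob of code."""
    return hmac.new(PLATFORM_KEY, code, hashlib.sha256).hexdigest()

def is_self(code: bytes, tag: str) -> bool:
    """Constant-time check that the code carries a valid platform tag."""
    return hmac.compare_digest(sign(code), tag)

trusted = b"echo 'hello'"
tag = sign(trusted)
print(is_self(trusted, tag))              # True  -- recognized as self
print(is_self(b"tampered payload", tag))  # False -- foreign body
```

The point of the sketch is the shape of the mechanism: trust follows from a verifiable cryptographic lineage, not from where a file happens to sit on disk.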

Being able to recognize devices and code as self or trusted by means of cryptographic signatures and manner of ingress, while allowing for ways to extend trust to new devices and apps, is a desirable enhancement to the design of a “cybersecurity immune system”, hence my claim that the analogy needn’t be too constraining. Here, as it happens, nature provides us with other instructive models beyond the immune system.

More Than an Artificial Immune System

The salient aspects of the immune system identified above can be summarized as follows. It is:

  • A distributed detection system, pervading the system it defends
  • Layered: (1) static, (2) non-specific reactive, (3) “intelligent”/adaptive
  • A learning system, distinguishing harmful from neutral/self

In all of this, it is like a number of other systems in nature, such as the human nervous system and the mycorrhizal systems of the world’s forests.

The comparison to the nervous system is the most obvious. The ability to learn is a major component of both the nervous and immune systems. Where they differ is that command and control, along with communications, is the main feature of the nervous system, and that the nervous system is much more tightly integrated than the immune system. That tightly integrated dedication to learning and recognizing can help us in designing our dynamic cybersecurity defenses. Rather than using mechanisms that parallel those of the immune system, we can base the learning and recognition components on AI techniques that are themselves modeled, to one degree or another, on the mechanisms of the nervous system. Early artificial neural nets were only crude analogues of real neurons; the more sophisticated Deep Learning techniques are closer, and the biologically constrained design of Jeff Hawkins’ HTM strives to simulate the detailed workings of the human neocortex.

In fact, we see an increasing number of stories these days about the use of AI for detecting and combating malware (see, for instance, this paper surveying the field). AI is being used in many point solutions; weaving those diverse systems into a coherent, collaborative whole is what is needed to make them more immune-system-like. The difficulty, though, is that to be immune-system-like, one would need a coherent system tying together all the devices and networks in a residence, small business or enterprise.

While it is possible to create such a system where the preponderance of devices come from a single architecture or vendor, IoT is growing so quickly that “foreign devices” are inevitable. I might be able to use iMacs and MacBooks for my computers, iPhones, iPads and Apple Watches for my mobile devices, AirPorts and Time Capsules for routing and backup, but Apple doesn’t make the TVs, thermostats, lights, networked scales, door bells and household security systems and so on that are wending their ways into our lives. The same is true of Google or Microsoft’s ecosystems. Monocultures are only plausible if we are very limited in the number and types of devices we adopt.

This is where another natural system may serve as an example, specifically mycorrhizal networks (networks of fungus, the roots of trees and other plants). Over the last few decades, we’ve been learning a lot about the importance of networks of mycelia (the underground root-like mass of fungi that lies beneath the mushrooms and similar above-ground parts of the system) and plant roots (“rhiza” in scientific lingo). It turns out that both information and resources are transported from place to place through these networks, causing some to dub them “the wood wide web”.

It has been shown that large trees whose leaves get a lot of sunlight actually share some of the carbon that their photosynthesis pulls out of the air with smaller, shaded plants and with plants that have no chlorophyll. More importantly, in terms of the analogy to animals’ immune systems, plants that have been attacked by blights or insects, and which then produce chemical defenses against these attackers, have been shown to share those chemicals through the network with nearby plants, which then start to produce them on their own, giving them a jump start on their own defenses. The network acts almost as if it were the adaptive immune system of a large “organism” comprising the many plants and fungi spread out over a whole forest.

The individual plants and fungi in a given mycorrhizal network are, of course, separate organisms from separate species (and much more than that, fungi being a completely separate taxonomic kingdom from plants or animals, closer, perhaps, to the animals). Nonetheless, they have coevolved into an ecosystem that collaborates to the advantage of all. While each has its own goals, its own design, they fit together into a dynamic, working whole. We often paint nature in terms of competition, but that tells only one side of the story. The more we understand its workings, the more we see the interdependencies. It’s not just something that happens in the forest. If we study the human body, we find that many of our vital processes, such as digestion are facilitated by microbes that are not actually part of our human body. If we study the workings of individual cells, we find that they contain organelles that are believed to have their origins as separate micro-organisms, such as mitochondria in animals and chloroplasts and other plastids in plants.

Clearly, the precise mechanisms by which various chemical signals are transmitted through these networks are not applicable to cybersecurity design. But the lessons we have to learn from them can also be found elsewhere. The first is a principle we can also see in the works of Enlightenment-era philosophers and economic theorists: “Enlightened Self-Interest”, the notion that when the system as a whole is healthy, that is good for the constituent individuals. The second is that a collection of very disparate entities can work together and form what amounts to a living organism. Simple mechanisms can lead to very complex behaviors.

Mycorrhizal networks have been covered in both scholarly articles (cf Rooting Theories of Plant Community Ecology in Microbial Interactions), and the popular press (see Plants talk to each other using an internet of fungus), and Suzanne Simard has a TED Talk (How trees talk to each other) on the subject, for those who want to learn more.

Pulling it all together

And so that brings us around to the blind men and the elephant that I used as the banner for this story.

by Herbert E. Martini, via Google Books and Wikimedia Commons

The important thing about the elephant is not that his trunk is like a snake, his leg like a tree and his tail like a rope, but that he is a living animal, a complete, self-sustaining system. No part would survive without the rest. Just so, the ecosystem that comprises our networks, computers, mobile and smart devices, needs to be seen as a whole, and the cybersecurity system must be adaptive, coördinated, capable of learning and communicating. It must, in short, be dynamic and reactive much like a living organism, an ecosystem or a large modern city. It cannot afford to be static, piecemeal, and ad hoc, relying on mere isolation to protect it, nor selfish to the exclusion of mutual self-interest.

Finally, just as no animal or other macroscopic living organism is 100% completely free of invasive microorganisms, just as no city is perfect, without crime and dangers, our complex cyber environment can never be perfectly secure. What it can be, if it and the cybersecurity system that protects it are well enough integrated and tuned to the threat level of its environment, is healthy.