Beyond Crypto: Adaptive Security
A recent workshop held at the
Santa Fe Institute brought together researchers working on innovative
alternatives to today's crypto-centric approach to security. These
methods are refreshing in their approach and could easily be integrated
into today's systems.
Anyone involved with securing systems nowadays is likely to become
rather too involved with only one part of the problem: Prevention. In
Bruce Schneier's Secrets and Lies, he stresses the importance of
"the rest" of the analysis: Detection and Response, which together
with Prevention form the synergistic triad of security.
Bruce can take heart: a recent Santa Fe Institute workshop entitled "Resilient & Adaptive
Defense of Computing Networks" is setting the stage for a different
approach to security, one modeled on the resilience often seen in
nature. These techniques are adaptive: they respond in natural ways
to the behavior of the system. One holds opinion polls amongst the
participating cache servers to agree or disagree on the integrity of
the data they hold. Another examines the packet traffic within a
network for signatures of "normal" use and responds when abnormal
behavior is seen.
Another interesting theme is that several techniques can be used
together, one protecting from virus attacks, another from break-ins, a
third guarding data integrity, another checking the subnet health. The
Whole is greater than the Sum of the Parts in these situations. By
their simplicity and independence, these adaptive approaches avoid the
brittleness typical of Prevention-only systems. Much of this work
originated with Stephanie Forrest's ground-breaking "Computer
Immunology" work at the University of New Mexico.
Let me give one concrete example to illustrate these
approaches. This is from Matt Williamson, of HP Research Labs, and
earlier a student of Stephanie's. It is based on the observation that
systems tend to limit the number of hosts they talk to at any given
moment. Matt keeps a short list (5 is common) of "active" hosts
that get a full-speed response from the computer. New hosts are put
into a queue that is slightly delayed, typically by a second. As old
active hosts age, they are replaced by the new hosts, which now operate
at full speed.
This approach works quite well, tolerating "false positives" yet
effectively throttling viruses. And it and others like it are
getting interested coverage in the media.
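
The throttle described above can be sketched as a small simulation. This is an added example, not Matt Williamson's code: the class and function names, the traffic samples, the one-release-per-delay queue policy and the oldest-first eviction are assumptions made for illustration.

```python
from collections import OrderedDict

class HostThrottle:
    def __init__(self, active_size=5, delay=1.0):
        self.active_size = active_size
        self.delay = delay
        self.active = OrderedDict()    # recently contacted hosts, oldest first
        self.pending = OrderedDict()   # new host -> scheduled release time
        self.last_release = float("-inf")

    def _drain(self, now):
        # Promote queued hosts whose release time has passed.
        while self.pending:
            host, when = next(iter(self.pending.items()))
            if when > now:
                break
            del self.pending[host]
            self.active[host] = None
            if len(self.active) > self.active_size:
                self.active.popitem(last=False)   # oldest host ages out

    def request(self, host, now):
        """Return the time at which a connection to `host` may go out."""
        self._drain(now)
        if host in self.active:
            self.active.move_to_end(host)   # still in use: keep it fresh
            return now
        if host not in self.pending:
            # Assumption: the queue releases one new host per `delay` seconds.
            self.last_release = max(now, self.last_release) + self.delay
            self.pending[host] = self.last_release
        return self.pending[host]

def simulate(events, **kw):
    """events: (time, host) pairs in time order -> list of per-request delays."""
    throttle = HostThrottle(**kw)
    return [throttle.request(host, now) - now for now, host in events]

# Constructed traffic: a user revisiting four servers vs. a fast scanner.
NORMAL = [(float(i * 3), f"srv{i % 4}") for i in range(20)]
SCAN = [(i * 0.01, f"10.0.0.{i}") for i in range(1, 101)]

if __name__ == "__main__":
    print("normal: max delay %.2fs" % max(simulate(NORMAL)))
    print("scan:   last host delayed %.2fs" % simulate(SCAN)[-1])
```

The normal workload pays one second per new server and nothing afterwards, while the scanner's hundredth new host waits about 99 seconds because each new destination queues behind the previous one.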
Generally, these systems have in common the idea of the computer
monitoring its environment, and learning what is normal behavior for
that system. By carefully allowing new behavior to be first
checked, then adapted to, false positives are made benign.
Robert Ghanea-Hercock, who holds these workshops at
SFI, notes that the next workshop will be November 5-6 2003, just
preceding SFI's Annual Business Meeting.