Charles Darwin's 1st Edition of On the Origin of Species will be 150 on the 24th of November 2009. Given the complexity of Information Security and the rate at which the security landscape changes, it might be appropriate to see if the concepts of Evolutionary Biology can be applied to Security.
In Evolutionary biology there is a concept referred to as the Red Queen hypothesis. Van Valen defined the Red Queen hypothesis as follows: "For an evolutionary system, continuing development is needed in order to maintain its fitness relative to the systems it is co-evolving with." The name of the hypothesis is based upon Lewis Carroll's Through the Looking Glass, in which the Red Queen tells Alice, "It takes all the running you can do, to keep in the same place. If you want to get somewhere else, you must run at least twice as fast as that!"
Security appears to fit well within the conditions of the Red Queen hypothesis. It is an evolving system composed of co-evolving entities. For example, an enterprise creates an information system in an effort to assist in accomplishing a business goal. In order for the information system to be successful, it must contain a set of strategies that will allow it to accomplish the business goal in a way that does not compromise the goal in the process. These strategies are implemented in order to deal with existing threats (crackers, insiders, malware, etc.), and in order for these threats to continue to survive, they must either modify their existing strategies or evolve entirely new strategies. The system must then deal with these new strategies and respond. On the other hand, it could choose to ignore these evolved strategies, but then the business goals would become compromised. So each side must continue to evolve in order to survive, and so the race continues.
When attempting to draw parallels between evolutionary biology and information security, it is helpful to think of things with a slightly different terminology. Instead of thinking about attackers using exploits and defenders using signatures, these can be thought of as entities employing various strategies in competing for resources. In the case of evolutionary biology, this would be organisms using whatever characteristics or tools they have to exploit resources in the environment that allows for their survival, while in information security, it would be the various programs competing for processor cycles and system resources. Although there is a selection process for determining what survives in information security, it is not natural selection. Natural selection requires four conditions to operate (based upon those found within Evolution, 3rd Edition by Mark Ridley):
- Reproduction - Entities must reproduce to form a new generation.
- Heredity - Entities produced via reproduction must tend to possess the characteristics (e.g. traits) from the previous generation.
- Individual Variation - The population of entities is not identical.
- Characteristic Fitness - Individual characteristics have varying degrees of fitness which allows them to propagate their traits to subsequent generations.
The idea of applying evolutionary biology to information security was the result of recently completing the Selfish Gene (Dawkins), the Red Queen (Ridley), and the Extended Phenotype (Dawkins).