Friday, March 6, 2009

Evolutionary Costs and the Life/Dinner Principle

As illustrated previously, the time it takes to evolve strategies and/or the ability to exploit existing environments (or a population) is important. An additional factor to consider when examining exploits is their associated costs. Within evolution these are referred to as evolutionary costs.

There are costs associated with utilizing a strategy, evolving a new strategy, and neglecting the use of an existing strategy.
  • In utilizing a strategy, an entity must pay the costs of maintaining that strategy. Employing a strategy, or even retaining the capability, consumes resources that could have been spent elsewhere.
  • Evolving a new strategy also consumes resources, and those resources have to be taken from another source. They come from resources that could have been spent to refine another strategy, develop a different strategy, or continue using an existing strategy (i.e. a current strategy is allowed to atrophy).
  • Lastly, neglecting the use of an existing strategy can cost an organism its survival, because the organism may have misspent resources. Not using an existing strategy can adversely affect an entity in that the resources consumed during development of a new strategy could have been used elsewhere to form a necessary new strategy (and are considered to have been wasted in this effort).

Evolution and development are two different concepts within evolutionary biology. In simple terms, evolving refers to the process of creating a strategy through natural selection. Development is the process of creating a strategy for an individual entity. To illustrate the difference more clearly: birds as a class have evolved wings, but as individual embryos in the egg they develop wings.

When dealing with the costs of employing strategies for survival, it should be noted that the costs are not shared equally among the entities involved. This potential asymmetry is summed up in the life/dinner evolutionary principle (popularized in both The Selfish Gene and The Extended Phenotype by Richard Dawkins, but originated by M. Slatkin in Models of Coevolution). Slatkin uses the rabbit and fox from one of Aesop's fables to illustrate the basic idea of the asymmetrical costs associated with the life/dinner principle.

Consider the case in which a rabbit is being chased by a fox. The rabbit is running for its life, while the fox is only running for its dinner. The cost of failing is different for each of them. If the rabbit fails, it loses its life; if the fox fails, it only loses its dinner. So the rabbit is going to be willing to spend more to ensure its survival in a given race, because if it is unsuccessful there will not be another generation of rabbits produced (at least from this rabbit's germ line). The fox can afford to lose this specific race, because if it fails it will have an opportunity to pursue another rabbit in the future.

It could be argued that if, after several of these races, the fox remains unable to catch a rabbit, it could very well be facing its final race too. This is true, but if you compare the costs associated with a single race, the rabbit still faces the more severe cost of failure.

Within this co-evolutionary race, the rabbit and the fox can each pursue a number of different strategies to ensure their survival. The simplest way to continue the race is for the fox to attempt to run faster and for the rabbit to attempt to run faster. It is important to consider that this is not the only strategy the rabbit can pursue: it could also develop better camouflage, develop better sensory systems to learn of the fox's presence before he comes too close, become more maneuverable so that if the fox does pursue him he can outmaneuver the fox and escape, or just produce so many rabbits that the likelihood of a single individual becoming dinner is small. In general, whichever method becomes more prominent in the rabbit population, the fox will have to escalate his attacks to deal with these new strategies.

Although co-evolution is occurring in the rabbit/fox competition, there are costs and trade-offs associated with each of these potential advancements. This is evident from the fact that we do not see rabbits that can run arbitrarily fast (outside of cartoons and comics). Evolving a strategy has costs: the development takes resources that could have been devoted to creating, or even just maintaining, something else. In the security field there are trade-offs which must be considered, and the penalties for not maintaining the proper balance of strategies can be just as severe for an information system as they are for a rabbit.

The penalty asymmetry is commonly seen in the development of an information system. When a system is designed, it has to address all of the threats that will be present in its environment, but an attacker only needs to find one successful strategy to compromise the system. An attacker also has additional advantages:
  • They do not expect to compromise every system they encounter. If they are unsuccessful in exploiting the initial target, they can move on to another system. It is built into their strategy that they will not compromise every system they encounter, only just enough to find dinner.
  • They have time to attempt multiple strategies against the system and can continue using different combinations of strategies until they find one that works.
  • They do not have to play by the rules. Even more than that, they have no expectation that they are going to stay within the design requirements of the system.

In the general case in evolutionary biology, if an animal's strategy fails, it pays the costs of that failure directly. Within information security, by contrast, those who fail do not necessarily pay the costs of the failure. For example, spear phishing (i.e. targeted phishing) and whaling target an individual within an organization to gain access to its resources and information. When an individual opens an email that contains a targeted attack, although they are the cause of the failure, it is the organization which pays the cost of the failure. Another consideration in information security is who pays the cost of failure.

In addition to the response lags to develop or deploy new strategies and the time it takes to exploit other resources, there are costs for developing, maintaining and even using evolutionary strategies. These evolutionary costs are also not necessarily paid evenly by all involved in the Red Queen race.
