Tuesday, July 7, 2009

Reducing the Time for Adaptation

Periodically, security professionals and security vendors tout the idea that reducing the reaction time between an event and the deployment of a counter-strategy could resolve the evolutionary arms races within information security. This idea is similar to an Observe, Orient, Decide and Act (OODA) loop.

In strategy, Boyd's OODA loop emphasizes the idea that reducing the time required for planning and reacting faster than an opponent provides an advantage and increases the likelihood of the opponent making a mistake. By decreasing the time required to react appropriately to a situation, the initiative is maintained and the opponent is always responding to the situation. The more time an opponent spends reacting, the less time they have to observe and plan, increasing the likelihood that a mistake will be made. This concept was raised recently in the panel discussions at the CATCH 2009 conference. References to this type of strategy arise periodically from anti-malware vendors, in the form of the claim that if the time between the release of malware and the release of generally available anti-malware signatures can be reduced, it could help to solve or alleviate the malware threat.

Applying the OODA loop, or simply reducing the reaction time, could go a long way towards alleviating the malware threat. But it should be considered that malware will always be able to evolve more quickly than an operating system, a web application, a database or even the anti-malware tool: it has the initiative, and it is typically smaller in size and less complex. Looking at this strategy from an evolutionary biology perspective, it resembles the Red Queen hypothesis describing the co-evolution of diseases/parasites and their hosts, and likewise the evolutionary arms race between malware and the rest of the information security community (anti-virus, browsers, office automation applications, operating systems, application services, etc.). Viruses have genomes on the order of 10^4 base pairs, bacteria have genomes on the order of 2x10^6 base pairs, and humans have genomes on the order of 6.6x10^9 base pairs (Evolution 3rd Edition, Ridley). Modern operating systems have about 40 - 55 million lines of code (equating to 2.5 - 4 GB installed), while most malware is a few orders of magnitude smaller, approximately 119 - 134 KB in the case of Conficker.

As is the case with viruses and other more complex organisms in the real world, smaller organisms are capable of evolving at a much faster rate than large complex organisms. Consider RNA viruses, which have a mutation rate of about 1 mutation/generation, while bacteria have about 10^-3 mutations/generation and humans have about 200 mutations/generation (Evolution 3rd Edition, Ridley and Evolutionary Biology 3rd Edition, Futuyma). Some diseases mutate frequently enough that every replication event carries a real likelihood that the disease will have changed. Although humans have a much higher mutation rate per generation than diseases (such as viruses and bacteria), the generation span of a human is much longer than that of most diseases. The generation span of a human is on the order of 15 - 30 years, while diseases typically have generation spans on the order of seconds to minutes. Per unit time, diseases (e.g. viruses and bacteria) can evolve much more rapidly, and yet large complex organisms are able to survive because they have strategies which allow them to combat these adaptations. Despite the rate at which diseases are capable of evolving, they do not always win. Influenzavirus has the potential to be fatal, but in most cases it is not considered life threatening.

Large complex organisms have multiple methods that allow them to survive in an environment where diseases can rapidly evolve. Entities with smaller genomes have effectively less space in which to maintain a set of strategies for exploiting their environment, while larger, more complex organisms have more space in which to record their survival strategies. Some bacteria use enzymes to protect against viral infections. Eukaryotes employ even more defenses against infection, while entities like vertebrates have evolved immune systems capable of responding to infection by disease. One segment of the human genome, the Major Histocompatibility Complex (MHC), contains approximately 3.6 million base pairs or 140 genes which control a portion of the human immune system. As of October 2004, the Immunogenetic Related Information Source (IRIS) database estimates the percentage of the human genome that controls the human immune system at approximately 7%, or 1562 genes. Although the percentage of the human genome related to the immune system seems small, it is important to consider that a significant portion of the human genome is inactive. It is estimated that 25% of the genome is attributed to diseases which have inserted their genetic code into our genome and are now inactive, while other sections contain pseudogenes, which are now-inactive versions of ancient genes. The percentage of the active human genome which relates to the immune system could be substantially higher than currently theorized. The cost of surviving in an evolutionary arms race can be high, as significant resources are required to defend an organism from infection by diseases and parasites.

Recently, researchers such as Banerjee (An Immune System Inspired Approach to Automated Program Verification) have looked at applying some of the methods the immune system uses to protect itself from disease, by investigating an Automated Immune System (AIS) which can be implemented in information systems.

Implementing an immune system to handle rapidly evolving threats does not eradicate the threat. Immune systems act as a selection pressure that allows only those diseases capable of adapting to survive. Some adaptations include methods for remaining undetected by the immune system, while others include methods for exploiting the immune system and subverting it for the disease's own use. In essence, these systems represent another vector through which disease can exploit a host. Human Immunodeficiency Virus (HIV) actively exploits the immune system, and will even sacrifice some of its own reproductive fitness in order to remain active in the host and survive when anti-HIV drugs are administered. Similarly, flaws in anti-malware products have allowed malware to exist and even spread in the form of computer worms. Malicious code routinely attempts to disable anti-virus before downloading and installing malicious components. In order to remain undetected, some malware will re-enable the anti-virus product afterwards to prevent the user from noticing anything conspicuous. Anti-virus software is complex enough that it has its own vulnerabilities which may be exploited by malware. In 2006, Symantec Anti-virus had a vulnerability (CVE-2006-2630) which allowed for a privilege escalation that was exploited by the W32.Rinbot.L worm.
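The disable-then-re-enable behaviour described above leaves a detectable trace from the defender's side: a protection service that stops and restarts within a short window. The following is an added example, not code from the original post, that scans a constructed service-control log for exactly that pattern. The log format, the service name "ExampleAV" and the five-minute threshold are assumptions chosen for illustration.

```python
"""Flag short anti-virus service outages in a service-control log.

Added example (not part of the original post).  The log layout, the
service name "ExampleAV" and the 5-minute threshold are assumptions.
"""
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <service> <STOPPED|STARTED>".
# One brief ExampleAV outage (about 2m45s), one long overnight outage,
# and an unrelated service restart that should not be reported.
SAMPLE_LOG = """\
2009-07-07T10:00:00 ExampleAV STARTED
2009-07-07T12:14:03 ExampleAV STOPPED
2009-07-07T12:16:48 ExampleAV STARTED
2009-07-07T18:30:00 ExampleAV STOPPED
2009-07-08T08:00:00 ExampleAV STARTED
2009-07-08T09:00:00 PrintSpooler STOPPED
2009-07-08T09:00:30 PrintSpooler STARTED
"""


def parse_events(text):
    """Parse log lines into (timestamp, service, state) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, service, state = line.split()
        events.append((datetime.fromisoformat(ts), service, state))
    return events


def find_short_outages(events, service, max_gap=timedelta(minutes=5)):
    """Return (stop_time, start_time) pairs for `service` whose outage
    lasted no longer than max_gap.

    A brief stop/start is the pattern the post describes: protection is
    disabled just long enough to install components, then restored so
    nothing looks conspicuous to the user.  Long outages (reboots,
    maintenance) are left for other checks.
    """
    outages = []
    pending_stop = None
    for ts, svc, state in sorted(events):
        if svc != service:
            continue
        if state == "STOPPED":
            pending_stop = ts
        elif state == "STARTED" and pending_stop is not None:
            if ts - pending_stop <= max_gap:
                outages.append((pending_stop, ts))
            pending_stop = None
    return outages


if __name__ == "__main__":
    hits = find_short_outages(parse_events(SAMPLE_LOG), "ExampleAV")
    for stop, start in hits:
        print(f"suspicious: ExampleAV down {stop} -> {start} ({start - stop})")
```

The check is deliberately narrow: it only pairs a stop with the next start of the same service and ignores gaps longer than the threshold, so a planned restart or a reboot does not raise an alert. In practice the same logic would be fed from the platform's service-control events rather than a text file.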

Simply reducing the response time will not eradicate the threat. It provides an advantage, but it does not solve the problem. In order to respond to diseases which are able to quickly adapt to host evolutionary responses, large complex organisms have had to evolve complex responses that do not rely on a single strategy to ensure their survival. The cost of ensuring survival in an evolutionary arms race can be high, as numerous strategies need to be available to counteract the threat of disease and parasites.
