Saturday, January 3, 2009

Enter the Red Queen

The Matrix is well known throughout the information security profession and has become ingrained within the hacker culture. The iconic scene when Neo makes the ultimate choice is a pivotal point to the mythos. But when one examines the situation, a different path appears, and perhaps the one Neo should have taken. Morpheus offers Neo the choice: "You take the blue pill; the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill; you stay in Wonderland and I show you how deep the rabbit-hole goes." Neo wants to learn the truth, so he accepts the red pill and is brought into an adjacent room to be born into the real world. There, sitting beside Neo, is a Looking Glass. While Morpheus' crew is attempting to locate Neo, the Looking Glass changes and responds to Neo's touch. Maybe he should have accepted neither pill, and gone through the Looking Glass instead. There, instead of finding the Architect in white, who created and oversees the Matrix, Neo would have found the Red Queen, who determines the strategies that the entities within the Matrix use to respond to their reality.

Charles Darwin's 1st Edition of On the Origin of Species will be 150 on the 24th of November 2009. Given the complexity of information security and the rate at which the security landscape changes, it might be appropriate to see if the concepts of evolutionary biology can be applied to security.

In evolutionary biology there is a concept referred to as the Red Queen hypothesis. Van Valen defined the Red Queen hypothesis as follows: "For an evolutionary system, continuing development is needed in order to maintain its fitness relative to the systems it is co-evolving with." The name of the hypothesis is based upon Lewis Carroll's Through the Looking Glass, in which the Red Queen tells Alice, "It takes all the running you can do, to keep in the same place. If you want to get somewhere else, you must run at least twice as fast as that!"

Security appears to fit well within the conditions of the Red Queen hypothesis. It is an evolving system composed of co-evolving entities. For example, an enterprise creates an information system in an effort to assist in accomplishing a business goal. In order for the information system to be successful, it must contain a set of strategies that will allow it to accomplish the business goal in a way that does not compromise the goal in the process. These strategies are implemented in order to deal with existing threats (crackers, insiders, malware, etc.), and in order for these threats to continue to survive, they must either modify their existing strategies or evolve entirely new strategies. The system must then deal with these new strategies and respond. On the other hand, it could choose to ignore these evolved strategies, but then the business goals would become compromised. So each side must continue to evolve in order to survive, and so the race continues.

When attempting to draw parallels between evolutionary biology and information security, it is helpful to think of things with a slightly different terminology. Instead of thinking about attackers using exploits and defenders using signatures, these can be thought of as entities employing various strategies in competing for resources. In the case of evolutionary biology, this would be organisms using whatever characteristics or tools they have to exploit resources in the environment that allow for their survival, while in information security, it would be the various programs competing for processor cycles and system resources. Although there is a selection process for determining what survives in information security, it is not natural selection. Natural selection requires four conditions to operate (based upon those found within Evolution, 3rd Edition by Mark Ridley):
  1. Reproduction - Entities must reproduce to form a new generation.
  2. Heredity - Entities produced via reproduction must tend to possess the characteristics (e.g. traits) from the previous generation.
  3. Individual Variation - The population of entities is not identical.
  4. Characteristic Fitness - Individual characteristics have varying degrees of fitness which allows them to propagate their traits to subsequent generations.
The selection process which operates on the entities within information security does not follow any of these conditions. Some programs reproduce by installation or infection, but they do not have any individual variation which natural selection can use for determining what survives to the next generation. Stated another way, there is no flow of selected characteristics between subsequent generations of programs via reproduction. Program heredity is passed on by design, and not by reproduction. In general, programs are identical when installed, although there exist some polymorphic and metamorphic malware.

The idea of applying evolutionary biology to information security was the result of recently completing The Selfish Gene (Dawkins), The Red Queen (Ridley), and The Extended Phenotype (Dawkins).