and epidemiology â could be exploited in Cyber security ... their behaviour based on the outcome of the previous experience .... [12] J. Oberheide, E. Cooke and F. Jahanian, âCloudAV: N-Version Antivirus in the Network Cloud,â University of.
Complexity theory in Cyber Security It is the mark of an educated mind to be able to entertain a thought without accepting it.” ― Aristotle, Metaphysics
1. Introduction With computer systems becoming ubiquitous and the IT lexicon becoming omnipresent in most organisations, IT security is one of the top priorities for most organisations. The annual economic impact of Cyber crime is estimated to be higher than that of the Drug trade [1] and by some estimates it’s twice as much as the economic impact of the 9/11 attack [2]. The global spend on IT Security is expected to hit $120 Billion by 2017 [3], and that is one area where the IT budget for most companies either stayed flat or slightly increased even in the recent financial crises [4]. Our traditional approaches have brought limited success so far. This article argues that principles from Complexity science – inspired by system thinking and natural science, something that has been extensively used social science, finance & economics, and epidemiology – could be exploited in Cyber security
The US Government has been preparing for a “Cyber Pearl Harbour” [17] style all-out attack that might paralyze essential services, and even cause physical destruction of property and lives. It is expected to be orchestrated from the criminal underbelly of countries like China, Russia or North Korea.
There is a need to fundamentally rethink our approach to securing our IT systems. Our approach to security is siloed and focuses on point solutions so far for specific threats like anti viruses, spam filters, intrusion detections and firewalls [5]. But The economic impact of Cyber we are at a stage where Cyber systems are much more than just crime is $100B annual in the tin-and-wire and software. They involve systemic social, United states alone [3]. economic and political components. The interconnectedness of systems, intertwined with a people element makes IT systems un-isolable from the human element. Cyber systems are complex adaptive systems that we have tried to understand and tackle using more traditional theories.
2. Cyber systems are Complex and Adaptive In very simple terms, a Complex system is any system in which the parts of the system and their interactions together represent a specific behaviour, which cannot be explained by the analysis of all its constituent parts - “the whole is greater than the sum of its parts”. The cause and effect can not necessarily be related and the relationships are non-linear - a small change could have a disproportionate impact. A traffic system is a popular example; analysis of individual cars and car drivers cannot help explain the patterns and emergence of traffic jams. While a Complex Adaptive system (CAS) also has characteristics of self-learning, emergence and evolution among the participants of the complex system. The key characteristics for a system to be characterised as Complex Adaptive are: The behaviour or output cannot be predicted simply by analysing the parts and inputs of the system
The behaviour of the system is emergent and changes with time. The same input and environmental conditions do not always guarantee the same output. The participants or agents of a system (human agents in this case) are self-learning and change their behaviour based on the outcome of the previous experience Complex processes are often confused with “complicated” processes. A complex process is something that has an unpredictable output, however simple the steps might seem. A complicated process is something with lots of intricate steps and difficult to achieve pre-conditions but with a predictable outcome. Making tea is Complex, building a car is Complicated. Complexity as a field of study isn’t new, its roots could be traced back to the work on Metaphysics by Aristotle [6]. Complexity theory is largely inspired by biological systems and has been used in social science, epidemiology and natural science study for some time now. It has been used in the study of economic systems and financial risk analysis (Refer my paper on Complexity in Financial risk analysis here).
Cyber systems need the Holism approach Most organisations have multiple layers of defence for their critical systems (layers of firewalls, IDS, hardened O/S, strong authentication etc), but attacks still happen. More often than not, computer break-ins are a collision of circumstances rather than a standalone vulnerability being exploited for a cyber-attack to succeed. In other words, it’s the “whole” of the circumstances and actions of the attackers that cause the damage. Reductionism and Holism are two contradictory philosophical approaches for the analysis and design of any object or system. The Reductionists argue that any system can be reduced to its parts and analysed by “reducing” it to the constituent elements; while the Holists argue that the whole is greater than the sum so a system cannot be analysed merely by understanding its parts [7]. Most of the modern sciences and analysis methods are based on the reductionist approach, and it works well to understand the behaviour of a wrist watch, a car or the celestial space. Reductionism has a strong focus on causality – there is a cause to an affect. When it comes to emergent systems like the human behaviour, Socio-economic systems, Biological systems or Socio-cyber systems, the reductionist approach has its limitations. The human body, the response of a mob to a political stimulus, reaction of the financial market to a merger, or a traffic jam – cannot be predicted by studying its constituent members. We have traditionally looked at Cyber security with a Reductionist lens with specific point solutions for individual problems and tried to anticipate the attacks a cyber-criminal might do against known vulnerabilities. It’s time we start looking at Cyber security with an alternate Holism approach as well.
Cyber attacks are like pathogen infections Computer break-ins are like microbial infections, they can propagate the infections; impact large portions of the population if they are “connected” to each other and on detection the systems are generally ‘isolated’; as are people put in ‘quarantine’ to reduce further spread [8]. Even the lexicon of Cyber systems uses biological metaphors – Virus, Worms, infections etc. It has many parallels in epidemiology, but the design principles often employed in Cyber systems are not aligned to the natural selection principles. Cyber systems rely a lot on uniformity of processes and technology components as against diversity of genes in organisms of a species that make the species more resilient to epidemic attacks [9].
3. Traditional approach to Mitigating security threats 3.1
Formal validation and testing
The most common approach, it relies on the testing teams to discover any faults in the system that could expose a vulnerability and can be exploited by attackers. The scope of this testing is generally the system itself, not the frontline defences that are deployed around it. For most other interconnected systems, formal validation alone is not sufficient as it’s never possible to ‘test it all’. Test automation is a popular approach to reduce the human dependency of the validation processes, but as Turing’s Halting problem of Undecideability1 proves – it’s impossible to build a machine that tests another one in all cases. Testing is only anecdotal evidence that the system works in the scenarios it has been tested for, and automation helps get that anecdotal evidence quicker.
3.2
Encapsulation and boundaries of defence
For systems that cannot be fully validated through formal testing processes, we deploy additional layers of defences in the form of Firewalls or network segregation or encapsulate them into virtual machines. Other additional defence mechanism are Intrusion Prevention systems, Anti-virus etc.
4. Complexity based approach to Mitigating security threats Approaches using Complexity sciences could prove quite useful complementary to the more traditional ways. The versatility of computer systems make them unpredictable, or capable of emergent behaviour that cannot be predicted without “running it” [9]. Also running it in isolation in a test environment is not the same as the real thing, it’s the collision of multiple events that causes the apparent emergent behaviour (recalling holism!).
4.1
Diversity over Uniformity
Robustness to disturbances is a key emergent behaviour in biological systems. Imagine a species with all organisms in it having the exact same genetic structure, same body configuration, similar antibodies and immune system – the outbreak of a viral infection would have wiped out complete community. But that does not happen because we are all formed differently and all of us have different resistance to infections. Similarly some mission critical Cyber systems especially in the Aerospace and Medical industry implement “diverse implementations” of the same functionality and centralised ‘voting’ function decides the response to the requester if the results from the diverse implementations do not match. It’s fairly common to have redundant copies of mission critical systems in organisations, but they are homogenous implementations rather than diverse – making them equally susceptible to all the faults and vulnerabilities as the primary ones. If the implementation of the redundant systems is made different from the primary – a different O/S, different application container 1
Alan Turing – a mathematician who came to fame for his role in breaking the Enigma machines used to encrypt communication messages during the second world war – proved that a general algorithm whether or not a program would even terminate (or keep running forever) for all program-input pairs cannot exist.
or database versions – the two variants would have different level of resilience to certain attacks. Even a change in the sequence of memory stack access could vary the response to a buffer overflow attack on the variants [10]. Multi variant Execution Environments (MVEE) have been developed, where applications with slight difference in implementation are executed in lockstep and their response to a request are monitored [10]. These have proven useful in intrusion detection trying to change the behaviour of the code, or even identifying existing flaws where the variants respond differently to a request. On similar lines, using the N-version programming concept [11]; an N-version antivirus was developed at the University of Michigan that had heterogeneous implementations looking at any new files for corresponding virus signatures. The result was a more resilient anti-virus system, less prone to attacks on itself and 35% better detection coverage across the estate [12].
4.2
Agent Based Modelling (ABM)
ABM is a simulation technique used to analyse and predict the behaviour of Complex adaptive systems. The individuals or groups interacting with each other in the Complex system are represented by artificial ‘agents’ and act by predefined set of rules. The Agents could evolve their behaviour and adapt as per the circumstances. Contrary to Deductive reasoning2 that has been most popularly used to explain the behaviour of social and economic systems, Simulation does not try to generalise the system and agents’ behaviour. ABMs have been popular to study crowd management, spread of epidemics, explain market behaviour and recently financial risk analysis. It is a bottom-up modelling technique wherein the behaviour of each agent is programmed separately, and can be different from all other agents. The evolutionary and self-learning behaviour of agents could be implemented using various techniques, Genetic Algorithm implementation being one of the popular ones [13]. Cyber systems are interconnections between software modules, wiring of logical circuits, microchips, the Internet and a number of users and administrators. These interactions and actors can be simulated in a model in order to do ‘what-if’ analysis, predict the impact of changing parameters and interactions between the actors of the model. Simulation models have been used for analysing the performance characteristics based on application characteristics and user behaviour for a long time now – some of the popular Capacity & performance management tools use the technique. Similar techniques can be applied to analyse the response of Cyber systems to threats, designing a fault-tolerant architecture and analysing the extent of emergent robustness due to diversity of implementation. One of the key areas of focus in Agent Based modelling is the “self-learning” process of agents. In the real world, the behaviour of an attacker would evolve with experience. This aspect of an agent’s behaviour is implemented using Genetic Algorithms. They have been used for designing automobile and aeronautics engineering, optimising the performance of Formula one cars [14] and simulating the investor learning behaviour in simulated stock markets (implemented using Agent Based models).
2
Deductive reasoning is a ‘top-down’ reasoning approach starting with a hypothesis and data points used to substantiate the claim. Inductive reasoning on the other hand is a ‘bottom-up’ approach that starts with specific observations which are then generalised to form a general theory
An interesting visualisation of Genetic Algorithm – or a self-learning process in action – is the demo of a simple 2D car design process that starts from scratch with a set of simple rules and end up with a workable car from a blob of different parts: http://rednuht.org/genetic_cars_2/ The self-learning process of agents is based on “Mutations” and “Crossovers” - two basic operators in Genetic Algorithm implementation. They emulate the DNA crossover and mutations in biological evolution of life forms. Through crossovers and mutations, agents learn from their own experiences and mistakes. These could be used to simulate the learning behaviour of potential attackers, without the need to manually imagine all the use cases and user journeys that an attacker might try to break a Cyber system with.
5. Conclusion Complexity in Cyber systems, especially the use of Agent Based modelling to assess the emergent behaviour of systems is a relatively new field of study with very little research done on it yet. There is still some way to go before using Agent Based Modelling becomes a commercial proposition for organisations. But given the focus on Cyber security and inadequacies in our current stance, Complexity science is certainly an avenue that practitioners and academia are increasing their focus on. Commercially available products or services using Complexity based techniques will however take a while till they enter the mainstream commercial organisations.
References [1] J. A. Lewis and S. Baker, “The Economic Impact of Cybercrime and Cyber Espionage,” 22 July 2013. [Online].
Available: http://csis.org/publication/economic-impact-cybercrime-and-cyber-espionage. [Accessed 17 June 2014].
[2] L. Kugel, “Terrorism and the Global Economy,” E-Internatonal Relations Students, 31 Aug 2011. [Online]. Available: http://www.e-ir.info/2011/08/31/what-is-the-impact-of-terrorism-on-the-ipe/. [Accessed 17 June 2014].
[3] “Interesting Facts on Cybersecurity,” Florida Tech University Online, [Online]. Available:
http://www.floridatechonline.com/online-degree-resources/interesting-facts-on-cyber-security/. [Accessed 12 June 2014].
[4] “Global security spending to hit $86B in 2016,” 14 Sep 2012. [Online]. Available: http://www.infosecuritymagazine.com/view/28219/global-security-spending-to-hit-86b-in-2016/.
[5] S. Forrest, S. Hofmeyr and B. Edwards, “The Complex Science of Cyber Defense,” 24 June 2013. [Online]. Available: http://blogs.hbr.org/2013/06/embrace-the-complexity-of-cybe/.
[6] “Metaphysics (Aristotle),” [Online]. Available: http://en.wikipedia.org/wiki/Metaphysics_(Aristotle). [7] S. A. McLeod, Reductionism and Holism, 2008. [8] R. Armstrong, “Motivation for the Study and Simulation of Cybersecurity as a Complex System,” 2008. [9] R. C. Armstrong, J. R. Mayo and F. Siebenlist, “Complexity Science Challenges in Cybersecurity,” March 2009. [10] B. Salamat, T. Jackson, A. Gal and M. Franz, “Orchestra: Intrusion Detection Using Parallel Execution and Monitoring
of Program Variants in User-Space,” Proceedings of the 4th ACM European conference on Computer systems, pp. 3346, April 2009.
[11] C. Liming and A. Avizienis, “N-VERSION PROGRAMMINC: A FAULT-TOLERANCE APPROACH TO RELlABlLlTY OF SOFTWARE OPERATlON,” Fault-Tolerant Computing, p. 113, Jun1995.
[12] J. Oberheide, E. Cooke and F. Jahanian, “CloudAV: N-Version Antivirus in the Network Cloud,” University of Michigan, Ann Arbor, MI 48109, 2008.
[13] J. H. Holland, Adaptation in natural and artificial systems: An introductory analysis with applications to biology, control, and artificial intelligence, Michigan: University of Michigan Press, 1975.
[14] K. &. B. P. J. Wloch, “Optimising the performance of a formula one car using a genetic algorithm,” Parallel Problem Solving from Nature-PPSN VIII, pp. 702-711, January 2004.
[15] R. C. Armstrong and J. R. Mayo, “Leveraging Complexity in Software for Cybersecurity (Abstract),” Association of Computing Machinery, pp. 978-1-60558-518-5, 2009.
[16] “Cynefin Framework (David Snowden),” [Online]. Available: http://en.wikipedia.org/wiki/Cynefin. [17] P. E. (. o. D. Leon, “Press Transcript,” US Department of Defense, 11 Oct 2012. [Online]. Available:
http://www.defense.gov/transcripts/transcript.aspx?transcriptid=5136. [Accessed 12 June 2014].
[18] “Cybersecurity - Facts and Figures,” International Telecommunications Union, [Online]. Available:
http://www.itu.int/en/ITU-D/Partners/Pages/Call4Partners/CYBLDCStats.aspx. [Accessed 11 June 2014].
