SWARMING COMPUTER SECURITY: AN EXPERIMENT IN POLICY DISTRIBUTION

Ronaldo Menezes
Florida Tech, Computer Sciences, Center for Computation and Intelligence
[email protected]

Richard Ford and Attila Ondi
Florida Tech, Computer Sciences, Center for Information Assurance
{rford,aondi}@se.fit.edu

ABSTRACT

Despite all the resources invested in computer security research, researchers and users alike frequently hear reports of security breaches: in many ways, it looks like researchers are losing the battle against attackers. Furthermore, current trends suggest that if novel approaches to security problems are not explored, things are likely to get worse, not better. A possible approach that may give security experts the upper hand requires them to examine the fundamental causes of security problems. Is it possible that our security woes exist primarily because of an antiquated approach to solving the problem? In this paper, we argue that the answer is yes: one of the fundamental weaknesses of our collective approach is the static nature of most security systems. We then suggest the use of countermeasures based on a more dynamic approach à la swarm. We concentrate here on the very important issue of security policy updates and show simulation results which demonstrate the promise of our approach.

1. INTRODUCTION

Computer viruses and worms such as SQL.Slammer have demonstrated that new threats can become pervasive within minutes of their release. In the case of SQL.Slammer, the worm had a minimum population doubling time of under 9 seconds, and even perturbed Internet-level routing protocols [3]. The rapid evolution of such threats calls into question the comparatively static nature of current protection mechanisms [5]. For example, prophylactics to worms such as SQL.Slammer are normally reactive in nature and rely on researchers discovering a sample of the malicious code, creating a cure and distributing it globally. This distribution process tends to be somewhat static in nature, and follows at best a tree-like structure, where machines check in with a central hub and download updates. In the event of network disruption, such a fixed process is prone to failure, potentially leaving many machines unprotected. Without a robust method for sharing policy updates, or more broadly threat information, even rapid detection and cure generation for MMC is not likely to address the problem. The term policy here is used loosely: it can be a set of rules that regulates firewall configuration, or an update to an anti-virus system, or even a new version of an agent in a distributed agent-based anti-virus infrastructure (see Section 5 for more details). Hence, we describe a policy as an object Φ_v, where v is a comparable version of this object: v can be used to find which of several objects is the newest. The problem is that updated policies deprecate older versions of the same policy. In a dynamic environment, such as a WAN, these updates need to be performed efficiently and must be able to cope with the dynamism of the network (disconnections, bandwidth fluctuations, etc.). If updates can be carried out efficiently, one can build systems in which security policies change frequently enough to make the job of an attacker significantly more difficult.

2. SECURITY POLICIES

Policies are one aspect of the information that influences the behavior of a system. In security terms, policies may provide protection from emerging threats, such as rapidly spreading malicious code or new exploits. Due to the speed with which the threat landscape can change, an agile policy distribution mechanism is vital for maintaining a secure state in the system. The problem of policy distribution is a difficult one when considering that updates may be injected into the network from various locations. The goal is to implement a distribution scheme that covers the entire network quickly without becoming a hindrance to the network itself and its users. But what are the general prerequisites for developing more efficient policy distribution approaches? Clearly this depends on whether the underlying network is a LAN, WAN, MANET, etc., but across all of these one can identify characteristics that are important universally:

0-7803-8916-6/05/$20.00 ©2005 IEEE

Cost: In large networks, it is important to find short(er) paths between the nodes to minimize the network cost for distributing policies. At the same time, the distribution should reach all nodes in the network within a reasonable amount of time.


Destruction of Old Versions: Policies are generally passive objects sent to nodes in the network. In order to destroy old versions scattered around the network, new policies should be attracted (positive feedback) to old versions. The arrival of a newer version at a node forces the node to relinquish the old version.

$$
p_{id}(t) = \frac{[\tau_{id}(t)]^{\alpha} \cdot [\delta_{id}(t)]^{\beta} \cdot [\eta_{id}(t)]^{\sigma}}{\sum_{h \in J_i} [\tau_{ih}(t)]^{\alpha} \cdot [\delta_{ih}(t)]^{\beta} \cdot [\eta_{ih}(t)]^{\sigma}}
$$

In the equation above, J_i is the set of neighbors of node i and τ_id represents the learned behavior of the system. Each time a policy at node i chooses the neighbor d ∈ J_i, it reinforces the path i → d so as to indicate to other policies that the neighbor d was chosen at some point in the past. This controls the desirability of a node based on the previous experience of policies at that location. The term δ_id is responsible for the decision made by the policy with regard to the version: the older the version at a given neighbor d (compared with the current one), the more attractive d is. Last, the term η_id represents static information about the network, such as link reliability or maximum available bandwidth. Our approach uses a local update each time a neighbor is chosen; this local update modifies the values of τ only. The value of δ is updated at defined intervals at which nodes "ping" their neighbors for that information. We are currently planning to remove this requirement in favor of a more self-organizing approach that relies on the movement of the messages themselves to keep the values of δ updated for all neighbors of each individual node.
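The following is an added example (not the authors' Hephaestus simulator or any code from the paper) that turns the transition rule above into a small runnable simulation, and also applies the Section 4 rule that an agent updates at most two neighbors per time step and the Section 2 requirement that a reconnecting node still receives the policy. It assumes a concrete form for δ_id (1 plus the version gap, with a tiny epsilon for neighbors that are already current, since the paper defines δ only qualitatively), η_id = 1 and initial τ_id = 1 on every link, exponents α = 1, β = 2, σ = 1, and a τ reinforcement of +1 per use; the network, versions and rejoin schedule are constructed sample inputs.

```python
import random
from collections import defaultdict


class PolicySwarm:
    """Toy simulator for swarm ("molding") policy distribution.

    Every node holds a policy version. An active policy at node i looks at its
    neighbours J_i and replicates itself to those holding older versions,
    choosing among them with the transition probability
        p_id(t) = tau_id^alpha * delta_id^beta * eta_id^sigma
                  / sum_{h in J_i} tau_ih^alpha * delta_ih^beta * eta_ih^sigma
    """

    def __init__(self, adjacency, versions, eta=None,
                 alpha=1.0, beta=2.0, sigma=1.0, max_targets=2, seed=0):
        self.adj = {i: list(ns) for i, ns in adjacency.items()}
        self.version = dict(versions)
        # eta_id: static link information (reliability, bandwidth); 1.0 unless given
        self.eta = defaultdict(lambda: 1.0, eta or {})
        # tau_id: learned desirability of the edge i -> d, reinforced on each use
        self.tau = defaultdict(lambda: 1.0)
        self.alpha, self.beta, self.sigma = alpha, beta, sigma
        self.max_targets = max_targets  # Section 4 rule: at most two neighbours per step
        self.rng = random.Random(seed)
        self.offline = set()

    def delta(self, i, d):
        """Attraction of neighbour d for the policy held at i (assumed form):
        grows with the version gap; a neighbour that is already current gets a
        tiny epsilon so that it is almost never chosen."""
        gap = self.version[i] - self.version[d]
        return 1.0 + gap if gap > 0 else 1e-3

    def transition_probabilities(self, i):
        """p_id(t) for every neighbour d in J_i."""
        weights = {
            d: (self.tau[(i, d)] ** self.alpha
                * self.delta(i, d) ** self.beta
                * self.eta[(i, d)] ** self.sigma)
            for d in self.adj[i]
        }
        total = sum(weights.values())
        return {d: w / total for d, w in weights.items()}

    def _choose(self, candidates, probs, k):
        """Weighted sampling without replacement, restricted to candidates."""
        pool, picked = list(candidates), []
        while pool and len(picked) < k:
            d = self.rng.choices(pool, weights=[probs[x] for x in pool], k=1)[0]
            picked.append(d)
            pool.remove(d)
        return picked

    def step(self):
        """One synchronous time step; returns the number of nodes updated."""
        deliveries = []
        for i in self.adj:
            if i in self.offline:
                continue
            stale = [d for d in self.adj[i]
                     if d not in self.offline and self.version[d] < self.version[i]]
            if not stale:
                continue
            probs = self.transition_probabilities(i)
            for d in self._choose(stale, probs, self.max_targets):
                self.tau[(i, d)] += 1.0  # local update: only tau changes here
                deliveries.append((d, self.version[i]))
        updated = 0
        for d, v in deliveries:
            if v > self.version[d]:  # newest version wins; the old one is relinquished
                self.version[d] = v
                updated += 1
        return updated

    def run(self, new_version, initiator, rejoin=None, max_steps=1000):
        """Inject new_version at initiator and return the number of steps until
        every node holds it (None if max_steps is exceeded). rejoin maps a node
        to the step at which it reconnects; until then it can neither send nor
        receive, which models the disconnections discussed in Section 2."""
        rejoin = dict(rejoin or {})
        self.offline = set(rejoin)
        self.version[initiator] = new_version
        for t in range(1, max_steps + 1):
            for n in [n for n, when in rejoin.items() if t >= when]:
                self.offline.discard(n)
                del rejoin[n]
            self.step()
            if all(v == new_version for v in self.version.values()):
                return t
        return None


if __name__ == "__main__":
    # Constructed sample network: six nodes, all on version 1, update injected at node 0.
    adjacency = {0: [1, 2], 1: [0, 3], 2: [0, 3], 3: [1, 2, 4], 4: [3, 5], 5: [4]}
    swarm = PolicySwarm(adjacency, {n: 1 for n in adjacency}, seed=7)
    print("steps to full coverage:", swarm.run(new_version=2, initiator=0))
    # Same network, but node 5 is disconnected until step 10: the policy still
    # reaches it on reconnection because node 4 remains attracted to its stale copy.
    swarm = PolicySwarm(adjacency, {n: 1 for n in adjacency}, seed=7)
    print("with node 5 offline until step 10:", swarm.run(2, 0, rejoin={5: 10}))
```

Because candidates are restricted to stale, reachable neighbours, every current node with a stale neighbour pushes the policy to at least one of them per step, so on a connected network full coverage takes at most N-1 steps; the δ term does the work of the "attraction to old versions" described above, while τ only biases which of several stale neighbours is served first.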

Disconnections: Coping with disconnections is extremely important in dynamic networks. A distribution mechanism needs to be proactive: as nodes are reconnected to the network, new policies need to flow to them. In very active networks optimality of distribution is never reached; the distribution system is continuously moving towards such optimality. Consideration of disconnections is especially important for policy updates that are virus-related, as network instability is common during a virus outbreak.

Adaptiveness: Policy distribution mechanisms need to handle networks with dynamic topology such as MANETs. Distribution algorithms that use static approaches to ensure full distribution coverage are unlikely to work well under these conditions. This also applies to networks where (re)connections are unpredictable.

Authentication and Authorization: Policy information has significant security capital. It is important that in any environment the distribution of policies is appropriately controlled, such that only authorized policies can be distributed, and only by those who have proven that they are who they claim to be.

4. IMPLEMENTATION AND RESULTS

In order to test our ideas we have chosen to simulate different solutions for policy distribution using our topology-aware simulator, Hephaestus [4]. This simulator, developed under a grant from Cisco for studying virus spread, is also well suited to modeling certain types of agent-based systems. Using a Monte-Carlo approach, the simulation environment consists of a number of agents or actors which are connected in various topologies. This environment can then be used to model the effect of different types of interaction on the "network", ranging from simple virus spread to more complex swarm-like interactions. Our approach to investigating the ways in which policies spread was two-fold. First, we determined the "rules" for the network in which the agents were located. During each time step, each agent may choose to follow a particular course of action. Furthermore, agents were limited to updating (or attempting to update) at most two neighbors during a particular time step. This constraint reflects the limited processing power and bandwidth of individual machines; adequately considering "real world" limitations is an important aspect of our approach. Second, we tried different agent strategies for distributing our policies. There were:

3. SWARMING THE DISTRIBUTION OF POLICIES

The swarm metaphor we used is based on a variation of foraging that takes on elements of molding [1]. In order to understand how molding can be applicable, let us first assume a network in which all the nodes currently have a copy of the security policy Φ; a node that does not have any policy can be treated like one that has an outdated policy. Let us also designate one of the nodes as the initiator of the update of the policy to Φ_n, where n is a value such that version n is more current than all versions < n. The distribution algorithm based on molding works by making the security policies active and attracted to different (older) versions of policies. When a policy Φ_k is created, it looks at the neighbors and replicates itself to the neighbors that contain policies Φ