The fundamental problem faced by both biological and computer
immune systems is to distinguish between malignant and benign
entities that enter the individual. Due to the high degree of
stability of body chemistry in individual vertebrates during their
lifetimes, their immune systems can replace this difficult
task with the much simpler one of distinguishing self from non-self.
This is a nice hack, because ``self'' is much easier to
define and recognize than ``benign''. The biological immune system can
simply implement the xenophobic strategy: ``Know thyself (and reject all else).''
This strategy errs on the side of false positives (i.e. false
rejection of benign entities), but except in cases of blood
transfusions and organ transplants, these mistakes are
of little consequence.

In computers, the same xenophobic strategy is an
important component of anomaly detection. Integrity monitors
can use checksums or other methods
to determine whether an existing executable
has changed. However, this is only a partial
solution. The nature of ``self'', i.e. the collection of
software on an individual computer, is continually shifting over
time -- much more so than in biological organisms.
People continually add new software to their system, and
update existing software by buying new versions or compiling new
source code. The fact that an executable is new or has changed is not
nearly enough to warrant suspicion. An array of other monitors
and heuristics employ a complementary ``Know thine
enemy'' strategy: the nature of the anomaly must be strongly
indicative of a virus. Some components of the anomaly detector
trigger on suspicious dynamical behaviors (such as one process
writing to an executable or boot record, or unusual
sequences of operating system calls, perhaps involving interception
of particular interrupts);
others trigger on static properties having to do with the
exact nature of a change that has been identified by the
integrity monitor.
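The two strategies described above can be combined in a small monitor: an integrity baseline records ``self'' (the digest of every executable), a later scan reports what is new, changed or missing, and a ``know thine enemy'' step escalates a changed executable only when a process outside a trusted set was seen writing to it. The following is an added illustration, not code from the paper; the directory layout, the process names and the event records are constructed for the example, and ``installer'' / ``compiler'' are assumed trusted writers.

```python
import hashlib
import tempfile
from pathlib import Path

# Processes assumed (for this example) to legitimately rewrite executables.
TRUSTED_WRITERS = {"installer", "compiler"}


def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record 'self': relative path -> digest for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline, current):
    """Integrity-monitor step: what differs from the recorded self."""
    return {
        "changed": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "new": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def correlate(diff, events, trusted_writers=TRUSTED_WRITERS):
    """'Know thine enemy' step: a change alone is not suspicious; a change plus a
    write to that executable by an untrusted process is. Returns (target, process)."""
    return [(ev["target"], ev["process"]) for ev in events
            if ev["op"] == "write"
            and ev["target"] in diff["changed"]
            and ev["process"] not in trusted_writers]


def demo():
    """Run both steps over a constructed directory and constructed event log."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "editor").write_bytes(b"\x7fELF editor v1")
        (root / "bin" / "shell").write_bytes(b"\x7fELF shell v1")
        baseline = build_baseline(root)

        # Later activity: a legitimate update, a new tool, and an unexplained change.
        (root / "bin" / "shell").write_bytes(b"\x7fELF shell v2")
        (root / "bin" / "newtool").write_bytes(b"\x7fELF newtool v1")
        (root / "bin" / "editor").write_bytes(b"\x7fELF editor v1 plus appended bytes")
        diff = compare(baseline, build_baseline(root))

        # Constructed dynamic-behaviour log: who wrote to which executable.
        events = [
            {"process": "installer", "op": "write", "target": "bin/shell"},
            {"process": "installer", "op": "write", "target": "bin/newtool"},
            {"process": "unknown.exe", "op": "write", "target": "bin/editor"},
        ]
        return {"diff": diff, "suspects": correlate(diff, events)}


if __name__ == "__main__":
    result = demo()
    print("integrity diff:", result["diff"])
    print("escalated:", result["suspects"])
```

The integrity diff alone lists both updated binaries and the new tool, which is exactly the false-positive-prone ``know thyself'' view; only the editor, rewritten by a process outside the trusted set, survives the correlation step.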