Cybernetics: Swarm Intelligence to curb Malware

System Security is evolving with the upward  trend of technology.  There was Antivirus, then Antimalware, Cloud Antivirus and now digital ants. In cloud antivirus a recommendation was made by the University of Michigan to offer system security applications like antiviruses, antimalware and so on so forth as an intelligent Software as a Service (SaaS).

Using this aproach would ensure:

• Improved detection of malware: This model increases the likelihood of malware being found, because multiple detection engines working in parallel can be used.

• Local anti-virus vulnerabilities are not a problem: Moving the anti-virus engine to the cloud eliminates the ability of malware to manipulate the client anti-virus application.

• Real-time signature definitions: Data from client computers are continually uploaded to the detection engine’s database, providing real-time answers to queries from other host computers that may be encountering the same malware.

• Small footprint on host: Moving malware detection off the client and into the cloud simplifies client software, extending anti-virus protection to devices with limited processing power (smart phones).

This was just an approach by the University of Michigan, I came across other research entities like PNNL (Pacific Northwest National Laboratory) whose mandate is to esolve cyber-security issues. However, their approach seemed to be a little bit of the edge – Dr. Glenn Fink, Senior Research Scientist believes that Mother Nature provides real life examples on how we can protect our computers by using collective intelligence.

In defending this position with the help of Dr. Errin Fulp, Associate Professor of Computer Science at Wake Forest University, specifically because of Dr. Fulp’s ground-breaking work with parallel processing. Together, they developed software capable of running multiple security scans contiguously, with each scan targeting a different threat. The technique it seems, Dr. Fink acquired from studying behavior exhibited by ant colonies. This according to me  is just another approach in employing cybernetics and basing technological advancements by mimicking Nature. The theory on digital humanism suggests that technology is just a manifestation of Biology in particular the human nervous system.

Why ants?

You might be asking yourself why the approach is based on the behaviour of ants and not other colonies. If you take a quick peek at the Wake Forest University article, “Ants vs. Worms” by Eric Frazier, Professor Fulp describes why the researchers chose to mimic ants:

“In nature, we know that ants defend against threats very successfully. They can ramp up their defense rapidly, and then resume routine behavior quickly after an intruder has been stopped. We are trying to achieve that same framework in a computer system.”

Once in a while you might want to watch the National Geographic special about ants to appreciate their collective capabilities and hence Collective In telligence when it applies to computer system securirty techniques.

What is Swarm Intelligence?

Swarm Intelligence is the name given by the researchers to their technology and if you research this on the Wikipedia. You will come across this definition of  Swarm Intelligence as a system that is:

“Typically made up of a population of simple agents or boids interacting locally with one another and with their environment. The agents follow very simple rules, and although there is no centralized control structure dictating how individual agents should behave, local, and to a certain degree random interactions between such agents lead to the emergence of “intelligent” global behavior, unknown to the individual agents.”

The digital Swarm Intelligence consists of three components:

Digital ant: Software designed to crawl through computer code, looking for evidence of malware. The researchers mentioned that ultimately there will be 3000 different types of Digital Ants employed.

Sentinel is the autonomic manager of digital ants congregated on an individual computer. It receives information from the ants, determines the state of the local host, and decides if any further action is required. It also reports to the Sergeant.

Sergeant is also an autonomic manager, albeit of multiple Sentinels.In my perception, the size of the network determines how many Sergeants are used. Also, Sergeants interface with human supervisors. The following slide courtesy of the researchers and the IEEE, depicts the collective arrangement:

Swarm Intelligence is quite complicated so I put in the following interview with Dr. Fulp by Michael Kassner from MKassner Net:

Question: How do Digital Ants work? Are they similar to local anti-virus scanners?
Dr. Fulp’s answer: Ants migrate about the system checking for evidence. The evidence is typically a simple check (network statistics, process-table info), and different ant populations check for different things. If an ant finds something abnormal, it leaves a pheromone trail which will attract more ants to the same computer. Given more ants (which provide different pieces of information), a clearer understanding of the threat can be obtained. This is different from an AV program, since they have to continuously run all the scans (looking for the different pieces of evidence). Using our approach, the population of ants can change based on the threat level.

Question: On the surface, the Digital Ant, Sentinel, and Sergeant relationship appears sophisticated. Could you please explain how it works?

Dr. Fulp’s answer: Ants are simple agents that check for a piece of evidence (malware) and leave pheromone (so other ants can locate the evidence) if malware is found. Sentinels reside on individual computers and interact with ants to discover any threats based on the ants’ findings. Sergeants interact with Sentinels and can observe changes over multiple computers.

Question: When Digital Ants are checking for evidence, how do they know if a particular parameter is out-of spec? Is an initial system footprint taken?

Dr. Fulps’ answer: Yes, the Sentinel has to be initially trained to understand “normal”.

Question: How are more Digital Ants created?

Dr. Fulp’s answer: If an ant is successful (its evidence is helpful in finding a threat) then it is duplicated, if not it dies. Of course a base population of ants is maintained.

Question: You mention the Digital Ant gets rewarded or it dies. In software-speak; does that mean a counter/timer is incorporated in the Digital Ant? With death occurring when the counter/timer is not reset?

Dr. Fulp’s answer: The Digital Ant actually lives as long as it has “energy” which is supplied to it if it is rewarded. If unsuccessful, then the energy will exhaust and the ant terminates.

Question: What is the software equivalent of the term pheromone? Is it a software tag or pointer informing other Digital Ants what to focus on?

Dr. Fulp’s answer: Yes, for the current implementation it is a file provided by the Sentinel, it can be digitally signed to prevent alteration by malware.

Question: Is Digital Ant technology network-based or can it function on an individual computer?

Dr. Fulp’s answer: This technology is intended for use on a network, but could be a set of VMs in a single computer.

Question: An anti-virus developer employs what they call Collective Intelligence; is Swarm Intelligence similar?

Dr. Fulp’s answer: Similar ideas, the difference being a collection of agents provides information that an individual agent cannot.

Question: The Sentinel resides on the local host. What prevents it from being corrupted by malware?

Dr. Fulp’s answer: The Sergeant has to verify if the Sentinel is behaving correctly. The system is not perfect. One approach is to use digital signatures to prove the code has not been corrupted.

Question: TechRepublic members were concerned about Collective Intelligence relying on a single “in-the-cloud” source for management and malware diagnosis. Is Swarm Intelligence a more secure approach?
Dr. Fulp’s answer: I think it is a more scalable and robust design. One drawback is speed, as these systems require some time to ramp-up and down. Still, I think it’s a worthwhile approach for the massively parallel systems we will face in the future.

Final thoughts

The theory was tested on a live network by Wake Forest Univeristy graduates and the results were encouraging; every time Dr. Fulp introduced a worm into the network, the Digital Ants successfully located it. I find this quite intriguing and great for technologists to learn from nature and not harm it. Besides the most successful systems, or pieces of technology are those that are properly derived from Nature, for example Night Vision Goggles.