Ants Vs. Worms — Computer Security Mimics Nature
An anonymous reader writes with this excerpt from Help Net Security:
"In the never-ending battle to protect computer networks from intruders, security experts are deploying a new defense modeled after one of nature's hardiest creatures — the ant. Unlike traditional security devices, which are static, these 'digital ants' wander through computer networks looking for threats ... When a digital ant detects a threat, it doesn't take long for an army of ants to converge at that location, drawing the attention of human operators who step in to investigate. 'Our idea is to deploy 3,000 different types of digital ants, each looking for evidence of a threat,' [says Wake Forest Professor of Computer Science Errin Fulp.] 'As they move about the network, they leave digital trails modeled after the scent trails ants in nature use to guide other ants. Each time a digital ant identifies some evidence, it is programmed to leave behind a stronger scent. Stronger scent trails attract more ants, producing the swarm that marks a potential computer infection.'"
What's with the ridiculous reference to ants? If they had said this in a technical way, I might actually even understand what they mean. Now it's basically "ants travel inside your network". The article doesn't tell a lot more.
Obviously nothing is "traveling" inside your LAN cable. So do they mean they have every machine in promiscuous mode on the LAN, trying to see what is traveling there? What kind of "scent" does it leave when it detects some threat, and how do the other computers interact with that?
Stop doing stupid nature references just for the hell of it; give technical details.
I just gotta run..
%SystemRoot%\system32\magnify.exe
This reminds me of how one of the first worms was actually created. Xerox made it to go around their computers after hours and do various checks and system maintenance. It got out of control and DoS'ed their network.
The internet is a lady of ill repute. My approach to security when "connected" to the internet is like 3 layers (hardware firewall, running as unprivileged user, whitelisting javascript/flash) of prophylactic separated by 2 layers of Deep Heat (logging, and tripwire). If either of the outer layers are "breached", I get a prompt warning.
If I have seen further it is by stealing the Intellectual Property of giants.
MOD PARENT UP. It is apparently correct to be skeptical.
The Serenity Project in the European Union is using the same approach. They call it "Ambient Intelligence(AmI)." The level of intelligence in the Serenity project may be indicated by the fact that, at present, 2009-09-26, 02:47 PDT, there is no space before "(AmI)". The Ambient Intelligence in the Serenity Project is very low, apparently.
Someone who worked for SAP Labs France told me the SAP Labs France part of the Serenity Project is so poorly managed that smart people leave as soon as they can find other jobs.
Apparently the only way of providing security that actually works is the OpenBSD method: audit the code. No number of "ants" can provide the security of audited code.
Want more biological humor? Read about SAP's customer-focused ecosystem. It supposedly fosters "... an ideal environment for ongoing innovation and value creation..." Biological references are apparently the hot new thing in corporate-speak. Biological references concerning computers are very useful to people who have no technical knowledge and don't want any, because they are so vague the speaker can never be found wrong.
If I wanted 3000 bugs swarming inside my computer I'd run Windows.
Taking the obvious problems with this approach aside (using viral programs to identify viral infections), it should be easy to distract the flock of "ants" by one or more decoy infection(s), and then start the 'real' infection on the "other side" of the network. The "ants" have built a highway of warning signs towards the decoy(s), so the probability of ants traversing to the 'really' infected machines is lowered.
It's always fun to apply theories from one field of CS (namely optimization) to another (security), but if you give it a short thought, you know this can't be a good idea. It wouldn't be science if they didn't test that hypothesis, but I certainly hope they're not that stupid to test it in production systems.
Having anything "crawl" through your network seems like a huge security risk to me. Any security solution will have to be aware of those crawlers and allow them to crawl from computer to computer. What's to stop viruses from simply impersonating such a crawling ant? Free pass to every computer on the network!
Another problem may be as they all "converge" on threats. What if they bog down the target machine, or the network? If my browser cookie looks "yummy" to the "ant" (no pun intended; a browser cookie may be classified as a threat), next thing I know my network interface is crawling with these "ants"! My administrator cannot log in because of all the ants plugging my bandwidth!
So yeah, I think I know how this story of swarming ants is going to turn out.
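The impersonation worry in the comment above is the one a defender would act on first: if hosts admit anything that looks like an ant, the ants become a free transit service. The usual mitigation is that a host admits an agent message only if it carries a MAC under a key the host trusts and is neither stale nor a replay. The following is an added illustration, not part of the research project or the article; the shared key, message fields and time window are assumed for the demo (a real deployment would issue per-agent keys from the controller rather than one shared secret).

```python
import hashlib
import hmac
import json

# Constructed demo key; a real deployment would use per-agent keys from the controller.
AGENT_KEY = b"constructed-demo-key-not-for-real-use"


def sign_message(payload, key=AGENT_KEY):
    """Agent side: canonicalise the payload and attach an HMAC-SHA256 tag."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


class HostGate:
    """Host side: what runs before an 'ant' is allowed to inspect this host."""

    def __init__(self, key=AGENT_KEY, max_age=30):
        self.key = key
        self.max_age = max_age      # seconds of clock skew tolerated
        self.seen_nonces = set()    # nonces already accepted (replay defence)

    def admit(self, msg, now):
        """Return (accepted, reason). 'now' is the host's clock, passed in so the
        check is deterministic to test."""
        body = msg.get("body", "").encode()
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        # constant-time compare so a forger learns nothing from timing
        if not hmac.compare_digest(expected, msg.get("tag", "")):
            return False, "bad signature"
        payload = json.loads(body)
        if abs(now - payload["ts"]) > self.max_age:
            return False, "stale"
        if payload["nonce"] in self.seen_nonces:
            return False, "replay"
        self.seen_nonces.add(payload["nonce"])
        return True, "ok"


def demo():
    """Constructed exchange: one genuine ant, one tampered copy, one replay."""
    gate = HostGate()
    genuine = sign_message({"ant_id": "ant-17", "check": "open_ports",
                            "nonce": "n-0001", "ts": 1000})
    results = {"genuine": gate.admit(genuine, now=1005)}
    # A forger changes the body but cannot produce a matching tag.
    forged = dict(genuine)
    forged["body"] = genuine["body"].replace("ant-17", "ant-99")
    results["forged"] = gate.admit(forged, now=1005)
    # Replaying the captured genuine message is refused by the nonce cache.
    results["replay"] = gate.admit(genuine, now=1006)
    # An old capture outside the window is refused even with a fresh nonce.
    old = sign_message({"ant_id": "ant-17", "check": "open_ports",
                        "nonce": "n-0002", "ts": 1000})
    results["stale"] = gate.admit(old, now=2000)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:8s} -> {outcome}")
```

The gate checks the tag before parsing the body, so a host never interprets content from an unauthenticated sender; the nonce cache would be bounded by the time window in a real implementation, since anything older than `max_age` is rejected before the cache is consulted.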
Forget ants. Gimme a can of Raid.
We've got Worms and Spiders, now Ants!? I'm going to have to find a new hobby; computing doesn't seem very entomophobe-friendly.
We started with bugs years ago. It was only a matter of time before everyone else moved in.