260 CATALYZING INQUIRY
human beings by the immune system and computer security. The following examples are adapted from Somayaji et al.:^42

- Protecting active processes on a single host. For this application, a computer running multiple processes might be conceptualized as a multicellular organism (in which each process is analogous to a cell). An adaptive immune system could be a detector process that queried other processes to see whether they were functioning normally. If not (i.e., if the detector process found “nonself” in its probes), the adaptive system could slow, suspend, kill, or restart the misbehaving process. One approach to detection (positive detection) is based on the establishment of a profile of observed normal behaviors and using that profile to notice when a program behaves abnormally.^43
- Protecting a network of computers. For this application, each computer in a network might be conceptualized as a cell in an individual. Each process would still be considered as a cell, but now an individual is a network of computers. (Another possible analogy for the network of computers is that each computer represents a single organism and population-level protections are achieved by the collective group through independence, diversity, and sharing of information.) An adaptive detector process could be implemented as described above, with the added feature that these detectors could migrate between computers, thereby enabling all computers on the network to benefit from the detection of a problem on one of them.
- Protecting a network of disposable computers. This application is similar to that described above, with the addition that when an anomaly is detected, the problematic machine can be isolated, rebooted, or shut down. If the true source of the anomaly were outside the network, a detector process or system could stand in for the victimized machine, doing battle with the malicious host and potentially sacrificing itself for the good of the network. Note that this application requires that hosts be more or less interchangeable—otherwise the network could not afford the loss of a single host.
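The positive-detection approach in the first bullet (a profile of observed normal behavior, against which new behavior is scored) can be made concrete as a short-sequence profile. The following is an added illustration, not code from the report or from Somayaji, Hofmeyr, or Forrest; it assumes that the detector observes a monitored program as a trace of event names, that fixed-length windows of that trace are the units of “self,” and that a mismatch-rate threshold decides when to flag the program. The event names, traces, window length, and threshold are all constructed for the example.

```python
from typing import Iterable, List, Set, Tuple

# Constructed sample traces (assumption: event names stand in for whatever the
# detector process actually observes; the report does not fix the observable).
NORMAL_TRACES = [
    "open read read write close".split(),
    "open read write close".split(),
    "open read read read write close".split(),
]
SUSPECT_TRACE = "open read exec connect write close".split()

WINDOW = 3  # length of the short event sequences that make up the profile


def windows(trace: List[str], k: int = WINDOW) -> List[Tuple[str, ...]]:
    """All contiguous length-k windows of a trace; these are the units of 'self'."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def build_profile(traces: Iterable[List[str]], k: int = WINDOW) -> Set[Tuple[str, ...]]:
    """Positive detection: record every window seen while the program behaves normally."""
    profile: Set[Tuple[str, ...]] = set()
    for trace in traces:
        profile.update(windows(trace, k))
    return profile


def mismatch_rate(profile: Set[Tuple[str, ...]], trace: List[str], k: int = WINDOW) -> float:
    """Fraction of the trace's windows that are absent from the profile ('nonself')."""
    seen = windows(trace, k)
    if not seen:
        return 0.0  # a trace shorter than one window yields no evidence either way
    unseen = sum(1 for w in seen if w not in profile)
    return unseen / len(seen)


def is_anomalous(profile: Set[Tuple[str, ...]], trace: List[str],
                 threshold: float = 0.25, k: int = WINDOW) -> bool:
    """Flag the program when more than `threshold` of its windows are nonself."""
    return mismatch_rate(profile, trace, k) > threshold


if __name__ == "__main__":
    profile = build_profile(NORMAL_TRACES)
    print("profile size:", len(profile))
    print("suspect mismatch rate:", mismatch_rate(profile, SUSPECT_TRACE))
    print("anomalous:", is_anomalous(profile, SUSPECT_TRACE))
```

A real detector would have to choose the window length and threshold from the false-positive rate observed on genuinely normal runs, since a profile built from too few normal traces flags ordinary behavior it simply never saw.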
8.2.5.3 Immunological Design Principles for Computer Security
The immune system exhibits a number of characteristics—one might call them design principles—that could reasonably describe how effective computer security mechanisms might operate in a computer system or network. (As in Section 5.4.4.3, “immune system” is understood to mean the adaptive immune system.) For example, the immune system is:^44

- Distributed, in the sense that it has no central point of control. Instead, the components of the immune system interact locally to mount responses to foreign pathogens (e.g., pathogen detectors [lymphocytes] operate locally to flag the presence of pathogens). By contrast, a computer system based on centralized control is vulnerable to “decapitation”—a successful attack on the point(s) of centralized control renders the system entirely useless.^45
- Diverse, in the sense that because of the ways in which pathogen detectors are produced, each individual human being can detect a somewhat different set of pathogens—a diversity that protects
^42 A. Somayaji, S. Hofmeyr, and S. Forrest, “Principles of a Computer Immune System,” Proceedings of the 1997 Workshop on New Security Paradigms, ACM Press, Langdale, UK, 1998, pp. 75-82.

^43 An alternative approach is to use a randomly generated detector or set of detectors, living for a limited amount of time, after which it would be replaced by another detector. Detectors that proved particularly useful during their lifetimes (e.g., by detecting new anomalies) could be given a longer life span or allowed to spawn related processes. This approach has been used by Forrest et al. in the development of a network intrusion detection system known as LISYS.

^44 This discussion of the immune system is based on S. Forrest and S. Hofmeyr, “Immunology as Information Processing,” Design Principles for Immune Systems and Other Distributed Autonomous Systems, L.A. Segal and I.R. Cohen, eds., Oxford University Press, New York, 2001.

^45 A distributed, mobile agent architecture for security was also proposed in M. Crosbie and G. Spafford, “Active Defense of a Computer System Using Autonomous Agents,” Technical Report 95-008, Department of Computer Science, Purdue University, 1995.