One of my favorite topics is anti-malware technology, especially when it portends "outside-the-box" thinking. Collective Intelligence, leveraged in Cloud Antivirus is one such example. Recently, I came across another interesting concept and it's definitely unconventional.
Research coming out of Pacific Northwest National Laboratory (PNNL) always interests me. First, one of the lab's mission is to resolve cyber-security issues. Second, their conclusions can be unorthodox. Case in point, Dr. Glenn Fink, Senior Research Scientist at PNNL believes Nature provides examples of how we can protect computers by using collective intelligence.
To help defend his position, Dr. Fink enlisted Dr. Errin Fulp, Associate Professor of Computer Science at Wake Forest University, specifically because of Dr. Fulp's ground-breaking work with parallel processing. Together, the two researchers developed software capable of running multiple security scans contiguously, with each scan targeting a different threat. A technique it seems, Dr. Fink acquired from studying behavior exhibited by ant colonies.
In the Wake Forest University article, "Ants vs. Worms" by Eric Frazier, Professor Fulp describes why the researchers chose to mimic ants:
"In nature, we know that ants defend against threats very successfully. They can ramp up their defense rapidly, and then resume routine behavior quickly after an intruder has been stopped. We are trying to achieve that same framework in a computer system."
All one has to do is watch a National Geographic special about ants to appreciate their collective capabilities. So, the doctors' reasoning does makes sense.
The researchers call their technology Swarm Intelligence and for a good reason. According to Wikipedia, Swarm Intelligence is a system:
"Typically made up of a population of simple agents or boids interacting locally with one another and with their environment. The agents follow very simple rules, and although there is no centralized control structure dictating how individual agents should behave, local, and to a certain degree random interactions between such agents lead to the emergence of "intelligent" global behavior, unknown to the individual agents."
The digital Swarm Intelligence consists of three components:Digital ant: Software designed to crawl through computer code, looking for evidence of malware. The researchers mentioned that ultimately there will be 3000 different types of Digital Ants employed. Sentinel is the autonomic manager of digital ants congregated on an individual computer. It receives information from the ants, determines the state of the local host, and decides if any further action is required. It also reports to the Sergeant. Sergeant is also an autonomic manager, albeit of multiple Sentinels. If I understand correctly, the size of the network determines how many Sergeants are used. Also, Sergeants interface with human supervisors. The following slide courtesy of the researchers and the IEEE, depicts the collective arrangement:
In my world, Swarm Intelligence is complicated. So I needed to ask some questions:Question: How do Digital Ants work? Are they similar to local anti-virus scanners? Dr. Fulp's answer: Ants migrate about the system checking for evidence. The evidence is typically a simple check (network statistics, process-table info), and different ant populations check for different things. If an ant finds something abnormal, it leaves a pheromone trail which will attract more ants to the same computer. Given more ants (which provide different pieces of information), a clearer understanding of the threat can be obtained. This is different from an AV program, since they have to continuously run all the scans (looking for the different pieces of evidence). Using our approach, the population of ants can change based on the threat level. Question: On the surface, the Digital Ant, Sentinel, and Sergeant relationship appears sophisticated. Could you please explain how it works? Dr. Fulp's answer: Ants are simple agents that check for a piece of evidence (malware) and leave pheromone (so other ants can locate the evidence) if malware is found. Sentinels reside on individual computers and interact with ants to discover any threats based on the ants' findings. Sergeants interact with Sentinels and can observe changes over multiple computers. Question: When Digital Ants are checking for evidence, how do they know if a particular parameter is out-of spec? Is an initial system footprint taken? Dr. Fulps' answer: Yes, the Sentinel has to be initially trained to understand "normal". Question: How are more Digital Ants created? Dr. Fulp's answer: If an ant is successful (its evidence is helpful in finding a threat) then it is duplicated, if not it dies. Of course a base population of ants is maintained. Question: You mention the Digital Ant gets rewarded or it dies. In software-speak; does that mean a counter/timer is incorporated in the Digital Ant? With death occurring when the counter/timer is not reset? Dr. Fulp's answer: The Digital Ant actually lives as long as it has "energy" which is supplied to it if it is rewarded. If unsuccessful, then the energy will exhaust and the ant terminates. Question: What is the software equivalent of the term pheromone? Is it a software tag or pointer informing other Digital Ants what to focus on? Dr. Fulp's answer: Yes, for the current implementation it is a file provided by the Sentinel, it can be digitally signed to prevent alteration by malware. Question: Is Digital Ant technology network-based or can it function on an individual computer? Dr. Fulp's answer: This technology is intended for use on a network, but could be a set of VMs in a single computer. Question: An anti-virus developer employs what they call Collective Intelligence; is Swarm Intelligence similar? Dr. Fulp's answer: Similar ideas, the difference being a collection of agents provides information that an individual agent cannot. Question: The Sentinel resides on the local host. What prevents it from being corrupted by malware? Dr. Fulp's answer: The Sergeant has to verify if the Sentinel is behaving correctly. The system is not perfect. One approach is to use digital signatures to prove the code has not been corrupted. Question: TechRepublic members were concerned about Collective Intelligence relying on a single "in-the-cloud" source for management and malware diagnosis. Is Swarm Intelligence a more secure approach? Dr. Fulp's answer: I think it is a more scalable and robust design. One drawback is speed, as these systems require some time to ramp-up and down. Still, I think it's a worthwhile approach for the massively parallel systems we will face in the future. Final thoughts
This past summer, Dr. Fink invited Dr. Fulp and Wake Forest graduate students Wes Featherstun and Brian Williams to PNNL to test the theory on a live network. The results were encouraging; every time Dr. Fulp introduced a worm into the network, the Digital Ants successfully located it. I find that uniquely telling; technologists are learning from Nature.
I would like to thank Dr. Fink, Dr. Fulp, Mr. Featherstun, and Mr. Williams for their part in Swarm Intelligence. A special thanks to Dr. Fulp for taking the time to answer my numerous questions.
Michael Kassner is currently a systems manager for an international company. Together with his son, he runs MKassner Net, a small IT publication consultancy.