Network threats develop 'antibiotic' resistance
- — 13 February, 2008 09:13
The scientific field of biology has provided many useful metaphors, such as "virus" and "infection," for the study of malware. Many researchers have used biology and evolution science to create innovative defenses against malware, in many ways simulating the functions of biological immunity systems. I find that biological sciences and especially evolution provide some great insights into the behavior of malware, malware creators and malware defenses over longer periods of time. I also see a lot of parallels between the evolution of malware and the evolution of darknets (stealthy peer-to-peer, or P2P, networks).
Looking at how malware has evolved over time, you can see many of the same effects we see in nature. The key evolutionary concept that we see is the continuous adaptation of malware to its environment. It's not an "arms race" as much as it is a predator-prey relationship between malware and antimalware. Similarly in P2P darknets, there is a predator-prey relationship between P2P and the forces of censorship or copyright police.
If you think of the universe of computers as the environment in which malware exists, you can see how changes in that environment cause adaptations in the malware. Both the environment and the malware itself are directed by intelligent actors (hackers and security researchers) rather than random mutation, but the evolutionary progress is quite evident. As defenses have become more sophisticated, malware has adapted. As malware becomes more stealthy, defenses have adapted.
In this back-and forth we have to consider how the actions of security researchers create evolutionary pressures and environmental niches for new malware. A few weeks back we examined the issue of security monocultures. If all defenses are identical, then they are also predictable. As a result they are easier to bypass. Just like an army of clones, our operating systems are all susceptible to the exact same attacks (for the most part). But while the targets are very similar, the attacks are extremely varied. Malware mutations (variants) are multiplying at incredible rates and are currently estimated to be between 300,000 and 500,000, depending on the antimalware vendor you ask. So lots of different "nasties" but only a few different variations of immunity. No wonder so many systems get compromised every year.
Evolution is also a useful way to look at P2P darknets. In this case, the predators are the media company lawyers and the prey is the individual file-sharer (or the inverse, depending on your perspective). Over time, with repeated technological advances in the detection of piracy, darknets have evolved to evade, obscure and obfuscate.
From a single centralized and homogeneous network like Napster, we have seen the emergence of at least four generations of increasingly stealthy P2P technologies, in response to various detection tactics used by the lawyers. Today's P2P technologies are massively decentralized, and use encryption, port hopping, proxying and firewalls to evade detection. Each attempt by lawyers to shut them down leads to the next generation of P2P that has adapted to remove weaknesses. Biology and evolution can teach us a lot about information security.
Whether it is concepts of herd immunity or antiobiotic resistance, we still have a lot to learn from nature.