[Image: ant swarm, from the Web site Daily Speculations, where you can learn more about the theory of insect behavior on which this story is based.]
Think of today's anti-virus tools as playing a game of cops and robbers. Firewalls stand at the entrance to a system like TSA screeners, inspecting traffic as it passes in and out. Scanners conduct regular inspections of the whole system; they are cops raiding a joint with photos of the usual suspects.
The problem is the same one you find in the real world: bad guys disguise themselves, and cops can't be everywhere at once.
Many of the programs that do the most damage to computers and networks are classified as worms: they mimic animal behavior by copying themselves across networks without any human intervention.
Glenn Fink at the Pacific Northwest National Laboratory, a Department of Energy research center, thought about this and asked, why mimic the behavior of human cops and guards at all? Why not model insect behavior?
Errin Fulp of Wake Forest and two of his graduate students spent last summer at PNNL with Fink, coding and testing a solution based on this insight. Instead of big programs that carry the equivalent of mug shots (virus signatures), break the work down into smaller pieces and focus on maintaining safety rather than on catching crooks.
Drawing on his earlier work on maintaining quality of service and detecting denial-of-service attacks, Fulp has broken the security task into three basic components:
- Ants patrol systems, each checking one specific condition, such as the rate of connections or bits passing through a router. Fulp has 64 conditions that can be tested and could in time have as many as 3,000, but each is a tiny program whose work does not slow the main system.
- Sentinels take reports from the ants, sort through them for potential problems and, if they find any, report them up the line. They also control the number of ants reporting to them, creating new ones in response to incoming data and destroying those that are no longer needed.
- Sergeants are the user interface. They turn the sentinels' reports into knowledge a human being can use to fix problems before users ever notice them.
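To make the three tiers concrete, here is a small simulation of the ant / sentinel / sergeant division of labor. It is an added illustration written for this article, not code from PNNL or Wake Forest, and everything in it is constructed for the demo: the three host names, the three conditions (a connection-rate, SYN-ratio and failed-login check, standing in for Fulp's 64), the thresholds, the "pheromone" evidence score with its decay, and the operator actions the sergeant attaches to each condition. The point it shows is the swarm behavior: a single tripped condition on a host pulls every other ant type onto that host, and hosts that go quiet are culled back to one patrolling ant.

```python
"""Toy model of the ant / sentinel / sergeant architecture the article describes.

Added illustration, not code from PNNL or Wake Forest. Host names, conditions,
thresholds, the pheromone/decay numbers and the sample telemetry are all
constructed for the demo; a real deployment would read router counters and logs.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed per-host counters for one sampling interval (hypothetical values).
NOISY = {
    "host-a": {"conn_rate": 40,   "syn_ratio": 0.10, "failed_logins": 1},
    "host-b": {"conn_rate": 1200, "syn_ratio": 0.95, "failed_logins": 0},    # flood-like
    "host-c": {"conn_rate": 35,   "syn_ratio": 0.12, "failed_logins": 250},  # spray-like
}
QUIET = {h: {"conn_rate": 30, "syn_ratio": 0.1, "failed_logins": 0} for h in NOISY}

# One narrow test per ant type; the article speaks of 64 such conditions.
CONDITIONS = {
    "conn_rate":     lambda m: m["conn_rate"] > 500,
    "syn_ratio":     lambda m: m["syn_ratio"] > 0.8,
    "failed_logins": lambda m: m["failed_logins"] > 50,
}
# Hypothetical mapping from a tripped condition to an operator action.
ACTIONS = {
    "conn_rate":     "rate-limit the host at the upstream router",
    "syn_ratio":     "enable SYN cookies and check for half-open floods",
    "failed_logins": "lock out the source and review auth logs",
}

@dataclass
class Ant:
    condition: str
    host: str

    def patrol(self, telemetry):
        """Report (host, condition) only when this ant's one condition trips."""
        if CONDITIONS[self.condition](telemetry[self.host]):
            return (self.host, self.condition)
        return None

@dataclass
class Sentinel:
    ants: list = field(default_factory=list)
    pheromone: dict = field(default_factory=lambda: defaultdict(float))
    decay: float = 0.5      # evidence halves each cycle that brings no new hits
    swarm_at: float = 1.0   # evidence level at which ants converge on a host

    def cycle(self, telemetry):
        """One patrol round: gather ant reports, then grow or cull the swarm per host."""
        for host in self.pheromone:
            self.pheromone[host] *= self.decay
        hits = defaultdict(set)
        for ant in self.ants:
            report = ant.patrol(telemetry)
            if report:
                host, cond = report
                hits[host].add(cond)
                self.pheromone[host] += 1.0
        for host in telemetry:
            on_host = [a for a in self.ants if a.host == host]
            if self.pheromone[host] >= self.swarm_at:
                # Swarm: make sure every condition is being checked on the hot host.
                present = {a.condition for a in on_host}
                self.ants += [Ant(c, host) for c in CONDITIONS if c not in present]
            elif len(on_host) > 1:
                # Cold host: keep a single patrolling ant and destroy the rest.
                for extra in on_host[1:]:
                    self.ants.remove(extra)
        return hits

def sergeant_report(sentinel, hits):
    """Turn sentinel state into ranked, action-oriented rows for a human."""
    rows = []
    for host, level in sorted(sentinel.pheromone.items(), key=lambda kv: -kv[1]):
        if level >= sentinel.swarm_at:
            conds = sorted(hits.get(host, ()))
            actions = "; ".join(ACTIONS[c] for c in conds) or "still elevated, keep watching"
            rows.append((host, round(level, 3), conds, actions))
    return rows

def run(intervals):
    """Seed one ant per host (conditions assigned round-robin); return (ant count per cycle, last report)."""
    sentinel = Sentinel()
    for host, cond in zip(intervals[0], CONDITIONS):
        sentinel.ants.append(Ant(cond, host))
    counts, report = [], []
    for telemetry in intervals:
        hits = sentinel.cycle(telemetry)
        counts.append(len(sentinel.ants))
        report = sergeant_report(sentinel, hits)
    return counts, report

if __name__ == "__main__":
    counts, report = run([NOISY, NOISY, QUIET, QUIET])
    print("ants per cycle:", counts)
    for row in report:
        print(row)
```

With the constructed telemetry, the first noisy interval trips one ant each on host-b and host-c, and the sentinel immediately spawns the missing ant types on both hosts (3 ants become 7). Once the traffic goes quiet, the evidence decays below the swarm threshold and the sentinel culls each host back to a single ant, which is the "deploy a lot when needed, cut their numbers when not" behavior the article describes.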
Fulp describes the results as "swarm intelligence," likening it to ant behavior in the wild. Ants swarm to anything that appears wrong and surround it, collecting data.
The key is that all these programs are small objects. You can deploy many of them when needed and cut their numbers when they're not, all under the control of other software objects. Reports and commands to the people running the system are specific and action-oriented.
The Wake Forest work is aimed at protecting Internet-linked systems, but the agents can be deployed across networks without disruption and could be the heart of new anti-virus designs. Eventually they could even trace Internet threats to their source, giving real cops plenty of evidence for a warrant.