Modeling Security Software To Mimic Ant Behavior

wiredmikey writes "Researchers from universities and national laboratories in the United States are developing software that mimics ant behavior, as a new approach to network security." The concept has been around for a while, but this summer researchers are working to train the "digital ants" well enough that they can turn them loose into the power grid to seek out computer viruses trying to wreak havoc on the system.

Ant bait?

[pinpuke]

Will McAfee come out with Ant Trap 1.0?

Re:

[Meski]

It'll work if we tip honey on all the malware.

A new definition of honey-trap.

Skynet

[Anonymous Coward]

Turn them loose? Sounds like skynet. What could possibly go wrong?

Re:

[Culture20]

Well. If the ants consider computer viruses to be food then they will take them back to the nest.

or just like how real ants herd aphids and mulch fungus farms, these digi-ants might introduce vulnerabilities in known good software to keep their food supply high. Thank God that's not how they're programmed except in the mind of a mediocre sci-fi writer.

Re:

[maxwell demon]

But could a malicious person write another, malicious ant which manipulates the existing ant colony for his own goals? Those malicious ants could leave false scents at completely harmless computers, or remove scents left by other ants. Maybe it could even manage to free some part of the network from ants by leading ants at its borders to other parts of the network through strategically placed scents. Indeed, it could even be a DoS attack by simply creating lots of copies of the existing ants, which then wil

Re:

[Moryath]

But could a malicious person write another, malicious ant which manipulates the existing ant colony for his own goals?

Sure they could.

What, you didn't think that was what existing botnet viruses do? They co-opt the millions of computers left unpatched and unsecured by clueless users everywhere for their own purposes.

What's being described by the "ants" concept is nothing more than the age-old "can we make a beneficial computer virus" crap that constantly gets spread around. The answer is no, because if it g

Re:

[Meski]

Is that an un-ant-serable problem?

Re:

[halfEvilTech]

Was thinking the same thing. Let me know when they are about to start so I can make sure I am out of possible nuke targets.

There was an old power grid

[bugs2squash]

That swallowed a fly...

Re:

[BenJaminus]

I wonder why it swallowed a fly?...

Re:

[Abstrackt]

Probably because it was glowing.

Re:

[Wiarumas]

For those who don't understand this (insightful) post, its based off a children's novel (http://en.wikipedia.org/wiki/There_Was_an_Old_Lady_Who_Swallowed_a_Fly). There is an old woman who swallowed a fly and she keeps eating other animals to get rid of the previous animal until she eventually dies in the end (some versions have a censored ending).

Obligatory

[Blackdognight]

"I, for one, welcome our new insect overlords." Sorry, but the perfect oportunity to use the original quote doesn't come up every day...

Re:

[NoNonAlphaCharsHere]

It didn't today, either.

Not this bollocks again.

[Anonymous Coward]

So, in order for these "ant-like" software agents to "roam" around a network, presumably all the machines on the net will have to keep a port open to accept random downloads of software to run locally?

Sure, that'll work.

Why on earth would they "wander"

[Zerth]

I'd like my security software to stay resident at all times, thank you very much.

And "swarming"? I suppose that is an effective response, sucking up CPU by making meaningless copies of itself will keep the virus from doing much. But I'd rather remove the malware.

Re:

[Inda]

They wander to create networks: http://science.slashdot.org/story/11/02/17/2243203/Ants-Build-Cheapest-Networks

I like ants; I've owned ant farms, but c'mon, they can't be used for everything. Digging sand from under your garden path? Sure. Farming aphids? Yeah, they do a better job than I ever could ever do...

Leave the computer stuff to the intelligent animals.

Uh...WTF?

[chill]

"In nature, we know that ants defend against threats very successfully," Fulp said. "They can ramp up their defense rapidly, and then resume routine behavior quickly after an intruder has been stopped. We're trying to achieve that same framework in a computer system."

Yeah, that's what we need. One Symantec AV can't stop a virus it doesn't know about, so we need TEN SYMANTEC AVS on the job.

The problem in computer security is one of DISCERNING INTENT. Good code and bad code look the same. The call the same functions, perform mostly the same tasks.

Think of VNC or Windows Remote Help vs a backdoor trojan. Same basic thing, just different intent.

FTP, Dropbox or other file transfer vs a trojan that uploads your files. Intent again.

Ants don't do any better at recognizing bad guys than AV software does. Faced with an enemy that is TRYING to disguise itself, they are fooled or sidelined. http://www.securityweek.com/researchers-model-security-software-mimic-behavior-ants [securityweek.com]

On the bight side, I'll be they can squeeze a few research grants out of it.

Re:

[ThunderBird89]

ZoneAlarm and Comodo DO detect RealVNC as possible threat, asking for authorization to run, then another to connect. Same with Crossloop (which is just a shell for RealVNC with a custom connection schema, though).

Re:

[chill]

Yes, but that isn't a solution. That is just passing it on to the user to say "I see something, what is it?" Again, it defers determining intent to the user.

In real world application, ZoneAlarm and Comodo are next to useless because clueless users just keep clicking "allow" to make it stop bothering them.

God help them when "svchost.exe" pops up asking for permission.

Re:

[The Archon V2.0]

Which is really annoying if the firewall updates and forgets you told it VNC was OK, then you're left with a machine that has no monitor, mouse, or keyboard waiting for someone to click OK. (Thank you Comodo....)

Re:

[maxwell demon]

Well, just add another program to the box which monitors the firewall and emulates clicking OK whenever that window appears. :-)

Re:

[element-o.p.]

Back in my days working the abuse desk at an ISP, ZoneAlarm was the bane of my existence. The problem with ZoneAlarm is that it would freak out about EVERYTHING unless it was configured by someone who actually had a clue...but no one who actually had a clue would use ZoneAlarm, since much better products (like Sygate, IIRC) were available. We had customers write to complain that they were being hacked by the ISP DNS servers, mail servers, 127.0.0.1 (yes, I actually had someone write in to ask us to take a

Re:

[ThunderBird89]

I got fed up by the pro version's insane resource utilization when updating. It was enough to actually break USB connection to my phone. So off it went, and I switched to Comodo. Since I can't pay for the license (being a student and whatnot), I'd rather my AV/Firewall was free... :)

Re:

[PhilHibbs]

I think the broad theory is that each computer on a network behaves like an ant, passing information to other computers about the network environment. If one computer starts misbehaving, the others can communicate this information and avoid the infected machine or the source of the incoming traffic. If the security software on the infected PC is compromised, they might even be able to force the infected machine to run some different security software that can help combat the threat. This is all just off the

Re:

[PhilHibbs]

Hm, looks like I replied to the wrong comment. Oh well.

Re:

[pookemon]

Ah yes, however now when you are bored at work, and you look out the window and see a beautiful day, with the sun shining, you can have some fun by grabbing a magnifying glass and setting fire to your security software.

Nice concept...

[grimsweep]

...but the power of such a system is in interpreting the data. It sounds as if the 'ants' themselves wander about the network observing specific attributes, then leaving behind a few notes on anomalies found. Other ants come along, attracted by the 'scent' of the data, and add their own observations. This is all well and good, but my skepticism comes in when we try to interpret the 'odors'. The ants have a chance of observing an event they or another ant caused to happen, which introduces false positives

computer viruses in the power grid?

[doperative]

"this summer researchers are working to train the "digital ants" well enough that they can turn them loose into the power grid to seek out computer viruses trying to wreak havoc on the system".

The only way 'computer viruses` could get into the power grid is if you run your SCADA units on Microsoft Windows and connect them directly to the Internet. Designing a system that allows 'digital ants` to scurry about and be secure at the same time is a contradiction in terms. What happens if the 'digital ants` are

Re:

[vlm]

What happens if the 'digital ants` are hijacked by the .cyber->terrorists :)

This will be the inevitable outcome. Random software is not allowed inside, or at least we put a measurable although microscopic effort into it. Digital ants are allowed in. Therefore they will be the infection vector of the future. "who watches the watchers"

Re:

[SEWilco]

"who watches the watchers"

The ant lion watches them.

Re:

[maxwell demon]

What part of don't connect your SCADA units to the Internet don't these 'security experts' understand?

The "don't" part, of course.

never heard of USB sticks?

[dutchwhizzman]

It doesn't require an Internet connection to get infected. The most useful approach I've seen so far in power plants is 2 separated networks. One reserved for control with no external media or Internetconnection and one with internet and functioning drives, USB ports and all that. People are going to try to use the computer on their desk to do stuff they want, unless you provide them with an alternative. Lock the control computer down as best as you can, and leave the other one as open as possible.

Re:

[GameboyRMH]

What part of don't connect your SCADA units to the Internet don't these 'security experts' understand?

When they're not connected to the Internet, they're connected to a modem with no authentication...

Sounds like buggy code

[gatkinso]

Hahahahawhawhaw.

Carry on.

Re:

[antdude]

Ants aren't bugs. "How wude." :P

Computer Fungus Infection

[Pennidren]

Exit the age of the computer virus. Enter the age of the computer fungus! [youtube.com]

viruses are a bad analogy

[doperative]

"In nature, we know that ants defend against threats very successfully," Fulp said. "They can ramp up their defense rapidly, and then resume routine behavior quickly after an intruder has been stopped. We're trying to achieve that same framework in a computer system." link [securityweek.com]

Except computer viruses are no way near analogous to the biological kind. In nature the virus first has to latch onto the outside of the cell before injecting its genetic payload. It does this by hijacking biological processes necessary t

Re:

[jonadab]

> In nature, we know that ants defend against threats very successfully

Sure. Ants are particularly prolific even as insects go. They can take hundred-to-one losses against virtually anything and still win by sheer numbers.

Off the top of my head the only creature I can think of that can consistently wipe out entire colonies of ants and prevent them from coming back is a human.

In other words, the analogy is stupid.

The security technology may or may not be stupid. It's hard to tell, because unfortunately

Terry Pratchett was right !

[Pop69]

Invented years ago by TP

http://www.paulkidby.com/stickers/index.html/ [paulkidby.com]

What will this do...

[Kamiza Ikioi]

...to honeypots?

Re:

[pasv]

Is it just me or is creating "buzz"words nowadays an actual career path? (a lucrative one at that).

Resulting in...

[bugs2squash]

...crispy ant jerky

With apologies to Scott Adams, whomever he is signed in as today

The DigiAnts are a Godsend

[sexconker]

Well, I was wrong. The DigiAnts are a godsend.

But isn’t that a bit short-sighted? What happens when we’re overrun by DigiAnts?

No problem. We simply release wave after wave of Chinese DigiAnteater. They’ll wipe out the DigiAnts.

But aren’t the DigiAnteaters even worse?

Yes, but we’re prepared for that. We’ve lined up a fabulous type of DigiGorilla that thrives on DigiAnteater bits.

But then we’re stuck with DigiGorillas!

No, that’s the beautiful part. When IPv6 rol

Magnifying Glass

[Rob Riggs]

Is it me, or is it getting a bit warm on such a fine, sunny day?

Anthill inside...

[chthon]

nuff'said

Man questions?

[SanityInAnarchy]

From TFA:

Berenhaut and Hilton are working to answer man questions: How do the ants migrate across different computer platforms and systems operating at different speeds?

I'm not entirely sure how that's a "man question", and I certainly don't want MANswers [wikipedia.org] to attempt to answer it.

Re:

[Psychotria]

It's quite simple really [youtube.com]

Well, that's how it works around here anyway :(

Easily broken

[SnarfQuest]

All it takes is a 10 year old with a magnifying glass to wipe out your entire security system.

Ants? Why not lions?

[Smigh]

"In nature, we know that ants defend against threats very successfully," Fulp said.

Yeah, I'd say lions defend against threats even better. Why not model our security software to mimic lion behavior?

First it would conceal among other packets until the virus gets distracted. Then it will run at it in an angle so that the virus will run straight into an ambush mounted by other lions. Then they will bite the virus neck until it dies. Done! No more virus!

You may be vulnerable while your security software is napping though...

Melissa again?

[IZN0GUD]

Wasn't it the writer of Melissa that has had original intent of searching for other virii and removing them? I am no cracker, but from what I know AV software is common initial target of any decent virus; why would ants be immune to such attacks and who could guarantee that they are impermeable? This scenario sounds more like "once you get infected, can't get help by being insected" or whatever. Adding more possible holes that have mind of their own isn't really a security way to go...

100 years later...

[SchroedingersCat]

"researchers are working to train the digital ants well enough that they can turn them loose" ...
100 years later:
Agent Smith: I'd like to share a revelation that I've had during my time here. It came to me when I tried to classify your species and I realized that you're not actually mammals. Every mammal on this planet instinctively develops a natural equilibrium with the surrounding environment but you humans do not. You move to an area and you multiply and multiply until every natural resource is cons

this software

[BattleApple]

is going to be full of bugs

Great idea!

[SEWilco]

Seems like a great idea, as long as it's released on an electrical network that I'm not using!

Just read a Cory Doctorow short about this...

[unrtst]

"Human Readable" in his short story collection "With a Little Help".
Really enjoyable read, as are all his books. And you can read 'em for free if you like (most, if not all, are under creative commons), so there's no harm in checking it out :-)

I'd love to explain the story, cause it's really great, but that'd give away too much.