计算机专业时文选读之六

Autoimmune Computer Systems

For half a century, developers have protected their systems by coding rules that identify and block specific events. Edit rules look for corrupted data, firewalls enforce hard-coded permissions, virus definitions guard against known infections, and intrusion-detection systems look for activities deemed in advance to be suspicious by systems administrators.

But that approach will increasingly be supplemented by one in which systems become their own security experts, adapting to threats as they unfold and staying one step ahead of the action. A number of research projects are headed in that direction.

At the University of New Mexico, computer science professor Stephanie Forrest is developing intrusion-detection methods that mimic biological immune systems. Our bodies can detect and defend themselves against foreign invaders such as bacteria and parasites, even if the invaders haven't been seen before. Forrest's prototypes do the same thing.

Her host-based intrusion-detection system builds a model of what is normal by looking at short sequences of calls by the operating system kernel over time. The system learns to spot deviations from the norm, such as those that might be caused by a Trojan horse program or a buffer-overflow attack. When suspicious behavior is spotted, the system can take evasive action or issue alerts.

The central challenge with computer security is determining the difference between normal activity and potentially harmful activity. The common solution is to identify the threat and protect against it, but in many ways, this is the same as constantly fighting the last war, and it can be quite inefficient in environments that are rapidly changing.

In another project Forrest and her students are developing intrusion-detection systems even more directly modeled on how the immune system works. The body continuously produces immune cells with random variations. As the cells mature,the ones that match the body's own proteins are eliminated, leaving only those that represent deviations as guides to what the body should protect against. Likewise, Forrest's software randomly generates “detectors”， throws away those that match normal behavior and retains those that represent abnormal behavior.

Each machine in the network generates its own detectors based on that machine's unique behavior and experiences, and the detectors work with no central coordination or control. In fact, just how the detectors work isn't precisely known, Forrest says.

Indeed, these experimental approaches don't work perfectly, Forrest acknowledges, but she points out that no security measure, including encryption or authentication, works perfectly either. She says the most secure systems will employ multiple layers of protection, just as the human body does. The advantage of this type of system is that it is largely self-maintaining and doesn't require continual updating by experts.

参考译文

自免疫计算机系统

半个世纪以来，开发人员通过编制能识别和中断特别事件的规则来保护其系统。编辑规则寻找已被破坏了的数据，防火墙实施硬编码的许可，病毒定义防止已知的(病毒)感染，入侵检测系统则寻找由系统管理员事先认定好的可疑行为。

但是这种办法将越来越多地得到另一个办法的补充，即系统自己成为安全希赛网，当它们发现威胁时对威胁自适应，并提前一步采取措施。很多研究项目正在向此方向前进。

在(美国)新墨西哥大学，计算机科学教授 Stephanie Forrest正在开发模仿生物免疫系统的入侵检测系统。我们的身体能探测和自我防御外来入侵者，如细菌和寄生虫，甚至在以前根本没有看到过它们。Forrest的样机做同样的事。

她的这个基于主机的入侵检测系统建立一个模型，即通过操作系统内核察看短序列调用，看看它是否正常。系统学会找出偏离正常的地方，如由特洛伊木马程序或缓存溢出攻击造成的异常。当发现可疑行为时，系统能采取规避行为或发出警报。

对计算机安全的主要挑战是确定正常行为与潜在的可疑行为之间的差异。常见的解决办法是识别威胁和针对它采取保护措施，但是在很多方面，这与上一次与(病毒)打仗常常是一样的，这在快速变化的环境中效率可能很低。

在另一个项目中， Forrest和她的学生正在开发的入侵探检系统更是直接以免疫系统为模型。身体连续不断产生能随机变异的免疫细胞，当细胞成熟时，那些与体内已有蛋白质相匹配的免疫细胞被消灭了，只留下那些有变异的细胞，指导它们去针对那些应防御的(病毒)。同样，Forrest的软件随机地产生“探测元”，摒弃那些与正常行为匹配的探测元，保留那些代表异常行为的探测元。

网络中的每台机器都基于该机器的行为和经历产生自己的探测元，这些探测元在没有集中协调或控制的情况下工作。 Forrest称，探测元的工作实际上是没法精确了解的。

事实上， Forrest承认，这些试验性的方法还不太完美，包括加密或认证在内。她说最安全的系统如同人体那样采用多层次的保护。这类系统的优点是，在很大程度上它是自我维护的，不需要希赛网连续不断地更新。