Field of the Invention
The present invention relates to network security.
Background of the Related Art
Information security as applied to computer and network security has traditionally focused on a single host in isolation: defining a security baseline and controls for that host, and centrally managing its policy and configuration. This model does not scale well given the rapid and continued growth of networked devices, including mobile phones, smart grids, personal computing devices, and other network-enabled devices.
Information security management is an important aspect of the continued use of information systems to store, process, and transmit information. As systems, technology, users, and attackers increase in sophistication, defensive strategies and response tactics must evolve to match. The current model of Computer Network Defense (CND) is becoming increasingly difficult to manage: the defenders protecting an increasing number of information systems are outnumbered as both human and automated attackers multiply by the thousands. The current model of CND does not scale efficiently. The use of agents to monitor endpoint host characteristics is not new, nor is their use to produce interesting emergent behavior. (S. A. Hofmeyr, An immunological model of distributed detection and its application to computer security, 1999.) However, few works to date have attempted to evaluate the simple security-focused hygiene characteristics necessary to generate emergent security-oriented behavior in a complex environment. (See M. Mitchell, Self-awareness and control in decentralized systems. Presented at Metacognition in Computation, 2005 and R. Dove and L. Shirey, On discovery and display of agile security patterns, Presented at 8th Conference on Systems Engineering Research, 2010.)
The contemporary security structure instantiated in networked computer systems is sophisticated and complicated. Various paradigms support the conceptualization and development of security approaches, including those of a walled fortress, layered defense-in-depth, and immune system modeling. The initial imperative was to stop intruders from gaining unauthorized access to enterprise information assets. As new capabilities emerged, such as virtual private networks, and as new operational parameters evolved, such as teleworking, the concept of a singular system that could be protected has gradually eroded. This erosion has accelerated with the adoption of cloud computing.
The inventors recognized that a focus on perimeter security, while useful, is inadequate and can result in a system with a “hard-candy shell with a soft, chewy center.” (Wadlow, The process of network security: Designing and managing a safe network, 2000.) Not only does this model fail to provide defense once a single attacker has penetrated the network, it also does not consider the internal security needed to maintain defenses as attackers persist within the network boundary. Additionally, the increasing number of virtual holes punched through the perimeter to allow authorized access from outside to inside for remote users, mobile users, and new services creates an increasingly porous boundary. The resultant de-perimeterization of the enterprise boundary has reduced the effectiveness of traditional security models (Jericho Forum 2007). It is widely recognized that the security field needs to become increasingly clever to develop new approaches that accommodate these realities (National Research Council 2007).
Attempts to make individual nodes on the network intelligent enough to recognize and handle threats have produced several technologies. One example is the work from the University of New Mexico on an immune system for computer systems, which would enable a computer to recognize foreign (non-self) software elements (Forrest et al., 1994). This immune-system-inspired research continues along many exploratory paths (Timmis et al., 2010; Greensmith et al., 2006).
The operational challenge with running security software on computer systems is that recording and analyzing security-relevant events consumes processing cycles, reducing the capacity available for other uses, such as running the enterprise. When computers were much less powerful than they are today, this was a significant problem: it was not uncommon for networks to slow to the point of being unusable if all options for security monitoring and analysis were enabled (Kruegel et al., 2005). While advances in computer speed and capacity have somewhat ameliorated this issue, it remains a significant challenge in very large systems, where the volume of data to be collected, correlated, and analyzed is enormous.