SoS Musings #60 - Nature-Inspired Cybersecurity Enhancements
Cyberattacks continue to grow more advanced, calling for security experts and the security community as a whole to explore protection and defense methods beyond traditional cybersecurity techniques. According to the Global Industrial Cybersecurity Outlook 2022 report, cyberattacks increased significantly in 2020 and 2021, both in frequency and in sophistication. In addition to signature-less ransomware and the increased adoption of the Ransomware-as-a-Service (RaaS) model, attackers have been turning to Artificial Intelligence (AI) and Machine Learning (ML) to scale up their attacks. Cybersecurity can benefit from biomimicry, innovation inspired by nature or by biological entities and processes, and further research and development of nature-inspired cybersecurity solutions is encouraged. Several studies have already contributed to this body of knowledge.
The behavior of honey bees has inspired cyber defense methods. The study "Hive Oversight for Network Intrusion Early Warning Using DIAMoND: A Bee-Inspired Method for Fully Distributed Cyber Defense" explores a self-organizing anomaly detection system based on the social interactions observed in honey bee colonies. In honey bee foraging, participants do not define the search target in advance; they instead recognize anomalies or resources when they encounter them. The researchers mapped these foraging methods onto computer networks to detect and mitigate distributed attacks automatically, presenting an algorithm and coordination framework that translates the biological behavior into equivalent cyber defense operations. Using a software-based test implementation, they demonstrated up to a 20 percent improvement in detection capability over isolated anomaly detectors running in parallel.
The movement of bees, ants, and other insects while searching for food and protecting their colonies involves complex peer-to-peer communication with no centralized command and control. Insects communicate through sound, chemical signals, and other means. When a message is successfully transmitted and acknowledged by others in the swarm, a decentralized mission forms to deal with the situation the message describes; the reaction of a single insect, relayed peer to peer, can cause the entire environment to react without a central leader processing information and giving orders. Morey J. Haber, Chief Security Officer at the Privileged Access Management (PAM) firm BeyondTrust, noted that this model feels strange to those accustomed to a hierarchy of authority but could be significant in developing novel approaches to cybersecurity. This concept, "swarm intelligence," underlies AI models built on decentralized, self-organized systems.
A team of researchers from Glasgow Caledonian University and COMSATS University developed a model with the potential to protect Internet and cloud resources against cyberattacks. Their detection method combines an Artificial Bee Colony (ABC) algorithm with a Random Neural Network (RNN). An ABC algorithm is a swarm intelligence optimization method that imitates the foraging behavior of honey bees and has been applied to real-world computational problems; an RNN is an ML model loosely based on the behavior of biological neural networks in the human brain. In the proposed anomaly-based intrusion detection scheme, the ABC algorithm is used to train the RNN, with the goal of protecting sensitive information and detecting novel cyberattacks. The researchers trained the model on a benchmark intrusion detection dataset of Internet traffic and then ran a series of assessments to measure its performance in identifying and classifying attacks, finding it highly effective at classifying new attacks, with a 91.65 percent accuracy rate. Accuracy was also found to increase as the "colony" size of the ABC swarm grew: as more "artificial bees" contributed to the model, overall confidence in the solution rose.
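To make the bee-inspired coordination idea concrete, here is an added, simplified Python simulation in the spirit of DIAMoND (illustrative code written for this page, not the paper's implementation, and it does not cover the ABC/RNN model). Each node keeps its own simple rate-based detector, shares only a scalar "concern" value with its ring neighbors, and lowers its own alarm threshold in proportion to the concern it hears, never raising it. The node count, the baseline of 100 connections per interval, the 50 percent threshold, the coupling factor and the constructed "low and slow" attack traffic are all assumptions chosen so the effect is visible; with coupling set to zero the nodes behave as isolated detectors.

```python
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    baseline: float                  # expected connection attempts per interval (assumed)
    threshold: float                 # local alarm level as a fraction above baseline (assumed)
    neighbors: list = field(default_factory=list)
    concern: float = 0.0             # the only thing a node shares: its last local score


def local_score(observed: float, baseline: float) -> float:
    """Local anomaly score: fractional excess over baseline, clipped to [0, 1]."""
    return max(0.0, min(1.0, (observed - baseline) / baseline))


def detection_round(nodes, observations, coupling):
    """One round of fully distributed detection; returns the names of nodes that alarm.

    coupling == 0.0 reproduces isolated detectors. A larger coupling lets the
    strongest concern heard from a neighbour lower this node's threshold, but a
    node with no local signal of its own never alarms, however loud its peers are.
    """
    scores = {n.name: local_score(observations[n.name], n.baseline) for n in nodes}
    alarms = set()
    for n in nodes:
        heard = max((m.concern for m in n.neighbors), default=0.0)
        effective = n.threshold * (1.0 - coupling * heard)
        if scores[n.name] > 0.0 and scores[n.name] >= effective:
            alarms.add(n.name)
    for n in nodes:                  # publish concern for the next round; no central collector
        n.concern = scores[n.name]
    return alarms


def build_ring(names, baseline=100.0, threshold=0.5):
    """Constructed topology: each node hears only its two ring neighbours."""
    nodes = [Node(name, baseline, threshold) for name in names]
    for i, n in enumerate(nodes):
        n.neighbors = [nodes[(i - 1) % len(nodes)], nodes[(i + 1) % len(nodes)]]
    return nodes


def run_low_and_slow(coupling, rounds=3):
    """Constructed distributed attack: every node sees 45% extra traffic each round,
    which is below any single detector's 50% threshold."""
    nodes = build_ring(["a", "b", "c", "d"])
    attack = {n.name: 145.0 for n in nodes}
    return [detection_round(nodes, attack, coupling) for _ in range(rounds)]


def run_single_noisy_host(coupling, rounds=2):
    """Constructed benign case: one loud host, quiet neighbours."""
    nodes = build_ring(["a", "b", "c", "d"])
    traffic = {"a": 160.0, "b": 100.0, "c": 100.0, "d": 100.0}
    return [detection_round(nodes, traffic, coupling) for _ in range(rounds)]


if __name__ == "__main__":
    print("isolated  :", run_low_and_slow(0.0))        # nothing fires
    print("coupled   :", run_low_and_slow(0.5))        # every node fires from round 2
    print("one noisy :", run_single_noisy_host(0.5))   # only the loud host fires
```

The isolated detectors never fire on the spread-out attack because no single node exceeds its own threshold, while the coupled ring fires everywhere from the second round once each node has heard its neighbors' concern. The benign case shows the guard that keeps this from becoming a rumor mill: a quiet node stays quiet no matter how much concern it hears, so coupling raises sensitivity only where there is already a local signal.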
Researchers have also looked to ants in developing cybersecurity solutions. For example, researchers from Wake Forest University and the US Department of Energy's Pacific Northwest National Laboratory (PNNL) developed software that mimics ant behavior as an approach to network security. Errin Fulp, a computer science professor at Wake Forest University, worked on creating an army of "digital ants" capable of roaming computer networks in search of threats. The technology differs from traditional security models in that it adapts quickly to changing threats. Fulp pointed out that ants are highly successful at defending against threats because they can rapidly amplify their defense and then quickly resume routine behavior once an intruder has been dealt with; this capability inspired a new security framework for computer systems. Glenn Fink, the PNNL researcher who first proposed imitating ant behavior for computer security, invited Fulp to join a project in which digital ants are trained to roam a power grid in search of computer viruses. Beyond the power grid, the approach could be applied to securing anything connected to Supervisory Control and Data Acquisition (SCADA) networks, the software systems that monitor and control industrial processes. The idea is to deploy different types of digital ants, each looking for a particular kind of threat evidence. As they move through the network they leave digital trails that mimic the scent trails real ants use to guide each other. A digital ant is programmed to leave a stronger scent each time it finds evidence; the stronger a trail, the more digital ants it attracts, so a swarm forms around a potential infection and brings it to the attention of human operators for investigation.
The Department of Energy's project on bio-inspired technologies for enhancing cybersecurity in the energy sector aims to demonstrate that digital ants can operate across the organizational and technological boundaries found in smart grid architectures to correlate activities, produce emergent behavior, and draw attention to unusual conditions that indicate a possible cyber incident. The project uses the digital ants architecture to address component-level and zero-day threats, which could be exploited in coordinated attacks against a large number of small devices such as smart meters to manipulate the grid. PNNL emphasizes that ant-based cyber defense lets multiple stakeholders organize a coordinated defense, develop highly adaptive immune-system-like responses to attacks, keep ultimate responsibility with humans without requiring direct human control of every action, and prevent attacks.
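An added, deliberately small Python simulation of the digital ant mechanism described above (illustrative code written for this page, not PNNL's or Wake Forest's implementation). Three ant types, each checking one kind of evidence, patrol a constructed six-host ring; an ant deposits "scent" proportional to the evidence its sensor finds, scent evaporates every step, and ants follow or stay on the strongest nearby trail only when it exceeds a sensitivity floor. A weak benign anomaly on h2 therefore decays away, while the compromised host h4 collects a swarm, including the ant whose sensor finds nothing there, and is flagged for a human operator. The evidence values, evaporation rate, sensitivity floor and swarm size are all assumptions.

```python
from dataclasses import dataclass

SENSITIVITY = 0.3   # trails weaker than this are ignored; the ant keeps patrolling (assumed)
EVAPORATION = 0.5   # fraction of scent that survives each step (assumed)
SWARM_SIZE = 2      # ants on one host that count as a swarm worth an operator's time (assumed)

# Constructed network: six hosts in a ring. The first neighbour listed is the
# default patrol direction when no trail is worth following.
HOSTS = ["h0", "h1", "h2", "h3", "h4", "h5"]
ADJACENCY = {h: [HOSTS[(i + 1) % 6], HOSTS[(i - 1) % 6]] for i, h in enumerate(HOSTS)}

# Constructed evidence per host and sensor type, in [0, 1]. h4 is the compromised
# host; h2 shows a weak, benign process anomaly that must not attract a swarm.
EVIDENCE = {
    "h4": {"proc": 0.9, "net": 0.8},
    "h2": {"proc": 0.1},
}


@dataclass
class Ant:
    name: str
    sensor: str     # the one kind of evidence this ant type knows how to check
    host: str


def step(ants, pheromone):
    """One simulation step: scent evaporates, ants sense and deposit, then ants move."""
    for h in pheromone:
        pheromone[h] *= EVAPORATION
    for ant in ants:
        # the stronger the evidence the ant's sensor finds, the more scent it leaves
        pheromone[ant.host] += EVIDENCE.get(ant.host, {}).get(ant.sensor, 0.0)
    for ant in ants:
        candidates = [ant.host] + ADJACENCY[ant.host]
        strongest = max(candidates, key=lambda h: pheromone[h])   # current host wins ties
        if pheromone[strongest] >= SENSITIVITY:
            ant.host = strongest               # follow, or stay on, the strongest trail
        else:
            ant.host = ADJACENCY[ant.host][0]  # nothing worth following: keep patrolling


def simulate(steps=10):
    """Run the colony and report where the ants ended up and which hosts to investigate."""
    ants = [Ant("A", "proc", "h0"), Ant("B", "net", "h3"), Ant("C", "files", "h5")]
    pheromone = {h: 0.0 for h in HOSTS}
    first_swarm_step = None
    for t in range(1, steps + 1):
        step(ants, pheromone)
        counts = {h: sum(1 for a in ants if a.host == h) for h in HOSTS}
        if first_swarm_step is None and max(counts.values()) >= SWARM_SIZE:
            first_swarm_step = t
    counts = {h: sum(1 for a in ants if a.host == h) for h in HOSTS}
    return {
        "positions": {a.name: a.host for a in ants},
        "pheromone": pheromone,
        "flagged": [h for h in HOSTS if counts[h] >= SWARM_SIZE],
        "first_swarm_step": first_swarm_step,
    }


if __name__ == "__main__":
    report = simulate()
    print("ants at:", report["positions"])
    print("flag for operator review:", report["flagged"],
          "(swarm formed at step", report["first_swarm_step"], ")")
    print("scent:", {h: round(s, 3) for h, s in report["pheromone"].items()})
```

Two design points carry the weight here. Evaporation is what lets the colony "resume routine behavior": once an ant stops finding evidence the trail halves every step and the swarm disperses on its own. The sensitivity floor is what keeps a single weak indicator from trapping an ant; without it the ant at h2 would stay on its own faint 0.1 trail indefinitely instead of moving on to the real infection.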
Interest in methods based on human biology has also grown as cyberattacks become more sophisticated. Steven Hofmeyr, a computational researcher at Lawrence Berkeley National Laboratory, says that traditional approaches to cybersecurity, such as those that rely on signatures, are becoming increasingly ineffective, resulting in renewed interest in methods modeled after biological processes for protecting data and systems. The concept, dating back to the early 2000s, draws on human immune responses and vaccine models. Biology-inspired security tools aim to replace whitelists, blacklists, and other traditional detection techniques with a framework that finds anomalies in real time: just as the body responds to a foreign agent with antibodies, T-cells, and other mechanisms, a computer network can try to shut down an intrusion before the attackers inflict damage. Hofmeyr, who helped introduce bio-based security with a company called Sana Security, now part of AVG, emphasizes that interest in the idea is growing, especially because advances in ML and AI have made it more feasible. Eric Ahlm, a research director at Gartner, pointed out that implementing biological components via AI and ML is attractive, and that the concept is emerging in the class of endpoint software called Endpoint Detection and Response (EDR). The cybersecurity firm Virsec is one of a growing number of companies introducing biological models to bolster protection. Its approach to protecting software workloads across the runtime stack, regardless of application type or environment, allows only trusted execution and is designed to stop known and unknown threats within milliseconds, immunizing against ransomware, Remote Code Execution (RCE) attacks, supply chain poisoning, and memory-based attacks.
Dave Furneaux, CEO of Virsec, compares the approach to the mRNA technology used by the vaccine makers Moderna and Pfizer: once there is a better understanding of how a cell can be adapted and how it will react when faced with a threat, the organism is better protected. Ray Galili Darnell, a senior ML engineer at Perception Point, has described a novel approach to detecting phishing attacks inspired by DNA sequence alignment, which is used to compare DNA of different origins. BLAST is a powerful bioinformatics algorithm that researchers use to align sequences and measure their resemblance. A less widely known relative, SLAGAN (Shuffle-LAGAN), is more exhaustive in its approach and better suited to phishing prevention. The distinction SLAGAN makes between global alignment (comparing two sequences end to end) and local alignment (finding the best-matching region within them) is what makes the technique applicable to phishing detection. In addition, SLAGAN scores alignments with a substitution matrix, of which BLOSUM is the best-known example, that rates some mismatches as closer than others. The same idea applies to lookalike domains, where an attacker substitutes visually similar characters: a scoring matrix can rate "paypa1" and "paypal" as nearly identical while treating unrelated characters as true mismatches. This application of biomimicry led to the S-GLocal (Shuffle, Global, Local) algorithm, which incorporates biological alignment algorithms such as SLAGAN to address the lookalike domain challenge in phishing attacks.
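As an added example of the alignment idea (written for this page; not Perception Point's S-GLocal code, and the confusable-character groups, scores and threshold are constructed assumptions), the following Python code implements global (Needleman-Wunsch) and local (Smith-Waterman) alignment with a BLOSUM-style substitution scorer that treats visually confusable characters as near matches. The global score catches whole-label impersonations such as paypa1, the local score catches a brand embedded in a longer label such as secure-paypal-login, and the shuffle step of S-GLocal is not implemented here.

```python
# Scoring scheme (assumed values): identical characters score high, visually
# confusable pairs score almost as high, unrelated characters and gaps are penalised.
MATCH, LOOKALIKE, MISMATCH, GAP = 3, 2, -2, -2

# Constructed confusable groups; a real deployment would use a fuller homoglyph table.
CONFUSABLE = [set("o0"), set("l1i"), set("s5"), set("e3"), set("a4")]


def sub_score(x: str, y: str) -> int:
    """BLOSUM-style substitution score for one character pair."""
    if x == y:
        return MATCH
    if any(x in g and y in g for g in CONFUSABLE):
        return LOOKALIKE
    return MISMATCH


def global_align(a: str, b: str) -> int:
    """Needleman-Wunsch: best score aligning a and b end to end."""
    n, m = len(a), len(b)
    dp = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        dp[i][0] = i * GAP
    for j in range(1, m + 1):
        dp[0][j] = j * GAP
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            dp[i][j] = max(dp[i - 1][j - 1] + sub_score(a[i - 1], b[j - 1]),
                           dp[i - 1][j] + GAP,
                           dp[i][j - 1] + GAP)
    return dp[n][m]


def local_align(a: str, b: str) -> int:
    """Smith-Waterman: best score of any region of a against any region of b."""
    m = len(b)
    prev, best = [0] * (m + 1), 0
    for ch in a:
        cur = [0] * (m + 1)
        for j in range(1, m + 1):
            cur[j] = max(0,
                         prev[j - 1] + sub_score(ch, b[j - 1]),
                         prev[j] + GAP,
                         cur[j - 1] + GAP)
            best = max(best, cur[j])
        prev = cur
    return best


def lookalike_verdict(domain: str, brands, threshold: float = 0.6):
    """Return the brand a domain appears to imitate, or None.

    Global similarity is normalised by the longer string, so it is high only when
    the whole label imitates the brand; local similarity is normalised by the
    brand length, so it fires when the brand is embedded in a longer label.
    Public-suffix handling is out of scope: the last label (the TLD) is dropped.
    """
    label = ".".join(domain.lower().split(".")[:-1])
    best_brand, best_sim = None, 0.0
    for brand in brands:
        g = global_align(label, brand) / (MATCH * max(len(label), len(brand)))
        l = local_align(label, brand) / (MATCH * len(brand))
        sim = max(g, l)
        if sim > best_sim:
            best_brand, best_sim = brand, sim
    return best_brand if best_sim >= threshold else None


if __name__ == "__main__":
    brands = ["paypal", "microsoft"]
    for d in ["paypa1.com", "rnicrosoft.com", "secure-paypal-login.example.net", "github.com"]:
        print(f"{d:35} -> {lookalike_verdict(d, brands)}")
```

The substitution matrix is where the biology analogy pays off: a plain edit distance counts paypa1 and paypa9 as equally far from paypal, whereas the lookalike score keeps the first within range and rejects the second. Note that rnicrosoft is caught by the gap handling rather than by the matrix, since "rn" for "m" is a two-character substitution, and that a brand hidden inside a long label is invisible to the global score and only surfaces through the local one; a real deployment would also need a proper homoglyph table covering Unicode confusables and public-suffix-aware label extraction.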
Such studies and developments can inform the creation of further novel cybersecurity solutions modeled on insects, the human body, and other natural systems.