Why anti mal* is doing it wrong
I had a presentation the other day at UNM on some of the work that I had done two years ago. It's fascinating that there is such a renewed interest.
A. Kozakiewicz, A. Felkner, P. Kijewski, and T. Kruk published a paper (4/2007), after my DefCon presentation, entitled "Application of bioinformatics methods to recognition of network threats." The conclusion of this paper was that these bioinformatics techniques seem to have less resistance to polymorphism; however, I maintain that this was because of the simplicity of the scoring function they considered.
One of the foundational papers on using nature as a model for how to do things correctly was a 1994 paper, "Principles of a Computer Immune System" by A. Somayaji, S. Hofmeyr, and S. Forrest. It spends a lot of time considering the acquired immune system.
So, how does nature do things differently than anti mal*? There's a lot out there on this topic. I'd like to advance two points I've not seen elsewhere:
- Natural systems don't "root" the individual hosts; instead, each host exposes enough information (via MHC II molecules) for an external, tamper-resistant picture of what that host is doing. Anti-mal* does the opposite: it wants hooks into everything, and is itself readily disabled.
- There is no hesitation to kill hosts that are suspected of being infected. Among the many destruct mechanisms is the FAS ligand activation pathway. Think of this as a lever on the outside that automatically shreds the cell and makes it easy for the acquired immune system to improve future defenses. Note again that the cell is shredded; no "root" is required for post-mortem forensics.
These are just some ideas. I hope to be getting them together in a formal paper sometime soon. I look forward to comments.