
Cyber 'ants' patrol PC networks against computer worms and other threats

By Dario Borghino

00:46 September 29, 2009 PDT

Even though individually unintelligent, digital ants exhibit highly intelligent group behavior. (Image: Wikimedia, released under CC 3.0 by-sa)

In looking for highly efficient ways to solve complex problems, we've often seen researchers mimic the solutions found by nature over billions of years: smart fabrics inspired by pine cones, spectrum analyzers modeled after the human ear and powerful search-and-optimization genetic and evolutionary algorithms, to name just a few. The latest piece of news comes from Wake Forest University, where the group dynamics of ant colonies have inspired security software to fight computer worms and other threats.

The idea isn't entirely new, as a probabilistic algorithm called ant colony optimization (ACO) has been known to the IT community for some time. ACO uses the concept of "swarm intelligence," the basic idea that intelligent behavior can arise from a large community of unintelligent components, to solve problems — particularly search problems — that would otherwise be very computationally intensive.

In ant colony optimization, just as in nature, individual ants start by wandering about randomly until one of them eventually finds food for the colony and, on its way back, leaves a strong pheromone trail to quickly attract other ants towards the same target. This algorithm turns out to converge to the optimal solution rather quickly and has been applied to many optimization problems so far.

The Wake Forest University team's work builds on the ACO algorithm by adapting it to a dynamic environment, such as that of a computer security network. It also takes the analogy to ant group dynamics one step further by introducing concepts such as food and ant hierarchies.

"Our agents use an ant model for movement, feeding, spawning, and dying," Prof. Errin Fulp, who led the team's research efforts, explained to us in an e-mail. "ACO algorithms do the same, but an important difference is that our agents aren't working to achieve a one-time goal. Instead, for our system, the goal is more dynamic, the agents continually move looking for food, which they are given if they find evidence of a security event. Of course they can die if they are not successful."

These digital ants wander through computer networks constantly looking for threats, exploring their nodes and leaving a trail as they find one, but also obeying the orders of "sentinels" residing on the various nodes which in turn report to "sergeants" controlled by humans, which are ultimately in control of the system.

The ants come in many different kinds, each looking for a very specific piece of evidence that is computationally "cheap" to obtain — one might look for higher-than-normal CPU usage, another may check network traffic volume, and so on. When an agent finds a piece of evidence, its trail attracts agents of all other kinds, which look for more evidence to detect and eventually fight the threat early on, before it spreads to the entire network.

"Agents spawn if they are successful, indicating a threat is present, and die if they are unsuccessful. Of course there needs to be a resident population always available when there isn't a threat," Prof. Fulp told us, but the resulting resources employed are still far less than those of a traditional security system.

Today's security software is designed to defend us against all known threats at all times, but those who develop computer worms and other malware keep introducing slight variations to evade computers' defenses. As a result, security programs keep getting bigger as more and more updates are issued, consuming a growing amount of resources to the point where they can interfere with productive workflow.

With this new approach, however, computer resources are only intensively used when a threat is actually found, and the load can be further distributed among the various hosts in the network, making it a much more efficient way of fighting cybercrime.
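The agent life cycle described above (move, feed, spawn, die, with trails that draw other kinds of ants to the same host) can be sketched as a small simulation. This is an added Python example, not the Wake Forest team's code; the ring topology, metric values, thresholds, tuning constants and the rule that an alert needs two kinds of evidence are all assumptions.

```python
import random
from collections import Counter

# Constructed 12-host ring. Host 2 is busy but benign (CPU only); host 7 is
# the simulated worm (CPU and traffic). All values are illustrative.
N = 12
METRICS = {h: {"cpu": 0.2, "traffic": 0.1} for h in range(N)}
METRICS[2]["cpu"] = 0.95
METRICS[7] = {"cpu": 0.90, "traffic": 0.90}
THRESHOLD = {"cpu": 0.8, "traffic": 0.7}    # one cheap check per ant kind
RESIDENT, MAX_ANTS, TRAIL_CAP = 3, 30, 3.0  # assumed tuning constants

def simulate(steps=400, seed=1):
    rng = random.Random(seed)
    ants = [{"kind": k, "host": rng.randrange(N), "energy": 5}
            for k in THRESHOLD for _ in range(RESIDENT)]
    trail = [0.0] * N                        # pheromone per host
    evidence = {h: set() for h in range(N)}  # kinds that found something
    for _ in range(steps):
        trail = [t * 0.8 for t in trail]     # trails evaporate
        for ant in list(ants):
            nbrs = [(ant["host"] - 1) % N, (ant["host"] + 1) % N]
            # Movement is random but biased toward stronger trails.
            ant["host"] = rng.choices(nbrs, [1 + trail[n] for n in nbrs])[0]
            host, kind = ant["host"], ant["kind"]
            if METRICS[host][kind] > THRESHOLD[kind]:
                ant["energy"] += 2           # fed for finding evidence
                trail[host] = min(TRAIL_CAP, trail[host] + 1.0)
                evidence[host].add(kind)
                if len(ants) < MAX_ANTS:     # successful agents spawn
                    ants.append({"kind": kind, "host": host, "energy": 5})
            else:
                ant["energy"] -= 1
                alive = Counter(a["kind"] for a in ants)[kind]
                if ant["energy"] <= 0 and alive > RESIDENT:
                    ants.remove(ant)         # starve, but keep residents
    # Raise an alert only where two or more kinds of evidence agree.
    alerts = sorted(h for h, kinds in evidence.items() if len(kinds) >= 2)
    return alerts, Counter(a["kind"] for a in ants)

if __name__ == "__main__":
    print(simulate())
```

Host 2 attracts CPU ants but never raises an alert, because no traffic ant finds anything to feed on there; the resident floor keeps both kinds patrolling even when nothing is found.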

User Comments (1)
 

Cyber Ants? That is so cool...


Gee Factor

- September 29, 2009 @ 08:09 am PDT
