Biology, immunology and information security


available at www.sciencedirect.com

www.compseconline.com/publications/prodinf.htm

Information Security Technical Report 12 (2007) 192–199

Biology, immunology and information security

Mark Burgess

Oslo University College, PO Box 4, St Olavs Plass, 0130 Oslo, Norway

Abstract

Biology has succeeded in solving many computational and communication problems in the natural world, and computer users are ever inspired by its apparently ingenious creativity. Today scientists are building artificial immune systems and discussing autonomic computing, with self-healing, self-anything systems. We discuss the relevance and efficacy of these approaches. Are they better than classical software engineering design?

© 2007 Elsevier Ltd. All rights reserved.

1. Introduction

“Stop, look, divide, go left, go right, go forward. Repeat forever.” This almost ridiculously simple recipe summarizes in pastiche the essence of the program that brought down thousands of Unix machines in 1988, the program that became known as the Internet worm or the Morris worm (Eichin and Rochlis, 1989). It is still a source of wonder to many how something so simple, and so apparently innocent, something no more odious than a recipe for a trip to the supermarket, could succeed in bringing down computers all over the world in a matter of hours. Yet such simple rules are in fact the basis of all living things and processes. So at some level we must intuit that such simple mechanisms, when released into complex environments, can yield extraordinary and even seemingly motivated behaviour. This article will not speak either for or against such an understanding, but rather will examine critically the lessons that biological systems have to offer technologists. It tells of how a growing number of engineers and scientists are drawing inspiration from the world of living things and asks: should we be impressed by this? Should we invest more in these developments, or should we be sceptical of their claims?

2. Biological thinking

The diversity, resilience and adaptability of biological organisms provide ceaseless inspiration to engineers, designers and even futurists, and have done so throughout technological history. The lessons of living organisms have been explored both for “good” and for “evil” purposes, i.e. for both attack and defence in human terminology. From the drawings of Leonardo da Vinci, to the magnificent men with their flying machines, to games of Life (Conway, 1970), computer viruses, artificial immune systems (Perelson and Weisbuch, 1997; Forrest et al., 1997; Somayaji et al., 1997; Burgess, 1998), and even the study of lilies and other rough surfaces for the development of self-cleaning windows and other surfaces: the list of topics is endless. Biology hones and tempers its solutions in diverse environments, and explores everything from simple material technologies to more complex differentiated architectural arrangements, so-called “organisms”. But does it have any principles that we can use or learn from in computer security? In the language of the analogy, software engineers and system designers raise our computer systems in the safe captivity of laboratories before releasing them into the wild of the global Internet. Is it any wonder that they are vulnerable and ill-prepared?

Computer users have come to know certain biologically inspired mechanisms as they have entered common parlance. Nowadays, phenomena like viruses and worms are basic parts of the vocabulary of computer users, “buzz” words like swarm intelligence are on the rise, and increasingly medical associations like “autonomic nervous system” attract the attention of the curious, thanks to clever marketing of industry researchers. The question is: are these allusions to biology signs of an industry that has run out of ideas and is desperately grasping at straws to rekindle interest in its markets, or are there sound philosophical and technological reasons for wanting to emulate nature in this iconophilic way? Let us examine some current examples of biologically inspired technology and try to answer this question with a critical eye.

E-mail address: [email protected]
1363-4127/$ – see front matter © 2007 Elsevier Ltd. All rights reserved. doi:10.1016/j.istr.2007.10.005

3. Biology or economics?

So what is biology? For many technologists biology is recalled from school laboratories as the messy science that has to do with living things. It harks of the unreliable. We know that animals and plants (especially humans) are hard to control. Instead of simply plugging them into the power socket, we have to give biological organisms light, food and water. Moreover they grow and carry all kinds of subsidiary organisms that we don’t want. For those who have grown up in clean shiny laboratories of electrical engineering or computer science, where the prevailing philosophy is to remote control devices, biology seems unruly and over-complex. Yet perhaps there is something in this complexity that gives biological systems their legendary properties of robustness and adaptability.

In information terms, biology is nothing more than a colossal search algorithm, seeking organisms that can fit into an environment and play some role in an ecological network. The criterion for the search is “persistence in situ”, or surviving for as long as possible in their environment. Biological evolution ranks and whittles a phylogenetic tree of variations on mass-replicated themes according to their “economic” success in this market of species-longevity. The variations that cannot make a living or do not persist in their environment die out and are removed from the list. Those that are successful tend to grow in numbers due to the strategy of replication or reproduction. In other words, biology plays the “numbers game”, i.e. it deals with huge numbers of cells, organisms, and can afford to eliminate some knowing that the larger species still has enough to persist. This is essentially a market economy; imagine product species like televisions or computers surviving at the expense of certain stores or brands that do not sell and die out.

The assumption of redundancy of life is a first and basic difference between biology and human technological systems. In biology any individual is expendable. Technology has placed its money on the myth of control and certainty rather than competition and probability. Every computer system we build is assumed to be reliable and valuable; we would not contemplate destroying a few for the good of the whole, nor do we even begin to approach the kinds of numbers that complex biological organisms operate with, hence computer infrastructures cannot afford to lose their component parts.

The second fundamental dichotomy between biology and technology is that biologically created organisms have absolutely no purpose: they were not designed to do anything, rather they accidentally and opportunistically flourish if they find a niche they can occupy, in which they can play a role within a network of other organisms, all sharing and exchanging resources. A biological “technology” thrives in its local environment when it fulfills an opportunity (not a need – one must not fall into the trap of anthropomorphism) that allows it to continue doing its thing (however pointless we deem it to be). Again this is like economics: businesses survive if they find a role to play in the exchange of goods and services. One does not question the importance or validity of a company making frivolous goods if they survive and thrive in their marketplace.

Technology, on the other hand, is designed with a purpose in mind. Humans are tool-builders. We have goals and our tools are usually stepping stones in a grand design. Sometimes we build things that are completely unworthy of survival (like fragile computer systems) and sometimes our inventions are more persistent than we really would like (like computer viruses or older versions of software we would prefer to replace), but this is because our criterion for success is imbued with a plan or purpose that is not necessarily compatible with the economic forces of the environment. Innovations succeed in a market ecology if they feed each other with money rather than nutrients, so as to proliferate in a kind of economic rather than biological reproduction.

Biology and economics are not so different; it is mostly the currencies that differ. So if there is a similarity in phenomena, we have to ask: what is the underlying principle? The concept of a network is crucial to both these examples and to all self-sustaining ecologies. Participants in a network are in a position to communicate or exchange something that is of value to each other, and hence through mutually beneficial symbiosis they persist together. The world wide web is a good example of a phenomenon that was not invented for the purpose it has now grown into. It is now a valuable, self-sustaining entity. It was not envisaged, it simply took off and flourished because it had properties that enabled other pieces of the puzzle to proliferate in concert. So, what does this have to do with security?

4. What is security?

From the opening paragraphs, it ought to be clear that biology and technology bring up a central existential issue: that of semantics or interpretation. Humans bring an essential ingredient to the table that is not present in nature: value judgement. We decide policy, goals, wishes, and what we consider to be either good for us, concurrent with our goals – or what we otherwise consider positive according to fundamentally subjective criteria. There is no such concept in biology: there is no scale of value, only a scale of success. There is no “boss”, no management who makes the decisions, only persistence or disappearance.

Security, however, is an intrinsically subjective concept that has to do with the protection of valuables. It is subjective because the concept of value is itself subjective. Security is easily and often considered together with “safety” (indeed, in the Germanic languages it is often the same word) and is somewhat related to “reliability”. In short, the concept of security itself remains quite unclear; each of us has our own idea of what we mean by it, and the marketplace has its own ideas telling us that security is firewalls, passwords and encryption.

Limited definitions are often the best way to proceed in such a case. In Burgess (2004), for instance, a book that aimed to bring a certain scientific methodology to human–computer description, we find security defined as follows: “Security concerns the possible ways in which a system’s integrity might be compromised, causing it to fail in its intended purpose. In other words, a breach of security is a failure of a system to meet its specifications.” This makes security a kind of reliability towards its goals. Security refers to ‘intended purpose’, so it is immediately clear that it relates directly to a policy, individual judgements or decisions.

We often associate security with ‘attacks’ or ‘criminal activity’ (these are also subjective valuations), but natural disasters or other occurrences could be equally to blame for the damage that breaks systems and leads to loss of value. An attack could be defined as “an attempt to forcefully change the intended behaviour of a system from outside”. The main difference between this and a natural disaster is the possibility of retribution against the attacker.

A loss of integrity can come from a variety of sources, e.g. an internal fault, an accident or a malicious attack on the system. Security is a property that requires the analysis of assumptions that underpin the system, since it is these areas which one tends to disregard and which can be exploited by attackers, or fail for diverse reasons. This can be summed up in a second definition, subtly different from that above: “A secure system is one in which every possible threat has been analyzed and where all the risks have been assessed and accepted as a matter of policy.”

This definition is an eye-opener for many who believe that security is mainly something to do with privacy or encryption, and can be purchased in a box from some suitable company. It is, of course, up to each individual to come up with their own definition of security, and also be clear about its consequences. What is essential to realize is that security is a relative concept, i.e. it is based on a subjective policy, like a blueprint for what we consider desirable.

5. In sickness and in health

Policy is central to security, so let us explore the notion of policy and value judgement further. Amongst the examples of biological inspiration that were discussed during the 1990s, the issue of sickness and health was probably the first to be exploited in computer science directly.

What is sickness? Sickness is basically a human judgement that occurs within the biological framework of an organism that we have observed in a healthy state. It is a value judgement about the assumed state of correctness that we project onto the organism (ourselves for instance). When we say we are sick, we think that we are not performing according to our wishes and expectations. Once again, biology cares nothing for this judgement. Indeed, the causes of sickness are themselves biological, equally valid, and are nothing more than mechanisms that are themselves trying to persist, seeing an opportunity and exploiting it in fair competition. There is no malice behind sickness. The fact that we feel offended by it is because we imprint a sense of value and purpose on the scenario.

So, like security, sickness is a subjective judgement about activity that affects the behaviour of a particular system in its environment. Unlike security, sickness cannot be attributed to any malicious intentions. What is fascinating is that biological organisms (themselves trying to persist) have ratcheted up an arms race between opportunistic pathogens and an immune system of defences that assures the persistence of the host by competitive countermeasure. This automatically polarizes the competition into a conflict of interests. Organisms have immune systems because this facilitates their only real policy, which is persistence. The security analogy is for an organization to develop a security policy that aims to protect its valuables from exploitation by trying to destroy the threats it can recognize.

Sickness occurs in organisms for the following two basic reasons. (i) The functioning of the system is perverted into a new direction that is not compatible with the normal functioning of the organism, i.e. its policy is violated. This usually involves a pathogen, invading organism or virus. (ii) Parasites feed off the organism and either deplete it, destroy it or leave toxins that inhibit the normal functioning.

The analogy between health and a “policy compliant state” seems natural and was extolled in the 1990s in Burgess (1998). It took the general view of an organism as a system, with measurable parameters, which could be observed in a “normal state” and then compared to “anomalous states” for signs of sickness. The analogy of immunological defences, based on the idea of system regulation through feedback, was also proposed, just as the regulation of temperature and other bodily functions keeps us in a healthy functioning state. The subsequent research and implementation of those ideas have largely centred around the software Cfengine from Oslo University College (Burgess, 1993), a set of automatic tools for Unix management, which has acquired widespread popularity as a result.

Even before this general view was proposed, the notion of computer viruses was well-known. The possibility of computer viruses had been discussed in science fiction since the 1970s, with varying degrees of sophistication (Brunner, 1975; Stephenson, 1992). A virus is any mechanism which is able to interface to an existing system and alter its behaviour to replicate further copies of the virus (thereby ensuring its own persistence) so that these can go on to infect similar systems. Harmful viruses often cause damage to the system in the process of their exploitation. Kephart (1994) of IBM first proposed the idea of an immune system approach against computer viruses in the early 1990s that used the idea of signatures to search for malicious code. This became the standard approach to detecting computer viruses.

The idea of an immune system for something called a virus is natural enough. It is always convenient to associate symptoms of sickness in a system with an invader or attacker. Sickness, however, is more general than attack; it is an abnormal state or anomaly in the behaviour of the system that does not comply with policy. It was only when actual immunologists joined forces with computer scientist Stephanie Forrest and her team at the University of New Mexico that a more sophisticated idea of a computer immune system was developed (Farmer et al., 1986; Forrest et al., 1997; Somayaji et al., 1997). Forrest’s group was less interested in the general idea of healthy or not healthy and more interested in the detection of abnormal behaviour as a result of external influence. They generalized the idea of an attack and developed a fully digital view of anomaly detection and regulation, based on the immunological idea of distinguishing “self” and “non-self”.

It should be explained that before the 1990s the unchallenged view of the immune system was that our bodies learn to distinguish what is part of us and what is foreign, and that our bodies then attack anything that is foreign. See Burgess (1998), Aickelin and Cayzer (2002), Dasgupta and Forrest (1998) and Dasgupta (1998) for various reviews of the basic mechanisms of the immune system. This distinction between “self” and “non-self” was presumed to be learned before birth through a process called tolerization. In other words, exposure to self allowed the body to eliminate cells that would attack our own cells early in life. The remaining cells would then attack anything else. This presumed mechanism became increasingly controversial culminating in fervent discussion in the 1990s. Our bodies contain many foreign organisms that help us to function, e.g. bacteria in our gut. These do not make us sick. Indeed, they provide a symbiotic benefit. The immune system does not attack sperm cells or babies that are foreign to their mothers. So are all foreigners attackers?

In the mid-1990s, immunologist Polly Matzinger of the National Institutes of Health in Bethesda put forward a new interpretation of immunology called the Danger Model (Matzinger, 1994) which took a different view. Although it was clear that the body can distinguish self from non-self to some extent, this, she claimed, was not the policy criterion for raising an alarm. Rather, there was an additional signal released when the damage was caused by an invader that alerted the countermeasures of the immune system (a complex ensemble of cells involving almost every part of the body) to the danger. This danger model made considerable sense from a computational viewpoint and was embraced by several authors (Burgess, 1998; Aickelin and Cayzer, 2002; Williamsen, 2000), including leading researchers from Hewlett Packard, to explore this approach to building protective systems for computers.

While both views leave a lot of questions unanswered, the self/non-self paradigm has obvious problems of implementation in computational terms. In the language of computer science, this process of tolerization amounts to a matter of “supervised learning”, i.e. a computational device undergoes a period of training during which it learns what is valid and invalid according to its model. The problem with this view came to a head when it was shown that the mammalian immune system could mount a successful response to artificially generated antigens, belonging to no virus that has ever existed in the history of the universe. This suggests that the repertoire of the immune system is more or less infinite, which in turn suggests that no finite period of training would easily succeed in immunising a body against itself. Why should the pattern of sheltered behaviour in the womb be a guide for the rest of life?

A more computationally defensible scenario is that there must be some additional criterion for instigating a response. The detection of harmful behaviour is an obvious signal for instigating countermeasures, and one can easily argue this even for biology. Indeed, Matzinger argued that evolution would naturally select an immune system that responded to danger rather than arbitrary labels. Hence the (still controversial) danger model is based on “danger signals”, or the detection of physical damage.

In spite of this controversy Forrest and coworkers managed to show that some computational mechanisms can be based on unsupervised learning. For example, the GNU/Linux kernel patch “pH” written by Somayaji and Forrest (2000) used an immunological approach to detecting changes in actual behaviour. The idea was to view the sequences of system calls executed by the kernel as recognition profiles, rather like the peptide markers used to recognize cells. After a period of supervised learning (or tolerization) the system could be left to run. If unknown sequences suddenly appeared, indicating new behaviour, the kernel began to delay the offending process as a deterrent to the presumed hackers responsible. If the behaviour was in fact benign, only a delay would be incurred, but if it were malevolent, the hackers would presumably get bored and move on.

There are two comments to make here: the mechanism would delay valid use also, causing much annoyance to users so the approach would only work effectively in very predictable scenarios; also, the mechanism, while inspired by biology, works in the opposite way to the immune system. Rather than eliminating self and remembering the rest, it remembers self, in a complementary fashion.
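
The mechanism described in the two paragraphs above, as an added Python example (it is not the pH patch and not code from the article or from Somayaji and Forrest): a profile of system-call windows is remembered during training, and unknown windows afterwards slow the process down. The window length, locality frame, delay rule and all traces are assumptions constructed for the illustration.

```python
from collections import deque

# All parameters below are assumptions chosen for the illustration.
WINDOW = 3           # system calls per recognition window
LOCALITY = 8         # how many recent windows count towards the response
BASE_DELAY_MS = 10   # delay unit; doubled for each recent unknown window
MAX_DOUBLINGS = 10   # cap so a noisy process is slowed, not frozen

# Constructed traces standing in for the calls a small file-serving
# process makes during the training period.
NORMAL_RUNS = [
    ["open", "fstat", "read", "write", "close"] * 3,
    ["open", "fstat", "read", "read", "write", "close"] * 2,
]


def windows(trace, n=WINDOW):
    """Yield every contiguous n-call window of a trace."""
    for i in range(len(trace) - n + 1):
        yield tuple(trace[i:i + n])


def learn_profile(traces, n=WINDOW):
    """Training phase: remember every window seen in normal operation."""
    profile = set()
    for trace in traces:
        profile.update(windows(trace, n))
    return profile


def monitor(trace, profile, n=WINDOW, locality=LOCALITY):
    """Replay a trace against the profile and compute the delay response.

    Returns the number of unknown windows and the delay (ms) imposed at
    each window: BASE_DELAY_MS * 2**k, where k is the number of unknown
    windows among the last `locality` windows (0 ms when k is 0).
    """
    recent = deque(maxlen=locality)
    delays = []
    anomalies = 0
    for w in windows(trace, n):
        unknown = w not in profile
        anomalies += unknown
        recent.append(unknown)
        k = min(sum(recent), MAX_DOUBLINGS)
        delays.append(BASE_DELAY_MS * 2 ** k if k else 0)
    return {"anomalies": anomalies, "delays_ms": delays,
            "total_delay_ms": sum(delays)}


PROFILE = learn_profile(NORMAL_RUNS)

# Constructed test traces.
SEEN_BEFORE = ["open", "fstat", "read", "write", "close",
               "open", "fstat", "read", "read", "write", "close"]
# Behaviour never seen in training: the process starts a program and
# opens a network connection in the middle of serving a file.
UNEXPECTED = ["open", "fstat", "read", "execve", "socket", "connect",
              "write", "close"]
# A legitimate change (mmap instead of read) followed by two old-style
# requests: flagged just the same, then the delay decays back to zero.
BENIGN_CHANGE = (["open", "fstat", "mmap", "write", "close"]
                 + ["open", "fstat", "read", "write", "close"] * 2)

if __name__ == "__main__":
    for name, trace in [("seen before", SEEN_BEFORE),
                        ("unexpected", UNEXPECTED),
                        ("benign change", BENIGN_CHANGE)]:
        r = monitor(trace, PROFILE)
        print(f"{name:14s} anomalies={r['anomalies']} "
              f"total_delay_ms={r['total_delay_ms']} delays={r['delays_ms']}")
```

The third trace shows the first of the two comments in practice: a legitimate change in behaviour is slowed exactly as an intrusion would be, until its unknown windows age out of the locality frame.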

Several of the mechanisms developed by Forrest’s group worked well during tests, but have not been used widely because they turned out to be highly sensitive and intrusive to actual computer operations in practice. Humans, it turns out, value their freedom often more than their security. As security experts know, this is a constant dilemma, a basic conflict of interests that biology does not have to deal with.

In all of this, we really end up no closer to an answer to the basic questions: how do we define the security of a computer system and can biology help us to understand it? Is it possible to protect against threats? What is a threat? These issues remain fundamentally subjective, and for all the guidelines thrust upon businesses and organizations from standardization bodies (BS/ISO, 2000), the difference between reliability with respect to an operating policy and security is far from clear. It is not enough for our computer systems to survive; they must also carry out their purpose. The lessons of evolutionary biology suggest that a purpose incompatible with its environment should be changed or adapted, but humans are not so mercenary. We would rather fight back or outwit our oppressors.

6. Intrusion detection

It has often been assumed that viruses and harmful organisms arrive from outside an organism or system and that a successful strategy for protecting against the perversion of a system therefore involves preventing the arrival of potentially harmful packages. In biological organisms the skin is the organ which prevents our bodies from being exploited by such opportunism from outside. Do all threats occur from outside the body, or from outside computer systems? Today we know that this is not true in biology: auto-immune diseases, rheumatism, phantom pain and cancer are all examples of a body defying our own wishes and expectations for its performance from within. In security, we know that the insider problem is often the most pernicious and unexpected illness for an organization. Occasionally cancers and diseases are triggered by interactions with the outside, such as radiation, injury, or consumption of toxins, but genetic illnesses illustrate clearly that latent features of any system can lead to behaviour that is not part of our human plan.

Notwithstanding the ability of programs to go haywire even without outside interference, the threat from outside a system is always significant simply because the outside is much bigger than the inside, and the probability of an external trigger is correspondingly greater. It is well-known, for instance, that burn victims who lost large parts of their skin used to be essentially condemned to death before the technique of skin grafting was perfected and antibiotics were invented. The skin can never be a perfect barrier to danger, however: it must have holes in it to allow for input and output. So while the skin acts as a kind of “firewall” for the body, that firewall cannot be a perfect barrier from harm if the system it protects is not to be smothered and completely isolated. The same is true for computers.

Is there anything more to learn from biology than these platitudes, anything about protection by barriers like firewalls? This is a particularly interesting question as it illustrates the kind of way one can be duped into a false sense of security by misplaced trust in analogies.

Skin is composed of fatty acids in which bacteria and viruses cannot easily survive, and other barriers like exoskeletons provide a physically impenetrable barrier to pathogens. In this respect, a firewall packet filter behaves more like an exoskeleton or reptilian skin than human skin. For an animal, the mouth and nose provide a controlled entry-way from outside to inside, as do the female sexual organs. Both entry-ways present quite hostile environments to anything entering. The strategy in sex is to try to kill off as many sperm or other intruders as possible by presenting a generally acidic environment. This is a best effort, blind attack on incoming matter. The airways lead to either the lungs (which are coated in a mucus layer to trap organisms that are then coughed up to remove the detritus) or to the stomach which is highly acidic. After passing through the stomach to the gut, food matter or other intruders are broken down into basic amino acids by this mixture. Proteins that might lead to harmful behaviour are essentially pulverized beyond recognition. Little or none of their information remains intact to carry harmful activity into the system. In the human body, only about one in 10^12 proteins actually makes it through this barrier into the body to be dealt with by internal immune mechanisms, giving it pretty good odds for a sheltered existence from potentially perverting pathogens. Note, however, that in spite of these odds we still need doctors when things go wrong, just in case we were under the illusion that security could be completely automated.

In information systems, we have long realized that eradicating all of the information in arriving network packets is not a viable strategy, but a selective warning about packets that look suspicious has been the approach used by intrusion detection systems, as first proposed by Denning (1987) (Ranum et al., 1997; Hofmeyr et al., 1998; Sekar et al., 1999). Intrusion detection falls into two categories: host-based and network-based. Host-based systems work not unlike the immune cells patrolling our bodies (Burgess, 1998), seeking out files and processes that do not fit with our policy for what is acceptable. Network intrusion detection involves funnelling traffic through a bottleneck and examining every packet at high speed. While this seemed plausible 10 years ago, the data rates in present day systems test current technology to the limit and increasingly require approximations such as netflow rather than packet analysis. A lazy evaluation approach to detection has been proposed in Burgess (2006), which to some extent models the way in which the immune system looks first for innate and general signs of illness, and only later activates more specific targeted searches for counter-policy pathogens.
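
The two-stage idea above, sketched as an added example (not code from the article, and not the algorithm of Burgess (2006)): a cheap per-source packet count, standing in for flow records, decides which sources get the expensive payload search. The baseline, addresses, patterns and function names are constructed for illustration.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed history: packets per time window previously seen from each source.
BASELINE = {"10.0.0.5": [12, 9, 11, 10, 13], "10.0.0.7": [3, 4, 2, 3, 3]}
# Constructed counter-policy byte patterns for the specific stage.
PATTERNS = (b"../", b"cmd.exe")


def innate_stage(window, baseline, k=3.0):
    """Cheap and general: flag sources that are unknown or unusually busy."""
    suspects = set()
    for src, n in Counter(src for src, _ in window).items():
        history = baseline.get(src)
        if history is None:
            suspects.add(src)  # never seen before: no notion of normal
        elif n > mean(history) + k * max(pstdev(history), 1.0):
            suspects.add(src)  # rate far above this source's own norm
    return suspects


def specific_stage(window, sources, patterns):
    """Expensive and targeted: search payloads, but only for the given sources."""
    alerts, inspected = [], 0
    for src, payload in window:
        if src not in sources:
            continue
        inspected += 1
        alerts += [(src, p) for p in patterns if p in payload]
    return alerts, inspected


def lazy_detect(window, baseline=BASELINE, patterns=PATTERNS):
    """Run the cheap stage first, then the payload search on suspects only."""
    suspects = innate_stage(window, baseline)
    alerts, inspected = specific_stage(window, suspects, patterns)
    # Reference run over every source, to expose what the shortcut does not see.
    full_alerts, _ = specific_stage(window, {s for s, _ in window}, patterns)
    return {
        "suspects": sorted(suspects),
        "alerts": alerts,
        "inspected": inspected,
        "total": len(window),
        "missed": len(full_alerts) - len(alerts),
    }


def constructed_window():
    """One constructed time window of (source, payload) pairs."""
    w = [("10.0.0.5", b"GET /index.html")] * 10
    w.append(("10.0.0.5", b"GET /scripts/cmd.exe"))  # normal rate: stage 1 stays quiet
    w += [("10.0.0.7", b"GET /a")] * 38
    w += [("10.0.0.7", b"GET /../../etc/passwd")] * 2  # burst well above its baseline
    w.append(("192.0.2.9", b"GET /"))  # unknown source
    return w


if __name__ == "__main__":
    print(lazy_detect(constructed_window()))
```

In the constructed window the second stage reads 41 of 52 payloads and misses the one match sent at a normal rate, which is the price of the approximation.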

Although nature has its answer to these problems, it would be a stretch to claim that intrusion detection systems were biologically inspired (the exceptions are those already mentioned in Somayaji and Forrest, 2000; Hofmeyr et al., 1998; Warrender et al., 1999). Nature relies mainly on prevention by pulverization and post-infection detection. There is an exception here also, however. The so-called Peyer’s patches in the gut apparently allow controlled amounts of antigen materials inside the body where they are examined by the immune system. This provides a kind of forewarning about possible threats that might have made it through the defences. There is a passing resemblance between this idea and the packet inspection in the de-militarized zone (DMZ) of a network, as performed by network intrusion detection systems and now often referred to as a honeypot. However, the resemblance is superficial and this is where the firewall analogy begins to break down.

Our computer systems exist to communicate. Pulverizing or burning every incoming packet is not an option for an organization because it is the content that is interesting. Computer communication is more like sex than it is like eating, as precise information has to be carried into the interior of the system in order to allow the functioning of the system. Information has to be transmitted reliably. The principles of regulation in Burgess (1998) and of detection in Forrest et al. (1997) and Somayaji and Forrest (2000) have provided the most convincing applications of the immunologically inspired reaction, based on underlying principles rather than mimicry. These systems are in use.

7. Reactive behaviour: stimulus response and autonomics

A quick search of the literature for definitions of life characteristics yields a few themes amidst much healthy debate. They can be condensed to the following.

• The ability to regulate internal state, e.g. temperature.

• An ability to metabolize or utilise energy from the environment.

• The ability to adapt to changes in the environment.

• The ability to respond to stimuli.

• The ability to reproduce.

The first thing to notice about this is that the definition of life refers explicitly to the environment. This immediately distinguishes life from computer science which almost never discusses the interaction of systems with an environment; this, in spite of the fact that it is the environment that is of crucial importance to understanding the reliability and security of systems. An early exception was Shannon’s insightful theory of communication (Shannon and Weaver, 1949), what is now referred to as information theory. Shannon highlighted the importance of the environment as a bringer of “noise” or unexpected changes to a system, and he proved quite importantly that all systems could be made to survive as long as they employed error correction, or what we today might call maintenance (Burgess, 2003).

The last of the above criteria was proposed by von Neumann (1948) as a basic necessity for life. Today we might regard this as a basic necessity of evolution, but not necessarily of life itself (Dawkins, 1990). It is through the process of duplication that biology can play the “numbers game” of trial and error.

Perhaps the most important and basic behaviour in this list, exhibited by living systems, is the stimulus response or reactivity of life. This is a fundamental requirement for communication between entities and also for feedback (communication with self). Reactivity also underlies the ability to respond to changes in the environment, to flinch at danger and adapt to render it harmless.

Computer systems have long been regarded as machines to be controlled by users, not machines to react to their environment. However, the manifesto of the 1990s (Burgess, 1998; Somayaji and Forrest, 2000) and recently IBM’s autonomic initiative (Kephart and Chess, 2003) make it clear that users are not needed for many tasks and that Shannon’s model of error correction or maintenance can easily be applied to computer systems with basic operating policies. If we view the policy of a computer as a message to be transmitted into the future then errors, faults, damage, intrusions, infections, etc., all appear to be simply faults to be corrected. The immune system is nothing more than an error correction algorithm operating within a particular kind of mechanism. Since biology is a rather elaborate playground of mechanisms, the immune system has to be elaborate. However, in a simple digital framework, Shannon showed that simple coding schemes were sufficient to maintain policy.

What is fundamental to error correction is the need for a system to examine itself. It requires sensors to monitor its own state and these sensors have to be connected through feedback to repair mechanisms that can maintain that state. Much has been written on this topic in connection with Cfengine (Burgess, 1993), in which a lot of research into these issues has been invested. It is curious that management models, old and new, and even many management products keep monitoring entirely separate from change management (ITU-T, 1993; Office of Government Commerce, 2000; TM forum, 2005). Computer systems have to integrate monitoring with change to allow error correction. If we can define changes that are contrary to policy (call it either management policy or security policy) to be errors and introduce a generic maintenance scheme, then we approach a simple mechanistic view to security that is automatable.
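
The sensor, feedback and repair loop described above, as an added example (not Cfengine code and not from the article): any departure from a declared policy is treated as an error and corrected, then re-checked. The policy entries, file names and function names are hypothetical, and POSIX file modes are assumed.

```python
import hashlib
import os
import stat
import tempfile

# Hypothetical policy for this example: relative path -> required mode and content.
# content=None means only existence and mode are governed.
POLICY = {
    "etc/motd": {"mode": 0o644, "content": b"Authorised use only\n"},
    "etc/secrets.sample": {"mode": 0o600, "content": None},
}

def sense(root, policy):
    """Sensor: list every (path, attribute, observed, wanted) deviation from policy."""
    found = []
    for rel, want in policy.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            found.append((rel, "exists", False, True))
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode != want["mode"]:
            found.append((rel, "mode", oct(mode), oct(want["mode"])))
        if want["content"] is not None:
            with open(path, "rb") as fh:
                seen = hashlib.sha256(fh.read()).hexdigest()
            good = hashlib.sha256(want["content"]).hexdigest()
            if seen != good:
                found.append((rel, "content", seen[:12], good[:12]))
    return found

def repair(root, policy, deviations):
    """Repair: rewrite only the objects the sensor reported, back to policy."""
    for rel in sorted({d[0] for d in deviations}):
        want, path = policy[rel], os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        if want["content"] is not None:
            with open(path, "wb") as fh:
                fh.write(want["content"])
        elif not os.path.exists(path):
            open(path, "wb").close()
        os.chmod(path, want["mode"])

def converge(root, policy, max_rounds=3):
    """Feedback loop: sense, repair, sense again. Returns deviations seen per round."""
    rounds = []
    for _ in range(max_rounds):
        deviations = sense(root, policy)
        rounds.append(deviations)
        if not deviations:
            break
        repair(root, policy, deviations)
    return rounds

def demo():
    """Constructed drift: a tampered, world-writable motd and a missing second file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        motd = os.path.join(root, "etc", "motd")
        with open(motd, "wb") as fh:
            fh.write(b"tampered\n")
        os.chmod(motd, 0o666)
        first = converge(root, POLICY)   # drift detected, repaired, then verified clean
        second = converge(root, POLICY)  # already compliant: nothing to do
        return first, second

if __name__ == "__main__":
    for run in demo():
        print(run)
```

The second run reports no deviations and changes nothing, which is what makes such a loop safe to repeat on a schedule.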

So is the answer to management or security to create living computers? Cfengine, for instance, satisfies all of the criteria, including the ability to reproduce, in a special sense. However, the suggestion that this software is alive would be more than a little ridiculous. Yet if one adds a layer of machine virtualization to the environment in which Cfengine operates, the notion of reproduction and resource consumption becomes less ridiculous and one could entertain the idea of living herds of computers in an entirely reasonable way. We must remember the basic dichotomy between biology and technology. Biology has no purpose other than to persist; it does this by reproducing, and a side effect of this effort is that it gradually mutates and evolves to persist even better. Computers should not behave like this: we decide their purpose and use the idea of immunity and autonomic regulation to make them persist in that role. If our decision is ill-advised then we are responsible, but that is the price we pay for having a purpose. The role for automation and adaptability has to be grounded in a fixed policy. In some sense, biology’s policy is to continue without principle or conscience. In the human realm, security must obey economic rules and sociological rules of interaction.

8. Swarms, teams and autonomic organizations

One of the impressive features of biology is its distributed nature. Biology has embraced networking using all manner of signals, chemical, auditory, and visual, and it builds collectives of interacting units in a way that distributed computing technologists would envy. Apart from the brain and nervous system, there are few centralized systems in biology. Biology’s strategy is rather to build swarms, herds and other multiplicities that coordinate their actions through communication. Computers have evolved the other way around. Most computer systems are built in monolithic centralized architectures and only recently have we seen any serious exploration of peer-to-peer methods or swarm-like behaviour.

The concept of a swarm has captured the imagination of many authors, for engineering solutions, technologies and algorithms within distributed systems (Bonabeau et al., 1999). Swarm-inspired methods are often associated with multi-agent systems (Wooldridge, 2002), and ant-inspired routing algorithms are perhaps the best known example of computing mechanisms that claim such inspiration (Di Caro and Dorigo, 1998). The traditional approach in swarm engineering (or swarm intelligence) is to design and create a ‘population’ of agents or robots that are all configured with a specific goal or policy. The ultimate characteristic of a swarm is that it must exhibit some resultant behaviour collectively that is not evident in the behaviours of the individual agents. For instance, flocks of birds form co-moving formations, ants form food distribution networks and build nests. Ant-inspired algorithms for routing have proven effective, but these mechanisms are not immune to criticism that biological inspiration plays a rather minor and somewhat artificial role in the actual implementation.

Swarms, flocks, shoals and herds are presumed to form in nature as a survival mechanism. By forming a localized structure with a boundary the individual organisms minimize their risk of exposure to the environment. Thus, from a security perspective, what one learns from swarms is to minimize one’s visibility by limiting contact to a few representatives. These need not be fixed, as in a firewall architecture, but they should be few. Indeed, the ability of the swarm to respond and adapt to dangerous situations is enhanced by the ability of the individuals to change places and assume different roles. The problem of minimizing risk is made easier by this interchangeability of parts, and by the redundancy of individuals. “All you fish with the shields, stay on the outside!” would not work as well.

Once again we should be careful with the analogy. Biology adopts this strategy knowing that it could lose some individuals so that the herd will persist. We are usually less willing to sacrifice parts of a computing system. However, in terms of service level security there is a natural analogy with the use of multiple redundant servers in the data centre. If a single server is compromised somehow, it can be killed off to be reborn or replaced later.

Autonomic computing takes a middle road between centralization and distribution or swarming. The architecture of Cfengine, for example, is to make every single computer individually responsible for its own internals (just like cells). However, the cellular hosts are bound together by a centralized policy, which can respond and adapt to local conditions. Similarly one can only make decisions about observed properties of the whole ensemble by collecting it into one place where it can be collated and modelled. Thus, rather than complete centralization or complete de-centralization, one uses the approach that is best for the job.

In this we can look to biology’s long search and see what evolution has come up with: every possible variation from slime moulds that are loose associations of single-celled organisms that coalesce by chemical messages under duress, to mammals which begin as a swarm of stem cells that later differentiate, specialize and form multi-level cooperative structures in a “divide and conquer” strategy. Centralized brains and de-centralized organs interacting in a service-oriented way have provided a successful model for the most adaptive lifeforms on the planet. The autonomic nervous system monitors organisms and provides coordinated flinch response to danger for the entire organism; this cannot be instigated efficiently on a cell-by-cell basis (although the slime mould makes an impressive effort). Sometimes being a single monolithic system is a disadvantage (“You, soldier! Surround that house!”), and the ability to work in a more loosely coupled way would help. We still have much to learn about the design of organisms and computing infrastructures.

Current research into autonomic computing (Hofig et al., 2006; Agoulmine et al., 2006; van der Meer et al., 2006) does not always strike the balance in a rational way. It often bears a strong flavour of the software engineering tradition of monolithic centralized architecture, while Cfengine has taken the exact opposite approach, starting with complete de-centralization and paying only lip service to collective monitoring. The kind of control mentality that computing engenders is hard to pass up, but it is clearly needed for coordinated effort. Yet there is also much to be gained from de-centralization. Biology shows us that we do not have to see everything directly to be able to feel safe. The brain does not need to know that we have lost a few hairs or skin cells if these things are expendable. It can focus on whether major organs are damaged or if there is a systemic fault or disease.

9. Summary

Biological analogy has permeated all branches of technological innovation throughout history. This brief review can only scratch the surface. It is entirely natural that we would be amazed by the result of evolution’s billion-year spree of creative whittling, but we need to be cautious when allowing ourselves to be seduced by its apparent genius. Inspiration is always an important catalyst to the creative enterprise, but “cool ideas” do not necessarily make for good science or engineering.

Two possibilities occur: (i) we look to these systems because they are familiar and they survive more damning attacks than anyone has so far been capable of launching by computer; (ii) we are so starved of ideas in computer science itself that we are clutching at straws. In a sense, biology and security make strange bedfellows. Biology’s “live and let die” methods are in stark contrast to security’s “protect at all costs” way of thinking.

As one of the originators of the biologically inspired system idea I have changed tack somewhat. What computer science needs is a simple way of understanding behaviour. I now believe that biology’s inherent complexity is the wrong starting place to win ground in understanding. To use the analogy, we must first understand the raw elements of computing and then simple molecules and chemicals, and then the bulk materials before entertaining all of the complexities of life. A new manifesto based on Promise Theory is now trying to do this (Burgess).

The point is simple: it is inspiration itself that is valuable to us, no matter where it comes from. Biology has a head start of billions of years, meaning that it has plenty of examples to study. But when it comes down to it, we must understand the principles behind the analogies to see why the solutions were effective within their particular domain. No one would suggest feathers for spaceflight.

Acknowledgement

This work is supported by the EC IST-EMANICS Network of Excellence (#26854).

References

Aickelin U, Cayzer S. The danger theory and its application to artificial immune systems, 2002.

Agoulmine N, Balasubramaniam S, Botvich D, Strassner J, Lehtihet E, Donnelly W, et al. Challenges for autonomic network management. In: Proceedings of the first IEEE international workshop on modelling autonomic communications environments (MACE). Multicon verlag, ISBN 3-930736-05-5; 2006. p. 9–28.

Bonabeau E, Dorigo M, Theraulaz G. Swarm intelligence: from natural to artificial systems. Oxford: Oxford University Press; 1999.


Brunner John. The shockwave rider. New York: Del Rey; 1975.

Burgess M. Cfengine, <http://www.cfengine.org>; 1993.

Burgess M. Computer immunology. In: Proceedings of the twelfth systems administration conference (LISA XII). Berkeley, CA: USENIX Association; 1998. p. 283.

Burgess M. On the theory of system administration. Science of Computer Programming 2003;49:1.

Burgess M. Analytical network and system administration – managing human–computer systems. Chichester: J. Wiley & Sons; 2004.

Burgess M. Probabilistic anomaly detection in distributed computer networks. Science of Computer Programming 2006;60(1):1–26.

Burgess M. Promise you a rose garden, <http://research.iu.hio.no/papers/rosegarden.pdf>.

British Standard/International Standard Organization. BS/ISO17799 Information technology – code of practice for information security management; 2000.

Conway JH. Life, mathematical games. Scientific American 1970.

Dasgupta D, editor. Artificial immune systems and their applications. Berlin: Springer Verlag; 1998.

Dasgupta D, Forrest S. An anomaly detection algorithm inspired by the immune system. In: Artificial immune systems and their applications; 1998. p. 262.

Dawkins R. The extended phenotype. Oxford: Oxford University Press; 1990.

Denning D. An intrusion detection model. IEEE Transactions on Software Engineering 1987;13:222.

Di Caro G, Dorigo M. Antnet: distributed stigmergetic control for communications networks. Journal of Artificial Intelligence Research 1998;9:317–65.

Eichin MW, Rochlis JA. With microscope and tweezer: an analysis of the Internet worm. In: Proceedings of 1989 IEEE Computer Society symposium on security and privacy; 1989. p. 326.

Forrest S, Hofmeyr S, Somayaji A. Communications of the ACM 1997;40:88.

Farmer JD, Packard NH, Perelson AS. The immune system, adaptation, and machine learning. Physica D 1986;2(1–3):187–204.

Hofig E, Wust B, Benko BK, Mannella A, Mamei M, Nitto ED, et al. On concepts for autonomic communication elements. In: Proceedings of the first IEEE international workshop on modelling autonomic communications environments (MACE). Multicon verlag, ISBN 3-930736-05-5; 2006. p. 49–59.

Hofmeyr SA, Somayaji A, Forrest S. Intrusion detection using sequences of system calls. Journal of Computer Security 1998;6:151–80.

ITU-T. Open systems interconnection – the directory: overview of concepts, models and service. Recommendation X.500. Geneva: International Telecommunications Union; 1993.

Kephart JO. A biologically inspired immune system for computers. In: Proceedings of the fourth international workshop on the synthesis and simulation of living systems. Cambridge, MA: MIT Press; 1994. p. 130.

Kephart JO, Chess DM. The vision of autonomic computing. Technical report. IBM Research; 2003. <www.research.ibm.com/autonomic/research/papers/AC_Vision_Computer_Jan_2003.pdf>.

Matzinger P. Tolerance, danger and the extended family. Annual Review of Immunology 1994;12:991.

van der Meer S, Donnelly W, Strassner J, Jennings B, O Foghlu M. Emerging principles of autonomic network management. Challenges for autonomic network management. In: Proceedings of the first IEEE international workshop on modelling autonomic communications environments (MACE). Multicon verlag, ISBN 3-930736-05-5; 2006. p. 29–47.

von Neumann J. The general and logical theory of automata. Reprinted in vol. 5 of his Collected Works. Oxford, Pergamon; 1948.

Office of Government Commerce, editor. Best practice for service support. ITTL: the key to managing IT services. London: The Stationary Office; 2000.

Perelson AS, Weisbuch G. Immunology for physicists. Reviews of Modern Physics 1997;69:1219.

Ranum MJ, Landfield K, Stolarchuk M, Sienkiewicz M, Lambeth A, Wall E. Implementing a generalized tool for network monitoring. In: Proceedings of the eleventh systems administration conference (LISA XI). Berkeley, CA: USENIX Association; 1997. p. 1.

Sekar R, Bowen T, Segal M. On preventing intrusions by process behaviour monitoring. In: Proceedings of the workshop on intrusion detection and network monitoring. USENIX; 1999.

Somayaji A, Forrest S. Automated response using system-call delays. In: Proceedings of the ninth USENIX security symposium; 2000. p. 185.

Somayaji A, Hofmeyr S, Forrest S. Principles of a computer immune system. In: New security paradigms workshop. ACM; September 1997. p. 75–82.

Stephenson Neil. Snow crash. New York: Bantam; 1992.

Shannon CE, Weaver W. The mathematical theory of communication. Urbana: University of Illinois Press; 1949.

TM forum, <http://www.tmforum.org>; 2005.

Warrender C, Forrest S, Pearlmutter B. Detecting intrusions using system calls: alternative data models. In: Submitted to the 1999 IEEE symposium on security and privacy; 1999.

Williamsen M. Biologically inspired approaches to computer security. HP Labs Technical Reports HPL-2002-131. Available from: <http://www.hpl.hp.com/techreports/2002/HPL-2002-131.html>; 2000.

Wooldridge M. An introduction to multiagent systems. Chichester: Wiley; 2002.