Virus and Digital Ecosystem

"...The boss of a senior hexagon found a code as confusing as the others, but one that had two almost homogenous lines. He showed his discovery to an itinerant decoder, who told him they were drafted in a Babylonian code. Others told him they were drafted in Yiddish. Centuries later a voice was heard from beyond: "No, don't do it like that. When you deal with limits, as with many other subjects, so it can work for us it must be understood. We must delve into it, we must penetrate its deepest meanings..."

(Anonymous)

In the mid 70's, Richard Dawkins wrote an exciting book, The Selfish Gene. In his book he arrived at a biologically objective conclusion: "We are survival machines, robot vehicles blindly programmed to preserve the selfish genes we harbor in our cells."

We find ourselves at the threshold of the post-macrovirus era. The macrovirus birth rate is higher, and their diffusion therefore faster, than that of traditional file viruses, because what users exchange is not computer programs but documents and other data files capable of holding macroviruses.

The complex e-mail and file transfer functions now available enable users to share documents and programs faster and easier than previously possible, a capability that worsens the problem.
Digital ecosystem

Macroviruses are the first viruses to exploit the growing trend toward cross-functionality among computers. For example, a virus infecting a DOS file will never be a danger to a Mac, but a macrovirus can infect any computer with vulnerable resident software.

Current viruses usually spread from one computer to another through a manual and deliberate exchange of programs. Human response time is usually up to the task when it comes to their treatment.

In a typical case, a new virus takes months and even years to colonize successfully. But in the very near future, with a high interconnection density, viruses could spread much faster. Already in 1988 Robert Tappan Morris launched the so-called Internet Worm, a program that exploited the security gaps and invaded hundreds of computers throughout the world in less than one day.

The new techniques for the silent loading of data and software on a user's computer (such as Web browsers that use components like ActiveX) turn this into an even more urgent problem. Modern e-mail programs already make it very simple to send text documents or spreadsheets as e-mail attachments. Opening an attachment can launch the associated application, which may result in the execution of any macrovirus contained in the attachment.

There are now programs, called cyber-agents, which can automatically authorize sending and opening e-mails with their corresponding attachments. If a user does not have to intervene in their reproduction cycle, viruses will surely be free to spread at a rate that will be higher than the present one by several orders of magnitude.

These changes in the digital ecosystem suggest there is a need to respond to viruses in a manner that is both automatic and drastic, without the limits imposed by human reaction time or by the time it may take experts to dissect a new virus.


PETRI NET

A feasible solution, which could be applied in the near term, would be the use of a cyberspace immune system based on the concept of Petri Nets. Just like a vertebrate's immune system makes cells capable of fighting off new pathogenic agents a few days after being exposed to them, the computer's immune system develops, in a matter of minutes, instructions to recognize and suppress new computer viruses. In a current prototype (see graphic), several PCs executing the antivirus program are connected through a network to a central computer that analyzes the viruses.

Each PC has monitoring software that uses various heuristics based on the system's behavior, suspicious changes to software and/or familiar patterns to infer the possible presence of a virus. This program makes a copy of every program suspected of being infected and sends the copies through the network to the virus analyzing computer. Upon receiving an allegedly infected sample, the computer sends it to another computer which acts as a digital Petri dish.

This test device attracts the virus so it can infect programs especially designed as "decoys". This is achieved by any execution, writing or handling of such decoy programs. If there is to be a successful and extensive viral infection, the virus must infect programs that are used often, and then the decoy will attract the viral code out of its hiding place. During this phase other traits of the virus' behavior may be discovered.

In the next step, all infected decoys can be analyzed by other components of the immune system. The components will extract the patterns and compose repairs to confirm and eliminate the viruses. The virus analyzer usually takes less than five minutes to compose the repair programs from an infected sample. The analyzer will return this information to the infected client PC, which will enter it into a permanent database of known viral remedies. The PC is then ordered to locate and eliminate the virus wherever and whenever it turns up, and it is thus permanently protected from future infections.

If the PC is connected to other computers through a LAN, it is very likely that the virus has already infected several of them. In the prototype based on a Petri Net, the new repair program is sent automatically to nearby devices in the network, and each device immediately performs a self-check. Since computer viruses can take advantage of a network to multiply quickly, it seems appropriate that the antidote should follow a similar strategy to spread to those computers that need it.
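The pattern-extraction step described above can be sketched as follows. This is an added example, not code from the article or from the prototype it describes: it assumes the sample makes one contiguous modification to each decoy, and `MARKER`, the decoy contents and the file names are constructed, inert stand-ins.

```python
def added_region(clean: bytes, exposed: bytes) -> bytes:
    """Bytes in the exposed decoy that the clean copy lacks, found by trimming
    the common prefix and suffix (assumes one contiguous modification)."""
    limit = min(len(clean), len(exposed))
    pre = 0
    while pre < limit and clean[pre] == exposed[pre]:
        pre += 1
    suf = 0
    while suf < limit - pre and clean[-1 - suf] == exposed[-1 - suf]:
        suf += 1
    return exposed[pre:len(exposed) - suf]


def longest_common_run(regions, min_len=8):
    """Longest byte run present in every region; None if under min_len."""
    base = min(regions, key=len)
    for length in range(len(base), min_len - 1, -1):
        for start in range(len(base) - length + 1):
            cand = base[start:start + length]
            if all(cand in region for region in regions):
                return cand
    return None


def derive_signature(clean, exposed, min_len=8):
    """Pattern shared by every modified decoy. Rejected if it also occurs in
    a clean decoy, since it would then flag uninfected programs."""
    regions = [added_region(clean[n], exposed[n])
               for n in clean if exposed[n] != clean[n]]
    sig = longest_common_run(regions, min_len) if regions else None
    if sig is None or any(sig in data for data in clean.values()):
        return None
    return sig


def scan(files, signature):
    """Names of files containing the signature (the client self-check)."""
    return sorted(name for name, data in files.items() if signature in data)


# Constructed, inert sample data: MARKER stands in for the invariant bytes.
MARKER = b"INERT-SAMPLE-PATTERN"
CLEAN = {"decoy1": b"DECOY-ONE" + bytes(32), "decoy2": b"DECOY-TWO" + bytes(48),
         "decoy3": b"DECOY-THREE" + bytes(16)}
EXPOSED = {"decoy1": CLEAN["decoy1"] + b"\xaa" + MARKER + b"\x01",
           "decoy2": CLEAN["decoy2"] + b"\xbb" + MARKER + b"\x02",
           "decoy3": CLEAN["decoy3"]}          # left untouched by the sample
SIGNATURE = derive_signature(CLEAN, EXPOSED)
LAN_FILES = {"report.exe": b"app" + MARKER + b"\x07", "notes.exe": b"clean bytes"}
```

Bytes that vary between copies (here the first and last byte of each added region) are excluded from the signature, and `scan(LAN_FILES, SIGNATURE)` plays the role of the self-check each LAN device performs once it receives the new pattern.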

If care is taken to ensure that the most recent repair programs spread to facilities not yet infected, it will be possible, in principle, to immunize the whole universe of personal computers against an emerging virus. No matter how refined the techniques to fight off viruses become, computer viruses will always maintain a difficult coexistence with computers and their users. Various strains will grow and wane, but, in general, computer viruses and antiviral techniques will evolve together in a manner very similar to biological parasites and their hosts. Both will also respond to changes in the environment, for example, mobile computer agents which must be protected from corruption by the computer systems they traverse, even if those systems themselves are safe from viruses.


Petri Net

THE DIGITAL IMMUNE SYSTEM of the Web could behave as we have outlined here. An unknown virus causes a client to send a sample to a server (1), which in turn sends a coded sample to a central virus analyzing device (2). This device reproduces the virus in a sort of Petri dish and analyzes its structure and behavior (3). The resulting repair program returns to the server (4), which sends it first to the infected client (5) and then to the other LAN-connected devices (6). Subscribers throughout the world will receive updated antiviral versions of a repair program on a regular basis. These programs will protect them from new viruses (7).


REPLICAS OF OURSELVES


Biology teaches us that of the one hundred trillion cells contained in the human body, only one tenth belong to our tissues and organs, the remaining 90% corresponding to ninety trillion bacteria inhabiting our skin, the inside of our noses, our throat and our digestive tract. Our own hands, even if well washed, are home to 12 million germs; by shaking hands, we are putting our bacterial flora in contact with that of the person we greet.

Human beings constantly issue replicas of themselves, whether through their genes or through their works, whereby the analogical sensorial component displaces and neutralizes the digital neural system of the brain. It radically refuses to accept foreign systems, not only with respect to things we regularly allow ourselves to do, but even with respect to their presumed alternatives. Don't we like most that which is most similar to ourselves, in our own likeness and image?

Perhaps computer viruses and computer immune systems are merely forerunners of a rich and inevitable ecosystem of forms of artificial life that will live, die, cooperate and attack each other in cyberspace. Replicas of blind selfish genes, of our own selves.


HOW PETRI NETS WORK

A Petri Net is a system model expressed in specific graphic notation. It may be used to explore certain properties of the system. A Petri Net consists of a set of places, a set of transitions and a set of directed arcs. Each transition has an associated set of input places and a set of output places. A transition is linked to each of its input places by a directed arc that goes from the place to the transition, and to each of its output places by means of a directed arc from the transition to the place.

The simultaneous system states are represented by the presence of symbols at the places, a specific state being represented by a specific assignment of symbols to places. This assignment is called a marking.

The net drawn in this diagram uses a conventional graphic notation. The places are represented by the circles designated as p ... t, the transition bars are indicated by the lines B1 ... B4 and the initial marking is displayed by the use of points representing symbols.

Transitions represent possible changes in the state of the system. A transition can become activated or fire (that is, cause a change in the state) only when each of its input places contains, at least, one symbol. When a transition becomes activated, it eliminates one symbol from each of its input places and deposits a symbol at each of its output places. This way the combination of a transition's input and output places represents both the conditions in which a change of state can take place and the effects of such a change. The activation of a transition constitutes an indivisible event and, therefore, the simultaneous activation of two or more transitions is not possible. When the state is such that there are two or more transitions capable of firing, each must be considered individually.


EXAMPLE OF A PETRI NET

Starting from an initial marking representing an initial state of the system and by applying a direct procedure that will generate other markings that can be obtained from the initial marking, the possible states of the system can be explored as well as the ways in which these states can be obtained. For example, both the inhibiting and the unproductive loop states can be detected easily, and, in general, it is possible to check whether the system's behavior is the one expected. However, although the procedure to generate reachable markings is simple, the attempts to perform a complete analysis are frequently thwarted by the sheer number of these markings, which may be infinite. In this way, the general problem of determining whether a given marking may be reached starting from a given initial state is undecidable.

With the assignment of the initial marking that appears in the graphic, both B1 and B3 can be activated. Assume B1 is activated. This eliminates the symbols from places p and t, and deposits a single symbol at place q. That way only B2 can be activated. (B3 cannot be activated because there is no longer a symbol at place t.) When B2 is activated, the symbol is eliminated from place q and new symbols are deposited at places p and t, thereby reestablishing the initial assignment of symbols. If at this moment B3 is activated, a single symbol is deposited at place s and B4 then becomes activated, reestablishing the initial marking again. This net may be considered as a paradigm for a system in which two processes compete for a shared resource. The resource availability is represented by the presence of a symbol at place t. The process' pertinent states, whether they possess the resource or not, are represented by symbols at places p and q, respectively. Similar symbols at places r and s represent pertinent states of the other process.
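The firing rule and the reachable-marking procedure can be run on this net directly. The following is an added example, not part of the original article: since the graphic is not reproduced, the arcs of B3 and B4 and the initial marking (one symbol each at p, r and t) are assumptions inferred from the walk-through above.

```python
from collections import deque

# Net structure inferred from the article's walk-through (assumed, the graphic
# is not available): transition -> (input places, output places).
TRANSITIONS = {
    "B1": (("p", "t"), ("q",)),      # process 1 acquires the resource
    "B2": (("q",), ("p", "t")),      # process 1 releases it
    "B3": (("r", "t"), ("s",)),      # process 2 acquires the resource
    "B4": (("s",), ("r", "t")),      # process 2 releases it
}
INITIAL = {"p": 1, "q": 0, "r": 1, "s": 0, "t": 1}   # assumed initial marking


def enabled(marking, transitions=TRANSITIONS):
    """Transitions whose every input place holds at least one symbol."""
    return [name for name, (ins, _) in transitions.items()
            if all(marking[pl] >= 1 for pl in ins)]


def fire(marking, name, transitions=TRANSITIONS):
    """Fire one transition as a single indivisible step; return the new marking."""
    ins, outs = transitions[name]
    if any(marking[pl] < 1 for pl in ins):
        raise ValueError(f"{name} is not enabled")
    return {pl: n - ins.count(pl) + outs.count(pl)
            for pl, n in marking.items()}


def reachable(initial, transitions=TRANSITIONS, limit=10_000):
    """Breadth-first reachable markings; `limit` caps unbounded nets."""
    key = lambda m: tuple(sorted(m.items()))
    seen, queue, dead = {key(initial)}, deque([initial]), []
    while queue:
        m = queue.popleft()
        choices = enabled(m, transitions)
        if not choices:
            dead.append(m)               # nothing can fire: deadlock
        for nxt in (fire(m, name, transitions) for name in choices):
            if key(nxt) not in seen:
                if len(seen) >= limit:
                    raise RuntimeError("marking limit reached")
                seen.add(key(nxt))
                queue.append(nxt)
    return [dict(k) for k in seen], dead


MARKINGS, DEADLOCKS = reachable(INITIAL)
# Mutual exclusion: q and s (resource held) are never marked together.
MUTEX_HOLDS = all(m["q"] + m["s"] <= 1 for m in MARKINGS)
```

For this net the search terminates after three markings with no deadlock; the `limit` argument covers the case noted above where the set of reachable markings is infinite.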

C. A. Petri was the German creator, in the early 60's, of the nets named after him.



