Cybersecurity professionals can respond to and fix vulnerabilities more efficiently by acting like ants, according to Chris Oehmen, senior research scientist at the Pacific Northwest National Laboratory (PNNL).
Ants find food in a complex environment without a central controller and without being taught what to expect upfront. They use a communications strategy that helps them explore, maintain alertness, and “swarm” quickly when the environment changes. This way, they balance awareness and response.
Cybersecurity professionals can use this approach when detecting problems in their security systems.
“Computers are affected in various strange ways when malicious software is on them,” Oehmen said. “Using an ant-based approach makes it possible to observe many different systems with this leaderless, efficient method that balances awareness of what is going on and rapid response when something strange happens.”
PNNL, which is part of the Department of Energy, developed Digital Ants, an application that cybersecurity professionals can use to search through cyber landscapes and “swarm” when an unusual situation or actor is detected.
“Digital Ants will make it possible to have awareness of the effects of software on systems even when the virus itself gets through defenses,” Oehmen said. “This will make it more difficult for malware to run undetected for months, as it does today.”
Digital Ants helps prioritize cyber defenses to where protection is needed most by targeting hot spots of unusual activity.
Software can also be broken up into families of malicious and non-malicious software, similar to DNA, according to Oehmen. DNA is made up of long molecules with a small number of repeating elements, which is similar to the way software presents itself in computer systems.
“We can look for commonalities that make it easier to find software because much software is built from reused pieces of code, similar to how DNA is passed down through generations,” Oehmen said.
PNNL developed Machine Learning String Tools for Operational and Network Security (MLSTONES), a group of applications that organizes software into families.
“MLSTONES cuts down on the number of items you have to compare to when you are asking the question ‘does this unknown piece of software look like a relative of something we have seen before?’ ” Oehmen said.
The technique allows cybersecurity researchers to recognize potentially dangerous software before it starts infecting computers and makes it harder for malware to get to the systems it intends to target. MLSTONES enables cybersecurity teams to deal with malicious software in groups rather than individually.
“This will give software analysts a good starting point when encountering something never before seen, and it gives cyber defenders a tool that may block new viruses before other tools learn their signatures,” Oehmen said.
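The family-grouping idea described above (treating software as strings built from reused pieces and asking whether an unknown looks like a relative of something already seen) can be illustrated with byte k-mer overlap. This is an added example written for this page, not MLSTONES code or PNNL's method; the sample "binaries", the k-mer size, the Jaccard threshold and the one-representative-per-family comparison are all assumptions chosen for illustration.

```python
from itertools import combinations

# Constructed stand-ins for binaries: two "relatives" share a reused block
# (SHARED_A), a third reuses a different block, a fourth shares nothing.
SHARED_A = b"mov eax, ebx; call decrypt_payload; xor ecx, ecx; " * 3
SHARED_B = b"push rbp; mov rbp, rsp; lea rdi, [rip+banner]; " * 3
SAMPLES = {
    "a1": SHARED_A + b"unique tail one",
    "a2": b"prefix two " + SHARED_A,
    "b1": SHARED_B + b"tail b",
    "c1": b"completely different bytes here, nothing reused at all",
}
UNKNOWN = SHARED_A[:50] + b"new variant body"  # reuses part of family A's block

def kmers(data: bytes, k: int = 4) -> frozenset:
    """All length-k byte substrings: the 'repeating elements' compared across samples."""
    return frozenset(data[i:i + k] for i in range(len(data) - k + 1))

def jaccard(a: frozenset, b: frozenset) -> float:
    """Share of building blocks two samples have in common (1.0 = identical sets)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def group_into_families(samples: dict, k: int = 4, threshold: float = 0.3) -> list:
    """Link any pair whose k-mer overlap reaches the threshold; each connected component is a family."""
    sets = {name: kmers(data, k) for name, data in samples.items()}
    parent = {name: name for name in samples}          # union-find over sample names
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for x, y in combinations(samples, 2):
        if jaccard(sets[x], sets[y]) >= threshold:
            parent[find(x)] = find(y)
    groups = {}
    for name in samples:
        groups.setdefault(find(name), set()).add(name)
    return sorted((frozenset(g) for g in groups.values()), key=lambda g: sorted(g))

def closest_family(unknown: bytes, families: list, samples: dict, k: int = 4):
    """Compare the unknown against one representative per family instead of every sample;
    returns (best family, similarity to its representative)."""
    probe = kmers(unknown, k)
    best, best_score = None, 0.0
    for fam in families:
        score = jaccard(probe, kmers(samples[sorted(fam)[0]], k))
        if score > best_score:
            best, best_score = fam, score
    return best, best_score

if __name__ == "__main__":
    fams = group_into_families(SAMPLES)
    print("families:", [sorted(f) for f in fams])
    print("unknown looks like:", closest_family(UNKNOWN, fams, SAMPLES))
```

With four samples in three families, the unknown needs three comparisons rather than four; the saving grows with the size of the corpus.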