Dynamic Defense

A new approach to cloud security, inspired by nature

Data Center

Richard Brown
Senior Research Manager
Richard Brown

Zero-day attacks sound like the stuff of science fiction. In reality, they're a major security threat to contemporary enterprise computing, says HP Labs researcher Richard Brown.

"A zero-day attack is one that successfully exploits vulnerabilities in systems and applications that no-one knew existed," Brown explains. "From the point when the vulnerability is exploited, which can often be long before the attack is known about, through to when patches and signatures are made available, enterprises are very vulnerable."

Now HP Labs is researching a technique that could identify these threats before they get started. Taking ideas from biology, a team in HP's Cloud and Security Lab is creating 'forensic virtual machines' to spot signature elements of a novel threat without having to wait for the attack itself to begin.

In the same way that our bodies can detect a viral intrusion even before we feel sick and quickly deploy white blood cells to surround it, these tiny applications can sniff out suspicious activity and then coalesce in that area to verify the threat.

HP Forensic Virtual Machines screenshot
This is an illustration of HP's Forensic Virtual Machines swarming around an infected host as symptom malware is detected
Enlarge image

The advantages of this approach are considerable, says Brown, project leader and senior research manager with HP's Cloud and Security Lab. Not only does it increase the possibility of identifying attacks before they happen, he says, "but it means we're highly efficient in directing our resources towards the greatest area of threat. Even more significantly, it means the security we're putting into our infrastructure can be dynamic. The location of these forensic virtual machines can be constantly switched in response to the threat environment."

On top of that, the HP team has devised an entire second level of randomization to their scheme, making for a promising new approach to enterprise security that they've dubbed, appropriately, 'Dynamic Defense'.

An increasing threat

Malicious attacks on computer systems have been with us now for decades. But as businesses increasingly move into the Cloud and as ever more of the world's population goes online, both the vulnerabilities and possible sources of danger increase.

It's estimated that another billion people will gain online access over the next five to eight years, notes Martin Sadler, director of HP's Cloud and Security Lab. "If you look at how easy it can be for organized criminals to persuade people to carry out certain kinds of actions," he says, "they need only persuade 1% of these new users to behave inappropriately and you've got 10 million extra hackers out there."

At the same time, the ultimate origin of the majority of threats has shifted from brilliant amateur hackers looking for bragging rights and fame to highly organized criminal gangs. These groups are well resourced and patient – happy to sow the seeds for an attack months or even years before it makes itself known.

"It's become a real business," adds Brown. "In addition, the tools now available to attackers are quite significant. You can actually get toolkits that enable you to write malware. That tends to be how attacks are now generated – you pull in this trick and then add that capability and fairly quickly you've created yourself a zero-day-like attack that's never been seen before."

Dynamic Defence Rings

Forensic machines, modeled on biology

In the genesis of modern cyber-attacks, however, also lies their vulnerability to the innovations that Brown's team is developing.

The sole purpose of each forensic virtual machine they create is to identify a single one of those off-the-shelf elements that are combined to create a successful new attack.

A particular forensic virtual machine might look for certain patterns in the memory of an operating system, for example, or for the existence or non-existence of certain files or telltale processes. "Spot any of these", says Brown, "and you have the capability to say, 'I think something pretty bad might be happening,' triggering a swarming reaction where other forensic machines also come and look for their specific symptoms."

Most attacks try to disable the security mechanisms of the operating system they are threatening, or make themselves invisible to them. The HP forensic virtual machines, however, sit in the hypervisor layer of a virtualized system, meaning that they sit undetected, outside of the operating system that is potentially under attack.

Human biology was a direct inspiration, Brown reports. Just as our immune systems create multiple triggers that send white blood cells to target viral and other kinds of attacks, future computer systems might deploy several thousand of these small applications at once. When a forensic virtual machine detects something it's programmed to notice, it sends off alarms that cause others to gather around the potential problem and search for their own signature symptoms.

"It'll start to build up a picture," says Brown. "If you get sufficient evidence that enough of these different components seem to be present in your infrastructure, then it looks like you're really under attack."

Doubly dynamic – randomized virtualization

In addition to residing outside of the operating system they're designed to protect, forensic virtual machines operate randomly until they find something suspicious. As a result, attackers can never be sure whether or not they are being observed.

The HP team, though, is adding a second layer of randomization.

Nearly all serious attacks require knowing the specific configuration of the target system's memory, data and software instructions in order to exploit a vulnerability and then take control of the machine.

The dynamic defense approach, however, also randomizes the infrastructure itself. This is done in a way that doesn't affect the functioning of the application or the services that run on the system.

"The application doesn't really know that it's being randomized," explains Brown. "It's still just doing what it's always been programmed to do. But when an attacker breaks into the system and looks inside, it won't look like what they thought it was going to. So any mechanism that they planned to use to attack is no longer valid."

More to do

Dynamic defense promises to make it both harder to launch an attack and more likely that novel attacks will be detected before being fully activated – achieving what traditional signature-based security solutions currently fail to do.

The HP team is now generating a proof of concept for Dynamic Defense and has already created several user interface demonstrators for it.

"If we prove it in the lab, we will then use it on HP's own network," says lab director Sadler.

But they won't succeed, he adds, without robust support from other HP teams that identify the constantly evolving off-the-shelf elements from which new attacks are compiled. And once they've identified an attack that is likely being planned, more work is always required to then neutralize and remove the offending malware.

"None of these things are ever perfect," Sadler suggests. "What you are always looking for are ways of trying to tip the balance in favor of defenders. You want the cost of attack to be as high as you can possibly make it, and the cost of effective defense to be as low as you can make it."

That issue of cost is important. As computer systems grow more complex, it becomes prohibitively expensive to try and secure an entire system all of the time.

"At the end of the day, a company's cloud infrastructure is there to run revenue generating applications for its customers," notes Brown. "You don't want to be using up your resources throwing unnecessary security at it. One of the great advantages of Dynamic Defense is that is can be lean, deploying its resources to meet emerging threats as needed, delaying the use of the really big guns until they can have maximum effect".