Abstract
A Distributed Computer Immune System
(Summary) January 2003
Computer Immunology is about the detection of, and reaction to, changes in the state of a computer system. The goal is to maintain system integrity by detecting and protecting against attacks and failures. Its methods and models are inspired by the biological immune system of living organisms. In this project, the aim is to approach such a system by combining two existing immunological approaches: pH, a kernel patch for the GNU/Linux kernel, and cfengine, a high-level policy-based configuration engine. These two systems are independent of each other. By combining them we mean to enable them to benefit from each other by sharing information or communicating events. We hope in that way to learn about the feasibility of distributed computer immune systems and what requirements they have. Our requirement specification is strongly influenced by the types of system we analysed. A new analysis using two different systems would probably shed a different and healthy light on distributed anomaly detection.
In a distributed computer immune system every component needs available interfaces and clearly defined communication channels. We focused on combining two existing systems, not on designing a distributed system from the ground up. Our project showed that two anomaly detection systems can indeed benefit from each other if we modify them a little. We formulated the following requirements that we believe must be met by all systems in a distributed computer immune system:
Compatible abstraction level
Increased overall functionality
Compatible and predictable data representation
Zero interference / No trigger loop
Independability
Openness / Availability