Swarm Intelligence in Action: Phalanx Project

Web threats are up 1564% since 2005, vulnerabilities continue to number in the thousands annually, malware infections skyrocketed to over 8 million in November of 2007 alone, spam accounts for up to 90% of all email traffic, there are an estimated 3 million plus bot-compromised machines connected to the internet at any given moment, high-impact regional threats and targeted attacks have increased dramatically year over year since 2005, and there is a breach a day in what has become an orgy of disclosure, punctuated by a tsunami of useless loss statistics. This is all against a backdrop of new vectors of attack introduced by mobile computers, virtualization, SaaS, and other disruptive technologies. Clearly the current reactive, ad hoc, threat-enumeration model of information security is broken, and given the economics of malware and cybercrime it will only get worse…

Sample data from research on the underground digital economy in 2007, from the Trend Annual Threat Report 2007:

Pay-out for each unique adware installation – $.30 in the US

Malware package, basic version $1,000 – $2,000

Malware package with add-on services – $20 starting price

Undetected copy of an information stealing Trojan – $80, may vary

10,000 compromised PCs – $1,000

Stolen bank account credentials – $50 starting price

1 million freshly-harvested emails – $8 up, depending on quality

Recently I posted some thoughts on evolving information security to move towards distributed, collective intelligence or swarm intelligence, (here) and (here), and came across a project at the University of Washington called Phalanx – (here) via /.

Their system, called Phalanx, uses its own large network of computers to shield the protected server. Instead of the server being accessed directly, all information must pass through the swarm of “mailbox” computers.

The many mailboxes do not simply relay information to the server like a funnel – they only pass on information when the server requests it. That allows the server to work at its own pace, without being swamped.

“Hosts use these mailboxes in a random order,” the researchers explain. “Even an attacker with a multimillion-node botnet can cause only a fraction of a given flow to be lost,” the researchers say.

Phalanx also requires computers wishing to start communicating with the protected server to solve a computational puzzle. This takes only a small amount of time for a normal web user accessing a site. But a zombie computer sending repeated requests would be significantly slowed down.

This is a very interesting way to deal with the problem of DDoS attacks. It isn’t difficult to imagine how one could use a swarm of intelligent agents to cooperate and shield, or even to identify patterns of behavior that are representative of malicious or nefarious actions and counter an attack, in progress or impending, before it has a chance to impact the environment.
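
The mailbox behaviour quoted above can be modelled in a few lines. This is an added sketch, not code from the Phalanx project or from the original post: it assumes sender and server share a secret from which each packet's mailbox is derived with HMAC, and it models a flooded mailbox as one that drops every legitimate deposit. The names `mailbox_for`, `Mailbox` and `simulate`, the swarm size and the key are all constructed for illustration.

```python
import hashlib
import hmac
import random

N_MAILBOXES = 1000  # constructed swarm size, not a figure from the page


def mailbox_for(key: bytes, seq: int) -> int:
    """Mailbox index for packet `seq`; predictable only with the shared key."""
    digest = hmac.new(key, seq.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big") % N_MAILBOXES


class Mailbox:
    def __init__(self, flooded: bool = False):
        self.flooded = flooded  # assumption: a saturated mailbox loses deposits
        self.store = {}         # seq -> payload, held until the server asks

    def deposit(self, seq: int, payload: bytes) -> None:
        if not self.flooded:
            self.store[seq] = payload

    def request(self, seq: int):
        """Server-initiated pull: nothing is forwarded unless requested."""
        return self.store.pop(seq, None)


def simulate(flooded_fraction: float, packets: int = 5000, seed: int = 1) -> float:
    """Return the fraction of one flow lost when part of the swarm is flooded."""
    rng = random.Random(seed)
    key = b"constructed-demo-key"  # stands in for a negotiated shared secret
    # The attacker cannot predict the sequence, so it floods an arbitrary subset.
    count = round(flooded_fraction * N_MAILBOXES)
    flooded = set(rng.sample(range(N_MAILBOXES), count))
    swarm = [Mailbox(i in flooded) for i in range(N_MAILBOXES)]
    # Sender side: each packet goes to its keyed mailbox.
    for seq in range(packets):
        swarm[mailbox_for(key, seq)].deposit(seq, b"data")
    # Server side: pull each packet, at its own pace, from the same mailbox.
    delivered = sum(
        swarm[mailbox_for(key, seq)].request(seq) is not None
        for seq in range(packets)
    )
    return 1 - delivered / packets


if __name__ == "__main__":
    for fraction in (0.0, 0.1, 0.3):
        print(f"flooded={fraction:.0%} lost={simulate(fraction):.1%}")
```

In this model the loss tracks the share of mailboxes the attacker manages to saturate, which is the "only a fraction of a given flow" property the researchers describe.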