Skip to Main Content U.S. Department of Energy
Information and Infrastructure Integrity Initiative

DigitalAnts™: Ant-Based Cyber Defense

Every computer attack is a battle between the owners of a computational infrastructure and adversaries bent on using these resources for their own purposes. The owners may span multiple organizations that have limited trust between them. Meanwhile, human adversaries are adaptively hostile, employing open-ended strategies and anti-forensic techniques. The problem of securing complex infrastructures in a dynamic hostile environment with changing adversaries cannot be solved with static defenses or uncoordinated unilateral measures. In today's large infrastructures comprised of many collaborating organizations, the way we typically monitor cyber defense is to gather all the cyber data from across the enterprise to a single point and analyze it centrally. While this gives excellent scope of information, this approach scales poorly.

To address this challenge, the Pacific Northwest National Laboratory (PNNL) has developed a framework for decentralized coordination based on the eusocial behaviors seen in ant colonies. The eusocial organization in the ant colony provides a highly adaptive common defense that achieves emergent behavior via stygmergic communication. We have applied these ant behaviors to cyber security in our Ant-Based Cyber Defense where humans and various software agents share the responsibilities of securing an infrastructure comprised of enclaves that belong to member organizations.

Decentralized Hierarchy

The primary purpose of the Ant-Based Cyber Defense is to reduce the level of required human involvement in problem detection and resolution while retaining the human ability to intervene as desired. The second purpose is to enable separate enclaves to cooperate in their cyber defense while maintaining their privacy and proprietary data. A hierarchy is needed to give the humans at the top a single point of access to enclave-wide security information, but the monitoring and resolution are decentralized, bringing the sensor to the data rather than vice-versa.

The Ant-Based Cyber Defense is made of a set of collaborating enclave hierarchies of humans and software agents. An enclave is a collection of machines owned by a single organization and managed under a single policy. A Human Supervisor may lead multiple enclaves, each of which is led by an agent called a Sergeant. Sentinel agents autonomically monitor enclave machines, and mobile Sensor agents wander through the enclave.


Human Supervisors provide guidance to and receive feed-back from one or more enclaves. They may take initiative as desired to inspect any element of the system, but we discourage direct human control that would destroy natural adaptation. Supervisors need take action only when the lower-level agents encounter a problem that requires human involvement.


Enclave-level agents called Sergeants are each responsible for the security state of an entire enclave. Sergeants dialogue with humans to gain guidance for running the system according to human-specified business drivers and security policies. Sergeants create and enforce executable policies for the entire enclave.

Sentinels and Sensors

A host-level Sentinel agent protects and configures each monitored machine. Sentinels interact with human supervisors only when they need clarification about how to classify ambiguous evidence from the swarm of Sensor agents. The Sensors roam from machine to machine within their enclave each searching for indicators of problems uniquely derived from the set of known problem indicators. They report discovered problems to the appropriate Sentinel. Sensors communicate by leaving digital pheromone messages that result it positive feedback, attracting a wide variety of Sensors to suspected problems.

Deployment Status

The Ant-Based Cyber Defense is a technology readiness level one project that has been implemented at the Sentinel and Sensor level on a cluster of 64 Linux virtual machines. This implementation rapidly identifies previously unknown malware based on real Linux worm code. Currently, development is underway in to use the digital ant approach as a security mechanism underlying the NSF GENI testbed laboratory.

For more information on Ant-Based Cyber Defense, please contact .

Project Management