
A Cheap, Distributed Zero-Day Defense?

CmdrTaco posted more than 5 years ago | from the yeah-that-won't-get-gamed dept.

Security

coondoggie writes "Shutting down zero-day computer attacks could be carried out inexpensively by peer-to-peer software that shares information about anomalous behavior, say researchers at the University of California at Davis. The software would interact with existing personal firewalls and intrusion detection systems to gather data about anomalous behavior, says Senthil Cheetancheri, the lead researcher on the project he undertook as a grad student at UC Davis from 2004 to 2007. He now works for SonicWall."


116 comments

Wow... (4, Insightful)

roc97007 (608802) | more than 5 years ago | (#26452441)

If you could break into that process, you could rule the world.

My first thought too (5, Insightful)

A nonymous Coward (7548) | more than 5 years ago | (#26453643)

Who watches the watchers?

Any system like this would be a premium cracker target. All it would take is one false positive or false negative before no one would trust it again.

Six months later, some other researcher would make a new proposal for a p2p system to guard the broken p2p system.

Re:My first thought too (1)

Neoprofin (871029) | more than 5 years ago | (#26453883)

Couldn't the same argument be used against distro repositories, security vendors websites, and any other system that people assume is safe and working in their best interests?

Obviously the entire point of doing it p2p is to speed up distribution, but that doesn't mean the fixes couldn't go through some kind of verification process before being flagged as safe and useful fixes.

Seems to work out pretty well for Blizzard updates.

Re:My first thought too (1)

marcosdumay (620877) | more than 5 years ago | (#26455061)

"Couldn't the same argument be used against distro repositories, security vendors websites, and any other system that people assume is safe and working in their best interests?"

Yes, theoretically, it could. In practice, the argument only holds against Windows and MS Office update (maybe also Firefox), since the others have a very high diversity.

Re:My first thought too (1)

mr exploiter (1452969) | more than 5 years ago | (#26458749)

"Couldn't the same argument be used against distro repositories, security vendors websites, and any other system that people assume is safe and working in their best interests?"

Yes, theoretically, it could. In practice, the argument only holds against Windows and MS Office update (maybe also Firefox), since the others have a very high diversity.

What the hell??... This has nothing to do with Office or Firefox update; they are not peer-to-peer applications.

Re:My first thought too (1)

pixelpusher220 (529617) | more than 5 years ago | (#26455697)

I would say the argument can't be made. The examples you've cited are materially different. They are single point push systems, rather than a p2p pulling system.

You only get your updates from one place, the original source. (Or in the case of Linux distros you get the validation/CRC check from one place.)

The article is about an automated distributed response, hence you have to trust much more than the person you're getting it from. You have to trust the entire chain.

The Blizzard example is a better one. I'd say that a lack of exploits against it isn't a good measure of its suitability though. Distribution of fixes (BitTorrent) is rather easy; ensuring the security/authenticity of said stuff isn't nearly so.

Re:My first thought too (1)

andy_t_roo (912592) | more than 5 years ago | (#26455319)

"All it would take is one false positive or false negative before no one would trust it again."

Would you be able to tell me which of the currently used security products are trusted due to never throwing a false positive or negative?

Re:My first thought too (1)

A nonymous Coward (7548) | more than 5 years ago | (#26456239)

"All it would take is one false positive or false negative before no one would trust it again."

would you be able to tell me which of the currently used security products are trusted, due to never throwing a false positive or negative?

Irrelevant. They aren't automated. People are allowed to make mistakes and presumably learn from them; it takes many repeated mistakes to become unreliable.

An automated system doesn't have that luxury. When there is no one to accept blame and make corrections, people won't trust it.

Re:Wow... (1)

shankarunni (1002529) | more than 5 years ago | (#26453649)

That was the first thought that crossed my mind, too..

Re:Wow... (2, Interesting)

orclevegam (940336) | more than 5 years ago | (#26453937)

Don't even need to break into it, just fool it. If you could convince it that some normal everyday activity (say going to Google more than twice in an hour) is really a sign of a 0-day attack in progress and get it to lock down network IO, you've just gotten a ready-made DDoS. Simply get the system to propagate your false positive to all the nodes (which it would need to do quickly, quietly, and efficiently in order to combat 0-day threats) and then wait for it to go off. Instant DDoS and you barely even needed to do anything. Best part is if you can make it look like you weren't trying to trick it, then even if the attack eventually gets traced back to you, you can claim you're innocent and the software just flaked on you.

Re:Wow... (1)

davecb (6526) | more than 5 years ago | (#26455447)

Presumably the monitor itself would need to be tricked into thinking the harmless operation was evil, so it would submit it to peer review on the p2p network.

Then you'd need to trick some other subscribers into agreeing it was evil, and somehow arrange for them to be selected by the system as peers. Then and only then could you get the system to DoS its users.

--dave

Re:Wow... (1)

neokushan (932374) | more than 5 years ago | (#26453971)

This is the first thing I thought as well. Find a way to compromise systems and rather than do your usual dirty work, just get them all to report that the legitimate, "Secure" devices are the ones causing all the trouble. There you go, you've DDOS'd the secure computers without ever having to touch them yourself.

Re:Wow... (0)

Anonymous Coward | more than 5 years ago | (#26454355)

I'm going to create this and call it "SKYNET"

Cheap Defense? (4, Insightful)

drewzhrodague (606182) | more than 5 years ago | (#26452449)

Six Inches of Air?

Re:Cheap Defense? (1)

buchner.johannes (1139593) | more than 5 years ago | (#26453393)

A Cheap, Distributed Zero-Day Defense?

Just before buying a computer, deciding not to?

Re:Cheap Defense? (0)

Anonymous Coward | more than 5 years ago | (#26454815)

Six Inches of Air?

Hm... to stop the WiFi you need much more than 6 Inches....

Re:Cheap Defense? (0)

Anonymous Coward | more than 5 years ago | (#26455927)

Hm... to stop the WiFi you need much more than 6 Inches....

Pervert.

I have a better solution (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#26452463)

Everyone should wear funny hats. This will cause cats and some dogs to defend the Human race against bloggers and other Satanic cults. Now that Obama is our President it is time to say goodby to fungus and long division of the spoils of pharmony? i PREFER pants!

Hats are the key. The

Not so fast... (5, Insightful)

Jah-Wren Ryel (80510) | more than 5 years ago | (#26452495)

On the face of it, it sounds like he's proposing a "trusted" infection vector. A way to distribute code intended to patch holes to systems that want it. The obvious problem with such a system is the consequences of it being compromised. Then it becomes a way to distribute malicious code much more effectively than the way bot-nets infect new hosts now.

Re:Not so fast... (5, Insightful)

girlintraining (1395911) | more than 5 years ago | (#26452801)

On the face of it, it sounds like he's proposing a "trusted" infection vector. A way to distribute code intended to patch holes to systems that want it. The obvious problem with such a system is the consequences of it being compromised. Then it becomes a way to distribute malicious code much more effectively than the way bot-nets infect new hosts now.

You forget that the system is also leaking information about the traffic it is sending/receiving at the same time, and possibly internal state information (such as what applications are loaded, plugins, etc). That data in and of itself is valuable to an attacker, never mind whether the vector can be protected or not... It opens up the possibility of discovering new vectors in ways maybe not possible remotely.

Re:Not so fast... (1)

redxxx (1194349) | more than 5 years ago | (#26454707)

Heck, the data is valuable to anyone with an interest in what people are doing online and how they are using the internet. I don't see any way the information sent out could be limited to the actions of malware, so the database could end up a nice target for commercial(marketing and whatnot) datamining.

Sending out information which I don't control defeats half of the purpose behind why I run software firewalls.

Re:Not so fast... (4, Insightful)

liquidpele (663430) | more than 5 years ago | (#26453037)

The obvious problem with such a system is the consequences of it being compromised.

The non-obvious problems:
1) People that don't keep automatic updates on aren't going to use this, so the same people that get infected today will continue to get infected.
2) P2P systems like this are notoriously hard to keep poison data out of.

Re:Not so fast... (2, Funny)

morgan_greywolf (835522) | more than 5 years ago | (#26453129)

You make it sound suspiciously like "Windows Update," which doesn't have these problems...oh wait....nevermind.

Re:Not so fast... (1)

jd (1658) | more than 5 years ago | (#26453807)

Maybe use a similar sort of system as a massively distributed active intrusion detection system. In "real life" (yeah, the outdoor thing), oak trees have chemicals in their leaves which sublime under normal atmospheric conditions. If the leaves are attacked by insects, the chemicals are released into the air and are picked up by nearby oaks. These respond by adding extra tannin in their own leaves. The practical upshot is that the heavier the insect attack, the more heavily protected the trees become, making it impossible for many insects to attack groves of oaks except en masse or with powerful acids.

In the digital world, you might use a P2P network as follows: If you get below some threshold of attacks of type XYZ being reported, firewalls might log packets that have similar characteristics as XYZ. If those attacks exceed some minimum threshold and have been reported from some minimum number of sites, you might take more action, such as passing round fingerprints of the attacks and block on those fingerprints being detected. If the attacks pass some higher threshold, you then close suspect ports or re-direct them to honeypots.

Re:Not so fast... (1)

eonlabs (921625) | more than 5 years ago | (#26453927)

Which lends itself well to a self created DDOS attack. You get a system like that to respond to a normal packet from the net and all of a sudden the amount of processing power expended to analyze the packets increases in response, which leads to greater susceptibility to flooding the system with crap.

Re:Not so fast... (1)

jd (1658) | more than 5 years ago | (#26455403)

I can see that. You'd need very good thresholds to avoid trivially establishing a self-inflicted DDoS. According to the Byzantine Generals Problem, in a system with N nodes, (N+1)/2 of those nodes -must- be trustable in order to detect a node that is not. Thus, it would be necessary to establish in advance that the sum total of all compromised nodes PLUS all nodes run with malicious intent PLUS all misconfigured nodes fell below the ((N-1)/2)-M threshold, where M is the number of nodes you expect to be freshly compromised or otherwise "turn traitor" within the response time of the network, in order to be even mathematically possible. That's hard.

This is the absolute upper limit for a threshold in order for the system to function at all. If the threshold is too low, then the noise in the system (natural or artificial) will destabilize the system. You need the threshold for taking any action at all to be high enough that if it is artificially-induced, it is readily characterizable and readily screened-for. This means that low-volume attacks would simply walk past such a system. Which is fine. The outermost defenses should not be concerned with the same sorts of problems that standard system security is intended to deal with. Using the castle wall analogy, the wall isn't intended to stop you from being attacked, it's intended to stop you from being swamped when you are attacked.

The total effort involved in classifying and filtering must also be cost-effective, so the expense of adding dynamic packet classifiers must be less than the cost (in CPU cycles) of protecting systems in other ways -and- the bandwidth saved by such filtering must exceed the bandwidth consumed by the messaging requirements of such a network.

Next, both the response and the change in response in proportion to the change in stimulus must both be negative feedback loops. There must be increased resistance to adding further security, as security increases, and the increase in security must be less with each step.

Finally, the P2P network must have no possibility of flaps, cascading errors, positive feedback loops, over-reporting or other such characteristics. So, no superlinear, polynomial or exponential response curves. It shouldn't even be linear. Double the stimulus should produce much less than double the response, which does violate the biological model I'm basing this on to some degree, but oaks have greater bandwidth to work with. In other words, it must require a greater DDoS attack on a segment of the system to engender a DDoS effect within the system than would be required to achieve an equal DDoS effect on the nodes within the system individually.

You would certainly have to satisfy all of these requirements for a P2P IDS to work effectively. On a corporate network that has multiple points of access to external networks on multiple sites (typically an extranet-type arrangement), you could probably set up something like this without too much difficulty. However, the problem is so small and constrained, you don't need a generic solution, so there are probably better methods anyway.

Now, doing something like this over any significant federated network of networks like the Internet, that would be a much harder problem. It might very well be that there is no solution that meets all of the constraints in such an environment. That would be interesting to determine. Even if the constraints can be satisfied, the enormous problems and potential weaknesses within such a system would make it very hard to implement in a way that was impervious to self-inflicted wounds.
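jd's tiers (log, then fingerprint and block, then redirect to a honeypot) and the earlier worry that a single fooled or compromised node could push the whole network into a self-inflicted DoS can be combined in one escalation policy. The following is an added example written for this page; it is not the UC Davis code and not anything posted in the thread. Three design choices carry the argument: the stimulus is the number of distinct reporting sites, so a node that repeats itself a hundred times counts once; nothing happens below a quorum chosen from an assumed upper bound on untrusted nodes; and escalation is logarithmic in the stimulus, so doubling the reports moves the response up one tier rather than doubling it. The node count, the untrusted fraction, the fingerprint function and the sample reports are all constructed assumptions.

```python
import hashlib
import math
from collections import defaultdict

# Response tiers, from least to most disruptive (following the outline above)
LEVELS = ("ignore", "log", "block_fingerprint", "redirect_to_honeypot")


def attack_fingerprint(dst_port: int, payload: bytes) -> str:
    """Coarse signature of a suspicious packet: destination port plus a hash of
    the first 32 payload bytes. Constructed for this example; a deployed system
    would use whatever the local IDS already emits."""
    digest = hashlib.sha256(payload[:32]).hexdigest()[:16]
    return f"{dst_port}/{digest}"


class EscalationPolicy:
    def __init__(self, total_nodes: int, max_untrusted_fraction: float = 0.2):
        # Assumed bound on compromised + malicious + misconfigured nodes.
        # The quorum is strictly larger, so those nodes acting together still
        # cannot move the policy off "ignore".
        self.quorum = math.floor(total_nodes * max_untrusted_fraction) + 1
        self._sites = defaultdict(set)  # fingerprint -> distinct site ids

    def report(self, site_id: str, fingerprint: str) -> None:
        # A site is counted once per fingerprint however often it reports.
        self._sites[fingerprint].add(site_id)

    def distinct_sites(self, fingerprint: str) -> int:
        return len(self._sites.get(fingerprint, ()))

    def level(self, fingerprint: str) -> str:
        n = self.distinct_sites(fingerprint)
        if n < self.quorum:
            return LEVELS[0]
        # Sublinear escalation: each doubling of n beyond the quorum is one tier,
        # capped at the top tier.
        tier = 1 + int(math.log2(n / self.quorum))
        return LEVELS[min(tier, len(LEVELS) - 1)]

    def action(self, fingerprint: str) -> str:
        """Human-readable action for the current tier (hypothetical wording)."""
        port = fingerprint.split("/", 1)[0]
        return {
            "ignore": "no action",
            "log": f"log packets matching {fingerprint}",
            "block_fingerprint": f"drop packets matching {fingerprint}",
            "redirect_to_honeypot": f"redirect port {port} to honeypot",
        }[self.level(fingerprint)]


if __name__ == "__main__":
    policy = EscalationPolicy(total_nodes=20)            # quorum = 5
    fp = attack_fingerprint(445, b"\x00\x00\x00\x85\xffSMB")  # constructed bytes
    for _ in range(100):                                 # one noisy site, 100 reports
        policy.report("site-7", fp)
    print(policy.distinct_sites(fp), policy.level(fp))   # 1 ignore
    for i in range(20):                                  # 20 distinct sites
        policy.report(f"site-{i}", fp)
        print(policy.distinct_sites(fp), policy.level(fp))
    print(policy.action(fp))
```

With 20 nodes and a 20% untrusted bound the quorum is 5: five distinct sites reach "log", ten reach "block_fingerprint", twenty reach "redirect_to_honeypot", and forty stay there. A real deployment would add a time window so that stale reports age out and hysteresis so the tier does not flap, neither of which is shown here.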

Re:Not so fast... (1)

whiteworm (1452871) | more than 5 years ago | (#26454585)

Actually I can tell what it is, as one of the authors (& for those who don't feel the need to check the paper) -- no distribution of code, or patching systems, etc. It's a distributed anomaly detector, that meters connectivity for suspicious connections. -JMA

Re:Not so fast... (1)

orclevegam (940336) | more than 5 years ago | (#26454985)

In other words it's a monitoring tool, nothing more. Useful, but also dangerous in the wrong hands. Would be difficult to scrub the data such that it doesn't violate privacy, but still provides enough info to be useful.

It also wouldn't help against distributed C&C bot nets, as those by definition don't have any one point of contact, but rather a great deal of contact among all the nodes. Without some sort of deeper inspection at both the data layer and the application layer, although this might catch some of the malware out there (and that does give the idea some merit), it wouldn't catch most, or even, I fear, much.

Re:Not so fast... (1)

Ihmhi (1206036) | more than 5 years ago | (#26456995)

Has Windows Update ever been compromised? It's a tortuously slow system in a similar vein, but I can't recall ever reading about malware being distributed via Windows Update (unless you count WGA ^.~ )

Sooo... (4, Insightful)

gblackwo (1087063) | more than 5 years ago | (#26452497)

What is the zero-day defense protocol for the zero-day defense software?

Re:Sooo... (1)

phagstrom (451510) | more than 5 years ago | (#26452893)

It's not needed, because the zero-day defense software will be perfect - duh.

You're obviously right on point. This is only a good idea, if the software was perfect. But we wouldn't need this "perfect" software, if software was perfect....and around and around we go.

Re:Sooo... (1)

orclevegam (940336) | more than 5 years ago | (#26455211)

It all comes down to GIGO. The software can only be as perfect as the person using it. Of course, the definition of perfect is also arbitrary and worse still, subjective.

Linux Causes Woman to Drop Out of College (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#26452499)

One for the Lunix fagboys who think Lunix is "ready for the desktop". Here is a real-world example of the inadequacies of Linux when doing perfectly normal stuff in the real world:

http://www.wkowtv.com/global/story.asp?s=9667184&ClientType=Printable [wkowtv.com]

27 News Troubleshooter: Woman says Dell computer kept her from taking online classes

Posted: Jan 13, 2009 03:42 PM

MCFARLAND (WKOW) -- Abbie Schubert paid more than $1,100 for a Dell laptop hoping to enroll in online classes at MATC.

But something stopped her: Ubuntu.

That's an operating system for your computer similar to Windows that runs off the Linux system.

Schubert says she ordered her laptop online at Dell.com expecting to buy your classic bread-and-butter computer.

She didn't realize until the next morning her laptop defaulted to the Ubuntu operating system.

"It's been a mess," she said. "I regret ordering the computer."

Schubert says she never heard of Ubuntu before learning that's what she accidentally bought. She called Dell the very next day and says the representative told her there was still time to change back to Windows.

But she says Dell discouraged her.

"The person I was talking to said Ubuntu was great, college students loved it, it was compatible with everything I needed," said Schubert.

So she stuck with it.

Later, she discovered Ubuntu might look like Windows, but it doesn't always act like it.

Her Verizon High-Speed Internet CD won't load, so she can't access the internet. She also can't install Microsoft Word, which she says is a requirement for MATC's online classes.

As a result, with no internet and no Microsoft Word, Schubert dropped out of MATC's fall and spring semesters.

She also says Dell claimed it was now too late to get Windows and any changes she made herself would void her warranty.

"I'm extremely frustrated," said Schubert. "I wanted to get back to school, but I needed a computer to be able to do that."

27 News contacted Dell, but the company has not responded to us yet.

However, we think we've helped her get back to school.

Verizon says it will dispatch a technician to try to assist her accessing the internet without using the Windows-only installation disk.

MATC also says it promises to accept any of Schubert's papers or class documents using whatever software she has installed.

Re:Linux Causes Woman to Drop Out of College (2, Insightful)

gblackwo (1087063) | more than 5 years ago | (#26452599)

I have to giggle whenever someone thinks they need some sort of Verizon High Speed Internet CD to use the internet.

It's almost as funny as the people who use AOL because it is the "internet" even though they are just hooked into a router and cable modem like everyone else. - this used to be acceptable when people used AOL's dialup service (or shudder- continue to use it)

Re:Linux Causes Woman to Drop Out of College (1)

Ethanol-fueled (1125189) | more than 5 years ago | (#26453057)

But it's very possible that the person is using a USB HSDPA [vzw.com] adapter which may need proprietary windows-only software to connect to the network.

Though I'm sure the troll was just trying to be funny in saying that the computer needed a verizon CD and MS Word(uh, OO.o anybody?) to do schoolwork.

Re:Linux Causes Woman to Drop Out of College (1)

johnsonav (1098915) | more than 5 years ago | (#26453945)

Though I'm sure the troll was just trying to be funny in saying that the computer needed a verizon CD and MS Word(uh, OO.o anybody?) to do schoolwork.

Sadly, that's a real news story. It's funny, but all too true. I'm from Wisconsin, and I died a little inside when I read this story on another site.

Re:Linux Causes Woman to Drop Out of College (2, Interesting)

Chabo (880571) | more than 5 years ago | (#26454391)

And I cry any time a school says it requires a piece of software that can only run on one OS.

Then again, at my school the standard response would've been "there are plenty of cluster computers available all over campus, if yours won't run the necessary software."

Re:Linux Causes Woman to Drop Out of College (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#26452619)

Well, a stupid bitch like her shouldn't even be allowed to own a computer!

Re:Linux Causes Woman to Drop Out of College (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#26452985)

So says the guy who has never gotten any pussy in his life and loves the taste of dick.

Re:Linux Causes Woman to Drop Out of College (-1, Troll)

Anonymous Coward | more than 5 years ago | (#26453047)

If he truly loved the taste of dick then not getting pussy isn't much of an insult.

Re:Linux Causes Woman to Drop Out of College (0)

Anonymous Coward | more than 5 years ago | (#26453725)

Minor pedantry - parent's post is more "Offtopic" than "Troll". Just like how this post should be modded Offtopic.

Re:Linux Causes Woman to Drop Out of College (2, Insightful)

pipboy9999 (1088005) | more than 5 years ago | (#26452997)

While I don't agree with the way this was put, I do agree that if this lady wasn't smart enough to do the research and double check her order before pushing "check out" then it's not really Ubuntu's fault she bought something that does not meet her requirements.

What to tell your boss (4, Funny)

MrEricSir (398214) | more than 5 years ago | (#26452513)

"I'm not pirating movies... I'm protecting the network!"

Re:What to tell your boss (1)

CDMA_Demo (841347) | more than 5 years ago | (#26453583)

"I'm not pirating movies... I'm protecting the network!"

Baws: "Yea, but who's paying for it?" Welcome to capitalism.

fuckin indians (-1, Troll)

Anonymous Coward | more than 5 years ago | (#26452605)

go back home!

Cheap defense? (1, Interesting)

the_humeister (922869) | more than 5 years ago | (#26452639)

How about "disconnect it from the network."? That's the cheapest one I can think of.

Re:Cheap defense? (1)

vux984 (928602) | more than 5 years ago | (#26453287)

How about "disconnect it from the network."? That's the cheapest one I can think of.

Now, do you have any solutions to network security that, you know, actually let me use the network?

You seem like the type that would propose shooting someone in the face is a good inexpensive way to ensure someone with cancer doesn't die of cancer, with the added benefit that they won't have to worry about their heart condition any more either.

I sincerely hope you aren't a doctor.

Re:Cheap defense? (1)

the_humeister (922869) | more than 5 years ago | (#26453625)

Nice strawman. BTW, I am a doctor. Some people just don't know a joke when they see one.

Re:Cheap defense? (1)

vux984 (928602) | more than 5 years ago | (#26454649)

Nice strawman

Thanks.

Some people just don't know a joke when they see one.

Look in the mirror. ;)

Re:Cheap defense? (1)

the_humeister (922869) | more than 5 years ago | (#26455641)

touché

Flimsy (3, Insightful)

sean_nestor (781844) | more than 5 years ago | (#26452717)

I can't think of any way this could fail gracefully. If this system was compromised, it'd be a powerful way to disrupt network traffic and take down important systems that happen to run it.

"It depends on the number of events and the number of computers polled, but if there is a sufficient number of such samples, you can say with some degree of certainty that it is a worm," Cheetancheri says. For that decision, the software uses a well-established statistical technique called sequential hypothesis testing, he says.

I'm also skeptical that you could rely on a vast network of machines that have presumably fallen prey to an attack to share information between each other fast enough to correctly diagnose an attack with the kind of results the researcher seems hopeful of.

Given that no method for correctly identifying "malicious" code 100% of the time currently exists, I don't think it's wise to allow a software program to run with the decision of shutting a machine down on notice of a perceived threat.

The concept seems like an interesting idea, but I doubt it could be terribly effective in practice.
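The sequential hypothesis test quoted above is Wald's sequential probability ratio test (SPRT). What follows is an added example for this page, not code from the UC Davis project, the article, or anyone in the thread: it runs the test twice, first on a host's own failed-connection observations (a scanning worm hits many dead addresses, so failures are the positive signal) and then on the yes/no answers a host collects when it polls peers about an anomaly, which is the "number of computers polled" decision in the quote. The rates theta0 and theta1, the error bounds alpha and beta, the connection log and the peer answers are all constructed assumptions; the thresholds are Wald's standard ones.

```python
import math
from dataclasses import dataclass


@dataclass
class SPRT:
    """Wald's sequential probability ratio test over Bernoulli observations.

    theta0: P(observation is positive | H0, benign)
    theta1: P(observation is positive | H1, worm)
    alpha:  tolerated false-positive rate; beta: tolerated false-negative rate
    All four are assumptions chosen for this example.
    """
    theta0: float
    theta1: float
    alpha: float = 0.01
    beta: float = 0.01

    def __post_init__(self):
        # Wald's decision thresholds, kept in log space
        self.upper = math.log((1 - self.beta) / self.alpha)  # accept H1 (worm)
        self.lower = math.log(self.beta / (1 - self.alpha))  # accept H0 (benign)

    def step(self, positive: bool) -> float:
        """Log-likelihood-ratio contribution of one observation."""
        if positive:
            return math.log(self.theta1 / self.theta0)
        return math.log((1 - self.theta1) / (1 - self.theta0))

    def run(self, observations):
        """Consume observations until a threshold is crossed.

        Returns (verdict, samples_used); verdict is 'worm', 'benign', or
        'undecided' if the observations ran out first.
        """
        llr = 0.0
        n = 0
        for obs in observations:
            n += 1
            llr += self.step(obs)
            if llr >= self.upper:
                return "worm", n
            if llr <= self.lower:
                return "benign", n
        return "undecided", n


# Stage 1, local detector: observation = "did this outbound connection fail?"
LOCAL = SPRT(theta0=0.2, theta1=0.8, alpha=0.01, beta=0.01)

# Stage 2, peer poll: observation = "did the polled peer also flag this anomaly?"
# theta0 is the background rate at which a benign peer's detector fires anyway.
PEER_POLL = SPRT(theta0=0.05, theta1=0.7, alpha=0.001, beta=0.05)


def local_verdict(connection_log):
    """connection_log: iterable of (destination, succeeded) pairs from the host firewall."""
    return LOCAL.run(not ok for _, ok in connection_log)


def distributed_verdict(peer_answers):
    """peer_answers: iterable of booleans, one per polled peer, in poll order."""
    return PEER_POLL.run(peer_answers)


if __name__ == "__main__":
    # Constructed sample data, not captured traffic.
    scan_like = [(f"10.0.0.{i}", False) for i in range(1, 7)]
    normal = [("10.0.0.1", True), ("10.0.0.2", True), ("10.0.0.3", False),
              ("10.0.0.4", True), ("10.0.0.5", True), ("10.0.0.6", True)]
    print(local_verdict(scan_like))                              # ('worm', 4)
    print(local_verdict(normal))                                 # ('benign', 6)
    print(distributed_verdict([True, True, False, True, True]))  # ('worm', 5)
    print(distributed_verdict([False, False, False]))            # ('benign', 3)
```

The point the sceptical comments above are making shows up directly in the parameters: with alpha = 0.01 the local test needs only four consecutive failed connections to say "worm", and a poll of five peers is enough when four of them agree. Whether the host is allowed to act on that verdict, rather than just raise it, is a separate policy decision that the test itself does not make.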

Re:Flimsy (1)

Migraineman (632203) | more than 5 years ago | (#26453389)

The response of the security bot-net is even worse. It's an algorithmic evaluation of cost tables.

That cost-benefit analysis would be simple to carry out, but network executives would have to determine the monetary costs and enter them into the software configuration so it can do its calculations.

End users would not program or modify the core detection engine. We don't want to have humans in the loop.

So, it'll go something like this: The CEO/VP/Regional Manager is working on a contract bid that absolutely has to go out the door by 4pm today. His network connection abruptly drops, then he's forcefully logged off.
Exec: [calls IT desk] My computer just crapped out!
ITDesk: Yeah, seems your machine was tagged for anomalous behavior.
Exec: It's critical that my account be reactivated.
ITDesk: I don't think I can do that. The system is fully automated.
Exec: Do you think you can stop by HR to pick up your severance check?

Re:Flimsy (1)

Chabo (880571) | more than 5 years ago | (#26454595)

My school's network actually worked somewhat like this. If "worm-like activity" was found, then it would kick you off the network automatically, and have you complete a checklist saying you'd performed a virus check, and things like that.

If you were found to still be infected (usually because you lied about actually doing a virus check), you couldn't get back on without an IT rep checking your computer (usually within a few hours if you needed them to come to you; pretty good for a public school I thought).

That system wasn't too bad; it helped prevent the spread of malware without being a major inconvenience if you were infected. That is, as long as it was a weekday. Boy, was it a pain to have the system catch a false positive (caused by having my max number of BitTorrent connections too high) on Friday at 7PM. But that's not an issue in an office environment.

Re:Flimsy (1)

Migraineman (632203) | more than 5 years ago | (#26456189)

> But that's not an issue in an office environment.

Tell that to the guy in the next cube. I believe he's running an internet business from there. (Honestly. I keep hearing him on the phone ... brokering the sale of horses. We manufacture electronics.)

Oh, yeah. It is going to work. (1)

140Mandak262Jamuna (970587) | more than 5 years ago | (#26452721)

The malware is so sophisticated nowadays, they evade detection from local monitors. Somehow getting more data from remote computers will help you detect the malware? Come on, Senthil it is not going to work.

Will never happen. (5, Interesting)

girlintraining (1395911) | more than 5 years ago | (#26452723)

Detecting anomalies requires a baseline of what "normal" is. That means surrendering information about the type and nature of traffic being received by your computer (and possibly sent as well). It's a privacy problem that not many people will commit to. And businesses will be even more reluctant to surrender such information. That said, an aggregate of several hundred thousand firewall logs would be an asset to many organizations and individuals. For this reason, it will never be free... The moment someone realizes there is a monetary value in what they're doing, they will attempt to capitalize on it. So, effectually, what this project is asking you to do is give them your private, personal data, so they can turn a buck under the pretense of fighting those big bad evil hackers. Isn't the market already pretty crowded with the fear-mongers, anti-virus, anti-malware, anti-anti-anti businesses?

Also, this is not a defensive product. A defense requires the ability to resist or avoid an attack. Nothing about this scheme suggests it would provide that to the end-user. It is more of a "zero day surveillance" system than anything. It's a digital cow bell. Moo, ding ding, moo. The only problem is the cow moves at the speed of light and can replicate a few thousand times a second (conservatively). Don't ask about the milk. x_x

Re:Will never happen. (0, Offtopic)

Shakrai (717556) | more than 5 years ago | (#26452815)

Don't ask about the milk. x_x

Can you get it in skim? I gotta watch my geeky figure.....

Re:Will never happen. (1)

whiteworm (1452871) | more than 5 years ago | (#26454799)

> Detecting anomalies requires a baseline of what "normal" is.

Yes, and this is done by each machine, so there is no exchange of information particular to the machine. Pls read the paper. One of the authors -jma

Nice try, but... (1)

russotto (537200) | more than 5 years ago | (#26452749)

Your typical problems with security programs are

1) Blocking behavior which should be permitted and
2) Not blocking behavior which should be forbidden.

This adds the potential for

3) Enabling behavior which should be forbidden.

Is there one of those snarky standard forms for this?

Re:Nice try, but... (1)

ad0n (1171681) | more than 5 years ago | (#26453155)

you left out:
4) Profit !!!

Patents! (1)

troll8901 (1397145) | more than 5 years ago | (#26452775)

I'm pretty sure we can modify some existing patents to apply to distributed firewalls.

US Patent Application 20080250497 [freepatentsonline.com] : Statistical method and system for network anomaly detection

"Whatever concept a person can think of, there will be a patent either active, being applied, or being prepared to include new concept." -- Troll

---

There's also some other related studies.

Modular Strategies for Internetwork Monitoring [umich.edu] , which "addresses the longstanding and difficult problem of detecting and classifying spatially distributed network anomalies from multiple monitoring sites on the Internet".

The end of the web in 3.. 2.. 1.. (1)

gmuslera (3436) | more than 5 years ago | (#26452891)

Just wait till that distributed firewall "decide" (bug, intrusion, feeding patterns, whatever) to block the port 80.

Re:The end of the web in 3.. 2.. 1.. (0)

Anonymous Coward | more than 5 years ago | (#26452993)

Let's call it a functional system once it 'learns' to block *.microsoft.com

Won't work under Ninnle! (0)

Anonymous Coward | more than 5 years ago | (#26452917)

Both Ninnle Linux and NinnleBSD are far too secure.

Re:Won't work under Ninnle! (0)

Anonymous Coward | more than 5 years ago | (#26453339)

It's a good thing googling for either of those only comes up with slashdot posts. You wouldn't want to actually be helpful, now would you?

Re:Won't work under Ninnle! (1)

jpyeck (1368075) | more than 5 years ago | (#26454233)

Not only is this troll-nonsense, it is a Slashdot-only troll-nonsense!

ninnle linux -slashdot [google.com] is a "Google Whack"! (if you stretch the rules a bit)

Could work on large corporate-type networks (3, Informative)

sweatyboatman (457800) | more than 5 years ago | (#26453073)

The summary is misleading in that this isn't proposed as a defense. This is an early-warning system for detecting compromised machines on a network.

This isn't going to run on every computer in the world. Think of a corporate network with thousands of machines with fairly homogeneous usage. This could alert the sysadmin to a worm infection when the number of machines is numbered in the tens.

And since all it's doing is monitoring it shouldn't present a security risk (if well designed) greater than any P2P client.
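The idea in the two comments above (each host keeps its own baseline and only a yes/no anomaly flag is shared; an alarm fires once the count of flagging hosts reaches the tens) can be sketched in a few lines. This is an added illustration, not code from the UC Davis project or from any commenter; the host names, the 5-7 connections-per-minute baseline, the z-score rule and the thresholds are all constructed for the demo.

```python
"""Toy peer-to-peer early-warning scheme (constructed illustration).

Each host computes a private baseline of outbound connection counts and
gossips only a boolean "I look anomalous" flag. A worm that makes many
hosts scan at once shows up as many simultaneous flags, while a single
odd host stays below the fleet-wide threshold.
"""
from statistics import mean, pstdev
from typing import Dict, List


class HostSensor:
    """Per-host baseline of outbound connections per minute (hypothetical metric)."""

    def __init__(self, name: str, history: List[int], z_threshold: float = 3.0):
        if len(history) < 2:
            raise ValueError("need at least two baseline samples")
        self.name = name
        self.mu = mean(history)
        # Floor the deviation so a perfectly flat baseline cannot divide by zero
        # or flag a one-connection wobble as an attack.
        self.sigma = max(pstdev(history), 1.0)
        self.z_threshold = z_threshold

    def is_anomalous(self, observed: int) -> bool:
        """Flag only when the observation is far above this host's own baseline."""
        z = (observed - self.mu) / self.sigma
        return z > self.z_threshold


def gossip_round(sensors: List[HostSensor], observations: Dict[str, int]) -> Dict[str, bool]:
    """Each host reports a bare boolean; counts and destinations never leave the host."""
    return {s.name: s.is_anomalous(observations[s.name]) for s in sensors}


def worm_alert(flags: Dict[str, bool], min_hosts: int) -> bool:
    """Alarm once at least min_hosts peers flag an anomaly in the same round."""
    return sum(flags.values()) >= min_hosts


def build_fleet(n_hosts: int) -> List[HostSensor]:
    # Constructed baseline: every host normally makes 5-7 outbound connections/min.
    return [HostSensor(f"host{i:03d}", [5, 6, 7, 5, 6]) for i in range(n_hosts)]


def simulate(n_hosts: int, infected: int, min_hosts: int):
    """Return (number of flagging hosts, whether the fleet-wide alarm fired)."""
    fleet = build_fleet(n_hosts)
    # Constructed observation: infected hosts scan at 60 conn/min, the rest stay normal.
    obs = {s.name: (60 if i < infected else 6) for i, s in enumerate(fleet)}
    flags = gossip_round(fleet, obs)
    return sum(flags.values()), worm_alert(flags, min_hosts)


if __name__ == "__main__":
    print("12 of 1000 infected, threshold 10:", simulate(1000, 12, 10))
    print(" 3 of 1000 infected, threshold 10:", simulate(1000, 3, 10))
```

The threshold is what keeps a single misbehaving host (or a single poisoned peer) from triggering the alarm; it is also the knob an operator would tune against the homogeneity of the fleet, since a less uniform population needs a higher count before "many hosts deviating" means anything.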

Reinventing the wheel... (0)

Anonymous Coward | more than 5 years ago | (#26458635)

Nothing to see here... This is already done @ Symantec with DeepSight, with TrustedSource @ Secure Computing/McAfee, and @ SANS with DShield.

Look for Symantec and McAfee to integrate this deeper into their products soon.

This already exists (4, Informative)

charlesnw (843045) | more than 5 years ago | (#26453121)

It's called dshield: http://isc.sans.org/howto.html [sans.org]

Re:This already exists (1)

value_added (719364) | more than 5 years ago | (#26453435)

It's called dshield: http://isc.sans.org/howto.html [sans.org]

That was my first thought, although that may not be entirely accurate. As for dshield, noticed the other day there's what appears to be a new link on the Spamhaus [spamhaus.org] page that reads

Consumer Alerts
Is your PC infected or part of a "botnet"?
Check it Here

Humorous aspects aside, it links to some sort of dshield copy-cat setup run by mynetwachman.com. Never heard of them personally, but the more the merrier. A community-based effort to solve a community-wide problem is sound in principle, and doubtless better than clamoring for new laws or regulations which typically brings unanticipated consequences to the mix.

Re:This already exists (1)

whiteworm (1452871) | more than 5 years ago | (#26454903)

No, it's not dshield. It has nothing to do with sharing logs or firewalls. The concept is an entirely distributed anomaly detector. Please read the paper.

I have a better zero day defense... (0, Flamebait)

rmallico (831443) | more than 5 years ago | (#26453213)

install linux...

Re:I have a better zero day defense... (0)

Anonymous Coward | more than 5 years ago | (#26453263)

because there are never 0-days against the linux kernel or the daemons and software it runs?

Re:I have a better zero day defense... (0)

Anonymous Coward | more than 5 years ago | (#26453317)

There is such a thing as 0day exploits for Linux, and not every program on a Linux system is perfect.

A Cheap, Distributed Zero-Day Defense? (4, Insightful)

Thaelon (250687) | more than 5 years ago | (#26453333)

A Cheap, Distributed Zero-Day Defense?

User education.

Re:A Cheap, Distributed Zero-Day Defense? (0)

Anonymous Coward | more than 5 years ago | (#26453605)

I loled

Re:A Cheap, Distributed Zero-Day Defense? (2, Funny)

Lord Ender (156273) | more than 5 years ago | (#26454497)

I think you misread "Cheap, Distributed Zero-Day Defense" as "expensive, ineffective, and slow defense."

More difficult than it sounds (1)

__roo (86767) | more than 5 years ago | (#26453399)

I recently interviewed security researcher Michael Collins for Beautiful Teams [amazon.com] (a book I'm finishing for O'Reilly) about work he'd done at CERT working on SiLK [cert.org] , a collection of traffic analysis tools. From talking to him, it sounds like this is an enormously difficult problem to solve. His work involved modeling "normalcy" as a baseline to detect anomalies using an enormous amount of data spit out of edge routers. When I asked, "So your goal was to look at the data from routers, and just by looking at the gigabytes of daily data from router logs you can detect successful and unsuccessful attempts at intrusion?", he said, "That's the Holy Grail." (We'll be printing the whole interview, if you're curious to see it.) TFA was light on details -- if they managed to make some headway towards solving this problem, that would be amazing. But from what we talked about, it sounds like simply finding anomalies after the fact using a huge amount of data turns out to be enormously difficult. Doing it in real time seems ... well, let's just say that I'm skeptical.

Easier than it sounds, actually (1)

davecb (6526) | more than 5 years ago | (#26455357)

One part of this is just the "it was in yesterday's activity log" test. If you have data from a period leading up to a problem, set-subtract the previous activity from the activity on the day of the crash to get just the new, unexpected activity. That's the material you should be looking at.

For syslog, this can be implemented with an awk script: there's an example in "Sherlock Holmes on Log Files", at http://datacenterworks.com/stories/antilog.html [datacenterworks.com]

--dave
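The "it was in yesterday's activity log" test from the comment above, written out as an added example (not the awk script from the linked article, and not the commenter's code): normalize away the fields that change from run to run, then set-subtract the baseline day's lines from the incident day's. The log lines, host name and regexes are constructed for the demo.

```python
"""Set-subtract a baseline day's syslog from the incident day's (added example)."""
import re
from typing import Iterable, List

# Syslog prefix "Mon DD HH:MM:SS host " changes every line; drop it before comparing.
_TS = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ ")
# Process ids and ephemeral client ports vary between otherwise identical events.
_PID = re.compile(r"\[\d+\]")
_PORT = re.compile(r"\bport \d+\b")


def normalize(line: str) -> str:
    """Reduce a syslog line to the part that is stable from day to day."""
    line = _TS.sub("", line.rstrip("\n"))
    line = _PID.sub("[PID]", line)
    return _PORT.sub("port N", line)


def novel_lines(baseline: Iterable[str], today: Iterable[str]) -> List[str]:
    """Return today's lines whose normalized form never appeared in the baseline."""
    seen = {normalize(l) for l in baseline}
    return [l.rstrip("\n") for l in today if normalize(l) not in seen]


# Constructed sample logs for the demo (not real data).
YESTERDAY_LOG = [
    "Jan 14 03:15:01 web1 CRON[1123]: (root) CMD (run-parts /etc/cron.hourly)",
    "Jan 14 03:17:44 web1 sshd[1150]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2",
    "Jan 14 04:00:00 web1 ntpd[880]: kernel time sync status 2001",
]
TODAY_LOG = [
    "Jan 15 03:15:01 web1 CRON[2311]: (root) CMD (run-parts /etc/cron.hourly)",
    "Jan 15 03:21:09 web1 sshd[2340]: Accepted publickey for alice from 10.0.0.5 port 49210 ssh2",
    "Jan 15 03:52:37 web1 sshd[2398]: Accepted publickey for deploy from 10.0.0.99 port 40011 ssh2",
    "Jan 15 04:00:00 web1 ntpd[880]: kernel time sync status 2001",
    "Jan 15 04:03:12 web1 kernel: [12345.678] usb 1-1: new high-speed USB device number 4 using ehci_hcd",
]

if __name__ == "__main__":
    # Only the new account login and the new USB device survive the subtraction.
    for line in novel_lines(YESTERDAY_LOG, TODAY_LOG):
        print(line)
```

The value of the technique is entirely in the normalization step: too little and every line is "new" because of its timestamp; too much and a genuinely new event collapses onto a baseline line. In practice the baseline would be several days of logs rather than one, so that weekly jobs do not show up as anomalies.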

what a useless article (1)

slashdotmsiriv (922939) | more than 5 years ago | (#26453417)

So where is the paper/thesis/documentation of any type whatsoever that describes their p2p solution?

Collaborative p2p worm containment has been around forever; what does Senthil Cheetancheri's proposal have to offer over previous work?

A small subset of prior work that does exactly what the clueless article says they do:

http://gridsec.usc.edu/wormshield/ [usc.edu]
http://research.microsoft.com/apps/pubs/default.aspx?id=66830 [microsoft.com]

PS: I doubt Senthil's research reinvents the wheel but I would appreciate an actual link to his work from the /. story.

Re:what a useless article (1)

slashdotmsiriv (922939) | more than 5 years ago | (#26453539)

And to answer my own question (hate doing it on /. but somebody has to set the record straight).

http://scholar.google.com/scholar?hl=en&q=Senthil%20Cheetancheri&um=1&ie=UTF-8&sa=N&tab=ws [google.com]

There is no published work on his so called groundbreaking research:

http://scholar.google.com/scholar?hl=en&lr=&q=Senthil%20Cheetancheri&um=1&ie=UTF-8&sa=N&tab=ws [google.com]

I would expect much higher story verification standards by Cmdr Taco and NetworkWorld

Another related actually high profile published work on the subject:
http://portal.acm.org/citation.cfm?id=1159961 [acm.org]

Re:what a useless article (0)

Anonymous Coward | more than 5 years ago | (#26454697)

FTFA:

So far no one he knows of is working on commercializing the idea.

Re:what a useless article (2, Insightful)

whiteworm (1452871) | more than 5 years ago | (#26455163)

Yes, I'll agree the article isn't revealing. The difference between our work and "Autograph" type approaches that WormShield builds on is that we are doing traffic anomaly detection and these more involved approaches attempt to automatically build a signature. The paper is available (only, sigh) from Springer, in "Recent Advances in Intrusion Detection 11th International Symposium", RAID 2008, Cambridge, MA, USA. -JMA

I know of better defense! (1)

LunarEffect (1309467) | more than 5 years ago | (#26453459)

*Puts on tinfoil hat*

Operator Law (1)

kenp2002 (545495) | more than 5 years ago | (#26453855)

Ken's OPERATOR Law

Any given population, in an effort to coordinate, will have a given number of contrarians who, for no purpose other than avoiding conforming to the norm, will intentionally provide and contribute false information to the collective. This can be exhibited in the children's game 'operator': starting with a message and retelling it down the line. While in small populations the deviation from the original message is minor, the larger the population, the larger the deviation tends to get. But when comparing a wide variety of game sessions one can readily see that there will always be some little shit that screws the message up intentionally.

In a social network it is apparent that an incredibly small number of people can populate false information quickly to the population. In this, peer review moves SLOWER than misinformation, as the network of trust must oust the false information.

IN ENGLISH: YOU CAN MAKE SHIT UP FASTER THAN YOU CAN DISPROVE BULLSHIT.

5 hackers could easily poison a P2P defense with false positives and use that very same P2P defense to automatically modify attacks to avoid detection QUICKER than peers can review it and flag it as bullshit.

It is far too late for that (1)

0xdeadbeef (28836) | more than 5 years ago | (#26453887)

There is no defense against "zero day". The script kiddie misappropriation of warez d00d slang is now so embedded in the nomenclature that even legitimate security researchers are using it.

Re:It is far too late for that (1)

Belial6 (794905) | more than 5 years ago | (#26454923)

That's what I was thinking. The first time I heard zero day was with the DirecTV attack on illegally hacked satellite boxes. The reason it was called zero-day was because DirecTV sent little pieces of code that didn't do anything malicious in small segments. This resulted in the hackers ignoring each little piece of code. After all, the code didn't do anything harmful. Then on Superbowl Sunday, when the absolute highest quantity of hacked boxes would be running, they sent the last little bit of code that by itself didn't do anything harmful, but assembled all the other bits of code into a routine that literally fried the access cards. As I understand it, it actually put a burn hole in some of them. The term zero-day was used because the plan to burn the access cards was put in place long before the attack, and it took many small set-up attacks to prep the system for the day that their countdown reached zero.

Now, it seems that zero-day just means malware. Anyone know if there is a previous usage of the term before DirecTV?

Re:It is far too late for that (1)

0xdeadbeef (28836) | more than 5 years ago | (#26455389)

It originally meant having a crack available for the copy protection of a piece of software on the day of its release (the zero day, being more impressive than the day after, or three weeks later). The script kiddies started using it to refer to any type of exploit because it sounded cool, so it has now been rationalized to refer to an exploit for which there is no patch available, regardless of how long the software has been out or how long the exploited flaw has been known.

Re:It is far too late for that (1)

Belial6 (794905) | more than 5 years ago | (#26456213)

Ah yes. I do recall it being used like that now.

It sounds to me like... (1)

Logical Zebra (1423045) | more than 5 years ago | (#26453897)

...this is a great way to cause the opposite effect of a technological singularity [wikipedia.org] .

Now works for SonicWall, eh? (1)

kwabbles (259554) | more than 5 years ago | (#26453931)

Knowing SonicWall, this will be a feature in next year's product line - except it will only "work" between other SonicWall products. It won't actually do anything, but they'll claim that it does - yet they won't provide any technical details (let alone source code) on the inner workings.

Re:Now works for SonicWall, eh? (1)

monkeySauce (562927) | more than 5 years ago | (#26454673)

Close... it will appear in the routers as an unlockable feature for an additional, annual license fee.

sonicwall blows.

Re:Now works for SonicWall, eh? (1)

kwabbles (259554) | more than 5 years ago | (#26455091)

And when you get your annual renewal feature key - you'll go to type it in and submit it, but it won't be able to authenticate the license key. So, you'll have to call SonicWall for a 100-character manual license key and sit on hold forever listening to that damned SonicWall hold music.

Now I've got it stuck in my head.

Ta ta ta ta... ta ta ta ta... doo doo dee dooo dee doooo dee dooo... ta ta ta ta... ta ta ta ta... doo doo dee dooo dee doooo dee dooo... ta ta ta ta... ta ta ta ta...

I'm glad everyone here had the same first thought (0)

Anonymous Coward | more than 5 years ago | (#26454167)

"If this was exploited, all hell would break loose"...

So if this is patently obvious, what have UC Davis (a good institution) got here?

Something incredibly clever, or a Prof that ran with a dumb idea?

ACTNet (1)

rtechie (244489) | more than 5 years ago | (#26454843)

There are a number of products that already do this. ACTNet [gews.com] , which is part of ActiveScout, does something very similar to this. And it's patented.

Attack information is uploaded to a central server from individual appliances. Appliances then check the central server for a list of "known attackers" and automatically block them if they attempt to access the protected network. The concept is similar to Realtime Blackhole Lists for spammers.

Run foul of the law (1)

Nethemas the Great (909900) | more than 5 years ago | (#26455301)

You know, this sounds somewhat similar to the plan already devised that would fall foul of the law [slashdot.org] to remedy the Storm.

Trollko8e (-1, Troll)

Anonymous Coward | more than 5 years ago | (#26455639)

surv1ve at a7l

Remember BlueFrog! (1)

benjfowler (239527) | more than 5 years ago | (#26456093)

We all know that malware criminals and fraudsters are sociopaths.

A risk of a peer-to-peer zero day malware shield (besides being cracked and exploited by criminals), is that it could turn out to be a success. As we saw with BlueFrog, a lot of criminals are completely morally bankrupt, and will do absolutely anything to preserve their illegal business models.

BlueFrog was doomed because it was too effective and destroyed spammers' business models. So the criminals waged a massive campaign of harassment and intimidation on BlueFrog's entirely innocent users until BlueFrog were forced to accede to the crims' demands.

Malware criminals cannot be defeated by technical means alone. It would be nice if the police started doing their jobs -- because the one thing these sort of scum fear is getting caught and subsequently made somebody's bitch in prison.

CPAN has this already... (1)

adamkennedy (121032) | more than 5 years ago | (#26458739)

I wrote something almost identical years ago, but since I'm not part of the security community it never really took off. Blacklists were The Thing at the time still...

http://search.cpan.org/~adamk/ThreatNet-DATN2004-0.20/lib/ThreatNet/DATN2004.pm [cpan.org]

The test bots are still running in Freenode #threatnet

This is not a new concept... (0)

Anonymous Coward | more than 5 years ago | (#26459175)

BlackICE / Network ICE anyone?

The idea sounds great having a distributed sensor network that can dynamically react to threats and proactively block the attacker before he makes it to your system.

1) What happens when the DoS attack is launched with spoofed IP addresses that match critical internal systems? (perhaps the IP address of your name servers or domain controllers????)
2) Most talented exploits aren't done through brute-force scanning / attacking of large IP address ranges, since most security devices (firewalls, IPS, etc.) detect and block this type of activity already.

This type of approach has been used by some $$$ anti-spam products with pretty good results though.
