Slashdot Mirror


Sandia's Distributed Anti-Cracking Bot

tgw writes: "Beyond 2000 is reporting that Sandia National Laboratories has created a unique type of bot that can defend against cracking attacks and viruses. The bot 'runs on multiple computers in a network and depending on circumstances the separate copies of the agent can act alone or together as a single, distributed program. The [bots] across the network constantly compare notes to determine if any unusual requests or commands have been received from external or internal sources.'" A cool-sounding project, to be sure -- but how much control is too much to cede to the intelligent agents?

16 of 70 comments

  1. Re:this is sweet by orpheus · · Score: 5

    Given the sensitive nature of much of their work, Sandia National Labs probably has resources that are not available to your ordinary ISP, like 'sleeping' multiply redundant bandwidth and use of the *many* Federal access points to the web, both "owned" and leased, including normal ISPs.

    When a DDoS strikes, you 'wake' a normally dormant redundant line to another backbone (possibly via direct link to a high volume ISP to hide your signature), then you identify your "known" valid users and VPN to them via the peer. You can VPN via a distant ISP/node, so the attacker won't know you're communicating with 'legitimate users' via a hidden link to the ATT backbone in Ogden Utah and emerging on the Net over the redundant bandwidth of .mil bases and co-locos all over the country.

    The invaders can pound on the gates all they want. You're not using the front door anymore. You can also have secret VPN router/authenticators around the country that 'legitimate users' can connect to when the front door is slammed shut. The details could be built into key software, transparent to the legitimate users.

    It's like a reverse DDoS. In a DDoS, the attacker overwhelms you with attacks from every direction, faster than you can respond. In the 'Reverse DDoS' Defense, the legitimate communications links are leaking out from all over, faster than you can find them and swamp them. In DDoS attacks, the defender is trapped by converging bandwidth from 'distributed attackers'. In the Reverse DDoS defense, the 'hidden peering' lets the defender 'distribute its communication bandwidth' to emerge as barely above background blips in widely divergent locations.

    Well, that's how *I'd* do it, if I were the Feds. Hence the unimaginative codename "Legion"
    (Am I too close for comfort? My services are available for a fee, Feds.) ;=>

    --

    If you can go to bed, knowing you did a valuable thing today, you're very lucky. If you can't... it's not bedtime

  2. What level access do these "agents" have? by muldrake · · Score: 3
    It seems that to be of any use, these self-replicating 'bots must have high levels of access to the system.

    If there are "backdoors" or special security exceptions made for the bots, then one would hope there is some means of recognizing rogue 'bots.

    The most obvious attack on a system with security like this is to duke in a rogue 'bot faking inheritance of the security privileges given to the real ones, and then use that to mount the attack.

  3. Not until I see it in the field by konstant · · Score: 4

    I've just spent far too many hours securing the network settings on a test harness... and I can tell you right now, I would never allow this sort of access to any topology unless I had very clear and fixed signatures for all these "bots".

    One principle behind securing a network is to disallow unnecessary access between machines. The fewer legitimate channels, and the more predictable the dataflow, the easier it is to monitor for anomalies. There are certain machines in the test harness I'm working on, for example, that *never* talk to one another. If I didn't segregate machines this way, we could lose essential data if a weak front-end box were taken.

    Opening the network to roving spiders and allowing them discretionary control over monitoring and transmitting would be difficult to secure. How could I tell the difference between a scan from a bot and a scan from an attacker? How could I identify what is a "dangerous" data transmission when the bots are semi-autonomous and unpredictable?

    I don't want to dismiss the idea, because eventually we will have to develop "immune systems" for our machines. But right now, it seems difficult to integrate these two models. When I run my own scans, I know that I'm doing it and I can pick out my work from the logs. This would add a new layer of complexity - something that already exists in abundance in the security field!
    -konstant
    Yes! We are all individuals! I'm not!

  4. Is it just me, or... by jayhawk88 · · Score: 3

    ...do the article's descriptions of "agents" sound eerily like the agents from the Matrix. Dammit, if I wake up tomorrow in some cocoon full of pink goo, I'm going to be heli-pissed!

  5. Danger by Chasuk · · Score: 4

    And, if these bots are re-written, what capacity for harm would they have? Assuming that they interact with each other in an environment requiring digital signatures to make them "safe," what happens when some self-proclaimed guardian of our security decides to show us the new flaw he has discovered and re-programs these bots to wreak havoc? All for the better good, of course.

    How easy will they be to deactivate once someone else has the key? Let's suppose that we have become reliant on these bots (or their descendants), and that our ever noble, benevolent security experts (Cult of the Dead Cow IV, for example) have decided to re-define "unusual requests" as something which would normally be useful, and vice-versa? Denial of Service attacks are bad enough, but an attack from millions of bots - distributed and replicating WITH PERMISSION across a network - that would be horrific.

    If this protocol is accepted and integrated into the system, I can imagine password sniffing bots, e-mail re-directing bots, etc., all written by the script kiddies of the day and reproducing as nightmare progeny.

    I suggest that, with such a threat, the safeguards need to be more formidable than any yet formulated. We would need to have -virtually - "viral inhibitors" keyed to destroy any interlopers on our system. Does such technology currently exist? Do we want to release these bots into the world before they do?

  6. More info about the red team by Pinball+Wizard · · Score: 4

    can be found here. These guys are somewhat more sophisticated than your average script kiddie.

    --

    No, Thursday's out. How about never - is never good for you?

  7. Re:redundant Internet links by Cato · · Score: 3

    Having redundant links into the Net is certainly one way of handling DDoS, and is in fact already practiced (more for general resilience and performance, but it works well against DDoS) - see http://www.dn.net/technology/network.html for an example of how DigitalNation, a dedicated server hosting company, has tens of links to various ISPs.

    This will only work against DDoS if the new routes (i.e. via un-DDOSed links) are advertised out quickly enough - first of all, the IDS needs to detect the DDoS, then it needs to mark the links under attack as down, so that the routing protocol (which has to be BGP as you are interfacing to multiple ISPs), can advertise the new routes.

    These routes then have to propagate out throughout the Net, across multiple ISPs, via BGP, until they reach the ISPs of (non-attackers) who are trying to reach your site - these ISPs' routers will then start sending packets via the new routes. The tough part is making sure the route advertisements don't reach the DDoSing hosts - if they do, you have just moved the DDoS attacks onto a new link!

    The IDS actually has to analyse the origin of the DDoS attacks (which may mean cooperating with upstream ISPs, since the source addresses will be forged if the attackers have any sense), working out which ISP is hosting the attacking hosts, and then make sure that the route advertisements don't get sent to that ISP. While BGP is very powerful, I'm not sure if it can do this - ask a BGP guru... In any case, if the DDoS attackers are smart enough to subvert hosts in tens of major ISPs, there is no way you can use this 'change route' approach to combat them, without cutting off many legitimate users of your site who are also getting on the Net via those ISPs.

    Before DDoS, this approach would have worked, i.e. where there was a single host attacking you - but it's now not sophisticated enough. It may still help in some DDoS attacks, it just depends on luck and the skill of the attackers.

    Combatting DDoS is a fundamentally hard problem. The best single mechanism to reduce DDoSes and make them easier to track is RFC 2267 (see www.faqs.org for a copy), which prevents people from injecting packets with forged source addresses (actually they can forge their host address but can't claim to be from a different network). This makes it much easier to directly contact the ISP whose customer or web hosts have been compromised and get them to put in filters blocking the attack.

    Without source address spoofing prevention, you have to have a laborious process of going from network operations centre (NOC) to NOC for each ISP back up the chain, getting them to put on traffic analysis tools to see where the traffic is coming from.
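The RFC 2267 ingress filter the comment above recommends, simulated in Python as an added example (not from the thread, and not any vendor's router code). The allocation table, interface names and packets are constructed sample data; the RFC 5737 documentation ranges stand in for real prefixes.

```python
"""Ingress filtering as described in RFC 2267 (now BCP 38), simulated.

An ISP edge router knows which prefixes were allocated to the customer behind
each interface. A packet arriving on that interface with a source address
outside those prefixes cannot legitimately have come from the customer, so it
is dropped. This shows the limitation the comment notes: a compromised host
can still forge another address inside its own network's prefix, but not an
address belonging to a different network.
"""
import ipaddress
from collections import Counter

# Constructed allocation table: interface name -> prefixes assigned to that customer.
CUSTOMER_PREFIXES = {
    "eth1": [ipaddress.ip_network("192.0.2.0/24")],
    "eth2": [ipaddress.ip_network("198.51.100.0/25"),
             ipaddress.ip_network("198.51.100.128/26")],
}


def ingress_permit(interface, src):
    """Return True if src is a plausible source for packets arriving on interface."""
    prefixes = CUSTOMER_PREFIXES.get(interface)
    if prefixes is None:
        return False  # unknown interface: fail closed
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)


def filter_packets(packets):
    """Apply ingress filtering to (interface, src, dst) tuples.

    Returns (forwarded, dropped) lists so the caller can log what was spoofed.
    """
    forwarded, dropped = [], []
    for pkt in packets:
        iface, src, _dst = pkt
        (forwarded if ingress_permit(iface, src) else dropped).append(pkt)
    return forwarded, dropped


def spoof_summary(dropped):
    """Count dropped packets per ingress interface: which customer sources forged traffic."""
    return Counter(iface for iface, _src, _dst in dropped)


# Constructed sample traffic: a customer on eth1 is part of a DDoS and forges sources.
SAMPLE_PACKETS = [
    ("eth1", "192.0.2.10", "203.0.113.5"),      # genuine address -> forwarded
    ("eth1", "192.0.2.77", "203.0.113.5"),      # forged, but inside own /24 -> still forwarded
    ("eth1", "203.0.113.99", "203.0.113.5"),    # forged, different network -> dropped
    ("eth1", "10.1.2.3", "203.0.113.5"),        # forged private address -> dropped
    ("eth2", "198.51.100.130", "203.0.113.5"),  # genuine, second prefix -> forwarded
    ("eth2", "198.51.100.200", "203.0.113.5"),  # outside both eth2 prefixes -> dropped
]

if __name__ == "__main__":
    fwd, drop = filter_packets(SAMPLE_PACKETS)
    print(f"forwarded={len(fwd)} dropped={len(drop)} by interface={dict(spoof_summary(drop))}")
```

The dropped-packet counter per interface is the data a NOC would use to contact the customer sourcing the forged traffic, which is the shortcut the comment describes.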

  8. Not as dangerous as they sound. by Alik · · Score: 3

    I spent two years working for these guys building the Scheme component of their agent system, so I had a chance to learn something about the general theory of the field. Every agent system I've seen has a notion of a sandbox that agents are limited to. In the case of our particular system, agents were also to be signed by their "master", who might then be responsible for any damage caused. Agent data transmitted across the network could be encrypted; agents themselves had to be packaged and signed when in transit between machines, unless they came from a "trusted" machine. Inter-agent communication was not direct; it went through the agent server daemon on each host machine, so that untrusted agents wouldn't need to have the ability to open sockets or files. We were slowly putting together a system for resource allocation, such that each agent would only be allowed to use a certain percentage of each system resource --- that can help prevent a DDoSing agent. (There were interesting attempts to work out a micropayment-like system for purchasing resource access; I don't think it ever got finalized.)

    In short, if Sandia has remotely competent people, these agents are going to have strict limitations on their capabilities. Are they completely immune to attack? No. As Bruce Schneier has taught us, this only reduces risk. Still, if you add a requirement for agents to monitor each other, a human would have to be damn good to compromise a sufficient agent population. (Of course, this means that we may be headed for a future of eternal agent war. Might be cool. Want to prove open source? Make Tux2.0 the agent that can kick the crap out of any other agent.)

  9. Whoop-dee-do by tbo · · Score: 3

    It sounds like a smarter firewall that communicates with other firewalls on the same network. Not a huge advance in technology, just some marketroid got carried away. Here are the amazing features/capabilities it has:

    port scans: it detects port scans. Most firewalls do this. Theirs just detects ones that take place over a longer period, too.

    faint probes: isn't this pretty much the same as above? So it detects "stealth" scans, etc. A lot of firewalls do this.

    trojan horses: it recognizes "patterns" indicative of trojan horses. Tripwire, anyone?

    denial of service attacks: there's only so much you can do without changing the upstream routing hardware/logic, especially against DDoS or DoS from a source with higher bandwidth (wanna bet Sandia has a really fat pipe, though?)

    security functions are integrated with ordinary everyday network use: email and web browsing are integrated into the security agent? How does that work? All I can think of is global security settings. Kinda nice, but is that really necessary if you're not running buggy MS junk?

    'live' programs such as the I-Love-You virus are prohibited: this is a problem of stupid users and really bad design. Untrusted scripts/executables shouldn't run automatically, and user education is the most important part of any security system.

    Really, this just sounds like a souped-up firewall + Tripwire. Nothing too revolutionary. Wanna bet that a properly-configured OpenBSD box could have held off those four script kiddies (err, "experienced hackers") for 16 hours, too?

    Sorry for being so bloody sarcastic, but this just sounds like the kind of marketroid detail-free crap that ZDNet usually turns out.

  10. Human immune system by gargle · · Score: 3

    I attended a talk last November given by a Santa Fe Institute lecturer on computer intrusion detection systems modelled after the human immune system. (unfortunately, I can't remember what her name was, otherwise I would try to post a link). There's actually a very strong parallel between what a computer security system has to do, and the role of the human immune system: the key behind both these systems is to be able to distinguish between "self" and "non-self". In the case of the human immune system, the antibodies are trained on marrow cells (?) and only released into general circulation if they do not attack host cells. In their research, they used genetic programming to train the intrusion detectors on "typical" network activity - after which, the detectors would be able to identify and report non-typical activity. It supposedly works pretty well.

  11. this is sweet by Pinball+Wizard · · Score: 3
    I can't remember the last time I got this excited about a piece of software. First, from the sounds of things, they want this to be a big distributed program like DNS. I imagine they would like to see every ISP run this.

    This deals with such a wide array of computer sabotage that it's utterly amazing. Everything from breakins to virii to DDOS's can be successfully combated by this. It's exactly what the net needs.

    What would really be cool of course is if the source was released (drool). But maybe that will happen since from the article it sounds like they want to see their program widely distributed.

    --

    No, Thursday's out. How about never - is never good for you?

  12. Aren't you forgetting the "Hummer Project"? by Netsnipe · · Score: 5
    It's not that I'm discrediting the guys over at Sandia, but the idea of bots that "runs on multiple computers in a network...constantly compare notes to determine if any unusual requests or commands have been received from external or internal sources" is not unique or a first.

    There are in fact two noticeable examples of distributed network monitoring/Intrusion Detection Tools out there already that sound very similar to Sandia's new tool. They include the HummingBird System and MOM.

    The Hummer Project led by Dr. Deborah Frincke has been around since early 1998 and their main project, the HummingBird System, is now in version 3.4. It is a complex toolkit that gives an administrator the power to distribute security and intrusion detection information between several hosts (including Solaris and NT machines as well as Linux) in which multiple attackers and targets are mixed and matched.

    The other example I know of is MOM, which unfortunately has been out of further development for over a year now.

    The main similarity between the two's functionality is that they both have:

    • A main process that runs on a central machine that gathers, sorts, and reports on data received from children on other hosts.
    • On other hosts, a child client process runs which reports anomalies to the central host.
    • On all hosts, agents run that perform various maintenance, diagnostic, and intrusion detection tasks.

    So as you can see, distributed anti-cracking and IDS tools have been around longer than you think and are quite refined. Good luck setting them up, and for those developing them:

    Keep up the great work.

    --
    -- "I can't tell the future, I just work there." -- The Doctor
  13. A couple of thoughts by |deity| · · Score: 5
    At least this will give the truly skilled black/grey hat hackers something new to play with. I would bet that this type of computer defense would be good against script kiddies but skilled computer intruders would be able to get around it. In and of itself this could make for several vulnerabilities. Imagine a DoS attack that only has to do a port scan to fool the computer's defenses into closing its ports. Although like all vulnerabilities it wouldn't last long.

    Once this becomes more common and something people are familiar with, attacks against it will get easier. I would imagine that in the real world people will do like they always do and shut off many of the security features in order to make their lives more convenient.

    From the article. A consumer release is at least three years away as Sandia says the agent must be "trained to protect a wider variety of services" before it can be of much use to the average household. One suspects it also needs to be dumbed down slightly so that it is not quite as clever as the military-grade version.

    Besides, it's like an arms race with both sides forever increasing the sophistication of their weapons. "What kind of attacks will these be? Well if these agents are as good as Sandia says you can bet it won't be long before the bad guys get some bots of their own and start using them against governments, corporations and the general public. "

    I thought the opening comment "A cool-sounding project, to be sure -- but how much control is too much to cede to the intelligent agents? " was a little paranoid until I read the end of the article. In time the agents may graduate from patrol to control. Intelligent agents would be ideal for the control of interplanetary robot swarm missions while at the same time protecting them from long distance hackers or practical jokers. Closer to home micro-satellite swarms or perhaps even remote-controlled jet fighters could be computer-coordinated with agent assistance. Come on, doesn't that sound a little like the start of a William Gibson book.

    --
    Environmentalists are their own worst enemy. ~tricklenews.com
  14. What is a pattern? by mangu · · Score: 3
    Quoting the article "Statistical Pattern Recognition: A Review", from the January 200 "IEEE Transactions on Pattern Matching and Machine Intelligence":

    By the time they are five years old, most children can recognize digits and letters ... We take this ability for granted until we face the task of teaching a machine how to do the same ... In spite of almost 50 years of research, design of a general purpose machine pattern recognizer remains an elusive goal.

    I don't think this Sandia project will work as intended. Until we build a computer with processing power equivalent to our brains' trillion synapses, a human will be able to beat a computer in many ways.

    However, that bot can have uses other than the acknowledged ones. Censorship, for instance. Security must be absolutely perfect, while censorship may have holes - it's much worse having a cracker penetrate the Sandia labs atomic research files than a public library misclassifying a pr0n website.

  15. BotWars on the Internet? by Remus+Shepherd · · Score: 3

    Anyone remember the game BotWars? It was simple; using assembler language in a protected and limited memory space, write a bot that will kill any other bots on the system. Most bots sprayed memory with nulls or JMP commands to corrupt and kill everything else on the system. But one very powerful bot was known as the Five Musketeers.

    The Five Musketeers bot looked for copies of itself in memory, and if it didn't find them, it created up to four copies. Each copy then kept checking on the health of the other four, and if one copy became corrupted it was rewritten. Thus, the Five Musketeers were cooperatively immortal, and payloads could be added to them to spray memory or any other offensive attack you wished.

    Sound anything like Sandia's bot yet?

    I'm not sure I like the idea of the internet turning into a playfield for agents like those in BotWars. It could rapidly turn into a wasteland, with all the bandwidth going to automatic attacks and defenses. :/

    --
    Genocide Man -- Life is funny. Death is funnier. Mass murder can be hilarious.
  16. VISA does an analogous thing by FFFish · · Score: 5

    By my understanding, VISA does a similar sort of thing with its transaction processing. The software monitors your usage pattern -- locations, dollar amounts, dates, time and suchlike -- and attempts to identify abnormal usage.

    So, probably, most of your spending is in and around your hometown. Once in a while you make a trip to the big city. You don't seem to use it a lot at the jeweller's -- Christmas is the exception.

    Hmmm.. what's this? You're buying a $3000 necklace at Goldstein's Jewellers in Vancouver, BC? Seems unlikely you'd be getting a videotape from Roger's on Tuesday in Poughkeepsie, and then buying diamonds in Vancouver on Wednesday... let's deny the transaction, or get the clerk to confirm ID.

    Now, this is hearsay. I can't say I've *read* a report on this, but I've heard several people tell of it. And it doesn't seem such a stretch, though I've never actually heard of someone being denied an unlikely purchase.

    Anyway, long and short of it is that it's not a real stretch to imagine this being a powerful tool for networks. Monitor the traffic and perform analysis: start figuring out what's normal and what's not. And alert someone when abnormal things begin to happen.

    Sounds cool. I'm for it!

    --
    Don't like it? Respond with words, not karma.
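The profile-then-score approach described in the VISA comment above, and the "self" versus "non-self" baseline from the immune-system comment, as one added Python example (not from the thread, and not VISA's or anyone's real fraud engine). The cardholder history, the city distance table and the 900 km/h travel ceiling are constructed assumptions.

```python
"""Profile-based anomaly detection in the style of the card-fraud heuristics.

A per-cardholder profile ("self") is built from a history of normal
transactions; a new transaction is then scored for (a) an unusually large
amount, (b) a merchant city never seen before, and (c) "impossible travel":
a purchase in a distant city sooner after the last one than the journey
could plausibly take. The same build-then-score shape is what the
immune-system IDS comment describes, with network events in place of purchases.
"""
from datetime import datetime
from statistics import mean, pstdev

# Constructed distances in km between the sample cities (assumed, symmetric).
DISTANCE_KM = {
    frozenset({"Poughkeepsie", "New York"}): 120,
    frozenset({"Poughkeepsie", "Vancouver"}): 3900,
    frozenset({"New York", "Vancouver"}): 3900,
}
MAX_TRAVEL_KMH = 900.0  # assumption: nobody moves faster than an airliner


def distance(a, b):
    return 0 if a == b else DISTANCE_KM[frozenset({a, b})]


def build_profile(history):
    """'Self' for one cardholder: seen cities plus amount mean/std from normal history."""
    amounts = [t["amount"] for t in history]
    return {
        "cities": {t["city"] for t in history},
        "mean": mean(amounts),
        "std": pstdev(amounts) or 1.0,  # avoid division by zero on constant history
        "last": max(history, key=lambda t: t["time"]),  # profile is not updated by score()
    }


def score(profile, txn, z_limit=3.0):
    """Return the reasons txn looks like 'non-self'; an empty list means normal."""
    reasons = []
    z = (txn["amount"] - profile["mean"]) / profile["std"]
    if z > z_limit:
        reasons.append(f"amount z-score {z:.1f}")
    if txn["city"] not in profile["cities"]:
        reasons.append(f"new city {txn['city']}")
    last = profile["last"]
    hours = (txn["time"] - last["time"]).total_seconds() / 3600
    km = distance(last["city"], txn["city"])
    if hours > 0 and km / hours > MAX_TRAVEL_KMH:
        reasons.append(f"impossible travel {km} km in {hours:.1f} h")
    return reasons


# Constructed history: a cardholder who shops around Poughkeepsie, occasionally NYC.
HISTORY = [
    {"time": datetime(2001, 3, 1, 18, 0), "city": "Poughkeepsie", "amount": 24.0},
    {"time": datetime(2001, 3, 3, 12, 30), "city": "Poughkeepsie", "amount": 61.0},
    {"time": datetime(2001, 3, 5, 9, 15), "city": "New York", "amount": 140.0},
    {"time": datetime(2001, 3, 6, 22, 0), "city": "Poughkeepsie", "amount": 8.5},  # Tuesday videotape
]
NECKLACE = {"time": datetime(2001, 3, 7, 1, 30), "city": "Vancouver", "amount": 3000.0}
GROCERIES = {"time": datetime(2001, 3, 8, 17, 45), "city": "Poughkeepsie", "amount": 55.0}

if __name__ == "__main__":
    prof = build_profile(HISTORY)
    print("necklace:", score(prof, NECKLACE))   # three reasons -> deny or confirm ID
    print("groceries:", score(prof, GROCERIES))  # [] -> normal
```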