Slashdot Mirror


Sandia's Distributed Anti-Cracking Bot

tgw writes: "Beyond 2000 is reporting that Sandia National Laboratories has created a unique type of bot that can defend against cracking attacks and viruses. The bot 'runs on multiple computers in a network and depending on circumstances the separate copies of the agent can act alone or together as a single, distributed program. The [bots] across the network constantly compare notes to determine if any unusual requests or commands have been received from external or internal sources.'" A cool-sounding project, to be sure -- but how much control is too much to cede to the intelligent agents?

4 of 70 comments

  1. Re:this is sweet by orpheus · Score: 5

    Given the sensitive nature of much of their work, Sandia National Labs probably has resources that are not available to your ordinary ISP, like 'sleeping' multiply redundant bandwidth and use of the *many* Federal access points to the web, both "owned" and leased, including normal ISPs.

    When a DDoS strikes, you 'wake' a normally dormant redundant line to another backbone (possibly via direct link to a high volume ISP to hide your signature), then you identify your "known" valid users and VPN to them via the peer. You can VPN via a distant ISP/node, so the attacker won't know you're communicating with 'legitimate users' via a hidden link to the ATT backbone in Ogden Utah and emerging on the Net over the redundant bandwidth of .mil bases and co-locos all over the country.

    The invaders can pound on the gates all they want. You're not using the front door anymore. You can also have secret VPN router/authenticators around the country that 'legitimate users' can connect to when the front door is slammed shut. The details could be built into key software, transparent to the legitimate users.

    It's like a reverse DDoS. In a DDoS, the attacker overwhelms you with attacks from every direction, faster than you can respond. In the 'Reverse DDoS' Defense, the legitimate communications links are leaking out from all over, faster than you can find them and swamp them. In DDoS attacks, the defender is trapped by converging bandwidth from 'distributed attackers'. In the Reverse DDoS defense, the 'hidden peering' lets the defender 'distribute its communication bandwidth' to emerge as barely above background blips in widely divergent locations.

    Well, that's how *I'd* do it, if I were the Feds. Hence the unimaginative codename "Legion"
    (Am I too close for comfort? My services are available for a fee, Feds.) ;=>

    --

    If you can go to bed, knowing you did a valuable thing today, you're very lucky. If you can't... it's not bedtime

  2. Aren't you forgetting the "Hummer Project"? by Netsnipe · Score: 5
    It's not that I'm discrediting the guys over at Sandia, but the idea of bots that "runs on multiple computers in a network...constantly compare notes to determine if any unusual requests or commands have been received from external or internal sources" is not unique or a first.

    There are in fact two noticeable examples of distributed network monitoring/Intrusion Detection Tools out there already that sound very similar to Sandia's new tool. They include the HummingBird System and MOM.

    The Hummer Project led by Dr. Deborah Frincke has been around since early 1998 and their main project, the HummingBird System, is now in version 3.4. It is a complex toolkit that gives an administrator the power to distribute security and intrusion detection information between several hosts (including Solaris and NT machines as well as Linux) in which multiple attackers and targets are mixed and matched.

    The other example I know of is MOM, which unfortunately has been out of further development for over a year now.

    The main similarity between the two's functionality is that they both have:

    • A main process that runs on a central machine that gathers, sorts, and reports on data received from children on other hosts.
    • On other hosts, a child client process runs which reports anomalies to the central host and;
    • On all hosts, agents run that perform various maintenance, diagnostic, and intrusion detection tasks.

    So as you can see, distributed anti-cracking and IDS tools have been around longer than you think and are quite refined. Good luck setting them up, and for those developing them:

    Keep up the great work.

    --
    -- "I can't tell the future, I just work there." -- The Doctor
  3. A couple of thoughts by |deity| · Score: 5
    At least this will give the truly skilled black/grey hat hackers something new to play with. I would bet that this type of computer defense would be good against script kiddies but skilled computer intruders would be able to get around it. In and of itself this could make for several vulnerabilities. Imagine a DoS attack that only has to do a port scan to fool the computer's defenses into closing its ports. Although like all vulnerabilities it wouldn't last long.

    Once this becomes more common and something people are familiar with, attacks against it will get easier. I would imagine that in the real world people will do like they always do and shut off many of the security features in order to make their lives more convenient.

    From the article: A consumer release is at least three years away as Sandia says the agent must be "trained to protect a wider variety of services" before it can be of much use to the average household. One suspects it also needs to be dumbed down slightly so that it is not quite as clever as the military-grade version.

    Besides, it's like an arms race with both sides forever increasing the sophistication of their weapons. "What kind of attacks will these be? Well if these agents are as good as Sandia says you can bet it won't be long before the bad guys get some bots of their own and start using them against governments, corporations and the general public."

    I thought the opening comment "A cool-sounding project, to be sure -- but how much control is too much to cede to the intelligent agents?" was a little paranoid until I read the end of the article. In time the agents may graduate from patrol to control. Intelligent agents would be ideal for the control of interplanetary robot swarm missions while at the same time protecting them from long distance hackers or practical jokers. Closer to home micro-satellite swarms or perhaps even remote-controlled jet fighters could be computer-coordinated with agent assistance. Come on, doesn't that sound a little like the start of a William Gibson book?

    --
    Environmentalists are their own worst enemy. ~tricklenews.com
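The central/child architecture in Netsnipe's comment, and |deity|'s worry that a single spoofed port scan could trick the defenses into shutting down, both come down to how the central process "compares notes". Below is an added example (not code from Sandia, HummingBird, MOM, or anyone in this thread) of a central aggregator that only escalates a source once several hosts corroborate it within a time window; the report format and the sample data are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample reports in the form a child process on each host might
# send to the central process: (timestamp, reporting host, source IP, event).
# Addresses are RFC 5737 documentation ranges; nothing here is real traffic.
CHILD_REPORTS = [
    (1000, "web1",  "203.0.113.7",  "portscan"),
    (1030, "db1",   "203.0.113.7",  "portscan"),
    (1045, "mail1", "203.0.113.7",  "portscan"),
    (1000, "web1",  "198.51.100.4", "failed_login"),
    (1005, "web1",  "198.51.100.4", "failed_login"),
    (1000, "db1",   "192.0.2.9",    "portscan"),
    (5000, "web1",  "192.0.2.9",    "portscan"),  # same source, hours later
]

def correlate(reports, min_hosts=2, window=300):
    """Central process: for each source, find the largest set of distinct
    hosts that reported it within any `window`-second span.  A source is
    escalated only when at least `min_hosts` hosts corroborate it; a report
    from a single host is logged, not acted on, so one forged scan against
    one host cannot by itself trigger a network-wide response."""
    by_src = defaultdict(list)
    for ts, host, src, event in reports:
        by_src[src].append((ts, host, event))
    verdicts = {}
    for src, items in by_src.items():
        items.sort()
        best = set()
        for i, (ts_i, _, _) in enumerate(items):
            # hosts whose reports fall inside the window ending at ts_i
            hosts = {h for ts_j, h, _ in items[: i + 1] if ts_i - ts_j <= window}
            if len(hosts) > len(best):
                best = hosts
        verdict = "escalate" if len(best) >= min_hosts else "log_only"
        verdicts[src] = (verdict, sorted(best))
    return verdicts

if __name__ == "__main__":
    for src, (verdict, hosts) in correlate(CHILD_REPORTS).items():
        print(f"{src:14} {verdict:9} corroborated by {hosts}")
```

"Escalate" here means raise an alert for a human; closing ports automatically is exactly the over-reaction the comment above describes.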
  4. VISA does an analogous thing by FFFish · Score: 5

    By my understanding, VISA does a similar sort of thing with its transaction processing. The software monitors your usage pattern -- locations, dollar amounts, dates, time and suchlike -- and attempts to identify abnormal usage.

    So, probably, most of your spending is in and around your hometown. Once in a while you make a trip to the big city. You don't seem to use it a lot at the jeweller's -- Christmas is the exception.

    Hmmm.. what's this? You're buying a $3000 necklace at Goldstein's Jewellers in Vancouver, BC? Seems unlikely you'd be getting a videotape from Roger's on Tuesday in Poughkeepsie, and then buying diamonds in Vancouver on Wednesday... let's deny the transaction, or get the clerk to confirm ID.

    Now, this is hearsay. I can't say I've *read* a report on this, but I've heard several people tell of it. And it doesn't seem such a stretch, though I've never actually heard of someone being denied an unlikely purchase.

    Anyway, long and short of it is that it's not a real stretch to imagine this being a powerful tool for networks. Monitor the traffic and perform analysis: start figuring out what's normal and what's not. And alert someone when abnormal things begin to happen.

    Sounds cool. I'm for it!

    --
    Don't like it? Respond with words, not karma.
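The usage-pattern check FFFish describes (home region, typical amounts, and whether a Tuesday in Poughkeepsie followed by a Wednesday in Vancouver is plausible) can be sketched as a small anomaly scorer. This is an added example, not VISA's system or anything from the article; the purchase history, coordinates, thresholds and the "deny / confirm ID / approve" decisions are all constructed for illustration.

```python
import math
from statistics import mean, pstdev

EARTH_RADIUS_KM = 6371.0

def haversine_km(p, q):
    """Great-circle distance between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*p, *q))
    a = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

# Constructed purchase history: (hour, lat, lon, amount). Mostly spending
# near Poughkeepsie, NY, plus one trip to New York City. Coordinates are
# approximate city centres; nothing here is real cardholder data.
POK, NYC, YVR = (41.70, -73.92), (40.71, -74.01), (49.28, -123.12)
HISTORY = [(h, *POK, amt) for h, amt in
           zip(range(0, 480, 48), [42, 18, 65, 120, 30, 55, 80, 25, 47, 90])]
HISTORY.append((500, *NYC, 150))

def build_profile(history):
    """Baseline from history: usual location (centroid) and usual amounts."""
    amounts = [t[3] for t in history]
    home = (mean(t[1] for t in history), mean(t[2] for t in history))
    return {"home": home, "mean": mean(amounts), "std": pstdev(amounts)}

def score(txn, prev, prof, home_radius_km=500, max_kmh=900):
    """Return (decision, reasons) for txn = (hour, lat, lon, amount) given
    the previous transaction (or None) and the cardholder's profile."""
    hour, lat, lon, amount = txn
    reasons = []
    if haversine_km((lat, lon), prof["home"]) > home_radius_km:
        reasons.append("far_from_home")
    if amount > prof["mean"] + 3 * prof["std"]:   # well outside usual spend
        reasons.append("unusual_amount")
    if prev is not None:
        km = haversine_km((lat, lon), (prev[1], prev[2]))
        hours = max(hour - prev[0], 1e-6)
        if km / hours > max_kmh:                   # faster than an airliner
            reasons.append("impossible_travel")
    if "impossible_travel" in reasons:
        return "deny", reasons
    return ("approve" if not reasons else "confirm_id"), reasons

if __name__ == "__main__":
    prof = build_profile(HISTORY)
    tape = (600, *POK, 5)                  # Tuesday: a videotape at home
    print(score((624, *YVR, 3000), tape, prof))  # Wednesday: Vancouver necklace
```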