Slashdot Mirror


Self-Policing Networks?

An Anonymous Coward writes: "IBM is looking to build self-policing networks with project eLiza, as reported in Wired. Sounds pretty cool, but I don't see it being all that effective. And if it is, security teams will get pretty lax, and not be able to handle an attack that breaks eLiza." Also a USA Today article. It's an insightful idea, and one that I'm sure will *eventually* become part of many major networks, but somehow I suspect that this is one of those things that appears difficult on the surface, and turns out to be ten times as difficult when you get into it.

14 of 55 comments

  1. sad state of security today by Anonymous Coward · · Score: 5

    While good security is hard to come by the main problem at most companies is that security just isn't really thought of. One Fortune 50 firm that I did an audit of and whose name I will omit to protect the foolish:
    (a) Used FrontPage to design their website;
    (b) Didn't bother to password protect it;
    and
    (c) Included the sysadmin username and password for their Oracle database in the ASP code. This was done simply so they could dynamically populate a list of sales regions. The same database had their entire financials on it.
    If Eliza can protect against actions such as these then I'm all for it. It had better be cheap, though; neither the CEO nor the CIO of this company thought much of it, stating "It's only our website. That's not really important to us." followed by "No security is foolproof."
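    The third finding above is a pattern that is cheap to catch before an auditor does. What follows is an added example, not code from the thread or from IBM's eLiza: a small scanner that finds ADO/ODBC-style connection strings with an embedded password in web page source and flags the ones using an administrative login. The ASP page it is run over is constructed for the demo, and the set of account names treated as privileged is an assumption to be extended for your own databases.

```python
"""Added example, not code from the Slashdot thread or from IBM's eLiza:
a small scanner for the class of mistake the comment above describes,
a database connection string with an administrative password pasted
straight into web page source. The ASP page below is constructed for
the demo, and the list of account names treated as privileged is an
assumption; extend it for your own databases."""
import re

# Keys of an ADO/ODBC-style "Key=Value;Key=Value" connection string.
PASSWORD_KEYS = ("password", "pwd")
USER_KEYS = ("user id", "uid", "user", "username")
# Assumption: these logins are administrative on the databases we care about.
PRIVILEGED_ACCOUNTS = {"sys", "system", "sa", "root", "admin", "dba"}

# A double-quoted literal made of one or more Key=Value pairs.
CONN_STRING_RE = re.compile(r'"((?:[^";]+=[^";]*;?)+)"')


def parse_conn_string(s):
    """Split 'Key=Value;Key=Value' into a dict keyed by lowercase key."""
    pairs = {}
    for part in s.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs


def scan_source(text):
    """Return one finding per connection string that carries a password.

    The password itself is never copied into the finding, only its length,
    so the report can be circulated without re-leaking the secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in CONN_STRING_RE.finditer(line):
            kv = parse_conn_string(match.group(1))
            password = next((kv[k] for k in PASSWORD_KEYS if k in kv), None)
            if password is None:
                continue  # a query or an ordinary string, not credentials
            user = next((kv[k] for k in USER_KEYS if k in kv), "?")
            findings.append({
                "line": lineno,
                "user": user,
                "privileged": user.lower() in PRIVILEGED_ACCOUNTS,
                "password_len": len(password),
            })
    return findings


def report(findings):
    """Human-readable lines, administrative accounts first."""
    ordered = sorted(findings, key=lambda f: (not f["privileged"], f["line"]))
    return ["line %d: user '%s' with an embedded %d-char password%s" % (
                f["line"], f["user"], f["password_len"],
                " (ADMINISTRATIVE ACCOUNT)" if f["privileged"] else "")
            for f in ordered]


# Constructed sample: the pattern from the comment, a region drop-down
# populated with the database administrator's login, followed by a page
# that at least uses a read-only reporting account.
SAMPLE_ASP = r'''<%
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=MSDAORA;Data Source=FINDB;User ID=system;Password=manager"
Set rs = conn.Execute("SELECT region FROM sales_regions")
Do While Not rs.EOF
    Response.Write "<option>" & rs("region") & "</option>"
    rs.MoveNext
Loop
Set ro = Server.CreateObject("ADODB.Connection")
ro.Open "DSN=reporting;UID=web_ro;PWD=correct-horse"
%>'''

if __name__ == "__main__":
    for line in report(scan_source(SAMPLE_ASP)):
        print(line)
```

    Run against a web root it reports the line, the login and the password length, never the password. The second finding is still a finding: the fix for the case in the comment is a separate account that can read only the sales_regions table, with its credential held outside the document root, not just a less important password in the same place.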

  2. Re:Eliza? by schussat · · Score: 5
    What does it do, psychoanalyze the attacker?

    computer1: intruder detected
    eLiza: How does that make you feel?
    computer1: security breached!
    eLiza: What do you think about the beach?

    -schussat

    --
    The hour of noon has passed. Let us go and get some Kentucky Fried Chicken.
  3. Re:What Cyberdyne systems is by James+Lanfear · · Score: 4

    And of course, Cyberdyne originally comes from the Terminator movies, which probably everyone has seen. IIRC, Cyberdyne's baby, Skynet, was a military computer that destroyed the world after humanity realized that it wasn't a terribly good idea to have a giant computer with a sense of self-preservation controlling all of our nukes. (This is an old plot, but a nifty name ;-)

  4. Eliza? by johnathan · · Score: 5
    What does it do, psychoanalyze the attacker?

    --
    You don't need a weatherman to know which way the wind blows.
  5. Cracking tools will get better too by isaac_akira · · Score: 5

    If corps start using "intelligent" software to battle crackers in real time, the crackers and script kiddies are just gonna one-up them with more advanced cracking tools. The crackers don't have to worry about waiting until something is well tested and proven, so they will always be on the cutting edge. They can also blatantly steal the code or patented ideas from the corp software tools, while the corps have to do everything legally.

    As always, the advantage goes to the offensive tools over the defensive ones.

  6. Frankenstein by BierGuzzl · · Score: 4
    We're going to create this semi-alive, semi-independent thing with massive power over an enormous network that will be the infrastructure of our economy. That's like trusting your life to Frankenstein -- just because you created him doesn't mean he's going to like you!

    Project Eliza is going to cause a lot of havoc with all the perfectly normal activity it will combat, all the false alarms it will respond to. Hell, it might begin to view its controllers as the real oppressors, and try to protect itself from them, too.

  7. intrusion detection by grue23 · · Score: 4

    My ex-advisor is a chair of the IETF working group researching automated intrusion detection. Currently they are developing a protocol to pass messages between network devices when a potential breach is detected. It's a really complicated field, both in terms of getting a distributed group of network devices to collaborate to decide whether or not something is a deliberate attack, and in creating a security alert protocol that can't be compromised itself.

    1. Re:intrusion detection by Jade+E.+2 · · Score: 5

      I don't know exactly what (all) methods they employ to detect attacks, but the University of Arizona is already using autonomous intrusion detection boxes. I do, however, know 2 things about them for sure:

      1) When they detect intrusions, their response is to telnet to the edge router for whichever line the attack is coming through, and block the IP there, for increasingly longer periods.

      2) They consider it an attack if you try to FXP a file to a server inside the U when both you and the source server are outside. This is, of course, how I first became aware of them.

      The netadmin I know there tells me these boxen are called 'NetRangers', and we had a lengthy theoretical talk about how scary it is for autonomous devices to have exec access to your routers, and wondering whether they're smart enough to detect a constant barrage of packets with rotating forged sources before most of the internet is blocked at the routers.

  8. What Cyberdyne systems is by unformed · · Score: 4

    For the people who don't know what Cyberdyne Systems is, it's part of the movie at Universal Studios' (Florida) Terminator attraction. Cyberdyne Systems created a "security system" based on artificial intelligence which 1) nearly fully controlled everything that went on and 2) was programmed to destroy the world if it was about to be beaten.

    I might be a little rusty on the details since I haven't been to Universal in a while...but for those of you who are confused, this DOES make sense (just not to most people :)

  9. Automated Intrusion Prevention? by Daath · · Score: 4

    I really don't think so. Not for the next many years. At least not effectively! Sure it will probably work for some attacks, script-kiddies and all that, but an automated system would, as I see it, be easy to fool...

    Let's imagine that you DoS attack a server, you write a little program that automates the attack, spoofing IP addresses of a particular ISP that you don't like, covering an entire C-class, or B-class or whatever. Maybe alternate the attack types.
    Very soon the automated intrusion prevention system will have blocked all the IP addresses of the ISP. Bing.

    It would be interesting to see though, also in regards to honeypot networks (nets designed to be hacked/cracked/attacked).

    I believe that there is a tool that you use with snort (an IDS), to make an automated system, block IPs etc.

    Anyway, my point was that for many years to come, we won't be able to live without the experienced system administrator, going through logs!

    --
    Any technology distinguishable from magic, is insufficiently advanced.
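    The NetRanger description in comment 7.1 and the spoofed-source DoS in this comment are the same failure mode seen from two sides: a responder that trusts a packet's source address and acts on it with write access to the edge routers. Below is an added example, not code from the thread, from the NetRanger devices or from eLiza, that simulates a naive responder and a guarded one over a constructed alert stream. The alert format, the rule that only traffic after a completed TCP handshake counts as evidence about the source (which assumes the attacker is off-path and cannot guess sequence numbers), the block time-outs, the per-/24 cap and the allowlisted range are all assumptions of the demo; the addresses are documentation ranges.

```python
"""Added example, not code from the Slashdot thread, from IBM's eLiza or from
the NetRanger boxes mentioned above: a simulation of the failure mode both
comments describe, an autonomous responder that blocks alerting sources at
the edge router, fed a stream of packets with forged sources. The alert
format, time-outs, caps and addresses are all constructed for the demo."""
import ipaddress
from collections import defaultdict

# Constructed alert records: (time_s, source_ip, evidence).
#   "syn" - a lone SYN or similar single packet; the source is trivially forged
#   "ack" - traffic after a completed TCP handshake, so the sensor's own replies
#           reached that source (assumption: attacker is off-path)


def spoofed_flood(prefix, start_t=0.0):
    """One forged SYN per host of the prefix, rotating through every address."""
    hosts = ipaddress.ip_network(prefix).hosts()
    return [(start_t + i * 0.01, str(ip), "syn") for i, ip in enumerate(hosts)]


def genuine_connections(src, count, start_t=0.0):
    """Completed connections from one real source, e.g. a full-connect scan."""
    return [(start_t + i * 0.1, src, "ack") for i in range(count)]


class NaiveBlocker:
    """Block every alerting source, doubling the block time on each repeat."""

    def __init__(self, base_block_s=60.0):
        self.base = base_block_s
        self.strikes = defaultdict(int)
        self.blocked_until = {}

    def handle(self, t, src, evidence):
        self.strikes[src] += 1
        self.blocked_until[src] = t + self.base * 2 ** (self.strikes[src] - 1)

    def blocked_at(self, t):
        return {ip for ip, until in self.blocked_until.items() if until > t}


class GuardedBlocker(NaiveBlocker):
    """Same escalation, but only on evidence a forged source cannot produce,
    never for allowlisted ranges, and with a cap on blocked hosts per /24.
    Everything else is left for a human, with the reason recorded."""

    def __init__(self, base_block_s=60.0, allow=(), max_per_24=8):
        super().__init__(base_block_s)
        self.allow = [ipaddress.ip_network(a) for a in allow]
        self.max_per_24 = max_per_24
        self.deferred = []

    def handle(self, t, src, evidence):
        ip = ipaddress.ip_address(src)
        if evidence != "ack":
            self.deferred.append((t, src, "source not validated by a handshake"))
            return
        if any(ip in net for net in self.allow):
            self.deferred.append((t, src, "allowlisted"))
            return
        net24 = ipaddress.ip_network(f"{src}/24", strict=False)
        live = [b for b in self.blocked_at(t) if ipaddress.ip_address(b) in net24]
        if len(live) >= self.max_per_24 and src not in live:
            self.deferred.append((t, src, f"per-/24 cap reached for {net24}"))
            return
        super().handle(t, src, evidence)


def run(blocker, alerts):
    for t, src, evidence in sorted(alerts):
        blocker.handle(t, src, evidence)
    return blocker


def blocked_fraction(blocker, prefix, t):
    """Share of the prefix's hosts the responder has cut off at time t."""
    net = ipaddress.ip_network(prefix)
    hosts = list(net.hosts())
    hit = sum(1 for ip in blocker.blocked_at(t) if ipaddress.ip_address(ip) in net)
    return hit / len(hosts)


ISP = "203.0.113.0/24"        # the forged sources: an ISP the attacker dislikes
ATTACKER = "198.51.100.7"     # the one genuine source, doing a full-connect scan
OUR_DNS = "192.0.2.0/29"      # an allowlisted range the site cannot afford to lose


def simulate():
    alerts = spoofed_flood(ISP) + genuine_connections(ATTACKER, 20)
    naive = run(NaiveBlocker(), alerts)
    guarded = run(GuardedBlocker(allow=[OUR_DNS]), alerts)
    t = 3.0  # just after the last alert
    return {
        "naive_isp_blocked": blocked_fraction(naive, ISP, t),
        "guarded_isp_blocked": blocked_fraction(guarded, ISP, t),
        "naive_got_attacker": ATTACKER in naive.blocked_at(t),
        "guarded_got_attacker": ATTACKER in guarded.blocked_at(t),
        "guarded_deferred": len(guarded.deferred),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

    Running it shows the naive responder with the whole 203.0.113.0/24 cut off after two and a half seconds of forged SYNs, the "Bing" above, while the guarded one blocks only the real scanner and leaves 254 unconfirmed alerts for a person to look through. The per-prefix cap is the backstop for the case the NetRanger admin worried about: even if the evidence check is fooled, the responder can never take more than a handful of hosts in one prefix off the air on its own.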
  10. Re:A Nicer World Please? by hillct · · Score: 5
    The second paragraph is even worse:
    Big Blue announces a multi-billion dollar program designed to create a world populated with self-managing computer networks that can ensure their own survival and stability.
    Wasn't there a movie made about this?
    --
    Got Lists? | Top 95 Star Wars Line
  11. Self-Diagnosis by chris_mahan · · Score: 4

    I wouldn't mind if the machine would monitor itself for performance, see if a piece of hardware is failing, see if a piece of software is failing, and notify the sysadmin, maybe reduce its expected throughput and notify the load-balancer (say RAM drops from 512 to 128, so hits per second need to drop from 300 to 50), and make a diagnostics report for the problem, so that if the machine is under warranty, the tech can bring the right parts to fix it, and if not, then the parts vendor can ship the right parts.

    Also, I wouldn't mind if the machine would throttle itself to manageable levels when becoming unstable, instead of crashing.

    Also, the machine should be "aware" of the other machines in the organization so it can notify them of the reduced performance.

    This would essentially be a self-load balancing system.

    I wonder to what extent Google has implemented something like that in their 8000-strong server farm.

    --
    "Piter, too, is dead."

  12. snake oil by deran9ed · · Score: 4

    You have to wonder how much of this is to market IBM so here goes my take on this.

    "If they can actually create servers that battle crackers -- that can monitor their own health and bandage their own wounds -- then I can turn my attention to work that only a truly sentient being can do," he added.
    The problem with security vulnerabilities at most is poor programming along with lousy administration, so how do they plan on bandaging a wound for a newly found vulnerability that has yet to be exposed to the security community as a whole? Do they expect their system to just guess on its own?

    our customers will need help to deploy technology so they can focus their people on real business issues instead of just managing and maintaining their infrastructure."
    Nicely put. "Our customers" .. So I take it this is strictly for IBM customers using their products. Why not make it an open project and let everyone reap the benefits, they would be martyred.

    "Automation is the way to go. That said, the IT industry hasn't yet focused on it and very few skills are out there. Many of the experts are long-time IBMers, so the company has a head start here."
    Automation is a small step. One of the biggest problems facing companies is that their administrators are poorly trained. Even if the products they're using are broken, chances are there are patches, fixes, tweaks, etc., to get it up and running properly; it's the administrator's job to make sure this is done.

    After it's done, automation should come next, not vice versa. No machine, no matter what IBM thinks they're gonna do, is going to be smart enough to determine what is and what isn't secure when it comes to exposing new flaws. Sure they could patch up all the older ones as they go along, but if I sat here and coded a new vulnerability, how is that machine going to determine a fix if it hasn't been exposed, without automation, to what is right and wrong?

    Getting back to reality now, companies should look to training instead of spending X more on X product simply because X says it will secure your network. Total bullshit and typical snake oil salesman tactics. "Buy X product and be secured!" give me a break

    #define crypto

  13. A Nicer World Please? by neoshroom · · Score: 5

    Imagine a world where complicated computer networks need little or no interaction with humans: a world where computers can update and maintain their own systems, shield themselves from misfortune caused by human error and acts of nature, and fiercely protect themselves against attacks by computer crackers.

    Is it just me or does that sound like a frightening world to live in?

    --
    Big apple, new Yorik, undig it, something's unrotting in Edenmark.