Slashdot Mirror
Biological Network Security
mercut writes: "A friend of mine recently wrote a Guest Feature on SecurityFocus about Biological Network Security. It has some interesting implications and I thought the /. community could provide some good perspective into IDS communication and security."
pee in a cup now to use our network?
;)
I can just see it now - Bosses using this to run drug and other tests on us at the same time as we "authenticate"
Does this mean having a cadre of Winged Monkeys to despatch upon evidence of network intrusion?
"A DDOS attack coming from some script kiddie in Newark... Fly, my pretties, fly..."
mercut writes: "A friend of mine recently wrote...
Shouldn't this read "*I* recently wrote..."?
Those working with computers stand to gain a great deal from considering biology and anatomy when designing systems. Artificial Intelligence is a field where this has already been applied extensively and beneficially, with the use of genetic programming.
The human body (used here only because it's the most familiar to the average person) works. It has some problems, but the design is solid. We don't experience network downtime, and the majority of infections or intrusions we suffer are automatically dealt with. It makes sense to look to a model that's had 4 billion years to evolve- computer networks are pretty similar in function if you're not too pedantic about it.
visit the hwky website for a lyrical genius infusion.
That comment just plain sucks ass, man!
No, 3/8", but at least I can jerk off now.
Great, just what I need, for my new security system to 'isolate and sacrifice' all the Secretary's computers, noticing their computers are the ones which most viruses get onto the network with.
You can't see this if you have sigs turned off.
At this point, I think help is out of the question!
Bad spider monkey's! Bad!
or chemotherapy, for that matter...
you know, there's something to be said about targeting the immune system.
And they're all full of crap. Comparing a network to a "loving, breathing organism" is crap. You know it, I know it, everyone knows it. This is just incredibly stupid and infantile. Proprietary security software can't communicate with other proprietary security software? Right. Tell that to ISS and Checkpoint.
Absolute drivel.
.?
Comment removed based on user account deletion
but the implementation will be a bear. First there is the relatively low hurdle of standardizing communications between IDS's. The IETF has been working on such a format for a while.
The main problem, though, will be in establishing automatic systems that are able to judge "threat levels" and act accordingly. People will sign on to such a network only if it's more likely to benefit than to inconvenience them. Such a system won't be of much use if it requires human intervention every time an alert goes up, but it is notoriously difficult to program computers to take the place of simple human judgement.
So after my firewall has been exposed to MS Exchange traffic a few times it will go into anaphylactic shock?
It's nice to be liked, but it's better by far to get paid
get your rocks off here!
BULL0X0R!
see her perform some oralse.cx!
1 2 3 4 5
CVS!
it's all over the web!!
The main problem with your next step is that it relies on Joe User becoming smarter. It also completely ignores a DDoS attack. Better passwords does not stop attacks from occuring.
Computers were built to do complex things in shorter times than humans. Recognizing and acting upon those attacks seems to be a natural evolution of something computers should be doing, not relying on Joe User to get smart.
The thought that everyone will accomplish these things seems less likely than a "Biological System" being implemented.
Can you imagine the number of people who'd have to co-operate to make this happen? And it wouldn't even be possible for CONGRESS to make it happen, since the Internet is International now.
However, there is already a good amount of work done to secure the Internet - take a look at Bind 9 and its secure DNS, IPv6, ISP border address verification, etc.
The foundations of the failure of these ideas is that of "trust" - who do you trust, anyway? What happens when somebody you trust suddenly changes heart?
Following your representation of the "biological" model, can you successfully argue for "biological" home security? How many houses do you know don't lock their doors and rely on super-intelligent robots or dogs to defend them?
I thought so.
Notice that even your "biological" model breaks down for biology! Nearly every organism has skin, an exoskeleten, cellular wall, etc - in other words, a biological firewall!
These other methods work in conjunction with a good firewall, but the firewall is here to stay.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
I would say that both points are valid, a system is usually compromised by an outside person finding out INSIDE information. (passwords, p2p, trojans,) If access were locked down at the USER or NODE level then the 733t hax0r has a big box of cookies with no milk to dunk them in. That coupled with an outside defense system (firewall), trebled with a "compromised network" response (biological defense) would make a lockdown absolute.
This however gives a very false sense of security without stiff penalties for violating the security policies. Remember, security is only as secure as the *least* secure factor. or person.
http://cincyboys.blogspot.com/ Everything Cincinnati. Including the word 'Finnih'
1. The C buffer overflow problem will not be solved as long as pointer arithmetic is allowed. When computing resources were tight, it made sense to combine control and data into a single stack. Now, we are stuck with that decision. We have programming language solutions that people choose not to use (e.g., Java). Buffer overflow is no longer a technical problem; it is a social problem.
2. I agree with everything else. I think security policies and access control is the next great area for security research. There is a huge disconnect between low-level policies (e.g., file permissions) and higher-level policies (e.g, use groups). As things become more distributed, the gap will widen.
This sounds a lot like setting up neural network for defense... i seem to recall some people working on neural nets that might be applicable. http://hebb.cis.uoguelph.ca/home/ns.html
When the attacker has human-level intelligence, on the other hand, the immune system folds like a beat puppy - thus the success of poisoners. To defeat poisoners you have to harden your kitchen.
So computer immune systems are liable to work, as long as intruders are no smarter than bacteria. That oughta keep out the script kiddies, though...
You say: A really good administrator and network architect can create a secure, robust, and fully functional environment
today, right now, with off the shelf products (OpenBSD to start).
Yes, and a REALLY GOOD programmer won't have buffer overflows or memory leaks, and a REALLY GOOD secretary won't reveal private data by social engineering or click on email attachments, and a REALLY GOOD..., oh, never mind.
Any security policy that depends on the whole human race suddenly getting genetically superior to what it is now is a non-starter.
This system isn't biological, its not even artificial intelligence.
......
The proposed method of preventing a (DoS) attack by notifying your upstream provider to cut off traffic has been proposed before, and discarded as a bad idea. Imagine if I sent a bunch of messages from my workstation to my ISP which had just such a system :
"Help Help! microsoft.com is DoSsing me!"
.. and then the automated "biological" response system at my ISP acted on it, forwarded it to microsoft.com's ISP and had them cut off from the Internet. Actually, on the other hand, that might not be such a bad idea
But in all seriousness, the scope for misuse is so large that nobody would ever put this kind of system in place.
I will say that the next step isn't BNS, but rather, just actually implementing existing idea, best practices, and software.
You got that right. I have a security textbook. About 350+pages. 30 odd on encryption and such matters. The rest on organizational issues. Dumpster diving and social engineering are always a threat.
If you can pick some developer's brain for a password or pay the secretary $5K for a way in... cheaper than trying to crack a 128 bit encryption scheme. And probably more interesting because in addition to getting info on how to get in, you can get info on where what you want might be located!
Security starts with a well-thought out policy covering the organization, the employees, and the computer systems. Then the next step is implementation of those policies in a meaningful way. Passwords that are too short or easy to guess, people who write their passwords on their desk pad, employees who run anything that arrives in their inbox including viruses and trojans, etc - these are the threats to security that we have to beat before fancy shmancy AI biological and biometric systems matter a whit.
-- Mal: "Well they tell you: never hit a man with a closed fist. But it is, on occasion, hilarious."
I agree that the "universal" IDS information format will be a long time comming. It's been worked on and thought about for years, but the security corporations seem to be doing just fine on their own. In the realm of security, implementation is usually the most difficult obstacle to any solution.
While certain aspects of this idea are interesting, I think it raises several serious problems.
The currently used shorthand of this security posture is the use of active defenses such as Sentry. While useful in a remote network with a limited range of applications (read: small, and by applications, I'm talking layer7, not Word), rigidly predefined responses to certain incident conditions almost always cause trouble on a large system used for a wide variety of purposes. Even if one were to make the incident response logic near-omnipotent in its ability to respond appropriately, the openness of the standards involved would mean that any intruder would have a VERY good idea of how your systems will react to attack, to say nothing of being able to monitor the response by looking for outbound BNS traffic.
There is also another more sinister possiblity for how this type of protocol might be used. If network security structures could be organized into an "authoritative cloud" of trusted BNS devices controlling the Internet, it would provide a great way for people currently annoyed at the free exchange of information on the Internet to have a good chance of shutting it down.
Would you want to hear about legislation pending in your state government that would force your ISP to shut you down for surfing porn?
Given how easy it is to spoof traffic over the insecure IP and TCP protocols, all an attacker would have to do is spoof some attacks coming from some of AOL's IPs, and all of a sudden all AOL users can't access your site, since the CAS system told the backbone routers to block all the AOL IPs
If you use the biology metaphor, this is an alergy. Your system is reacting aggressively to something that isn't a threat.
IDSs have had the ability to configure firewall ACLs for years via OPSEC SAMP, etc., but almost no-one uses it for this very reason, it's just too easy to trick.
The real solution is to redesign the internet protocols with security in mind. Something like IPSec does a lot more than this proposes system ever would.
The one good idea the article had was centralized analysis, but as the article mentioned, this was discussed more thoroughly in a previous article on securityfocus.
Humans are always the weakest link in any security system. Adaptive system won't help if you have idiots setting them up, running and using them. Education people, education. That's what's needed.
Higher Logics: where programming meets science.
I like to stick my big cock into CmdrTaco's mouth and cum all over his face!
Semi-permeable membranes, aka firewalls. A person's skin acts as a pretty good firewall, allowing certain substances in or out and is mostly successful. It is possible to exploit it through making harmful substances appear to have the signature of allowed substances, in the same way that allowing inbound connections of any kind permits other connection types to mimic it: eg, hijacking a terminated telnet connection and sending traffic in the reverse direction. I can't think of a skin analogy for access-list allow host port established syntax, but I'm sure one exists. Firewalls thus play an important part of a biological system.
Complex system interactions. If one were to use an individual cell as an analogy for a computer network and pathways into and out of the cell as the routes through the firewall then you come close to the biological analogy proposed in the article. Note that cells do not in fact advertise that they are under attack from viruses. Other cells notice that a virus attack in underway and react accordingly, with varying degrees of success. It is this approach that would be more useful to take by analogy from biological systems and apply to the computer/network security field. The same problems exist.
Firstly there is the problem of the existing IDS not noticing an intrusion or failing to take sufficient action, such as for any biological infection which causes the death of the host. The biological solution to this is to immunise the system by exposing it to a non-lethal form of the pathogen to educate it for what to look for. A virus-scanner is a good example: Virus signature updates are the computer/network security version of immunisation.
Then there is the problem of overreaction. In a biological system this is equivalent to the so-called '20th Century Syndrome' of boy-in-bubble fame. The biological system's IDS incorrectly registers normal operations as an intrusion and acts as it would for a normal intrusion, causing illness or death. This is a 'false-positive' reaction and is even more likely in a poorly designed IDS. As an example, reference the number of false positives generated by end users who install ZoneAlarm or equivalent personal firewalls. This is the same 'Microsoft is DoS-ing me!' argument mentioned by another respondent.
So, the analogy has merit, but is poorly expressed in the article. I wish to point out that the main advance in IDS and security in general is not the establishment of a new analogy, paradigm or any other buzzword. I believe there are two key aspects that become increasingly important:
1. Correctness of implementation. This is fixing inherent security problems that allow infection to occur. This requires hardening of software, systems and networks. Most people in the field acknowledge this to be true.
2. Greater correlation. This is the ability to more correctly diagnose likely causes from symptoms. The security administrator becomes the highly trained doctor, using knowledge gained from analysis of known pathogens, methods of attack and problems inherent in existing symptoms and uses this knowledge to faster and more accurately diagnose root causes, and prescribe a solution. The use of tools, preferably automated, greatly increase the effectiveness of this approach. I believe it is in this area that the greatest advances have yet to occur.
Just because you're paranoid doesn't mean they're NOT after you.
I like it when cmdrtaco bitchslaps MY ASS!!
IDS taking actions is a very complex issue. Most of our IDS nowadays are based on signature detection. It is not 100% accurate, it can detect false positive or can miss attacks that are not signature based (I actually wrote my SANS GCIA paper on one of these non-signature based attacks)
IDS triggered action is not safe at all, it could cause unnecessary DoS to unintended target if IDS ever gets too smart.
The best solution with todays technology is still active alert (even better at real time) and have analysis by human to determine whether there was actually an attack.
Remeber, a lot of traffic is stange but there might be a legitimate reason behind it. Anyone remeber the faulty router at daemon.net?
This however gives a very false sense of security without stiff penalties for violating the security policies.
IMO, this is a key point that was almost completely ignored in the article, but I would apply it at the societal level. Since technological threats are created by humans, an effective defense strategy must include a deterrent (e.g. criminal prosecution) as well as a response. One of the tricky parts is that in order for this to work, the deterrent must be credible - investigation and prosecution must be a matter of course, and this must apply across national boundaries. Given the emerging definition of terrorism, we may well see this happen in the next decade. Of course, then we'll find ourselves faced with another tricky issue - where to draw the line. What constitutes malevolence vs. research, attack vs. investigation, prevention vs. tyranny? These are questions we already are starting to ask, but they will need to be answered before any effective deterrent can be implemented.
IDS and biological security are neat but it will be quite some time before they can be deployed on a large network. The reason: bandwidth. If you read the article and look at the included architecture diagram, this should be obvious. To make IDS work, your IDS device must, at a minimum, see all of the incoming ("dirty") traffic on your network. If you have anything more than a single T3 coming in, the amount of data to be analyzed is just too great. Correct me if I'm wrong but is there any machine which is capable of analyzing (in real time, mind you) 150+Mbit/sec of traffic? In addition to monitoring this traffic, a true IDS needs to look for patterns and signatures over a period of time. The processor and storage requirements for this sort of thing are just too enormous.
Chris
Oh well.
I thought that this was the story of Ping?
Some are getting too hung up on carrying the biological metaphor too far. There is no way these systems can, in the short term, be anywhere near as complicated as that of a living system. But neither do they have do be, since the environment in which it operates is vastly less complicated than the physical world. Past success in applying simplistic biological models (GAs, etc) to limited domains seems very encouraging to me.
This link might give some good reading:
http://www.cs.unm.edu/~immsec/
The problem with DDOS-attacks is that theoretically you can't really distinguish them from real connection attempts. Sure, today most DDOS attacks follow a simple pattern which are relatively easy to discover. But what if i managed to take control of a few thousand ramdomly placed (AS-wise) DSL's with M$ or something and then sent lots of "valid" requests from those clients? The pattern of the DDOS attack would not be much different from the packet storms of 11'th sept. towards the newssites...
//MC
Couldn't get past this "...Initially, little consideration was given to network security,...
:: INTERNET.
"little?"
What is this guy talking about? I've seen this kind before. Their facts are fudged in the 1st few sentences.
As an example, the decentralized design of ARPARNET then later on the Internet had lot of security in mind.
MILITARY(read security) + SCIENCE/ENGINEERING (read brains) = ARPARNET
You can only secure yourself for known forms of atack. In the begging of the internet, as far as I know, were indeed very insecure, since no one never thougth of atacks coming from the network. The intenet began to be secured after the first worm were made that was realy a great-grand-father of the nimda that used a combination of shell scripts and compiled code to propagate and installing it self and it did propageted as fast as wild fire, the net was almost shuted down because of it. After that the net wasn't safe anymore.
Careless? No, I don't think so. You simply can't prevent something that yuo don't even know where it is coming from. No one would think to protect a city against a comercial airplane, now I bet people think about that, rather seriously.
[]'s Victor Bogado da Silva Lins
^[:wq
It's a concept that has existed in Frame Relay/ATM, for example, for a decade (at least on StrataCom/Cisco) equipment. They use an algorithm called ForeSight(tm) on their core switches to throttle VC traffic in the case of congestion at the source. This later evolved into the ATM ABR standard, with input from other vendors.
In this type of automatic "biological" response, as long as no other traffic is attempting to use the bandwidth, the activity is permitted (who knows, it could be a "normal burst"). When other traffic is active, the offender is throttled back to to the source to its minimum rate.
While it doesn't stop the problem, it makes the offender ineffective at impacting service. As a result, it's no longer a "denial of service". Some more information on ForeSight and ABR in this whitepaper. The functionality predates the BPX product mentioned in the whitepaper (the StrataCom IPX had it), but that's before Cisco purchased StrataCom.
Frame and ATM are "session oriented"; a PVC or SVC defined the communications along a path, so it's easy to define the parameters to control traffic characteristics. I'm not that familiar with IP QOS; is there an equivalent functionality that would apply? If so, could the problem be solved by making the attack "unattractive" (nondisruptive)?
Can You Say Linux? I Knew That You Could.
Fulfill all your sick sexual needs here!
ok we all know about irises and fingerprnts. seriously could some medical scientist tell us whether the size shape length ( or depth) of relatively private body parts are useful in uniquely identifying individuals( men and women both). it can be non invasive and safe if ultrasound scanners are used. how would you even know theyre measuring the length from the cervix to the outside, for instance. these cant be faked easily, can they?
What would prevent a user of a LAN that a CAS is on from spoofing the CAS' IP address and sending a false alarm flying to every corner of the net?
I like his anology of firewall more:
To protect a city and its occupants a wall was built around the city, with a few gates provided
to allow regulated access. If a city was conquered, the walls were simply rebuilt higher and wider. This is much the same approach people are taking with Firewalls; and ultimately it is ignoring the true problem,
In this anology there are more solutions. Some city's make countries. (ISP buy each other). cities contain houses.(and each house has his own front door). etc etc. The segmentation is comparable to WAN country.
If someone find a generic key to a house he can be fenced off at the firewall (be it at ISP/LAN/MACHINE level).
Does this help: yes, more and more filters are implemented by ISP's, windows XP contains its own filerwall, Firewalls ge to know more and more about the traffic they let trhough.
Even real countries (china) are firewalled completely).
And if a firewall goes down, a bigger wall is made (including .
I agree the author is wrong. Not to be too much of a "me too post" but I would like to add a single comment. The author discusses security systems communicating to form better network security. To me, this just makes that communication a target. Once you infiltrate a security node, you have the network it secures through that very mechanism.
In fact, the author likes the idea of using XML. I would prefer something encrypted to say the least. But the system outlined sounds much less secure. I mean comparing it to the human body (as was done before) that means we should get rid of the skin and trust our immune system. And we should not worry because digital AIDS will never be developed by malicious programmers.
LOL... okay. Think on this for a moment (being an IT folk myself and self realized, I can say this). Biological network security... based on our bodies (normally pasty, out of shape, even fat) and what we input into our biological systems (booze, drugs, junk food) I am not sure we need to be dabbling in anything of a biological design nature since we can't even handle the one system we already own and that is so important. :p