Slashdot Mirror
Biological Network Security
mercut writes: "A friend of mine recently wrote a Guest Feature on SecurityFocus about Biological Network Security. It has some interesting implications and I thought the /. community could provide some good perspective into IDS communication and security."
Does this mean having a cadre of Winged Monkeys to despatch upon evidence of network intrusion?
"A DDOS attack coming from some script kiddie in Newark... Fly, my pretties, fly..."
Those working with computers stand to gain a great deal from considering biology and anatomy when designing systems. Artificial Intelligence is a field where this has already been applied extensively and beneficially, with the use of genetic programming.
The human body (used here only because it's the most familiar to the average person) works. It has some problems, but the design is solid. We don't experience network downtime, and the majority of infections or intrusions we suffer are automatically dealt with. It makes sense to look to a model that's had 4 billion years to evolve- computer networks are pretty similar in function if you're not too pedantic about it.
visit the hwky website for a lyrical genius infusion.
Great, just what I need, for my new security system to 'isolate and sacrifice' all the Secretary's computers, noticing their computers are the ones which most viruses get onto the network with.
You can't see this if you have sigs turned off.
or chemotherapy, for that matter...
you know, there's something to be said about targeting the immune system.
No, but it gives "ping of death" a whole new meaning.
Comment removed based on user account deletion
but the implementation will be a bear. First there is the relatively low hurdle of standardizing communications between IDS's. The IETF has been working on such a format for a while.
The main problem, though, will be in establishing automatic systems that are able to judge "threat levels" and act accordingly. People will sign on to such a network only if it's more likely to benefit than to inconvenience them. Such a system won't be of much use if it requires human intervention every time an alert goes up, but it is notoriously difficult to program computers to take the place of simple human judgement.
The main problem with your next step is that it relies on Joe User becoming smarter. It also completely ignores a DDoS attack. Better passwords does not stop attacks from occuring.
Computers were built to do complex things in shorter times than humans. Recognizing and acting upon those attacks seems to be a natural evolution of something computers should be doing, not relying on Joe User to get smart.
The thought that everyone will accomplish these things seems less likely than a "Biological System" being implemented.
Can you imagine the number of people who'd have to co-operate to make this happen? And it wouldn't even be possible for CONGRESS to make it happen, since the Internet is International now.
However, there is already a good amount of work done to secure the Internet - take a look at Bind 9 and its secure DNS, IPv6, ISP border address verification, etc.
The foundations of the failure of these ideas is that of "trust" - who do you trust, anyway? What happens when somebody you trust suddenly changes heart?
Following your representation of the "biological" model, can you successfully argue for "biological" home security? How many houses do you know don't lock their doors and rely on super-intelligent robots or dogs to defend them?
I thought so.
Notice that even your "biological" model breaks down for biology! Nearly every organism has skin, an exoskeleten, cellular wall, etc - in other words, a biological firewall!
These other methods work in conjunction with a good firewall, but the firewall is here to stay.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
I would say that both points are valid, a system is usually compromised by an outside person finding out INSIDE information. (passwords, p2p, trojans,) If access were locked down at the USER or NODE level then the 733t hax0r has a big box of cookies with no milk to dunk them in. That coupled with an outside defense system (firewall), trebled with a "compromised network" response (biological defense) would make a lockdown absolute.
This however gives a very false sense of security without stiff penalties for violating the security policies. Remember, security is only as secure as the *least* secure factor. or person.
http://cincyboys.blogspot.com/ Everything Cincinnati. Including the word 'Finnih'
1. The C buffer overflow problem will not be solved as long as pointer arithmetic is allowed. When computing resources were tight, it made sense to combine control and data into a single stack. Now, we are stuck with that decision. We have programming language solutions that people choose not to use (e.g., Java). Buffer overflow is no longer a technical problem; it is a social problem.
2. I agree with everything else. I think security policies and access control is the next great area for security research. There is a huge disconnect between low-level policies (e.g., file permissions) and higher-level policies (e.g, use groups). As things become more distributed, the gap will widen.
When the attacker has human-level intelligence, on the other hand, the immune system folds like a beat puppy - thus the success of poisoners. To defeat poisoners you have to harden your kitchen.
So computer immune systems are liable to work, as long as intruders are no smarter than bacteria. That oughta keep out the script kiddies, though...
Well, if you're saying that your system is already flawed. Anaphalectic shock is produced when an antigen accepting compound, which usually attracts killer cells, attaches to the killer cell and then does sort of a "wish bone" effect, tearing open the killer cells and releasing the poison intended for the antigens into your body. So, I guess if you mean that your system's AI is flawed, then yes, your system could go into shock.
Sorry I replied in such a terrible manner to an obvious joke. But anaphalactic shock is most certainly caused by inherent flaws in the auto-immune system and not so much as the attacking organisms.
http://cincyboys.blogspot.com/ Everything Cincinnati. Including the word 'Finnih'
You say: A really good administrator and network architect can create a secure, robust, and fully functional environment
today, right now, with off the shelf products (OpenBSD to start).
Yes, and a REALLY GOOD programmer won't have buffer overflows or memory leaks, and a REALLY GOOD secretary won't reveal private data by social engineering or click on email attachments, and a REALLY GOOD..., oh, never mind.
Any security policy that depends on the whole human race suddenly getting genetically superior to what it is now is a non-starter.
I will say that the next step isn't BNS, but rather, just actually implementing existing idea, best practices, and software.
You got that right. I have a security textbook. About 350+pages. 30 odd on encryption and such matters. The rest on organizational issues. Dumpster diving and social engineering are always a threat.
If you can pick some developer's brain for a password or pay the secretary $5K for a way in... cheaper than trying to crack a 128 bit encryption scheme. And probably more interesting because in addition to getting info on how to get in, you can get info on where what you want might be located!
Security starts with a well-thought out policy covering the organization, the employees, and the computer systems. Then the next step is implementation of those policies in a meaningful way. Passwords that are too short or easy to guess, people who write their passwords on their desk pad, employees who run anything that arrives in their inbox including viruses and trojans, etc - these are the threats to security that we have to beat before fancy shmancy AI biological and biometric systems matter a whit.
-- Mal: "Well they tell you: never hit a man with a closed fist. But it is, on occasion, hilarious."
I agree that the "universal" IDS information format will be a long time comming. It's been worked on and thought about for years, but the security corporations seem to be doing just fine on their own. In the realm of security, implementation is usually the most difficult obstacle to any solution.
Given how easy it is to spoof traffic over the insecure IP and TCP protocols, all an attacker would have to do is spoof some attacks coming from some of AOL's IPs, and all of a sudden all AOL users can't access your site, since the CAS system told the backbone routers to block all the AOL IPs
If you use the biology metaphor, this is an alergy. Your system is reacting aggressively to something that isn't a threat.
IDSs have had the ability to configure firewall ACLs for years via OPSEC SAMP, etc., but almost no-one uses it for this very reason, it's just too easy to trick.
The real solution is to redesign the internet protocols with security in mind. Something like IPSec does a lot more than this proposes system ever would.
The one good idea the article had was centralized analysis, but as the article mentioned, this was discussed more thoroughly in a previous article on securityfocus.
Humans are always the weakest link in any security system. Adaptive system won't help if you have idiots setting them up, running and using them. Education people, education. That's what's needed.
Higher Logics: where programming meets science.
Semi-permeable membranes, aka firewalls. A person's skin acts as a pretty good firewall, allowing certain substances in or out and is mostly successful. It is possible to exploit it through making harmful substances appear to have the signature of allowed substances, in the same way that allowing inbound connections of any kind permits other connection types to mimic it: eg, hijacking a terminated telnet connection and sending traffic in the reverse direction. I can't think of a skin analogy for access-list allow host port established syntax, but I'm sure one exists. Firewalls thus play an important part of a biological system.
Complex system interactions. If one were to use an individual cell as an analogy for a computer network and pathways into and out of the cell as the routes through the firewall then you come close to the biological analogy proposed in the article. Note that cells do not in fact advertise that they are under attack from viruses. Other cells notice that a virus attack in underway and react accordingly, with varying degrees of success. It is this approach that would be more useful to take by analogy from biological systems and apply to the computer/network security field. The same problems exist.
Firstly there is the problem of the existing IDS not noticing an intrusion or failing to take sufficient action, such as for any biological infection which causes the death of the host. The biological solution to this is to immunise the system by exposing it to a non-lethal form of the pathogen to educate it for what to look for. A virus-scanner is a good example: Virus signature updates are the computer/network security version of immunisation.
Then there is the problem of overreaction. In a biological system this is equivalent to the so-called '20th Century Syndrome' of boy-in-bubble fame. The biological system's IDS incorrectly registers normal operations as an intrusion and acts as it would for a normal intrusion, causing illness or death. This is a 'false-positive' reaction and is even more likely in a poorly designed IDS. As an example, reference the number of false positives generated by end users who install ZoneAlarm or equivalent personal firewalls. This is the same 'Microsoft is DoS-ing me!' argument mentioned by another respondent.
So, the analogy has merit, but is poorly expressed in the article. I wish to point out that the main advance in IDS and security in general is not the establishment of a new analogy, paradigm or any other buzzword. I believe there are two key aspects that become increasingly important:
1. Correctness of implementation. This is fixing inherent security problems that allow infection to occur. This requires hardening of software, systems and networks. Most people in the field acknowledge this to be true.
2. Greater correlation. This is the ability to more correctly diagnose likely causes from symptoms. The security administrator becomes the highly trained doctor, using knowledge gained from analysis of known pathogens, methods of attack and problems inherent in existing symptoms and uses this knowledge to faster and more accurately diagnose root causes, and prescribe a solution. The use of tools, preferably automated, greatly increase the effectiveness of this approach. I believe it is in this area that the greatest advances have yet to occur.
Just because you're paranoid doesn't mean they're NOT after you.
This however gives a very false sense of security without stiff penalties for violating the security policies.
IMO, this is a key point that was almost completely ignored in the article, but I would apply it at the societal level. Since technological threats are created by humans, an effective defense strategy must include a deterrent (e.g. criminal prosecution) as well as a response. One of the tricky parts is that in order for this to work, the deterrent must be credible - investigation and prosecution must be a matter of course, and this must apply across national boundaries. Given the emerging definition of terrorism, we may well see this happen in the next decade. Of course, then we'll find ourselves faced with another tricky issue - where to draw the line. What constitutes malevolence vs. research, attack vs. investigation, prevention vs. tyranny? These are questions we already are starting to ask, but they will need to be answered before any effective deterrent can be implemented.
IDS and biological security are neat but it will be quite some time before they can be deployed on a large network. The reason: bandwidth. If you read the article and look at the included architecture diagram, this should be obvious. To make IDS work, your IDS device must, at a minimum, see all of the incoming ("dirty") traffic on your network. If you have anything more than a single T3 coming in, the amount of data to be analyzed is just too great. Correct me if I'm wrong but is there any machine which is capable of analyzing (in real time, mind you) 150+Mbit/sec of traffic? In addition to monitoring this traffic, a true IDS needs to look for patterns and signatures over a period of time. The processor and storage requirements for this sort of thing are just too enormous.
Chris
You can only secure yourself for known forms of atack. In the begging of the internet, as far as I know, were indeed very insecure, since no one never thougth of atacks coming from the network. The intenet began to be secured after the first worm were made that was realy a great-grand-father of the nimda that used a combination of shell scripts and compiled code to propagate and installing it self and it did propageted as fast as wild fire, the net was almost shuted down because of it. After that the net wasn't safe anymore.
Careless? No, I don't think so. You simply can't prevent something that yuo don't even know where it is coming from. No one would think to protect a city against a comercial airplane, now I bet people think about that, rather seriously.
[]'s Victor Bogado da Silva Lins
^[:wq
It's a concept that has existed in Frame Relay/ATM, for example, for a decade (at least on StrataCom/Cisco) equipment. They use an algorithm called ForeSight(tm) on their core switches to throttle VC traffic in the case of congestion at the source. This later evolved into the ATM ABR standard, with input from other vendors.
In this type of automatic "biological" response, as long as no other traffic is attempting to use the bandwidth, the activity is permitted (who knows, it could be a "normal burst"). When other traffic is active, the offender is throttled back to to the source to its minimum rate.
While it doesn't stop the problem, it makes the offender ineffective at impacting service. As a result, it's no longer a "denial of service". Some more information on ForeSight and ABR in this whitepaper. The functionality predates the BPX product mentioned in the whitepaper (the StrataCom IPX had it), but that's before Cisco purchased StrataCom.
Frame and ATM are "session oriented"; a PVC or SVC defined the communications along a path, so it's easy to define the parameters to control traffic characteristics. I'm not that familiar with IP QOS; is there an equivalent functionality that would apply? If so, could the problem be solved by making the attack "unattractive" (nondisruptive)?
Can You Say Linux? I Knew That You Could.