Slashdot Mirror
Biological Network Security
mercut writes: "A friend of mine recently wrote a Guest Feature on SecurityFocus about Biological Network Security. It has some interesting implications and I thought the /. community could provide some good perspective into IDS communication and security."
Does this mean having a cadre of Winged Monkeys to despatch upon evidence of network intrusion?
"A DDOS attack coming from some script kiddie in Newark... Fly, my pretties, fly..."
Those working with computers stand to gain a great deal from considering biology and anatomy when designing systems. Artificial Intelligence is a field where this has already been applied extensively and beneficially, with the use of genetic programming.
The human body (used here only because it's the most familiar to the average person) works. It has some problems, but the design is solid. We don't experience network downtime, and the majority of infections or intrusions we suffer are automatically dealt with. It makes sense to look to a model that's had 4 billion years to evolve- computer networks are pretty similar in function if you're not too pedantic about it.
visit the hwky website for a lyrical genius infusion.
Great, just what I need, for my new security system to 'isolate and sacrifice' all the Secretary's computers, noticing their computers are the ones which most viruses get onto the network with.
You can't see this if you have sigs turned off.
Comment removed based on user account deletion
but the implementation will be a bear. First there is the relatively low hurdle of standardizing communications between IDS's. The IETF has been working on such a format for a while.
The main problem, though, will be in establishing automatic systems that are able to judge "threat levels" and act accordingly. People will sign on to such a network only if it's more likely to benefit than to inconvenience them. Such a system won't be of much use if it requires human intervention every time an alert goes up, but it is notoriously difficult to program computers to take the place of simple human judgement.
Can you imagine the number of people who'd have to co-operate to make this happen? And it wouldn't even be possible for CONGRESS to make it happen, since the Internet is International now.
However, there is already a good amount of work done to secure the Internet - take a look at Bind 9 and its secure DNS, IPv6, ISP border address verification, etc.
The foundations of the failure of these ideas is that of "trust" - who do you trust, anyway? What happens when somebody you trust suddenly changes heart?
Following your representation of the "biological" model, can you successfully argue for "biological" home security? How many houses do you know don't lock their doors and rely on super-intelligent robots or dogs to defend them?
I thought so.
Notice that even your "biological" model breaks down for biology! Nearly every organism has skin, an exoskeleten, cellular wall, etc - in other words, a biological firewall!
These other methods work in conjunction with a good firewall, but the firewall is here to stay.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
I would say that both points are valid, a system is usually compromised by an outside person finding out INSIDE information. (passwords, p2p, trojans,) If access were locked down at the USER or NODE level then the 733t hax0r has a big box of cookies with no milk to dunk them in. That coupled with an outside defense system (firewall), trebled with a "compromised network" response (biological defense) would make a lockdown absolute.
This however gives a very false sense of security without stiff penalties for violating the security policies. Remember, security is only as secure as the *least* secure factor. or person.
http://cincyboys.blogspot.com/ Everything Cincinnati. Including the word 'Finnih'
1. The C buffer overflow problem will not be solved as long as pointer arithmetic is allowed. When computing resources were tight, it made sense to combine control and data into a single stack. Now, we are stuck with that decision. We have programming language solutions that people choose not to use (e.g., Java). Buffer overflow is no longer a technical problem; it is a social problem.
2. I agree with everything else. I think security policies and access control is the next great area for security research. There is a huge disconnect between low-level policies (e.g., file permissions) and higher-level policies (e.g, use groups). As things become more distributed, the gap will widen.
When the attacker has human-level intelligence, on the other hand, the immune system folds like a beat puppy - thus the success of poisoners. To defeat poisoners you have to harden your kitchen.
So computer immune systems are liable to work, as long as intruders are no smarter than bacteria. That oughta keep out the script kiddies, though...
Given how easy it is to spoof traffic over the insecure IP and TCP protocols, all an attacker would have to do is spoof some attacks coming from some of AOL's IPs, and all of a sudden all AOL users can't access your site, since the CAS system told the backbone routers to block all the AOL IPs
If you use the biology metaphor, this is an alergy. Your system is reacting aggressively to something that isn't a threat.
IDSs have had the ability to configure firewall ACLs for years via OPSEC SAMP, etc., but almost no-one uses it for this very reason, it's just too easy to trick.
The real solution is to redesign the internet protocols with security in mind. Something like IPSec does a lot more than this proposes system ever would.
The one good idea the article had was centralized analysis, but as the article mentioned, this was discussed more thoroughly in a previous article on securityfocus.
Humans are always the weakest link in any security system. Adaptive system won't help if you have idiots setting them up, running and using them. Education people, education. That's what's needed.
Higher Logics: where programming meets science.
Semi-permeable membranes, aka firewalls. A person's skin acts as a pretty good firewall, allowing certain substances in or out and is mostly successful. It is possible to exploit it through making harmful substances appear to have the signature of allowed substances, in the same way that allowing inbound connections of any kind permits other connection types to mimic it: eg, hijacking a terminated telnet connection and sending traffic in the reverse direction. I can't think of a skin analogy for access-list allow host port established syntax, but I'm sure one exists. Firewalls thus play an important part of a biological system.
Complex system interactions. If one were to use an individual cell as an analogy for a computer network and pathways into and out of the cell as the routes through the firewall then you come close to the biological analogy proposed in the article. Note that cells do not in fact advertise that they are under attack from viruses. Other cells notice that a virus attack in underway and react accordingly, with varying degrees of success. It is this approach that would be more useful to take by analogy from biological systems and apply to the computer/network security field. The same problems exist.
Firstly there is the problem of the existing IDS not noticing an intrusion or failing to take sufficient action, such as for any biological infection which causes the death of the host. The biological solution to this is to immunise the system by exposing it to a non-lethal form of the pathogen to educate it for what to look for. A virus-scanner is a good example: Virus signature updates are the computer/network security version of immunisation.
Then there is the problem of overreaction. In a biological system this is equivalent to the so-called '20th Century Syndrome' of boy-in-bubble fame. The biological system's IDS incorrectly registers normal operations as an intrusion and acts as it would for a normal intrusion, causing illness or death. This is a 'false-positive' reaction and is even more likely in a poorly designed IDS. As an example, reference the number of false positives generated by end users who install ZoneAlarm or equivalent personal firewalls. This is the same 'Microsoft is DoS-ing me!' argument mentioned by another respondent.
So, the analogy has merit, but is poorly expressed in the article. I wish to point out that the main advance in IDS and security in general is not the establishment of a new analogy, paradigm or any other buzzword. I believe there are two key aspects that become increasingly important:
1. Correctness of implementation. This is fixing inherent security problems that allow infection to occur. This requires hardening of software, systems and networks. Most people in the field acknowledge this to be true.
2. Greater correlation. This is the ability to more correctly diagnose likely causes from symptoms. The security administrator becomes the highly trained doctor, using knowledge gained from analysis of known pathogens, methods of attack and problems inherent in existing symptoms and uses this knowledge to faster and more accurately diagnose root causes, and prescribe a solution. The use of tools, preferably automated, greatly increase the effectiveness of this approach. I believe it is in this area that the greatest advances have yet to occur.
Just because you're paranoid doesn't mean they're NOT after you.
IDS and biological security are neat but it will be quite some time before they can be deployed on a large network. The reason: bandwidth. If you read the article and look at the included architecture diagram, this should be obvious. To make IDS work, your IDS device must, at a minimum, see all of the incoming ("dirty") traffic on your network. If you have anything more than a single T3 coming in, the amount of data to be analyzed is just too great. Correct me if I'm wrong but is there any machine which is capable of analyzing (in real time, mind you) 150+Mbit/sec of traffic? In addition to monitoring this traffic, a true IDS needs to look for patterns and signatures over a period of time. The processor and storage requirements for this sort of thing are just too enormous.
Chris
You can only secure yourself for known forms of atack. In the begging of the internet, as far as I know, were indeed very insecure, since no one never thougth of atacks coming from the network. The intenet began to be secured after the first worm were made that was realy a great-grand-father of the nimda that used a combination of shell scripts and compiled code to propagate and installing it self and it did propageted as fast as wild fire, the net was almost shuted down because of it. After that the net wasn't safe anymore.
Careless? No, I don't think so. You simply can't prevent something that yuo don't even know where it is coming from. No one would think to protect a city against a comercial airplane, now I bet people think about that, rather seriously.
[]'s Victor Bogado da Silva Lins
^[:wq