Slashdot Mirror


Internet Immunization

xav_jones writes "Nature.com reports on computer experts from Israel who are proposing a different strategy for combating fast-spreading worms and viruses -- one in which the fix can, theoretically, keep up with or stay ahead of the malicious code. They 'propose a system in which a few honeypot computers lie in wait for viruses. These computers run automated software that first identifies the virus, and then sends out its signature across the Internet. This enables a sentinel program on all the other computers in the network to identify the virus and bar it before it can attack them.' The honeypot computers would reside in a secure, dedicated network. For 'roughly 200 million computers ... [with] just 800,000 [(0.004%)] of them acting as honeypots [it] would restrict a viral outbreak to 2,000 machines.'"

10 of 229 comments

  1. Re:Huh?!? by Wesley+Felter · · Score: 2, Informative

    A honeypot needs to get infected and then not spread that infection to other computers. Thus it needs a kind of "roach motel security": malware checks in, but it doesn't check out.

  2. Re:A fine idea . . . by TubeSteak · · Score: 2, Informative
    However, he points out that someone would still need to run the honeypot computers, and it is not clear how to secure the wormholes so that only antiviral agents can use them. "These virus writers are smart guys, and they could find a way to attack the parallel network itself," he cautions.
    Yea, they realize that.
    --
    [Fuck Beta]
    o0t!
  3. Re:WOW by baryon351 · · Score: 3, Informative

    > Seems like rational ideas are just an illusion nowadays

    Seems like good math skills are too. 800,000 computers out of 200 million is WAY more than 0.004% as the summary stated.

    Someone is off by a couple orders of magnitude. Much closer to half a percent.

  4. Already In Place by Anonymous Coward · · Score: 3, Informative

    Symantec, at least, already has a network like this in place and it has been in place for several years. I believe other companies do as well.

  5. Re:Why not do this with the human body? by Anonymous Coward · · Score: 1, Informative
    You're just describing automated immunization, aren't you? In any case, one answer to why this wouldn't be so useful is found in the post above:

    Virus writers will just add mutational code to their virus, so each instance of infection will have a unique signature.

    You can't effectively immunize against HIV, for example, because it's always changing.

  6. Re:WOW by Anonymous Coward · · Score: 5, Informative

    You're a teacher? It's not 0.004%, it's 0.004. 0.004% is actually 0.00004. Come back when you've had a little Excel training maybe.

  7. Why honeypots? Use DShield! by jgaynor · · Score: 2, Informative

    This is a fine idea, and one that could be done at little cost save for the 'global honeypot network' part. Why not use info from an existing distributed log source like Dshield?

  8. Vigilante by saikatguha266 · · Score: 2, Informative

    The article in the story doesn't seem to mention existing work in the same area. This approach has already been proposed, evaluated and peer-reviewed in the top networking conference (SIGCOMM'04) [1] and the top Operating Systems conference (SOSP'05) [2]. The existing approach was proposed by Microsoft Research and is called Vigilante.

    They find that it is possible to quickly detect worms automatically, construct automatic filters for just the worm and not benign traffic, and distribute it quickly to vulnerable hosts in a secure, non-forgeable way.

    [1] http://portal.acm.org/citation.cfm?id=1095809.1095824
    [2] http://research.microsoft.com/research/pubs/view.aspx?type=Publication&id=1483

  9. nothing new by ezelkow1 · · Score: 2, Informative

    After attending a talk given by Niels Provos, creator of Honeyd, he showed this exact thing 3 months ago. He set up multiple honeyd nets all showing the same possible exploit holes to try and capture spyware and virii and then issue patches if these holes were found on the rest of the system, and showed that with the right amount of machines it can be done effectively. These guys seem to just be copying his research verbatim.

  10. Not a load of dung, just expensive by Sangui5 · · Score: 4, Informative

    There are a lot of techniques to do automatic identification of viruses, the problem is that they are too expensive for everyday use--your programs run 40x slower or worse. Below is a selection (small and randomly generated) of related work.

    Mostly, you need to do extensive monitoring of what your program is doing, and look for out-of-bound writes (e.g. buffer overflows/stack smashing), or do taint analysis (that is, don't execute or make "important" decisions based on data "tainted" from an untrusted source). But this requires performing many analysis operations for every "real" operation, so it isn't feasible to do everywhere.

    Just google the titles for electronic copies.

    Kreibich, C., and Crowcroft, J. Honeycomb - creating intrusion detection signatures using honeypots. In HotNets (Nov. 2003).

    Kim, H., and Karp, B. Autograph: Toward automated, distributed worm signature detection. In USENIX Security Symposium (Aug. 2004).

    Zou, C. C., Gao, L., Gong, W., and Towsley, D. Monitoring and early warning for internet worms. In ACM CCS (Oct. 2003).

    Wilander, J., and Kamkar, M. A comparison of publicly available tools for dynamic buffer overflow prevention. In NDSS (Feb. 2003).

    Newsome, J., and Song, D. Dynamic taint analysis: Automatic detection and generation of software exploit attacks. In NDSS (Feb. 2005).
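    As an added illustration of the taint-analysis idea described in this comment (example code written for this page, not from the thread or from any of the papers cited above): a toy machine tags every value derived from untrusted input, propagates the tag through arithmetic and memory loads, refuses to transfer control through a tainted address, and counts how many shadow (bookkeeping) operations it performs per real operation. The names `TVal`, `TaintMachine` and `run` and the stack frame contents are assumptions made up for the example.

```python
from dataclasses import dataclass


class TaintViolation(Exception):
    """Raised when tainted data would decide control flow."""


@dataclass(frozen=True)
class TVal:
    """A value plus a shadow bit: was it derived from untrusted input?"""
    v: int
    tainted: bool = False


class TaintMachine:
    """Toy register machine that propagates taint on every data operation."""

    def __init__(self) -> None:
        self.real_ops = 0      # work the program actually asked for
        self.shadow_ops = 0    # extra bookkeeping done by the taint tracker

    def add(self, a: TVal, b: TVal) -> TVal:
        self.real_ops += 1
        self.shadow_ops += 1   # taint union happens alongside the add
        return TVal(a.v + b.v, a.tainted or b.tainted)

    def load(self, mem: list, idx: TVal) -> TVal:
        self.real_ops += 1
        self.shadow_ops += 2   # check index taint, merge with cell taint
        cell = mem[idx.v]
        return TVal(cell.v, cell.tainted or idx.tainted)

    def jump(self, target: TVal) -> int:
        self.shadow_ops += 1   # policy check before the real transfer
        if target.tainted:
            raise TaintViolation(f"tainted jump target {target.v:#x}")
        self.real_ops += 1
        return target.v


def run(return_addr: TVal) -> tuple:
    """Simulate returning through a saved address in a constructed frame.

    Returns (outcome, new pc or None, shadow ops per real op)."""
    m = TaintMachine()
    stack = [TVal(0x41), TVal(0x42), return_addr]   # constructed frame
    sp = m.add(TVal(1), TVal(1))                     # sp = 2, trusted arithmetic
    target = m.load(stack, sp)
    try:
        pc = m.jump(target)
        return ("ok", pc, m.shadow_ops / m.real_ops)
    except TaintViolation:
        return ("blocked", None, m.shadow_ops / m.real_ops)
```

    A saved return address that came from untrusted input (`TVal(addr, True)`) is blocked at the jump, while a trusted one passes; the ratio shows the tracker doing more shadow work than real work even on this tiny program.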