Internet Immunization
xav_jones writes "Nature.com reports on computer experts from Israel who are proposing a different strategy for combating fast-spreading worms and viruses -- one in which the fix can, theoretically, keep up with or stay ahead of the malicious code. They 'propose a system in which a few honeypot computers lie in wait for viruses. These computers run automated software that first identifies the virus, and then sends out its signature across the Internet. This enables a sentinel program on all the other computers in the network to identify the virus and bar it before it can attack them.' The honeypot computers would reside in a secure, dedicated network. For 'roughly 200 million computers ... [with] just 800,000 [(0.004%)] of them acting as honeypots [it] would restrict a viral outbreak to 2,000 machines.'"
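The summary's mechanism (random-scanning worm, a small fraction of hosts acting as honeypots, a signature broadcast to every sentinel once a honeypot is hit) can be checked on a toy model. The following simulation is an added example, not code from the article or the researchers it reports on; it assumes a fixed scan rate per infected host, a one-tick broadcast delay for the signature, and that every non-honeypot host runs the sentinel. The honeypot fraction used below is the summary's 800,000 out of 200 million, i.e. 0.4%.

```python
import random


def simulate(n_hosts, honeypot_fraction, scans_per_tick=2, signature_delay=1,
             max_ticks=200, seed=1):
    """Toy outbreak: each infected host probes `scans_per_tick` random addresses per tick.
    Hitting a honeypot yields a signature; `signature_delay` ticks later every sentinel
    (assumed: all non-honeypot hosts) blocks the worm and the outbreak stops.
    Parameters are assumptions for illustration, not values from the paper."""
    rng = random.Random(seed)
    hosts = list(range(n_hosts))
    n_honey = int(n_hosts * honeypot_fraction)
    honeypots = set(rng.sample(hosts, n_honey)) if n_honey else set()
    infected = {rng.choice([h for h in hosts if h not in honeypots])}  # patient zero
    signature_tick = None

    for tick in range(max_ticks):
        if signature_tick is not None and tick >= signature_tick + signature_delay:
            break  # signature has reached the sentinels: no further infections
        newly = set()
        for _ in infected:
            for _ in range(scans_per_tick):
                target = rng.randrange(n_hosts)
                if target in honeypots:
                    if signature_tick is None:
                        signature_tick = tick  # honeypot observes the worm, extracts a signature
                elif target not in infected:
                    newly.add(target)
        infected |= newly
        if len(infected) == n_hosts - n_honey:
            break  # every vulnerable host is already compromised

    return {"infected": len(infected), "honeypots": n_honey, "signature_tick": signature_tick}


def compare(n_hosts=10000, honeypot_fraction=0.004, seed=1):
    """Same seed, with and without honeypots, so the two runs share the worm's behaviour."""
    return {
        "no_honeypots": simulate(n_hosts, 0.0, seed=seed),
        "with_honeypots": simulate(n_hosts, honeypot_fraction, seed=seed),
    }


if __name__ == "__main__":
    for label, result in compare().items():
        print(label, result)
```

The interesting knob is `signature_delay` against `scans_per_tick`: every tick of delay lets the worm grow by roughly its scan factor, which is the "signature must travel faster than the worm" condition in numerical form.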
All that to combat worms and viruses? If I am correct, most of the worms and viruses infect because of a vulnerability in the software. So what if these sentinels or "guardian angels" themselves have some flaws which these viruses exploit? How about spending some money on training developers to practise safe coding? How about educating average Joe to not click on Britney's image and let him know that she is not going to blow him? How about lobbying to pass laws to force software companies to pass a higher standard? Heck, even children's toys have certain standards that the companies have to adhere to.
Seems like rational ideas are just an illusion nowadays. Don Quixote suddenly seems more reasonable to me than this guy.
I always wondered if the future of human defense against viruses was similar. Use "honeypots" with human-like susceptibility (genetically modified pigs or something). Once their immune systems start figuring out what virus is attacking, take a part of the virus DNA and post the code for the world to see.
Individuals at home would have their DNA sequencers crank out a batch and they'd then inoculate themselves, prepping their immune system for the real virus.
This is all future stuff, of course. It could also be prone to problems, such as someone hacking into the system and posting a DNA sequence that does bad things to people. Shucks, the autism/vaccine scares already show people's fear of such things. Might make for a good story, though.
I maintain mail servers with some honeypot addresses. Incoming mail is not only used to train our own filters, but reported to other services like Razor. The whole thing about getting the signatures to travel faster than the worm is easy if you already know where you're sending the data (the worm either has to do scans or pick destinations at random).
Is the novelty
1. Using this technique for viruses?
2. Using a dedicated honeynet?
However, I'm willing to give these guys a fair shake. No matter what anyone has to say about their politics, the Israelis definitely know how to do high-tech.
From TFA:
I think the reason this is interesting (as an idea anyway) is that it would be automated. Nowadays the anti-virus guys check things out, create patches, and deliver patches... so there is a spread of the immunization. Under this scheme, the signature would be automatically sent out to all computers, so people would become immunized very quickly. The cure would spread as fast as the virus, since everything is automated. But there, as far as I'm concerned, is the problem. The article says:
The real trick is to make sure that the antiviral signature travels faster through the Internet than the virus itself,
I disagree. Sending signals to all participating computers real fast isn't such a big deal. After all, the virus has to poke around inside an infected computer, looking for data on "who to infect next." This immunization system will have a built-in table of how to efficiently route the cure. So it will be faster (or at least competitive with) the virus spreading speed. (I know, I know... virus-writers will exploit that very routing table...)
In my estimation, the real challenge is to automate the detection. The honeypot must somehow identify what is a virus and what is not (and do it quickly to be at all effective!). Sometimes this will be easy (the honeypot may have a store of thousands of files that it never touches, and if any one of them becomes modified, it must have been a virus trying to replicate itself, etc.)... other times, it may be darn difficult for a machine to tell it has become infected. After all, the whole point of a virus is that it does something unexpected (exploits a bug that was not known to exist). So determining that a virus is operating is hard.
I also see false positives being a major concern. If the honeypot starts issuing signatures for legitimate net traffic, then the system becomes worse than useless. Just my opinion. I'm no expert.
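The detection scheme sketched in the comment above (a honeypot holding files it never touches, any modification of which indicates a replicating virus) and the false-positive worry that follows it can both be made concrete. The code below is an added example, not code from the commenter, the article or the researchers; the canary files, the worm body and the "benign" change are constructed inline, and the thresholds `MIN_REPLICAS`, `MIN_PAYLOAD` and `PATTERN_LEN` are assumptions chosen for illustration.

```python
import hashlib
from collections import Counter

MIN_REPLICAS = 2   # assumption: the same payload must show up in >= 2 canaries before it becomes a signature
MIN_PAYLOAD = 16   # assumption: ignore tiny diffs (a flipped byte, a timestamp)
PATTERN_LEN = 32   # assumption: length of the byte pattern shipped to sentinels


def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def take_baseline(canaries: dict) -> dict:
    """Hash every canary file once. These files are never legitimately written to."""
    return {name: fingerprint(data) for name, data in canaries.items()}


def modified_files(baseline: dict, current: dict) -> list:
    return sorted(name for name, data in current.items() if fingerprint(data) != baseline.get(name))


def inserted_bytes(original: bytes, modified: bytes) -> bytes:
    """Strip the common prefix and common suffix; whatever is left of `modified` is the
    inserted region. Covers appending and prepending infectors; an overwriting infector
    would leave the overwritten span here as well."""
    limit = min(len(original), len(modified))
    p = 0
    while p < limit and original[p] == modified[p]:
        p += 1
    s = 0
    while s < limit - p and original[-1 - s] == modified[-1 - s]:
        s += 1
    return modified[p:len(modified) - s]


def derive_signatures(canaries: dict, current: dict) -> list:
    """Honeypot side: turn modified canaries into signatures, but only for a payload that
    replicated across several files. A single changed file is treated as noise, which is
    the guard against issuing signatures for legitimate changes."""
    baseline = take_baseline(canaries)
    payloads = Counter()
    for name in modified_files(baseline, current):
        payload = inserted_bytes(canaries[name], current[name])
        if len(payload) >= MIN_PAYLOAD:
            payloads[payload] += 1
    return [
        {"sha256": fingerprint(payload), "pattern": payload[:PATTERN_LEN], "seen_in": count}
        for payload, count in payloads.items()
        if count >= MIN_REPLICAS
    ]


def sentinel_check(content: bytes, signatures: list) -> bool:
    """Sentinel side (every other host): refuse content carrying a known pattern."""
    return any(sig["pattern"] in content for sig in signatures)


# Constructed sample data: four canary files and a made-up worm body (not real shellcode).
CANARIES = {
    "bin/report.exe": b"MZ\x90\x00" + b"report-body-" * 8,
    "bin/backup.exe": b"MZ\x90\x00" + b"backup-body-" * 8,
    "bin/viewer.exe": b"MZ\x90\x00" + b"viewer-body-" * 8,
    "var/app.log": b"2004-01-01 started\n",
}
WORM_BODY = b"\xe8\x00\x00\x00\x00\x5b\x81\xeb" + b"WORM-PAYLOAD-CONSTRUCTED-SAMPLE-" * 2


def constructed_outbreak() -> dict:
    """State of the canaries after the constructed worm appends itself to one file,
    prepends itself to another, and a stray job (benignly) touches a third."""
    current = dict(CANARIES)
    current["bin/report.exe"] = CANARIES["bin/report.exe"] + WORM_BODY   # appender
    current["bin/backup.exe"] = WORM_BODY + CANARIES["bin/backup.exe"]   # prepender
    current["var/app.log"] = CANARIES["var/app.log"] + b"2004-01-02 rotated\n"  # benign, one file only
    return current


if __name__ == "__main__":
    signatures = derive_signatures(CANARIES, constructed_outbreak())
    for sig in signatures:
        print(sig["sha256"], "seen in", sig["seen_in"], "canaries")
    print("incoming file blocked:", sentinel_check(b"MZ\x90\x00victim" + WORM_BODY, signatures))
```

The replication threshold is the practitioner's answer to the false-positive concern: an attacker who can modify exactly one canary does not get to mint a signature, and a benign change to a single file never blocks legitimate traffic. It does not help against an adversary who deliberately plants the same "payload" in several canaries to poison the signature feed, which is the attack the comment's "worse than useless" case points at.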
It just amazed me. This is nothing but a replication of the natural immune system... where the honeypots are the lymphatic ganglions, and the signatures are the antibodies.
I'd like to see how this results... whatever the outcome, it's an interesting experiment.
I didn't know that Nature was such a high end CS publication. At SOSP this year Vigilante (http://research.microsoft.com/~manuelc/MS/VigilanteSOSP.pdf) was presented--a much more complete paper in a more salient venue.
The citations list at the end of the Nature paper also is missing a large body of relevant work. Check the citations list of the Vigilante paper for details--50 references most of which are missing from the Nature pub. Also, the publications the Nature paper cites are mixed--some are good (like http://www.icsi.berkeley.edu/~nweaver/containment/ ), but I don't think the editors of "Physical Review Letters" (a physics journal) are really up to speed on the latest in computer security research. Indeed, most of the works they cite are either from physics journals, Nature, or Science.
The analysis is quite math heavy, and makes some unrealistic assumptions (i.e. worms only spread to their neighbors). In the end, they "show" that it is theoretically possible to stop worms with a side-channel network. Vigilante, on the other hand, has an implementation of a vaccination system, and simulation results run against Blaster, Slammer, and Code Red. Now, which is more convincing to you?