Internet Immunization
xav_jones writes "Nature.com reports on computer experts from Israel who are proposing a different strategy for combating fast-spreading worms and viruses -- one in which the fix can, theoretically, keep up with or stay ahead of the malicious code. They 'propose a system in which a few honeypot computers lie in wait for viruses. These computers run automated software that first identifies the virus, and then sends out its signature across the Internet. This enables a sentinel program on all the other computers in the network to identify the virus and bar it before it can attack them.' The honeypot computers would reside in a secure, dedicated network. For 'roughly 200 million computers ... [with] just 800,000 [(0.004%)] of them acting as honeypots [it] would restrict a viral outbreak to 2,000 machines.'"
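As an added illustration of the loop the summary describes (example code written for this page, not the researchers' system or anything from the article): a toy honeypot derives a content signature as the substring shared by several captured payloads, and a sentinel filters later traffic on it. The payloads, the stub name and the helper names are all constructed; the last case shows why the approach fails against a variant that changes the shared part.

```python
# Added example (not code from the Nature paper or the article): a toy version
# of the honeypot -> signature -> sentinel loop. The honeypot derives a content
# signature as the longest common substring of payloads captured from several
# infection attempts (the Honeycomb approach); sentinels then filter on it.
# All payloads below are constructed sample data, not real worm traffic.
from difflib import SequenceMatcher

MIN_SIG_LEN = 12  # a shorter invariant would also match benign traffic


def longest_common_substring(a: bytes, b: bytes) -> bytes:
    m = SequenceMatcher(None, a, b, autojunk=False)
    match = m.find_longest_match(0, len(a), 0, len(b))
    return a[match.a:match.a + match.size]


def derive_signature(samples):
    """Honeypot side: the invariant shared by every captured sample, or None."""
    sig = samples[0]
    for s in samples[1:]:
        sig = longest_common_substring(sig, s)
        if len(sig) < MIN_SIG_LEN:
            return None  # captures share no usable invariant
    return sig


def sentinel_blocks(signature: bytes, payload: bytes) -> bool:
    """Sentinel side: drop any payload containing the distributed signature."""
    return signature in payload


# Constructed captures: same exploit stub, varying target and padding.
STUB = b"DECODER-STUB:0x1f3d:PAYLOAD"
CAPTURES = [
    b"TO 10.0.0.7 PAD aaaa " + STUB + b" KEY 1a2b",
    b"TO 10.0.9.3 PAD bbbbbbb " + STUB + b" KEY 9f0c",
    b"TO 192.168.1.2 PAD c " + STUB + b" KEY 77e1",
]
# Traffic seen later at a sentinel: the same worm, a benign message, and a
# variant that changed the stub (the mutation objection raised in the thread).
LATER = {
    "same_worm": b"TO 10.1.1.1 PAD zz " + STUB + b" KEY ffff",
    "benign":    b"TO 10.1.1.1 PAD hello KEY 0000",
    "mutated":   b"TO 10.1.1.1 PAD zz DECODER-STUB:0x7a02:PAYLOAD KEY ffff",
}


def run_demo():
    """Return (signature, {name: blocked?}) for the constructed traffic."""
    sig = derive_signature(CAPTURES)
    if sig is None:
        return None, {}
    return sig, {name: sentinel_blocks(sig, p) for name, p in LATER.items()}
```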
All that to combat worms and viruses? If I am correct, most of the worms and viruses infect because of a vulnerability in the software. So what if these sentinels or "guardian angels" themselves have some flaws which these viruses exploit? How about spending some money on training developers to practise safe coding? How about educating average Joe to not click on Britney's image and let him know that she is not going to blow him? How about lobbying to pass laws to force software companies to pass a higher standard? Heck, even children's toys have certain standards that the companies have to adhere to.
Seems like rational ideas are just an illusion nowadays. Don Quixote suddenly seems more reasonable to me than this guy.
Except that no system is perfectly secure.
And once someone finds a hole in this magic system, it will become the most effective means of distributing viruses ever invented.
"The honeypot computers would reside in a secure, dedicated network." Wouldn't that make it just a little difficult for the honeypots to contract a virus? Or is this some new definition of the word "secure" that I'm not familiar with?
I've abandoned my search for truth; now I'm just looking for some useful delusions.
...for the ~1 million honey-pots, their connectivity, and their management?
Be who you are and say what you feel, because those who mind don't matter and those who matter don't mind. - Dr. Seuss
Great... until of course:
1) Worm writers figure out a way to avoid them or
2) Someone decides to use the "honeypots" to attack the network itself by flooding it with slightly different worms, making the signal to noise ratio patently obscene.
So now, instead of getting spam for viagra, I get spam for v1agra, vi4gra, vyagra, viegra, etc.
Virus writers will just add mutational code to their virus, so each instance of infection will have a unique signature.
...or is this not so different from the way anti-virus packages distribute updated signature lists? The TFA uses a lot of biological metaphors, but if you s/honeypot/anti-virus research lab/ this is pretty much the same thing everybody does already. The bit about creating faster-than-virus "wormholes" is mentioned kind of as an afterthought, when, really, it's the most important (and problematic) aspect of the whole plan.
I always wondered if the future of human defense against viruses was similar. Use "honeypots" with human-like susceptibility (genetically modified pigs or something). Once their immune systems start figuring out what virus is attacking, take a part of the virus DNA and post the code for the world to see.
Individuals at home would have their DNA sequencers crank out a batch and they'd then inoculate themselves, prepping their immune system for the real virus.
This is all future stuff, of course. It could also be prone to problems, such as someone hacking into the system and posting a DNA sequence that does bad things to people. Shucks, the autism/vaccine scares already show people's fear of such things. Might make for a good story, though.
I maintain mail servers with some honeypot addresses. Incoming mail is not only used to train our own filters, but reported to other services like Razor. The whole thing about getting the signatures to travel faster than the worm is easy if you already know where you're sending the data (the worm either has to do scans or pick destinations at random).
Is the novelty
1. Using this technique for viruses?
2. Using a dedicated honeynet?
I make it 0.4% ...
OK, I think I figured it out!
If I find out a way to infect the signal the honeypots are sending out, then I can infect even more people, because the people relying on the honeypot machines won't be running anti-virus programs themselves.
Hmm, that would be fun!
...it would be like if the internet had peanut allergies and malicious code kissed it after eating Reeses Cups.
However, I'm willing to give these guys a fair shake. No matter what anyone has to say about their politics, the Israelis definitely know how to do high-tech.
From TFA:
I like the magic part where this incredibly advanced piece of software figures out that the machine has been infected. It's so smart, in fact, it can figure out what viral signature can uniquely identify it.
Ya know, if ya had some code that could reliably identify virii without signatures, wouldn't we all be running *that* on all our desktops?
- The Kessel run is for nerf herders. I can circumnavigate the entire Central Finite Curve in a lot less than 12 parse
You want to create a network of machines that are vulnerable to viruses/worms/other baddies, provide a full index of these computers and their addresses on a huge number of central servers, and then you want to deliberately expose those central servers to malicious code?
Is that what I'm reading? If that's so, then count me out. I can't take care of my own, thankyouverymuch.
if(!toilet_paper) roll.replace(new roll);
...we could just not use operating systems which have abysmal security. You know, the one that attracts malware in the same way a magnet attracts iron ore. Yeah, you're right, that's crazy talk.
Working in a DevOps shop is like playing in a band made up entirely of keytarists.
Symantec, at least, already has a network like this in place and it has been in place for several years. I believe other companies do as well.
Why do they need dedicated honeypots? Why not just include software in SMTP servers that lets them notify each other when they identify a virus locally? An SMTP operator could subscribe to several dozen peers, in a network of trust. When their own threshold of peers reporting the same virus is reached, they've got a hit.
Maybe this is a good application for the Usenet tech, to flood the trust networks with info rapidly, reliably, and without a centralized authority that itself can be attacked or otherwise compromised. Most of this tech already exists. We don't need 800K new servers that do nothing else, when we've got even more that also serve mail. Maybe the researchers are setting up a spinoff security network. But their research actually points to a better system than relying on them for more than the starting point.
--
make install -not war
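One way to implement the peer-notification scheme proposed above, as an added example (not the researchers' code or any real product): each operator keeps a set of trusted peers, a signature becomes a hit only when enough distinct trusted peers report it, and a per-peer budget per reporting window keeps a single compromised or flooded peer from burying the feed in noise. The class, its parameters and the peer names are all constructed for this illustration.

```python
# Added example, not from any real mail server or the research described:
# a threshold-of-trusted-peers aggregator for locally identified virus
# signatures. Reports from peers outside the web of trust are ignored, a
# signature becomes a hit once `threshold` distinct trusted peers report it,
# and each peer may add at most `per_peer_cap` new signatures per window so a
# flood of slightly different variants cannot crowd out real reports.
from collections import defaultdict


class PeerFeed:
    def __init__(self, trusted_peers, threshold=3, per_peer_cap=100):
        self.trusted = set(trusted_peers)
        self.threshold = threshold
        self.cap = per_peer_cap
        self.reporters = defaultdict(set)  # signature -> trusted peers reporting it
        self.per_peer = defaultdict(set)   # peer -> signatures it sent this window
        self.hits = set()

    def report(self, peer, signature):
        """Accept one report; return True only if it turned signature into a hit."""
        if peer not in self.trusted:
            return False  # outside our web of trust: ignore
        if signature not in self.per_peer[peer]:
            if len(self.per_peer[peer]) >= self.cap:
                return False  # peer is flooding: drop the surplus
            self.per_peer[peer].add(signature)
        self.reporters[signature].add(peer)
        if signature in self.hits or len(self.reporters[signature]) < self.threshold:
            return False
        self.hits.add(signature)
        return True

    def new_window(self):
        """Reset every peer's budget at the start of a reporting window."""
        self.per_peer.clear()

    def is_hit(self, signature):
        return signature in self.hits
```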
There are already appliance makers that do this very thing: identify malware and viruses, and signal the others, usually in the guise of spam control appliances.
Webs of early notifiers are also not a new idea; look at the honeypot networks that are on the web, the honeypot project, and so on.
The containment cited is theoretical, subject to the ability to correctly identify behavior, and doesn't prevent users from clicking on URLs that have malware, or filter signatures that have fast breakout behavior.
And so, the merit of the Nature article is in question. It's just a PR release in disguise.
---- Teach Peace. It's Cheaper Than War.
take two OSS tablets (not applicable in France) and call me in the morning
A feeling of having made the same mistake before: Deja Foobar
This is a fine idea, and one that could be done at little cost save for the 'global honeypot network' part. Why not use info from an existing distributed log source like Dshield?
It just amazed me. This is nothing but a replication of the natural immune system... where the honeypots are the lymphatic ganglions, and the signatures are the antibodies.
I'd like to see how this results... whatever the outcome, it's an interesting experiment.
I didn't know that Nature was such a high end CS publication. At SOSP this year Vigilante (http://research.microsoft.com/~manuelc/MS/VigilanteSOSP.pdf) was presented--a much more complete paper in a more salient venue.
The citations list at the end of the Nature paper also is missing a large body of relevant work. Check the citations list of the Vigilante paper for details--50 references most of which are missing from the Nature pub. Also, the publications the Nature paper cites are mixed--some are good (like http://www.icsi.berkeley.edu/~nweaver/containment/), but I don't think the editors of "Physical Review Letters" (a physics journal) are really up to speed on the latest in computer security research. Indeed, most of the works they cite are either from physics journals, Nature, or Science.
The analysis is quite math heavy, and makes some unrealistic assumptions (i.e. worms only spread to their neighbors). In the end, they "show" that it is theoretically possible to stop worms with a side-channel network. Vigilante, on the other hand, has an implementation of a vaccination system, and simulation results run against Blaster, Slammer, and Code Red. Now, which is more convincing to you?
The article in the story doesn't seem to mention existing work in the same area. This approach has already been proposed, evaluated and peer-reviewed in the top networking conference (SIGCOMM'04) [1] and the top Operating Systems conference (SOSP'05) [2]. The existing approach was proposed by Microsoft Research and is called Vigilante.
They find that it is possible to quickly detect worms automatically, construct automatic filters for just the worm and not benign traffic, and distribute them quickly to vulnerable hosts in a secure, non-forgeable way.
[1] http://portal.acm.org/citation.cfm?id=1095809.1095824
[2] http://research.microsoft.com/research/pubs/view.aspx?type=Publication&id=1483
I guess the honeypots wouldn't catch them. It's just a guess, though.
After attending a talk given by Niels Provos, creator of Honeyd, he showed this exact thing 3 months ago. He set up multiple honeyd nets all showing the same possible exploit holes to try and capture spyware and virii and then issue patches if these holes were found on the rest of the system, and showed that with the right amount of machines it can be done effectively. These guys seem to just be copying his research verbatim.
There are a lot of techniques to do automatic identification of viruses, the problem is that they are too expensive for everyday use--your programs run 40x slower or worse. Below is a selection (small and randomly generated) of related work.
Mostly, you need to do extensive monitoring of what your program is doing, and look for out-of-bound writes (e.g. buffer overflows/stack smashing), or do taint analysis (that is, don't execute or make "important" decisions based on data "tainted" from an untrusted source). But this requires performing many analysis operations for every "real" operation, so it isn't feasible to do everywhere.
Just google the titles for electronic copies.
Kreibich, C., and Crowcroft, J. Honeycomb - creating intrusion detection signatures using honeypots. In HotNets (Nov. 2003).
Kim, H., and Karp, B. Autograph: Toward automated, distributed worm signature detection. In USENIX Security Symposium (Aug. 2004).
Zou, C. C., Gao, L., Gong, W., and Towsley, D. Monitoring and early warning for internet worms. In ACM CCS (Oct. 2003).
Wilander, J., and Kamkar, M. A comparison of publicly available tools for dynamic buffer overflow prevention. In NDSS (Feb. 2003).
Newsome, J., and Song, D. Dynamic taint analysis: Automatic detection and generation of software exploit attacks. In NDSS (Feb. 2005).
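A toy illustration of the taint-analysis policy the comment describes, added here as an example and not taken from any of the papers listed: values from an untrusted source are wrapped, the taint follows them through a few string operations, and a security-sensitive sink refuses tainted input unless it has passed an allow-list check. The class and function names are constructed; real tools track taint per instruction or per byte, which is where the slowdown the comment mentions comes from.

```python
# Added example (not from Newsome & Song or any tool above): a toy dynamic
# taint tracker. It models the policy (never act on untrusted data at a
# sensitive sink), not the instruction-level machinery real tools use.


class Tainted(str):
    """A str that remembers it came from an untrusted source."""

    def __new__(cls, value, source="unknown"):
        obj = super().__new__(cls, value)
        obj.source = source
        return obj

    # Taint propagates through the operations we model: concatenation
    # (either side) and slicing. Other str methods would need the same.
    def __add__(self, other):
        return Tainted(str.__add__(self, other), self.source)

    def __radd__(self, other):
        return Tainted(str.__add__(other, self), self.source)

    def __getitem__(self, key):
        return Tainted(str.__getitem__(self, key), self.source)


class TaintViolation(Exception):
    pass


def is_tainted(value):
    return isinstance(value, Tainted)


def sanitize(value, allowed):
    """Validation is the only way taint is removed: an allow-list check."""
    if str(value) not in allowed:
        raise TaintViolation(f"value {value!r} is not on the allow-list")
    return str(value)  # plain str: taint dropped after validation


def sink_run_command(cmd):
    """Security-sensitive sink: refuses anything still carrying taint."""
    if is_tainted(cmd):
        raise TaintViolation(f"refusing to act on data from {cmd.source}")
    return f"would run: {cmd}"  # stands in for the real privileged action
```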
With an automatic response like that, I wonder if virus writers would learn to craft a virus that caused the sentinel program to generate a signature that removed/damaged important files (or otherwise wreaked havoc) on the computers they were supposed to protect. Cause an autoimmune response, if you will.
Only if you don't know the difference between a percent and a ratio.
It seems to me that it would be possible for a virus writer to:
1) Identify one of the honeypot machines - there's probably a couple of ways to do that...
2) Target this honeypot machine by sending it an endless array of viruses with different signatures, thereby keeping all the systems using it for security darn busy updating their definitions -- DoS...
3) ...
4) Profit!