A Cheap, Distributed Zero-Day Defense?
coondoggie writes "Shutting down zero-day computer attacks could be carried out inexpensively by peer-to-peer software that shares information about anomalous behavior, say researchers at the University of California at Davis. The software would interact with existing personal firewalls and intrusion detection systems to gather data about anomalous behavior, says Senthil Cheetancheri, the lead researcher on the project he undertook as a grad student at UC Davis from 2004 to 2007. He now works for SonicWall."
If you could break into that process, you could rule the world.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
Six Inches of Air?
Zhrodague.net - I do projects and stuff too.
On the face of it, it sounds like he's proposing a "trusted" infection vector. A way to distributed code intended to patch holes to systems that want it. The obvious problem with such a system is the consequences of it being compromised. Then it becomes a way to distribute malicious code much more effectively than the way bot-nets infect new hosts now.
When information is power, privacy is freedom.
What is the zero-day defense protocol for the zero-day defense software?
"I'm not pirating movies... I'm protecting the network!"
There's no -1 for "I don't get it."
I have to giggle whenever someone thinks they need some sort of Verizon High Speed Internet CD to use the internet.
It's almost as funny as the people who use AOL because it is the "internet" even though they are just hooked into a router and cable modem like everyone else. - this used to be acceptable when people used AOL's dialup service (or shudder- continue to use it)
How about "disconnect it from the network."? That's the cheapest one I can think of.
"It depends on the number of events and the number of computers polled, but if there is a sufficient number of such samples, you can say with some degree of certainty that it is a worm," Cheetancheri says. For that decision, the software uses a well-established statistical technique called sequential hypothesis testing, he says"
I'm also skeptical that you could rely on a vast network of machines that have presumably fallen prey to an attack to share information between each other fast enough to correctly diagnose an attack with the kind of results the researcher seems hopeful of.
Given that no method for correctly identifying "malicious" code 100% of the time currently exists, I don't think it's wise to allow a software program to run with the decision of shutting a machine down on notice of a perceived threat.
The concept seems like an interesting idea, but I doubt It could be terribly effective in practice.
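The sequential hypothesis test the quoted sentence refers to, shown as an added illustration rather than code from the UC Davis project: each polled peer either confirms the anomaly or not, and Wald's SPRT stops as soon as the accumulated evidence crosses one of two boundaries. The report probabilities and error rates are assumed values, not figures from the article.

```python
import math

# Assumed model parameters (constructed, not from the article): probability
# that a polled peer reports the same anomaly when a worm really is spreading
# (THETA_WORM) versus when the first alert was only local noise (THETA_BENIGN).
THETA_WORM = 0.8
THETA_BENIGN = 0.2
ALPHA = 0.01   # tolerated false-positive rate (saying "worm" when benign)
BETA = 0.01    # tolerated false-negative rate (saying "benign" when worm)


def sprt_thresholds(alpha=ALPHA, beta=BETA):
    """Wald's approximate decision boundaries on the log-likelihood ratio."""
    upper = math.log((1 - beta) / alpha)   # crossing it accepts H1: worm
    lower = math.log(beta / (1 - alpha))   # crossing it accepts H0: benign
    return lower, upper


def sprt_worm_decision(peer_reports, theta1=THETA_WORM, theta0=THETA_BENIGN):
    """Process peer reports (1 = peer saw the anomaly, 0 = it did not) one at
    a time and return (verdict, samples_used). The test stops early, which is
    what makes it cheap: a clear worm needs only a handful of polls.
    Caveat a defender must keep in mind: the test assumes the reports are
    honest and independent; a compromised peer can feed it either answer."""
    lower, upper = sprt_thresholds()
    llr = 0.0
    for n, saw_anomaly in enumerate(peer_reports, start=1):
        if saw_anomaly:
            llr += math.log(theta1 / theta0)
        else:
            llr += math.log((1 - theta1) / (1 - theta0))
        if llr >= upper:
            return "worm", n
        if llr <= lower:
            return "benign", n
    return "undecided", len(peer_reports)


if __name__ == "__main__":
    # Constructed poll results: a spreading worm, quiet peers, and a noisy mix.
    for sample in ([1, 1, 1, 1], [0, 0, 0, 0], [1, 0, 1, 1, 0, 1, 1, 1]):
        print(sample, "->", sprt_worm_decision(sample))
```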
The malware is so sophisticated nowadays that it evades detection by local monitors. Somehow getting more data from remote computers will help you detect the malware? Come on, Senthil, it is not going to work.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Detecting anomalies requires a baseline of what "normal" is. That means surrendering information about the type and nature of traffic being received by your computer (and possibly sent as well). It's a privacy problem that not many people will commit to. And businesses will be even more reluctant to surrender such information. That said, an aggregate of several hundred thousand firewall logs would be an asset to many organizations and individuals. For this reason, it will never be free... The moment someone realizes there is a monetary value in what they're doing, they will attempt to capitalize on it. So, effectually, what this project is asking you to do is give them your private, personal data, so they can turn a buck under the pretense of fighting those big bad evil hackers. Isn't the market already pretty crowded with the fear-mongers, anti-virus, anti-malware, anti-anti-anti businesses?
Also, this is not a defensive product. A defense requires the ability to resist or avoid an attack. Nothing about this scheme suggests it would provide that to the end-user. It is more of a "zero day surveillance" system than anything. It's a digital cow bell. Moo, ding ding, moo. The only problem is the cow moves at the speed of light and can replicate a few thousand times a second (conservatively). Don't ask about the milk. x_x
#fuckbeta #iamslashdot #dicemustdie
Your typical problems with security programs are
1) Blocking behavior which should be permitted and
2) Not blocking behavior which should be forbidden.
This adds the potential for
3) Enabling behavior which should be forbidden.
Is there one of those snarky standard forms for this?
I'm pretty sure we can modify some existing patents to apply to distributed firewalls.
US Patent Application 20080250497: Statistical method and system for network anomaly detection
"Whatever concept a person can think of, there will be a patent either active, being applied, or being prepared to include new concept." -- Troll
---
There's also some other related studies.
Modular Strategies for Internetwork Monitoring, which "addresses the longstanding and difficult problem of detecting and classifying spatially distributed network anomalies from multiple monitoring sites on the Internet".
Just wait till that distributed firewall "decide" (bug, intrusion, feeding patterns, whatever) to block the port 80.
Both Ninnle Linux and NinnleBSD are far too secure.
While I don't agree with the way this was put, I do agree that if this lady wasn't smart enough to do the research and double check her order before pushing "check out" then it's not really Ubuntu's fault she bought something that does not meet her requirements.
Yeah, I've got nothing...
But it's very possible that the person is using a USB HSDPA adapter which may need proprietary windows-only software to connect to the network.
Though I'm sure the troll was just trying to be funny in saying that the computer needed a verizon CD and MS Word(uh, OO.o anybody?) to do schoolwork.
The summary is misleading in that this isn't proposed as a defense. This is an early-warning system for detecting compromised machines on a network.
This isn't going to run on every computer in the world. Think of a corporate network with thousands of machines with fairly homogeneous usage. This could alert the sysadmin to a worm infection when the number of machines is numbered in the tens.
And since all it's doing is monitoring it shouldn't present a security risk (if well designed) greater than any P2P client.
It breaks my pluginses, my precious!
It's called dshield: http://isc.sans.org/howto.html
Charles Wyble System Engineer
install linux...
sig goes here!
User education.
Question everything
I recently interviewed security researcher Michael Collins for Beautiful Teams (a book I'm finishing for O'Reilly) about work he'd done at CERT working on SiLK, a collection of traffic analysis tools. From talking to him, it sounds like this is an enormously difficult problem to solve. His work involved modeling "normalcy" as a baseline to detect anomalies using an enormous amount of data spit out of edge routers. When I asked, "So your goal was to look at the data from routers, and just by looking at the gigabytes of daily data from router logs you can detect successful and unsuccessful attempts at intrusion?", he said, "That's the Holy Grail." (We'll be printing the whole interview, if you're curious to see it.) TFA was light on details -- if they managed to make some headway towards solving this problem, that would be amazing. But from what we talked about, it sounds like simply finding anomalies after the fact using a huge amount of data turns out to be enormously difficult. Doing it in real time seems ... well, let's just say that I'm skeptical.
Building Better Software
So where is the paper/thesis/documentation of any type whatsoever that describes their p2p solution?
Collaborative p2p worm containment has been around forever; what does Senthil Cheetancheri's proposal have to offer over previous work?
A small subset of prior work that does exactly what the clueless article says they do:
http://gridsec.usc.edu/wormshield/
http://research.microsoft.com/apps/pubs/default.aspx?id=66830
PS: I doubt Senthil's research reinvents the wheel but I would appreciate an actual link to his work from the /. story.
*Puts on tinfoil hat*
Who watches the watchers?
Any system like this would be a premium cracker target. All it would take is one false positive or false negative before no one would trust it again.
Six months later, some other researcher would make a new proposal for a p2p system to guard the broken p2p system.
Infuriate left and right
Minor pedantry - parent's post is more "Offtopic" than "Troll". Just like how this post should be modded Offtopic.
Ken's OPERATOR Law
In any given population, in an effort to coordinate, there will be a given number of contrarians that, for no purpose other than avoiding conforming to the norm, will intentionally provide and contribute false information to the collective. This can be exhibited in the children's game 'operator', starting with a message and retelling it down the line. While in small populations the deviation from the original message is minor, the larger the population, the larger the deviation tends to get. But when comparing a wide variety of game sessions one can readily see that there will always be some little shit that screws the message up intentionally.
In a social network it is apparent that an incredibly small number of people can populate false information quickly to a population. In this, peer review moves SLOWER than misinformation, as the network of trust must oust the false information.
IN ENGLISH: YOU CAN MAKE SHIT UP FASTER THAN YOU CAN DISPROVE BULLSHIT.
5 hackers could easily poison a P2P defense with false-positives and use that very same P2P defense to automatically modify attacks to avoid detection QUICKER than peers can review it and flag it as bullshit.
-=[ Who Is John Galt? ]=-
There is no defense against "zero day". The script kiddie misappropriation of warez d00d slang is now so embedded in the nomenclature that even legitimate security researchers are using it.
...this is a great way to cause the opposite effect of a technological singularity.
I have a bad feeling about this...
Knowing SonicWall, this will be a feature in next years product line - except it will only "work" between other SonicWall products. It won't actually do anything, but they'll claim that it does - yet they won't provide any technical details (let alone source code) on the inner workings.
Just disrupt the deflector shield with a tachyon burst.
Though I'm sure the troll was just trying to be funny in saying that the computer needed a verizon CD and MS Word(uh, OO.o anybody?) to do schoolwork.
Sadly, that's a real news story. It's funny, but all too true. I'm from Wisconsin, and I died a little inside when I read this story on another site.
... and that's when the C.H.U.D.'s came at me.
So if this is patently obvious, what have UC Davis (a good institution) got here?
Something incredibly clever, or a Prof that ran with a dumb idea?
And I cry any time a school says it requires a piece of software that can only run on one OS.
Then again, at my school the standard response would've been "there are plenty of cluster computers available all over campus, if yours won't run the necessary software."
Convert FLACs to a portable format with FlacSquisher
There are a number of products that already do this. ACTNet, which is part of ActiveScout, does something very similar to this. And it's patented.
Attack information is uploaded to a central server from individual appliances. Appliances then check the central server for a list of "known attackers" and automatically block them if they attempt to access the protected network. The concept is similar to Realtime Blackhole lists for spammers.
You know, this sounds somewhat similar to the plan already devised that would fall foul of the law to remedy the Storm.
Two of my imaginary friends reproduced once
One part of this is just the "it was in yesterday's activity log" test. If you have data from a period leading up to a problem, set-subtract the previous activity from the activity on the day of the crash to get just the new, unexpected activity. That's the material you should be looking at.
For syslog, this can be implemented with an awk script: there's an example in "Sherlock Holmes on Log Files", at http://datacenterworks.com/stories/antilog.html
--dave
davecb@spamcop.net
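The "it was in yesterday's activity log" set-subtraction described above, written out as an added Python example (it is not the awk script from the linked article). The normalisation rule (drop timestamp, host and PID, fold every number into N) and both days' syslog lines are constructed for the illustration; tune the rule to your own log formats.

```python
import re

# Constructed sample logs: a quiet baseline day and the day of the incident.
BASELINE_LOG = """\
Jan 12 03:15:01 host1 CRON[1201]: (root) CMD (run-parts /etc/cron.hourly)
Jan 12 08:02:33 host1 sshd[2210]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Jan 12 09:30:10 host1 kernel: eth0: link up, 1000Mbps, full-duplex
Jan 12 17:45:12 host1 sshd[3301]: Accepted publickey for bob from 10.0.0.7 port 40010 ssh2
"""
INCIDENT_LOG = """\
Jan 13 03:15:01 host1 CRON[1409]: (root) CMD (run-parts /etc/cron.hourly)
Jan 13 08:11:02 host1 sshd[2555]: Accepted publickey for alice from 10.0.0.5 port 50102 ssh2
Jan 13 11:20:44 host1 sshd[2890]: Failed password for invalid user admin from 203.0.113.9 port 33012 ssh2
Jan 13 11:20:46 host1 sshd[2891]: Failed password for invalid user admin from 203.0.113.9 port 33013 ssh2
Jan 13 11:21:05 host1 sshd[2893]: Accepted password for admin from 203.0.113.9 port 33020 ssh2
Jan 13 11:22:10 host1 sudo:    admin : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/bin/cat /etc/shadow
"""

# BSD-style syslog prefix: "Mon DD HH:MM:SS hostname " followed by the message.
SYSLOG_PREFIX = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ ")
PID_SUFFIX = re.compile(r"\[\d+\]")


def signature(line):
    """Reduce a syslog line to its 'shape' so that lines differing only in
    timestamp, PID, port, counter or address compare equal."""
    body = SYSLOG_PREFIX.sub("", line)
    body = PID_SUFFIX.sub("", body)
    return re.sub(r"\d+", "N", body).strip()


def antilog(baseline_text, incident_text):
    """Set-subtract the baseline day's shapes from the incident day and return
    only the incident lines whose shape was never seen before: the 'new,
    unexpected activity' worth an analyst's attention."""
    seen = {signature(l) for l in baseline_text.splitlines() if l.strip()}
    return [l for l in incident_text.splitlines()
            if l.strip() and signature(l) not in seen]


if __name__ == "__main__":
    for line in antilog(BASELINE_LOG, INCIDENT_LOG):
        print(line)
```

On the constructed input the routine discards the routine cron and alice logins and keeps only the four lines of the admin password-guessing and privilege use.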
We all know that malware criminals and fraudsters are sociopaths.
A risk of a peer-to-peer zero day malware shield (besides being cracked and exploited by criminals), is that it could turn out to be a success. As we saw with BlueFrog, a lot of criminals are completely morally bankrupt, and will do absolutely anything to preserve their illegal business models.
BlueFrog was doomed because it was too effective and destroyed spammers' business models. So the criminals waged a massive campaign of harassment and intimidation on BlueFrog's entirely-innocent users until BlueFrog were forced to accede to the crims' demands.
Malware criminals cannot be defeated by technical means alone. It would be nice if the police started doing their jobs -- because the one thing these sort of scum fear is getting caught and subsequently made somebody's bitch in prison.
Nothing to see here. This is already done @ Symantec with Deepsight, and with TrustedSource @ Securecomputing/McAfee and SANS with Dshield.
Look for Symantec and McAfee to integrate this deeper into their products soon.
I wrote something almost identical years ago, but since I'm not part of the security community it never really took off. Blacklists were The Thing at the time still...
http://search.cpan.org/~adamk/ThreatNet-DATN2004-0.20/lib/ThreatNet/DATN2004.pm
The test bots are still running in Freenode #threatnet
BlackICE / Network ICE anyone?
The idea sounds great having a distributed sensor network that can dynamically react to threats and proactively block the attacker before he makes it to your system.
1) What happens when the DoS attack is launched with spoofed IP addresses that match critical internal systems? (perhaps the IP address of your name servers or domain controllers????)
2) Most talented exploits aren't done through brute force scanning / attacking of large IP address ranges since most security devices (Firewalls, IPS, etc) detect and block this type of activity already.
This type of approach has been used by some $$$ anti-spam products with pretty good results though.
Except, as demonstrated by the last few sentences, it's all easily worked around with minimal effort on the part of others (verizon and the college) if they are just a little bit aware.
Why waste your money on six inches of air when a half inch will do just fine?
fencepost
just a little off
Why not create a tool, possibly based off of process monitor from Sysinternals, that monitors all recent activity: network, file and registry access. Then integrate a decision option so that sysadmins (or tech support) can quantify a window of infection. All data is uploaded to a database that calculates common denominators.
This is like "FW Snort", except it is deployed to communicate with peers worldwide, where FW Snort only works on the LAN. It is similar, though; maybe it would be a good place to start with this idea.
This site has been blocked and the attempted access has been logged by the SonicWALL Content Filtering Service.
http://www.networkworld.com/news/2009/011309-zero-day-worm.html?hpg1=bn
Reason for restriction: Forbidden Category "Adult Entertainment"
Way to go, Cheetancheri.
Proteus' Child
Wherever you are, people are connected.
How can this system protect against bad-mouthing? For example, a botnet can be used to distribute negative comments and evaluations about some trusted security web site or the like. With the current size of botnets, often more than tens of thousands of bots, it looks easy to launch a DoS attack on any web site out there. In an enterprise network the attacker can play its way to exclude all patch-managing or admin systems from accessing the clients in the network and virtually forbid them from managing the network!
What happens if N *compromised* computers start to send controversial information to the ones that represent real threats? Wouldn't it overcome/defeat the benefit this tool was intended to provide? Maybe too many false-positives?