Slashdot Mirror


A Cheap, Distributed Zero-Day Defense?

coondoggie writes "Shutting down zero-day computer attacks could be carried out inexpensively by peer-to-peer software that shares information about anomalous behavior, say researchers at the University of California at Davis. The software would interact with existing personal firewalls and intrusion detection systems to gather data about anomalous behavior, says Senthil Cheetancheri, the lead researcher on the project he undertook as a grad student at UC Davis from 2004 to 2007. He now works for SonicWall."

20 of 116 comments

  1. Wow... by roc97007 · · Score: 4, Insightful

    If you could break into that process, you could rule the world.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
    1. Re:Wow... by orclevegam · · Score: 2, Interesting

      Don't even need to break into it, just fool it. If you could convince it that some normal everyday activity (say going to google more than twice in an hour) is really a sign of a 0-day attack in progress and get it to lock down network IO, you've just gotten a ready made DDoS. Simply get the system to propagate your false positive to all the nodes (which it would need to do quickly, quietly, and efficiently in order to combat 0-Day threats) and then wait for it to go off. Instant DDoS and you barely even needed to do anything. Best part is if you can make it look like you weren't trying to trick it, then even if the attack eventually gets traced back to you, you can claim you're innocent and the software just flaked on you.

      --
      Curiosity was framed, Ignorance killed the cat.
  2. Cheap Defense? by drewzhrodague · · Score: 4, Insightful

    Six Inches of Air?

    --
    Zhrodague.net - I do projects and stuff too.
  3. Not so fast... by Jah-Wren Ryel · · Score: 5, Insightful

    On the face of it, it sounds like he's proposing a "trusted" infection vector. A way to distribute code intended to patch holes to systems that want it. The obvious problem with such a system is the consequences of it being compromised. Then it becomes a way to distribute malicious code much more effectively than the way bot-nets infect new hosts now.

    --
    When information is power, privacy is freedom.
    1. Re:Not so fast... by girlintraining · · Score: 5, Insightful

      On the face of it, it sounds like he's proposing a "trusted" infection vector. A way to distribute code intended to patch holes to systems that want it. The obvious problem with such a system is the consequences of it being compromised. Then it becomes a way to distribute malicious code much more effectively than the way bot-nets infect new hosts now.

      You forget that the system is also leaking information about the traffic it is sending/receiving at the same time, and possibly internal state information (such as what applications are loaded, plugins, etc). That data in and of itself is valuable to an attacker, nevermind whether the vector can be protected or not... It opens up the possibility of discovering new vectors in ways maybe not possible remotely.

      --
      #fuckbeta #iamslashdot #dicemustdie
    2. Re:Not so fast... by morgan_greywolf · · Score: 2, Funny

      You make it sound suspiciously like "Windows Update," which doesn't have these problems...oh wait....nevermind.

  4. Sooo... by gblackwo · · Score: 4, Insightful

    What is the zero-day defense protocol for the zero-day defense software?

  5. What to tell your boss by MrEricSir · · Score: 4, Funny

    "I'm not pirating movies... I'm protecting the network!"

    --
    There's no -1 for "I don't get it."
  6. Re:Linux Causes Woman to Drop Out of College by gblackwo · · Score: 2, Insightful

    I have to giggle whenever someone thinks they need some sort of Verizon High Speed Internet CD to use the internet.

    It's almost as funny as the people who use AOL because it is the "internet" even though they are just hooked into a router and cable modem like everyone else - this used to be acceptable when people used AOL's dialup service (or, shudder, continue to use it).

  7. Flimsy by sean_nestor · · Score: 3, Insightful

    I can't think of any way this could fail gracefully. If this system was compromised, it'd be a powerful way to disrupt network traffic and take down important systems that happen to run it.

    "It depends on the number of events and the number of computers polled, but if there is a sufficient number of such samples, you can say with some degree of certainty that it is a worm," Cheetancheri says. "For that decision, the software uses a well-established statistical technique called sequential hypothesis testing," he says.

    I'm also skeptical that you could rely on a vast network of machines that have presumably fallen prey to an attack to share information between each other fast enough to correctly diagnose an attack with the kind of results the researcher seems hopeful of.

    Given that no method for correctly identifying "malicious" code 100% of the time currently exists, I don't think it's wise to allow a software program to run with the decision of shutting a machine down on notice of a perceived threat.

    The concept seems like an interesting idea, but I doubt it could be terribly effective in practice.
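
The decision step quoted above (a sequential hypothesis test over reports polled from many hosts) and the false-positive poisoning worry raised in the reply to the first comment can both be shown in a few dozen lines. The following is an added example written for this page, not code from the UC Davis project or the RAID paper; the firewall log format, the per-host scan heuristic, the flag probabilities under the "worm" and "benign" hypotheses, and the error-rate targets are all this example's own assumptions. It runs Wald's SPRT over one-bit peer reports and then feeds it the thread's poisoning scenario, first with a naive aggregator and then with a minimum vote count, which is one cheap way to raise the attacker's cost:

```python
"""Sequential hypothesis testing over peer anomaly reports (added example)."""
import re
from math import log

# --- 1. Per-host sensor fed from a firewall log -----------------------------
# Constructed log lines in a made-up format (assumption, not any real product):
# a scanning host touching 12 distinct peers on tcp/445, plus two web hits.
SCAN_LOG = [
    "2008-09-18 10:01:%02d OUT tcp 10.0.0.5:40%02d -> 192.168.3.%d:445" % (i, i, i)
    for i in range(1, 13)
] + ["2008-09-18 10:01:30 OUT tcp 10.0.0.5:4099 -> 72.14.207.99:80"] * 2
# A quiet host: one file-server connection and the same web hit.
QUIET_LOG = [
    "2008-09-18 10:01:05 OUT tcp 10.0.0.9:4100 -> 192.168.3.2:445",
    "2008-09-18 10:01:30 OUT tcp 10.0.0.9:4101 -> 72.14.207.99:80",
]
LOG_RE = re.compile(r"OUT tcp \S+ -> (?P<dst>[\d.]+):(?P<port>\d+)$")


def local_anomaly(log_lines, port, baseline_distinct, factor=5):
    """Flag a host that contacted more than `factor` x its usual number of
    distinct destinations on `port` (a crude scan heuristic).
    Returns (flagged, distinct_destinations)."""
    dsts = {m.group("dst") for m in map(LOG_RE.search, log_lines)
            if m and int(m.group("port")) == port}
    return len(dsts) > baseline_distinct * factor, len(dsts)


# --- 2. Aggregator: Wald's SPRT over one-bit reports from peers -------------
class SPRT:
    """H1 = worm spreading (a peer flags with probability theta1);
    H0 = benign (a peer flags with probability theta0).
    alpha/beta = tolerated false-alarm / miss rates.  All four values are
    illustrative assumptions, not numbers from the UC Davis work."""

    def __init__(self, theta0=0.05, theta1=0.80, alpha=0.01, beta=0.05,
                 min_samples=1):
        self.pos = log(theta1 / theta0)              # LLR step for a flag
        self.neg = log((1 - theta1) / (1 - theta0))  # LLR step for "normal here"
        self.upper = log((1 - beta) / alpha)         # cross -> accept H1 (worm)
        self.lower = log(beta / (1 - alpha))         # cross -> accept H0 (benign)
        self.min_samples = min_samples               # refuse to decide early
        self.llr, self.n = 0.0, 0

    def observe(self, flagged):
        """Fold in one peer report; return 'worm', 'benign' or None (keep polling)."""
        self.llr += self.pos if flagged else self.neg
        self.n += 1
        if self.n < self.min_samples:
            return None
        if self.llr >= self.upper:
            return "worm"
        if self.llr <= self.lower:
            return "benign"
        return None


def decide(reports, **sprt_kwargs):
    """Feed reports in arrival order; return (verdict, reports_consumed)."""
    test = SPRT(**sprt_kwargs)
    for i, flagged in enumerate(reports, 1):
        verdict = test.observe(flagged)
        if verdict:
            return verdict, i
    return "undecided", len(reports)


if __name__ == "__main__":
    print("scanner:", local_anomaly(SCAN_LOG, 445, baseline_distinct=2))
    print("quiet:  ", local_anomaly(QUIET_LOG, 445, baseline_distinct=2))
    # Genuine outbreak: most polled peers confirm the anomaly.
    print("outbreak:", decide([True, False, True, True]))
    # Benign: two "normal here" answers already settle it.
    print("benign:  ", decide([False, False, True, False]))
    # The poisoning case from the thread: two colluding peers report first.
    poisoned = [True, True] + [False] * 6
    print("poisoned, naive:      ", decide(poisoned))
    print("poisoned, min 8 votes:", decide(poisoned, min_samples=8))
```

Two things are worth noticing. With the parameters above the naive aggregator declares a worm after just two confirming reports, so two colluding peers that answer first are enough to trigger whatever lockdown the verdict drives, which is exactly the ready-made DDoS the earlier reply describes. Requiring a minimum number of votes before deciding forces the attacker to control a majority of the polled window rather than the first two responders; it raises the cost but does not remove the problem, so in a real deployment each report also needs to be authenticated and rate-limited per source, and the verdict should feed an alert rather than an automatic shutdown, which is the point several commenters here make.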

  8. Will never happen. by girlintraining · · Score: 5, Interesting

    Detecting anomalies requires a baseline of what "normal" is. That means surrendering information about the type and nature of traffic being received by your computer (and possibly sent as well). It's a privacy problem that not many people will commit to. And businesses will be even more reluctant to surrender such information. That said, an aggregate of several hundred thousand firewall logs would be an asset to many organizations and individuals. For this reason, it will never be free... The moment someone realizes there is a monetary value in what they're doing, they will attempt to capitalize on it. So, effectually, what this project is asking you to do is give them your private, personal data, so they can turn a buck under the pretense of fighting those big bad evil hackers. Isn't the market already pretty crowded with the fear-mongers, anti-virus, anti-malware, anti-anti-anti businesses?

    Also, this is not a defensive product. A defense requires the ability to resist or avoid an attack. Nothing about this scheme suggests it would provide that to the end-user. It is more of a "zero day surveillance" system than anything. It's a digital cow bell. Moo, ding ding, moo. The only problem is the cow moves at the speed of light and can replicate a few thousand times a second (conservatively). Don't ask about the milk. x_x

    --
    #fuckbeta #iamslashdot #dicemustdie
  9. Re:Linux Causes Woman to Drop Out of College by pipboy9999 · · Score: 2, Insightful

    While I don't agree with the way this was put, I do agree that if this lady wasn't smart enough to do the research and double check her order before pushing "check out" then it's not really Ubuntu's fault she bought something that does not meet her requirements.

    --
    Yeah, I've got nothing...
  11. Could work on large corporate-type networks by sweatyboatman · · Score: 3, Informative

    The summary is misleading in that this isn't proposed as a defense. This is an early-warning system for detecting compromised machines on a network.

    This isn't going to run on every computer in the world. Think of a corporate network with thousands of machines with fairly homogeneous usage. This could alert the sysadmin to a worm infection when the number of machines is numbered in the tens.

    And since all it's doing is monitoring it shouldn't present a security risk (if well designed) greater than any P2P client.

    --
    It breaks my pluginses, my precious!
  12. This already exists by charlesnw · · Score: 4, Informative

    It's called dshield: http://isc.sans.org/howto.html

    --
    Charles Wyble System Engineer
  13. A Cheap, Distributed Zero-Day Defense? by Thaelon · · Score: 4, Insightful

    A Cheap, Distributed Zero-Day Defense?

    User education.

    --
    Question everything
    1. Re:A Cheap, Distributed Zero-Day Defense? by Lord Ender · · Score: 2, Funny

      I think you misread "Cheap, Distributed Zero-Day Defense" as "expensive, ineffective, and slow defense."

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  14. My first thought too by Anonymous Coward · · Score: 5, Insightful

    Who watches the watchers?

    Any system like this would be a premium cracker target. All it would take is one false positive or false negative before no one would trust it again.

    Six months later, some other researcher would make a new proposal for a p2p system to guard the broken p2p system.

  15. Re:Linux Causes Woman to Drop Out of College by Chabo · · Score: 2, Interesting

    And I cry any time a school says it requires a piece of software that can only run on one OS.

    Then again, at my school the standard response would've been "there are plenty of cluster computers available all over campus, if yours won't run the necessary software."

    --
    Convert FLACs to a portable format with FlacSquisher
  16. Re:what a useless article by whiteworm · · Score: 2, Insightful

    Yes, I'll agree the article isn't revealing. The difference between our work and "Autograph" type approaches that WormShield builds on is that we are doing traffic anomaly detection and these more involved approaches attempt to automatically build a signature. The paper is available (only, sigh) from Springer, in "Recent Advances in Intrusion Detection 11th International Symposium", RAID 2008, Cambridge, MA, USA. -JMA