A Cheap, Distributed Zero-Day Defense?

coondoggie writes "Shutting down zero-day computer attacks could be carried out inexpensively by peer-to-peer software that shares information about anomalous behavior, say researchers at the University of California at Davis.The software would interact with existing personal firewalls and intrusion detection systems to gather data about anomalous behavior, says Senthil Cheetancheri, the lead researcher on the project he undertook as a grad student at UC Davis from 2004 to 2007. He now works for SonicWall."

Wow...

[roc97007 (608802)]

If you could break into that process, you could rule the world.

My first thought too

[A nonymous Coward (7548)]

Who watches the watchers?

Any system like this would be a premium cracker target. All it would take is one false positive or false negative before no one would trust it again.

Six months later, some other researcher would make a new proposal for a p2p system to guard the broken p2p system.

Re:

[Neoprofin (871029)]

Couldn't the same argument be used against distro repositories, security vendors websites, and any other system that people assume is safe and working in their best interests?

Obviously the entire point of doing it p2p is to speed up distribution, but that doesn't mean the fixes couldn't go through some kind of verification process before being flagged as safe and useful fixes.

Seems to work out pretty well for Blizzard updates.

Re:

[marcosdumay (620877)]

"Couldn't the same argument be used against distro repositories, security vendors websites, and any other system that people assume is safe and working in their best interests?"

Yes, theoretically, it could. In practice, the argument only holds against Windows and MS Office update (maybe also Firefox), since the others have a very high diversity.

Re:

[orclevegam (940336)]

Don't even need to break into it, just fool it. If you could convince it that some normal every day activity (say going to google more than twice in an hour) is really a sign of a 0-day attack in progress and get it to lock down network IO, you've just gotten a ready made DDoS. Simply get the system to propagate your false positive to all the nodes (which it would need to do quickly, quietly, and efficiently in order to combat 0-Day threats) and then wait for it to go off. Instant DDoS and you barely even n

Re:

[neokushan (932374)]

This is the first thing I thought as well. Find a way to compromise systems and rather than do your usual dirty work, just get them all to report that the legitimate, "Secure" devices are the ones causing all the trouble. There you go, you've DDOS'd the secure computers without ever having to touch them yourself.

Cheap Defense?

[drewzhrodague (606182)]

Six Inches of Air?

Re:

[buchner.johannes (1139593)]

A Cheap, Distributed Zero-Day Defense?

Just before buying a computer, deciding not to?

Not so fast...

[Jah-Wren Ryel (80510)]

On the face of it, it sounds like he's proposing a "trusted" infection vector. A way to distributed code intended to patch holes to systems that want it. The obvious problem with such a system is the consequences of it being compromised. Then it becomes a way to distribute malicious code much more effectively than the way bot-nets infect new hosts now.

Re:Not so fast...

[girlintraining (1395911)]

On the face of it, it sounds like he's proposing a "trusted" infection vector. A way to distributed code intended to patch holes to systems that want it. The obvious problem with such a system is the consequences of it being compromised. Then it becomes a way to distribute malicious code much more effectively than the way bot-nets infect new hosts now.

You forget that the system is also leaking information about the traffic it is sending/receiving at the same time, and possibly internal state information (such as what applications are loaded, plugins, etc). That data in and of itself is valuable to an attacker, nevermind whether the vector can be protected or not... It opens up the possibility of discovering new vectors in ways maybe not possible remotely.

Re:

[redxxx (1194349)]

Heck, the data is valuable to anyone with an interest in what people are doing online and how they are using the internet. I don't see any way the information sent out could be limited to the actions of malware, so the database could end up a nice target for commercial(marketing and whatnot) datamining.

Sending out information which I don't control defeats half of the purpose behind why I run software firewalls.

Re:Not so fast...

[liquidpele (663430)]

The obvious problem with such a system is the consequences of it being compromised.

The non-obvious problems:
1) People that don't keep automatic updates on aren't going to use this, so the same people that get infected today will continue to get infected.
2) P2P systems like this are notoriously hard to keep poison data out of.

Re:

[morgan_greywolf (835522)]

You make it sound suspiciously like "Windows Update," which doesn't have these problems...oh wait....nevermind.

Re:

[jd (1658)]

Maybe use a similar sort of system as a massively distributed active intrusion detection system. In "real life" (yeah, the outdoor thing), oak trees have chemicals in their leaves which sublime under normal atmospheric conditions. If the leaves are attacked by insects, the chemicals are released into the air and are picked up by nearby oaks. These respond by adding extra tannin in their own leaves. The practical upshot is that the heavier the insect attack, the more heavily protected the trees become, makin

Re:

[eonlabs (921625)]

Which lends itself well to a self created DDOS attack. You get a system like that to respond to a normal packet from the net and all of a sudden the amount of processing power expended to analyze the packets increases in response, which leads to greater susceptibility to flooding the system with crap.

Re:

[orclevegam (940336)]

In other words it's a monitoring tool, nothing more. Useful, but also dangerous in the wrong hands. Would be difficult to scrub the data such that it doesn't violate privacy, but still provides enough info to be useful.

It also wouldn't help against distributed C&C bot nets as those by definition don't have any one point of contact, but rather a great deal of contact among all the nodes. Without some sort of deeper inspection at both the data layer, and the application layer although this might catch s

Sooo...

[gblackwo (1087063)]

What is the zero-day defense protocol for the zero-day defense software?

Re:

[orclevegam (940336)]

It all comes down to GIGO. The software can only be as perfect as the person using it. Of course, the definition of perfect is also arbitrary and worse still, subjective.

What to tell your boss

[MrEricSir (398214)]

"I'm not pirating movies... I'm protecting the network!"

Cheap defense?

[the_humeister (922869)]

How about "disconnect it from the network."? That's the cheapest one I can think of.

Re:

[vux984 (928602)]

How about "disconnect it from the network."? That's the cheapest one I can think of.

Now, do you have any solutions to network security that, you know, actually let me use the network?

You seem like the type that would propose shooting someone in the face is a good inexpensive way to ensure someone with cancer doesn't die of cancer, with the added benefit that they won't have to worry about their heart condition any more either.

I sincerely hope you aren't a doctor.

Re:

[the_humeister (922869)]

Nice strawman. BTW, I am a doctor. Some people just don't know a joke when they see one.

Flimsy

[sean_nestor (781844)]

I can't think of any way this could fail gracefully. If this system was compromised, it'd be a powerful way to disrupt network traffic and take down important systems that happen to run it.

"It depends on the number of events and the number of computers polled, but if there is a sufficient number of such samples, you can say with some degree of certainty that it is a worm,â Cheetancheri says. For that decision, the software uses a well-established statistical technique called sequential hypothesis testing, he says"

I'm also skeptical that you could rely on a vast network of machines that have presumably fallen prey to an attack to share information between each other fast enough to correctly diagnose an attack with the kind of results the researcher seems hopeful of.

Given that no method for correctly identifying "malicious" code 100% of the time currently exists, I don't think it's wise to allow a software program to run with the decision of shutting a machine down on notice of a perceived threat.

The concept seems like an interesting idea, but I doubt It could be terribly effective in practice.

Re:

[Migraineman (632203)]

The response of the security bot-net is even worse. It's an algorithmic evaluation of cost tables.

That cost-benefit analysis would be simple to carry out, but network executives would have to determine the monetary costs and enter them into the software configuration so it can do its calculations.

End users would not program or modify the core detection engine. We don't want to have humans in the loop.

So, it'll go something like this: The CEO/VP/Regional Manager is working on a contract bid that absol

Re:

[Chabo (880571)]

My school's network actually worked somewhat like this. If "worm-like activity" was found, then it would kick you off the network automatically, and have you complete a checklist saying you'd performed a virus check, and things like that.

If you were found to still be infected (usually because you lied about actually doing a virus check), you couldn't get back on without an IT rep checking your computer (usually within a few hours if you needed them to come to you; pretty good for a public school I thought

Oh, yeah. It is going to work.

[140Mandak262Jamuna (970587)]

The malware is so sophisticated nowadays, they evade detection from local monitors. Somehow getting more data from remote computers will help you detect the malware? Come on, Senthil it is not going to work.

Will never happen.

[girlintraining (1395911)]

Detecting anomalies requires a baseline of what "normal" is. That means surrendering information about the type and nature of traffic being received by your computer (and possibly sent as well). It's a privacy problem that not many people will commit to. And businesses will be even more reluctant to surrender such information. That said, an aggregate of several hundred thousand firewall logs would be an asset to many organizations and individuals. For this reason, it will never be free... The moment someone realizes there is a monentary value in what they're doing, they will attempt to capitalize on it. So, effectually, what this project is asking you to do is give them your private, personal data, so they can turn a buck under the pretense of fighting those big bad evil hackers. Isn't the market already pretty crowded with the fear-mongers, anti-virus, anti-malware, anti-anti-anti businesses?

Also, this is not a defensive product. A defense requires the ability to resist or avoid an attack. Nothing about this scheme suggests it would provide that to the end-user. It is more of a "zero day surveillance" system than anything. It's a digital cow bell. Moo, ding ding, moo. The only problem is the cow moves at the speed of light and can replicate a few thousand times a second (conservatively). Don't ask about the milk. x_x

Nice try, but...

[russotto (537200)]

Your typical problems with security programs are

1) Blocking behavior which should be permitted and
2) Not blocking behavior which should be forbidden.

This adds the potential for

3) Enabling behavior which should be forbidden.

Is there one of those snarky standard forms for this?

The end of the web in 3.. 2.. 1..

[gmuslera (3436)]

Just wait till that distributed firewall "decide" (bug, intrusion, feeding patterns, whatever) to block the port 80.

Could work on large corporate-type networks

[sweatyboatman (457800)]

The summary is misleading in that this isn't proposed as a defense. This is an early-warning system for detecting compromised machines on a network.

This isn't going to run on every computer in the world. Think of a corporate network with thousands of machines with fairly homogeneous usage. This could alert the sysadmin to a worm infection when the number of machines is numbered in the tens.

And since all it's doing is monitoring it shouldn't present a security risk (if well designed) greater than any P2P client.

This already exists

[charlesnw (843045)]

It's called dshield: http://isc.sans.org/howto.html [sans.org]

Re:

[value_added (719364)]

It's called dshield: http://isc.sans.org/howto.html [sans.org]

That was my first thought, although that may not be entirely accurate. As for dshield, noticed the other day there's what appears to be a new link on the Spamhaus [spamhaus.org] page that reads

Consumer Alerts
Is your PC infected or part of a "botnet"?
Check it Here

Humorous aspects aside, it links to some sort of dshield copy-cat setup run by mynetwachman.com. Never heard of them personally, but the more the merrier. A community-based effort to solve a community-wide pro

A Cheap, Distributed Zero-Day Defense?

[Thaelon (250687)]

A Cheap, Distributed Zero-Day Defense?

User education.

Re:

[Lord Ender (156273)]

I think you misread "Cheap, Distrubted Zero-Day Defense" as "expensive, ineffective, and slow defense."

More difficult than it sounds

[__roo (86767)]

I recently interviewed security researcher Michael Collins for Beautiful Teams [amazon.com] (a book I'm finishing for O'Reilly) about work he'd done at CERT working on SiLK [cert.org], a collection of traffic analysis tools. From talking to him, it sounds like this is an enormously difficult problem to solve. His work involved modeling "normalcy" as a baseline to detect anomalies using an enormous amount of data spit out of edge routers. When I asked, "So your goal was to look at the data from routers, and just by looking at the g

what a useless article

[slashdotmsiriv (922939)]

So where is the paper/thesis/documentation of any type whatsoever that describes their p2p solution?

Collaborative p2p worm containment has been around for ever, what does Senthil Cheetancheri's proposal has to offer over previous work?

a small subset of prior work that does exactly what the clueless article sais they do.

http://gridsec.usc.edu/wormshield/ [usc.edu]
http://research.microsoft.com/apps/pubs/default.aspx?id=66830 [microsoft.com]

PS: I doubt Senthil's research reinvents the wheel but I would appreciate an actual link to his

Re:

[slashdotmsiriv (922939)]

And to answer my own question (hate doing it on /. but somebody has to set the record straight).

http://scholar.google.com/scholar?hl=en&q=Senthil%20Cheetancheri&um=1&ie=UTF-8&sa=N&tab=ws [google.com]

There is no published work on his so called groundbreaking research:

http://scholar.google.com/scholar?hl=en&lr=&q=Senthil%20Cheetancheri&um=1&ie=UTF-8&sa=N&tab=ws [google.com]

I would expect much higher story verification standards by Cmdr Taco and NetworkWorld

Another related actually high profi

Re:

[whiteworm (1452871)]

Yes, I'll agree the article isn't revealing. The difference between our work and "Autograph" type approaches that WormShield builds on is that we are doing traffic anomaly detection and these more involved approaches attempt to automatically build a signature. The paper is available (only, sigh) from Springer, in "Recent Advances in Intrusion Detection 11th International Symposium", RAID 2008, Cambridge, MA, USA. -JMA

Operator Law

[kenp2002 (545495)]

Ken's OPERATOR Law

There inany given population, in an effort to corrdinate, will have a given number of contrarians that for no purpose other then to avoiding conforming to the norm, will intentionally provide and contribute false information to the collective. This can be exhibited in the childrens game 'operator' starting with a message and retelling it down the line. While in small populations the deviation from the original message is minor. The larger the population, the larger the devation tends to ge

It is far too late for that

[0xdeadbeef (28836)]

There is no defense against "zero day". The script kiddie misappropriation of warez d00d slang is now so embedded in the nomenclature that even legitimate security researchers are using it.

Re:

[Belial6 (794905)]

That's what I was thinking. The first time I heard zero day was with the DirectTV attack on illegally hacked satellite boxes. The reason it was called zero-day was because DirectTV sent little pieces of code that didn't do anything malicious in small segments. This resulted in the hackers ignoring each little piece of code. After all, the code didn't do anything harmful. Then on Superbowl Sunday, when the absolute highest quantity of hacked boxes would be running, they sent the last little bit of code

Now works for SonicWall, eh?

[kwabbles (259554)]

Knowing SonicWall, this will be a feature in next years product line - except it will only "work" between other SonicWall products. It won't actually do anything, but they'll claim that it does - yet they won't provide any technical details (let alone source code) on the inner workings.

Re:

[monkeySauce (562927)]

Close... it will appear in the routers as an unlockable feature for an additional, annual license fee.

sonicwall blows.

Re:

[kwabbles (259554)]

And when you get your annual renewal feature key - you'll go to type it in and submit it but it won't be able to authenticate the license key. So, you'll have to call SonicWall for a 100-character manual license key and sit on hold for forever listening to that damned SonicWall hold music.

Now I've got it stuck in my head.

Ta ta ta ta... ta ta ta ta... doo doo dee dooo dee doooo dee dooo... ta ta ta ta... ta ta ta ta... doo doo dee dooo dee doooo dee dooo... ta ta ta ta... ta ta ta ta...

ACTNet

[rtechie (244489)]

There are a number of products that already do this. ACTNet [gews.com], which is part of ActiveScout, does something very similar to this. And it's patented.

Attack information is uploaded to a central server from individual appliances. Appliances then check the central server for a list of "known attackers" and automatically blocks them if they attempt to access the protected network. The concept is similar to Realtime Blackhole lists for spammers.

Re:

[gblackwo (1087063)]

I have to giggle whenever someone thinks they need some sort of Verizon High Speed Internet CD to use the internet.

It's almost as funny as the people who use AOL because it is the "internet" even though they are just hooked into a router and cable modem like everyone else. - this used to be acceptable when people used AOL's dialup service (or shudder- continue to use it)

Re:

[Ethanol-fueled (1125189)]

But it's very possible that the person is using a USB HSDPA [vzw.com] adapter which may need proprietary windows-only software to connect to the network.

Though I'm sure the troll was just trying to be funny in saying that the computer needed a verizon CD and MS Word(uh, OO.o anybody?) to do schoolwork.

Re:

[johnsonav (1098915)]

Though I'm sure the troll was just trying to be funny in saying that the computer needed a verizon CD and MS Word(uh, OO.o anybody?) to do schoolwork.

Sadly, that's a real news story. Its funny, but all too true. I'm from Wisconsin, and I died a little inside when I read this story on another site.

Re:

[Chabo (880571)]

And I cry any time a school says it requires a piece of software that can only run on one OS.

Then again, at my school the standard response would've been "there are plenty of cluster computers available all over campus, if yours won't run the necessary software."

Re:

[pipboy9999 (1088005)]

while I don't agree with the way this was put, I do agree that if this lady wasn't smart enough to due to research and double check her order before pushing "check out" then its not really Ubuntu's fault she bought some thing that does not meet her requirements.