A Cheap, Distributed Zero-Day Defense? 116
coondoggie writes "Shutting down zero-day computer attacks could be carried out inexpensively by peer-to-peer software that shares information about anomalous behavior, say researchers at the University of California at Davis.The software would interact with existing personal firewalls and intrusion detection systems to gather data about anomalous behavior, says Senthil Cheetancheri, the lead researcher on the project he undertook as a grad student at UC Davis from 2004 to 2007. He now works for SonicWall."
Wow... (Score:5, Insightful)
If you could break into that process, you could rule the world.
Cheap Defense? (Score:5, Insightful)
Not so fast... (Score:5, Insightful)
On the face of it, it sounds like he's proposing a "trusted" infection vector. A way to distributed code intended to patch holes to systems that want it. The obvious problem with such a system is the consequences of it being compromised. Then it becomes a way to distribute malicious code much more effectively than the way bot-nets infect new hosts now.
Sooo... (Score:5, Insightful)
Re:Linux Causes Woman to Drop Out of College (Score:3, Insightful)
It's almost as funny as the people who use AOL because it is the "internet" even though they are just hooked into a router and cable modem like everyone else. - this used to be acceptable when people used AOL's dialup service (or shudder- continue to use it)
Flimsy (Score:3, Insightful)
"It depends on the number of events and the number of computers polled, but if there is a sufficient number of such samples, you can say with some degree of certainty that it is a worm,â Cheetancheri says. For that decision, the software uses a well-established statistical technique called sequential hypothesis testing, he says"
I'm also skeptical that you could rely on a vast network of machines that have presumably fallen prey to an attack to share information between each other fast enough to correctly diagnose an attack with the kind of results the researcher seems hopeful of.
Given that no method for correctly identifying "malicious" code 100% of the time currently exists, I don't think it's wise to allow a software program to run with the decision of shutting a machine down on notice of a perceived threat.
The concept seems like an interesting idea, but I doubt It could be terribly effective in practice.
Re:Not so fast... (Score:5, Insightful)
On the face of it, it sounds like he's proposing a "trusted" infection vector. A way to distributed code intended to patch holes to systems that want it. The obvious problem with such a system is the consequences of it being compromised. Then it becomes a way to distribute malicious code much more effectively than the way bot-nets infect new hosts now.
You forget that the system is also leaking information about the traffic it is sending/receiving at the same time, and possibly internal state information (such as what applications are loaded, plugins, etc). That data in and of itself is valuable to an attacker, nevermind whether the vector can be protected or not... It opens up the possibility of discovering new vectors in ways maybe not possible remotely.
Re:Linux Causes Woman to Drop Out of College (Score:2, Insightful)
Comment removed (Score:5, Insightful)
A Cheap, Distributed Zero-Day Defense? (Score:5, Insightful)
User education.
My first thought too (Score:5, Insightful)
Who watches the watchers?
Any system like this would be a premium cracker target. All it would take is one false positive or false negative before no one would trust it again.
Six months later, some other researcher would make a new proposal for a p2p system to guard the broken p2p system.
Re:what a useless article (Score:2, Insightful)