Internet Immunization
xav_jones writes "Nature.com reports on computer experts from Israel who are proposing a different strategy for combating fast-spreading worms and viruses -- one in which the fix can, theoretically, keep up with or stay ahead of the malicious code. They 'propose a system in which a few honeypot computers lie in wait for viruses. These computers run automated software that first identifies the virus, and then sends out its signature across the Internet. This enables a sentinel program on all the other computers in the network to identify the virus and bar it before it can attack them.' The honeypot computers would reside in a secure, dedicated network. For 'roughly 200 million computers ... [with] just 800,000 [(0.004%)] of them acting as honeypots [it] would restrict a viral outbreak to 2,000 machines.'"
WOW (Score:5, Interesting)
All that to combat worms and viruses? If I am correct, most of the worms and viruses infect because of a vulnerability in the software. So what if these sentinels of "guardian angels" themselves have some flaws which these viruses exploit. How about spending some money on training developers to practise safe coding. How about educating average joe to not click on the Britney's image and let him know that she is not going to blow him? How about lobbying to pass laws to force software companies to pass a higher standard? Heck even children's toys have certain standards that the companies have to adhere to.
Seems like rational ideas are just an illusion nowadays. Don Quixote suddenly seems more reasonable to me than this guy.
Re:WOW (Score:3, Informative)
Seems like good math skills are too. 800,000 computers out of 200 million is WAY more than 0.004% as the summary stated
Someone is off by a couple orders of magnitude. Much closer to half a percent.
Re:WOW (Score:2)
Re:WOW (Score:2)
So now anyone can DoS the whole internet in under 2 seconds by sending a virus to 1 computer.
Must be a full moon out there somewhere ...
Re:WOW (Score:5, Informative)
Proving him right... re-read the summary (Score:2)
Re:WOW (Score:2)
garbage in, garbage out
But... (Score:2)
Re:WOW (Score:2)
Look at the post I was replying to;
If you were one of my students I'd gladly fail you. Try it in a calculator
800,000 divided by 200,000,000: it's 0.004%. Feel like coming back and studying grade school math under me? I promise I won't laugh too much.
Re:it is correct (Score:2, Insightful)
Re:it is correct (Score:2)
Re:WOW (Score:2)
Cha right. And monkeys might fly from my ass.
-Rick
Re:WOW (Score:2)
Cha right. And monkeys might fly from my ass.
If they do then lemme tell ya, do I have the website for you [flyingbuttmonkeys.com]!
Re:WOW (Score:2)
You're right. That is a lot of work. Please straighten these guys out because there must be something easier than this.
How about spending some money on training developers to practise safe coding.
Definitely. Educating the coders has saved us from inefficient apps and poorly documented code. It only makes sense to add secure coding practices to this list of perfection. If only we could have known ahead of time that security might have been a problem.
How about educati
Looks like it could be a weak link... (Score:3, Insightful)
Re:WOW (Score:2)
Yes, and if every US internet user had to take a 6 week course, 20 hours of simulated net usage, 20 hours hands on instructor guided net usage, then had to pass both a written and prac app test, then spend two years on a probationary net use license... Yes, then I could see sinking a huge investment into making software perfect.
-Rick
A fine idea . . . (Score:5, Insightful)
And once someone finds a hole in this magic system, it will become the most effective means of distributing viruses ever invented.
Re:A fine idea . . . (Score:3, Informative)
Re:A fine idea . . . (Score:5, Funny)
What about the Vic-20 locked in my closet under my old underwear with all the keys stuck from 20 year old Coca-Cola? I dare you to break into that!
Re:A fine idea . . . (Score:5, Funny)
Re:A fine idea . . . (Score:4, Funny)
Re:A fine idea . . . (Score:2)
Huh?!? (Score:5, Insightful)
Re:Huh?!? (Score:3, Informative)
Re:Huh?!? (Score:3, Insightful)
Fully Automated Security Breach Detection? (Score:2)
If I'm right, I suspect an antivirus network like this is extremely likely to zombie-fy the honeypots, and then use them to propagate a back door to every system relying on the antivirus network.
Re:Huh?!? (Score:2)
Better yet, if you know how to make your honeypots 100% secure against all unknown viruses then could you share this technology with everyone else please? That way we wouldn't need the honeypots at all...
Not necessarily. Physically write-protect your hard-disk after a clean install and I'm fairly positive the vast majority of your virus woes will disappear.
Of course, your computer might not be very good for general computing tasks then, now would it? But said computer could work for the pur
Re:Huh?!? (Score:5, Insightful)
and who foots the bill... (Score:3, Insightful)
Re:and who foots the bill... (Score:2)
Hrrm. (Score:2, Insightful)
1) Worm writers figure out a way to avoid them or
2) Someone decides to use the "honeypots" to attack the network itself by flooding it with slightly different worms, making the signal to noise ratio patently obscene.
Didn't we try this with Spam? (Score:5, Insightful)
Virus writers will just add mutational code to their virus, so each instance of infection will have a unique signature.
Re:Didn't we try this with Spam? (Score:2)
That if is the big problem. After all, if such a system was employed, then the #1 goal of any virus writer would be to make the virus undetectable by the honeypots. Or alternatively, the virus could actually modify the honeypots to not report that virus, or maybe even use them to spread more efficiently.
Re:Didn't we try this with Spam? (Score:2)
Am I missing the point... (Score:2, Insightful)
Re:Am I missing the point... (Score:4, Interesting)
The real trick is to make sure that the antiviral signature travels faster through the Internet than the virus itself,
I disagree. Sending signals to all participating computers real fast isn't such a big deal. After all, the virus has to poke around inside an infected computer, looking for data on "who to infect next." This immunization system will have a built-in table of how to efficiently route the cure. So it will be faster (or at least competitive with) the virus spreading speed. (I know, I know... virus-writers will exploit that very routing table...)
In my estimation, the real challenge is to automate the detection. The honeypot must somehow identify what is a virus and what is not (and do it quickly to be at all effective!). Sometimes this will be easy (the honeypot may have a store of thousands of files that it never touches, and if any one of them becomes modified, it must have been a virus trying to replicate itself, etc.)... other times, it may be darn difficult for a machine to tell it has become infected. After all, the whole point of a virus is that it does something unexpected (exploits a bug that was not known to exist). So determining that a virus is operating is hard.
I also see false positives being a major concern. If the honeypot starts issuing signatures for legitimate net traffic, then the system becomes worse than useless. Just my opinion. I'm no expert.
Re:Am I missing the point... (Score:2)
If it runs from e-mail or pokes its head in through a port and edits code on my machine to start itself, IT'S A VIRUS.
If you are worried it might catch spyware then you are too right wing (You can make money from it and it's not illegal!) to live, proceed accordingly.
Re:Am I missing the point... (Score:2)
I'd bundle few critical Windows DLLs with my virus. I'd love to see automatic immunization patch created for that!
Why not do this with the human body? (Score:5, Interesting)
Individuals at home would have their DNA sequencers crank out a batch and they'd then inoculate themselves, prepping their immune system for the real virus.
This is all future stuff, of course. It could also be prone to problems, such as someone hacking into the system and posting a DNA sequence that does bad things to people. Shucks, the autism/vaccine scares already show people's fear of such things. Might make for a good story, though.
HIV always changes, but it's still HIV (Score:2)
The trick is to find those key portions and use them in your vaccine.
Re:HIV always changes, but it's still HIV (Score:2)
Re:Why not do this with the human body? (Score:2)
Tell that to the crocodile's immune system [theregister.co.uk].
Plus, even the HIV virus has a weakness. Block the cell-attaching mechanism [nature.com], and you've blocked HIV.
Re:Why not do this with the human body? (Score:2)
True, but HIV does respond well to chemotherapy as do most highly mutagenic viruses. If HIV didn't have a reservoir somewhere in the body it could probably be wiped out by chemotherapy.
Only the coat changes. The portion of DNA which codes for reverse transcriptase changes rapidly.
Frankly, I don't understand how they can use anything except PCR to test for the presence of HIV. A Western Blot test is often used, I know, but t
No need for pigs (Score:2)
What's new? (Score:4, Interesting)
Is the novelty
1. Using this technique for viruses?
2. Using a dedicated honeynet?
Nothing new here. (Score:2)
How about someone thinking that dedicating 800,000 computers to guarding Bill Gates' crappy OS is a good use of resources? Give me a break, you could run Google 2 with that kind of processing power.
1+1=11 (Score:5, Insightful)
I make it 0.4% ...
Re:1+1=11 (Score:4, Funny)
You get a gold star.
Re:1+1=11 (Score:2)
The summary is wrong, the article is correct...
i got it! (Score:3, Insightful)
If I find out a way to infect the signal the honeypots are sending out, then I can infect even more people, because the people relying on the honeypot machines won't be running anti-virus programs themselves.
Hmm, that would be fun!
Re:i got it! (Score:2)
Vmware perhaps? Honeypotting with VMware - basics [seifried.org]
If you could make this system overreact... (Score:3, Funny)
I'm pretty sure (Score:4, Interesting)
However, I'm willing to give these guys a fair shake. No matter what anyone has to say about their politics, the Israelis definitely know how to do high-tech.
From TFA:
That's cool! (Score:2, Offtopic)
Load Of Dung (Score:5, Insightful)
Ya know, if ya had some code that could reliably identify virii without signatures, wouldn't we all be running *that* on all our desktops?
Not a load of dung, just expensive (Score:5, Informative)
Mostly, you need to do extensive monitoring of what your program is doing, and look for out-of-bound writes (e.g. buffer overflows/stack smashing), or do taint analysis (that is, don't execute or make "important" decisions based on data "tainted" from an untrusted source). But this requires performing many analysis operations for every "real" operation, so it isn't feasible to do everywhere.
Just google the titles for electronic copies.
Kreibich, C., and Crowcroft, J. Honeycomb - creating intrusion detection signatures using honeypots. In HotNets (Nov. 2003).
Kim, H., and Karp, B. Autograph: Toward automated, distributed worm signature detection. In USENIX Security Symposium (Aug. 2004).
Zou, C. C., Gao, L., Gong, W., and Towsley, D. Monitoring and early warning for internet worms. In ACM CCS (Oct. 2003).
Wilander, J., and Kamkar, M. A comparison of publicly available tools for dynamic buffer overflow prevention. In NDSS (Feb. 2003).
Newsome, J., and Song, D. Dynamic taint analysis: Automatic detection and generation of software exploit attacks. In NDSS (Feb. 2005).
Re:Not a load of dung, just expensive (Score:2)
Re:Not a load of dung, just expensive (Score:3, Insightful)
The difference here is that Lord Kelvin said it before it had been done.
The problem, boiled down to its smallest, is to find inputs to the computer which cause it to emit bad outputs (e.g. cause it to try to spread the worm). We control the honeypot, so we can strictly classify what good outputs are (generally nothing, or some small set of fixed responses)--everything else is therefore bad. Any message to the ho
Re:Load Of Dung (Score:2)
that assumes a non-windows operating system, and investing in this kind of setup for a non-windows network is probably only worth the expense in a select few situations.
Re:Load Of Dung (Score:2)
There is magic tinkerbell.
It is called virtualization.
Virtualize the honeypot and then watch his filesystem from "outside" - any unexpected writes will indicate infection. That should reliably catch all viruses that are intended to survive a reboot. Viruses that don't survive reboots aren't likely to be a problem.
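The "store of files the honeypot never touches" idea from the earlier comment and the "watch the filesystem from outside" idea here come down to the same check. As an added example (not code from the paper or from any poster), this is a minimal out-of-band integrity diff: hash a constructed bait tree, let a simulated infection modify a binary and drop a new file, and report only the writes that are not on an assumed allowlist of paths the honeypot legitimately writes to.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed bait store: files the honeypot itself never writes to.
BAIT_FILES = {
    "docs/report.doc": b"quarterly numbers",
    "bin/helper.exe": b"MZ\x90\x00fake-binary",
    "logs/system.log": b"boot ok\n",
}
# Assumed allowlist: paths the honeypot OS is expected to change on its own.
EXPECTED_WRITERS = {"logs/system.log"}

def snapshot(root: Path) -> dict:
    """Hash every file under root; in the virtualized design this runs on the host, not the guest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }

def unexpected_changes(before: dict, after: dict, allow=EXPECTED_WRITERS) -> dict:
    """Return {path: reason} for every write the honeypot should never have made."""
    findings = {}
    for rel, digest in after.items():
        if rel in allow:
            continue
        if rel not in before:
            findings[rel] = "created"
        elif before[rel] != digest:
            findings[rel] = "modified"
    for rel in before:
        if rel not in after and rel not in allow:
            findings[rel] = "deleted"
    return findings

def build_bait(root: Path) -> None:
    for rel, content in BAIT_FILES.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)

def demo() -> dict:
    """Clean baseline, then a constructed 'infection': a log rotation (benign), a patched binary, a dropped file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_bait(root)
        baseline = snapshot(root)
        (root / "logs/system.log").write_bytes(b"boot ok\nrotated\n")
        (root / "bin/helper.exe").write_bytes(b"MZ\x90\x00fake-binary+appended-code")
        (root / "docs/dropper.vbs").write_bytes(b"constructed dropper")
        return unexpected_changes(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

The allowlist is the weak point the thread keeps circling back to: anything a real honeypot OS writes on its own has to be excluded, and a write that lands inside an allowlisted path is invisible to this check.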
Let me get this straight... (Score:3, Insightful)
Is that what I'm reading? If that's so, then count me out. I can't take care of my own, thankyouverymuch.
OR... (Score:3, Insightful)
Already In Place (Score:3, Informative)
The Network is the Honey (Score:3, Insightful)
Maybe this is a good application for the Usenet tech, to flood the trust networks with info rapidly, reliably, and without a centralized authority that itself can be attacked or otherwise compromised. Most of this tech already exists. We don't need 800K new servers that do nothing else, when we've got even more that also serve mail. Maybe the researchers are setting up a spinoff security network. But their research actually points to a better system than relying on them for more than the starting point.
Re:The Network is the Honey (Score:2)
This isn't a new or different idea at all (Score:3, Insightful)
Webs of early notifiers is also not a new idea; look at the honeypot networks that are on the web, the honeypot project, and so on.
The containment cited is theoretical, subject to the ability to correctly identify behavior, and doesn't prevent users from clicking on URLs that have malware, or filter signatures that have fast breakout behavior.
And so, the merit of the Nature article is in question. It's just a PR release in disguise.
You have a bad case of... (Score:2, Funny)
take two OSS tablets (not applicable in France) and call me in the morning
Why honeypots? Use DShield! (Score:3, Informative)
Wow... (Score:3, Interesting)
I'd like to see how this results... whatever the outcome, it's an interesting experiment.
Re:Wow... (Score:2)
Re:Wow... (Score:2)
Immune systems are not quite as simple as that (Score:2)
Not really... (Score:2, Insightful)
Re:Not really... (Score:2)
This isn't a very good paper. (Score:3, Interesting)
The citations list at the end of the Nature paper also is missing a large body of relevant work. Check the citations list of the Vigilante paper for details--50 references most of which are missing from the Nature pub. Also, the publications the Nature paper cites are mixed--some are good (like http://www.icsi.berkeley.edu/~nweaver/containment
The analysis is quite math heavy, and makes some unrealistic assumptions (i.e. worms only spread to their neighbors). In the end, they "show" that it is theoretically possible to stop worms with a side-channel network. Vigilante, on the other hand, has an implementation of a vaccination system, and simulation results run against Blaster, Slammer, and Code Red. Now, which is more convincing to you?
Re:This isn't a very good paper. (Score:2)
So.... Amway builds a DDOS network? (Score:2)
honeypot on secure network? (Score:5, Insightful)
Re:honeypot on secure network? (Score:2)
Re:honeypot on secure network? (Score:2)
That's just about the opposite of what I normally think of as a "secure network".
That also makes their infection detection simpler; if the computer attempts to make any outbound connections, it's infected. But malware that has a long incubation period wouldn't be detected promptly, so other methods must be used as well.
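The point made here and a few posts up ("we control the honeypot, so we can strictly classify what good outputs are, and everything else is bad") is easy to turn into a network-side rule. As an added example (not from the paper or any poster), this classifies constructed flow-log lines for an assumed honeypot subnet: inbound connections are the bait working, outbound to the assumed collector is the reporting channel, and any other outbound flow marks that honeypot as suspect.

```python
import ipaddress
from collections import defaultdict

# Assumed layout: honeypots live in 10.9.0.0/24 and may only initiate traffic to the collector.
HONEYPOT_NET = ipaddress.ip_network("10.9.0.0/24")
ALLOWED_OUTBOUND = {("10.9.0.1", 8443)}

# Constructed flow log (not from any real sensor): "time src:port -> dst:port proto"
SAMPLE_LOG = """\
12:00:01 198.51.100.7:51234 -> 10.9.0.12:445 tcp
12:00:02 10.9.0.12:40001 -> 10.9.0.1:8443 tcp
12:00:03 10.9.0.12:40002 -> 203.0.113.9:445 tcp
12:00:03 10.9.0.12:40003 -> 203.0.113.10:445 tcp
12:00:04 10.9.0.15:40010 -> 198.51.100.200:80 tcp
12:00:05 10.9.0.12:40004 -> 10.9.0.1:8443 tcp
"""

def parse_line(line: str):
    ts, src, _, dst, proto = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return ts, src_ip, int(src_port), dst_ip, int(dst_port), proto

def classify_flows(log_text: str) -> dict:
    """Map each honeypot to the outbound flows that are not on its allowlist."""
    violations = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src_ip, _, dst_ip, dst_port, proto = parse_line(line)
        if ipaddress.ip_address(src_ip) not in HONEYPOT_NET:
            continue  # inbound to a honeypot: that is what the bait is for
        if (dst_ip, dst_port) in ALLOWED_OUTBOUND:
            continue  # signature reporting channel to the collector
        violations[src_ip].append((ts, dst_ip, dst_port, proto))
    return dict(violations)

def suspected_infected(log_text: str) -> list:
    """Honeypots that initiated anything outside the allowlist, sorted by address."""
    return sorted(classify_flows(log_text))

if __name__ == "__main__":
    for host, flows in classify_flows(SAMPLE_LOG).items():
        print(host, flows)
```

As the comment notes, this only fires once the malware actually tries to spread; a sample that waits out an incubation period produces no flow to classify, so it has to be paired with host-side checks.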
Judgement Day. (Score:2)
Vigilante (Score:3, Informative)
They find that it is possible to quickly detect worms automatically, construct automatic filters for just the worm and not benign traffic, and distribute it quickly to vulnerable hosts in a secure, non-forgeable way.
[1] http://portal.acm.org/citation.cfm?id=1095809.109
[2] http://research.microsoft.com/research/pubs/view.
Re:Vigilante (Score:2)
Except for Yuval Shavitt [google.com] the authors barely even register in DBLP (a database of CS bibliographies). Not [google.com] big [google.com] players [google.com] in the CS community, and obviously not fully aware of the existing work.
Re:Vigilante (Score:2)
Can anybody explain to me why they haven't put this into action? They would be hailed as saviours of the (electronic) planet. Are there still a 'few kinks' to be ironed out or are we into tinfoil-hat-area?
nothing new (Score:2, Informative)
the idea has been around (Score:2)
Re:the idea has been around (Score:2)
Autoimmunity (Score:2, Insightful)
Re:Autoimmunity (Score:2)
Remember, natural autoimmune illnesses don't kill the immune system. They cause the immune system to go against other parts of the system (body) it is supposed to protect.
And this is a new idea how? (Score:2)
Of course, (Score:2)
Hmm (Score:2)
First, you build this giant wall...
Fix it for them (Score:2)
Just in... (Score:2)
Unworkable (Score:2)
But the problem is that in reality, the honeynet is composed of software too, so even if you think it is better than nothing, you might change your mind when virus writers discover exploits in the honeynets.
Hoping the honeynet computers won't break containment at that point is wishful thinking at best.
Nature really is slipping (Score:2)
Nature seems to want to publish stuff in computer science, but it is becoming increasingly clear that they simply have no clue what they are doing. Apparently, they select papers that take some idea from computer science, add some biological or physics jargon, and otherwise fit their format, and publish it.
It seems more and more like Nature is turning into the New Scientist, only Nature isn't as entertaining.
Why not turn normal users' PCs into honeypots? (Score:2)
If my machine is running Norton AV, and I get something, couldn't my machine just automatically alert a central Symantec server or something lik
Who watches the watchers? (Score:2)
You wouldn't be able to force me. After all, "Who Watches the Watchers [startrek.com]?
I don't want to be subject to an "automatic immunity" system because I don't want to lose control of my computer, internet connectivity and communication. I can imagine a "sentinel program" being told to exclude or dump, without warning, my choice or even my knowledge, dangerous packets containing strings like "ACLU," "EFF," "Vote for [fill in]," "PG
Re:Avoid the computers? (Score:2, Funny)
Re:Inspiring display of arithmetic (Score:2)