Become a fan of Slashdot on Facebook


Forgot your password?
Security Technology

A Cheap, Distributed Zero-Day Defense? 116

coondoggie writes "Shutting down zero-day computer attacks could be carried out inexpensively by peer-to-peer software that shares information about anomalous behavior, say researchers at the University of California at Davis.The software would interact with existing personal firewalls and intrusion detection systems to gather data about anomalous behavior, says Senthil Cheetancheri, the lead researcher on the project he undertook as a grad student at UC Davis from 2004 to 2007. He now works for SonicWall."
This discussion has been archived. No new comments can be posted.

A Cheap, Distributed Zero-Day Defense?

Comments Filter:
  • Wow... (Score:5, Insightful)

    by roc97007 ( 608802 ) on Wednesday January 14, 2009 @02:16PM (#26452441) Journal

    If you could break into that process, you could rule the world.

    • by A nonymous Coward ( 7548 ) on Wednesday January 14, 2009 @03:24PM (#26453643)

      Who watches the watchers?

      Any system like this would be a premium cracker target. All it would take is one false positive or false negative before no one would trust it again.

      Six months later, some other researcher would make a new proposal for a p2p system to guard the broken p2p system.

      • Couldn't the same argument be used against distro repositories, security vendors websites, and any other system that people assume is safe and working in their best interests?

        Obviously the entire point of doing it p2p is to speed up distribution, but that doesn't mean the fixes couldn't go through some kind of verification process before being flagged as safe and useful fixes.

        Seems to work out pretty well for Blizzard updates.
        • "Couldn't the same argument be used against distro repositories, security vendors websites, and any other system that people assume is safe and working in their best interests?"

          Yes, theoretically, it could. In practice, the argument only holds against Windows and MS Office update (maybe also Firefox), since the others have a very high diversity.

          • "Couldn't the same argument be used against distro repositories, security vendors websites, and any other system that people assume is safe and working in their best interests?"

            Yes, theoretically, it could. In practice, the argument only holds against Windows and MS Office update (maybe also Firefox), since the others have a very high diversity.

            What the hell??... This has nothing to do with Office or Firefox update they are not peer-to-peer applications.

            • If implemented right, P2P distribution is as hard to break as centralized one. The biggest problem here that the distribution is automatic.
        • I would say the argument can't be made. The examples you've cited are materially different. They are single point push systems, rather than a p2p pulling system.

          You only get your updates from one place, the original source. (Or in the case of linux distro's you get the validation/CRC check from one place)

          The article is about an automated distributed response, hence you have to trust much more than the person you're getting it from. You have to trust the entire chain.

          The Blizzard example is a bet
      • "All it would take is one false positive or false negative before no one would trust it again."

        would you be able to tell me which of the currently used security products are trusted, due to never throwing a false positive or negative?

        • "All it would take is one false positive or false negative before no one would trust it again."

          would you be able to tell me which of the currently used security products are trusted, due to never throwing a false positive or negative?

          Irrelevant. They aren't automated. People are allowed to make mistakes and presumably learn from them; it takes many repeated mistakes to become unreliable.

          An automated system doesn't have that luxury. When there is no one to accept blame and make corrections, people won't trust it.

      • Make it an encrypted VPN like OpenVPN and use physical security
        like they do at military installations when dealing with
        Compartmentalized Top Secret information.

        Have Supernodes that are the trusted servers, and the clients can
        just offer data to their Supernode.

        Have the reporting software add in PC system metrics like the
        MAC and CPU ID#'s so that if ppl are trying to affect the
        system maliciously it fingerprints them.

        • Yah, that'll work well.

          MACs can be configured at will.

          CPU ID#, now that's a new one. Still, it takes software to report it, so it too can be forged.

          What exactly are you proposing anywho? I wonder if you have any clues about "miltary installations" other than what Hollywood tells you.

    • That was the first thought that crossed my mind, too..

    • Re: (Score:3, Interesting)

      by orclevegam ( 940336 )
      Don't even need to break into it, just fool it. If you could convince it that some normal every day activity (say going to google more than twice in an hour) is really a sign of a 0-day attack in progress and get it to lock down network IO, you've just gotten a ready made DDoS. Simply get the system to propagate your false positive to all the nodes (which it would need to do quickly, quietly, and efficiently in order to combat 0-Day threats) and then wait for it to go off. Instant DDoS and you barely even n
      • by davecb ( 6526 ) *

        Presumably the monitor itself would need to be tricked into thinking the harmless operation was evil, so it would submit it to peer review on the p2p network.

        Then you'd need to trick some other subscribers into agreeing it was evil, and somehow arrange for them to be selected by the system as peers. Then and only then could you get the system to DoS it's users.


    • This is the first thing I thought as well. Find a way to compromise systems and rather than do your usual dirty work, just get them all to report that the legitimate, "Secure" devices are the ones causing all the trouble. There you go, you've DDOS'd the secure computers without ever having to touch them yourself.

  • Cheap Defense? (Score:5, Insightful)

    by drewzhrodague ( 606182 ) <drew.zhrodague@net> on Wednesday January 14, 2009 @02:16PM (#26452449) Homepage Journal
    Six Inches of Air?
  • Not so fast... (Score:5, Insightful)

    by Jah-Wren Ryel ( 80510 ) on Wednesday January 14, 2009 @02:19PM (#26452495)

    On the face of it, it sounds like he's proposing a "trusted" infection vector. A way to distributed code intended to patch holes to systems that want it. The obvious problem with such a system is the consequences of it being compromised. Then it becomes a way to distribute malicious code much more effectively than the way bot-nets infect new hosts now.

    • Re:Not so fast... (Score:5, Insightful)

      by girlintraining ( 1395911 ) on Wednesday January 14, 2009 @02:36PM (#26452801)

      On the face of it, it sounds like he's proposing a "trusted" infection vector. A way to distributed code intended to patch holes to systems that want it. The obvious problem with such a system is the consequences of it being compromised. Then it becomes a way to distribute malicious code much more effectively than the way bot-nets infect new hosts now.

      You forget that the system is also leaking information about the traffic it is sending/receiving at the same time, and possibly internal state information (such as what applications are loaded, plugins, etc). That data in and of itself is valuable to an attacker, nevermind whether the vector can be protected or not... It opens up the possibility of discovering new vectors in ways maybe not possible remotely.

      • by redxxx ( 1194349 )

        Heck, the data is valuable to anyone with an interest in what people are doing online and how they are using the internet. I don't see any way the information sent out could be limited to the actions of malware, so the database could end up a nice target for commercial(marketing and whatnot) datamining.

        Sending out information which I don't control defeats half of the purpose behind why I run software firewalls.

    • Re:Not so fast... (Score:5, Insightful)

      by liquidpele ( 663430 ) on Wednesday January 14, 2009 @02:50PM (#26453037) Journal

      The obvious problem with such a system is the consequences of it being compromised.

      The non-obvious problems:
      1) People that don't keep automatic updates on aren't going to use this, so the same people that get infected today will continue to get infected.
      2) P2P systems like this are notoriously hard to keep poison data out of.

    • Re: (Score:2, Funny)

      You make it sound suspiciously like "Windows Update," which doesn't have these problems...oh wait....nevermind.

    • by jd ( 1658 )

      Maybe use a similar sort of system as a massively distributed active intrusion detection system. In "real life" (yeah, the outdoor thing), oak trees have chemicals in their leaves which sublime under normal atmospheric conditions. If the leaves are attacked by insects, the chemicals are released into the air and are picked up by nearby oaks. These respond by adding extra tannin in their own leaves. The practical upshot is that the heavier the insect attack, the more heavily protected the trees become, makin

      • by eonlabs ( 921625 )

        Which lends itself well to a self created DDOS attack. You get a system like that to respond to a normal packet from the net and all of a sudden the amount of processing power expended to analyze the packets increases in response, which leads to greater susceptibility to flooding the system with crap.

        • by jd ( 1658 )

          I can see that. You'd need very good thresholds to avoid trivially establishing a self-inflicted DDoS. According to the Byzantine General's Problem, in a system with N nodes, (N+1)/2) of those nodes -must- be trustable in order to detect a node that is not. Thus, it would be necessary to establish in advance that the sum total of all compromised nodes PLUS all nodes run with malicious intent PLUS all misconfigured nodes fell below the ((N-1)/2)-M threshold, where M is the number of nodes you expect to be fr

          • by beav007 ( 746004 )

            Using the castle wall analogy, the wall isn't intended to stop you from being attacked, it's intended to stop you from being swamped when you are attacked.

            Nonsense. I started constructing castle walls at the basement door with my peanut butter and jelly crusts last summer, and haven't been attacked even once!

            • by jd ( 1658 )

              Is that why you've been thrown into the closet by the marauding army ants?

    • Actually I can tell what it is, as one of the authors (& for those who don't feel the need to check the paper) -- no distribution of code, or patching systems, etc. It's a distributed anomaly detector, that meters connectivity for suspicious connections. -JMA
      • In other words it's a monitoring tool, nothing more. Useful, but also dangerous in the wrong hands. Would be difficult to scrub the data such that it doesn't violate privacy, but still provides enough info to be useful.

        It also wouldn't help against distributed C&C bot nets as those by definition don't have any one point of contact, but rather a great deal of contact among all the nodes. Without some sort of deeper inspection at both the data layer, and the application layer although this might catch s
        • Actually it would help detecting distributed attacks, since it is looking for a combination of small increments of traffic on numerous machines. Small, unreliable detections averaged over many machines equals a significant, reliable detection. This is having the law of large numbers on your side. Again, much of the work on distributed worm detection has been published, I recommend folks read it before spewing speculation. -JMA
    • by Ihmhi ( 1206036 )

      Has Windows Update ever been compromised? It's a tortuously slow system in a similar vein, but I can't recall ever reading about malware being distributed via Windows Update (unless you count WGA ^.~ )

  • Sooo... (Score:5, Insightful)

    by gblackwo ( 1087063 ) on Wednesday January 14, 2009 @02:19PM (#26452497) Homepage
    What is the zero-day defense protocol for the zero-day defense software?
    • It's not needed, because the zero-day defense software will be perfect - duh.

      You're obviously right on point. This is only a good idea, if the software was perfect. But we wouldn't need this "perfect" software, if software was perfect....and around and around we go.

      • It all comes down to GIGO. The software can only be as perfect as the person using it. Of course, the definition of perfect is also arbitrary and worse still, subjective.
  • by MrEricSir ( 398214 ) on Wednesday January 14, 2009 @02:20PM (#26452513) Homepage

    "I'm not pirating movies... I'm protecting the network!"

    • "I'm not pirating movies... I'm protecting the network!"

      Baws: "Yea, but who's paying for it?" Welcome to capitalism.

  • Cheap defense? (Score:2, Interesting)

    How about "disconnect it from the network."? That's the cheapest one I can think of.

    • by vux984 ( 928602 )

      How about "disconnect it from the network."? That's the cheapest one I can think of.

      Now, do you have any solutions to network security that, you know, actually let me use the network?

      You seem like the type that would propose shooting someone in the face is a good inexpensive way to ensure someone with cancer doesn't die of cancer, with the added benefit that they won't have to worry about their heart condition any more either.

      I sincerely hope you aren't a doctor.

  • Flimsy (Score:3, Insightful)

    by sean_nestor ( 781844 ) on Wednesday January 14, 2009 @02:31PM (#26452717) Homepage
    I can't think of any way this could fail gracefully. If this system was compromised, it'd be a powerful way to disrupt network traffic and take down important systems that happen to run it.

    "It depends on the number of events and the number of computers polled, but if there is a sufficient number of such samples, you can say with some degree of certainty that it is a worm,â Cheetancheri says. For that decision, the software uses a well-established statistical technique called sequential hypothesis testing, he says"

    I'm also skeptical that you could rely on a vast network of machines that have presumably fallen prey to an attack to share information between each other fast enough to correctly diagnose an attack with the kind of results the researcher seems hopeful of.

    Given that no method for correctly identifying "malicious" code 100% of the time currently exists, I don't think it's wise to allow a software program to run with the decision of shutting a machine down on notice of a perceived threat.

    The concept seems like an interesting idea, but I doubt It could be terribly effective in practice.

    • The response of the security bot-net is even worse. It's an algorithmic evaluation of cost tables.

      That cost-benefit analysis would be simple to carry out, but network executives would have to determine the monetary costs and enter them into the software configuration so it can do its calculations.

      End users would not program or modify the core detection engine. We don't want to have humans in the loop.

      So, it'll go something like this: The CEO/VP/Regional Manager is working on a contract bid that absol

      • by Chabo ( 880571 )
        My school's network actually worked somewhat like this. If "worm-like activity" was found, then it would kick you off the network automatically, and have you complete a checklist saying you'd performed a virus check, and things like that.

        If you were found to still be infected (usually because you lied about actually doing a virus check), you couldn't get back on without an IT rep checking your computer (usually within a few hours if you needed them to come to you; pretty good for a public school I thought
        • > But that's not an issue in an office environment.

          Tell that to the guy in the next cube. I believe he's running an internet business from there. (Honestly. I keep hearing him on the phone ... brokering the sale of horses. We manufacture electronics.)
  • The malware is so sophisticated nowadays, they evade detection from local monitors. Somehow getting more data from remote computers will help you detect the malware? Come on, Senthil it is not going to work.
  • Will never happen. (Score:5, Interesting)

    by girlintraining ( 1395911 ) on Wednesday January 14, 2009 @02:32PM (#26452723)

    Detecting anomalies requires a baseline of what "normal" is. That means surrendering information about the type and nature of traffic being received by your computer (and possibly sent as well). It's a privacy problem that not many people will commit to. And businesses will be even more reluctant to surrender such information. That said, an aggregate of several hundred thousand firewall logs would be an asset to many organizations and individuals. For this reason, it will never be free... The moment someone realizes there is a monentary value in what they're doing, they will attempt to capitalize on it. So, effectually, what this project is asking you to do is give them your private, personal data, so they can turn a buck under the pretense of fighting those big bad evil hackers. Isn't the market already pretty crowded with the fear-mongers, anti-virus, anti-malware, anti-anti-anti businesses?

    Also, this is not a defensive product. A defense requires the ability to resist or avoid an attack. Nothing about this scheme suggests it would provide that to the end-user. It is more of a "zero day surveillance" system than anything. It's a digital cow bell. Moo, ding ding, moo. The only problem is the cow moves at the speed of light and can replicate a few thousand times a second (conservatively). Don't ask about the milk. x_x

    • Re: (Score:1, Offtopic)

      by Shakrai ( 717556 )

      Don't ask about the milk. x_x

      Can you get it in skim? I gotta watch my geeky figure.....

    • >> Detecting anomalies requires a baseline of what "normal" is. Yes, and this is done by each machine, so there is no exchange of information particular to the machine. Pls read the paper. One of the authors -jma
  • Your typical problems with security programs are

    1) Blocking behavior which should be permitted and
    2) Not blocking behavior which should be forbidden.

    This adds the potential for

    3) Enabling behavior which should be forbidden.

    Is there one of those snarky standard forms for this?

  • I'm pretty sure we can modify some existing patents to apply to distributed firewalls.

    US Patent Application 20080250497 []: Statistical method and system for network anomaly detection

    "Whatever concept a person can think of, there will be a patent either active, being applied, or being prepared to include new concept." -- Troll


    There's also some other related studies.

    Modular Strategies for Internetwork Monitoring [], which "addresses the longstanding and difficult problem of detecting and classifying spatially

    • Actually...
      I did a provisional patent for a application I wrote in 2001 that, as best as i can tell from the article, was nearly the same.
      NACM. Network Active Countermeasures.
      I buried it, because it would have been too easy to use it as a censorship tool.
      If it is the same, I guess that would constitute prior art.

  • Just wait till that distributed firewall "decide" (bug, intrusion, feeding patterns, whatever) to block the port 80.
  • The summary is misleading in that this isn't proposed as a defense. This is an early-warning system for detecting compromised machines on a network.

    This isn't going to run on every computer in the world. Think of a corporate network with thousands of machines with fairly homogeneous usage. This could alert the sysadmin to a worm infection when the number of machines is numbered in the tens.

    And since all it's doing is monitoring it shouldn't present a security risk (if well designed) greater than any P2P client.

  • This already exists (Score:5, Informative)

    by charlesnw ( 843045 ) <> on Wednesday January 14, 2009 @02:55PM (#26453121) Homepage Journal
    It's called dshield: []
    • It's called dshield: []

      That was my first thought, although that may not be entirely accurate. As for dshield, noticed the other day there's what appears to be a new link on the Spamhaus [] page that reads

      Consumer Alerts
      Is your PC infected or part of a "botnet"?
      Check it Here

      Humorous aspects aside, it links to some sort of dshield copy-cat setup run by Never heard of them personally, but the more the merrier. A community-based effort to solve a community-wide pro

    • No its not dshield. It has nothing to do with sharing logs or firewalls. The concept is an entirely distributed anomaly detector. Please read the paper.
  • by Thaelon ( 250687 ) on Wednesday January 14, 2009 @03:05PM (#26453333)

    A Cheap, Distributed Zero-Day Defense?

    User education.

    • Re: (Score:3, Funny)

      by Lord Ender ( 156273 )

      I think you misread "Cheap, Distrubted Zero-Day Defense" as "expensive, ineffective, and slow defense."

  • I recently interviewed security researcher Michael Collins for Beautiful Teams [] (a book I'm finishing for O'Reilly) about work he'd done at CERT working on SiLK [], a collection of traffic analysis tools. From talking to him, it sounds like this is an enormously difficult problem to solve. His work involved modeling "normalcy" as a baseline to detect anomalies using an enormous amount of data spit out of edge routers. When I asked, "So your goal was to look at the data from routers, and just by looking at the g
    • One part of this is just the "it was in yesterday's activity log" test. If you have data from a period leading up to a problem, set-subtract the previous activity from the activity on the day of the crash to get just the new, unexpected activity. That's the material you should be looking at.

      For syslog, this can be implemented with an awk script: there's an example in "Sherlock Holmes on Log Files", at []


  • So where is the paper/thesis/documentation of any type whatsoever that describes their p2p solution?

    Collaborative p2p worm containment has been around for ever, what does Senthil Cheetancheri's proposal has to offer over previous work?

    a small subset of prior work that does exactly what the clueless article sais they do. [] []

    PS: I doubt Senthil's research reinvents the wheel but I would appreciate an actual link to his

  • *Puts on tinfoil hat*
  • Ken's OPERATOR Law

    There inany given population, in an effort to corrdinate, will have a given number of contrarians that for no purpose other then to avoiding conforming to the norm, will intentionally provide and contribute false information to the collective. This can be exhibited in the childrens game 'operator' starting with a message and retelling it down the line. While in small populations the deviation from the original message is minor. The larger the population, the larger the devation tends to ge

  • There is no defense against "zero day". The script kiddie misappropriation of warez d00d slang is now so embedded in the nomenclature that even legitimate security researchers are using it.

    • by Belial6 ( 794905 )
      That's what I was thinking. The first time I heard zero day was with the DirectTV attack on illegally hacked satellite boxes. The reason it was called zero-day was because DirectTV sent little pieces of code that didn't do anything malicious in small segments. This resulted in the hackers ignoring each little piece of code. After all, the code didn't do anything harmful. Then on Superbowl Sunday, when the absolute highest quantity of hacked boxes would be running, they sent the last little bit of code
      • It originally meant having a crack available to the copy protection of piece of software on the day of its release (the zero day, being more impressive than the day after, or three weeks later). The script kiddies started using it to refer to any type of exploit because it sounded cool, so it has now been rationalized to refer to an exploit for which there is no patch available, regardless of how long the software has been out or how long the exploited flaw has been known.

  • ...this is a great way to cause the opposite effect of a technological singularity [].

  • Knowing SonicWall, this will be a feature in next years product line - except it will only "work" between other SonicWall products. It won't actually do anything, but they'll claim that it does - yet they won't provide any technical details (let alone source code) on the inner workings.

    • Close... it will appear in the routers as an unlockable feature for an additional, annual license fee.

      sonicwall blows.

      • And when you get your annual renewal feature key - you'll go to type it in and submit it but it won't be able to authenticate the license key. So, you'll have to call SonicWall for a 100-character manual license key and sit on hold for forever listening to that damned SonicWall hold music.

        Now I've got it stuck in my head.

        Ta ta ta ta... ta ta ta ta... doo doo dee dooo dee doooo dee dooo... ta ta ta ta... ta ta ta ta... doo doo dee dooo dee doooo dee dooo... ta ta ta ta... ta ta ta ta...

  • There are a number of products that already do this. ACTNet [], which is part of ActiveScout, does something very similar to this. And it's patented.

    Attack information is uploaded to a central server from individual appliances. Appliances then check the central server for a list of "known attackers" and automatically blocks them if they attempt to access the protected network. The concept is similar to Realtime Blackhole lists for spammers.

  • You know this sound somewhat similar to the plan already devised that would fall foul of the law [] to remedy the Storm.
  • We all know that malware criminals and fraudsters are sociopaths.

    A risk of a peer-to-peer zero day malware shield (besides being cracked and exploited by criminals), is that it could turn out to be a success. As we saw with BlueFrog, a lot of criminals are completely morally bankrupt, and will do absolutely anything to preserve their illegal business models.

    BlueFrog was doomed because it was too effective and destroyed spammers' business models. So the criminals waged a massive campaign of harrassment and

  • I wrote something almost identical years ago, but couldn't since I'm not part of the security community it never really took off. Blacklists were The Thing at the time still... []

    The test bots are still running in Freenode #threatnet

  • This is like "FW Snort" except it is deployed to communicate to peers world wide where FW Snort only works on the LAN, but it is similar, maybe it would be a good place to start with this idea
  • This site has been blocked and the attempted access has been logged by the SonicWALL Content Filtering Service. []

    Reason for restriction: Forbidden Category "Adult Entertainment"

    Way to go, Cheetancheri.
  • How this system can protect against bad mouthing? For example a botnet can be used to distribute negative comments, evaluations about some security trusted web site or else. With the current size of botnets often more than tens of thousands of bots, it looks easy to launch a DoS attack on any web site out there. In an enterprise network the attacker can play its way to exclude all patch managing or admin systems from accessing the clients in the network and virtually forbid them managing the network!
  • What happens if N *compromised* computers start to send controversial information to the ones that represent real threats? Wouldn't it overcome/defeat the benefit this tool was intended to provide? Maybe too many false-positives?

Radioactive cats have 18 half-lives.