RSS
Twitter
An Immune System For The Internet?
from the until-it-gets-infected,-of-course dept
We've talked about the problems with many anti-virus solutions today that rely on a fingerprint of the virus that then gets sent out to client applications on a regular basis. It's a reactive approach that is often too late -- especially as new viruses are created and spread faster than ever. Another approach to fighting viruses is behavioral, where the anti-virus software tries to recognize actions commonly associated with viruses, and block them off. This has problems also, in that plenty of legitimate products may also take similar actions, and the new scam will be tricking people into "accepting" malicious software by having it piggyback on something legitimate. However, if the behavioral products are on the network, some can be decent at spotting threats -- but still they face the problem of distributing the protective code out to other machines fast enough. The infections move just as fast, if not faster, and they have a head start. So, some researchers have tried to attack the second part of that problem, and devised a system of honeypots that could be outfitted with the behavioral software. The trick, though, is that those honeypots would also be connected to each other "via a dedicated and secure network." Think of the dedicated network as a shortcut to all the important hubs. Thus, once one honeypot machine discovers a virus and cures it, it can widely distribute the cure very quickly. The researchers mathematically show that it would beat the virus to most machines -- and it gets even better as the network gets larger. Of course, even ignoring the questions about just how well this behavioral software can recognize a virus and create the "cure" code, it seems the bigger issue is how can you really keep that separate dedicated network secure? Wouldn't that be the immediate target of the determined hacker? They'd all want to figure out how to hijack that network to spread their viruses even faster.
Reader Comments
(Flattened / Threaded)
No Subject Given
Having a virtualized "honeypot" with write protection software such as Drive Shield, Clean Slate, or others and a simulated network connection could do the trick. This would allow a full compromise of the "honeypot" without actually affecting the physical machine. It would also allow for analysis of both the virus infection and the associated exploits, providing a more in-depth knowledge of the attack.
(reply to this comment) (link to this comment)
AI based virus detector
There is a possibility for integrating Artificial Intelligent Signature with virus detection systems for detecting malicious patterns in the program execution. Not sure about the extent of feasibility. - pmtracker http://pmtracker.siteburg.com
(reply to this comment) (link to this comment)
Bad very bad idea
I like the idea of the Internet having some sort of immune system but like any immune system its purpose is to weed out the bad. As a computer doesn't know what the bad is how can it distinguish from the good software and bad software. Whats not to say that it notices a program to configure the Honey Pot to write a virus? Or even write a program to prevent people from accessing their own computers?
I think this is a very very bad idea.
ALTHOUGH
If done properly can render viruses useless. A system to detect viruses and distribute vaccines to uninfected systems can be handy.
(reply to this comment) (link to this comment)
No Subject Given
One word... SkyNet
(reply to this comment) (link to this comment)
Anyone ever heard of IPS?
You may remember Zotob from several weeks ago. Although Microsoft didn't have a patch, and anti-virus vendors didn't have a signature on day zero, our Intrusion Prevention System had the checks for the exploit 6 months in advance of the virus, resulting in ZERO infections to our company.
(reply to this comment) (link to this comment)
Techno-Darwinism
If some viruses can disable other viruses to suit their needs, why the hell has no one made a "white T cell" virus that just stomps on other viruses when encountered and release it in the wild? Or are we waiting for 27th century Borg technology? What's the deal?
Hold on, some tall guy is at the door, he says he's from the future and he's here to kill me...
(reply to this comment) (link to this comment)
No Subject Given
honeypots are rather easy to bypass.
(reply to this comment) (link to this comment)
Bait and Switch
The good ole bait and switch routine would work, I have a honey net that I used with b&s and it works well for keeping up with the script kiddies out there. I have a small solution for auto generating snort signatures to throw onto test development IDS sensors, eventually I might go production.. bah doubt it :(
(reply to this comment) (link to this comment)
Why not have an effort to "uninfect" or stop attac
Why not try to diagnose any attack from any IP? If you are getting attacked, you could look at the IP and if it were not from a DNS you wanted to block out, or a range you knew (from a large scan of attacking IP ranges kept and exchanged) was safe, then you could launch your own attack on the "attacker" and perhaps install your own exploit to neutralize it.
This would work for at least the people who directly connect to the net, but not for trojan affected PC's, but I imagine there would be some reduction if this worked.
Trojans affected PC's might be behind firewalls, and therefor launching the attacks on you with no reverse course to take.
However it seems logical that if the systems were breached once, why not do it twice, or at least try as a way to reduce the "bot" armies
(reply to this comment) (link to this comment)
Reactive or proactive virus scanner?
Rather than looking at the behavior of a program to guess whether it's a virus (or in addition to that), why not look at the user's behavior? "Has the mouse been moving and have any programs or files been opened or scrolled in the past x minutes? No? Then I will not allow this program to install or download."
The scanner should also recognize human patterns, accuracy, and activities, and be able to distinguish between those and a spoof.
(reply to this comment) (link to this comment)
Add Your Comment