Japan Says No To iPod Tax >>
<< 20th Century Fox Pretends The Competition...
 tdicon 


(Mis)Uses of Technology

by Mike Masnick

Fri, Dec 2nd 2005 2:48am





An Immune System For The Internet?

from the until-it-gets-infected,-of-course dept

We've talked about the problems with many anti-virus solutions today that rely on a fingerprint of the virus that then gets sent out to client applications on a regular basis. It's a reactive approach that is often too late -- especially as new viruses are created and spread faster than ever. Another approach to fighting viruses is behavioral, where the anti-virus software tries to recognize actions commonly associated with viruses, and block them off. This has problems also, in that plenty of legitimate products may also take similar actions, and the new scam will be tricking people into "accepting" malicious software by having it piggyback on something legitimate. However, if the behavioral products are on the network, some can be decent at spotting threats -- but still they face the problem of distributing the protective code out to other machines fast enough. The infections move just as fast, if not faster, and they have a head start. So, some researchers have tried to attack the second part of that problem, and devised a system of honeypots that could be outfitted with the behavioral software. The trick, though, is that those honeypots would also be connected to each other "via a dedicated and secure network." Think of the dedicated network as a shortcut to all the important hubs. Thus, once one honeypot machine discovers a virus and cures it, it can widely distribute the cure very quickly. The researchers mathematically show that it would beat the virus to most machines -- and it gets even better as the network gets larger. Of course, even ignoring the questions about just how well this behavioral software can recognize a virus and create the "cure" code, it seems the bigger issue is how can you really keep that separate dedicated network secure? Wouldn't that be the immediate target of the determined hacker? They'd all want to figure out how to hijack that network to spread their viruses even faster.

10 Comments | Leave a Comment..


If you liked this post, you may also be interested in...
 

Reader Comments (rss)

(Flattened / Threaded)

  1.  

    No Subject Given

    identicon
    anon, Dec 2nd, 2005 @ 4:01am

    Having a virtualized "honeypot" with write protection software such as Drive Shield, Clean Slate, or others and a simulated network connection could do the trick. This would allow a full compromise of the "honeypot" without actually affecting the physical machine. It would also allow for analysis of both the virus infection and the associated exploits, providing a more in-depth knowledge of the attack.

    reply to this | link to this | view in thread ]

  2.  

    AI based virus detector

    identicon
    pmtracker, Dec 2nd, 2005 @ 4:57am

    There is a possibility for integrating Artificial Intelligent Signature with virus detection systems for detecting malicious patterns in the program execution. Not sure about the extent of feasibility. - pmtracker http://pmtracker.siteburg.com

    reply to this | link to this | view in thread ]

  3.  

    Bad very bad idea

    identicon
    Lynx, Dec 2nd, 2005 @ 6:20am

    I like the idea of the Internet having some sort of immune system but like any immune system its purpose is to weed out the bad. As a computer doesn't know what the bad is how can it distinguish from the good software and bad software. Whats not to say that it notices a program to configure the Honey Pot to write a virus? Or even write a program to prevent people from accessing their own computers?
    I think this is a very very bad idea.
    ALTHOUGH
    If done properly can render viruses useless. A system to detect viruses and distribute vaccines to uninfected systems can be handy.

    reply to this | link to this | view in thread ]

  4.  

    No Subject Given

    identicon
    TravisOwens, Dec 2nd, 2005 @ 7:07am

    One word... SkyNet

    reply to this | link to this | view in thread ]

  5.  

    Anyone ever heard of IPS?

    icon
    bmac (profile), Dec 2nd, 2005 @ 7:14am

    You may remember Zotob from several weeks ago. Although Microsoft didn't have a patch, and anti-virus vendors didn't have a signature on day zero, our Intrusion Prevention System had the checks for the exploit 6 months in advance of the virus, resulting in ZERO infections to our company.

    reply to this | link to this | view in thread ]

  6.  

    Techno-Darwinism

    identicon
    melancolico catrin, Dec 2nd, 2005 @ 7:43am

    If some viruses can disable other viruses to suit their needs, why the hell has no one made a "white T cell" virus that just stomps on other viruses when encountered and release it in the wild? Or are we waiting for 27th century Borg technology? What's the deal?
    Hold on, some tall guy is at the door, he says he's from the future and he's here to kill me...

    reply to this | link to this | view in thread ]

  7.  

    No Subject Given

    identicon
    Mauls Things, Dec 2nd, 2005 @ 7:54am

    honeypots are rather easy to bypass.

    reply to this | link to this | view in thread ]

  8.  

    Bait and Switch

    identicon
    Justin Shattuck, Dec 2nd, 2005 @ 9:58am

    The good ole bait and switch routine would work, I have a honey net that I used with b&s and it works well for keeping up with the script kiddies out there. I have a small solution for auto generating snort signatures to throw onto test development IDS sensors, eventually I might go production.. bah doubt it :(

    reply to this | link to this | view in thread ]

  9.  

    Why not have an effort to "uninfect" or stop attac

    identicon
    honeypot squirrel, Dec 2nd, 2005 @ 10:34am

    Why not try to diagnose any attack from any IP? If you are getting attacked, you could look at the IP and if it were not from a DNS you wanted to block out, or a range you knew (from a large scan of attacking IP ranges kept and exchanged) was safe, then you could launch your own attack on the "attacker" and perhaps install your own exploit to neutralize it.

    This would work for at least the people who directly connect to the net, but not for trojan affected PC's, but I imagine there would be some reduction if this worked.

    Trojans affected PC's might be behind firewalls, and therefor launching the attacks on you with no reverse course to take.

    However it seems logical that if the systems were breached once, why not do it twice, or at least try as a way to reduce the "bot" armies

    reply to this | link to this | view in thread ]

  10.  

    Reactive or proactive virus scanner?

    identicon
    Ivan Sick, Dec 3rd, 2005 @ 12:39pm

    Rather than looking at the behavior of a program to guess whether it's a virus (or in addition to that), why not look at the user's behavior? "Has the mouse been moving and have any programs or files been opened or scrolled in the past x minutes? No? Then I will not allow this program to install or download."
    The scanner should also recognize human patterns, accuracy, and activities, and be able to distinguish between those and a spoof.

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>


Japan Says No To iPod Tax >>
<< 20th Century Fox Pretends The Competition...
 tdicon 

A word from our Sponsors...
Follow Techdirt
Flattr rss rss

Powered by Postrank

From the Techdirt Archive...
A word from our Sponsors...

Close

Email This