An Immune System For The Internet?

from the until-it-gets-infected,-of-course dept

We’ve talked about the problems with many anti-virus solutions today that rely on a fingerprint of the virus that then gets sent out to client applications on a regular basis. It’s a reactive approach that is often too late — especially as new viruses are created and spread faster than ever. Another approach to fighting viruses is behavioral, where the anti-virus software tries to recognize actions commonly associated with viruses, and block them off. This has problems also, in that plenty of legitimate products may also take similar actions, and the new scam will be tricking people into “accepting” malicious software by having it piggyback on something legitimate. However, if the behavioral products are on the network, some can be decent at spotting threats — but still they face the problem of distributing the protective code out to other machines fast enough. The infections move just as fast, if not faster, and they have a head start. So, some researchers have tried to attack the second part of that problem, and devised a system of honeypots that could be outfitted with the behavioral software. The trick, though, is that those honeypots would also be connected to each other “via a dedicated and secure network.” Think of the dedicated network as a shortcut to all the important hubs. Thus, once one honeypot machine discovers a virus and cures it, it can widely distribute the cure very quickly. The researchers mathematically show that it would beat the virus to most machines — and it gets even better as the network gets larger. Of course, even ignoring the questions about just how well this behavioral software can recognize a virus and create the “cure” code, it seems the bigger issue is how can you really keep that separate dedicated network secure? Wouldn’t that be the immediate target of the determined hacker? They’d all want to figure out how to hijack that network to spread their viruses even faster.

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “An Immune System For The Internet?”

Subscribe: RSS Leave a comment
anon says:

No Subject Given

Having a virtualized “honeypot” with write protection software such as Drive Shield, Clean Slate, or others and a simulated network connection could do the trick. This would allow a full compromise of the “honeypot” without actually affecting the physical machine. It would also allow for analysis of both the virus infection and the associated exploits, providing a more in-depth knowledge of the attack.

Lynx says:

Bad very bad idea

I like the idea of the Internet having some sort of immune system but like any immune system its purpose is to weed out the bad. As a computer doesn’t know what the bad is how can it distinguish from the good software and bad software. Whats not to say that it notices a program to configure the Honey Pot to write a virus? Or even write a program to prevent people from accessing their own computers?
I think this is a very very bad idea.
If done properly can render viruses useless. A system to detect viruses and distribute vaccines to uninfected systems can be handy.

melancolico catrin (user link) says:


If some viruses can disable other viruses to suit their needs, why the hell has no one made a “white T cell” virus that just stomps on other viruses when encountered and release it in the wild? Or are we waiting for 27th century Borg technology? What’s the deal?
Hold on, some tall guy is at the door, he says he’s from the future and he’s here to kill me…

honeypot squirrel says:

Why not have an effort to "uninfect" or stop attac

Why not try to diagnose any attack from any IP? If you are getting attacked, you could look at the IP and if it were not from a DNS you wanted to block out, or a range you knew (from a large scan of attacking IP ranges kept and exchanged) was safe, then you could launch your own attack on the “attacker” and perhaps install your own exploit to neutralize it.

This would work for at least the people who directly connect to the net, but not for trojan affected PC’s, but I imagine there would be some reduction if this worked.

Trojans affected PC’s might be behind firewalls, and therefor launching the attacks on you with no reverse course to take.

However it seems logical that if the systems were breached once, why not do it twice, or at least try as a way to reduce the “bot” armies

Ivan Sick says:

Reactive or proactive virus scanner?

Rather than looking at the behavior of a program to guess whether it’s a virus (or in addition to that), why not look at the user’s behavior? “Has the mouse been moving and have any programs or files been opened or scrolled in the past x minutes? No? Then I will not allow this program to install or download.”
The scanner should also recognize human patterns, accuracy, and activities, and be able to distinguish between those and a spoof.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...