An Immune System For The Internet?

from the until-it-gets-infected,-of-course dept

We've talked about the problems with many anti-virus solutions today that rely on a fingerprint of the virus that then gets sent out to client applications on a regular basis. It's a reactive approach that is often too late -- especially as new viruses are created and spread faster than ever. Another approach to fighting viruses is behavioral, where the anti-virus software tries to recognize actions commonly associated with viruses and block them. This has problems as well, in that plenty of legitimate products may take similar actions, and the new scam will be tricking people into "accepting" malicious software by having it piggyback on something legitimate. However, if the behavioral products are on the network, some can be decent at spotting threats -- but they still face the problem of distributing the protective code out to other machines fast enough. The infections move just as fast, if not faster, and they have a head start. So, some researchers have tried to attack the second part of that problem, and devised a system of honeypots that could be outfitted with the behavioral software. The trick, though, is that those honeypots would also be connected to each other "via a dedicated and secure network." Think of the dedicated network as a shortcut to all the important hubs. Thus, once one honeypot machine discovers a virus and cures it, it can distribute the cure very widely and very quickly. The researchers mathematically show that it would beat the virus to most machines -- and it gets even better as the network gets larger. Of course, even ignoring the questions about just how well this behavioral software can recognize a virus and create the "cure" code, the bigger issue seems to be how you can really keep that separate dedicated network secure. Wouldn't that be the immediate target of the determined hacker? They'd all want to figure out how to hijack that network to spread their viruses even faster.
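To make the "race" in that summary concrete, here is a toy simulation added for this write-up; it is not the researchers' model and not code from the paper or from Techdirt. It assumes a simple host graph (a path or a square grid), a worm that spreads one hop per step, and honeypots that, the moment one of them is infected, all become immune in the same step over the dedicated network and then push the cure one hop per step. Ties within a step go to the worm, so the defender's numbers are conservative. The metric is how many hosts were infected at any point. All names, graph shapes, and honeypot placements below are constructed for the example.

```python
"""Toy race between a spreading worm and a honeypot-distributed cure.

Assumed model (a deliberate simplification, not the researchers' model):
- Hosts form an undirected graph; the worm spreads one hop per step.
- Some hosts are honeypots. The first time any honeypot is infected it
  detects the worm, and over the dedicated network every honeypot becomes
  immune in that same step.
- Immune hosts push the cure one hop per step; the cure vaccinates
  susceptible neighbours and disinfects infected ones.
- The worm moves before the cure within a step, so ties go to the worm.
Metric: number of hosts that were infected at any point ("ever infected").
"""
from collections import defaultdict


def path_graph(n):
    """Hosts 0..n-1 in a line, each linked to its neighbours (constructed)."""
    g = defaultdict(set)
    for i in range(n - 1):
        g[i].add(i + 1)
        g[i + 1].add(i)
    return dict(g)


def grid_graph(n):
    """n x n lattice of hosts keyed by (row, col), 4-connected (constructed)."""
    g = defaultdict(set)
    for r in range(n):
        for c in range(n):
            for dr, dc in ((1, 0), (0, 1)):
                nr, nc = r + dr, c + dc
                if nr < n and nc < n:
                    g[(r, c)].add((nr, nc))
                    g[(nr, nc)].add((r, c))
    return dict(g)


def simulate(graph, source, honeypots):
    """Run the worm-vs-cure race to completion and return summary counts."""
    nodes = set(graph)
    honeypots = set(honeypots) & nodes
    infected = {source}
    immune = set()
    ever_infected = {source}
    # Hard cap on steps: infection and cure each need at most |V| hops.
    for _ in range(2 * len(nodes) + 2):
        # 1. worm spreads one hop to susceptible neighbours
        new_inf = {v for u in infected for v in graph[u]
                   if v not in infected and v not in immune}
        infected |= new_inf
        ever_infected |= new_inf
        # 2. honeypot detection: the cure reaches every honeypot at once
        detected = bool(infected & honeypots)
        if detected:
            immune |= honeypots
            infected -= honeypots
        # 3. cure spreads one hop, vaccinating and disinfecting
        new_imm = {v for u in immune for v in graph[u] if v not in immune}
        immune |= new_imm
        infected -= new_imm
        if not (new_inf or new_imm or detected):
            break  # steady state: nothing left to spread either way
    return {"hosts": len(nodes),
            "ever_infected": len(ever_infected),
            "immune": len(immune)}


if __name__ == "__main__":
    # Honeypots in three corners plus the centre; worm starts at (0, 0).
    for n in (6, 12, 24):
        hp = {(0, n - 1), (n - 1, 0), (n - 1, n - 1), (n // 2, n // 2)}
        r = simulate(grid_graph(n), (0, 0), hp)
        print(f"{n}x{n} grid: {r['ever_infected']}/{r['hosts']} hosts ever infected")
```

Running it shows the effect of the dedicated network directly: on a five-host path with honeypots at hosts 2 and 4, host 4 is immune two steps before the worm could have reached it, so only three hosts are ever infected, whereas a lone honeypot at host 4 detects the worm only after every host is already infected. The grid loop in `main` lets you vary the size and honeypot placement and watch the infected fraction for yourself; the script makes no claim about the researchers' actual results.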

Reader Comments

  • anon, 2 Dec 2005 @ 4:01am

    No Subject Given

    Having a virtualized "honeypot" with write protection software such as Drive Shield, Clean Slate, or others and a simulated network connection could do the trick. This would allow a full compromise of the "honeypot" without actually affecting the physical machine. It would also allow for analysis of both the virus infection and the associated exploits, providing a more in-depth knowledge of the attack.


  • pmtracker, 2 Dec 2005 @ 4:57am

    AI based virus detector

    There is a possibility for integrating Artificial Intelligent Signature with virus detection systems for detecting malicious patterns in the program execution. Not sure about the extent of feasibility. - pmtracker http://pmtracker.siteburg.com


  • Lynx, 2 Dec 2005 @ 6:20am

    Bad very bad idea

    I like the idea of the Internet having some sort of immune system, but like any immune system its purpose is to weed out the bad. As a computer doesn't know what the bad is, how can it distinguish good software from bad software? What's to say it won't notice a program configuring the honeypot to write a virus? Or even write a program to prevent people from accessing their own computers?
    I think this is a very very bad idea.
    ALTHOUGH
    If done properly can render viruses useless. A system to detect viruses and distribute vaccines to uninfected systems can be handy.


  • TravisOwens, 2 Dec 2005 @ 7:07am

    No Subject Given

    One word... SkyNet


  • bmac (profile), 2 Dec 2005 @ 7:14am

    Anyone ever heard of IPS?

    You may remember Zotob from several weeks ago. Although Microsoft didn't have a patch, and anti-virus vendors didn't have a signature on day zero, our Intrusion Prevention System had the checks for the exploit 6 months in advance of the virus, resulting in ZERO infections to our company.


  • melancolico catrin, 2 Dec 2005 @ 7:43am

    Techno-Darwinism

    If some viruses can disable other viruses to suit their needs, why the hell has no one made a "white T cell" virus that just stomps on other viruses when encountered and release it in the wild? Or are we waiting for 27th century Borg technology? What's the deal?
    Hold on, some tall guy is at the door, he says he's from the future and he's here to kill me...


  • Mauls Things, 2 Dec 2005 @ 7:54am

    No Subject Given

    Honeypots are rather easy to bypass.


  • Justin Shattuck, 2 Dec 2005 @ 9:58am

    Bait and Switch

    The good ole bait and switch routine would work. I have a honeynet that I used with b&s, and it works well for keeping up with the script kiddies out there. I have a small solution for auto-generating Snort signatures to throw onto test development IDS sensors; eventually I might go production.. bah, doubt it :(


  • honeypot squirrel, 2 Dec 2005 @ 10:34am

    Why not have an effort to "uninfect" or stop attac

    Why not try to diagnose any attack from any IP? If you are getting attacked, you could look at the IP and if it were not from a DNS you wanted to block out, or a range you knew (from a large scan of attacking IP ranges kept and exchanged) was safe, then you could launch your own attack on the "attacker" and perhaps install your own exploit to neutralize it.

    This would work for at least the people who directly connect to the net, but not for trojan-affected PCs, but I imagine there would be some reduction if this worked.

    Trojan-affected PCs might be behind firewalls, and therefore launching the attacks on you with no reverse course to take.

    However, it seems logical that if the systems were breached once, why not do it twice, or at least try, as a way to reduce the "bot" armies.


  • Ivan Sick, 3 Dec 2005 @ 12:39pm

    Reactive or proactive virus scanner?

    Rather than looking at the behavior of a program to guess whether it's a virus (or in addition to that), why not look at the user's behavior? "Has the mouse been moving and have any programs or files been opened or scrolled in the past x minutes? No? Then I will not allow this program to install or download."
    The scanner should also recognize human patterns, accuracy, and activities, and be able to distinguish between those and a spoof.
