funsec mailing list archives

Re[2]: Some weekend entertainment


From: Pierre Vandevenne <pierre () datarescue com>
Date: Fri, 2 Dec 2005 21:19:58 +0100

Good Day,

See "an immune system for cyberspace" by Chess and Kephart.

http://www.research.ibm.com/antivirus/

Heavily "promoted" by IBM in the past, to the point of having its own
full article in Scientific American. Extremely weak on the biological
side: as I understand, from David Chess himself, IBM invited an
immunologist at IBM for a day or so, to explain to him how computer
viruses and anti-virus worked, and got some suggestions at the (very)
weak analogy level and a very basic understanding of biological immune
response. They coaxed the weak analogy into sellable, almost sci-fi
sounding prose and that story got much better publicity than a paper
titled "an automated analysis & response method almost practical for
certain cooperative types of malware". Since a-v labs around the world
were interested in our stuff and I was loosely associated with a-v
analysts and competing companies and since David Chess was a very nice
guy (and probably still is), saying blandly "what a truckload of
crapola that is" wasn't a good idea so I shut up but sniped on a few
occasions on alt.comp.virus, combining my then relatively fresh
medical knowledge with my virus analysis experience.

As far as I know the full system never led to any practical, workable
implementation of anything, except partially as an internal tool that
could help sort the false alerts from the "to be investigated" stuff
in the constant stream of trash a-v labs were constantly receiving.
Whether it beats checksumming of submitted suspect files or
packer/protection recognition was never publicly assessed, I believe.

Today, I'd try to judge those "immune response" type of things on
their technical merits alone, and try to avoid very much being
convinced by the immune system analogies.

Quoting from the paper

"The real trick is to make sure that the antiviral signature travels
faster through the Internet than the virus itself, so that whenever a
malicious program arrives it finds a sentinel blocking the way. "You
need to build extra links into the network that only the immune agent
can use," says Shir. "They're like wormholes through cyberspace."

(two very loaded analogies, no less "immune agent" and "wormholes"...)

IMHO, the real trick is to obtain reliable A-V signatures quickly
enough (wormholes can help there, keep reading). It is harder than
distributing it quickly. Once you see the speed at which some worms
"slam" the net (pun intended), you realize you either need

- a completely automated malware analysis and signature extraction
tool that responds in a matter of minutes, something that may be
possible for very simple, very obvious wormy stuff, but that is
clearly impossible in the general case... (and that leads us back to
the old IBM system)

or

- a large team of competent a-v analysts, available round the clock,
and constantly and reliably pushing sigs into the system. Since one
"only needs" about 800.000 honeypots, a good starting point would be
to convince all the a-v companies to team into a system that _could_
solve the problem that they are, in some ways, living off... Minor
task, I am sure.

And if you run the honeypots on your user base machines, in the
framework of a normal installation, you've opened a Sony BMG like can
of worms..... ;-)

<semi-joking mode>
Microsoft could probably actually put such a system into practice by
using, for the honey pots, beta testers or willing guinea pigs among
their OS user base (run this, get your OS and a couple of ringtones
for free) and by employing one half of the people an eventually free
OneCare service would put out of their job as analysts.
</semi-joking mode>

Then, of course, as it has just been said by others, when the mother
of all cyberspace immune systems is in place, the enemy will evolve
around it...

This thing touches a lot of hard topics:

- automatically deciding that a piece of code IS a worm, a virus, or
generally hostile preferably with a 100% specificity (no false
positive) and a very high sensitivity (few false negatives).

- then automatically finding a way to IDENTIFY it reliably.

- then automatically distributing the identification patterns where it
needs to be sent, before the epidemic does its damage.

The third point is the easiest one imho, and even easier if one uses
"wormholes" in the internet...

Ah, and while we are on the topic of overstretched, abused or raped
analogies, I have a better suggestion: we all know the basic
properties of those eminently practical "wormholes".

That's why I hereby propose the "ultimate immune system for
cyberspace". It is a system where a single malware analyst's mind,
possibly a guy condemned to an infinite number of life sentences for
illegally sharing music with an infinite number of people, is kept
alive, nanotechnologically imprinted into an IBM mainframe, and spends
his time analyzing each and every malware, or even program, for any
potentially bad signs. We don't even need a very good or dedicated
analyst, he could take years to analyze basic worms if he wanted
because, and here comes the real beauty of the system, once the sig is
obtained, it would be sent through a small wormhole, back to a time
slightly BEFORE the outbreak even begins.

Hmmmm, what the malware author does, if he also has access to wormhole
technology, is left as an exercise to the reader... ;-)

PS: I am a nice guy, I won't even patent the idea. That looks like a
nice project for the open source community, doesn't it?




Friday, December 2, 2005, 5:35:01 PM, you wrote:

VKve> On Fri, 02 Dec 2005 16:13:18 +0100, Peter Kruse said:
Model shows viruses can be beaten at their own game.
http://www.nature.com/news/2005/051128/full/051128-11.html

VKve> Of course, the reason we don't have a vaccine for the common cold is because
VKve> the damned thing mutates fairly regularly.

VKve> Polymorphic viruses, anybody? Oh wait... those are *so* last century. ;)



-- 
Best regards,
 Pierre                            mailto:pierre () datarescue com

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
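The race the post argues about (the signature has to outrun the worm, and extra links that only the immune agent can use change that race) as a small deterministic hop-by-hop simulation. This is an added example, not code from the post, from IBM or from the Nature model; the ring topology, the relay "wormhole" links from a signature server, and one-hop-per-step spread are constructed assumptions chosen so the analysis delay is the only variable.

```python
def build_network(n_hosts, degree, n_relays):
    """Constructed toy topology (assumption, not from the post): a ring
    lattice where each host talks to its `degree` nearest neighbours, plus
    `n_relays` dedicated "wormhole" links from the signature server to evenly
    spaced relay hosts. Only the signature may use the wormhole links."""
    links = {h: set() for h in range(n_hosts)}
    for h in range(n_hosts):
        for k in range(1, degree // 2 + 1):
            links[h].add((h + k) % n_hosts)
            links[(h + k) % n_hosts].add(h)
    server = n_hosts // 2
    spacing = n_hosts // n_relays
    relays = {spacing // 2 + i * spacing for i in range(n_relays)}
    wormholes = {h: set() for h in range(n_hosts)}
    for r in relays:
        wormholes[server].add(r)
        wormholes[r].add(server)
    return links, wormholes, server


def race(links, wormholes, seed_host, server, analysis_delay,
         use_wormholes, max_steps=200):
    """One step = one network hop. The worm starts at `seed_host` at step 0
    and infects every non-immune neighbour each step. The signature is
    released at `server` once analysis has taken `analysis_delay` steps,
    then spreads one hop per step, vaccinating clean hosts and cleaning
    infected ones. Returns how many hosts were ever infected."""
    infected, immune, ever = {seed_host}, set(), {seed_host}
    for t in range(max_steps):
        if t == analysis_delay:
            immune.add(server)
        if immune:  # signature distribution runs first in each step
            frontier = set()
            for h in immune:
                frontier |= links[h]
                if use_wormholes:
                    frontier |= wormholes[h]
            immune |= frontier
            infected -= immune
        new = set()  # worm reaches only hosts the signature has not
        for h in infected:
            new |= {v for v in links[h] if v not in immune and v not in infected}
        infected |= new
        ever |= new
        if not infected:
            break
    return len(ever)


def demo():
    """Hosts ever infected, (without wormholes, with wormholes), per delay."""
    links, wormholes, server = build_network(200, 4, 4)
    return {delay: (race(links, wormholes, 0, server, delay, False),
                    race(links, wormholes, 0, server, delay, True))
            for delay in (0, 10, 1000)}
```

With a 200-host ring the relay links cut the damage roughly fourfold at a given analysis delay, but a delay longer than the worm's own sweep of the network (1000 hops here) leaves every host infected either way, which is the post's point that obtaining the signature quickly matters more than shipping it quickly.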