funsec mailing list archives
Re[2]: Some weekend entertainment
From: Pierre Vandevenne <pierre () datarescue com>
Date: Fri, 2 Dec 2005 21:19:58 +0100
Good Day,

See "An Immune System for Cyberspace" by Chess and Kephart: http://www.research.ibm.com/antivirus/

Heavily "promoted" by IBM in the past, to the point of having its own full article in Scientific American. Extremely weak on the biological side: as I understand it, from David Chess himself, IBM invited an immunologist to IBM for a day or so, to explain to him how computer viruses and anti-virus worked, and got some suggestions at the (very) weak analogy level and a very basic understanding of the biological immune response. They coaxed the weak analogy into sellable, almost sci-fi sounding prose, and that story got much better publicity than a paper titled "An automated analysis & response method almost practical for certain cooperative types of malware".

Since a-v labs around the world were interested in our stuff and I was loosely associated with a-v analysts and competing companies, and since David Chess was a very nice guy (and probably still is), saying blandly "what a truckload of crapola that is" wasn't a good idea, so I shut up but sniped on a few occasions on alt.comp.virus, combining my then relatively fresh medical knowledge with my virus analysis experience.

As far as I know the full system never led to any practical, workable implementation of anything, except partially as an internal tool that could help sort the false alerts from the "to be investigated" stuff in the constant stream of trash a-v labs were receiving. Whether it beats checksumming of submitted suspect files or packer/protection recognition was never publicly assessed, I believe.

Today, I'd try to judge those "immune response" types of things on their technical merits alone, and try very much to avoid being convinced by the immune system analogies.

Quoting from the paper:

"The real trick is to make sure that the antiviral signature travels faster through the Internet than the virus itself, so that whenever a malicious program arrives it finds a sentinel blocking the way. "You need to build extra links into the network that only the immune agent can use," says Shir. "They're like wormholes through cyberspace."

(two very loaded analogies, no less: "immune agent" and "wormholes"...)

IMHO, the real trick is to obtain reliable A-V signatures quickly enough. (Wormholes can help there, keep reading.) It is harder than distributing them quickly. Once you see the speed at which some worms "slam" the net (pun intended), you realize you either need

- a completely automated malware analysis and signature extraction tool that responds in a matter of minutes, something that may be possible for very simple, very obvious wormy stuff, but that is clearly impossible in the general case... (and that leads us back to the old IBM system)

or

- a large team of competent a-v analysts, available round the clock, and constantly and reliably pushing sigs into the system.

Since one "only needs" about 800,000 honeypots, a good starting point would be to convince all the a-v companies to team up into a system that _could_ solve the problem that they are, in some ways, living off... Minor task, I am sure. And if you run the honeypots on your user base's machines, in the framework of a normal installation, you've opened a Sony BMG-like can of worms..... ;-)

<semi-joking mode>
Microsoft could probably actually put such a system into practice by using, for the honeypots, beta testers or willing guinea pigs among their OS user base (run this, get your OS and a couple of ringtones for free), and by employing one half of the people an eventually free OneCare service would put out of their jobs as analysts.
</semi-joking mode>

Then, of course, as has just been said by others, when the mother of all cyberspace immune systems is in place, the enemy will evolve around it...

This thing touches a lot of hard topics:

- automatically deciding that a piece of code IS a worm, a virus, or generally hostile, preferably with 100% specificity (no false positives) and a very high sensitivity (few false negatives).
- then automatically finding a way to IDENTIFY it reliably.
- then automatically distributing the identification patterns where they need to be sent, before the epidemic does its damage.

The third point is the easiest one imho, and even easier if one uses "wormholes" in the internet...

Ah, and while we are on the topic of overstretched, abused or raped analogies, I have a better suggestion: we all know the basic properties of those eminently practical "wormholes". That's why I hereby propose the "ultimate immune system for cyberspace". It is a system where a single malware analyst's mind, possibly a guy condemned to an infinite number of life sentences for illegally sharing music with an infinite number of people, is kept alive, nanotechnologically imprinted into an IBM mainframe, and spends his time analyzing each and every malware, or even program, for any potentially bad signs. We don't even need a very good or dedicated analyst; he could take years to analyze basic worms if he wanted because, and here comes the real beauty of the system, once the sig is obtained, it would be sent through a small wormhole, back to a time slightly BEFORE the outbreak even begins.

Hmmmm, what the malware author does, if he also has access to wormhole technology, is left as an exercise to the reader... ;-)

PS: I am a nice guy, I won't even patent the idea. That looks like a nice project for the open source community, doesn't it?

Friday, December 2, 2005, 5:35:01 PM, you wrote:

VKve> On Fri, 02 Dec 2005 16:13:18 +0100, Peter Kruse said:
VKve> > Model shows viruses can be beaten at their own game.
VKve> > http://www.nature.com/news/2005/051128/full/051128-11.html
VKve>
VKve> Of course, the reason we don't have a vaccine for the common cold is because
VKve> the damned thing mutates fairly regularly.
VKve>
VKve> Polymorphic viruses, anybody? Oh wait... those are *so* last century. ;)

--
Best regards,
Pierre
mailto:pierre () datarescue com

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.