Monday, January 8, 2007

Computer Security: Adapt or Die

Computer Security: Adapt or Die

Gary Anthes

January 08, 2007 (Computerworld) Intel Corp. is developing a way for networked computers to “gossip” among themselves, sharing their experiences and “beliefs.” The idea is to stay a step ahead of hackers.

For years, the backbone of computer security has been the use of tools, such as firewalls and virus scanners, that base their actions on knowledge, or “signatures,” of past attacks. But this has two problems: The tools generally don’t recognize new threats, and they can’t be updated rapidly enough to deal with fast-spreading exploits.

The answer, IT researchers say, lies in new tools for “adaptive and resilient computing security,” the name of a recent workshop sponsored by the Santa Fe Institute and BT Group PLC.

“Signature-based technology is limited,” says Robert Ghanea-Hercock, a research engineer at BT in London and the leader of the workshop. “For cutting-edge day-to-day protection, you’ll have to have adaptive things that monitor what’s happening on the network in real time.”

That’s just what Intel is developing. “Anomaly detectors” at local nodes on a network look for evidence of worms, such as unusual spikes in activity. A machine that normally makes just a few network connections per second might suspect that something is amiss if it is suddenly instructed to make connections at a higher rate. So, using a peer-to-peer “gossip” protocol, it transmits to other machines its so-called belief, in the form of a probability, that the network may be under attack. If the total number of beliefs that any given machine receives from other nodes is high enough, it will assume that an attack is under way and take some defensive action, such as sounding an alarm or disconnecting from the network.

Intrusion-detection systems that look for anomalous behavior are not new. And it’s not hard to detect an intrusion by a fast-spreading worm such as the infamous SQL Slammer, which infected more than 10,000 machines per second (response is a different matter). But more recently, hackers have deliberately slowed the spread of their malware so it will pass under the radar of conventional detectors.

The era of massive, highly visible worm attacks has largely passed, says Richard Ford, a computer science professor at the Florida Institute of Technology in Melbourne.

“Now what we are seeing is that hackers keep exploits close to their chests and use them for high-value targets,” he says. “That dramatically changes the threat profile.”

The Intel prototype, called Distributed Detection and Inference (DDI), uses Bayesian probability to detect these more stealthy worms. The idea is that if just one node is seeing a big increase in connections, that could be a temporary, random fluctuation, but 50 nodes experiencing even a modest increase in traffic very likely means that the network is under attack and that a protective response is warranted.

DDI’s probabilistic thresholds can be adjusted to produce very few false positives, which would annoy users by shutting down the network unnecessarily, Intel researcher John Mark Agosta told workshop attendees.

“It’s based on the law of large numbers,” he says. “If I can average over a large number of signals, I can pull out a weak signal from the noise.”

Technodiversity

False positives, which can inconvenience users and sometimes lead them to ignore warnings, and false negatives are the chief weakness of adaptive detection mechanisms and the reason they are often difficult to implement, Ghanea-Hercock says.

Nevertheless, adaptive security measures are beginning to creep into the commercial world, he says. For example, Microsoft Corp.’s Windows Vista has a feature called Address Space Layout Randomization that makes it harder for malware to find the code it wants to attack. ASLR puts certain critical code into different memory locations each time the machine boots up so that, in essence, every computer looks different to an attacker.

ASLR is an example of a principle computer scientists have borrowed from biology: Systems — of organisms or computers — are more robust when diverse. A population is most vulnerable to catastrophic failure when it is genetically homogeneous.

A network could be made more secure by making it more diverse — mixing Macs with PCs, or rolling out different versions of software, for example — but the trend is in the opposite direction, toward standardization. And with sameness comes exposure to risk, say the proponents of adaptive security methods.

While the research projects presented at the workshop dealt mostly with ways to make systems adaptive and resilient, Ford presented an idea for making users more adaptive. The idea is based on the observation that occasional small forest fires, which may scorch trees but not kill them, are beneficial because they remove combustible material before so much accumulates that the forest is vulnerable to a devastating inferno.

Ford has proposed that low-level virus or worm infections could be used to strengthen systems against catastrophic failures. In many biological systems, regular, moderate disruptions lead to rich diversity and, hence, resilience, he observes. Computer systems, in contrast, tend to be very brittle.

So Ford has suggested virtual “controlled burns,” deliberate releases of nonvirulent worms onto the Internet. They would force administrators to strengthen and update their protective measures while doing far less damage than a malicious worm.

“The technical issues are dwarfed by the ethical and legal issues,” Ford says of his proposal. “Nobody is publicly touching it with a 10-foot pole.

“I’m not suggesting we go out tomorrow and do it,” he adds. “But we need to look at novel solutions, because what we are currently doing, long-term, isn’t going to work.”

Made4biz Security Translating real-world security knowhow into state of the art security systems.
Made4biz Security

Turn on Sound for Demos:
Bill Gates Demo (Location-based)
Elvis Demo (Location/Context-based)
Clint Eastwood Demo (Temporal-based)

Powered by Blogger

Subscribe to
Posts [Atom]

Technorati Profile

RSS Syndication

Made4Biz Security Inc