ARCS Computerworld article

Ross Goeres
In case you missed the 08Jan07 Computerworld article:

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=277028

Computer Security: Adapt or Die
As security threats evolve, systems will have to become adaptive and resilient.
Gary Anthes
January 08, 2007 (Computerworld) -- Intel Corp. is developing a way for
networked computers to "gossip" among themselves, sharing their experiences and
"beliefs." The idea is to stay a step ahead of hackers.

For years, the backbone of computer security has been the use of tools, such as
firewalls and virus scanners, that base their actions on knowledge, or
"signatures," of past attacks. But this has two problems: The tools generally
don't recognize new threats, and they can't be updated rapidly enough to deal
with fast-spreading exploits.

The answer, IT researchers say, lies in new tools for "adaptive and resilient
computing security," the name of a recent workshop sponsored by the Santa Fe
Institute and BT Group PLC.

"Signature-based technology is limited," says Robert Ghanea-Hercock, a research
engineer at BT in London and the leader of the workshop. "For cutting-edge
day-to-day protection, you'll have to have adaptive things that monitor what's
happening on the network in real time."

That's just what Intel is developing. "Anomaly detectors" at local nodes on a
network look for evidence of worms, such as unusual spikes in activity. A
machine that normally makes just a few network connections per second might
suspect that something is amiss if it is suddenly instructed to make
connections at a higher rate. So, using a peer-to-peer "gossip" protocol, it
transmits to other machines its so-called belief, in the form of a probability,
that the network may be under attack. If the total number of beliefs that any
given machine receives from other nodes is high enough, it will assume that an
attack is under way and take some defensive action, such as sounding an alarm
or disconnecting from the network.

Intrusion-detection systems that look for anomalous behavior are not new. And
it's not hard to detect an intrusion by a fast-spreading worm such as the
infamous SQL Slammer, which infected more than 10,000 machines per second
(response is a different matter). But more recently, hackers have deliberately
slowed the spread of their malware so it will pass under the radar of
conventional detectors.

The era of massive, highly visible worm attacks has largely passed, says
Richard Ford, a computer science professor at the Florida Institute of
Technology in Melbourne.

"Now what we are seeing is that hackers keep exploits close to their chests and
use them for high-value targets," he says.

"That dramatically changes the threat profile."

The Intel prototype, called Distributed Detection and Inference (DDI), uses
Bayesian probability to detect these more stealthy worms. The idea is that if
just one node is seeing a big increase in connections, that could be a
temporary, random fluctuation, but 50 nodes experiencing even a modest increase
in traffic very likely means that the network is under attack and that a
protective response is warranted.

DDI's probabilistic thresholds can be adjusted to produce very few false
positives, which would annoy users by shutting down the network unnecessarily,
Intel researcher John Mark Agosta told workshop attendees.

"It's based on the law of large numbers," he says. "If I can average over a
large number of signals, I can pull out a weak signal from the noise."
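The fusion step the article describes (one node's spike is weak evidence, many nodes' modest increases add up) can be made concrete with a small belief-combination model. The following is an added illustration, not Intel's DDI code and not from the article: every node turns its own connection rate into a likelihood ratio, gossips the resulting probability, and a receiver combines what it hears by summing log-odds under a conditional-independence assumption. The baseline rate, prior, per-node evidence cap and alarm threshold are all constructed parameters chosen for the example.

```python
import math

# Constructed parameters (assumptions for this example, not figures from the
# article): a typical node makes about 3 outbound connections per second with a
# standard deviation of 1, and the network is a priori under attack 1% of the time.
BASELINE_RATE = 3.0
BASELINE_SD = 1.0
PRIOR_ATTACK = 0.01
# A single anomaly detector is noisy (legitimate bursts happen), so the evidence
# one node may contribute is capped at 10:1 no matter how large its spike is.
LR_CAP = 10.0
# Raising this trades detection delay for fewer false positives.
ALARM_THRESHOLD = 0.99


def prior_odds():
    return PRIOR_ATTACK / (1.0 - PRIOR_ATTACK)


def local_likelihood_ratio(observed_rate, k=0.25):
    """Evidence a node extracts from its own connection rate: how much more
    likely the observation is under 'attack' than under 'normal'. exp(k*z)
    grows smoothly with the z-score; traffic at or below baseline is neutral."""
    z = (observed_rate - BASELINE_RATE) / BASELINE_SD
    if z <= 0.0:
        return 1.0
    return min(math.exp(k * z), LR_CAP)


def local_belief(observed_rate):
    """The probability a node gossips to its peers: P(attack | its own traffic)."""
    odds = prior_odds() * local_likelihood_ratio(observed_rate)
    return odds / (1.0 + odds)


def fuse_beliefs(beliefs):
    """Receiver side. Each gossiped belief is converted back into the likelihood
    ratio that produced it (posterior odds / prior odds) and the ratios are
    multiplied, i.e. summed in log-odds space. Detectors are treated as
    conditionally independent given the attack/no-attack state, which is what
    lets many weak signals add up to a strong one."""
    log_prior = math.log(prior_odds())
    log_odds = log_prior
    for b in beliefs:
        b = min(max(b, 1e-12), 1.0 - 1e-12)  # keep the logit finite
        log_odds += math.log(b / (1.0 - b)) - log_prior
    # Logistic form avoids overflow when many nodes report strong evidence.
    return 1.0 / (1.0 + math.exp(-log_odds))


def network_decision(observed_rates):
    """One gossip round: every node computes and broadcasts its belief, and a
    receiving node fuses everything it heard. Returns (posterior, alarm)."""
    posterior = fuse_beliefs(local_belief(r) for r in observed_rates)
    return posterior, posterior >= ALARM_THRESHOLD


if __name__ == "__main__":
    # One node spiking from 3 to 30 connections/s, 49 quiet peers: no alarm.
    print(network_decision([30.0] + [3.0] * 49))
    # Fifty nodes each drifting from 3 to 4 connections/s: alarm.
    print(network_decision([4.0] * 50))
    # Five nodes at 4/s: not yet enough accumulated evidence.
    print(network_decision([4.0] * 5))
```

The cap on a single node's likelihood ratio is what encodes "one spike could be a random fluctuation": a lone machine at ten times its baseline only moves the posterior to about 9%, while fifty machines each one standard deviation above normal push it past 99.9%. In a real deployment the prior, the cap and the threshold would be fitted to measured traffic, and the independence assumption would need revisiting for nodes that share a cause of legitimate bursts, such as a scheduled backup.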

Technodiversity

False positives, which can inconvenience users and sometimes lead them to
ignore warnings, and false negatives are the chief weakness of adaptive
detection mechanisms and the reason they are often difficult to implement,
Ghanea-Hercock says.

[sidebar]
Security Challenges
- Increased complexity
- Increased connectivity
- Increased sophistication of hackers and tools, as hackers adopt targeted,
stealthy, hard-to-detect methods
- Changing motives: hacking for money, not fun
- Security that's often limited to perimeter defense
- Too much reliance on user actions (passwords, patches, etc.)
- Security tools that are mostly reactive (against known viruses, etc.)
- Security tools that focus on individual nodes, not the network

Source: Sanjay Goel, SUNY Albany; Adaptive and Resilient Computer Security
Workshop 2006, Santa Fe Institute
[\sidebar]

Nevertheless, adaptive security measures are beginning to creep into the
commercial world, he says.

For example, Microsoft Corp.'s Windows Vista has a feature called Address Space
Layout Randomization that makes it harder for malware to find the code it wants
to attack. ASLR puts certain critical code into different memory locations each
time the machine boots up so that, in essence, every computer looks different
to an attacker.

ASLR is an example of a principle computer scientists have borrowed from
biology: Systems, of organisms or computers, are more robust when diverse. A
population is most vulnerable to catastrophic failure when it is genetically
homogeneous.

A network could be made more secure by making it more diverse (mixing Macs
with PCs, or rolling out different versions of software, for example), but the
trend is in the opposite direction, toward standardization. And with sameness
comes exposure to risk, say the proponents of adaptive security methods.

While the research projects presented at the workshop dealt mostly with ways to
make systems adaptive and resilient, Ford presented an idea for making users
more adaptive. The idea is based on the observation that occasional small
forest fires, which may scorch trees but not kill them, are beneficial because
they remove combustible material before so much accumulates that the forest is
vulnerable to a devastating inferno.

Ford has proposed that low-level virus or worm infections could be used to
strengthen systems against catastrophic failures. In many biological systems,
regular, moderate disruptions lead to rich diversity and, hence, resilience, he
observes. Computer systems, in contrast, tend to be very brittle.

So Ford has suggested virtual "controlled burns," deliberate releases of
nonvirulent worms onto the Internet. They would force administrators to
strengthen and update their protective measures while doing far less damage
than a malicious worm.

"The technical issues are dwarfed by the ethical and legal issues," Ford says
of his proposal. "Nobody is publicly touching it with a 10-foot pole.

"I'm not suggesting we go out tomorrow and do it," he adds. "But we need to
look at novel solutions, because what we are currently doing, long-term, isn't
going to work."

["Deriving evidence from gossip" figure is at:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=277028&pageNumber=3
]
