How to immunize your computer

[Menydh]

How to immunize your computer

Model shows viruses can be beaten at their own game.

Nature
December 1, 2005

Malicious computer viruses could be stopped in their tracks by immunity software that spreads faster than the virus itself, says a team of computer experts from Israel.

Their proposal relies on setting up a network of shortcuts through the Internet that only antiviral programs can use, allowing them to immunize computers before a virus arrives.

Eran Shir of Tel Aviv University began thinking about the problem when the infamous Blaster worm spread across the Internet in 2003. "It really got me annoyed," he recalls. "Conventional antivirus software just couldn't keep up with its spread."

Antivirus software aims to stop attacks on healthy computers, and to clean up those already infected. Teams work around the clock to look for new viruses and build software 'patches'. These patches are distributed to computer users to install on their machines, hopefully before the virus arrives. But the strategy means that some viruses stay one step ahead for days, wreaking havoc as they spread.

"The software companies just regard the Internet as a sophisticated FedEx service," Shir says. "Our focus is to immunize the whole network, not to clean individual computers or fix what is already broken." This means using the malicious code's own techniques to distribute immunity.

Honeypots and wormholes

Shir and his colleagues propose a system in which a few 'honeypot' computers lie in wait for viruses. These computers run automated software that first identifies the virus, and then sends out its 'signature' across the Internet. This enables a sentinel program on all the other computers in the network to identify the virus and bar it before it can attack them.

The real trick is to make sure that the antiviral signature travels faster through the Internet than the virus itself, so that whenever a malicious program arrives it finds a sentinel blocking the way. "You need to build extra links into the network that only the immune agent can use," says Shir. "They're like wormholes through cyberspace."

These wormholes would form a parallel network connecting the honeypot computers. Assuming that the shortcuts can be set up and made secure, the antiviral signature should be able to stay one step ahead.

The team's simulations show that surprisingly few honeypots are needed to protect large networks. There are roughly 200 million computers in the United States; just 800,000 of them acting as honeypots would restrict a viral outbreak to 2,000 machines.

"And as the network grows, the same proportion of honeypots, around 0.4%, gives you even better protection," says Shir. He and his team present their proposal in this month's edition of Nature Physics1.

Building the matrix

It's an intriguing plan, but would it work? "That's the million-dollar question," says Alessandro Vespignani, an informatics expert from Indiana University in Bloomington.

"All the ingredients are already there, or could be worked out in a short time," Vespigiani says. He says that some company intranets already run programs that automatically detect the arrival of a new virus, and the architecture of the Internet is sufficiently well understood to position the honeypot computers strategically.

However, he points out that someone would still need to run the honeypot computers, and it is not clear how to secure the wormholes so that only antiviral agents can use them. "These virus writers are smart guys, and they could find a way to attack the parallel network itself," he cautions.

Shir does not have any plans to commercialize the idea. He hopes that people will realize the scheme in an open-source project, freely available to all computer users who want to get involved. "But even if a company takes the idea and makes it happen, we'd all have a better defence against viruses," he says.


[source]

[Siegmund]

Quote:

Originally Posted by Mynydd

Quote:

This idea reminds me of something that is currently underway on many of the toll highways in the US: the government has created sensors at discrete intervals that read a device in one's car that is linked indirectly to one's bank account, deducting the amount of the toll automatically rather than having the motorist stop his or her car to pay it manually.

How convenient! Simply wonderful... until one realizes that the government has also installed cameras to photograph the license plates of all cars that pass through the automated area without a valid device. In such an event, a photo is taken, and an invoice for a fine is mailed to the driver's address of record.

Hmmm. Still not so bad... until one realizes that the next phase of this project will be to control speeding by photographing the license plates of offending motorists, and mailing an invoice for a fine to the driver's address of record.

Ah, now it's become a major nuisance. Virtually no one drives at the impossibly low speed limits in force on most of the toll roads. And not just a nuisance, but a potential financial and legal burden on oneself and one's family.

And then one discovers the true purpose/potential of this system of monitoring devices and cameras: to track and control the population in whatever way the government decides will serve the "national interest" in the future. And so, at the end of it, this seemingly benign and civic-minded project represents a horrifying threat to personal freedom.

The reason this scenario came to mind in the context of this news article is the parallel between the two in terms of ostensible vs. true intent. In principle, there would be nothing to prevent governments from using these cyber "wormholes" and "honeypots" for purposes other than protecting computer users from viruses. A little imagination, and the possibilities are endless. For just one example, how about systematic global mapping, tracking and eventual control of people who use the internet to discuss politicallly incorrect notions of ethno-cultural freedom and preservation?

[Menydh]

Yes, what you depict is a most likely scenario.

By the way, a honeypot is only a computer system which replicates a real production system, sitting in between the network and the internet with the object of being attacked. A honeypot will be configured with a series of sensor systems installed for intrusion detection, and to record every move from intruders inside the system.

You can set up one yourself on a different computer (or even the same computer). For Unix systems, honeyd is an excellent choice.

In itself the concept is excellent, and serves to identify the attacks and the attackers, and to protect the network. It is a passive system, not meant to counter-attack or to send anything over the internet. But as with everything else, I suppose that it can be twisted to serve different goals.