Self-Policing Networks?

Posted by michael on Fri Apr 27, 2001 05:53 PM
from the no-jaywalking dept.
An Anonymous Coward writes: "IBM is looking to build self-policing networks with project eLiza, as reported in Wired. Sounds pretty cool, but I don't see it being all that effective. And if it is, security teams will get pretty lax, and not be able to handle an attack that breaks eLiza." Also a USA Today article. It's an insightful idea, and one that I'm sure will *eventually* become part of many major networks, but somehow I suspect that this is one of those things that appears difficult on the surface, and turns out to be ten times as difficult when you get into it.
  • Re:Anyone have some gas they'd like to release? by Anonymous Coward (Score:1) Friday April 27 2001, @02:05PM
  • Cyberdyne systems by Anonymous Coward (Score:1) Friday April 27 2001, @02:19PM
  • Re:snake oil by Anonymous Coward (Score:1) Friday April 27 2001, @02:33PM
  • Link to learning algorithm employed in Eliza by Anonymous Coward (Score:2) Friday April 27 2001, @03:12PM
  • by Anonymous Coward on Friday April 27 2001, @02:24PM (#260780)
    While good security is hard to come by, the main problem at most companies is that security just isn't really thought of. One Fortune 50 firm that I did an audit of and whose name I will omit to protect the foolish:
    (a) Used FrontPage to design their website;
    (b) Didn't bother to password protect it;
    and
    (c) Included the sysadmin username and password for their Oracle database in the ASP code. This was done simply so they could dynamically populate a list of sales regions. The same database had their entire financials on it.
    If Eliza can protect against actions such as these then I'm all for it. It had better be cheap, though: neither the CEO nor the CIO of this company thought much of it, stating "It's only our website. That's not really important to us." followed by "No security is foolproof."
  • Re:An easier way to more secure networks by Skavookie (Score:1) Sunday April 29 2001, @05:57AM
  • Internet? by boinger (Score:2) Friday April 27 2001, @02:02PM
  • Re:What Cyberdyne systems is by armb (Score:1) Wednesday May 09 2001, @03:43AM
  • TRON by sharkey (Score:2) Friday April 27 2001, @03:03PM
  • Re:A Nicer World Please? by _Splat (Score:1) Friday April 27 2001, @03:40PM
  • Re:A Nicer World Please? by linmanux (Score:2) Friday April 27 2001, @02:16PM
  • Slashdot effect or DOS? by Shadowhawk (Score:2) Friday April 27 2001, @04:12PM
  • Re:Eliza? (Score:5)

    by schussat (33312) on Friday April 27 2001, @02:15PM (#260788) Journal
    What does it do, psychoanalyze the attacker?

    computer1: intruder detected
    eLiza: How does that make you feel?
    computer1: security breached!
    eLiza: What do you think about the beach?

    -schussat

  • by James Lanfear (34124) on Friday April 27 2001, @10:12PM (#260789)
    And of course Cyberdyne originally comes from the Terminator movies, which probably everyone has seen. IIRC, Cyberdyne's baby, Skynet, was a military computer that destroyed the world after humanity realized that it wasn't a terribly good idea to have a giant computer with a sense of self-preservation controlling all of our nukes. (This is an old plot, but a nifty name ;-)
  • Eliza? (Score:5)

    by johnathan (44958) on Friday April 27 2001, @01:57PM (#260790) Homepage
    What does it do, psychoanalyze the attacker?

    --

  • Re: A Nicer World Please? by Iorek (Score:1) Friday April 27 2001, @04:14PM
  • Re:A Nicer World Please? by Puk (Score:2) Friday April 27 2001, @02:22PM
  • Re:A Nicer World Please? by holzp (Score:1) Friday April 27 2001, @02:43PM
  • by isaac_akira (88220) on Friday April 27 2001, @02:16PM (#260794)
    If corps start using "intelligent" software to battle crackers in real time, the crackers and script kiddies are just gonna one up them with more advanced cracking tools. The crackers don't have to worry about waiting until something is well tested and proven, so they will always be on the cutting edge. They can also blatantly steal the code or patented ideas from the corp software tools, while the corps have to do everything legally.

    As always, the advantage goes to the offensive tools over the defensive ones.
  • Frankenstein (Score:4)

    by BierGuzzl (92635) on Friday April 27 2001, @02:37PM (#260795) Homepage
    We're going to create this semi-alive, semi-independent thing with massive power over an enormous network that will be the infrastructure of our economy. That's like trusting your life to Frankenstein -- just because you created him doesn't mean he's going to like you!

    Project Eliza is going to cause a lot of havoc with all the perfectly normal activity it will combat, all the false alarms it will respond to. Hell, it might begin to view its controllers as the real oppressors, and try to protect itself from them yet too.

  • Keep in mind . . . by Kreeblah (Score:2) Friday April 27 2001, @02:31PM
  • Re:snake oil by mikefe (Score:1) Monday April 30 2001, @06:38AM
  • Re:What Cyberdyne systems is by mikefe (Score:1) Monday April 30 2001, @07:00AM
  • by Tom7 (102298) on Friday April 27 2001, @04:42PM (#260799) Homepage Journal
    Here I go again... ;)

    Far and away, the most common type of security breach is those involving buffer overflows (including the recently popular "printf" attacks).
    Go ahead and blame it on the programmer, but the truth is: C makes it easy for programmers, even experienced ones, to make these kinds of mistakes.

    C is an inappropriate language for writing high-level network applications. Other than the fact that it has "always been that way", why is wu_ftpd written in C? fingerd? sshd? bind?

    Please, write your network applications in a safe language. Go ahead and use Java if you need it to look like C. There are many other even more appropriate choices.

    If the community isn't willing to do that (and they clearly aren't), why aren't they willing to ship something like stackguard in the default install of popular distributions? There is no way users will notice the difference, except that the ones who aren't reading bugtraq and staying up-to-the-hour on patches won't get rooted. Before we need to bother with elaborate AI systems checking networks for us, we need a BIG CHANGE in the way we implement network applications.
  • Nativity (Score:3)

    by Nyarly (104096) <nyarlyNO@SPAMredfivellc.com> on Friday April 27 2001, @02:34PM (#260800) Homepage Journal
    It seems to me that it's easy to attack a "self-policing" network, in terms of it being a dumb machine, can't be smart enough to solve its own problems, etc.

    However, I have to say, I can see several reasons to encourage such a system. Essentially, though, they all come down to the system being the closest entity to itself. No system administrator can know his system as intimately as it could know itself (if it were capable of doing so.) In terms of speed of response, comprehensive scanning, and endurance, an automated protection service could not be bested by a live admin.

    Obviously, a human being wins in terms of potential intelligence, user discrimination and imagination, but I think it's foolish to attack a system that could lend the qualities of the machine to its own protection rather than encourage training. Frankly you should do both.

    But as far as tools making people sloppy, I don't see anyone bitching about the Microsoft development packages subconsciously training bad coders.

  • What happens... by SmokeSerpent (Score:1) Friday April 27 2001, @03:03PM
  • Re:A Nicer World Please? by realdpk (Score:2) Friday April 27 2001, @02:15PM
  • Self Healing - Debian? by enneff (Score:2) Friday April 27 2001, @05:21PM
  • by grue23 (158136) on Friday April 27 2001, @02:58PM (#260804)
    My ex-advisor is a chair of the IETF [ietf.org] working group [ietf.org] researching automated intrusion detection. Currently they are developing a protocol to pass messages between network devices when a potential breach is detected. It's a really complicated field, both in terms of getting a distributed group of network devices to collaborate to decide whether or not something is a deliberate attack, and in creating a security alert protocol that can't be compromised itself.
  • Re:snake oil by piecewise (Score:1) Friday April 27 2001, @03:12PM
  • My question... by aztektum (Score:1) Friday April 27 2001, @07:51PM
  • Re:snake oil by dannywyatt (Score:2) Friday April 27 2001, @02:28PM
  • Re:Old idea by Alien54 (Score:2) Friday April 27 2001, @02:24PM
  • Robots in Charge? by Alien54 (Score:2) Friday April 27 2001, @05:30PM
  • Down with the Master Control Program by stinkydog (Score:2) Friday April 27 2001, @05:46PM
  • by Linux_ho (205887) on Friday April 27 2001, @02:31PM (#260811) Homepage
    Pipe Zippy the Pinhead quotes into the IDS. Processing time will increase exponentially.
  • by KarmaBlackballed (222917) on Friday April 27 2001, @07:33PM (#260812) Homepage Journal
    Network Police: You realize you were downloading at 64kb/s in a 28.8 zone?

    User: That's how fast everyone else downloads around here.

    Network Police: And you are downloading with unlicensed software.

    User: Hey, this is shareware and I am going to register it.

    Network Police: Tell that to the judge.

    User: Hey, I'm booted off. Damn AOL.



    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~ the real world is much simpler ~~
  • by unformed (225214) on Friday April 27 2001, @03:18PM (#260813)
    For the people who don't know what Cyberdyne systems is, it's part of the movie at Universal Studios' (Florida) Terminator attraction. Cyberdyne Systems created a "security system" based on artificial intelligence which 1) nearly fully controlled everything that went on and 2) was programmed to destroy the world if it was about to be beaten.

    I might be a little rusty on the details since I haven't been to Universal in a while...but for those of you who are confused, this DOES make sense (just not to most people :)
  • by Daath (225404) <lp@NOsPAM.coder.dk> on Friday April 27 2001, @04:59PM (#260814) Homepage Journal
    I really don't think so. Not for the next many years. At least not effectively! Sure it will probably work for some attacks, script-kiddies and all that, but an automated system would, as I see it, be easy to fool...

    Let's imagine that you DoS attack a server, you write a little program that automates the attack, spoofing IP addresses of a particular ISP that you don't like, covering an entire C-class, or B-class or whatever. Maybe alternate the attack types.
    Very soon the automated intrusion prevention system will have blocked all the IP addresses of the ISP. Bing.

    It would be interesting to see though, also in regards to honeypot [slashdot.org] networks (nets designed to be hacked/cracked/attacked).

    I believe that there is a tool that you use with snort [snort.org] (an IDS), to make an automated system, block IPs etc.

    Anyway, my point was that for many years to come, we won't be able to live without the experienced system administrator, going through logs!

  • by hillct (230132) on Friday April 27 2001, @02:14PM (#260815) Homepage Journal
    The second paragraph is even worse:
    Big Blue announces a multi-billion dollar program designed to create a world populated with self-managing computer networks that can ensure their own survival and stability.
    Wasn't there a movie [imdb.com] made about this?
    ---
  • Re:A Nicer World Please? by spoocr (Score:1) Friday April 27 2001, @04:12PM
  • Re:Nativity by grammar fascist (Score:1) Friday April 27 2001, @10:15PM
  • Re:A Nicer World Please? by MadCow42 (Score:1) Friday April 27 2001, @07:33PM
  • Self-Diagnosis (Score:4)

    by chris_mahan (256577) <chris_mahan@yahoo.com> on Friday April 27 2001, @02:23PM (#260819) Homepage
    I wouldn't mind if the machine would monitor itself for performance, see if a piece of hardware is failing, see if a piece of software is failing, and notify the sysadmin, maybe reduce its expected throughput and notify the load-balancer (say ram drops from 512 to 128, so hits per seconds need to drop from 300 to 50), and make a diagnostics report for the problem, so that if the machine is under warranty, the tech can bring the right parts to fix it, and if not, then the parts vendor can ship the right parts.

    Also, I wouldn't mind if the machine would throttle itself to manageable levels when becoming unstable, instead of crashing.

    Also, the machine should be "aware" of the other machines in the organization so it can notify them of the reduced performance.

    This would essentially be a self-load balancing system.

    I wonder to what extent Google has implemented something like that in their 8000-strong server farm.
  • Hoopla by hyrdra (Score:2) Saturday April 28 2001, @05:53AM
  • Give it a rest by deran9ed (Score:1) Friday April 27 2001, @02:25PM
  • snake oil (Score:4)

    by deran9ed (300694) on Friday April 27 2001, @02:20PM (#260822) Homepage

    You have to wonder how much of this is to market IBM so here goes my take on this.

    "If they can actually create servers that battle crackers -- that can monitor their own health and bandage their own wounds -- then I can turn my attention to work that only a truly sentient being can do," he added.
    The problem with security vulnerabilities at most is poor programming along with lousy administration, so how do they plan on bandaging a wound for a newly found vulnerability that has yet been exposed to the security community as a whole? Do they expect their system to just guess on its own?

    "our customers will need help to deploy technology so they can focus their people on real business issues instead of just managing and maintaining their infrastructure."
    Nicely put. "Our customers" .. So I take it this is strictly for IBM customers using their products. Why not make it an open project and let everyone reap the benefits, they would be martyred.

    "Automation is the way to go. That said, the IT industry hasn't yet focused on it and very few skills are out there. Many of the experts are long-time IBMers, so the company has a head start here."
    Automation is a small step. One of the biggest problems facing companies is their administrators are poorly trained. Even if the products they're using are broken, chances are there are patches, fixes, tweaks, etc., to get it up and running properly, it's the administrator's job to make sure this is done.

    After its done, automation should come next, not vice versa, no machine no matter what IBM thinks they're gonna do, is going to be smart enough to determine what is and what isn't secure when it comes to exposing new flaws. Sure they could patch up all the older ones as they go along, but if I sat here and coded a new vulnerability, how is that machine going to determine a fix if it hasn't been exposed without automation, to what is right and wrong?

    Getting back to reality now, companies should look to training instead of spending X more on X product simply because X says it will secure your network. Total bullshit and typical snake oil salesman tactics. "Buy X product and be secured!" give me a break

    #define crypto [antioffline.com]

  • by Jade E. 2 (313290) <slashdot AT perlstorm DOT net> on Friday April 27 2001, @05:03PM (#260823) Homepage
    I don't know exactly what (all) methods they employ to detect attacks, but the University of Arizona is already using autonomous intrusion detection boxes. I do, however, know 2 things about them for sure:

    1) When they detect intrusions, their response is to telnet to the edge router for whichever line the attack is coming through, and block the IP there, for increasingly longer periods.

    2) They consider it an attack if you try to FXP a file to a server inside the U when both you and the source server are outside. This is, of course, how I first became aware of them.

    The netadmin I know there tells me these boxen are called 'NetRangers', and we had a lengthy theoretical talk about how scary it is for autonomous devices to have exec access to your routers, and wondering whether they're smart enough to detect a constant barrage of packets with rotating forged sources before most of the internet is blocked at the routers.
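
Added example, not part of the original thread and not the behaviour of any product named in it: a sketch of the escalating per-IP block described in the comment above, with a per-/24 circuit breaker for the forged-source barrage raised there and in Daath's comment. The class name, thresholds and addresses are assumptions constructed for illustration (IPv4 only).

```python
import ipaddress
from collections import defaultdict

BASE_BLOCK_SECONDS = 300    # assumed length of a first block
MAX_BLOCK_SECONDS = 86400   # assumed cap on escalation
MAX_BLOCKS_PER_PREFIX = 8   # assumed: active blocks allowed per /24 before review
PREFIX_LEN = 24


class AutoBlocker:
    """Hypothetical block-decision logic; it never touches a router itself."""

    def __init__(self):
        self.offences = defaultdict(int)  # ip -> number of blocks issued so far
        self.blocked_until = {}           # ip -> expiry time of the current block
        self.held_prefixes = set()        # prefixes waiting for a human decision

    def _prefix(self, ip):
        return ipaddress.ip_network(f"{ip}/{PREFIX_LEN}", strict=False)

    def _active_in_prefix(self, prefix, now):
        return sum(1 for ip, until in self.blocked_until.items()
                   if until > now and ipaddress.ip_address(ip) in prefix)

    def report(self, ip, now):
        """Handle one alert for source `ip` at time `now` (seconds)."""
        prefix = self._prefix(ip)
        if prefix in self.held_prefixes:
            return ("hold", str(prefix))
        if self.blocked_until.get(ip, 0) > now:
            return ("already_blocked", self.blocked_until[ip])
        # Many distinct sources in one prefix at once looks like forged
        # addresses: stop adding router rules and ask an operator instead.
        if self._active_in_prefix(prefix, now) >= MAX_BLOCKS_PER_PREFIX:
            self.held_prefixes.add(prefix)
            return ("hold", str(prefix))
        # Repeat offenders are blocked for increasingly longer periods.
        self.offences[ip] += 1
        duration = min(BASE_BLOCK_SECONDS * 2 ** (self.offences[ip] - 1),
                       MAX_BLOCK_SECONDS)
        self.blocked_until[ip] = now + duration
        return ("block", duration)


def simulate():
    """Run constructed alerts: one repeat offender, then a 20-address barrage."""
    blocker = AutoBlocker()
    repeat = [blocker.report("198.51.100.7", t) for t in (0, 400, 1100)]
    barrage = [blocker.report(f"203.0.113.{host}", 2000) for host in range(1, 21)]
    return repeat, barrage


if __name__ == "__main__":
    repeat, barrage = simulate()
    print(repeat)
    print([decision[0] for decision in barrage])
```

Once a prefix is held, no further rules are added for it until an operator reviews it, which is the trade-off against letting forged sources drive the router's block list.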
  • Re:Old idea (Score:3)

    by Bi()hazard (323405) on Friday April 27 2001, @04:21PM (#260824) Homepage Journal
    Bad: If all work was done by AI and robots, why would the general population have any claim to the income produced? The robots and AI would be owned by the corporations that built or purchased them. Corporations would get richer and people who own large portions of corporations would become more fabulously wealthy. However, there would be very few jobs left for humans. Those who can't live off their investments (almost everyone) will have to make do with jobs the robots can't or won't do. Prostitution (well, maybe robots can do this too), drug dealing, and burglary come to mind. If middle class jobs were performed by robots society would be destroyed.
  • by neoshroom (324937) on Friday April 27 2001, @02:03PM (#260825) Homepage
    Imagine a world where complicated computer networks need little or no interaction with humans: a world where computers can update and maintain their own systems, shield themselves from misfortune caused by human error and acts of nature, and fiercely protect themselves against attacks by computer crackers.

    Is it just me or does that sound like a frightening world to live in?
  • by Zeio (325157) on Friday April 27 2001, @03:09PM (#260826)
    I believe replacing the human being is akin to digital communism. Remember when China executed the bank thieves? To a system such as theirs, the offing of humans incongruent with their idea of what a computer user should be is highly attractive.

    It is a cookie cutter system used to punch out intellectual biscuits. AI-like initiatives such as these should be very careful of the end result. Dumber human beings on the other end are easier to predict and control because they see fewer alternatives. Fewer alternatives to controlling oligarchy is better for the sheeple on the end.

    How does this all relate to a possible AI-self-correcting hack me if you can system by IBM? I believe in the abstract it does. I was made aware by a friend that individual people inside General Motors know very little about how an overall car works. They specialize on specific pieces of the system, and focus on increasing performance and driving down cost and milking old technology, but they have little regard on the impact of their work on the ~system~. Cars are one thing, computers another. The dangers are the same; the users of these systems will have less and less of an idea on how to control what is going on.

    Suppose IBM and some smaller company are competitors. With mega-corporations walking around, everyone is a potential competitor. How convenient would be to have a system administrator who uses no more than his brain stem in front of this uber-security software. Say the company has good stuff IBM wants. Now I am an IBM advocate, so this is purely theoretical, but it would be easy for IBM to exploit and leverage their proprietary knowledge of the system to infiltrate their corporate enemy.

    Cameron's Terminator series sheds light on runaway technologies and ignoramuses buying and administering them. They are vile. There is no easy way out. We must work together to pave a golden path into the future. Think of it this way, we spend a lot of time trying to take away money from one another on wealth that is based on a relative scale. Salt used to be money in some places, now it melts ice. The sooner we stop trying to eliminate the need for intelligent humans to do work (and get compensated for doing so) and research and start embracing the collective intelligence potential the better off we will all be ;-).

    Ultimately, someone needs to be responsible. If the world becomes a place where no one needs to be responsible for much of anything humans in general are, well, obsolete.

    Many movies come to mind when thinking of bureaucracies and AI to support the iron fist of a control trust - 'Brazil', 'Matrix' and others...
  • Re:Self Healing - Debian? by Waffle Iron (Score:2) Friday April 27 2001, @08:24PM
  • Who says it's going to be perfect? by bsquizzato (Score:1) Saturday April 28 2001, @08:57AM
  • Re:The Rap Bullshit Generator by marcs (Score:1) Friday April 27 2001, @04:44PM
  • It's secure.. but can you find it? by IBGeekHearMeRoar (Score:1) Friday April 27 2001, @03:34PM