Pledge aside, it would be nice if the set of Google folks who signed up would start submitting some more of their work for publication.
:) I understand that publication record doesn't count much internally at Google (unlike in more traditional corporate labs.).
arXiv holds pre-prints, and several fields, including some CS research, not only Physics uses the service. It doesn't count as publication in the academic world, since papers are not reviewed, so the entire edifice by which scholars get credit for their work doesn't apply. The open access movement, on the other hand, does apply to publications that count toward a scholar's reviewed work. Physics as a field, incidentally, is one of the more hide-bound in terms of adopting new publication schemes.
Mtn. Vw's neighboring town, Palo Alto installed a fiber loop abt 10 yrs ago that sadly remains largely dark, except for several proximate firms that have rented access from the city. For instance, Facebook hdquarters had a tap installed when they moved. I don't think Google can follow, since it isn't sitting near the Palo Alto loop anywhere, however.
Actually it would help detecting distributed attacks, since it is looking for a combination of small increments of traffic on numerous machines. Small, unreliable detections averaged over many machines equals a significant, reliable detection. This is having the law of large numbers on your side. Again, much of the work on distributed worm detection has been published, I recommend folks read it before spewing speculation. -JMA
Yes, I'll agree the article isn't revealing. The difference between our work and "Autograph" type approaches that WormShield builds on is that we are doing traffic anomaly detection and these more involved approaches attempt to automatically build a signature. The paper is available (only, sigh) from Springer, in "Recent Advances in Intrusion Detection 11th International Symposium", RAID 2008, Cambridge, MA, USA. -JMA
No its not dshield. It has nothing to do with sharing logs or firewalls. The concept is an entirely distributed anomaly detector. Please read the paper.
>> Detecting anomalies requires a baseline of what "normal" is. Yes, and this is done by each machine, so there is no exchange of information particular to the machine. Pls read the paper. One of the authors -jma
Actually I can tell what it is, as one of the authors (& for those who don't feel the need to check the paper) -- no distribution of code, or patching systems, etc. It's a distributed anomaly detector, that meters connectivity for suspicious connections. -JMA