
New Peer-to-Peer Anomaly Detection Tools: Hmmmm…..

January 23rd, 2009

So once in a RARE while, I actually get something useful from the massive numbers of trade mags that show up at my house. You know, the ones you can get for free by saying that you’re an executive with a $100 million budget? 🙂

Network World tipped me off in the “GoodBadUgly” section to a new research project at the University of California at Davis. It uses peer-to-peer technology to detect anomalous behavior on systems, correlate it with behavior on other systems in the peer-to-peer network, and make decisions about active response through the existing firewalls and IDS engines. Sounds kinda cool, right? Sure! My inner geek was curious, so I looked online and found an article with a little more detail at ComputerWorld.

On the surface, it sounds like a more interconnected version of the SANS Internet Storm Center (which grew out of the DShield firewall-log sharing project). Plus, the ability to drive FW and IDS software off some sort of behavior threshold reminds me of the Active Response functionality in Snort and other tools. Sounds cool. But… I’m bothered for a few reasons. Let me explain:

  1. In the article, it explains that “[t]he software would interact with existing personal firewalls and intrusion detection systems to gather data about anomalous behaviour…The software would share this data with randomly selected peer machines to determine how prevalent the suspicious activity was…”. I don’t know about anyone else, but I don’t want peer-to-peer software sharing IDS or FW details with other systems, especially random ones. This just sounds ripe for abuse.
  2. End users are not intended to modify the detection parameters. OK, I can go for that. But what about security geeks like me? A quote from one of the researchers just didn’t sit right with me: “We don’t want to have humans in the loop.” Huh?

So let me get this straight. I am trusting a distributed system that interacts with my known and trusted security tools (IDS, FW), sends data to random systems, and doesn’t let me interact or tune the detection engine. Anyone else having visions of HAL and SkyNet? Or am I just a paranoid dork?

Wait, don’t answer that. Happy Friday.
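To make the worry above concrete, here is an added toy model of the “ask randomly selected peers how prevalent this anomaly is, then act” step as the article describes it. This is my own illustration, not code from the UC Davis project or from Network World/ComputerWorld, and everything in it is assumed: the 10-peer network, the alert text, the 40% response threshold, the salt, and the per-peer trust weights. It shows two things a practitioner would want worked out before deploying such a system: what a peer actually receives (the raw FW/IDS alert versus a minimised token), and how a few colluding peers in the random sample can push the prevalence score over the threshold when every answer counts equally, while a per-peer trust weight blunts that.

```python
# Added example (not the UC Davis project's code): a toy model of the
# "ask random peers how prevalent this anomaly is" step described above.
import hashlib
import random
from dataclasses import dataclass, field

RESPONSE_THRESHOLD = 0.4  # assumed: fire an active response at >= 40% agreement

# Constructed sample alert; the raw form is what a peer would receive if
# IDS/FW details were shared verbatim.
RAW_ALERT = "sshd brute force from 203.0.113.9 against 10.0.0.5:22"


def minimize(indicator: str, salt: str) -> str:
    """Reduce an alert to a salted digest before it leaves the host.

    A peer can then answer "have I seen this too?" without learning the
    alert text. Caveat: a salt shared by all peers only hides the indicator
    from peers who cannot already guess it; this is data minimisation, not
    strong privacy.
    """
    return hashlib.sha256(f"{salt}|{indicator}".encode()).hexdigest()


@dataclass
class Peer:
    name: str
    seen: set = field(default_factory=set)  # minimised tokens flagged locally
    honest: bool = True                      # dishonest peers say "yes" to everything
    trust: float = 1.0                       # querier's weight for this peer (assumed)

    def has_seen(self, token: str) -> bool:
        # A colluding peer inflates prevalence to provoke an active response
        # (it could equally deny everything to suppress one).
        return True if not self.honest else token in self.seen


def build_network(salt: str) -> list:
    """Constructed 10-peer network: 2 honest peers really saw the alert,
    5 honest peers did not, 3 are colluding and carry a low trust weight."""
    token = minimize(RAW_ALERT, salt)
    peers = [Peer(f"honest-hit-{i}", {token}) for i in range(2)]
    peers += [Peer(f"honest-miss-{i}") for i in range(5)]
    peers += [Peer(f"rogue-{i}", honest=False, trust=0.1) for i in range(3)]
    return peers


def prevalence(peers, token, sample_size, rng, weighted=False):
    """Query `sample_size` randomly chosen peers and return the fraction
    (optionally trust-weighted) that report having seen `token`."""
    sample = rng.sample(peers, sample_size)
    weight = (lambda p: p.trust) if weighted else (lambda p: 1.0)
    total = sum(weight(p) for p in sample)
    hits = sum(weight(p) for p in sample if p.has_seen(token))
    return hits / total


def should_respond(score: float, threshold: float = RESPONSE_THRESHOLD) -> bool:
    """The 'no humans in the loop' decision: drive the FW/IDS action or not."""
    return score >= threshold


def demo(salt: str = "example-salt", seed: int = 0):
    """Run both scoring variants; sampling the whole network keeps the
    numbers deterministic (only 2 of 10 peers genuinely saw the alert)."""
    peers = build_network(salt)
    token = minimize(RAW_ALERT, salt)
    rng = random.Random(seed)
    naive = prevalence(peers, token, len(peers), rng)
    weighted = prevalence(peers, token, len(peers), rng, weighted=True)
    return {
        "token_shared_with_peers": token,
        "naive_prevalence": naive,          # 0.5: three rogues push it over 0.4
        "weighted_prevalence": weighted,    # about 0.315: stays below 0.4
        "naive_responds": should_respond(naive),
        "weighted_responds": should_respond(weighted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it as a script to see the two scores side by side. The point is not that weighting solves the problem (a rogue that has earned trust still carries full weight, and a shared salt does not stop a peer from confirming an indicator it can guess) but that both the confidentiality question and the “who gets a vote” question have to be answered before the response is wired straight into the firewall.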

Categories: Information Security, Musings
  1. January 24th, 2009 at 18:24

    Hey,

    At the University of Idaho, we had an interesting DoD funded Distributed IDS project that had some similar ideas. Mostly, though, it was designed around the idea that sites could share IDS information but also weight it. In that way, if a site’s IDS was compromised or at least had misleading info, the info itself and the trust level of the info could be managed.

    The project was originally named Hummingbird, but since that was found to be used for many other project names they just renamed it Hummer. Some info at http://www.csds.uidaho.edu/deb/Dist.NetworkDef.pdf

  2. admin
    January 24th, 2009 at 18:48

    @Jim
    The concept is cool! I actually like the notion of an IDS “cloud” with no single point of failure, sharing info is good, etc. There are just a few privacy and confidentiality issues I’d want to see worked out beforehand, though, and the way these folks came across gave me the vibe that all they were focused on was full automation, not necessarily information protection. Thanks for the comment, Shew!
