Re: [Fed-Talk] Death of signatures
Re: [Fed-Talk] Death of signatures
- Subject: Re: [Fed-Talk] Death of signatures
- From: David Mueller <email@hidden>
- Date: Tue, 14 Feb 2012 07:58:31 -0800
- Thread-topic: [Fed-Talk] Death of signatures
What you describe sounds a lot like what SELinux does.
- David
On 2/14/12 4:04 AM, "William Cerniuk" <email@hidden> wrote:
> Honestly I have not been following this closely but has the topic of app
> signatures come up?
>
> The issue with viruses is that they are developed rapidly and some developed
> to intentionally mutate. Like a real biological virus, it make the computer
> virus much harder to track and thwart.
>
> Think of this in biological terms. Imagine having to identify unknown and
> un-discovered viruses with anti-viral compounds. Very much like a broad
> spectrum antibiotic, the current antivirus software operates as a wide barrier
> to 'infection".
>
> What we lack are not indicators of infection but tracking indicators of
> health. From the biological side, we tell the doc we don't feel normal, don't
> feel goods, something is wrong. This frequently happens well before the
> infection is serious. The sillcon corrilary is tracking normal application
> and user behavior.
>
> For example, we know that Microsoft Word should not be accessing the kernel
> extensions. We also know that MS Word should not make any network connections
> outside of operating system services. MS Word should not be probing the
> network, pinging other machines in the local subnet, accessing any network
> connection short of update services and user initiated links in documents. If
> it does start doing this we would say it is not feeling well or potentially
> has a cold.
>
> In this way an outbreak of a new virus could be detected. If the software that
> acted as the 'nurse' in this case reported the problem to the 'doctor' (the
> central virus detection database') outbreaks could be detected and thwarted in
> their very early stages.
>
> From a "truth in lending" perspective, this is from a conversation I had with
> a friend in the antivirus business. They call this feature "heuristic
> detection". It establishes a baseline of any app's activity and then when the
> app starts operating out of bounds, the user is flagged with a warning and the
> ability to stop the app from performing the out of bounds activity.
>
> Best, Wm.
>
>
> On Feb 13, 2012, at 4:16 PM, Todd Heberlein <email@hidden> wrote:
>
>>
>> On Feb 12, 2012, at 6:21 PM, Joel Esler wrote:
>>
>>> So what's new?
>>
>> That it is called out specifically at the budget level.
>>
>> For about 15 years starting in 1988 I received gov't funding for IDS (DOE,
>> DARPA, AFRL, ...), and none of them wanted work done on signatures. They were
>> always looking for solutions that could address unknown vulnerabilities &
>> attacks (and insiders). So nothing knew there. I've just never seen it
>> escalate so high on the budgetary wish list.
>>
>> Over the years the challenge that I could see was that solutions that worked
>> well in researchers' hands running in labs struggled in operational
>> environments.
>>
>> Todd
>>
>> _______________________________________________
>> Do not post admin requests to the list. They will be ignored.
>> Fed-talk mailing list (email@hidden)
>> Help/Unsubscribe/Update your Subscription:
>>
>> This email sent to email@hidden
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Fed-talk mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden