
Publication


Featured research published by Morton Swimmer.


Proceedings of the 1997 International Virus Bulletin Conference, San Francisco, California, October, 1997 | 1999

Blueprint for a Computer Immune System

Jeffrey O. Kephart; Gregory B. Sorkin; Morton Swimmer; Steve R. White

There is legitimate concern that, within the next few years, the Internet will provide a fertile medium for new breeds of computer viruses capable of spreading orders of magnitude faster than today's viruses. To counter this threat, we have developed an immune system for computers that senses the presence of a previously unknown pathogen, and within minutes automatically derives and deploys a prescription for detecting and removing it. The system is being integrated with a commercial anti-virus product, IBM AntiVirus, and will be available as a pilot in 1997


Computer Networks | 2007

Using the danger model of immune systems for distributed defense in modern data networks

Morton Swimmer

This paper represents a departure from the current paradigms of centralized attack defenses and introduces the idea of the Danger model to autonomic defense systems. In existing systems, such as anti-viruses (AV) or intrusion prevention systems (IPS), a central authority generates the defense mechanisms and deploys these to the systems in the field. While this strategy works fairly well in static systems, currently the trend is towards large and more dynamically configured systems. The future is likely to belong to ubiquitous systems where the number of devices and their diversity exceed the capacity to centrally administer them. Furthermore, ubiquitous systems will also contain many devices that are not connected all the time nor to all other devices equally. To address these issues, this paper looks at the Danger Model of computer immune systems and its application to attack defense to create a fully decentralized model. The main paradigms are co-stimulation using both evidence of an attack (knowledge-based or behavior-based) with evidence of real danger or damage. By combining these two detection models we are able to reduce the chance of an auto-immune reaction in the Active Defense Network.


Systems, Man and Cybernetics | 1997

An immune system for cyberspace

Jeffrey O. Kephart; Gregory B. Sorkin; Morton Swimmer

There is legitimate concern that, within the next few years, the Internet will provide a fertile medium for new breeds of computer viruses capable of spreading orders of magnitude faster than they do today. To counter this threat, we have developed an immune system for computers that senses the presence of a previously unknown pathogen, and then within minutes automatically derives and deploys a prescription for detecting and removing it. The system is being integrated with a commercial anti-virus product, IBM AntiVirus, and is expected to be offered as a pilot in late 1997.


2007 2nd IEEE/IFIP International Workshop on Business-Driven IT Management | 2007

Elevating the Discussion on Security Management: The Data Centric Paradigm

Tyrone Grandison; Michael Bilger; Luke O'Connor; Marcel Graf; Morton Swimmer; Matthias Schunter; Andreas Wespi; Nev Zunic

Corporate decision makers have normally been disconnected from the details of the security management infrastructures of their organizations. The management of security resources has traditionally been the domain of a small group of skilled and technically savvy professionals, who report to the executive team. As threats become more prevalent, attackers get smarter and the infrastructure required to secure corporate assets becomes more complex, the communication gap between the decision makers and the implementers has widened. The risk of misinterpretation of corporate strategy into technical safe controls also increases with the above-mentioned trends. In this paper, we articulate a paradigm for managing enterprise security called the data centric security model (DCSM), which puts IT policy making in the hands of the corporate executives, so that security decisions can be directly executed without the diluting effect of interpretation at different levels of the infrastructure and with the benefit of seeing direct correlation between business objective and security mechanism. Our articulation of the DCSM vision is a starting point for discussion and provides a rich platform for research into business-driven security management.


Computer Networks | 2013

Editorial: Editorial for Computer Networks special issue on "Botnet Activity: Analysis, Detection and Shutdown"

Ronaldo M. Salles; Guofei Gu; Morton Swimmer

Large scale attacks and criminal activities experienced in recent years have exposed the Internet to serious security breaches, and alarmed the world regarding cyber crime. In the center of this problem are the so-called botnets – collections of infected zombie machines (bots) controlled by the botmaster to perpetrate malicious activities and massive attacks. Some recent botnets are composed of millions of infected machines, making use of this attack vector inevitably harmful. Hence, it is paramount to detect, analyze and shut down such overlay networks before they become active. This special issue of Computer Networks is intended to foster the dissemination of high quality research in all aspects regarding botnet activity, detection and countermeasures. We are pleased to introduce a series of state-of-the-art papers exploring an array of the many challenges related to this exciting topic. A total of 53 submissions were received in response to the call for papers. After a rigorous review process, we accepted 13 high quality papers covering the subject from different perspectives and offering to the readers a rather complete view of the different research challenges currently being considered by the community. We start the special issue with an important and updated survey on botnets. Silva et al. [1] present a comprehensive tutorial-like study that broadly exposes the botnet problem from more than 200 references. An interesting timeline shows the evolution of botnet technology and features. The main architecture, protocols, topologies and life cycle are also shown. A great part of the survey is devoted to botnet detection techniques; taxonomy is presented together with complete discussions about pros and cons of each technique. The paper also presents defense techniques, new trends and platforms, challenges and open problems. The second paper of this special issue deals with botnet modeling. Khosroshahy et al. [2] proposed a CTMC-based model, called SIC (Susceptible-Infected-Connected), which is capable of capturing the dynamics involving botnet lifecycle as nodes change states. The model can be used, for instance, to support the estimation of botnet sizes and on the evaluation of botnet mitigation strategies. The next three papers are concerned with in-depth analysis of some modern botnets, namely: Zeus, SpyEye


Security, Privacy, and Trust in Modern Data Management | 2007

Malicious Software in Ubiquitous Computing

Morton Swimmer

Malware (malicious software) is rampant in our information technology infrastructures and is likely to be so for the foreseeable future. We will look at various types of malware and their characteristics and see what defenses currently exist to combat them. Various aspects of ubiquitous computing will likely prove game-changers for malware and we will look into how the problem will evolve as ubiquitous computing (UbiComp) is deployed.


Information Security | 2004

Meeting the Global Challenges of Security Incident Response

Vijay Masurkar; Simone Fischer-Hübner; Morton Swimmer

Responding to computer security incidents has become a critical function within an information technology program of any enterprise. These incidents are threats not only to computing equipment but also to the stability of establishments, such as small to large governments or utilities serving large populations. New types of security-related incidents emerge frequently and massive activities take place across the globe to mitigate the violations of security policies or recommended security practices. In spite of the concerted efforts from many organizations, complete solutions are still lagging behind. Proactive or predictive research and planning activities are on the rise in many industrialized nations. However, they seem to fall short on coping with an unexpected global incident before incurring substantial damage. What can the global security-aware organizations and communities do? This paper is intended to help set the stage for a panel discussion to be chaired by the first author with the members of the IFIP WG9.6/11.7, “IT Misuse and the Law”.


Archive | 1998

Automated sample creation of polymorphic and non-polymorphic macro viruses

Jean-Michel Yann Boulay; August T. Petrillo; Morton Swimmer


Archive | 2000

Method and apparatus for replicating and analyzing worm programs

William C. Arnold; David M. Chess; John F. Morar; Alla Segal; Morton Swimmer; Ian Whalley; Steve R. White


Archive | 2001

Method and apparatus for repairing damage to a computer system using a system rollback mechanism

Morton Swimmer; Ian Whalley
