[Discussion] Hooks for Other than Blocking
Claudio Criscione
c.criscione at securenetwork.it
Sun Jan 18 18:18:24 UTC 2009
On Sunday 21 December 2008 19:13:07 Matt Jonkman wrote:
> Claudio Criscione wrote:
> > Redirection could also be used to escalate to more CPU intensive checks
> > (antiviruses?),
> I like that idea. Use circumstances to help decide if a binary needs to
> be quarantined/AV scanned. Maybe source, have we seen good/bad binaries
> from this source before, size of the binary (haven't seen many 50meg
> viruses of late), etc. What other factors might we consider?
For instance, cross-checks leveraging big databases (like comparisons on log
files) or in-memory checks on potentially compromised machines.
I think what really matters at this stage is to define a logical element in the
architecture; the details of what can be done could be sorted out later, maybe,
or not?
> > Think about blocking some "high confidence" attacks and introducing some
> > human interaction on more uncertain results in order to improve detection
> > with time.
> What kind of human interaction do you mean here? Human approval?
For instance, or human confirmation. Even a signature-based system could benefit
from such an engine. Think about a "proposed" signature: if you are not sure
whether the signature is false-positive prone, you assign it to a specific group,
and every time an alert is generated you require the user to say "true or
false", thus either "improving" the signature (automatically or via a human,
p2p signature review network) or assigning a minor or major weight to it in
your system in order to have fewer false positives and eventually promote or
remove the signature.
If we think of any anomaly-based system, instead, the benefits are quite
obvious.
Sorry for the late answer ;)
--
Claudio Criscione
Secure Network S.r.l
Via Venezia, 23 - 20099 Sesto San Giovanni (MI) - Italia
Tel: +39 02.24126788 Mob: +39 392 3389178
email: c.criscione at securenetwork.it
web: www.securenetwork.it
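The two ideas in this thread, a "proposed" signature group whose weight is adjusted by analyst true/false verdicts, and alert hooks that escalate to more expensive checks (AV scan, human confirmation) instead of blocking, can be sketched as one small state machine. The code below is an added illustration for this thread, not code from the list author or from any IDS project; the signature states, the promotion/retirement thresholds, the Laplace-smoothed weight and the sample verdict stream are all constructed assumptions. It goes slightly beyond the text by also demoting a promoted signature back to human review when its weight drops.

```python
"""Feedback loop for 'proposed' IDS signatures plus a non-blocking alert hook.

Constructed example; thresholds and sample data are assumptions, not values
from any real IDS or from the mailing-list discussion.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

MIN_VERDICTS = 5        # assumed: analyst verdicts needed before a state change
PROMOTE_AT = 0.85       # assumed: weight at or above which a signature blocks
RETIRE_AT = 0.30        # assumed: weight at or below which a signature is retired
AV_SIZE_LIMIT = 50 * 1024 * 1024   # "haven't seen many 50meg viruses of late"


@dataclass
class Signature:
    sid: str
    state: str = "proposed"      # proposed -> promoted | retired (retired is terminal)
    true_hits: int = 0
    false_hits: int = 0

    def weight(self) -> float:
        """Laplace-smoothed precision: a brand-new signature starts at 0.5."""
        return (self.true_hits + 1) / (self.true_hits + self.false_hits + 2)


def record_verdict(sig: Signature, is_true_positive: bool) -> str:
    """Apply one analyst 'true or false' answer and return the new state."""
    if sig.state == "retired":
        return sig.state            # retired signatures no longer ask for verdicts
    if is_true_positive:
        sig.true_hits += 1
    else:
        sig.false_hits += 1
    if sig.true_hits + sig.false_hits >= MIN_VERDICTS:
        w = sig.weight()
        if w >= PROMOTE_AT:
            sig.state = "promoted"
        elif w <= RETIRE_AT:
            sig.state = "retired"
        else:
            sig.state = "proposed"  # weight slipped: back to the human-review group
    return sig.state


def decide_action(sig: Signature, source_seen_bad: bool, payload_bytes: int) -> str:
    """Choose the hook for an alert: block, AV scan, ask an analyst, or only log."""
    if sig.state == "retired":
        return "log"
    if sig.state == "promoted":
        return "block"
    # Uncertain signature: spend the expensive check only where context warrants it
    if source_seen_bad and payload_bytes < AV_SIZE_LIMIT:
        return "av_scan"
    return "ask_analyst"


def review_queue(verdicts: Iterable[Tuple[str, bool]]) -> Dict[str, Signature]:
    """Feed a stream of (sid, verdict) pairs through the loop; return final signatures."""
    sigs: Dict[str, Signature] = {}
    for sid, verdict in verdicts:
        sig = sigs.setdefault(sid, Signature(sid))
        record_verdict(sig, verdict)
    return sigs


if __name__ == "__main__":
    # Constructed verdict stream: SID-A is consistently right, SID-B is noise.
    sample = [("SID-A", True)] * 5 + [("SID-B", False)] * 4 + [("SID-B", True)]
    for sig in review_queue(sample).values():
        print(sig.sid, sig.state, round(sig.weight(), 3))
```

Because `decide_action` never blocks on a signature still in the proposed group, a new or wobbling rule can only trigger an AV scan, an analyst question or a log line, which is the "other than blocking" hook the thread is after; the weight doubles as the ranking value for deciding which proposed signatures are worth an analyst's time.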