

Network security with ants - ptn
http://www.physorg.com/news173108776.html

======
skolor
I may be missing a crucial point here, but this sounds like all it is is
running a modular malware scanner off of a server, and checking each computer
on the network.

This seems to fall under a classic problem (well, maybe not classic, but I see
it a lot): people see something in nature and assume it will work on a
computer. Taking a look at the metaphors used in the article, it looks like
these researchers may have fallen into the same trap.

Worms in the digital sense are nothing like worms in the natural sense.
Digital worms propagate by attacking a computer, taking it over, and then
using that computer to launch out its own attacks at as many other computers
as it can. The only way it resembles a natural worm, is because both of them
leave a clear, followable trail, as long as you know where to look. While the
natural worm's trail is in the dirt, the digital worm's trail is through
infected computers. They're hard to trace back to their source, but it may be
possible.

Assuming I understand the concept of security "ants" correctly, it will only
work until viruses catch on, at which point it will be even more susceptible
to attacks than current generation virus scanning. What so many people fail to
understand is that once a computer is infected with malware, you cannot trust
anything it tells you. I can't stress that enough, an infected computer can
very easily lie to you. So, what it looks like from the article, is (for
instance) we have 3000 "ants" running off a server, which each check every
computer for a specific symptom of running a virus. If the computer has that
symptom, more and more ants are sent to that computer to find and disable it.

To give this another metaphor: let's say we have 3000 police officers, who
patrol a neighborhood with several homes in it. We know from experience that
there are criminals who break into homes, and use them for all sorts of
nefarious purposes. In a particular home, someone has broken in and set up a
meth lab. A police officer comes up, knocks on the door, and one of the
criminals comes to the door. The following dialogue ensues:

Officer: Hi, I'm checking for illegal assault rifles today. Any chance you
guys have any assault rifles in there?
Criminal: No.
Officer: Ok, have a nice day.

The problem of running a virus scan off the network is similar to the problem
an officer faces without a warrant. The network scanner cannot directly check
the hard drive and processes running on a computer. It has to ask the computer
to check those things, and then report back to the scanner, or, alternately,
ask the computer to make those resources available to it and check them
itself. All the malware has to do is make the computer it has infected lie to
the scanner, and it's free. This is difficult, but possible when the scanner is
on the local machine. When it's on the network though, it doesn't stand a
chance.
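The trust problem described in the comment above, as an added illustration (editor's example, not code from the article or the commenter): a network scanner that asks each host to inspect itself catches malware only until the malware starts editing the host's answer. The cross-check at the end is the editor's own assumption of what a defender would pair with such a scanner: flow records from a switch mirror or tap, which the host cannot rewrite, used to spot the fan-out a worm produces when it "launches out its own attacks at as many other computers as it can". Host names, process names, the port and the threshold are all constructed.

```python
from dataclasses import dataclass

# Constructed indicator: the process name the scanner's "ants" look for.
INDICATORS = {"wormsvc.exe"}


@dataclass
class Host:
    """Constructed model of a workstation as a network scanner sees it."""
    name: str
    real_processes: set
    infected: bool = False
    conceals: bool = False  # infected AND the malware tampers with self-inspection

    def report_processes(self):
        # The only view a remote scanner gets is the host's own answer,
        # so a concealing infection simply drops the indicator from it.
        if self.infected and self.conceals:
            return self.real_processes - INDICATORS
        return set(self.real_processes)


def remote_scan(host):
    """The 'ant' approach: ask the host and match against indicators.

    Whatever comes back is trusted; nothing here can tell a lie from the truth.
    """
    return sorted(host.report_processes() & INDICATORS)


def fan_out(flows, host_name, dport):
    """Distinct peers a host contacted on one port, from flow records the host cannot edit.

    flows is an iterable of (src, dst, dport) tuples, as a tap or switch mirror would yield.
    """
    return len({dst for src, dst, port in flows
                if src == host_name and port == dport and dst != host_name})


def cross_check(host, flows, dport=445, threshold=8):
    """Combine the self-report with the out-of-band view (editor's assumed design).

    A positive self-report is 'infected'. A clean self-report paired with worm-like
    fan-out on a lateral-movement port is 'suspicious': the host may be lying.
    """
    hits = remote_scan(host)
    peers = fan_out(flows, host.name, dport)
    if hits:
        verdict = "infected"
    elif peers >= threshold:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"host": host.name, "self_report": hits, "peers": peers, "verdict": verdict}


def scan_network(hosts, flows):
    """Run the cross-check over every host and return the verdicts."""
    return [cross_check(h, flows) for h in hosts]


# Constructed sample hosts: one clean, one infected and concealing, one infected but naive.
HOSTS = [
    Host("ws-03", {"explorer.exe", "outlook.exe"}),
    Host("ws-07", {"explorer.exe", "wormsvc.exe"}, infected=True, conceals=True),
    Host("ws-12", {"explorer.exe", "wormsvc.exe"}, infected=True),
]

# Constructed flow records: normal traffic from ws-03, scanning fan-out from the two infected hosts.
FLOWS = (
    [("ws-03", "fileserver", 445), ("ws-03", "mail", 25)]
    + [("ws-07", f"ws-{i:02d}", 445) for i in range(20, 32)]   # 12 distinct peers
    + [("ws-12", f"ws-{i:02d}", 445) for i in range(40, 50)]   # 10 distinct peers
)


if __name__ == "__main__":
    for verdict in scan_network(HOSTS, FLOWS):
        print(verdict)
```

Running it shows the asymmetry the comment is pointing at: ws-12 is caught by the self-report because its malware never bothered to hide, ws-07 self-reports clean and would pass the remote scan entirely, and only the flow records, gathered from a vantage point the infected host does not control, flag it.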

