Morton Swimmer, John Jay College of Criminal Justice/CUNY
For many reasons, our systems still contain vulnerabilities and are likely always to do so until the economics of system design and implementation change dramatically. Our best defence against the exploitation of these vulnerabilities is to use reactive technology such as anti-virus, anti-spyware, intrusion detection and prevention systems (IDS and IPS), firewalls, etc. They are reactive in that they mostly use a priori knowledge designed by a central authority to detect the attack. The time required to get the sample to the vendor, then through analysis, and finally to distribute the result to the clients is still much longer than it potentially takes for the malware itself to spread. It would be an advantage to have a more systematic and immediate way of creating these signatures and then deploying them to where they are needed most as quickly as possible. The cure must spread faster than the disease (as we used to say when working on the IBM Digital Immune System).
In this paper, we see how the convergence of various security technologies can help us achieve this goal. This is achieved by utilizing the strengths of various sensors and generating semantically relevant signals from these. The signals can only be used for alerting and automatic reaction when two or more can be combined (costimulation). However, combination is only possible if the signals are ontologically orthogonal to each other, giving us a meaningful combination of information instead of the currently more common correlation of ontologically parallel signals. While the former leads to a true confirmation, the latter may merely compound an already faulty diagnosis. From this framework, a useful architecture for dealing automatically with threats can evolve.
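The distinction between costimulation of ontologically orthogonal signals and mere correlation of parallel ones can be made concrete in code. The following is an added illustrative example, not code from the paper or from any architecture the author describes: each sensor tags its signal with the category of evidence it produces (the category names, sensor names, hosts and timestamps are all constructed for the example), and a host is confirmed only when two or more distinct categories fire within a time window. Two anti-virus engines agreeing on the same file are parallel evidence and count once; an anti-virus detection plus an IDS observation of unusual network behaviour are orthogonal and confirm each other.

```python
"""Costimulation of ontologically orthogonal sensor signals.

Added illustrative example (not code from the paper). Each sensor emits a
signal tagged with the ontological category of evidence it produces. A
confirmed alert for a host requires two or more signals from *different*
categories inside a time window (costimulation). Signals from the same
category, even from different vendors, are merely correlated and count as
one piece of evidence, so they never confirm on their own.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical category vocabulary; any fixed set of evidence classes would do.
FILE_CONTENT = "file_content"            # anti-virus / static scanners
NETWORK_BEHAVIOUR = "network_behaviour"  # IDS/IPS, firewall logs
PROCESS_BEHAVIOUR = "process_behaviour"  # host behaviour monitors


@dataclass(frozen=True)
class Signal:
    host: str
    sensor: str    # which product emitted the signal
    category: str  # ontological class of the evidence
    ts: float      # seconds since some epoch


def costimulate(signals, window=300.0, min_categories=2):
    """Return {host: sorted categories} for every host where at least
    `min_categories` distinct categories fire within `window` seconds."""
    by_host = defaultdict(list)
    for s in signals:
        by_host[s.host].append(s)
    confirmed = {}
    for host, sigs in by_host.items():
        sigs.sort(key=lambda s: s.ts)
        lo = 0
        # Sliding window over the time-ordered signals of one host.
        for hi in range(len(sigs)):
            while sigs[hi].ts - sigs[lo].ts > window:
                lo += 1
            cats = {s.category for s in sigs[lo:hi + 1]}
            if len(cats) >= min_categories:
                confirmed[host] = sorted(cats)
                break
    return confirmed


def correlate_parallel(signals):
    """Naive vendor-count correlation: hosts where two or more sensors agree,
    regardless of category. Shown only as the contrast case; it treats two
    scanners sharing the same faulty signature as independent confirmation."""
    sensors = defaultdict(set)
    for s in signals:
        sensors[s.host].add(s.sensor)
    return sorted(h for h, ss in sensors.items() if len(ss) >= 2)


# Constructed sample signals (not real detections).
SAMPLE = [
    # hostA: two AV engines flag the same file -> parallel, same category
    Signal("hostA", "av_vendor_1", FILE_CONTENT, 100.0),
    Signal("hostA", "av_vendor_2", FILE_CONTENT, 105.0),
    # hostB: AV detection plus IDS sees unusual outbound traffic -> orthogonal
    Signal("hostB", "av_vendor_1", FILE_CONTENT, 200.0),
    Signal("hostB", "nids", NETWORK_BEHAVIOUR, 260.0),
    # hostC: orthogonal categories, but hours apart -> outside the window
    Signal("hostC", "nids", NETWORK_BEHAVIOUR, 300.0),
    Signal("hostC", "hips", PROCESS_BEHAVIOUR, 9000.0),
]

if __name__ == "__main__":
    print("costimulated:", costimulate(SAMPLE))
    print("parallel correlation:", correlate_parallel(SAMPLE))
```

Run as a script, the costimulation pass confirms only hostB, while the parallel correlation pass flags all three hosts, including hostA where the two signals may share one mistaken signature. Widening the window lets hostC confirm as well, which is the knob a deployment would tune against the false-positive cost of automatic reaction.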