Defending your computer from cyber-attacks, Sun Tzu style

January 21, 2016 by Alisson Clark

We want our computers to perform the way we expect. But what if the key to defeating malware is introducing a bit of chaos?

Daniela Oliveira, a professor in the University of Florida Herbert Wertheim College of Engineering, thinks a bit of unpredictability could help outsmart malware. That's the logic behind Chameleon, the operating system she's developing with colleagues at UF, Stony Brook University and the University of California, Davis.

In Chameleon, which is still at the conceptual phase, unknown programs that could be malware run in a special "unpredictable" environment, where the OS intentionally introduces some unpredictability to the way they operate.

"Even though it seems crazy to impact functionality, it can be very effective at countering attacks if it only impacts software that could be malicious," Oliveira said. "The malicious process thinks it's in control, but it's not."

Programs you know and trust could be approved to run in a standard environment where they'll function normally, while detected malware is sequestered in a third environment, called deceptive. Instead of squashing malicious processes immediately, Chameleon would let them continue to work in a façade environment while collecting information that can be used to understand and defeat them.
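The three environments described above, worked into a toy model. This is an added example, not code from the Chameleon project: real Chameleon interposes on system calls inside the OS, whereas here an in-memory file store stands in for the kernel, a small "harvester" stands in for an unknown program, and the specific perturbations (spurious EAGAIN errors, short reads, failed writes) and the fault rate are assumptions chosen to illustrate the idea. The sample files are constructed.

```python
"""Toy model of Chameleon's standard / unpredictable / deceptive environments.

Added example, not code from the Chameleon project. An in-memory file store
stands in for the OS; the perturbation types and fault rate are assumptions.
"""
import errno
import random
from enum import Enum


class Env(Enum):
    STANDARD = "standard"            # trusted software: normal behaviour
    UNPREDICTABLE = "unpredictable"  # unknown software: perturbed I/O
    DECEPTIVE = "deceptive"          # known-bad software: facade + logging


class Sandbox:
    """Mediates file I/O for one process according to its environment."""

    def __init__(self, env, real_files, seed=0, fault_rate=0.4):
        self.env = env
        self.real = dict(real_files)
        # Facade data shown to processes in the deceptive environment.
        self.facade = {name: b"lorem ipsum" for name in real_files}
        self.rng = random.Random(seed)  # seeded so runs are reproducible
        self.fault_rate = fault_rate
        self.log = []  # actions observed in the deceptive environment

    def listdir(self):
        if self.env is Env.DECEPTIVE:
            self.log.append(("listdir",))
        return sorted(self.real)

    def read(self, name):
        if self.env is Env.STANDARD:
            return self.real[name]
        if self.env is Env.DECEPTIVE:
            self.log.append(("read", name))
            return self.facade[name]
        # UNPREDICTABLE: same data, but sometimes a spurious error or a short
        # read, so the process cannot rely on the usual I/O contract.
        roll = self.rng.random()
        if roll < self.fault_rate / 2:
            raise OSError(errno.EAGAIN, "try again")
        data = self.real[name]
        if roll < self.fault_rate:
            return data[: len(data) // 2]
        return data

    def write(self, name, data):
        if self.env is Env.DECEPTIVE:
            self.log.append(("write", name, len(data)))
            self.facade[name] = data  # never touches the real store
            return len(data)
        if self.env is Env.UNPREDICTABLE and self.rng.random() < self.fault_rate:
            raise OSError(errno.ENOSPC, "no space left on device")
        self.real[name] = data
        return len(data)


def harvest(sandbox):
    """A naive malware-like process: copy every visible file into one blob."""
    out = bytearray()
    errors = 0
    for name in sandbox.listdir():
        try:
            out += sandbox.read(name)
        except OSError:
            errors += 1
    try:
        sandbox.write("loot.bin", bytes(out))
    except OSError:
        errors += 1
    return bytes(out), errors


# Constructed sample data standing in for a user's documents.
SAMPLE_FILES = {
    "passwords.txt": b"hunter2\n",
    "report.docx": b"quarterly numbers",
    "keys.pem": b"-----BEGIN PRIVATE KEY-----",
}


def run_all(seed=1):
    """Run the same harvester in each environment and summarise the outcome."""
    results = {}
    for env in Env:
        sb = Sandbox(env, SAMPLE_FILES, seed=seed)
        loot, errors = harvest(sb)
        results[env] = {
            "bytes": len(loot),
            "errors": errors,
            "real_store_touched": "loot.bin" in sb.real,
            "log": list(sb.log),
        }
    return results


if __name__ == "__main__":
    for env, r in run_all().items():
        print(env.value, r)
```

The point the model makes: the harvester's code is identical in all three runs, but only in the standard environment does it get the full 52 bytes and land its output in the real store; in the unpredictable environment its results are partial or error out, and in the deceptive environment it "succeeds" against fake data while every action it took is recorded.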

Oliveira's inspiration came in part from her interest in military strategy.

"I've read a lot about warfare. Sun Tzu, Julius Caesar - they were successful because of the element of surprise. Cyberwarfare is the same," she said.

Deception has been used against cyber-attacks before, mostly in "honeypot" strategies that lure attackers in to gather information. But those deceptions typically are quickly revealed, Oliveira says, which limits their effectiveness. What sets Chameleon apart is inconsistent deception: Software that has been quarantined - or malware that bypasses standard detection systems - runs in an unfavorable environment until proven either benign or malicious.

An operating system like Chameleon would be a good fit for corporations, where the mission-critical software is known in advance, Oliveira says. That's good news not just for corporations, but also for those of us who entrust our sensitive data to them.

"Predictable computer systems make life too easy for attackers," she said.


9 comments


Nanook
5 / 5 (1) Jan 21, 2016
A bit of irony, when I first attempted to view this article, I got:
503 Service Unavailable
No server is available to handle this request.
SciTechdude
not rated yet Jan 21, 2016
Chaos!
Eikka
1 / 5 (1) Jan 22, 2016
If you set up an FTP server online these days, you'll find that eventually there's a port-scanning worm that tries to get in by guessing passwords and trying all sorts of exploits against bugs known to exist in FTP server software.

If you let them bang at the door, they'll eventually show themselves in. If on the other hand you create an empty public account that lets everyone in, the worm gets slowed down immensely because it bumbles through the door without resistance, downloads a list of meaningless files, tries to create files, delete files, do anything, and eventually it concludes that it's been duped and it has to start over. The repetition rate goes down and it takes literally forever for the worm to actually break in.

It's like, if you were trying to break a window to rob a house, but the window just stretched in like a sheet of rubber.
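The "empty public account" idea in the comment above, worked into code as an added example (it is not the commenter's code and not part of the Chameleon project). Only the control-channel handler is modelled, as a transport-independent function so it can be exercised without sockets; the fake listing, the command subset, the per-session façade and the omission of a real data channel are all assumptions.

```python
"""Deceptive FTP front end: accept any credentials, serve fake files, log all actions.

Added example, not the commenter's code. The fake listing is constructed,
the data channel is omitted (assumption), and port 2121 is arbitrary.
"""
import socketserver
from dataclasses import dataclass, field

# Constructed fake listing: name -> size in bytes. Nothing here is real data.
FAKE_FILES = {"backup.tar.gz": 4096, "customers.csv": 1841, "notes.txt": 97}


@dataclass
class Session:
    peer: str
    user: str = ""
    logged_in: bool = False
    cwd: str = "/"
    view: dict = field(default_factory=lambda: dict(FAKE_FILES))  # per-session facade
    actions: list = field(default_factory=list)  # everything the client tried


def listing(session):
    """Unix-style LIST output for the session's (fake) view of the directory."""
    return "".join(
        f"-rw-r--r-- 1 ftp ftp {size:>8} Jan 01 00:00 {name}\r\n"
        for name, size in sorted(session.view.items())
    ).encode()


def process(session, line):
    """Handle one control-channel command.

    Returns (reply, data): reply is the control-channel text, data is what
    would be sent over the data channel (or None).
    """
    cmd, _, arg = line.strip().partition(" ")
    cmd = cmd.upper()
    session.actions.append((cmd, arg))

    if cmd == "USER":
        session.user = arg
        return "331 Password required\r\n", None
    if cmd == "PASS":
        session.logged_in = True  # every password "works": the door is open
        return "230 Login successful\r\n", None
    if cmd == "QUIT":
        return "221 Goodbye\r\n", None
    if not session.logged_in:
        return "530 Please login with USER and PASS\r\n", None
    if cmd == "PWD":
        return f'257 "{session.cwd}"\r\n', None
    if cmd == "CWD":
        session.cwd = arg or "/"  # every directory "exists"
        return "250 Directory changed\r\n", None
    if cmd == "LIST":
        return "150 Here comes the listing\r\n226 Transfer complete\r\n", listing(session)
    if cmd == "RETR":
        if arg not in session.view:
            return "550 File not found\r\n", None
        # Meaningless content of the advertised size (all zero bytes).
        return "150 Opening data connection\r\n226 Transfer complete\r\n", bytes(session.view[arg])
    if cmd == "STOR":
        session.view[arg] = 0  # appears to be created; nothing is written anywhere
        return "150 Ok to send data\r\n226 Transfer complete\r\n", None
    if cmd == "DELE":
        session.view.pop(arg, None)  # "deleted" from this session's view only
        return "250 Deleted\r\n", None
    return "502 Command not implemented\r\n", None


class Handler(socketserver.StreamRequestHandler):
    """Minimal control-channel loop around process(); no data channel (assumption)."""

    def handle(self):
        session = Session(peer=self.client_address[0])
        self.wfile.write(b"220 FTP server ready\r\n")
        for raw in self.rfile:
            reply, _data = process(session, raw.decode(errors="replace"))
            self.wfile.write(reply.encode())
            if reply.startswith("221"):
                break
        print(session.peer, session.actions)  # hand off to your analysis pipeline


if __name__ == "__main__":
    with socketserver.ThreadingTCPServer(("0.0.0.0", 2121), Handler) as srv:
        srv.serve_forever()
```

Because the guesser is let in on its first attempt, it spends its time exploring a view of the server that is private to its session: deletions and uploads appear to succeed but change nothing real, and the recorded command sequence is the intelligence the deception yields. Run it on a port nothing legitimate uses, never on a host that also serves real FTP.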
antialias_physorg
5 / 5 (4) Jan 22, 2016
You can watch an abstract of cyberattacks the world over on the "NORSE" map (makes an awesome screensaver)
http://map.norsecorp.com/
The centralized points that get "attacked" are the honeypots they set up.

Kaspersky has a similar site (which is even more graphically neat, though a bit more confusing to watch)
https://cybermap....sky.com/

The number of cyberattacks going on in the world all the time is pretty scary.
Gettingitdone
5 / 5 (1) Jan 22, 2016

If you set up an FTP server online these days, you'll find that eventually there's a port-scanning worm that tries to get in by guessing passwords and trying all sorts of exploits against bugs known to exist in FTP server software.


It's been this way since just after the BB days. 0-Day exploits of FTPs, commonly used to store digital data in hidden folders. Few people with admin titles even know how to remove the hidden folders, let alone enter the folders and see what is there. There used to be a special scanner that would use special algorithms to traverse the hidden folder chain on already jacked FTPs and reveal what was hidden there. Just because someone doesn't pop up a chat window on your computer and talk to you, against your will, or because you may not personally know anyone with those skills, I can assure you there are many that can walk right into your computer with only the desire to do so and between minutes to a few hours of background work.
Eikka
5 / 5 (2) Jan 22, 2016
Few people with admin titles even know how to remove the hidden folders, let alone enter the folders and see what is there.


Sounds like some sort of horror story the old sysadmins told the script kiddies at night.

When you run your FTP server in a virtual machine, it's pretty easy. Just see what difference it has made to the filesystem.

Even if you suppose that the intruder has somehow made super-secret changes that the guest operating system itself can't see and won't show (which presumes you've not only cracked the FTP server but gained remote access to the OS as well), it'll still show up because the system image has changed.
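The check the comment above proposes, comparing a server's filesystem against a known-good baseline from outside the guest, as an added example (not the commenter's code). It assumes the guest's disk image can be mounted or copied to a directory on the host; the demo uses two temporary directories as stand-ins for the before and after snapshots, and the intruder's changes in it (a dot-prefixed stash directory, a replaced binary) are constructed.

```python
"""Baseline-and-diff of a filesystem tree, run from outside the guest.

Added example, not the commenter's code. Assumption: the guest image has been
mounted or copied to a host directory; the demo scenario is constructed.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def manifest(root):
    """Map each regular file's relative path to (size, mode bits, sha256)."""
    root = Path(root)
    out = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for fn in sorted(filenames):
            p = Path(dirpath) / fn
            if p.is_symlink() or not p.is_file():
                continue  # a real tool would record symlinks/devices separately
            h = hashlib.sha256()
            with open(p, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            st = p.lstat()
            out[str(p.relative_to(root))] = (st.st_size, st.st_mode & 0o7777, h.hexdigest())
    return out


def diff(before, after):
    """Added, removed and modified paths between two manifests."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }


def demo():
    """Constructed scenario: an intruder adds a hidden stash and replaces a binary."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        for root in (a, b):  # identical clean baseline in both
            os.makedirs(os.path.join(root, "pub"))
            os.makedirs(os.path.join(root, "bin"))
            Path(root, "pub", "readme.txt").write_bytes(b"welcome\n")
            Path(root, "bin", "ls").write_bytes(b"\x7fELF original")
        # "after" snapshot: a dot-prefixed directory tree holding a stash,
        # plus a trojaned ls that keeps its size and mode.
        os.makedirs(os.path.join(b, "pub", ".trash", "..."))
        Path(b, "pub", ".trash", "...", "stash.bin").write_bytes(b"warez")
        Path(b, "bin", "ls").write_bytes(b"\x7fELF trojaned")
        return diff(manifest(a), manifest(b))


if __name__ == "__main__":
    print(demo())
```

The trojaned binary is caught by its hash even though its size and permission bits are unchanged, and the hidden directory shows up as an added path no matter what it is named, because the manifest is built on the host from the image, not by asking the possibly compromised guest to list its own files. In practice the baseline manifest should be stored outside the VM, with the guest image hashed from the host on a schedule.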
Eikka
not rated yet Jan 22, 2016
The number of cyberattacks going on in the world all the time is pretty scary.


Or that's the way the security companies want to make it look like, at least, so you'd buy their products.
Gettingitdone
not rated yet Jan 22, 2016
Few people with admin titles even know how to remove the hidden folders, let alone enter the folders and see what is there.


Sounds like some sort of horror story the old sysadmins told the script kiddies at night.

When you run your FTP server in a virtual machine, it's pretty easy. Just see what difference it has made to the filesystem.

Even if you suppose that the intruder has somehow made super-secret changes that the guest operating system itself can't see and won't show (which presumes you've not only cracked the FTP server but gained remote access to the OS as well), it'll still show up because the system image has changed.


I have to laugh. Since when does someone check their audio and video BIOS, let alone the CMOS?
Eikka
not rated yet Jan 23, 2016
I have to laugh. Since when does someone check their audio and video BIOS, let alone the CMOS?


You're ascribing superhuman qualities to the attacker, who does not know what kind of machine is running underneath the virtual machine. Now you've let the hacker through the FTP server, escalated his privileges in the guest OS, broken out of the virtualized environment, broken the host OS, and then found their way to the actual hardware and its firmware.

All that with "between minutes to a few hours of background work", originating with a "0-day exploit" in the FTP software.

Please.
