Current methods of host-based signature sharing require large amounts of bandwidth, and the information they transmit is itself sensitive: if an adversary captures the update traffic or obtains a defended device, the signatures can be trivially used to evade the host-based defenses.
Both host-based and network-based security systems can help to detect the presence of an adversary on our networks and operating on our systems. However, traditional host-based and network-based security systems are designed for strategic and enterprise networks where bandwidth, memory and computational resources are readily available. Personnel operating in austere or constrained environments may employ devices of reduced size and weight, which in turn often reduces available battery, bandwidth and computational power. At the same time, the operating environment of these devices may be heavily contested, with attackers potentially disrupting network communications and attempting to seize control of the devices concurrently with kinetic operations.
While the scanning and classification processes of host-based security systems can also be resource intensive, one of the most significant issues with enterprise host-based security system operation is its bandwidth requirement. Virus definition (DAT) files contain virus signatures and other information that Intel Security anti-virus products use to protect the network against existing and newly emerging threats. DAT files are released on a recurring basis; normal enterprise host-based security system operation requires daily distribution of a DAT file containing updated threat/virus signatures along with policy information. On average these files are approximately 80 MB in size. Once the DAT file is downloaded to every node in the network, it must be processed by the host-based security system and incorporated into its operation. Although the portion of the DAT file devoted to signatures versus policy configuration will vary, it is assumed that the signatures occupy a significant portion, as is the case with all signature-based AV. This transmission and processing at every node is extremely costly to the tactical network as a whole and to the tactical nodes individually.
Bloom filters have proven to be extremely useful and applicable to a vast range of problems, as reported in A. Broder and M. Mitzenmacher, “Network Applications of Bloom Filters: A Survey,” Internet Mathematics, vol. 1, no. 4, pp. 485-509 (2004), hereby incorporated by reference. In network security applications, Bloom filters have been used in various ways to rapidly classify network packets, often with the goal of intrusion detection. These uses are either explicitly signature-based, in which signatures are encoded into a Bloom filter and a packet is flagged if the membership test returns a positive result, or anomaly-based, in which normal traffic is encoded into a Bloom filter and a packet is flagged if the membership test returns a negative result. The work of K. Shanmugasundaram, et al., “Payload attribution via hierarchical bloom filters,” in Proceedings of the 11th ACM Conference on Computer and Communications Security (2004), hereby incorporated by reference herein in its entirety, examines the use of hierarchical Bloom filters to attribute packet payloads in the absence of header information by tagging n-grams with their position in a payload and inserting them into a Bloom filter; by examining block lengths of geometrically changing size, the number of Bloom filter membership tests and the degree of confidence in those tests can be controlled. The work of E. H. Spafford, “Opus: Preventing weak password choices,” Computers & Security, vol. 11, no. 3, pp. 273-288 (1992), hereby incorporated by reference herein in its entirety, examines a different security policy issue and uses Bloom filters to enforce password policy. Notably, the non-invertible nature of the Bloom filter is exploited to prevent the re-use of passwords in a manner that is both space-efficient and secure: the filter reveals only bit positions, not the passwords that set them.
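The two classification modes described above, as an added worked example that is not part of this application or of any cited work. It implements a plain Bloom filter with double hashing over SHA-256, a signature mode that inserts the n-grams of each signature and flags a payload only when a whole signature's worth of n-grams hits back to back (so a single false-positive n-gram cannot trigger it on its own), an anomaly mode that flags tokens the filter has never seen, and the standard sizing formulas. The signatures, tokens and payloads are constructed for illustration, and the parameter choices (n = 4, 2^16 bits, 4 hash functions) are assumptions, not values from the application. Note that only the bit array would need to be distributed: it is a fixed number of bits regardless of signature length, and it cannot be inverted to recover the signatures.

```python
import hashlib
import math


class BloomFilter:
    """Bloom filter with m bits and k hash functions (double hashing over SHA-256)."""

    def __init__(self, m_bits, k_hashes):
        self.m = m_bits
        self.k = k_hashes
        self.bits = bytearray((m_bits + 7) // 8)   # the only thing that would be shared
        self.count = 0

    def _indexes(self, item):
        # Kirsch-Mitzenmacher double hashing: h_i(x) = h1(x) + i*h2(x) mod m, h2 forced odd.
        d = hashlib.sha256(item).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for i in self._indexes(item):
            self.bits[i >> 3] |= 1 << (i & 7)
        self.count += 1

    def __contains__(self, item):
        return all(self.bits[i >> 3] & (1 << (i & 7)) for i in self._indexes(item))

    def false_positive_rate(self):
        """Expected false-positive probability after `count` insertions: (1 - e^(-kn/m))^k."""
        return (1 - math.exp(-self.k * self.count / self.m)) ** self.k


def optimal_size(n_items, target_fp):
    """Bits m and hash count k that hold n_items at the target false-positive rate."""
    m = math.ceil(-n_items * math.log(target_fp) / (math.log(2) ** 2))
    k = max(1, round(m / n_items * math.log(2)))
    return m, k


def ngrams(data, n):
    return [data[i:i + n] for i in range(len(data) - n + 1)]


def build_signature_filter(signatures, n, m_bits, k_hashes):
    """Signature mode: insert every n-gram of every signature."""
    bf = BloomFilter(m_bits, k_hashes)
    for sig in signatures:
        for g in ngrams(sig, n):
            bf.add(g)
    return bf


def longest_hit_run(bf, payload, n):
    """Longest run of consecutive payload n-grams that test positive."""
    best = run = 0
    for g in ngrams(payload, n):
        run = run + 1 if g in bf else 0
        best = max(best, run)
    return best


def signature_match(bf, payload, n, min_sig_len):
    """Flag the payload when at least (shortest signature length - n + 1) consecutive
    n-grams hit; an isolated false positive cannot reach that threshold by itself."""
    return longest_hit_run(bf, payload, n) >= min_sig_len - n + 1


def build_baseline_filter(normal_tokens, m_bits, k_hashes):
    """Anomaly mode: insert tokens observed in normal traffic."""
    bf = BloomFilter(m_bits, k_hashes)
    for t in normal_tokens:
        bf.add(t)
    return bf


def anomalous_tokens(bf, tokens):
    """Anomaly mode flags what the filter has never seen (a negative test = flag)."""
    return [t for t in tokens if t not in bf]


# Constructed sample data for illustration only; not taken from any real DAT file.
SIGNATURES = [b"cmd.exe /c powershell -enc", b"/bin/sh -c 'nc -e /bin/sh"]
N = 4
MIN_SIG_LEN = min(len(s) for s in SIGNATURES)
SIG_BF = build_signature_filter(SIGNATURES, N, m_bits=1 << 16, k_hashes=4)
BASELINE_BF = build_baseline_filter([b"GET", b"POST", b"/index.html", b"HTTP/1.1"], 1 << 16, 4)

if __name__ == "__main__":
    hostile = b"POST /upload cmd.exe /c powershell -enc AAAA"
    benign = b"GET /index.html HTTP/1.1"
    print(signature_match(SIG_BF, hostile, N, MIN_SIG_LEN))      # True
    print(signature_match(SIG_BF, benign, N, MIN_SIG_LEN))       # False
    print(anomalous_tokens(BASELINE_BF, [b"GET", b"cmd.exe"]))   # [b'cmd.exe']
    print(len(SIG_BF.bits), "bytes to distribute, expected fp rate %.2e" % SIG_BF.false_positive_rate())
    print(optimal_size(1000, 0.01))                               # (9586, 7)
```

The run-length threshold is what makes signature mode usable in practice: the filter answers "possibly present" for each n-gram, and requiring a contiguous run the length of a signature turns many weak per-n-gram answers into one strong per-payload answer. In anomaly mode the false positives work the other way, since a hostile token that collides with the baseline is missed rather than flagged, so the filter is sized for the baseline's token count and a lower target rate.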
There is an obvious and significant need for robust, lightweight, on-device security that can leverage but is not dependent on network connectivity for protection.