[linux-elitists] RE: Robert Graham's SQL Slammer analysis (was Re: [linux-elitists] MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!)
Fri Jan 31 22:03:37 PST 2003
On Fri, 31 Jan 2003, Steve Beattie wrote:
> On Sat, Feb 01, 2003 at 12:30:48AM -0500, Jay Sulzberger wrote:
> > Oddly enough, if you put
> > changepoint
> > into Google, you mainly get back nonsense about a company named
> > "Changepoint". Of course, that it has this name is a sign that one of the
> > founders knows something.
> > changepoint analysis
> > gets you better stuff, but still no decent introduction is pointed to in
> > the first ten pages of Google results.
> > Here is a paradigm case of changepoint analysis:
> > Consider that every tenth of a second we produce a summary of all traffic
> > to/from a node on the net, this summary being done in tenth-second blocks.
> > Let us form the time series of such summaries. Now we want to know when
> > something of interest to us changes by looking at the time series. An
> > analysis that gives us an answer is a changepoint analysis.
> There is a somewhat vaguely related vein of research in the computer
> security field, called anomaly detection. Mostly, it's been applied to
> host based intrusion prevention and detection (in general, unsuccessfully,
> IMHO), but there are people doing it at the network level, I'm sure.
Yes, "anomaly detection" is very close to "changepoint analysis", many
would say a part of changepoint analysis. Both are much used today in the
analysis of genomic, seismographic, medical, and business data.
> I also seem to recall reading a paper in the last six months that did
> pretty much what you're proposing, restricting the number of outgoing
> connections of a client machine to a tunable limit (n/sec, n ~= 5--10),
> so that even if the machine was 0wned, the amount of bandwidth it could
> effectively use was throttled. Unfortunately, I can't seem to track
> down where I saw it...
> Steve Beattie
> Don't trust programmers?
Yes, throttling is an important part of a standard minimal system. Indeed
there should be almost no nodes on the net without the throttle set very
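Jay's paradigm case above (a summary every tenth of a second, the time series of those summaries, find where it changes) in running form. This is an added example, not code from anyone on the thread: a two-sided CUSUM (Page's test) changepoint detector in Python, run over a constructed series of packets-per-tenth-second counts for one node that starts spraying traffic at block 250, the way an infected host scanning for new victims would. The series, the 150-block warm-up used to learn the baseline, and the drift k and threshold h are my choices, not anything the thread specifies.

```python
"""Online changepoint detection over a per-tenth-second traffic summary.

Added example, not code from the original thread: Page's CUSUM test run over
a constructed series of packet counts per 0.1 s block for one node.
"""
from __future__ import annotations

import random
import statistics
from dataclasses import dataclass
from typing import Iterator


@dataclass
class Alarm:
    index: int          # block in which the statistic crossed the threshold
    start: int          # estimated first block of the new regime
    direction: str      # "up" (more traffic than usual) or "down" (less)
    statistic: float    # CUSUM value at the moment the alarm fired


def make_series(n: int = 400, change_at: int = 250, seed: int = 7) -> list[int]:
    """Constructed data: about 20 packets per 0.1 s block with noise, then
    from block `change_at` the node sprays about 200 per block (assumed
    numbers, chosen to look like a scanning worm, not measured traffic)."""
    rng = random.Random(seed)
    out = []
    for i in range(n):
        mean, sd = (20.0, 4.0) if i < change_at else (200.0, 20.0)
        out.append(max(0, round(rng.gauss(mean, sd))))
    return out


def baseline(series: list[int], warmup: int) -> tuple[float, float]:
    """Mean and standard deviation of the first `warmup` blocks, taken as the
    node's normal behaviour. In practice learn this from a known-clean window."""
    head = series[:warmup]
    return statistics.fmean(head), max(statistics.pstdev(head), 1e-9)


def cusum_alarms(series, mu, sigma, k=0.5, h=10.0, start=0) -> Iterator[Alarm]:
    """Two-sided Page CUSUM on standardised residuals z = (x - mu) / sigma.

    k (in sigmas) is the drift allowance that stops ordinary noise from
    accumulating; h is the decision threshold. A statistic resets after it
    alarms, so a sustained shift keeps alarming block after block until the
    caller re-learns the baseline."""
    s_up = s_dn = 0.0
    up_start = dn_start = start      # first block of the current positive run
    for i in range(start, len(series)):
        z = (series[i] - mu) / sigma
        s_up = max(0.0, s_up + z - k)
        s_dn = max(0.0, s_dn - z - k)
        if s_up == 0.0:
            up_start = i + 1
        if s_dn == 0.0:
            dn_start = i + 1
        if s_up > h:
            yield Alarm(i, up_start, "up", s_up)
            s_up, up_start = 0.0, i + 1
        if s_dn > h:
            yield Alarm(i, dn_start, "down", s_dn)
            s_dn, dn_start = 0.0, i + 1


def detect(series: list[int], warmup: int = 150,
           k: float = 0.5, h: float = 10.0) -> list[Alarm]:
    """Learn the baseline from the warm-up window, then scan the rest."""
    mu, sigma = baseline(series, warmup)
    return list(cusum_alarms(series, mu, sigma, k, h, start=warmup))


if __name__ == "__main__":
    alarms = detect(make_series())
    first = alarms[0]
    print(f"first alarm in block {first.index} (t = {first.index / 10:.1f} s), "
          f"traffic went {first.direction} from block {first.start}, "
          f"statistic {first.statistic:.1f}")
```

With k = 0.5 sigma and h = 10 sigma the detector rides out ordinary noise and fires on the first block of a burst this size; h trades false alarms against detection delay, and sensible values come from the node's own clean traffic, not from a constructed series. The point over a plain per-block threshold is the accumulation: a host that merely doubles its traffic, which no single block would flag, still drives the statistic over h a few blocks later, and `start` tells you roughly when it began.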
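Steve's throttle (outgoing connections from a client capped at n per second so an 0wned box cannot spray the net) as an added example, again not code from the thread or from the paper he is trying to recall: a token-bucket limiter in Python with a delay queue, exercised on a constructed timeline where a user opens two connections a second and then a worm on the same host tries a thousand at once. The limit of 5/s, the burst allowance, the timings and the addresses are all assumptions.

```python
"""Outgoing-connection throttle for a single host.

Added example, not code from the original thread: a host is allowed at most
`limit` new outgoing connections per second; attempts over that are queued,
not dropped, and leave as budget returns. A user at the keyboard never
notices the cap; a worm that tries to reach thousands of hosts is slowed to
`limit` new victims per second no matter how fast it can generate packets.
"""
from __future__ import annotations

from collections import deque


class ConnectionThrottle:
    def __init__(self, limit_per_sec: float = 5.0, burst: float | None = None):
        self.limit = limit_per_sec
        self.capacity = limit_per_sec if burst is None else burst
        self.tokens = self.capacity   # token bucket: one token per new connection
        self.last = None              # time of the last refill
        self.queue = deque()          # destinations waiting for a token
        self.released = []            # (time, dst) pairs that actually went out

    def _refill(self, now: float) -> None:
        if self.last is None:
            self.last = now
        elapsed = max(0.0, now - self.last)   # tolerate a clock step backwards
        self.tokens = min(self.capacity, self.tokens + elapsed * self.limit)
        self.last = now

    def _drain(self, now: float) -> None:
        while self.queue and self.tokens >= 1.0:
            self.tokens -= 1.0
            self.released.append((now, self.queue.popleft()))

    def attempt(self, now: float, dst: str) -> bool:
        """A process asks at time `now` (seconds) to open a connection to dst.
        Returns True if it goes out immediately, False if it was queued."""
        self._refill(now)
        self._drain(now)                      # earlier arrivals go first
        if not self.queue and self.tokens >= 1.0:
            self.tokens -= 1.0
            self.released.append((now, dst))
            return True
        self.queue.append(dst)
        return False

    def tick(self, now: float) -> None:
        """Periodic timer: release queued connections as tokens come back."""
        self._refill(now)
        self._drain(now)


def simulate(limit_per_sec: float = 5.0, worm_burst: int = 1000) -> dict[str, int]:
    """Constructed timeline: a user opens 2 connections/s for 5 s, then at
    t = 5 s a worm on the same host tries to open `worm_burst` connections
    at once. Addresses are made-up (10.0.0.0/8 and TEST-NET-2)."""
    th = ConnectionThrottle(limit_per_sec)
    user_now = sum(th.attempt(i * 0.5, f"10.0.0.{i + 1}") for i in range(10))
    worm_now = sum(th.attempt(5.0, f"198.51.100.{i % 256}") for i in range(worm_burst))
    th.tick(6.0)                              # one second after the burst began
    burst_second = sum(1 for t, _ in th.released if 5.0 <= t <= 6.0)
    return {
        "user_immediate": user_now,
        "worm_immediate": worm_now,
        "out_in_first_burst_second": burst_second,
        "still_queued": len(th.queue),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key:>28}: {value}")
```

Two things worth noting. The cap is on new connections, not on bytes: Slammer needed one small UDP datagram per target, so counting new destinations per second is the handle that bites, and for UDP, where there is no connection to count, the throttle has to key on new (destination, port) pairs instead. Queueing rather than dropping keeps the host usable for its owner, and the queue depth is itself a good anomaly signal for the changepoint analysis above: 990 connections waiting is a machine that suddenly wants to talk to 990 strangers.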