On 2013-05-24 08:38, Richard Stupek wrote:
Pete
I thought the local gbudb got updates from the service or was that a future enhancement?

That's true right now. GBUdb is part of a distributed machine learning system. There is a conversation going on between all SNF nodes where they share their point of view on IP reputations. This happens approximately once per minute, out of band.

Each node alerts the system that they have new activity on a given IP. Then, via the SYNC server(s), each node receives a reflection of the consensus on that IP. So, when an IP is new to a node it will be updated within about a minute with the consensus reputation from the other nodes. As there are more interactions, the consensus matters less and the local experiences matter more -- but the conversation continues so that each node is always influencing the other nodes about any active IPs.

The conversation protocols are intelligent so that there is just enough traffic to accomplish the learning goals and so that a hostile / compromised node cannot poison the system; and so that each node can maintain its own point of view about each IP.

For example: Say node A regularly corresponds with an ISP in blackhatistan. So, node A sees a mixture of good and bad messages. Node B only gets bad messages from the same ISP. Node A will have a local reputation for the ISP that is good enough to let messages through on that system, but node B will have a local reputation for the ISP that blocks most messages. The consensus of all GBUdb nodes will be somewhere in between.

Hope this helps,

_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller
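
The node A / node B behaviour described in the message above, as an added toy model that is not part of the original post and not Message Sniffer's code. The -1..+1 score, the constant `K`, the threshold `BLOCK_AT`, and the use of a plain mean for the consensus are all assumptions made for illustration; GBUdb's actual arithmetic is not given in the message.

```python
from dataclasses import dataclass

K = 20          # assumed: local message count at which local and consensus weigh equally
BLOCK_AT = 0.5  # assumed blocking threshold on the -1 (good) .. +1 (bad) scale


@dataclass
class Record:
    """One node's local good/bad message counts for a single IP."""
    good: int = 0
    bad: int = 0

    @property
    def total(self) -> int:
        return self.good + self.bad

    def score(self) -> float:
        # -1.0 = only good mail seen, +1.0 = only bad mail, 0.0 = no data yet
        return (self.bad - self.good) / self.total if self.total else 0.0


def consensus(records) -> float:
    """Assumed consensus: mean score over the nodes that have seen the IP."""
    seen = [r.score() for r in records if r.total]
    return sum(seen) / len(seen) if seen else 0.0


def effective(local: Record, consensus_score: float) -> float:
    """Blend local and consensus; local weight grows with local experience."""
    w = local.total / (local.total + K)
    return w * local.score() + (1 - w) * consensus_score


def scenario() -> dict:
    a = Record(good=60, bad=40)   # node A: mixed mail from the ISP (constructed)
    b = Record(good=0, bad=100)   # node B: only bad mail from the ISP (constructed)
    c = Record()                  # node C: has never seen this IP
    net = consensus([a, b])       # what the sync step reflects back to each node
    out = {"consensus": net, "A": effective(a, net),
           "B": effective(b, net), "C_new": effective(c, net)}
    c.bad += 5                    # node C then receives five bad messages itself
    out["C_after_5_bad"] = effective(c, net)
    return out


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name:14s} {value:+.2f}  {'BLOCK' if value >= BLOCK_AT else 'pass'}")
```

Under these assumed constants node A keeps passing the ISP's mail, node B keeps blocking it, the consensus sits in between, and a node that is new to the IP starts at the consensus and drifts toward its own experience.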


#############################################################
This message is sent to you because you are subscribed to
 the mailing list <sniffer@sortmonster.com>.
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com