On 2013-05-24 08:38, Richard Stupek wrote:
Pete
I thought the local gbudb got updates from the service or was that a
future enhancement?
That's true right now. GBUdb is part of a distributed machine learning
system. There is a conversation going on between all SNF nodes where
they share their point of view on IP reputations. This happens
approximately once per minute, out of band.
Each node alerts the system that they have new activity on a given IP.
Then, via the SYNC server(s), each node receives a reflection of the
consensus on that IP. So, when an IP is new to a node it will be updated
within about a minute with the consensus reputation from the other
nodes. As there are more interactions, the consensus matters less and
the local experiences matter more -- but the conversation continues so
the each node is always influencing the other nodes about any active IPs.
The conversation protocols are intelligent so that there is just enough
traffic to accomplish the learning goals and so that a hostile /
compromised node cannot poison the system; and so that each node can
maintain it's own point of view about each IP.
For example: Say node A regularly corresponds with an ISP in
blackhatistan. So, node A sees a mixture of good and bad messages. Node
B only gets bad messages from the same ISP. Node A will have a local
reputation for the ISP that is good enough to let messages through on
that system, but node B will have a local reputation for the ISP that
blocks most messages. The consensus of all GBUdb nodes will be somewhere
in between.
Hope this helps,
_M
--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller
#############################################################
This message is sent to you because you are subscribed to
the mailing list <sniffer@sortmonster.com>.
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: <sniffer-...@sortmonster.com>
To switch to the DIGEST mode, E-mail to <sniffer-dig...@sortmonster.com>
To switch to the INDEX mode, E-mail to <sniffer-in...@sortmonster.com>
Send administrative queries to <sniffer-requ...@sortmonster.com>