Collective threat intelligence is the use of combined information from many sources to detect, identify, and (ultimately) mitigate attacks, and has been applied to cyber-security for many years. The approach has typically been applied to protect human-operated systems and required human agents to collect the intelligence. But now, it seems, it can also benefit the Internet of Things (IoT).
A company called Webroot recently announced technology that will allow implementation of collective threat intelligence for the IoT. The Webroot Intelligence Network has three components: a monitoring agent running on deployed systems, an analytic engine that assesses threats, and security service that serves as both a repository and distributor of threat information. The idea is to form a kind of “shared consciousness” of real-time data so that a never-before-seen cyber-attack on one system will be automatically identified and the information made available to all the other deployed systems.
A key element of Webroot's technology is the analysis engine, which the company claims uses a unique approach to machine learning called maximum entropy discrimination. It allows the engine to classify and evaluate URLs, IP addresses, files, and mobile apps that seek to interact with a protected system. The quoted specs indicate the engine can classify more than 2500 URLs per second with less than 2% error rate.
Fully-realized agents in this system require about 750k of code space, so they are best suited for IoT networks that employ a gateway (which would hold the agent) as an intermediary between the end nodes and the wide area network. For those IoT devices that connect directly to the WAN, a developer would need to work with Webroot to evaluate the device's CPU and memory footprint as well as its intended data content to see what kind of protection is needed and what type of agent can be implemented. The company is also actively looking to create links into real-time operating systems to facilitate protection of endpoint devices.
The approach may not be suitable for everything in the IoT, at least as far as the IoT is currently envisioned. Expectations are that there will be many endpoint devices directly connected to the WAN without the resources to implement the approach. It's debatable how many of those devices will actually need extensive protection, but there are likely to be some. Still, the idea of collective threat intelligence looks very promising as an approach to IoT security that doesn't require each design team to independently solve the security problem.