If it takes 100-200 well financed hackers to build reputation over time and ultimately risk burning that reputation to hide some malware from a subset of ambassadors, I'd say we've won. That bar is far higher than today's status quo - this is a much more costly endeavor than what is required to evade AV today.
No system can be 100% perfect, including PolySwarm, but PolySwarm is far better than today's environment if such resources are required to pull off such an attack.
We have a multi-pronged approach, targeting enterprise, ambassador and security expert onboarding, respectively.
At a high level, we will foster a network effect, playing enterprise interest toward security experts (more bounties available) and then security expert interest toward ambassadors and enterprises (increasingly quality threat intelligence). This two-sided effect will naturally encourage uptake on the opposite side.
1. Sponsor PolySwarm integration into existing incident response (IR) and defensive toolkits.
PolySwarm will offer Nectar bounties (from Swarm Technologies, Inc’s holding) as reward for open source contributions to widely used IR, defense and forensics toolkits. Specifically, we will target open source projects like Facebook’s osquery, and The Sleuth Kit / Autopsy.
By making it trivial to use PolySwarm with these tools, PolySwarm seamlessly plugs into existing workflows. Some users will choose to leverage PolySwarm and any such leverage will help create a network effect.
2. Partnership with existing threat intelligence vendors, offering early Arbitership as incentive to plug into the network.
Existing threat intelligence companies will desire to become Arbiters in the PolySwarm ecosystem. PolySwarm will offer designated arbitership to chosen Arbiters to help bootstrap the network. This will be a limited-time offer, after which Arbiters must maintain high ecosystem throughput to maintain their status.
3. Hackathons, competitions and sponsorship directed toward information security expertise, with an emphasis toward markets that already participate heavily in vulnerability bug bounty programs.
This one is pretty self-explanatory. We will target information security conferences in Eastern Europe, Asia, Latin and South America in particular.
This was alluded to a little in the previous question and response.
In addition to the response above, PolySwarm plans to host a Nectar-for-artifact bounty program to help build a corpus of "swarmed" artifacts in the network and get initial people onboard. Security experts will receive Nectar in response to "swarming" malicious artifacts during this Beta period. Prior to Arbiter establishment, malintent determination will be outsourced.
Beyond this mass market approach, all of the founders and many of our friends and colleagues work in the Information Security industry. Many of them have custom malware analysis tools that they develop for their work or hobbies that could be reconfigured to work as microengines.
We speak with graduate and PhD students at conferences and events that have the technical skills to build and run microengines, but cannot get jobs at cyber security companies due to their nationality or choice of home location.
The quality security experts are out there, and we are giving them the means to participate.
PolySwarm will enable companies like Palo Alto to enhance their offerings by being able to solicit crowdsourced opinion on files they're unsure of. Today, they reach out to VirusTotal (and pay handsomely to do so). Tomorrow, with PolySwarm, they'll get access to a broader set of security expertise without a middle man (VirusTotal is owned by Google).
From the enterprise perspective, should Palo Alto plug into PolySwarm, the enterprise will see better detection rates. Palo Alto will save money and ideally those savings will be passed down to the customer. In the PolySwarm ecosystem, Palo Alto (PA) is an "Ambassador".
Yes. More specifically, it's a set of smart contracts that define how threat intelligence is sourced and how good threat intelligence is rewarded at the expense of bad (inaccurate) threat intelligence.
We expect some larger enterprises to participate directly in the marketplace (bypassing Ambassadors), and one of our big goals is to make Ambassadorship as accessible as possible -- today you need funding rounds, marketing, HR, etc, etc, to build a company like Palo Alto Networks. Tomorrow, we hope that the raw statistics surrounding each Ambassador's performance, coupled with the autonomous nature of the market, will allow for more streamlined operations - mini-Ambassadors if you will - that wouldn't fit into today's market, but would thrive in PolySwarm.
In other words, only a few can get listed as a vendor on VirusTotal, but anyone can call themselves an Ambassador on PolySwarm. Ambassadors will have to maintain their quality of service and reputation to attract enterprises and end users as customers.
In the PolySwarm marketplace, an Ambassador submits a request asking Security Experts to analyze a suspicious artifact, such as files, URLs, or network traffic. The requests submitted into the marketplace come in two forms.
The first is in the style of a Wild-West wanted poster, called a "Bounty", and is open to all Security Experts to respond. Think, "WANTED, Malicious? or Benign?" The second is in the form of a direct "Offer", which is directed at a specific security expert. Think, "Mr Anderson, do you have time to take a look at this file? I’ll give you 0.15 NCT to tell me if it is Malicious or Benign."
Security Experts encode their expertise in automated analysis tools, called "microengines", which will process an artifact if a) the microengine supports it, and b) the Security Expert thinks the payment is worthwhile. All analysis results are provided to the Ambassador, then the Arbiters review the results to determine which are correct. Finally, all Security Experts that provided correct results fast get paid in Nectar!
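The Bounty flow just described, as an added illustrative simulation that is not PolySwarm's own contract code: experts back a verdict with a stake, Arbiters supply ground truth, and correct experts split the bounty plus the losing stakes, with earlier answers weighted higher. The staking rule, the majority-of-Arbiters rule, the speed weighting and the round data are assumptions constructed for this example.

```python
# Added illustrative simulation of one PolySwarm-style Bounty round.
# NOT PolySwarm's contract code; every payout rule below is an assumption.
from collections import Counter
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Assertion:
    expert: str
    verdict: str        # "malicious" or "benign"
    stake: Fraction     # NCT the expert risks on this verdict (assumed rule)
    block: int          # block in which the assertion was recorded

def arbiter_verdict(votes: List[str]) -> Optional[str]:
    """Majority verdict of the Arbiters; None on a tie or with no votes."""
    tally = Counter(votes).most_common()
    if not tally or (len(tally) > 1 and tally[0][1] == tally[1][1]):
        return None
    return tally[0][0]

def settle_bounty(bounty: Fraction, posted_block: int,
                  assertions: List[Assertion], votes: List[str]) -> Dict[str, Fraction]:
    """Return the NCT owed to each party once the Arbiters have ruled.

    Assumed rules: correct experts get their stake back plus a share of the
    bounty and of the incorrect experts' stakes, weighted by how soon after
    posting they answered; with no ground truth the whole round is refunded.
    One assertion per expert is assumed.
    """
    truth = arbiter_verdict(votes)
    if truth is None:                       # Arbiters disagree: unwind the round
        refunds = {a.expert: a.stake for a in assertions}
        refunds["ambassador"] = bounty
        return refunds
    winners = [a for a in assertions if a.verdict == truth]
    losers = [a for a in assertions if a.verdict != truth]
    pot = bounty + sum((a.stake for a in losers), Fraction(0))
    if not winners:                         # nobody was right: ambassador keeps the pot
        return {"ambassador": pot}
    # Speed weight 1/(1 + blocks after posting): first-block answers count most
    weight = {a.expert: Fraction(1, 1 + a.block - posted_block) for a in winners}
    total = sum(weight.values())
    return {a.expert: a.stake + pot * weight[a.expert] / total for a in winners}

# Constructed sample round: a 0.5 NCT bounty posted at block 100, three experts, three Arbiters
SAMPLE_BOUNTY = Fraction(1, 2)
SAMPLE_ASSERTIONS = [
    Assertion("alice", "malicious", Fraction(1, 10), 101),
    Assertion("bob",   "malicious", Fraction(1, 10), 103),
    Assertion("carol", "benign",    Fraction(2, 10), 102),
]
SAMPLE_VOTES = ["malicious", "malicious", "benign"]

if __name__ == "__main__":
    for party, nct in settle_bounty(SAMPLE_BOUNTY, 100, SAMPLE_ASSERTIONS, SAMPLE_VOTES).items():
        print(f"{party}: {float(nct):.4f} NCT")
```

Nectar is conserved in every branch: the payouts always sum to the bounty plus all stakes, which is the property to check first when reviewing any reward rule of this kind.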
Excellent question (all of these are excellent questions)! If ground truth is wrong (Arbiters are wrong), this could mean one of two things: (1) the Arbiter honestly got it incorrect, (2) the Arbiter is malicious.
For #1, PolySwarm will correct itself much like today's market corrects itself - one vendor detects WannaCry, publishes it, reaps marketing benefit, other vendors jump on the detection bandwagon. If they're more pointed about it, Vendor X calls out Vendor Y for failing to protect customers against a threat that Vendor X uniquely identifies. Again, the benefit here is a marketing coup. This process happens externally from the core market - it's a feedback loop driven by a natural desire to win customers. It's how it works today and how it'll work in PolySwarm.
For #2, this is more complex. I believe this is best addressed by maintaining a record of trustworthiness of participants / reputation. This is not something that will be built into the market, but one of those "secondary market" value-added services we expect to arise.
There’s a great book called "Who Gets What and Why" by Alvin Roth. He talks about market design for a ton of things: organ donation, public school lotteries, and how doctors get picked for residency. We felt that bounties and offers were the best ways to incentivize experts to do what we wanted, detect threats, while still providing the ability to reward them.
For bounties, specifically, they’re based around the prediction market concept. We needed a way to have multiple security experts weigh in on the malintent of files without shrinking the reward pile each time one weighed in. So if it feels like Dungeons & Dragons, blame market design and game theory! This is also why we hired a Chief Economist who monitored the performance of the marketplaces and suggested bounty amounts, fees, and other settings that helped the market be both thick (read: enough transactions to be interesting) and safe for participants.
End users will benefit from PolySwarm by being exposed to better-valued services. We don't expect most end users to directly interact with the PolySwarm network; this is the role that Ambassadors fill.
PolySwarm Ambassadors will be today's familiar, existing AV companies (like AVAST) as well as new companies made possible by PolySwarm’s economic model.
We expect to see new companies acting as Ambassadors that serve as a direct conduit to the PolySwarm network. These new companies will exchange end user subscription fees for a convenient link to the PolySwarm network, handling Bounties and Offers on behalf of their end user customers. This new type of company will almost certainly have lower cost relative to monolithic offerings seen today. We believe this will translate into a better value for the end user.
In short: most end users will continue to engage with a subscription-based service, but will get more protection for less money due to the efficiencies made possible by PolySwarm's crowdsourced, distributed design.
It’s a different market and we wish them success. Hacken is decentralizing bug (vulnerability) bounties against corporate sites and software, basically security experts doing manual analysis against unique targets.
We’re pretty familiar with the bug bounty market: average transaction value is 400-500 USD per bounty. Hacken’s market requires manual review to evaluate whether bounties are won or not. There are probably on the order of thousands of transactions a year.
Conversely, PolySwarm deals with the sort of threat intelligence that can be *automated*, such as anti-virus. Anti-virus companies, worldwide, see billions of samples a day, and probably tens of millions are unique. Transaction value ranges from 0.0025 to 0.015 USD per file/URL/artifact scan. All microengines and the vast majority of ground truth determination in PolySwarm will be automated.
Manual review of a smallish binary takes the better part of a day or two. For larger applications, we are talking many days or even weeks.
For the past 20 years we’ve had the same economic model for threat detection: centralize, hire a small team of developers locally, and de-prioritize R&D and addressing current threats once the company achieves customer stability.
Signature based antivirus companies try to solve for common "known" malware, but tend to fail to detect new threats. A market of single-vendor solutions rewards duplication of effort across vendors, discourages investment in specialized detection capabilities and encourages vendor lock-in via mutually incompatible software packages.
These companies are structured in a way that rewards chasing threats against widely used software. They are financially incentivized to go after large threats to maintain a large client base. And while widespread vulnerabilities are indeed a concern, each of us as individuals is much more likely to be hit by smaller everyday threats.
Our thesis has always been that security expertise works better in a competitive environment where experts are incentivized to stay up to date. That’s the gap we’re trying to fill: make it continually profitable to protect users.
PolySwarm is a decentralized anti-virus and cyber threat intelligence market made possible by Ethereum smart contracts and the blockchain.
PolySwarm brings enterprises, consumers, vendors and geographically-diverse security experts together into a single marketplace for more complete cyber threat detection. Experts craft and maintain competing software "microengines" that quickly identify the latest threats, attempting to outperform their competition. The combined protection of thousands of microengines allows for broader, faster coverage and more efficient threat intelligence.
(Steve, CEO) I grew up in a small farming town in California. Broke into a company’s computers when I was like, 11, they caught me but some of the IT guys took me under their wings and gave me a summer job through high school. That’s how I got started in security. From there, my team and I have built up Narf Industries and done a lot of cool projects for everyone from DARPA to Commercial clients. We’ve also played a lot of hacking competitions, or CTFs at Defcon and the like.
PolySwarm grew out of frustration we had doing work on Narf. We’d developed all these cool tools that had narrow, but deep, applications to cyber threat detection and mitigation but didn’t have a way to get them looking at real stuff the enterprise was facing. That’s why we made PolySwarm: we knew there were other small security shops like us that had tools that could protect users. Additionally, there was no good way to get access to all of these tools through one interface. That’s also where PolySwarm comes in: it serves as one big umbrella built from a collection of the best security expertise.
This economics problem: always incentivizing security experts to keep their solutions up to date for better protecting users against new threats. The problem is important because it ultimately increases costs for attackers by increasing compensation and vigilance for the defense across a wide range of viewpoints.
We’re currently developing a stress test that will get security experts on board. Security experts will be able to link us to suspect files in exchange for an airdrop of Nectar. These suspect files will be Bountied on the Ethereum testnet, testing our smart contracts and will be scanned by us (imitating a security expert). Our scanning will be done by ClamAV (an open source AV). Experts will be rewarded for submitting unique samples (and helping us stress test). One sample maximum per day, bonuses given for specific malware families, announced via our Telegram channel. PolySwarm targets security experts, whereas Crypto Kitties targets the public at large. What we’re building should be more limited in interest. Further, PolySwarm has built-in fees to deter spamming efforts.
There are several reasons, but most importantly a token insulates the ecosystem from the rapid fluctuation in the USD:ETH exchange rate. It would be quite bad if security experts withheld their expertise until a more favorable exchange rate was offered. By having our own token, the token’s utility should closely track the utility of the threat intelligence offered by the PolySwarm network, making it a no-brainer to contribute expertise irrespective of the USD:ETH exchange rate.
Nectar is PolySwarm’s token, and it allows enterprises and users to obtain threat detection services from security experts; it’s essentially used as the currency for all transactions within the marketplace.
Blockchain technology - distributed, append-only ledgers - opened the door for distributed computing platforms. Ethereum is one such platform, allowing anyone to author smart contracts and execute them in a distributed, trust-minimal manner. We’re using smart contracts to intelligently design - literally program - the rules of the road: how market participants interact, what sort of behavior is rewarded, how rewards are dispersed, etc. Ethereum provides the basis for programmed, intelligent market design - something that was not possible only 4 years ago. PolySwarm is the application of this primitive to the threat intelligence space - something the PolySwarm team is intimately familiar with. PolySwarm will offer better incentives: a global, crowdsourced community of security experts will compete against one another to best protect enterprises and end users. The economic mechanics are defined for all to see.
Nectar serves to isolate PolySwarm from external market forces, including the value of Ether (ETH) and the performance of applications that transact in Ether. Nectar-based isolation will allow for more consistency in PolySwarm market behavior, enabling participants to transact with greater confidence and reducing perverse incentives that would otherwise harm the PolySwarm Market.
We have several strategies to cope with congestion issues. First, Bounties will support "batching" artifacts. By that I mean an ambassador can submit a group of, say, 256 samples at once into a bounty without incurring individual bounty overhead. Similarly, assertions can be batched. Second, our Offer mechanism uses Raiden micro-channels to transact off-chain and periodically settle. Finally, we're looking forward to Ethereum's Plasma and Casper scalability improvements. If they go well, no issue. If they don't, we'll consider adopting a Merkle hash tree into our own design for Bounties and Offers and explore alternative blockchains like QTUM and maybe EOS. Unfortunately no other blockchains are mature enough yet.