If it takes 100-200 well-financed hackers to build reputation over time and ultimately risk burning that reputation to hide some malware from a subset of ambassadors, I'd say we've won. That bar is far higher than today's status quo - this is a much more costly endeavor than what is required to evade AV today.
No system can be 100% perfect, including PolySwarm, but PolySwarm is far better than today's environment if such resources are required to pull off such an attack.
We have a multi-pronged approach, with prongs targeting enterprise, Ambassador and Security Expert onboarding.
At a high level, we will foster a network effect, playing enterprise interest toward security experts (more bounties available) and then security expert interest toward ambassadors and enterprises (increasingly high-quality threat intelligence). This two-sided effect means uptake on one side will naturally encourage uptake on the other.
1. Sponsor PolySwarm integration into existing incident response (IR) and defensive toolkits.
PolySwarm will offer Nectar bounties (from Swarm Technologies, Inc's holding) as rewards for open source contributions to widely used IR, defense and forensics toolkits. Specifically, we will target open source projects like Facebook's osquery and The Sleuth Kit / Autopsy.
By making it trivial to use PolySwarm with these tools, PolySwarm seamlessly plugs into existing workflows. Some users will choose to use PolySwarm, and each such use will help create a network effect.
2. Partnership with existing threat intelligence vendors, offering early Arbitership as incentive to plug into the network.
Existing threat intelligence companies will desire to become Arbiters in the PolySwarm ecosystem. PolySwarm will offer designated arbitership to chosen Arbiters to help bootstrap the network. This will be a limited-time offer, after which an Arbiter must maintain high ecosystem throughput to keep its status.
3. Hackathons, competitions and sponsorship directed toward information security expertise, with an emphasis on markets that already participate heavily in vulnerability bug bounty programs.
This one is pretty self-explanatory. We will target information security conferences in Eastern Europe, Asia, Latin and South America in particular.
Beyond this mass-market approach, all of the founders and many of our friends and colleagues work in the information security industry. Many of them have custom malware analysis tools, developed for their work or hobbies, that could be reconfigured to work as microengines.
We speak with graduate and PhD students at conferences and events who have the technical skills to build and run microengines, but cannot get jobs at cyber security companies due to their nationality or choice of home location.
PolySwarm will enable companies like Palo Alto to enhance their offerings by being able to solicit crowdsourced opinions on files they're unsure of. Today, they reach out to VirusTotal (and pay handsomely to do so). Tomorrow, with PolySwarm, they'll get access to a broader set of security expertise without a middle man (VirusTotal is owned by Google).
From the enterprise perspective, should Palo Alto plug into PolySwarm, the enterprise will see better detection rates. Palo Alto will save money and ideally those savings will be passed down to the customer. In the PolySwarm ecosystem, Palo Alto (PA) is an "Ambassador".
In the PolySwarm marketplace, an Ambassador submits a request asking Security Experts to analyze a suspicious artifact, such as a file, URL, or network traffic. Requests submitted into the marketplace come in two forms.
The first is in the style of a Wild-West wanted poster, called a "Bounty", and is open to all Security Experts to respond. Think, "WANTED: Malicious? or Benign?" The second is in the form of a direct "Offer", which is directed at a specific Security Expert. Think, "Mr Anderson, do you have time to take a look at this file? I'll give you 0.15 NCT to tell me if it is Malicious or Benign."
Security Experts encode their expertise in automated analysis tools called "microengines", which will process an artifact if a) the microengine supports that kind of artifact, and b) the Security Expert thinks the payment is worthwhile. All analysis results are provided to the Ambassador, then the Arbiters review the results to determine which are correct. Finally, all Security Experts that provided correct results quickly get paid in Nectar!
Excellent question (all of these are excellent questions)! If ground truth is wrong (Arbiters are wrong), this could mean one of two things: (1) the Arbiter honestly got it incorrect, (2) the Arbiter is malicious.
For #1, PolySwarm will correct itself much like today's market corrects itself - one vendor detects WannaCry, publishes it, reaps marketing benefit, other vendors jump on the detection bandwagon. If they're more pointed about it, Vendor X calls out Vendor Y for failing to protect customers against a threat that Vendor X uniquely identifies. Again, the benefit here is a marketing coup. This process happens externally from the core market - it's a feedback loop driven by a natural desire to win customers. It's how it works today and how it'll work in PolySwarm.
For #2, this is more complex. I believe this is best addressed by maintaining a record of trustworthiness of participants / reputation. This is not something that will be built into the market, but one of those "secondary market" value-added services we expect to arise.
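The bounty lifecycle described above (an Ambassador posts a bounty, microengines assert a verdict, Arbiters settle ground truth, and the correct, fast experts are paid) together with the off-market reputation record suggested for the malicious-Arbiter case, modelled as a small Python simulation. This is an added illustration, not PolySwarm's own code or contract logic: the simple-majority Arbiter vote, the 1/(1+rank) speed weighting of payouts, the artifact identifier and the participant names are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Assertion:
    expert: str    # Security Expert (microengine operator) making the claim
    verdict: str   # "malicious" or "benign"
    block: int     # block at which the assertion was recorded; lower = faster


@dataclass
class Bounty:
    artifact: str                 # identifier of the artifact under analysis
    reward_nct: float             # reward the Ambassador put up, in NCT
    assertions: list = field(default_factory=list)


def ground_truth(arbiter_votes):
    """Settle ground truth by simple majority of Arbiter votes (assumption).
    Returns None when there are no votes or the vote is tied, so nothing is paid."""
    if not arbiter_votes:
        return None
    ranked = Counter(arbiter_votes.values()).most_common()
    if len(ranked) > 1 and ranked[0][1] == ranked[1][1]:
        return None
    return ranked[0][0]


def settle(bounty, truth):
    """Split the reward among correct assertions, weighted by speed (assumption):
    rank r = 0 for the fastest correct block, weight 1/(1+r); equal blocks share a rank.
    Incorrect experts get nothing and do not appear in the result."""
    correct = [a for a in bounty.assertions if a.verdict == truth]
    if not correct:
        return {}
    rank = {b: i for i, b in enumerate(sorted({a.block for a in correct}))}
    weights = {a.expert: 1.0 / (1 + rank[a.block]) for a in correct}
    total = sum(weights.values())
    return {expert: bounty.reward_nct * w / total for expert, w in weights.items()}


class ReputationLedger:
    """Off-market trust record: how often each participant (expert or Arbiter)
    agreed with settled ground truth. An Arbiter that repeatedly disagrees with
    its peers accumulates a low score, the trace a careless or dishonest Arbiter leaves."""

    def __init__(self):
        self.agreed = Counter()
        self.seen = Counter()

    def record(self, participant, verdict, truth):
        self.seen[participant] += 1
        if verdict == truth:
            self.agreed[participant] += 1

    def score(self, participant):
        n = self.seen[participant]
        return self.agreed[participant] / n if n else None


def run_bounty(bounty, arbiter_votes, ledger):
    """Full cycle: Arbiters settle truth, correct experts are paid, and every
    participant's reputation is updated. Returns (truth, payouts); an unsettled
    bounty pays nothing and leaves the ledger untouched."""
    truth = ground_truth(arbiter_votes)
    if truth is None:
        return None, {}
    for a in bounty.assertions:
        ledger.record(a.expert, a.verdict, truth)
    for arbiter, vote in arbiter_votes.items():
        ledger.record(arbiter, vote, truth)
    return truth, settle(bounty, truth)


# Constructed sample: one 0.15 NCT bounty, four microengine assertions, three Arbiters.
SAMPLE_BOUNTY = Bounty(
    artifact="sha256:<constructed-placeholder>",
    reward_nct=0.15,
    assertions=[
        Assertion("alice", "malicious", block=10),
        Assertion("bob", "malicious", block=10),
        Assertion("carol", "benign", block=11),
        Assertion("dave", "malicious", block=12),
    ],
)
SAMPLE_VOTES = {"arbiter-1": "malicious", "arbiter-2": "malicious", "arbiter-3": "benign"}

if __name__ == "__main__":
    ledger = ReputationLedger()
    truth, payouts = run_bounty(SAMPLE_BOUNTY, SAMPLE_VOTES, ledger)
    print("ground truth:", truth)
    for expert, nct in sorted(payouts.items()):
        print(f"  {expert:6s} paid {nct:.4f} NCT")
    print("arbiter-3 reputation:", ledger.score("arbiter-3"))
```

In the sample run, alice and bob (fastest, same block) each receive 0.06 NCT, dave receives 0.03 NCT for the slower correct answer, and carol receives nothing; arbiter-3, the lone dissenter, ends the round with a reputation score of 0.0 while the bounty itself still settles, since one Arbiter cannot outvote two. A tied Arbiter vote returns no ground truth, so no Nectar moves and no reputation is recorded.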
Conversely, PolySwarm deals with the sort of threat intelligence that can be *automated*, such as anti-virus. Anti-virus companies, worldwide, see billions of samples a day, of which probably tens of millions are unique. Transaction value ranges from 0.0025 to 0.015 USD per file/URL/artifact scan. All microengines and the vast majority of ground truth determination in PolySwarm will be automated.
PolySwarm brings enterprises, consumers, vendors and geographically-diverse security experts together into a single marketplace for more complete cyber threat detection. Experts craft and maintain competing software "microengines" that quickly identify the latest threats, attempting to outperform their competition. The combined protection of thousands of microengines allows for broader, faster coverage and more efficient threat intelligence.
There are several reasons, but the most important is that a token lets us decouple this ecosystem from sharp swings in the USD/ETH exchange rate. If Security Experts held back their expertise until the exchange rate became more favorable, the result would be unfortunate. By having our own token, the token's utility is tied closely to the utility of the threat intelligence provided on the PolySwarm network, so expertise is provided without hesitation, regardless of the USD/ETH exchange rate.