Cory Doctorow has an interesting article he posted while cruising about high above the earth in his blogosphere about an immune system for the internets.  He brings up some curious points about how difficult it is to unfuck the immune system once it thinks something fishy is going on, and then goes on to compare the immune system's issues with how dangerously hard it is to get a computer system to acknowledge that you are in fact harmless once it identifies you as a threat.  This metaphor of the internet as a body with an immune system made me think of the other implications contained therein.

Doctorow suggests that perhaps something should be done to automate the unfucking of these systems.  For example, he recalls staying at a hotel whose network decided his laptop's frequent pings towards other hosts on the network were the start of some malicious port-scanning, when in fact it was just a game he was playing on his laptop attempting to find other hosts to play with.  If only he could hit a reset button to restore internet access to his hotel room as easily as he tripped the "DANGER HAXX!" tripwire!

Well, why can't he?  Just like we have sophisticated immune systems built over time, we could rig networks with sophisticated immune systems built from experience.  Why not have multiple layers of defense, with incremental response?  Instead of just hosing anything looking for hosts, the hotel might consider this a step to future hosing.  First, is the offender checking many ports all over?  Yes.  Branch down MULTPORTS path of the decision tree.  Instead of cutting access here, seek to understand what the program is doing.  Check the packet payload.  Hmm, its structure looks similar to another branch of the tree, GAMEPACKET.  Use Bayesian filtering to decide that it either is or isn't a game packet.  If it is, let it go about its merry way.  If it isn't, seek other possible intents that match the packet.  If none are found, kill the program.  If it is legit, the man in the hotel room will call up and complain, and you can add another layer to your filter. 
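The incremental response described above, sketched in Python as an added example (not code from Doctorow's article or from this post). The class and function names, thresholds, port number and sample payloads are all constructed for illustration; the "call up and complain" step corresponds to one more `train("game", ...)` call.

```python
import math
from collections import Counter

class PayloadBayes:
    """Naive Bayes over payload byte bigrams, add-one smoothing (illustrative)."""
    LABELS = ("game", "other")

    def __init__(self):
        self.counts = {label: Counter() for label in self.LABELS}
        self.docs = Counter()

    @staticmethod
    def features(payload):
        return [payload[i:i + 2] for i in range(len(payload) - 1)]

    def train(self, label, payload):
        self.counts[label].update(self.features(payload))
        self.docs[label] += 1

    def p_game(self, payload):
        vocab = len(set(self.counts["game"]) | set(self.counts["other"])) + 1
        score = {}
        for label in self.LABELS:
            total = sum(self.counts[label].values())
            s = math.log((self.docs[label] + 1) / (sum(self.docs.values()) + 2))
            for f in self.features(payload):
                s += math.log((self.counts[label][f] + 1) / (total + vocab))
            score[label] = s
        diff = max(-700.0, min(700.0, score["other"] - score["game"]))
        return 1.0 / (1.0 + math.exp(diff))

def decide(probes, clf, fanout_limit=10, game_threshold=0.9):
    """probes: (dst_host, dst_port, payload) tuples seen from one source."""
    if len({(h, p) for h, p, _ in probes}) < fanout_limit:
        return "allow"                      # not scan-like, nothing to do
    # MULTPORTS branch: inspect payloads before cutting access
    scores = [clf.p_game(pl) for _, _, pl in probes if pl]
    if scores and min(scores) >= game_threshold:
        return "allow"                      # GAMEPACKET branch
    return "block"                          # no benign intent matched

def make_classifier():
    """Train on constructed sample payloads (not real captures)."""
    clf = PayloadBayes()
    for pl in (b"LANGAME DISCOVER v1", b"LANGAME DISCOVER v2"):
        clf.train("game", pl)
    for pl in (b"GET / HTTP/1.0\r\n\r\n", bytes(range(8))):
        clf.train("other", pl)
    return clf

def sweep(payload, n=12):
    """Constructed probe burst: one payload sent to n hosts on port 27015."""
    return [("10.0.0.%d" % i, 27015, payload) for i in range(1, n + 1)]
```

A burst of known game discovery packets is allowed, a payload-less sweep is blocked, and an unfamiliar game is blocked until its payload is added to the training set.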

This sort of ad-hoc system for determining intent would be interesting to implement.  Perhaps it would find too many false positives to be useful, but it is interesting to think of the ups and downs of an internet immune system, and whether or not it is worth attempting to fix it.