Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

Researchers aim for cheap peer-to-peer zero-day worm defense

Researchers claim peer-to-peer software that shares information about anomalous behaviour could be the key to shutting down computer attacks inexpensively

Shutting down zero-day computer attacks could be carried out inexpensively by peer-to-peer software that shares information about anomalous behaviour, say researchers at the University of California at Davis.

The software would interact with existing personal firewalls and intrusion detection systems to gather data about anomalous behaviour, says Senthil Cheetancheri, the lead researcher on the project he undertook as a grad student at UC Davis from 2004 to 2007. He now works for SonicWall.

The software would share this data with randomly selected peer machines to determine how prevalent the suspicious activity was, he says. If many machines experience the identical traffic, that increases the likelihood that it represents a new attack for which the machines have no signature.

The specific goal would be to detect self-propagating worms that conventional security products have not seen before.

"It depends on the number of events and the number of computers polled, but if there is a sufficient number of such samples, you can say with some degree of certainty that it is a worm," Cheetancheri says. For that decision, the software uses a well-established statistical technique called sequential hypothesis testing, he says

The detection system is decentralized to avoid a single point of failure that an attacker might target, he says.

The task then becomes what to do about it, he says. In some cases, the cost of a computer being infected with a worm might be lower than the cost of shutting it down, in which case it makes sense to leave it running until a convenient time to clean up the worm, he says.

In other cases, the cost to the business of the worm remaining active might exceed the cost of removing the infected machine from the network, he says.

That cost-benefit analysis would be simple to carry out, he says, but network executives would have to determine the monetary costs and enter them into the software configuration so it can do its calculations he says.

End users would not program or modify the core detection engine, he says. "We don't want to have humans in the loop," he says.

He says he and his fellow researchers have set up an experimental detection engine, but it would have to be modified to run on computers in a live network without interfering with other applications and without being intrusive to end users, Cheetancheri says.

So far no one he knows of is working on commercializing the idea.

The software would be inexpensive because it would require no maintenance other than to enter the cost of each computer being disconnected from the network.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: SonicWall, SonicWALL

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the CIO comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: sonicwall, worm, zero day initiative
Latest Blog Posts
Whitepapers
  • 8 reasons why Citrix NetScaler beats the competition
    Application delivery controllers (ADC) are one of the most critical elements of cloud infrastructures and enterprise data centre architectures. ADCs strongly impact performance, scale and security of the entire application environment, so it is extremely important for IT leaders to choose the right one.
    Learn more »
  • Implementing, Serving, and Using Cloud Storage
    Organisations of all types are trying to control costs and satisfy increasing demands at the same time— demands created by explosive data growth and ever-changing regulations. To address these challenges, storage industry professionals are turning to cloud computing and cloud storage solutions.
    Learn more »
  • Book 2 - The Practical Guide to Securing Assets
    Keeping your information technology (IT) systems and information secure in the face of constant changes in hardware, software, threats, and regulations can seem like an impossible task. You must constantly monitor and evaluate asset security controls effectiveness in addition to monitoring regulatory and contractual security requirement compliance. To be effective, you must implement IT controls in context with your entire organisation assets. Read on.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.
Recent comments

HP and IDG news, product videos and resources