Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

Researchers aim for cheap peer-to-peer zero-day worm defense

Researchers claim peer-to-peer software that shares information about anomalous behaviour could be the key to shutting down computer attacks inexpensively

Shutting down zero-day computer attacks could be carried out inexpensively by peer-to-peer software that shares information about anomalous behaviour, say researchers at the University of California at Davis.

The software would interact with existing personal firewalls and intrusion detection systems to gather data about anomalous behaviour, says Senthil Cheetancheri, the lead researcher on the project he undertook as a grad student at UC Davis from 2004 to 2007. He now works for SonicWall.

The software would share this data with randomly selected peer machines to determine how prevalent the suspicious activity was, he says. If many machines experience the identical traffic, that increases the likelihood that it represents a new attack for which the machines have no signature.

The specific goal would be to detect self-propagating worms that conventional security products have not seen before.

"It depends on the number of events and the number of computers polled, but if there is a sufficient number of such samples, you can say with some degree of certainty that it is a worm," Cheetancheri says. For that decision, the software uses a well-established statistical technique called sequential hypothesis testing, he says

The detection system is decentralized to avoid a single point of failure that an attacker might target, he says.

The task then becomes what to do about it, he says. In some cases, the cost of a computer being infected with a worm might be lower than the cost of shutting it down, in which case it makes sense to leave it running until a convenient time to clean up the worm, he says.

In other cases, the cost to the business of the worm remaining active might exceed the cost of removing the infected machine from the network, he says.

That cost-benefit analysis would be simple to carry out, he says, but network executives would have to determine the monetary costs and enter them into the software configuration so it can do its calculations he says.

End users would not program or modify the core detection engine, he says. "We don't want to have humans in the loop," he says.

He says he and his fellow researchers have set up an experimental detection engine, but it would have to be modified to run on computers in a live network without interfering with other applications and without being intrusive to end users, Cheetancheri says.

So far no one he knows of is working on commercializing the idea.

The software would be inexpensive because it would require no maintenance other than to enter the cost of each computer being disconnected from the network.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: SonicWall, SonicWALL

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the CIO comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: sonicwall, worm, zero day initiative
Latest Blog Posts
Whitepapers
  • Six tips for choosing a unified threat management (UTM) solution
    As network security grows more complex, businesses are demanding the simplicity of unified threat management (UTM). Businesses like yours are replacing multiple, outdated and costly appliances from different vendors with a single, reliable UTM solution. The best solutions offer a more powerful way to manage network security today and in the future. UTM also promises to slash your network security management efforts and hardware costs. This whitepaper offers you detailed advice on how to choose the comprehensive unified threat management (UTM) that best suits your business.
    Learn more »
  • IDC Forecast: Worldwide Purpose - Built Backup Appliance 2011 – 2015, Forecast Update: Explosive Growth in 2011
    This IDC Forecast Update provides share positions for revenue and raw capacity for nine named PBBA vendors for the first half of 2011. In addition, this study provides the market size and a five-year forecast for the worldwide PBBA market as part of IDC's Storage Solutions coverage. The five-year forecast includes total factory revenue and raw capacity in terabytes through 2012. The worldwide PBBA market covers both open system-and mainframe-attached products.
    Learn more »
  • Justifying Business Intelligence Applications
    This white paper explores the decision criteria used in a build vs. buy scenario when considering the Oracle BI Applications. The major benefits of the BI Applications will be discussed in the framework of an overall buy vs. build argument.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.
Recent comments