Low-cost strategy developed for curbing computer worms

Jan 13, 2009

Thanks to an ingenious new strategy devised by researchers at University of California, Davis and Intel Corporation, computer network administrators might soon be able to mount effective, low-cost defenses against self-propagating infectious programs known as worms.

Many computers are already equipped with software that can detect when another computer is attempting to attack it. Yet the software usually cannot identify newly-minted worms that do not share features with earlier marauders. When network managers detect suspicious activity, they face a major dilemma, said Senthil Cheetancheri, who led efforts to develop the strategy. "The question is, 'Should I shut down the network and risk losing business for a couple of hours for what could be a false alarm, or should I keep it running and risk getting infected?'"

Cheetancheri, a graduate student in the Computer Security Laboratory at UC Davis when he did the work, has shown that the conundrum can be overcome by enabling computers to share information about anomalous activity. As signals come in from other machines in the network, each computer compiles the data to continually calculate the probability that a worm attack is underway. "One suspicious activity in a network with 100 computers can't tell you much," he said. "But when you see half a dozen activities and counting, you know that something's happening."

The second part of the strategy is an algorithm that weighs the cost of a computer being disconnected from the network against the cost of it being infected by a worm. Results of this ongoing process depend on the calculated probability of an attack, and vary from computer to computer depending on what the machine is used for. The algorithm triggers a toggle to disconnect the computer whenever the cost of infection outweighs the benefit of staying online, and vice versa.

The computer used by a person working with online sales, for example, might be disconnected only when the threat of an attack is virtually certain; the benefit she provides by continuing to work during false alarms far outweighs the cost of infection. On the other hand, a computer used by a copy writer who can complete various tasks offline might disconnect whenever the probability of an attack rises above even a very low level.

The study is published in "Recent Advances in Intrusion Detection, 2008," the proceedings of a symposium that was held in Cambridge, Mass., in September, 2008.

Source: University of California - Davis

Explore further: Researchers parallelize a common data structure to work with multicore chips

add to favorites email to friend print save as pdf

Related Stories

Linux distrib vendors make patches available for GHOST

Jan 29, 2015

Qualys said on Tuesday that there was a serious weakness in the Linux glibc library. During a code audit, Qualys researchers discovered a buffer overflow in the __nss_hostname_digits_dots() function of glibc. ...

Computerised vehicles are vulnerable to hacking and theft

Jan 27, 2015

Theft of vehicles is about as old as the notion of transport – from horse thieves to carjackers. No longer merely putting a brick through a window, vehicle thieves have continually adapted to new technology, ...

US penetrated N. Korea computer systems in 2010: report

Jan 19, 2015

The United States secretly penetrated North Korea's computer systems four years ago—a breach that allowed Washington to insist Pyongyang was to blame for the recent cyberattack on Sony Pictures, the New York Times report ...

Recommended for you

Moving big data faster, by orders of magnitude

Jan 28, 2015

In today's high-productivity computing environments that process dizzying amounts of data each millisecond, a research project named for "a trillion events per day" may seem relatively ordinary.

User comments : 5

Adjust slider to filter visible comments by rank

Display comments: newest first

physpuppy
5 / 5 (1) Jan 13, 2009
he conundrum can be overcome by enabling computers to share information about anomalous activity. As signals come in from other machines in the network, each computer compiles the data to continually calculate the probability that a worm attack is underway.

...
The algorithm triggers a toggle to disconnect the computer whenever the cost of infection outweighs the benefit of staying online, and vice versa


If implemented, who wants to bet that someone will come up with malicious code that causes false positives and triggers this protection code to pull machines off the network.

Corban
not rated yet Jan 13, 2009
The worm would no longer deal damage to computers, but Physpuppy's got the right idea: what about a DDOS?
physpuppy
not rated yet Jan 13, 2009
If you're interested in this sort of thing - security and computer risks, this is an interesting forum with lots of good information:

http://catless.ncl.ac.uk/risks

(Forum On Risks To The Public In Computers And Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator)

NeilFarbstein
not rated yet Jan 13, 2009
you can run but you cant hide
superhuman
not rated yet Jan 14, 2009
The proper solution is to develop an open source standardized operating system and programming software designed with security in mind from the start. Computers are fast enough today to dedicate quite a lot of computing resources to security so a modular simple system with transparent logic capable of being validated with mathematical proofs and tested by everyone is the way to go.

Once governments realize national security depends on software they will hopefully realize it's the way to go and will fund academic efforts aimed at reaching that goal. Don't count on software industry it's not in their interest to produce safe software that lasts.

Current computer technology is mature enough and there is no longer any need for operating system and software to change every few years despite what micro$oft and others who profit on this wants you to think. Current OSes provide everything applications need expect for one thing - security, frequent changes of software is one of the primary reason for poor security.

A properly written OS for business and government applications can easily last decades with only hardware, drivers and applications need to be updated if needed.

The world desperately needs an open, standardized, transparent and safe software platform and it will be developed sooner or later, its inevitable, but the likes of Microsoft will do everything to postpone it.

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.