Researchers put lid on can of worms

gallery

Researchers have devised a way of tagging worms and containing them before they damage computer systems.

The research was carried out by Peng Liu, associate professor of information services and technology and director of the Cyber Security Lab at Penn State University.

The technology, dubbed Proactive Worm Containment (PWC), doesn't rely on signature databases but looks at a packet's rate or frequency of connections and the diversity of connections to other networks - which, the researcher said, allowed PWC to react far more quickly than other technologies.

"A lot of worms need to spread quickly in order to do the most damage, so our software looks for anomalies in the rate and diversity of connection requests going out of hosts," said Liu.

When a host infected with a worm is identified, the technology contains that host so that no packets with worm code can be sent out. Liu said that only a few dozen infected packets may be sent out to other networks before PWC can quarantine the attack. In contrast, the Slammer worm, which attacked Microsoft SQL Server, on average sent out 4,000 infected packets every second, Liu said.

He said that the technology also uses two other techniques to ensure that the host is uninfected. These techniques use vulnerability-window and relaxation analyses to overcome the denial-of-service effect that could be caused by false positive.

"PWC can quickly unblock any mistakenly blocked hosts," Liu said.

The researchers are currently beta-testing the software and said it could be easily integrated with existing signature-based worm filtering systems.

Email to a friend

Print this page