New way to contain Internet Worms
June 16th 2008 09:37
According to new research published in IEEE Transactions on Dependable and Secure Computing, Internet worms could soon become less damaging. The method the researchers have developed watches computers for the behaviour exhibited by infected hosts.
In theory, this method has an advantage over existing ones because it is designed to minimise interference with users’ normal work patterns. Ness Shroff of Ohio State University says the technique could be used in corporate networks and intranets to identify and quarantine infected computers. Large numbers of infected computers on such networks can drastically slow Internet traffic, because worms can crowd out legitimate users’ access to websites or install backdoors that turn the machines into botnets.
The Ohio State method initially targets the class of worms that scan the Internet at random for vulnerable systems, like the “Code Red” worm of 2001, which infected more than 350,000 computers in a matter of hours and cost over $2.5 billion to clean up.
Worms of this class are simple and easy to write, but not as easy to contain. Understanding them is the key to being able to conquer the more troublesome worms out there.
“Many existing models are based on an analogy to the spread of epidemics,” says Shroff. The Ohio State model revealed that the key to whether or not a worm will spread is the total number of times that an infected host scans the Internet in an attempt to find new hosts.
Other methods of containing worms focus on monitoring computers for changes in the rate at which they scan the Internet. But such systems have the potential to interfere with users’ daily activities. “Scan rates fluctuate a lot, so if you go online, you may scan a lot of times during a very short period of time, and then not scan at all,” says Shroff. “We felt that the scan rate was too restrictive and could interfere with the normal operation of the network.”
If instead scans are counted over a longer time scale, worms can be contained without alarming users. Software would monitor the number of scans sent by each computer on the network and quarantine any that exceed a reasonable limit, while legitimate bursts of connections would be less likely to be deemed worm activity.
“In a sense, what we're doing is taking advantage of the fact that this worm is trying a lot of things and missing many times, and each time it misses, it's giving out some information,” Shroff says.
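To make that distinction concrete, here is an added example (not the Ohio State researchers' code; the post gives neither their model nor their thresholds). It runs two detectors over a constructed one-hour trace of outbound connection attempts: a short-window scan-rate check of the kind Shroff criticises, and a long-window count of misses, the probes that found nothing listening. The window sizes, the miss budget, the three host profiles and the hit probabilities are all assumptions chosen for illustration.

```python
"""Added example, not the Ohio State researchers' code: a short-window
scan-rate detector beside a long-window miss-count detector, run on a
constructed trace of outbound connection attempts.  Window sizes, the miss
budget and the three host profiles are assumptions chosen for illustration."""
from collections import defaultdict, deque
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Attempt:
    t: float    # seconds since the start of the trace
    src: str    # host that opened the outbound connection
    dst: str    # destination it tried
    ok: bool    # True if something answered, False if the attempt "missed"


def rate_detector(events, window=10.0, limit=20):
    """Flag any host that makes more than `limit` attempts within any
    `window` seconds, successful or not.  This is the scan-rate style of
    scheme the article says is too sensitive to normal burstiness."""
    recent = defaultdict(deque)
    flagged = set()
    for e in sorted(events, key=lambda e: e.t):
        q = recent[e.src]
        q.append(e.t)
        while q[0] < e.t - window:      # drop attempts older than the window
            q.popleft()
        if len(q) > limit:
            flagged.add(e.src)
    return flagged


def miss_count_detector(events, window=3600.0, budget=100):
    """Quarantine a host once its failed attempts within a long `window`
    exceed `budget`.  Successes are ignored: the signal is the miss, the
    probe that found nothing.  Returns {host: time of quarantine}."""
    misses = defaultdict(deque)
    quarantined = {}
    for e in sorted(events, key=lambda e: e.t):
        if e.ok:
            continue
        q = misses[e.src]
        q.append(e.t)
        while q[0] < e.t - window:
            q.popleft()
        if len(q) > budget and e.src not in quarantined:
            quarantined[e.src] = e.t
    return quarantined


def build_trace(seed=1):
    """Constructed one-hour trace for three hypothetical hosts (not real data)."""
    rng = random.Random(seed)
    events = []
    # pc-legit: a user opening a busy web page every five minutes, 40
    # connections inside two seconds, about 95% of which get an answer.
    for burst in range(12):
        t0 = burst * 300.0
        for i in range(40):
            events.append(Attempt(t0 + rng.uniform(0, 2.0), "pc-legit",
                                  f"site-{i}", rng.random() < 0.95))
    # pc-slowworm: one random-address probe every 8 s for an hour; assume
    # only about 2% of random addresses have a vulnerable listener.
    for k in range(450):
        dst = ".".join(str(rng.randrange(256)) for _ in range(4))
        events.append(Attempt(k * 8.0, "pc-slowworm", dst, rng.random() < 0.02))
    # pc-fastworm: Code Red style, 50 probes per second for 10 s.
    for k in range(500):
        dst = ".".join(str(rng.randrange(256)) for _ in range(4))
        events.append(Attempt(100.0 + k * 0.02, "pc-fastworm", dst,
                              rng.random() < 0.02))
    return events


def compare(events):
    """Return, per host, which detector would have acted on it."""
    rate = rate_detector(events)
    count = miss_count_detector(events)
    hosts = sorted({e.src for e in events})
    return {h: {"rate": h in rate, "miss_count": h in count} for h in hosts}


if __name__ == "__main__":
    for host, verdict in compare(build_trace()).items():
        print(f"{host:12s} rate-flagged={verdict['rate']!s:5s} "
              f"miss-count-quarantined={verdict['miss_count']}")
```

The bursty legitimate host trips the rate check (40 connections in two seconds) but accumulates only a couple of dozen misses in the hour, well under the budget. The slow worm never exceeds two attempts per ten seconds, so the rate check ignores it, yet it is quarantined after its 101st miss, roughly fourteen minutes in; the fast worm trips both. Two caveats a practitioner will want: the monitoring point has to be able to tell a miss from a success (a TCP reset, an ICMP unreachable, or a timeout), which is the same visibility a router-based variant would need; and a worm that keeps its misses under the budget per window is not caught, so the budget is a trade-off between how quickly a host is contained and how often a legitimate one is cut off.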
The process would work best in corporate or educational networks, where the temporary loss of infected computers can be covered by others. In small networks this becomes more difficult because of the workload placed on the remaining systems.
While the Ohio State researchers are concentrating on stopping worms at the level of host computers, another possible direction would be software that lets routers watch for suspicious traffic patterns. That approach would allow a relatively large number of computers to be monitored from a single point, but it would require significant changes to how routers operate: they would have to track the source and destination of Internet traffic.