US researchers have come up with a technique that claims to be able to stop Internet worms within milliseconds of an outbreak.
The Proactive Worm Containment (PWC) system, as its inventors at Penn State University call it, uses no signatures to identify an attack. Instead it relies on the frequency of connections at a packet level, and analyses the number of connections this traffic is making to other networks.
This is said to counter one of the biggest issues in worm defence, namely that they spread at incredible speed before they can be stopped. By the time security systems have recovered, the damage is often done.
To avoid the danger of false positives – the researchers admit that not all traffic showing these patterns is necessarily non-legitimate – the system uses what appear to be algorithmic techniques to double-check the initial diagnosis. Any host identified as spreading a worm is disconnected from the node to which it is attempting to connect and spread its payload. Taken across networks as a whole, this could at least slow down the spread of a particular worm so that defences can be hardened.
“A lot of worms need to spread quickly in order to do the most damage, so our software looks for anomalies in the rate and diversity of connection requests going out of hosts,” said Peng Liu, the leader of the research team at the University.
Liu admits the technique, which is to be patented, cannot stop the movement of slow-spreading worms, though these might be reckoned to be less hazardous. “PWC can quickly unblock any mistakenly blocked hosts,” said Liu.
Penn State’s PWC is far from the first anti-worm system out there. IBM also has its ’Billy Goat’ which creates a series of virtual servers in order to detect and isolate network traffic anomalies, including DDoS attacks and worms.