
February 10th, 2007

Penn State researchers invent anti-worm technology

Posted by Ryan Naraine @ 8:37 am

Categories: Botnets, Data theft, Exploit code, Hackers, Spyware and Adware, Viruses and Worms, Vulnerability research, Zero-day attacks

Tags: Penn State, Network, Worm, Ryan Naraine

Researchers at Penn State have filed a provisional patent for new anti-worm technology that promises to identify and contain network worms milliseconds into an attack without using anti-virus signatures.

The technology, dubbed Proactive Worm Containment (PWC), pinpoints worm activity on a network by looking at the rate or frequency of connections and the diversity of connections to other networks, according to a report on Penn State Live.

A brief overview of the PWC approach can be found in this PDF file.

“A lot of worms need to spread quickly in order to do the most damage, so our software looks for anomalies in the rate and diversity of connection requests going out of hosts,” Peng Liu explained. When suspicious activity is spotted on a host, PWC quarantines that host to block packets associated with a worm from getting out.

However, because a high connection rate does not always indicate worm activity, the new technology includes techniques to verify whether suspect hosts are actually clean. These techniques use vulnerability-window and relaxation analyses to overcome the denial-of-service effect that could be caused by false positives, Peng Liu said.
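A minimal sketch of the rate-and-diversity check described above, added here as an illustration; it is not PWC's code or algorithm, and the window length, thresholds, /24 grouping and sample events are all assumptions constructed for the example. It flags a host only when both the rate and the diversity of its outbound connection attempts exceed a threshold within one window, so a busy host talking to a single server is left alone.

```python
from collections import defaultdict, deque

WINDOW_S = 1.0      # assumed sliding-window length, in seconds
MAX_RATE = 20       # assumed: outbound connection attempts allowed per window
MAX_DISTINCT = 10   # assumed: distinct destination /24 networks allowed per window

def sample_events():
    """Constructed events: (timestamp_s, source_host, destination_ip)."""
    events = []
    for i in range(40):   # 10.0.0.5: burst of 40 attempts to 40 different networks
        events.append((i * 0.01, "10.0.0.5", f"172.16.{i}.7"))
    for i in range(40):   # 10.0.0.9: equally fast, but every attempt hits one server
        events.append((i * 0.01 + 0.005, "10.0.0.9", "192.0.2.10"))
    for i in range(8):    # 10.0.0.7: diverse destinations at a slow pace
        events.append((i * 0.5, "10.0.0.7", f"172.20.{i}.1"))
    return sorted(events)

def network_of(ip):
    """Collapse an IPv4 address to its /24 so diversity counts networks, not hosts."""
    return ip.rsplit(".", 1)[0]

def detect(events):
    """Return {host: time_flagged} for hosts exceeding both thresholds in one window."""
    recent = defaultdict(deque)   # host -> deque of (timestamp, destination network)
    quarantined = {}
    for ts, src, dst in events:
        if src in quarantined:
            continue              # traffic from a contained host is already blocked
        window = recent[src]
        window.append((ts, network_of(dst)))
        while window and ts - window[0][0] > WINDOW_S:
            window.popleft()      # drop attempts that fell out of the window
        rate = len(window)
        diversity = len({net for _, net in window})
        if rate > MAX_RATE and diversity > MAX_DISTINCT:
            quarantined[src] = ts
    return quarantined

if __name__ == "__main__":
    for host, ts in detect(sample_events()).items():
        print(f"quarantine {host} at t={ts:.2f}s")
```

With the constructed data, only the host that combines a high rate with high destination diversity is quarantined; a real deployment would need thresholds tuned to its own traffic baseline.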

According to Penn State Live, the PWC software is currently in beta and can be integrated seamlessly with existing signature-based worm filtering systems.

The idea behind PWC sounds useful but it just might be a day late. The last major network worm, Sasser, occurred in 2004. Since then, the attacks have shifted significantly away from using disruptive worms that create havoc — and raise awareness around software patching. Instead, malware attacks are now smaller and more targeted, relying mostly on social engineering lures.

[UPDATE: February 10, 2007]: Val Smith from the Offensive Computing project pinged me to mention that the Los Alamos National Laboratory already offers NARQ (Network Automated Response and Quarantine), an anti-worm mapping and quarantine system that appears similar to the Penn State technology. Details on NARQ can be found in this 2005 statement.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.



  • Talkback
  • Most Recent of 5 Talkback(s)
Software Can't Protect Software
Gary is right, whether via hard-coded ROM or a dedicated security engine sitting on the BUS as a gatekeeper outside the Host address space the only effective protection against malware is hardware.

Richard...
Posted by: rpjonz Posted on: 02/12/07
Why patent an anti-worm technology?  Grayson Peddie | 02/10/07
Patent technology only to make money, what else.  Mr. Roboto | 02/11/07
Nice try, but...  ejhonda | 02/12/07
two ways  gdstark13 | 02/12/07
Software Can't Protect Software  rpjonz | 02/12/07
