Computer Security: Adapt or Die
As security threats evolve, systems will have to become adaptive and resilient.
Computerworld - Intel Corp. is developing a way for networked computers to “gossip” among themselves, sharing their experiences and “beliefs.” The idea is to stay a step ahead of hackers.
For years, the backbone of computer security has been the use of tools, such as firewalls and virus scanners, that base their actions on knowledge, or “signatures,” of past attacks. But this has two problems: The tools generally don’t recognize new threats, and they can’t be updated rapidly enough to deal with fast-spreading exploits.
The answer, IT researchers say, lies in new tools for “adaptive and resilient computing security,” the name of a recent workshop sponsored by the Santa Fe Institute and BT Group PLC.
“Signature-based technology is limited,” says Robert Ghanea-Hercock, a research engineer at BT in London and the leader of the workshop. “For cutting-edge day-to-day protection, you’ll have to have adaptive things that monitor what’s happening on the network in real time.”
That’s just what Intel is developing. “Anomaly detectors” at local nodes on a network look for evidence of worms, such as unusual spikes in activity. A machine that normally makes just a few network connections per second might suspect that something is amiss if it is suddenly instructed to make connections at a higher rate. So, using a peer-to-peer “gossip” protocol, it transmits to other machines its so-called belief, in the form of a probability, that the network may be under attack. If the total number of beliefs that any given machine receives from other nodes is high enough, it will assume that an attack is under way and take some defensive action, such as sounding an alarm or disconnecting from the network.
Intrusion-detection systems that look for anomalous behavior are not new. And it’s not hard to detect an intrusion by a fast-spreading worm such as the infamous SQL Slammer, which infected more than 10,000 machines per second (response is a different matter). But more recently, hackers have deliberately slowed the spread of their malware so it will pass under the radar of conventional detectors.
The era of massive, highly visible worm attacks has largely passed, says Richard Ford, a computer science professor at the Florida Institute of Technology in Melbourne.
“Now what we are seeing is that hackers keep exploits close to their chests and use them for high-value targets,” he says. “That dramatically changes the threat profile.”
The Intel prototype, called Distributed Detection and Inference (DDI), uses Bayesian probability to detect these more stealthy worms. The idea is that if just one node is seeing a big increase in connections, that could be a temporary, random fluctuation, but 50 nodes experiencing even a modest increase in traffic very likely means that the network is under attack and that a protective response is warranted.
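The peer-to-peer belief sharing and Bayesian aggregation described above, as an added illustration that is not Intel's DDI code: each node turns its own connection-rate anomaly into a capped posterior "belief", gossips its belief table to peers, and fuses every belief it has heard under a conditional-independence assumption. The prior, baseline rate, evidence cap and deterministic doubling gossip schedule are constructed for this example.

```python
import math
from typing import Dict, List

PRIOR = 0.01              # assumed base rate of "network under attack" (constructed)
BASELINE, STD = 5.0, 2.0  # constructed normal connection rate (conn/s) and its spread

def logit(p: float) -> float:
    return math.log(p / (1.0 - p))

def sigmoid(x: float) -> float:
    return 1.0 / (1.0 + math.exp(-x))

def local_belief(rate: float) -> float:
    """One node's posterior P(attack) from its own connection-rate anomaly.
    The log likelihood ratio is capped: a lone burst may be a benign fluctuation,
    so a single node can never carry enough evidence to raise an alarm by itself."""
    z = (rate - BASELINE) / STD
    log_lr = 0.5 * max(-2.0, min(z, 6.0))   # at most e^3 (about 20x) evidence per node
    return sigmoid(logit(PRIOR) + log_lr)

def fuse(beliefs) -> float:
    """Bayesian fusion of per-node posteriors sharing one prior, assuming the nodes'
    observations are conditionally independent: logit(P) = logit(prior) + sum(logit(b_i) - logit(prior))."""
    return sigmoid(logit(PRIOR) + sum(logit(b) - logit(PRIOR) for b in beliefs))

class Node:
    def __init__(self, node_id: int):
        self.id = node_id
        self.table: Dict[int, float] = {}   # latest belief heard, keyed by origin node id
    def observe(self, rate: float) -> None:
        self.table[self.id] = local_belief(rate)
    def gossip_to(self, peer: "Node") -> None:
        peer.table.update(self.table)       # keyed by origin, so hearing a belief twice never double-counts
    def network_belief(self) -> float:
        return fuse(self.table.values())

def simulate(rates: List[float]) -> List[float]:
    """rates[i] is the connection rate node i sees. Tables are pushed on a deterministic
    doubling schedule (round r: node i -> node i + 2**r) so the run is reproducible;
    after ceil(log2 n) rounds every node holds every belief. Returns each node's fused belief."""
    nodes = [Node(i) for i in range(len(rates))]
    for node, rate in zip(nodes, rates):
        node.observe(rate)
    for r in range(max(1, math.ceil(math.log2(len(nodes))))):
        for node in nodes:
            node.gossip_to(nodes[(node.id + 2 ** r) % len(nodes)])
    return [n.network_belief() for n in nodes]

def alarms(beliefs: List[float], threshold: float = 0.9) -> List[int]:
    """Ids of nodes whose fused belief would trigger a defensive response (alarm, disconnect)."""
    return [i for i, b in enumerate(beliefs) if b >= threshold]
```

With these constants one node at 40 conn/s against a 5 conn/s baseline fuses to roughly 0.17 and no node alarms, while 50 nodes each at a modest 8 conn/s push every node's belief past 0.99.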