We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
 
74,953 News Articles

P2P software could help detect zero-day attacks

Software would interact with firewalls to gather data

P2P software could be an effective weapon in the fight against zero-day computer attacks, say University of California researchers.

The software would interact with existing personal firewalls and intrusion detection systems to gather data about anomalous behaviour, says Senthil Cheetancheri, the lead researcher on the project he undertook as a grad student at UC Davis from 2004 to 2007. He now works for SonicWall.

The software would share this data with randomly selected peer machines to determine how prevalent the suspicious activity was, he says. If many machines experience the identical traffic, it is likely it represents a new attack for which the machines have no signature.

The specific goal would be to detect self-propagating worms that conventional security products have not seen before.

"It depends on the number of events and the number of computers polled, but if there is a sufficient number of such samples, you can say with some degree of certainty that it is a worm," Cheetancheri says.

For that decision, the software uses a well-established statistical technique called sequential hypothesis testing, he says

The detection system is decentralised to avoid a single point of failure that an attacker might target, he says.

Visit Security Advisor for the latest internet threat news, FREE net threat email newsletters, and internet security products

The task then becomes what to do about it, he says. In some cases, the cost of a computer being infected with a worm might be lower than the cost of shutting it down, in which case it makes sense to leave it running until a convenient time to clean up the worm, he says.

In other cases, the cost to the business of the worm remaining active might exceed the cost of removing the infected machine from the network, he says.

That cost-benefit analysis would be simple to carry out, he says, but network executives would have to determine the monetary costs and enter them into the software configuration so it can do its calculations he says.

End users would not program or modify the core detection engine, he says. "We don't want to have humans in the loop," he says.

He says he and his fellow researchers have set up an experimental detection engine, but it would have to be modified to run on computers in a live network without interfering with other applications and without being intrusive to end users.

So far no one he knows of is working on commercialising the idea.

The software would be inexpensive because it would require no maintenance other than to enter the cost of each computer being disconnected from the network.

See also: Flaw found in Safari for Windows


IDG UK Sites

Amazon 3D smartphone release date, price and spec: The hologram phone?

IDG UK Sites

You're never alone with a clone: How the App Store got taken over by copycats

IDG UK Sites

PCs vs consoles: PCs still pwn when it comes to gaming (and everything else)

IDG UK Sites

The art of rebranding: Creative agency The Neighbourhood explains how & why it rebranded