February 23, 2004 2:59 PM PST
HP aims to throttle Net threats
One service, known as virus throttling, will limit the speed at which viruses and worms can spread by reducing the number of connections an infected computer can have to the Internet. A second service that HP intends to offer mimics medical vaccinations by placing devices within a network that will continually attack a company's computers with the digital equivalent of dead germs.
Get Up to Speed on...
Get the latest headlines and
company-specific news in our
expanded GUTS section.
The plans are part of HP's
"We want to construct systems that are responsive to change," he said. Pato will describe the two services in a keynote presentation Thursday at the RSA Conference in San Francisco.
The two techniques are the latest research developments that draw their foundations from treating digital systems like biological ones. Notably, IBM has researched ways to make computers and networks self-healing and has researched better ways of responding to digital attacks under its Digital Immune System project.
The two services that HP plans to outline at the RSA Conference could help companies respond to fast-spreading threats and maintain their defenses against everyday attacks.
Once they have installed themselves on a PC, worms such as MSBlast and viruses such as MyDoom spread quickly because they are able to send copies of their code to the Internet through a large number of connections. These connections are not the physical phone or cable line that connects a household to its Net access provider, but rather the software connections that link one computer to another. In studying the common behavior of such threats, Pato and others noticed that the worst worms and viruses created multiple connections.
"Some of the things that were evident were that worms tended to generate a large number of new connections in a short time," Pato said. Users can't create such links nearly as fast as automated software, so limiting the number of connections that can be established does not hobble the PC but can dramatically reduce the speed at which a virus spreads, he said.
In many ways, virus throttling attacks a common denominator in the spread of viruses in both the computing and the real world: Diseases spread farther and faster with improvements in transportation. In the real world, expanded trade routes helped spread the bubonic plague in the 1300s and airplanes contributed to influenza pandemics.
Similarly, viruses first hitched rides on infected files carried on
computer disks and then spread faster and wider with the advent of e-mail. Worms hastened their spread by establishing direct computer-to-computer transfers through vulnerable services. The first example of a flash worm, Slammer,
HP's throttling service could either run on a device on the customer's network or as a modification to a computer's operating system.
The company's second service will likely run on one or more network devices. Rather than try to prevent attacks, the device will constantly attack computers on a customer's network.
However, like the dead viruses and bacteria in a vaccination, the attacks used by the Active Countermeasures service will be benign. Rather than compromising the target computer, they will instead run a simple program that notifies the system's administrator that the computer needs to be patched.
The technique will also help to lock down the estimated 10 percent of devices on corporate networks that the company does not know about, said Pato. Such "black holes" in the networks can be weak points during an attack.
"There are a number of systems that aren't known to administrators, that aren't part of the asset management system, and aren't regularly maintained," he said. "Here we take exploit code that is taking advantage of a vulnerability and use that to put mitigation code on the machines."
When a new attack--also called an "exploit"--is seen by HP, the company will sterilize the code, so that it doesn't pose a danger to customers. Then, the company will ship a new version of the code out to the devices on customers' networks, which then attack the local computers with the benign attack. Any computers that are vulnerable will run the mitigation code, a small program that could display a message to the administrator or start the computer's patch program.
"It will take some action, but that action is chosen from a set of benign responses," Pato said.
HP plans to test the two services this year in small trials and then roll out these and other services by the end of the year, he said.