Stopping a cyber attack before it begins
Staying ahead of computer villains
“It’s certainly impossible to figure out in advance what the bad guys are going to try,” Wool said. “And that is really the approach that is taken by intrusion detection systems.”
Like the human immune system, he said, such systems study traffic patterns. When they see a pattern known to emanate from a malicious source, they stop it.
“That’s fine, except that it is always reactive,” he said.
In order to stop the attack, the detection system must first find the threat and then identify it as malicious, leaving an inevitable delay between the malware's debut and its deactivation.
“That’s a losing proposition in general,” he said. “The bad guys always have an advantage here.”
But with an approach that isn’t based on signatures, none of the traffic needs to be tracked in advance, and an attack can be stopped on what is known as Day 0.
Patrick Peterson, a computer security expert at IronPort, an independent business unit of San Jose, Calif.-based Cisco Systems, praised the Korset program and like-minded applications as being essential innovations for beefing up existing safeguards. “The bottom line is anti-virus software still has its place but criminals have become far too good at beating it to rely on this as a primary source of defense,” he said.
Based on reputation scores alone, around 80 percent of the data circulating through the Internet is considered harmful, Peterson said. One major advantage with technology like Korset in addressing all that, he said, is that it doesn’t rely on the airline terminal X-ray scanning approach to spotting such malware. “Criminals have spent 15 years getting past the X-ray antivirus scanner.”
The downside for an application like Korset may be the difficulty in picking up on well-cloaked actions, or in keeping up with huge institutions whose thousands of unique applications demand regular updating — and thus re-registration with the security program. Every new kind of protection system “often appears to be a silver bullet,” Peterson said. “But in reality it takes a lot of work.”
Nevertheless, he said he’s betting on the general approach as the promising future of security technology.
Wool and his collaborators have successfully integrated a Korset prototype into the Linux operating system and demonstrated in a proof-of-principle experiment that it can stop a simple attack. The team has also released its open-source code to promote further development of the software.
“It is our hope that this becomes mainstream and that this approach is adopted in standing distributions of operating systems,” Wool said. “If somebody like Microsoft looked at this work and decided to do something along the same type of line in the Windows operating system, that could have a tremendous effect on the safety of computers in the future.”