U.S. researchers have developed a new way to identify and block computer worms within fractions of a second of an attack and cancel the quarantine in the event of a false alarm.
The innovation by Penn State University computer scientists can react to an attack within milliseconds because, unlike most security technologies, it does not rely on matching patterns of known viruses or other malicious software.
The signature-recognition approach used in most internet security systems can allow minutes to pass before an attack is detected and a pattern is created to block a new worm. That method can let rapidly mutating worms through.
A worm is a malicious, self-replicating computer program.
Penn State's new Proactive Worm Containment (PWC) technology examines the rate at which connections to a network-connected computer are being made and the differences between the connections.
The new system identifies a host computer with a high rate of homogeneous connection requests and blocks the offending computer so no worm-infected packets of data can be sent from it.
Peng Liu, the lead researcher on the project and director of the university's Cyber Security Lab, estimates that under the new system, only a few dozen packets could be sent before an attack is halted. In comparison, the Slammer worm sent about 4,000 packets a second.
But because high packet rates aren't always triggered by worms, the new technology can also determine whether a suspected host is actually infected and release clean systems.
"PWC can quickly unblock mistakenly blocked hosts," said Liu, an associate professor of information sciences and technology at Penn State.
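The block-then-release behaviour described above can be sketched as a per-host sliding-window check. This is an added illustration, not PWC's code: every threshold, the definition of "homogeneous" (same protocol, port and size) and the release rule (few distinct destinations attempted while blocked) are assumptions, since the article does not give them, and the traffic is constructed.

```python
from collections import Counter, defaultdict, deque
# All thresholds are assumed values for illustration, not PWC's parameters.
WINDOW_S = 0.05          # sliding window for the rate check (seconds)
MAX_CONNS = 20           # attempts allowed per window before a host is suspect
MIN_HOMOGENEITY = 0.9    # share of attempts with identical (proto, port, size)
RELAX_S = 1.0            # how long a blocked host is watched before re-checking
MAX_DISTINCT_DSTS = 10   # distinct destinations tolerated while blocked

class Containment:
    def __init__(self):
        self.recent = defaultdict(deque)  # src -> (ts, shape) inside the window
        self.blocked = {}                 # src -> (block time, dsts tried since)

    def observe(self, ts, src, dst, proto, dport, size):
        """Decide one outbound attempt: 'pass', 'block', 'drop' or 'release'."""
        if src in self.blocked:
            since, dsts = self.blocked[src]
            dsts.add(dst)
            if ts - since < RELAX_S:
                return "drop"
            if len(dsts) > MAX_DISTINCT_DSTS:      # still fanning out: stay blocked
                self.blocked[src] = (ts, set())
                return "drop"
            del self.blocked[src]                  # false alarm: lift the quarantine
            self.recent[src].clear()
            return "release"                       # this attempt is forwarded
        win = self.recent[src]
        win.append((ts, (proto, dport, size)))
        while ts - win[0][0] > WINDOW_S:
            win.popleft()
        if len(win) > MAX_CONNS:
            top = Counter(shape for _, shape in win).most_common(1)[0][1]
            if top / len(win) >= MIN_HOMOGENEITY:
                self.blocked[src] = (ts, {dst})
                return "block"                     # the triggering attempt is not sent
        return "pass"

def replay(events):  # returns {src: Counter of decisions}
    c, out = Containment(), defaultdict(Counter)
    for ev in sorted(events):
        out[ev[1]][c.observe(*ev)] += 1
    return out

# Constructed traffic: a scanner at ~4,000 packets/s to many addresses, and a
# monitoring host that bursts 30 identical probes at 3 servers, then goes quiet.
worm = [(i * 0.00025, "10.0.0.5", f"198.51.100.{i % 250}", "udp", 1434, 404) for i in range(8000)]
poll = [(i * 0.001, "10.0.0.9", f"10.0.1.{i % 3}", "tcp", 443, 60) for i in range(30)]
poll.append((2.0, "10.0.0.9", "10.0.1.0", "tcp", 443, 60))
RESULT = replay(worm + poll)
```

With these assumed settings the scanner gets 20 packets out before it is blocked and stays blocked, while the monitoring host is blocked by its burst and released on its next attempt after the observation period.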