Penn State researchers invent anti-worm technology

Penn State researchers invent anti-worm technology

Summary: Researchers at Penn State have filed a provision patent for a new anti-worm technology that promises to identify and contain network worms milliseconds into an attack without using anti-virus signatures.

TOPICS: Networking
Researchers at Penn State have filed a provision patent for new anti-worm technology that promises to identify and contain network worms milliseconds into an attack without using anti-virus signatures.

The technology, dubbed Proactive Worm Containment (PWC), pinpoints worm activity on a network by targeting a packet's rate or frequency of connections and the diversity of connections to other networks, according to a report on Penn State Live.

A brief overview of the PWC approach can be found in this PDF file.

"A lot of worms need to spread quickly in order to do the most damage, so our software looks for anomalies in the rate and diversity of connection requests going out of hosts," Peng Liu explained. When suspicious activity is spotted on a host, PWC quarantines that host to block packets associated with a worm from getting out.

However, because high connection rate transmissions do not always indicate worm activity, the new technology can verify that suspect hosts are clean or not infected. These techniques use vulnerability-window and relaxation analyses to overcome the denial-of-service effect that could be caused by false positives, Peng Liu said.

According to Penn State Live, the PWC software is currently in beta and can be integrated seamlessly with existing signature-based worm filtering systems.

The idea behind PWC sounds useful but it just might be a day late. The last major network worm, Sasser, occurred in 2004. Since then, the attacks have shifted significantly away from using disruptive worms that create havoc -- and raise awareness around software patching. Instead, malware attacks are now smaller and more targeted, relying mostly on social engineering lures.

[UPDATE: February 10, 2007]: Val Smith from the Offensive Computing project pinged me to mention that the Los Alamos National Laboratory already offers NARQ (Network Automated Response and Quarantine), an anti-worm mapping and quarantine system that appears similar to the Penn State technology. Details on NARQ can be found in this 2005 statement.

Topic: Networking

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Why patent an anti-worm technology?

    Can someone make a nutshell for why an anti-worm technology gets patented?

    Seriously, I think this would be an unfair competition for other manufacturers to compete on getting those worms off of the computer systems...

    I only skimmed the article, so I didn't read it all...
    Grayson Peddie
    • Patent technology only to make money, what else.

      Not that Penn State is going to make much off their anti-worm tech because:

      1) Los Alamos National Labs already released anti-worm tech in 2005 (update @ bottom of story).


      2) Hackers now use targeted methods with social engineering and specialized spam with malware attachments.

      But every little penny helps.
      Mr. Roboto
  • Nice try, but...

    The golden ring of "stop it from even gaining foothold on one server" is still sitting there waiting to be grabbed...

    This would be a nice interim solution in the meantime, I guess.
  • two ways

    Suppose you raise sheep. Each night you risk losing sheep to various threats...wolves, tigers, poachers. You have two choices:

    1) wait outside with your shotgun and hope you can outsmart every wild animal that might visit, hoping you don't fall asleep.

    2) build a fence

    Obviously (2) is the best solution. Same applies with computers. Rather than try to outsmart every badguy that comes along, just protect your code with hardware. The smartest cyber-thief in the world can't erase or overwrite code stored in ROM. Even social engineering attacks are thwarted. Computer & software makers need to start relying on the fence approach to security. Enough of this silliness.

  • Software Can't Protect Software

    Gary is right, whether via hard-coded ROM or a dedicated security engine sitting on the BUS as a gatekeeper outside the Host address space the only effective protection against malware is hardware.