The technology, dubbed Proactive Worm Containment (PWC), pinpoints worm activity on a network by targeting a packet's rate or frequency of connections and the diversity of connections to other networks, according to a report on Penn State Live.
A brief overview of the PWC approach can be found in this PDF file.
"A lot of worms need to spread quickly in order to do the most damage, so our software looks for anomalies in the rate and diversity of connection requests going out of hosts," Peng Liu explained. When suspicious activity is spotted on a host, PWC quarantines that host to block packets associated with a worm from getting out.
However, because high connection rate transmissions do not always indicate worm activity, the new technology can verify that suspect hosts are clean or not infected. These techniques use vulnerability-window and relaxation analyses to overcome the denial-of-service effect that could be caused by false positives, Peng Liu said.
According to Penn State Live, the PWC software is currently in beta and can be integrated seamlessly with existing signature-based worm filtering systems.
The idea behind PWC sounds useful but it just might be a day late. The last major network worm, Sasser, occurred in 2004. Since then, the attacks have shifted significantly away from using disruptive worms that create havoc -- and raise awareness around software patching. Instead, malware attacks are now smaller and more targeted, relying mostly on social engineering lures.
[UPDATE: February 10, 2007]: Val Smith from the Offensive Computing project pinged me to mention that the Los Alamos National Laboratory already offers NARQ (Network Automated Response and Quarantine), an anti-worm mapping and quarantine system that appears similar to the Penn State technology. Details on NARQ can be found in this 2005 statement.