UK lab researches worm-throttling

HP researchers are working on ways to choke Internet-based worms and viruses and stop them spreading their destructive payloads

Researchers at Hewlett-Packard laboratories in Bristol have been working on a new technology designed to choke off Internet worms and viruses in an attempt to slow them down and control their spread.

Matt Williamson, the researcher leading the work, has released a paper on "virus throttling". It details the logic behind the new concept, and outlines some of the techniques that HP is currently researching and implementing.

The core logic of virus throttling hinges on the idea that a computer infected by a worm will often try to connect to as many different machines as possible within the shortest time-frame, whereas a computer under the control of a human will behave quite differently.

Human Web browsing will result in a connection rate of less than two outgoing Internet connection attempts per second. The Nimda and Code Red worms, on the other hand, would pump out up to 500 connection attempts per second.

No human interaction with a computer could cause such a high connection rate, so Williamson and his team are working out how to best choke off these rapid-fire connection attempts, hence dramatically slowing down the spread of a given worm. Slowing down a worm can dramatically impair its ability to propagate.
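A simplified sketch of the throttling idea described above, added here as an example; it is not HP's implementation or code from Williamson's paper. It lets connections to recently contacted hosts pass at once and delays new destinations beyond a small rate budget. The recent-host set size, the budget of one new host per second, and both traces are assumptions constructed for the demonstration.

```python
from collections import deque

class ConnectionThrottle:
    """Delays, rather than drops, connections to hosts not contacted recently."""

    def __init__(self, recent_size=5, new_hosts_per_sec=1.0):
        # Both parameters are assumed values for this sketch.
        self.recent = deque(maxlen=recent_size)  # recently contacted hosts
        self.interval = 1.0 / new_hosts_per_sec
        self.queue = deque()                     # delayed new destinations
        self.next_release = 0.0                  # earliest time a new host may go out
        self.sent = []                           # (time, host) actually released

    def _release(self, when, host):
        self.sent.append((when, host))
        if host not in self.recent:
            self.recent.append(host)
        self.next_release = when + self.interval

    def drain(self, now):
        # Let queued destinations out at the allowed rate, up to time `now`.
        while self.queue and self.next_release <= now:
            self._release(self.next_release, self.queue.popleft())

    def request(self, now, host):
        self.drain(now)
        if host in self.recent:
            self.sent.append((now, host))        # familiar host: no delay
        elif not self.queue and self.next_release <= now:
            self._release(now, host)             # budget available: pass
        else:
            self.queue.append(host)              # over budget: delay it

def simulate(events, end):
    """Replay (time, host) events; return (connections released, backlog)."""
    throttle = ConnectionThrottle()
    for now, host in events:
        throttle.request(now, host)
    throttle.drain(end)
    return len(throttle.sent), len(throttle.queue)

# Constructed traces, 10 seconds each (not captured traffic).
SITES = ["site-a", "site-b", "site-c", "site-d"]
HUMAN = [(i / 1.5, SITES[i % 4]) for i in range(15)]    # 1.5 attempts/s
WORM = [(i / 500, f"target-{i}") for i in range(5000)]  # 500 attempts/s

if __name__ == "__main__":
    print("human:", simulate(HUMAN, 10.0))
    print("worm: ", simulate(WORM, 10.0))
```

On these constructed traces the browsing pattern gets all 15 connections out with no backlog, while the worm-like pattern releases 11 and leaves 4,989 queued. A rapidly growing queue is itself a signal that the machine may be infected.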

"Since a machine that is infected, but throttled, isn't spreading the virus any more, the overall speed of infection is reduced. Also, since there will be fewer machines actively spreading the virus, the load on network infrastructure, routers for instance, will be reduced," Williamson said.

Although tests have already been conducted, the research is still at an early stage.

"We have a number of ideas and new approaches to take it further," he said.

Williamson and the rest of his team have actually tested the early stage system on live viruses. They have used worms such as Nimda in a controlled environment at the Bristol laboratories.

They have found that although the system won't completely stop worms and viruses from spreading, it slows the rate at which they spread down to a controllable level.

The research group says the next step is to create custom worms designed for test operations, such as varying propagation speed. Jonathon Griffin, a member of Williamson's research team, says they are seeking to create a "test virus" that they can deploy in a controlled environment.

"It will be like a cross between a virtual wind tunnel and an electronic test track for us," he said.

Eventually the system may prove to be very effective at detecting and possibly acting on worm infections.
