Stopping Malware Before It Hits
SpudGunMan writes "John Lockwood, Ph.D, an assistant professor of computer science at Washington University, and the graduate students that work in his research laboratory, have developed a hardware platform called the Field-programmable Port Extender (FPX) that scans for malware transmitted over a network and filters out unwanted data."
Well, it's not software-based like every other IDS out there, but you'd only know that if you read the article.
'Unlike existing network intrusion systems, the FPX uses hardware, not software, to scan data quickly. The FPX can scan each and every byte of every data packet transmitted through a network at a rate of 2.4 billion bits per second. In other words, the FPX could scan every word in the entire works of Shakespeare in about 1/60th of a second.'
And:
'The FPX itself fits within a rack-mounted chassis that can be installed in any network closet. When a virus or worm is detected, the system can either silently drop the malicious traffic or generate a pop-up message on an end-user's computer. An administrator uses a web-based interface to control and configure the system.'
>...because what you mentioned isn't working
Perhaps because of the end user? How many joe sixpacks do you know who have a properly configured firewall and an up-to-date AV program, and have even heard of AdAware?
>>How do you plan to adapt your hardware once the creators of Malware adapt to yours?
>Same is true with the methods you mention that you suggest work just fine. The Ad Aware people and the AV people are always fighting the cold war too. So are the anti-spam people. Another piece of tech that helps is a win for the good guys.
It's a lot easier to release new AdAware definitions than it is to patch a piece of hardware... let's look at security updates from MS versus driver updates...
>> How much will this *really* slow down a LAN or Intranet?
>If it works like it's described, it would actually speed up malware-infested LAN and WAN connections.
I think the point is to *remove* malware, not make "malware infested LAN and WAN connections" faster... otherwise, I'd be happy with a speed boost :)
Condemnant quod non intellegunt.
IntruVert uses FPGAs. Many appliance-based IDSes have some amount of hardware acceleration. This is typical of college-taught computer security research... way behind the commercial efforts.
By using FPGAs to scan network traffic (not a new idea, by the way), the device looks for fixed signatures much faster than an equivalent software solution can do so (yes, software may control it, but the actual "decisions" are made by hardware. Think level 3 switch). I'm guessing there's probably some sort of state engine implemented in the FPGAs (I haven't kept up on field-programmable logic), and optimization to look for multiple signatures in parallel, but that's just a guess. It's no different in theory from a virus detection add-on to a mail transfer agent that uses fixed string (as opposed to regex) detection, it's just much more efficient.
Because there's no regex capability, any attempt to use this box for censorship will fail. For example, suppose your upstream programs in a ruleset to match "nuclear". Fine, just pull a Dubya and use "nucular", or "nuke", or "nook-yoo-lar". Problem solved. Or for that matter just zip, tarball, or rot-13 encrypt your file before sending it.
Furthermore, no actual signature would be this short; the false positive rate would be enormous. In practice expect signature lengths of 64 bytes and up, which is what we use when scanning email traffic for viruses.
Why is this a good thing? Keep in mind this is NOT intended as an end-user box, it's intended for network providers. As one, I can tell you that viruses and worms cost real money. Even when we do disable customers for virus activity (and invariably piss off most of them), it takes time to detect and do this. It also takes staff hours; tracking down the customer's username isn't always trivial (RADIUS accounting packets get lost, some outsourced dialup providers send accounting data only on termination, and open wireless points are a huge pain).
For example, Nachi sends out vast numbers of ICMP pings to sequential IP addresses, which rapidly fills the IP cache and depletes the memory of many Cisco routers (why they cache IPs for ICMP is beyond me, but they do, and the patch -- which requires a maintenance contract to get by the way -- doesn't work very well). Watching multi-kilobuck routers die repeatedly because a handful of customers have a worm is NOT my idea of a good day. And don't get me started on mail server load.
I don't know what price they're going to ask for this, but if it's reasonable ($10K or lower) it could easily pay for itself in six months for us. Even if it's an order of magnitude pricier, larger NSPs will probably snatch them up if they work. Trying to do this in software with the same bandwidth (the article quoted 2.4Gbps, right?) may well cost more, esp. when you have to drop a couple of OC-whatever cards in your linux box, harden it, and make sure it never *ever* goes down.
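The comment above guesses at a fixed-string matching engine that checks many signatures in parallel, and then notes that short signatures produce an enormous false-positive rate while real deployments use 64 bytes and up. The following is an added example (not code from the article, the FPX project, or the commenter) that models both points in software: an Aho-Corasick automaton that processes each byte once while checking every loaded signature, run over constructed sample packets. The signatures and packets are all constructed for the example (the 64-byte string is a labelled placeholder, not a real malware byte sequence), and the rot13 packet only demonstrates the limitation the commenter states, namely that a fixed-string scanner does not see through re-encoded content. Nothing here reflects the FPX's actual internal design.

```python
from collections import deque


class FixedStringScanner:
    """Aho-Corasick automaton over bytes.

    Every input byte drives exactly one state transition, and every loaded
    signature is checked on that same transition, so cost per byte is
    constant no matter how many fixed strings are loaded. This is a software
    model of per-byte parallel matching, not the FPX's own design.
    """

    def __init__(self, signatures):
        self.signatures = dict(signatures)   # name -> bytes pattern
        self.goto = [{}]                      # state -> {byte: next state}
        self.fail = [0]                       # state -> fallback state
        self.out = [set()]                    # state -> names ending here
        for name, pattern in self.signatures.items():
            state = 0
            for byte in pattern:
                if byte not in self.goto[state]:
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append(set())
                    self.goto[state][byte] = len(self.goto) - 1
                state = self.goto[state][byte]
            self.out[state].add(name)
        # Breadth-first pass fills in failure links and merges outputs so a
        # match of a shorter signature inside a longer one is not lost.
        queue = deque(self.goto[0].values())
        while queue:
            state = queue.popleft()
            for byte, nxt in self.goto[state].items():
                queue.append(nxt)
                fallback = self.fail[state]
                while fallback and byte not in self.goto[fallback]:
                    fallback = self.fail[fallback]
                self.fail[nxt] = self.goto[fallback].get(byte, 0)
                self.out[nxt] |= self.out[self.fail[nxt]]

    def scan(self, data):
        """Return {signature_name: [byte offsets where the match starts]}."""
        hits = {}
        state = 0
        for i, byte in enumerate(data):
            while state and byte not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(byte, 0)
            for name in self.out[state]:
                start = i - len(self.signatures[name]) + 1
                hits.setdefault(name, []).append(start)
        return hits


def rot13_bytes(data):
    """Byte-wise rot13 of ASCII letters; shows that a fixed-string scanner
    does not recognise even trivially re-encoded content."""
    out = bytearray()
    for b in data:
        if 65 <= b <= 90:
            out.append((b - 65 + 13) % 26 + 65)
        elif 97 <= b <= 122:
            out.append((b - 97 + 13) % 26 + 97)
        else:
            out.append(b)
    return bytes(out)


# Constructed signatures: a 7-byte word and a 64-byte placeholder of the
# length the comment says is used in practice. Not real malware bytes.
SIGNATURES = {
    "short_word": b"nuclear",
    "long_sig": b"CONSTRUCTED-SAMPLE-SIGNATURE-NOT-REAL-MALWARE-BYTES-".ljust(64, b"x"),
}

# Constructed sample traffic. "benign_" packets are ordinary content;
# "sample_" packets carry the constructed 64-byte marker.
PACKETS = {
    "benign_news": b"GET /science HTTP/1.0\r\n\r\nLecture notes on nuclear physics and fusion reactors.",
    "benign_mail": b"Subject: lunch\r\n\r\nThe nuke in the break room is broken again.",
    "sample_marker": b"\x90\x90" + SIGNATURES["long_sig"] + b"\x90\x90",
    "sample_marker_rot13": rot13_bytes(b"\x90\x90" + SIGNATURES["long_sig"] + b"\x90\x90"),
}


def scan_all(packets=PACKETS, signatures=SIGNATURES):
    """Scan every packet once with all signatures loaded."""
    scanner = FixedStringScanner(signatures)
    return {name: scanner.scan(data) for name, data in packets.items()}


def false_positive_summary(results):
    """Per signature: how many benign vs sample packets it fired on."""
    summary = {name: {"benign": 0, "sample": 0} for name in SIGNATURES}
    for pkt, hits in results.items():
        kind = "benign" if pkt.startswith("benign_") else "sample"
        for name in hits:
            summary[name][kind] += 1
    return summary


if __name__ == "__main__":
    results = scan_all()
    for pkt, hits in results.items():
        print(f"{pkt:22s} -> {hits or 'clean'}")
    print(false_positive_summary(results))
```

Running it shows the 7-byte signature firing on the benign lecture notes while the 64-byte signature fires only on the packet that actually carries the marker, and the rot13-encoded copy passing untouched: the false-positive side of the tradeoff that drives signature lengths up, and the coverage gap that no fixed-string engine, hardware or software, closes on its own.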