Slashdot Mirror


Stopping Malware Before It Hits

SpudGunMan writes "John Lockwood, Ph.D, an assistant professor of computer science at Washington University, and the graduate students that work in his research laboratory, have developed a hardware platform called the Field-programmable Port Extender (FPX) that scans for malware transmitted over a network and filters out unwanted data."

1 of 163 comments

  1. It's NOT a censor-box, it's a Good Thing by shostiru · Score: 3, Informative
    I think a lot of people are confused about what this box does, and what it doesn't do.

    By using FPGAs to scan network traffic (not a new idea, by the way), the device looks for fixed signatures much faster than an equivalent software solution can do so (yes, software may control it, but the actual "decisions" are made by hardware. Think level 3 switch). I'm guessing there's probably some sort of state engine implemented in the FPGAs (I haven't kept up on field-programmable logic), and optimization to look for multiple signatures in parallel, but that's just a guess. It's no different in theory from a virus detection add-on to a mail transfer agent that uses fixed string (as opposed to regex) detection, it's just much more efficient.

    Because there's no regex capability, any attempt to use this box for censorship will fail. For example, suppose your upstream programs in a ruleset to match "nuclear". Fine, just pull a Dubya and use "nucular", or "nuke", or "nook-yoo-lar". Problem solved. Or for that matter just zip, tarball, or rot-13 encrypt your file before sending it.

    Furthermore, no actual signature would be this short; the false positive rate would be enormous. In practice expect signature lengths of 64 bytes and up, which is what we use when scanning email traffic for viruses.

    Why is this a good thing? Keep in mind this is NOT intended as an end-user box, it's intended for network providers. As one, I can tell you that viruses and worms cost real money. Even when we do disable customers for virus activity (and invariably piss off most of them), it takes time to detect and do this. It also takes staff hours; tracking down the customer's username isn't always trivial (RADIUS accounting packets get lost, some outsourced dialup providers send accounting data only on termination, and open wireless points are a huge pain).

    For example, Nachi sends out vast numbers of ICMP pings to sequential IP addresses, which rapidly fills the IP cache and depletes the memory of many Cisco routers (why they cache IPs for ICMP is beyond me, but they do, and the patch -- which requires a maintenance contract to get by the way -- doesn't work very well). Watching multi-kilobuck routers die repeatedly because a handful of customers have a worm is NOT my idea of a good day. And don't get me started on mail server load.

    I don't know what price they're going to ask for this, but if it's reasonable ($10K or lower) it could easily pay for itself in six months for us. Even if it's an order of magnitude pricier, larger NSPs will probably snatch them up if they work. Trying to do this in software with the same bandwidth (the article quoted 2.4Gbps, right?) may well cost more, esp. when you have to drop a couple of OC-whatever cards in your Linux box, harden it, and make sure it never *ever* goes down.
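The comment above makes two technical points: a fixed-signature scanner can look for many byte strings in parallel in a single pass over the traffic, and because it matches literal strings rather than patterns, a short rule over-matches benign data while a trivially re-encoded payload (rot-13 in the comment's example) produces no match at all. The following software sketch, added here as an illustration and not code from the post, the FPX project, or Dr. Lockwood's lab, shows both points with an Aho-Corasick multi-pattern matcher. The signature names and byte strings, the sample payloads, and the rot-13 transform are all constructed for the example; nothing here is a real malware signature or the device's actual rule format.

```python
"""Single-pass multi-signature fixed-string matching (Aho-Corasick) over sample payloads.

Added example: a software analogue of parallel fixed-signature matching. The
signatures and payloads below are constructed for illustration only.
"""
from collections import deque


class SignatureScanner:
    """Finds every occurrence of every fixed byte-string signature in one pass."""

    def __init__(self, signatures):
        # Trie: goto[node] maps a byte value to the next node index.
        self.goto = [{}]
        self.fail = [0]      # failure link per node (longest proper suffix in trie)
        self.out = [[]]      # signature names that end at this node
        for name, sig in signatures.items():
            node = 0
            for b in sig:
                if b not in self.goto[node]:
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append([])
                    self.goto[node][b] = len(self.goto) - 1
                node = self.goto[node][b]
            self.out[node].append(name)
        # Breadth-first pass builds failure links so a mismatch never rescans input.
        queue = deque(self.goto[0].values())
        while queue:
            cur = queue.popleft()
            for b, nxt in self.goto[cur].items():
                queue.append(nxt)
                f = self.fail[cur]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[nxt] = self.goto[f].get(b, 0)
                # A node also reports any signature that is a suffix of its path.
                self.out[nxt].extend(self.out[self.fail[nxt]])

    def scan(self, payload):
        """Return (signature name, offset of last matched byte) for every hit."""
        hits = []
        node = 0
        for i, b in enumerate(payload):
            while node and b not in self.goto[node]:
                node = self.fail[node]
            node = self.goto[node].get(b, 0)
            for name in self.out[node]:
                hits.append((name, i))
        return hits


def rot13(data):
    """rot-13 over ASCII letters, leaving every other byte unchanged (constructed helper)."""
    out = bytearray()
    for b in data:
        if 65 <= b <= 90:
            out.append((b - 65 + 13) % 26 + 65)
        elif 97 <= b <= 122:
            out.append((b - 97 + 13) % 26 + 97)
        else:
            out.append(b)
    return bytes(out)


# Constructed signatures: two long, specific rules of the kind the comment says real
# deployments use, plus one deliberately short rule to show why short rules over-match.
SIGNATURES = {
    "example-worm-alpha": b"EXAMPLE_WORM_ALPHA_PAYLOAD_MARKER_0001_DO_NOT_SHIP",
    "example-scanner-beta": b"EXAMPLE_SCANNER_BETA_PROBE_STRING_7f3a9c",
    "short-word-rule": b"nuclear",
}

# Constructed sample payloads (not captured traffic).
SAMPLE_PAYLOADS = {
    "benign-mail": b"Subject: plant tour\r\n\r\nThe nuclear facility tour is Tuesday.",
    "worm-probe": b"\x00\x01EXAMPLE_WORM_ALPHA_PAYLOAD_MARKER_0001_DO_NOT_SHIP\x00",
    "both": b"EXAMPLE_SCANNER_BETA_PROBE_STRING_7f3a9c nuclear",
}
# The same worm probe after a trivial re-encoding: no fixed signature will fire on it.
SAMPLE_PAYLOADS["worm-probe-rot13"] = rot13(SAMPLE_PAYLOADS["worm-probe"])

SCANNER = SignatureScanner(SIGNATURES)


def hit_names(payload):
    """Names of signatures matched in payload, in order of occurrence."""
    return [name for name, _ in SCANNER.scan(payload)]


if __name__ == "__main__":
    for label, payload in SAMPLE_PAYLOADS.items():
        print(f"{label:18s} -> {hit_names(payload)}")
```

Running the block shows the short rule firing on ordinary mail text (a false positive in any filtering context), the long rules firing only on the payloads that carry them, and the rot-13 copy of the worm probe producing no hits at all. That last result is the operational caveat: a fixed-string scanner at the network edge catches traffic as it appears on the wire, so encoded or compressed content has to be normalized first or caught by a layer that sees it decoded.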