Stopping Malware Before It Hits

SpudGunMan writes "John Lockwood, Ph.D, an assistant professor of computer science at Washington University, and the graduate students that work in his research laboratory, have developed a hardware platform called the Field-programmable Port Extender (FPX) that scans for malware transmitted over a network and filters out unwanted data."

A great idea, but.....

[thewiz]

Who does the reprogramming of the device; the end user or the company that make the device? For security, I'd rather it be the end user.
Also, shouldn't they make a cheap version for home users since those are the machines that are most vulnerable?

Re:A great idea, but.....

> Who does the reprogramming of the device;
> the end user or the company that make the device?

The virus writer.

Re:A great idea, but.....

[LostCluster]

I think the concept is for it to be the device itself, making its decision based on patterns that just plain shouldn't appear in normal traffic. If people all over the world are sending the exact same long message into your network, something's up and it's likely not good.

- If the same e-mail attachment comes through your network a few hundred times, it must be a virus.
- If the same kilobyte-long web address keeps getting requested, it must be a worm.
- If the same messages are headed to your NetBIOS ports, it must be the pop-up-message spam of the week. In fact, if somebody wants to deliver any message any kind to all of your ports one-by-one, it must be the exploit of the week.

This seems to be all about patern matching... the device isn't meant to replace your firewall and antivirus systems, but to be faster than them and to take off the work load of having to identify this week's worm when it comes in for the 34,939th time. This might even be useful for ISPs to cut off D-DOS attempts before entering the major traffic exchages so that less of traffic makes it to the victim's bandwidth pipe.

Nifty.

[MoriarGryphon]

Sounds like a nifty piece of hardware. Put one at the front of your network, and reduce internal bandwidth wastage from propogation of virii/worms inward. Even if all your stuff is patched, this could help keep all your servers from having to listen to the worms and script kiddies several hundred times a second. ;>

Re:Nifty.

[insertionPoint]

Put one at the front of your network, and reduce internal bandwidth wastage from propogation of virii/worms inward.

Or you could carefully configure the router / firewall at the front of your network (like according to RFCs?!?). Everybody is looking for something to eliminate the burden of proper management / administration. Hows about people read the RFCs know their OSes and their limitations and create management strategies accordingly.

Treating the symptoms, not the disease

[Dark+Lord+Seth]

I suggest enlightening the users about malware while they download it. Let's go for the Pavlov effect and hook the hardware platform up to a pellet gun, tazer and a program which mails the squid logs of the current day of said victim to his/her mother/SO. Users learn so much easier that way...

Some questions:

[Txiasaeia]

1) Why is this useful? Why should we look at this product as opposed to AdAware, a good firewall and a good AV program? The article mentions DDOS attacks -- is that all it's good for?

2) How do you plan to adapt your hardware once the creators of Malware adapt to yours?

3) How much will this *really* slow down a LAN or Intranet? Not "it shouldn't slow it down at all" -- I mean real-world tests?

Re:Some questions:

[gnu-generation-one]

"Why should we look at this product as opposed to AdAware, a good firewall and a good AV program?"

Because you don't always have control of the computers which will be running the virus?

"How do you plan to adapt your hardware once the creators of Malware adapt to yours?"

The article mentioned that it took less than 9 minutes for someone familiar with the web interface to add a new rule.

"How much will this *really* slow down a LAN or Intranet?"

Read the article (or the linked paper) for precise figures. It's less than a router, and comparable to a hardware firewall

Re:Some questions:

[hazzey]

"The article mentions DDOS attacks -- is that all it's good for?" I'm pretty sure that even if that IS all that it is good for, it is worth its weight in gold. Wouldn't it be nice if every semi-large website could have one of those? Then we would never have to worry about all of the new reports of DDOS blackmail.

a new worm will come out and this

hardware device will fail to notice it
unless it has an update. Same problem
for antivirus software. A new worm will
get past it until they teach the device to see it. snake oil.

May be useful...

Lockwood is a smart guy. When I was an undergrad, I had him as a professor when he was at U of I (I was surprised he wasn't there anymore). ECE 291 was one of the coolest classes offered. I haven't read his paper yet, but it looks like it's a two-edged sword that could be used to restrict transfer of any data, and someone still has to program the filter...

What utter marketroid-fuelled drivel.

[Mr+Thinly+Sliced]

They claim that the product is able to 'scan data quickly ... uses hardware, not software to scan quickly ...'.

This product seems entirely built upon PHB fear of technology - its a rack mounted unit that scans network traffic looking for rogue packets/signatures. So to do this effectively, you'd need one of these devices in place _for every router, firewall and computer to computer connection_ - along with some way to travel into the future to obtain the signatures of the all the viruses of the future.

I just don't see how this is securing a network against viruses and worms. The best thing corporates can do (who I guess this particular piece of IT jewelry is aimed at), is lock down the desktop as far as they can go, and have a sensible patch system in place to roll out automagically.

I mean, when "Travelling Salesman Dixie" brings his laptop back from the wild of the Sales Conference and plugs it in, do they honestly think that having it in hardware, rather than software, will cover their asses?

Full marks for receiving funding though. I'm probably just bitchy cos I didn't think of it.

Re:What utter marketroid-fuelled drivel.

[Helter]

Which is easier, trying to force thousands of people to practice network security, or installing a device that does it for them?

Sure you need to update the thing as new viruses come out, but you need to do the same thing with your AV software, that doesn't make it worthless. This won't stop virus' and worms from being written, but it can stop them from spreading past day 2.

Oh, great.

[volkerdi]

While in theory this is a great idea, in practice it's likely to be less great. I commonly get sent reports that .ZIP files used in ZipSlack (which have never seen a Windows machine in handling by me), are infected with viruses. This is because "signatures" thought by virus scanning companies to be unique are a lot less unique than they imagined.

If something like this is ever implemented on a wide scale, expect the system to refuse to allow random non-malware files to be used, transferred, or handled, in those cases where they happen to match a banned bit-pattern. Files and emails might even be silently dropped with no notification at all, depending on the implementation (and with an eye to history).

Re:Oh, great.

[rgmoore]

It seems to me that this is just more evidence that computer systems will wind up looking like biology. First we had viruses and similar infectious things. Now people are trying to create the machine equivalent of an immune system. The problem is that in the process they're likely to rediscover all of the problems that our immune system causes as well as the benefits.

This particular case is quite similar to allergies in the natural immune system. It's an overly aggressive response to an essentially harmless signal. The big problem is that virus and worm scanners are going to be succeptible to the computer equivalent of autoimmune disease; they'll start thinking that essential system files have been corrupted and try to wipe out something really important. I just hope they never develop the computerized equivalent of leukemia.

it's the freeware, stupid

[Potor]

Indeed. Funny how malware does not seem to infest products we actually pay for. The desire to find free software leads us to download products that are more and more iffy. The key is not detecting malware, for malware will always be one step ahead. The key is carefully screening what we will download, searching out reviews, reading the EULA before the install, and basically being intelligent.

I am not against freeware -- far from it. However, I would say that there is freeware addiction out there that opens the doors to malware. Moreover, I am not against this product; it will certainly be helpful. Yet, those who put their trust in yet another algorithm will certainly get bit again, albeit in some other way.

cheers, potor

Re:it's the freeware, stupid

[gnu-generation-one]

"The key is carefully screening what we will download, searching out reviews, reading the EULA before the install, and basically being intelligent."

Try only running software without an EULA. It tends to work better, and in general it's less of a worry.

When an installation program starts up, the first few words should be "GNU GENERAL PUBLIC LICENSE Version 2, June 1991", and you can be pretty sure that the software is good to install. (all we need now is GPL'd malware to really put people off, but for now it's safe!)

An Apple Troll is funny how?

Please explain.

A post that derides Apple users/platform is instantly modded down, never seeing the light of day. Yet whenever a Mac user cracks an equally unfunny "joke", some stupid mod thinks its hilarious and mods it up.

Sounds great.

[rune.w]

Quoting from the abstract of the paper:

FPGA logic is used to implement circuits that track the state of Internet flows and search for regular expressions and fixed-strings that appear in the content of packets.

So apparently this hardware can only recognize patterns programmed beforehand (which makes a lot of sense). However, a problem would arise whenever an original piece of malware is released into the net. I mean, how do they plan to identify and program new strings into the machine before the systems behind it are infected? Worms tend to expand fairly quickly...

Further insight is always welcome.

R.

Isn't this just a network censorship device?

[Bookwyrm]

I am rather surprised at the commentary so far on this device, given the usual tone of responses made on slashdot that I have seen.

This device appears to be, at heart, a box that is put in along side the routers to filter out content that the owner of the device does not want to be sent over the network. It is capable of looking for specific patterns of data and blocking the transfer of the data based on that in real time.

Is this not precisely what one would use to filter out, say, unwanted political documents going in/out of China? To, say, spot a specific MP3 file being traded on a P2P network and stop it?

Other comments seem to suggest people think this might actually be a workable, good idea -- guess folks are finally realizing that the Internet cannot route around all forms of censorship after all, if they think this will work.

yah, right.

no matter how much they put into this, someone will figure a way around it.

Re:Wow

Try reading the article first....or maybe even the paper if you're abitious.

It's implemented in hardware and using FPGAs, which can be reprogrammed. Think of it as dynamic hardware based IDS. 2.4 Gigabit speeds...I'd love to see snort handle that.

From the time you get a pattern of a new virus to the time it can be deployed to the system is ~ 10 minutes according to the paper. that is impresive considering it's all hardware based.

Stopping network junk "on the wire"

[mattbee]

After speaking to one of the chaps behind ddos.com I'm very excited by this kind of emerging technology: essentially ethernet/fibre "filters" which can scan and dump "unwanted" traffic without a noticeable lag on the network. I'm less excited by how much it costs at the moment: $18k list price for one of the 100Mb boxes at DDoS.com, but I suspect as competition opens up, the waffle about exciting and complicated patented technologies will give way to a decent and open discussion about the best algorithms for doing this.

As an example of the current waffle on this topic, the white paper at ddos.com promises in one of their upcoming *cough* products a wire-speed spam filter which is 100% accurate and needs no training. Sure, sure... it's this ridiculous claim which calls into question the "zero training" aspect of their DDoS prevention-- I'm sure some configuration and known "signature" patterns of abusive traffic will help matters.

I'm not here to pick on ddos.com, I'm sure they have an excellent and useful product. But since they are one of a very small number of people with such a product, they are prone to making wild claims and charging extortionate fees. I'm convinced a Linux/BSD kernel module could achieve the same effect and I'd be very interested to see the algorithms, training and so on needed to achieve it. But for the moment we're still subject to these pretty wild claims without much in the way of algorithmic detail.

FUD?

[kernelfoobar]

from article: Computer virus and Internet worm attacks, such as Nimba, Code Red, Slammer, SoBigF, and MSBlast have infected computers globally....Existing firewalls do little to protect against such attacks. Once a few systems are compromised, they proceed to infect other machines, which in turn quickly spread throughout a network.
Maybe I'm misinformed but I thought that a worm like MSBlast and Co. attacks thru SMB/CIFS protocols by the 13x familily of ports. Any self-respecting netadmin blocks those from external access. Am I right or wrong on this? Granted some of those attack thru legit ports like 80, but a firewall is not TOTALLY useless against ALL worms!