Slashdot Mirror
Stopping Malware Before It Hits
SpudGunMan writes "John Lockwood, Ph.D, an assistant professor of computer science at Washington University, and the graduate students that work in his research laboratory, have developed a hardware platform called the Field-programmable Port Extender (FPX) that scans for malware transmitted over a network and filters out unwanted data."
i predict they'll be slashdotted within 5 minutes...
By Tony Fitzpatrick
A computer scientist at Washington University in St. Louis has developed technology to stop malicious software - malware - such as viruses and worms long before it has a chance to reach computers in the home and office.
John Lockwood, Ph.D, an assistant professor of computer science at Washington University, and the graduate students that work in his research laboratory have developed a hardware platform called the Field-programmable Port Extender (FPX) that scans for malware transmitted over a network and filters out unwanted data.
'The FPX uses several patented technologies in order to scan for the signatures of malware quickly,' said Lockwood. 'Unlike existing network intrusion systems, the FPX uses hardware, not software, to scan data quickly. The FPX can scan each and every byte of every data packet transmitted through a network at a rate of 2.4 billion bits per second. In other words, the FPX could scan every word in the entire works of Shakespeare in about 1/60th of a second.'
Computer virus and Internet worm attacks, such as Nimba, Code Red, Slammer, SoBigF, and MSBlast have infected computers globally. It can take weeks to months for IT staff to clean up all of the computers throughout a network after an outbreak. The direct cost to recover from just the 'Code Red version two' worm alone was $2.6 billion.
Existing firewalls do little to protect against such attacks. Once a few systems are compromised, they proceed to infect other machines, which in turn quickly spread throughout a network.
'The number of infected computers will grow exponentially unless contained,' Lockwood said. 'In the case of SoBigF, over one million computers were infected within the first 24 hours and over 200 million computers were infected within a week.'
'Placing the burden of detection on the end -user isn't efficient or trustworthy because individuals tend to ignore warnings about installing new protection software and the latest security updates, 'Lockwood pointed out. 'New vulnerabilities are discovered daily, but not all users take the time to download new patches the moment they are posted. It can take weeks for an IT department to eradicate old versions of vulnerable software running on end-system computers.'
The high speed of the FPX is possible because the logic on the FPX is implemented as Field Programmable Gate Array (FPGA) circuits, Lockwood explained. These circuits are used to scan and filter Internet traffic for worms and viruses using FPGA circuits that operate in parallel.
Lockwood's group has developed and implemented circuits that process the Internet protocol (IP) packets directly in hardware. They have also developed several circuits that rapidly scan streams of data for strings or regular expressions in order to find the signatures of malware carried within the payload of Internet packets.
'On the FPX, the reconfigurable hardware can be dynamically reconfigured over the network to search for new attack patterns,' Lockwood said. 'Should a new Internet worm or virus be detected, multiple FPX devices can be immediately programmed to search for their signatures.
'Each FPX device then filters traffic passing over the network, so that it can immediately quarantine a virus or Internet worms within sub networks (subnets). By just installing a few such devices between subnets, a single device can protect thousands of users. By installing multiple devices at key locations throughout a network, large networks can be protected.'
The FPX itself fits within a rack-mounted chassis that can be installed in any network closet. When a virus or worm is detected, the system can either silently drop the malicious traffic or generate a pop-up message on an end-user's computer. An administrator uses a web-based interface to control and configure the system.
A greased yoda doll, presumably for shoving up your ass, can be found here.
They've invented an Intrusion Detection System. Useful, but what's so special about this one?
as malware? Say MS or any other abbreviation that is interested in declining access to competitive data just filter it. Adding a number of these devices to echelon or selling a few to repressive governments. You get the picture
So, ummm, you have your Big Brother install and maintain these, to protect 'the people' from 'malware.'
Who gets to decide what is malware?
A Good Intro to NetBS
It sounds like a traditional signature-matching IDS with most of it implemented on a FPGA. This isn't such a big deal - it won't "stop malware before it hits" because signatures still need to be installed on the device. An implementation on a FPGA is great for speed - which would make this device great for mitigating worm attacks, but the FPGA may constrain its utility as an IDS - it would probably lack capacity to perform some of the trickier IDS techniques (e.g. looking inside compressed or encoded content, traffic normalisation, etc.) The linked article was little more than a marketing blurb, so its hard to tell.
>? Why should we look at this product as opposed to AdAware, a good firewall and a good AV program?
Prevention, thats why.
Killing the packets before they arrive means more signal within the noise (look at my apache log for all those code red machines on comcast's network for instance), saving time and money by having less sys admins fighting malware 24/7, helping the technoproles out by the fact that the less viruses they are able to get the less trouble they'll have in the long run.
Lastly, because what you mentioned isn't working.
>How do you plan to adapt your hardware once the creators of Malware adapt to yours?
Same is true with the methods you mention that you suggest work just fine. The Ad Aware people and the AV people are always fighting the cold war too. So are the anti-spam people. Another piece of tech that helps is a win for the good guys.
> How much will this *really* slow down a LAN or Intranet?
If it works like its described it would actually speed up malware infested LAN and WAN connections.
Right, this goes above and beyond simple port filtering or firewalling, in that it actively deletes material from the wire. It's kind of like the case with spam. If you reject the mail at delivery-time then at least the sender of a legitimate false-positive knows to resend. But if you silently delete things, no one is ever the wiser.
I don't really like the notion of my ISP actively grepping every packet I send and selectively deleting some of them that match some rules. Sure, I don't care if it ONLY messes with malware, as that would never affect me since I keep a tight ship. But, what if someone programs a really sloppy or poorly written rule, and there are false positives? What if the ISP decides that it wants to start deleting other things, like p2p traffic that's taking up all that bandwidth? Again, this is different from blocking p2p ports outright, which, while still repulsive, would at least alert you to the fact that something's being blocked since you wouldn't be able to establish a connection on the blocked ports.
Now, on a corporate/university LAN I can see a lot fewer issues. For one thing, it's a case of "their net, their rules" in that you really have no rights (in the case of the workplace) to complain about what's filtered and what isn't. But workplaces tend to already have some form of firewall or other preventative measures in place. Not that this wouldn't help, but the real case for something like this is a consumer broadband ISP, where a single installation could potentially isolate and neuter thousands of infected home boxes of people running a stock Windows 98 with no updates and no firewall.
And ye shall all bow at the Altar of Shiny Blinkiness
Do you or your partner snore? - Visit www.snoring.com.au