Slashdot Mirror


Stopping Malware Before It Hits

SpudGunMan writes "John Lockwood, Ph.D, an assistant professor of computer science at Washington University, and the graduate students that work in his research laboratory, have developed a hardware platform called the Field-programmable Port Extender (FPX) that scans for malware transmitted over a network and filters out unwanted data."

5 of 163 comments

  1. advantages by BubbleNOP · Score: 5, Interesting
    Some advantages I can think of:
    1. Speed. Servers often are already too loaded to run more apps that check for signatures.
    2. A hardware device is usually harder to hack than the software platform doing checking. A clever piece of malware can compromise the checking machine itself.
    3. If checking is done by a secondary machine, by the time it detects the malware the infected machine may be significantly damaged already. A hardware device placed between the network and the machine, on the other hand, can stop things early enough.
  2. What if someone wants to filter competitive data by so+sue+mee · Score: 3, Interesting

    as malware? Say MS or any other abbreviation that is interested in declining access to competitive data just filters it. Adding a number of these devices to Echelon, or selling a few to repressive governments. You get the picture.

  3. Re:Some questions: by gad_zuki! · Score: 4, Interesting

    >? Why should we look at this product as opposed to AdAware, a good firewall and a good AV program?

    Prevention, that's why.

    Killing the packets before they arrive means more signal within the noise (look at my Apache log for all those Code Red machines on Comcast's network, for instance), saving time and money by having fewer sysadmins fighting malware 24/7, and helping the technoproles out by the fact that the fewer viruses they are able to get, the less trouble they'll have in the long run.

    Lastly, because what you mentioned isn't working.

    >How do you plan to adapt your hardware once the creators of Malware adapt to yours?

    Same is true with the methods you mention that you suggest work just fine. The Ad Aware people and the AV people are always fighting the cold war too. So are the anti-spam people. Another piece of tech that helps is a win for the good guys.

    > How much will this *really* slow down a LAN or Intranet?

    If it works like it's described, it would actually speed up malware-infested LAN and WAN connections.

  4. Re:Isn't this just a network censorship device? by bedessen · Score: 4, Interesting

    Right, this goes above and beyond simple port filtering or firewalling, in that it actively deletes material from the wire. It's kind of like the case with spam. If you reject the mail at delivery-time then at least the sender of a legitimate false-positive knows to resend. But if you silently delete things, no one is ever the wiser.

    I don't really like the notion of my ISP actively grepping every packet I send and selectively deleting some of them that match some rules. Sure, I don't care if it ONLY messes with malware, as that would never affect me since I keep a tight ship. But, what if someone programs a really sloppy or poorly written rule, and there are false positives? What if the ISP decides that it wants to start deleting other things, like p2p traffic that's taking up all that bandwidth? Again, this is different from blocking p2p ports outright, which, while still repulsive, would at least alert you to the fact that something's being blocked since you wouldn't be able to establish a connection on the blocked ports.

    Now, on a corporate/university LAN I can see a lot fewer issues. For one thing, it's a case of "their net, their rules" in that you really have no rights (in the case of the workplace) to complain about what's filtered and what isn't. But workplaces tend to already have some form of firewall or other preventative measures in place. Not that this wouldn't help, but the real case for something like this is a consumer broadband ISP, where a single installation could potentially isolate and neuter thousands of infected home boxes of people running a stock Windows 98 with no updates and no firewall.

  5. Re:Wow by Megor1 · Score: 4, Interesting

    Actually, it is an intrusion prevention system: not only does it identify the attack/virus, it also blocks it.

    I'm waiting to see a nice open source/free IDS that would allow per-protocol specifications, so you could not only catch known viruses/exploits but also put in checks based on the protocol. For example, you have an FTP server; you load up the FTP protocol module and it knows that the USER field should be followed by a username, but that the username should be less than, say, 256 characters, so if someone tries to exploit some buffer overflow in the username for your FTP server, the system would block it before it even got to the server. Also, you could use them to remove identification information, so your service banner that identifies what is being run would be stripped for anything behind your IPS.

    --
    Everyone that disagrees with me is a paid shill
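The protocol-aware check Megor1 describes, as an added example that is not part of the thread and not code from the FPX project: a small inline filter for the FTP control channel that blocks a USER command whose argument is 256 characters or longer (the figure from the comment), rejects malformed or control-character-laden arguments, and rewrites the server's 220 greeting to a neutral banner so the software version is not exposed. It goes slightly beyond the comment by applying a per-command length table rather than a USER-only check. The sample session lines, the 512-character default limit for other commands and the neutral banner text are constructed for the demonstration; multi-line greetings are only partially handled (intermediate continuation lines pass through unchanged).

```python
"""Toy protocol-aware FTP control-channel filter (added example, not FPX code).

Stateless per-line checks:
  - client -> server: the command verb must be well-formed, the argument must
    stay under a per-command length limit, and must not carry control bytes;
  - server -> client: a 220 greeting line is rewritten to a neutral banner.
"""
import re
from typing import List, Tuple

# Argument length limits. 256 for USER is the value quoted in the comment;
# the default applied to every other command is an assumed value.
ARG_LIMITS = {"USER": 256}
DEFAULT_ARG_LIMIT = 512

# FTP command: 3- or 4-letter verb, optional single-space-separated argument.
_CMD_RE = re.compile(r"^([A-Za-z]{3,4})(?: (.*))?$")
# Greeting reply: "220 text" (single line) or "220-text" (first of several).
_GREETING_RE = re.compile(r"^220([ -])(.*)$")


def check_client_line(line: str) -> Tuple[bool, str]:
    """Return (allow, reason) for one client-to-server control line."""
    body = line.rstrip("\r\n")
    m = _CMD_RE.match(body)
    if m is None:
        return False, "malformed command line"
    verb, arg = m.group(1).upper(), m.group(2)
    if verb == "USER" and not arg:
        return False, "USER without a username"
    if arg is not None:
        limit = ARG_LIMITS.get(verb, DEFAULT_ARG_LIMIT)
        if len(arg) >= limit:
            return False, f"{verb} argument too long ({len(arg)} >= {limit})"
        if any(ord(c) < 0x20 or c == "\x7f" for c in arg):
            return False, f"control characters in {verb} argument"
    return True, "ok"


def rewrite_server_line(line: str, neutral: str = "FTP service ready") -> str:
    """Replace the text of a 220 greeting with a neutral banner.

    Any other reply passes through unchanged, and the original line ending
    and the ' '/'-' separator of the greeting are preserved.
    """
    body = line.rstrip("\r\n")
    eol = line[len(body):]
    m = _GREETING_RE.match(body)
    if m is None:
        return line
    return f"220{m.group(1)}{neutral}{eol}"


def filter_session(client_lines: List[str],
                   server_lines: List[str]) -> Tuple[List[Tuple[bool, str]], List[str]]:
    """Apply both checks to a whole exchange.

    Returns the (allow, reason) decision per client line and the list of
    server lines as they would leave the filter.
    """
    decisions = [check_client_line(line) for line in client_lines]
    outbound = [rewrite_server_line(line) for line in server_lines]
    return decisions, outbound


# Constructed sample traffic for the demonstration (not captured data).
CLIENT_SAMPLE = [
    "USER alice\r\n",
    "PASS hunter2\r\n",
    "USER " + "A" * 300 + "\r\n",   # overlong username: blocked
    "USER bob\x00\r\n",             # embedded NUL byte: blocked
    "GARBAGE!! \r\n",               # not a well-formed command: blocked
    "PWD\r\n",
]
SERVER_SAMPLE = [
    "220 ExampleFTPd 1.2.3 ready\r\n",   # banner text is rewritten
    "331 Please specify the password.\r\n",
]

if __name__ == "__main__":
    decisions, outbound = filter_session(CLIENT_SAMPLE, SERVER_SAMPLE)
    for line, (allow, reason) in zip(CLIENT_SAMPLE, decisions):
        print("ALLOW" if allow else "BLOCK", repr(line[:24]), reason)
    for line in outbound:
        print("OUT  ", repr(line))
```

The length test is the one the comment asks for; the control-character and well-formedness checks are there because a filter that only measures length still forwards a malformed line to the daemon, and a protocol module should reject what the protocol grammar itself does not allow.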