Slashdot Mirror

← Back to Stories (view on slashdot.org)

Stopping Malware Before It Hits

Posted by timothy on from the every-bit-helps dept.

SpudGunMan writes "John Lockwood, Ph.D, an assistant professor of computer science at Washington University, and the graduate students that work in his research laboratory, have developed a hardware platform called the Field-programmable Port Extender (FPX) that scans for malware transmitted over a network and filters out unwanted data."

19 of 163 comments (clear)

  1. hah by mxn · · Score: 5, Funny

    Belkin beat him to it.. Though, their system goes one step further: rather than filter out unwanted data it turns it into precious precious ad revenue.

  2. A great idea, but..... by thewiz · · Score: 5, Insightful

    Who does the reprogramming of the device; the end user or the company that make the device? For security, I'd rather it be the end user.
    Also, shouldn't they make a cheap version for home users since those are the machines that are most vulnerable?

    --
    If "disco" means "I learn" in Latin, does "discothèque" mean "I learn technology"?
    1. Re:A great idea, but..... by LostCluster · · Score: 4, Insightful

      I think the concept is for it to be the device itself, making its decision based on patterns that just plain shouldn't appear in normal traffic. If people all over the world are sending the exact same long message into your network, something's up and it's likely not good.

      - If the same e-mail attachment comes through your network a few hundred times, it must be a virus.
      - If the same kilobyte-long web address keeps getting requested, it must be a worm.
      - If the same messages are headed to your NetBIOS ports, it must be the pop-up-message spam of the week. In fact, if somebody wants to deliver any message any kind to all of your ports one-by-one, it must be the exploit of the week.

      This seems to be all about patern matching... the device isn't meant to replace your firewall and antivirus systems, but to be faster than them and to take off the work load of having to identify this week's worm when it comes in for the 34,939th time. This might even be useful for ISPs to cut off D-DOS attempts before entering the major traffic exchages so that less of traffic makes it to the victim's bandwidth pipe.

  3. Nifty. by MoriarGryphon · · Score: 5, Insightful

    Sounds like a nifty piece of hardware. Put one at the front of your network, and reduce internal bandwidth wastage from propogation of virii/worms inward. Even if all your stuff is patched, this could help keep all your servers from having to listen to the worms and script kiddies several hundred times a second. ;>

  4. Treating the symptoms, not the disease by Dark+Lord+Seth · · Score: 4, Insightful

    I suggest enlightening the users about malware while they download it. Let's go for the Pavlov effect and hook the hardware platform up to a pellet gun, tazer and a program which mails the squid logs of the current day of said victim to his/her mother/SO. Users learn so much easier that way...

    --
    Hate me!
  5. So windows.... by utlemming · · Score: 5, Funny

    Did it verify that Windows is mal-ware?
    What about Windows-update?

    These are hard questions that we need to know...

    --
    The views expressed are mine own and do not express the views of my employer.
  6. How it works by Anonymous Coward · · Score: 5, Funny

    For non geeky types, here is how it works.

    As part of the TCP/IP connection specification, Each Ethernet Cable has 65,536 exactly small fibers. To send data, a prgoram must tell the network card to "pluck" the fibers 5000 tines a second to send data.

    Now Viruses pluck usually unused fibers to confuse the Network card. Once it is confused the virus can Execute it self by running on the firmware of the Ether, which sends rouge Assebly instructions to the GBX register on the CPU which is an illegal instruction. This disables the ECIR and RIF jumpers on the motherboard. Then it can pluck all the wires at the same time, which of course causes a D-DOS attack.

    Now you know how it works, get a Firewall to stop the wrong fiber being plucked.

  7. An easier way to stop Windows malware: by Anonymous Coward · · Score: 4, Funny

    Here.

    1. Re:An easier way to stop Windows malware: by placeclicker · · Score: 4, Funny

      Or one that doesn't require a new computer..

      --

      Browse at -1, because trolls are often the most creative part of /.
  8. Oh, great. by volkerdi · · Score: 4, Insightful

    While in theory this is a great idea, in practice it's likely to be less great. I commonly get sent reports that .ZIP files used in ZipSlack (which have never seen a Windows machine in handling by me), are infected with viruses. This is because "signatures" thought by virus scanning companies to be unique are a lot less unique than they imagined.

    If something like this is ever implemented on a wide scale, expect the system to refuse to allow random non-malware files to be used, transferred, or handled, in those cases where they happen to match a banned bit-pattern. Files and emails might even be silently dropped with no notification at all, depending on the implementation (and with an eye to history).

    1. Re:Oh, great. by rgmoore · · Score: 4, Insightful

      It seems to me that this is just more evidence that computer systems will wind up looking like biology. First we had viruses and similar infectious things. Now people are trying to create the machine equivalent of an immune system. The problem is that in the process they're likely to rediscover all of the problems that our immune system causes as well as the benefits.

      This particular case is quite similar to allergies in the natural immune system. It's an overly aggressive response to an essentially harmless signal. The big problem is that virus and worm scanners are going to be succeptible to the computer equivalent of autoimmune disease; they'll start thinking that essential system files have been corrupted and try to wipe out something really important. I just hope they never develop the computerized equivalent of leukemia.

      --

      There's no point in questioning authority if you aren't going to listen to the answers.

  9. advantages by BubbleNOP · · Score: 5, Interesting
    Some advantages I can think of:
    1. Speed. Servers often are already too loaded to run more apps that check for signatures.
    2. A hardware device is usually harder to hack than the software platform doing checking. A clever piece of malware can compromise the checking machine itself.
    3. If checking is done by a secondary machine, by the time it detects the malware the infected machine may be significantly damaged already. A hardware device placed between the network and the machine, on the other hand, can stop things early enough.
  10. it's the freeware, stupid by Potor · · Score: 5, Insightful
    Indeed. Funny how malware does not seem to infest products we actually pay for. The desire to find free software leads us to download products that are more and more iffy. The key is not detecting malware, for malware will always be one step ahead. The key is carefully screening what we will download, searching out reviews, reading the EULA before the install, and basically being intelligent.

    I am not against freeware -- far from it. However, I would say that there is freeware addiction out there that opens the doors to malware. Moreover, I am not against this product; it will certainly be helpful. Yet, those who put their trust in yet another algorithm will certainly get bit again, albeit in some other way.

    cheers, potor

  11. Sounds great. by rune.w · · Score: 5, Insightful

    Quoting from the abstract of the paper:

    FPGA logic is used to implement circuits that track the state of Internet flows and search for regular expressions and fixed-strings that appear in the content of packets.

    So apparently this hardware can only recognize patterns programmed beforehand (which makes a lot of sense). However, a problem would arise whenever an original piece of malware is released into the net. I mean, how do they plan to identify and program new strings into the machine before the systems behind it are infected? Worms tend to expand fairly quickly...

    Further insight is always welcome.

    R.
  12. Isn't this just a network censorship device? by Bookwyrm · · Score: 5, Insightful

    I am rather surprised at the commentary so far on this device, given the usual tone of responses made on slashdot that I have seen.

    This device appears to be, at heart, a box that is put in along side the routers to filter out content that the owner of the device does not want to be sent over the network. It is capable of looking for specific patterns of data and blocking the transfer of the data based on that in real time.

    Is this not precisely what one would use to filter out, say, unwanted political documents going in/out of China? To, say, spot a specific MP3 file being traded on a P2P network and stop it?

    Other comments seem to suggest people think this might actually be a workable, good idea -- guess folks are finally realizing that the Internet cannot route around all forms of censorship after all, if they think this will work.

    1. Re:Isn't this just a network censorship device? by bedessen · · Score: 4, Interesting

      Right, this goes above and beyond simple port filtering or firewalling, in that it actively deletes material from the wire. It's kind of like the case with spam. If you reject the mail at delivery-time then at least the sender of a legitimate false-positive knows to resend. But if you silently delete things, no one is ever the wiser.

      I don't really like the notion of my ISP actively grepping every packet I send and selectively deleting some of them that match some rules. Sure, I don't care if it ONLY messes with malware, as that would never affect me since I keep a tight ship. But, what if someone programs a really sloppy or poorly written rule, and there are false positives? What if the ISP decides that it wants to start deleting other things, like p2p traffic that's taking up all that bandwidth? Again, this is different from blocking p2p ports outright, which, while still repulsive, would at least alert you to the fact that something's being blocked since you wouldn't be able to establish a connection on the blocked ports.

      Now, on a corporate/university LAN I can see a lot fewer issues. For one thing, it's a case of "their net, their rules" in that you really have no rights (in the case of the workplace) to complain about what's filtered and what isn't. But workplaces tend to already have some form of firewall or other preventative measures in place. Not that this wouldn't help, but the real case for something like this is a consumer broadband ISP, where a single installation could potentially isolate and neuter thousands of infected home boxes of people running a stock Windows 98 with no updates and no firewall.

  13. Re:Some questions: by gad_zuki! · · Score: 4, Interesting

    >? Why should we look at this product as opposed to AdAware, a good firewall and a good AV program?

    Prevention, thats why.

    Killing the packets before they arrive means more signal within the noise (look at my apache log for all those code red machines on comcast's network for instance), saving time and money by having less sys admins fighting malware 24/7, helping the technoproles out by the fact that the less viruses they are able to get the less trouble they'll have in the long run.

    Lastly, because what you mentioned isn't working.

    >How do you plan to adapt your hardware once the creators of Malware adapt to yours?

    Same is true with the methods you mention that you suggest work just fine. The Ad Aware people and the AV people are always fighting the cold war too. So are the anti-spam people. Another piece of tech that helps is a win for the good guys.

    > How much will this *really* slow down a LAN or Intranet?

    If it works like its described it would actually speed up malware infested LAN and WAN connections.

  14. Stopping network junk "on the wire" by mattbee · · Score: 4, Insightful

    After speaking to one of the chaps behind ddos.com I'm very excited by this kind of emerging technology: essentially ethernet/fibre "filters" which can scan and dump "unwanted" traffic without a noticeable lag on the network. I'm less excited by how much it costs at the moment: $18k list price for one of the 100Mb boxes at DDoS.com, but I suspect as competition opens up, the waffle about exciting and complicated patented technologies will give way to a decent and open discussion about the best algorithms for doing this.

    As an example of the current waffle on this topic, the white paper at ddos.com promises in one of their upcoming *cough* products a wire-speed spam filter which is 100% accurate and needs no training. Sure, sure... it's this ridiculous claim which calls into question the "zero training" aspect of their DDoS prevention-- I'm sure some configuration and known "signature" patterns of abusive traffic will help matters.

    I'm not here to pick on ddos.com, I'm sure they have an excellent and useful product. But since they are one of a very small number of people with such a product, they are prone to making wild claims and charging extortionate fees. I'm convinced a Linux/BSD kernel module could achieve the same effect and I'd be very interested to see the algorithms, training and so on needed to achieve it. But for the moment we're still subject to these pretty wild claims without much in the way of algorithmic detail.

    --
    Matthew @ Bytemark Hosting
  15. Re:Wow by Megor1 · · Score: 4, Interesting

    Actually is an Intrustion prevention system, not only does it identify the attack/virus it also blocks it.

    I'm waiting to see a nice open source/free IDS that would allow per protocol specifications so you could not only catch known viruses/exploits but also put in checks based on the protocol. For example you have an ftp server, you load up the ftp protocol module and it knows that the user field should be followed by a username, but that the username should be less than say 256 characters, so if someones tries to exploit some buffer overflow in the username for your ftp server the system would block it before it even got to the server. Also you could use them to remove identification information, so your service banner that identifies what is being run would be stripped for anything behind your IPS.

    --
    Everyone that disagrees with me is a paid shill