PSU Researchers Create Worm Speed Trap
Researchers at Penn State University are developing a new method to detect and help stop worm attacks that uses the speed of connections to spot them. The system also uses other algorithms to limit the number of false positives.
Current systems for detection of worms focus on signature or pattern identification in order to determine whether or not to block the traffic. However, this method is often too slow, allowing the worm to do damage long before it is stopped.
Researchers call the new technology "proactive worm containment" (PWC). Looking at a host's packet rate or number of connections, along with the diversity of connections to other networks, the system judges from those factors whether to block the traffic.
If a host is detected with a high rate of data transfer, the system would automatically contain the host. According to Peng Liu, associate professor of information sciences and technology and lead researcher on the PWC system, only a few dozen infected packets would make it out before this occurs.
"A lot of worms need to spread quickly in order to do the most damage, so our software looks for anomalies in the rate and diversity of connection requests going out of hosts," Liu said in a statement.
There are known issues with the system. PWC only detects worms with a fast spread rate, so it would likely miss those that spread more slowly. However, the system could be integrated with preexisting detection systems, offering enhanced protection.
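An added sketch, not PWC's own code, of the kind of check described above: a host is contained when both the rate and the destination diversity of its outbound connection attempts in a sliding window exceed limits. The window length, both thresholds, the function names and the constructed sample events are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

WINDOW_S = 5.0      # assumed sliding-window length in seconds
MAX_ATTEMPTS = 20   # assumed limit on outbound attempts per window
MAX_DISTINCT = 15   # assumed limit on distinct destinations per window

def contained_hosts(events, window=WINDOW_S,
                    max_attempts=MAX_ATTEMPTS, max_distinct=MAX_DISTINCT):
    """events: (timestamp, src, dst) tuples sorted by timestamp.
    Returns {src: (containment_time, attempts_that_got_out)}."""
    recent = defaultdict(deque)   # src -> (ts, dst) pairs inside the window
    sent = defaultdict(int)       # src -> attempts seen before containment
    contained = {}
    for ts, src, dst in events:
        if src in contained:
            continue              # contained host: later attempts are dropped
        sent[src] += 1
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()           # expire attempts older than the window
        # Require BOTH signals; rate alone would flag busy legitimate clients.
        if len(q) > max_attempts and len({d for _, d in q}) > max_distinct:
            contained[src] = (ts, sent[src])
    return contained

def sample_events():
    """Constructed traffic: three hosts with different outbound behaviour."""
    ev = []
    for i in range(100):
        ev.append((i * 0.05, "10.0.0.5", f"198.51.100.{i + 1}"))  # fast, diverse
        ev.append((i * 0.05, "10.0.0.9", "192.0.2.10"))           # fast, one server
    for i in range(30):
        ev.append((i * 2.0, "10.0.0.7", f"203.0.113.{i + 1}"))    # slow, diverse
    return sorted(ev)

if __name__ == "__main__":
    for host, (ts, n) in contained_hosts(sample_events()).items():
        print(f"{host} contained at t={ts:.2f}s after {n} attempts")
```

In the constructed sample only the fast, diverse host is contained; the host that repeatedly contacts one server and the slow host are not flagged, the latter matching the limitation noted above.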
PWC is currently in beta testing, and Penn State has filed for a provisional patent on the software.