Technology that stops malicious software
A COMPUTER scientist at Washington University in St. Louis has developed technology to stop malicious software - malware - such as viruses and worms long before it even has a chance to reach computers in the home and office. John Lockwood, an assistant professor of computer science at Washington University, and the graduate students have developed a hardware platform called the Field-programmable Port Extender (FPX) that scans for malware transmitted over a network and filters out unwanted data.
"The FPX uses several technologies to scan for the signatures of malware quickly," said Lockwood. "Unlike existing network intrusion systems, the FPX uses hardware, not software, to scan data. It can scan each and every byte of every data packet transmitted through a network at a rate of 2.4 billion bits per second." Lockwood published his results in Military and Aerospace Programmable Logic Device journal.
Recent attacks by viruses such as Nimba, Code Red, Slammer, SoBigF, and MSBlast have infected computers globally and clogged large networks. It can take weeks to months to clean the computers throughout a network after an outbreak.
In much the same way that a human virus spreads between people that come in contact, computer viruses and Internet worms spread when computers come in contact over the Internet. Viruses spread when a computer user downloads unsafe software, opens a malicious attachment, or exchanges infected computer programs over a network. An Internet Worm spreads over the network automatically when malicious software exploits one or more vulnerabilities in an operating systems, a web server, a database application, or an email exchange system.
Existing firewalls do little to protect against such attacks. Once a few systems are compromised, they proceed to infect other machines, which in turn quickly spread throughout a network.
In the case of SoBigF, over one million computers were infected within the first 24 hours and over 200 million computers were infected within a week. Today, most Internet worms and viruses are not detected until after they reach an end-user's personal computer. "Placing the burden of detection on the end -user isn't efficient or trustworthy because individuals tend to ignore warnings about installing new protection software and the latest security updates, "Lockwood pointed out.
"New vulnerabilities are discovered daily, but not all users take the time to download new patches the moment they are posted. It can take weeks for an IT department to eradicate old versions of vulnerable software running on end-system computers."
The high speed of the FPX is possible because the logic on the FPX is implemented as Field Programmable Gate Array (FPGA) circuits, Lockwood explained. These circuits are used to scan and filter Internet traffic for worms and viruses using FPGA circuits that operate in parallel. Lockwood's group has developed and implemented circuits that process the Internet protocol (IP) packets directly in hardware. They also have developed several circuits that rapidly scan streams of data for strings or regular expressions in order to find the signatures of malware carried within the payload of Internet packets.
"On the FPX, the reconfigurable hardware can be dynamically reconfigured over the network to search for new attack patterns," Lockwood said. "Should a new Internet worm or virus be detected, multiple FPX devices can be immediately programmed to search for their signatures.
Each FPX device then filters traffic passing over the network, so that it can immediately quarantine a virus or Internet worms within sub networks (subnets). By just installing a few such devices between subnets, a single device can protect thousands of users. By installing multiple devices at key locations throughout a network, large networks can be protected."
Commercial systems that use the FPX technology are being built. The systems can be installed in local-area and wide-area networks. The device itself integrates easily into the existing Gigabit Ethernet or Asynchronous Transfer Mode (ATM) networks.
The FPX itself fits within a rack-mounted chassis that can be installed in any network closet. When a virus or worm is detected, the system can either silently drop the malicious traffic or generate a pop-up message on an end-user's computer. An administrator uses a simple, web-based interface to control and configure the system.
Printer friendly
page
Send this article to Friends by
E-Mail
Sci Tech
