Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security Hardware

Stopping Malware Before It Hits 163

SpudGunMan writes "John Lockwood, Ph.D, an assistant professor of computer science at Washington University, and the graduate students that work in his research laboratory, have developed a hardware platform called the Field-programmable Port Extender (FPX) that scans for malware transmitted over a network and filters out unwanted data."
This discussion has been archived. No new comments can be posted.

Stopping Malware Before It Hits

Comments Filter:
  • hah (Score:5, Funny)

    by mxn ( 562786 ) * on Sunday November 16, 2003 @05:42PM (#7489562)
    Belkin beat him to it.. Though, their system goes one step further: rather than filter out unwanted data it turns it into precious precious ad revenue.
  • mirror (Score:2, Interesting)

    by Anonymous Coward
    i predict they'll be slashdotted within 5 minutes...

    By Tony Fitzpatrick
    A computer scientist at Washington University in St. Louis has developed technology to stop malicious software - malware - such as viruses and worms long before it has a chance to reach computers in the home and office.
    John Lockwood, Ph.D, an assistant professor of computer science at Washington University, and the graduate students that work in his research laboratory have developed a hardware platform called the Field-programmable Por
  • Wow (Score:2, Interesting)

    by jonbryce ( 703250 )
    They've invented an Intrusion Detection System. Useful, but what's so special about this one?
    • Re:Wow (Score:2, Informative)

      by Anonymous Coward
      Well, it's not software based like every other IDS out there, but you'd only know that if you read the article.
    • They've invented an Intrusion Detection System. Useful, but what's so special about this one?

      I think you are being very generous to him. Personally, I think he just "invented" the managed switch. After all you could do exactly this:
      'Each FPX device then filters traffic passing over the network, so that it can immediately quarantine a virus or Internet worms within sub networks (subnets). By just installing a few such devices between subnets, a single device can protect thousands of users.

      With a Cisc
      • 1) Cisco switches are hardware, but the logic is (I believe) software based.

        2) I don't use Cicso IOS as much as I'd like, can Cisco IOS really scan for virus signatures in the traffic being passed through?
    • RTFA (Score:2, Informative)

      by JThundley ( 631154 )
      'Unlike existing network intrusion systems, the FPX uses hardware, not software, to scan data quickly. The FPX can scan each and every byte of every data packet transmitted through a network at a rate of 2.4 billion bits per second. In other words, the FPX could scan every word in the entire works of Shakespeare in about 1/60th of a second.'

      And:

      'The FPX itself fits within a rack-mounted chassis that can be installed in any network closet. When a virus or worm is detected, the system can either silently dr
    • Re:Wow (Score:1, Insightful)

      by Anonymous Coward
      Try reading the article first....or maybe even the paper if you're abitious.

      It's implemented in hardware and using FPGAs, which can be reprogrammed. Think of it as dynamic hardware based IDS. 2.4 Gigabit speeds...I'd love to see snort handle that.

      From the time you get a pattern of a new virus to the time it can be deployed to the system is ~ 10 minutes according to the paper. that is impresive considering it's all hardware based.
    • Re:Wow (Score:5, Interesting)

      by Megor1 ( 621918 ) on Sunday November 16, 2003 @09:33PM (#7490638) Homepage
      Actually is an Intrustion prevention system, not only does it identify the attack/virus it also blocks it.

      I'm waiting to see a nice open source/free IDS that would allow per protocol specifications so you could not only catch known viruses/exploits but also put in checks based on the protocol. For example you have an ftp server, you load up the ftp protocol module and it knows that the user field should be followed by a username, but that the username should be less than say 256 characters, so if someones tries to exploit some buffer overflow in the username for your ftp server the system would block it before it even got to the server. Also you could use them to remove identification information, so your service banner that identifies what is being run would be stripped for anything behind your IPS.
  • by thewiz ( 24994 ) * on Sunday November 16, 2003 @05:46PM (#7489588)
    Who does the reprogramming of the device; the end user or the company that make the device? For security, I'd rather it be the end user.
    Also, shouldn't they make a cheap version for home users since those are the machines that are most vulnerable?
    • by Anonymous Coward
      > Who does the reprogramming of the device;
      > the end user or the company that make the device?

      The virus writer.
    • You'd implement something like this with distribution level routers, not in the home.

      If you filtered connections individually you'd need millions of these things. Instead you filter at the upstream provider where a single unit can filter for thousands of individuals.
    • by LostCluster ( 625375 ) on Monday November 17, 2003 @12:44AM (#7491435)
      I think the concept is for it to be the device itself, making its decision based on patterns that just plain shouldn't appear in normal traffic. If people all over the world are sending the exact same long message into your network, something's up and it's likely not good.

      - If the same e-mail attachment comes through your network a few hundred times, it must be a virus.
      - If the same kilobyte-long web address keeps getting requested, it must be a worm.
      - If the same messages are headed to your NetBIOS ports, it must be the pop-up-message spam of the week. In fact, if somebody wants to deliver any message any kind to all of your ports one-by-one, it must be the exploit of the week.

      This seems to be all about patern matching... the device isn't meant to replace your firewall and antivirus systems, but to be faster than them and to take off the work load of having to identify this week's worm when it comes in for the 34,939th time. This might even be useful for ISPs to cut off D-DOS attempts before entering the major traffic exchages so that less of traffic makes it to the victim's bandwidth pipe.
      • If the same e-mail attachment comes through your network a few hundred times, it must be a virus.
        Or a chain letter... though I think many of us can agree that these are evil anyways...

        If the same kilobyte-long web address keeps getting requested, it must be a worm

        Kilobyte-long? I don't know if worms all use long addresses, but a lot of people (or even a given machine) requesting the same address could apply to update sites, like virus updates? Amend this into "during time frame X" cuts it down a bit,
      • - If the same e-mail attachment comes through your network a few hundred times, it must be a virus.

        - If the same kilobyte-long web address keeps getting requested, it must be a worm.


        The problem with this type of approach is that you won't recognize that "the same message keeps appearing" until you've seen it at least twice. That's too late since the first occurrence will infect the target machine. Once the virus is behind your IPS you may as well not have one.

        • Like I said, this is a supplement, not a replacement. It sacrafices accuracy in exchange for speed. If placed ahead of a conventional IPS, your IPS will have much less traffic to check during an attack, therefore preventing a potential clog in the network.
  • Nifty. (Score:5, Insightful)

    by MoriarGryphon ( 599643 ) on Sunday November 16, 2003 @05:48PM (#7489598)
    Sounds like a nifty piece of hardware. Put one at the front of your network, and reduce internal bandwidth wastage from propogation of virii/worms inward. Even if all your stuff is patched, this could help keep all your servers from having to listen to the worms and script kiddies several hundred times a second. ;>
    • Re:Nifty. (Score:2, Insightful)

      Put one at the front of your network, and reduce internal bandwidth wastage from propogation of virii/worms inward.

      Or you could carefully configure the router / firewall at the front of your network (like according to RFCs?!?). Everybody is looking for something to eliminate the burden of proper management / administration. Hows about people read the RFCs know their OSes and their limitations and create management strategies accordingly.
      • Not everyone can afford a firewall that does hardware based filtering AND a top of the line IDS. By putting the hardware scanner first in line you eliminate a lot of bandwidth hitting your firewall that (usually) needs to be dealt with in software.

        In other words, the FPX could scan every word in the entire works of Shakespeare in about 1/60th of a second.

        Yes, but how many Libraries of Congress can it scan per second?
    • Sounds like a nifty piece of hardware. Put one at the front of your network, and reduce internal bandwidth wastage from propogation of virii/worms inward....

      Yeah it would be amazing to have network traffic management, firewall functionality all in one handy box.... I can see a big multi billion $$$ market for this.... oh wait.....

  • by Dark Lord Seth ( 584963 ) on Sunday November 16, 2003 @05:48PM (#7489601) Journal

    I suggest enlightening the users about malware while they download it. Let's go for the Pavlov effect and hook the hardware platform up to a pellet gun, tazer and a program which mails the squid logs of the current day of said victim to his/her mother/SO. Users learn so much easier that way...

    • by Potor ( 658520 ) <farker1@gmai l . com> on Sunday November 16, 2003 @06:04PM (#7489681) Journal
      Indeed. Funny how malware does not seem to infest products we actually pay for. The desire to find free software leads us to download products that are more and more iffy. The key is not detecting malware, for malware will always be one step ahead. The key is carefully screening what we will download, searching out reviews, reading the EULA before the install, and basically being intelligent.

      I am not against freeware -- far from it. However, I would say that there is freeware addiction out there that opens the doors to malware. Moreover, I am not against this product; it will certainly be helpful. Yet, those who put their trust in yet another algorithm will certainly get bit again, albeit in some other way.

      cheers, potor

      • "The key is carefully screening what we will download, searching out reviews, reading the EULA before the install, and basically being intelligent."

        Try only running software without an EULA. It tends to work better, and in general it's less of a worry.

        When an installation program starts up, the first few words should be "GNU GENERAL PUBLIC LICENSE Version 2, June 1991", and you can be pretty sure that the software is good to install. (all we need now is GPL'd malware to really put people off, but for now
      • Exactly.

        I came across a 'freeware' app called TorrentSearch that is full of Malware. Additionally, the EULA has the user agreeing to allow the installation of ANY software at any later date by the software maker. So whoever installs TorrentSearch is volunteering her computer to be part of who-knows-what network of zombied computers controlled by the author.

        Here's a thread on the TorrentSearch site that contains the EULA [project0wned.com]. The thing I find a little odd is that the discussion board is hosted on a server

      • Malware includes viruses and worms, which certainly infest Microsoft Office programs - having just seen a friend spend almost $500 US on Office 2003, this is hardly freeware...

  • Some questions: (Score:2, Insightful)

    by Txiasaeia ( 581598 )
    1) Why is this useful? Why should we look at this product as opposed to AdAware, a good firewall and a good AV program? The article mentions DDOS attacks -- is that all it's good for?

    2) How do you plan to adapt your hardware once the creators of Malware adapt to yours?

    3) How much will this *really* slow down a LAN or Intranet? Not "it shouldn't slow it down at all" -- I mean real-world tests?

    • "Why should we look at this product as opposed to AdAware, a good firewall and a good AV program?"

      Because you don't always have control of the computers which will be running the virus?

      "How do you plan to adapt your hardware once the creators of Malware adapt to yours?"

      The article mentioned that it took less than 9 minutes for someone familiar with the web interface to add a new rule.

      "How much will this *really* slow down a LAN or Intranet?"

      Read the article (or the linked paper) for precise figures. I
    • Re:Some questions: (Score:5, Interesting)

      by gad_zuki! ( 70830 ) on Sunday November 16, 2003 @07:51PM (#7490154)
      >? Why should we look at this product as opposed to AdAware, a good firewall and a good AV program?

      Prevention, thats why.

      Killing the packets before they arrive means more signal within the noise (look at my apache log for all those code red machines on comcast's network for instance), saving time and money by having less sys admins fighting malware 24/7, helping the technoproles out by the fact that the less viruses they are able to get the less trouble they'll have in the long run.

      Lastly, because what you mentioned isn't working.

      >How do you plan to adapt your hardware once the creators of Malware adapt to yours?

      Same is true with the methods you mention that you suggest work just fine. The Ad Aware people and the AV people are always fighting the cold war too. So are the anti-spam people. Another piece of tech that helps is a win for the good guys.

      > How much will this *really* slow down a LAN or Intranet?

      If it works like its described it would actually speed up malware infested LAN and WAN connections.
      • Re:Some questions: (Score:3, Informative)

        by Txiasaeia ( 581598 )
        >>? Why should we look at this product as opposed to AdAware, a good firewall and a good AV program?

        >...because what you mentioned isn't working

        Perhaps because of the end user? How many joe sixpacks do you know with a properly configured firewall, an up-to-date AV program, and have even heard of AdAware?

        >>How do you plan to adapt your hardware once the creators of Malware adapt to yours?

        >Same is true with the methods you mention that you suggest work just fine. The Ad Aware people a

        • >Perhaps because of the end user? How many joe sixpacks do you know with a properly configured firewall, an up-to-date AV program, and have even heard of AdAware?

          Classic blame the victim mentality. How has the industry served "joe sixpack" pray tell? This game has gone on long enough, we're looking at 4-months before an MS patch reaches critical mass in corporate america and even longer times in the residential market. Instead of constantly berating the end-user, someone has come up with a better sol
        • "Perhaps because of the end user? How many joe sixpacks do you know with a properly configured firewall, an up-to-date AV program, and have even heard of AdAware?

          Seriously, all are available free: put them on your family's PCs and educate them in their usage. Kerio Personal Firewall's reasonably idiot-proof, AVG antivirus excellent, and AdAware 6 just works. All free for personal use...

          Now, all we need is the big OEM people to ship with their PCs and provide a quick tutorial.

    • Re:Some questions: (Score:2, Insightful)

      by hazzey ( 679052 )
      "The article mentions DDOS attacks -- is that all it's good for?" I'm pretty sure that even if that IS all that it is good for, it is worth its weight in gold. Wouldn't it be nice if every semi-large website could have one of those? Then we would never have to worry about all of the new reports of DDOS blackmail.
  • by utlemming ( 654269 ) on Sunday November 16, 2003 @05:51PM (#7489613) Homepage
    Did it verify that Windows is mal-ware?
    What about Windows-update?

    These are hard questions that we need to know...

    • When I read the title I thought, YAY! A filter to kill Gator and related scum before they're installed.

      But when I RTFA, I see that it's only good for worms and viruses. I'll take worms and viruses any day over Gator. You know, because GATOR IS SPYWARE [slashdot.org]. bwahaha.

      Which brings me to the question:
      Can you write your own virus def's? I'd like to see an app that edited your favorite virus scanner's defs and added signatures for Gator, WhenU, etc. That would be so cool.
      ----------------------
      VIRUS DETECTED!!

      Win32.
  • by Anonymous Coward
    hardware device will fail to notice it
    unless it has an update. Same problem
    for antivirus software. A new worm will
    get past it until they teach the device to see it. snake oil.
    • The difference is that this can be easily implemented at a single point in a network or ISP and protect numerous systems. It doesn't matter if joe user doesn't update his virus definitions if his service provider has one of these things plugged in just after the router.
      • It doesn't matter if joe user doesn't update his virus definitions if his service provider has one of these things plugged in just after the router.

        Or if his overpaid but cost-conscious (read that cheap) ISP hires a CCIE who can write ACLs and log ISPs sending deleterious traffic.
        Perhaps ISPs could behave like a community (like in the early 90s). Joe Routeradmin from abc.isp could notice inhis logs that xyz.isp is transmitting on port 135 constantly, instead of just blocking him, he could contact them.
  • ...one of my professors introduced me to Scott Savage, the creator of the OOPIC [oopic.com]. He wanted us to brainstorm on a security implementation for his device. I suggested something similar, but since the OOPIC is most often used in robotics, he wanted something for physical access security since that has been a hot topic since 9/11 and I work company whose primary business division is security guards. Unfortuneately, he didn't go for it and I ended up submitting a P2P security article to CACM [acm.org] which got accepte
  • May be useful... (Score:1, Insightful)

    by Anonymous Coward
    Lockwood is a smart guy. When I was an undergrad, I had him as a professor when he was at U of I [uiuc.edu] (I was surprised he wasn't there anymore). ECE 291 was one of the coolest classes offered. I haven't read his paper yet, but it looks like it's a two-edged sword that could be used to restrict transfer of any data, and someone still has to program the filter...
  • by Anonymous Coward on Sunday November 16, 2003 @05:54PM (#7489630)
    For non geeky types, here is how it works.

    As part of the TCP/IP connection specification, Each Ethernet Cable has 65,536 exactly small fibers. To send data, a prgoram must tell the network card to "pluck" the fibers 5000 tines a second to send data.

    Now Viruses pluck usually unused fibers to confuse the Network card. Once it is confused the virus can Execute it self by running on the firmware of the Ether, which sends rouge Assebly instructions to the GBX register on the CPU which is an illegal instruction. This disables the ECIR and RIF jumpers on the motherboard. Then it can pluck all the wires at the same time, which of course causes a D-DOS attack.

    Now you know how it works, get a Firewall to stop the wrong fiber being plucked.
  • by Mr Thinly Sliced ( 73041 ) on Sunday November 16, 2003 @05:54PM (#7489631) Journal
    They claim that the product is able to 'scan data quickly ... uses hardware, not software to scan quickly ...'.

    This product seems entirely built upon PHB fear of technology - its a rack mounted unit that scans network traffic looking for rogue packets/signatures. So to do this effectively, you'd need one of these devices in place _for every router, firewall and computer to computer connection_ - along with some way to travel into the future to obtain the signatures of the all the viruses of the future.

    I just don't see how this is securing a network against viruses and worms. The best thing corporates can do (who I guess this particular piece of IT jewelry is aimed at), is lock down the desktop as far as they can go, and have a sensible patch system in place to roll out automagically.

    I mean, when "Travelling Salesman Dixie" brings his laptop back from the wild of the Sales Conference and plugs it in, do they honestly think that having it in hardware, rather than software, will cover their asses?

    Full marks for receiving funding though. I'm probably just bitchy cos I didn't think of it.
    • Just attach it to your egress/ingress points and go from there. Or buy one and tell your ISP to install it upstream for you...
    • by Helter ( 593482 ) on Sunday November 16, 2003 @06:47PM (#7489863)
      Which is easier, trying to force thousands of people to practice network security, or installing a device that does it for them?

      Sure you need to update the thing as new viruses come out, but you need to do the same thing with your AV software, that doesn't make it worthless. This won't stop virus' and worms from being written, but it can stop them from spreading past day 2.
  • How is it "stopping malware before it hits" if the FPX is detecting current activity and filtering it? That's reacting to malware after it has already begun to spread.
  • by Anonymous Coward on Sunday November 16, 2003 @05:55PM (#7489633)
    Here. [apple.com]
  • Oh, great. (Score:5, Insightful)

    by volkerdi ( 9854 ) on Sunday November 16, 2003 @05:57PM (#7489647)
    While in theory this is a great idea, in practice it's likely to be less great. I commonly get sent reports that .ZIP files used in ZipSlack (which have never seen a Windows machine in handling by me), are infected with viruses. This is because "signatures" thought by virus scanning companies to be unique are a lot less unique than they imagined.

    If something like this is ever implemented on a wide scale, expect the system to refuse to allow random non-malware files to be used, transferred, or handled, in those cases where they happen to match a banned bit-pattern. Files and emails might even be silently dropped with no notification at all, depending on the implementation (and with an eye to history).
    • by KalvinB ( 205500 )
      I realize this was at the end of the article and reading the article at all is something not done much around here so:

      "When a virus or worm is detected, the system can either silently drop the malicious traffic or generate a pop-up message on an end-user's computer. An administrator uses a web-based interface to control and configure the system."

      So no, you don't have to worry about false positives making you miss something unless you tell it to not warn you before doing something.

      Ben
      • the system can

        either silently drop the malicious traffic or generate a pop-up message on an end-user's computer.

        That sounds, ummm, interesting. So all client machines have this program listening for pop-up messages, and some unknown box out in a middle layer somewhere on the network is configured to automatically open up these 'pop-up messages.'

        When you're not in lockstep running the software your ISP approves and running their little pop-up client (malware??) your messages just are silently dropped?

    • Re:Oh, great. (Score:4, Insightful)

      by rgmoore ( 133276 ) * <glandauer@charter.net> on Sunday November 16, 2003 @07:03PM (#7489915) Homepage

      It seems to me that this is just more evidence that computer systems will wind up looking like biology. First we had viruses and similar infectious things. Now people are trying to create the machine equivalent of an immune system. The problem is that in the process they're likely to rediscover all of the problems that our immune system causes as well as the benefits.

      This particular case is quite similar to allergies in the natural immune system. It's an overly aggressive response to an essentially harmless signal. The big problem is that virus and worm scanners are going to be succeptible to the computer equivalent of autoimmune disease; they'll start thinking that essential system files have been corrupted and try to wipe out something really important. I just hope they never develop the computerized equivalent of leukemia.

  • advantages (Score:5, Interesting)

    by BubbleNOP ( 688841 ) on Sunday November 16, 2003 @05:59PM (#7489660)
    Some advantages I can think of:
    1. Speed. Servers often are already too loaded to run more apps that check for signatures.
    2. A hardware device is usually harder to hack than the software platform doing checking. A clever piece of malware can compromise the checking machine itself.
    3. If checking is done by a secondary machine, by the time it detects the malware the infected machine may be significantly damaged already. A hardware device placed between the network and the machine, on the other hand, can stop things early enough.
    • Some advantages I can think of: ...
      A hardware device is usually harder to hack than the software platform doing checking. A clever piece of malware can compromise the checking machine itself.

      Nothing to stop a clever piece of malware fscking up the hardware (which after all, is ultimately a computer and vulnerable to algorithmic weaknesses just as your standard von neuman architecture general purpose processor).
      If checking is done by a secondary machine, by the time it detects the malware the infected mach
      • The whole point is that the hardware that does just filtering is *less* general purpose than a computer (e.g. it is impossible to alter its configuration at all, in the extreme case) and so it may be easier to close attack entry points on it and prove it to be non-vulnerable... and I didn't assume a bridging configuration. If you assume a bridging configuration then it can be compromised (when I said compromised I assumed compromised in such a way that malware goes through), leaving all machines bridged fro
      • "Ultimately I do not see how this machine is any different from a virus checker (except on the packet level). Its nothing new, its nothing clever, presumably its not that different to standard IDS schemes such as SNORT signatures, and its biggest weaknesses are going to be exactly the same as virus scanning. i.e. getting the signatures out to enough people quickly enough."

        Exactly right. The difference is that it shifts the burden from the clueless end user to a group of knowledgeable professionals who's
  • Sounds great. (Score:5, Insightful)

    by rune.w ( 720113 ) on Sunday November 16, 2003 @06:16PM (#7489744)

    Quoting from the abstract of the paper:

    FPGA logic is used to implement circuits that track the state of Internet flows and search for regular expressions and fixed-strings that appear in the content of packets.

    So apparently this hardware can only recognize patterns programmed beforehand (which makes a lot of sense). However, a problem would arise whenever an original piece of malware is released into the net. I mean, how do they plan to identify and program new strings into the machine before the systems behind it are infected? Worms tend to expand fairly quickly...

    Further insight is always welcome.

    R.
    • My assumption would be that they don't. New worms and virii will get through and infect new systems.

      However, once those new worms and virii are dissected, then they can take action. An FPGA is a exactly that -- Field Programmable Gate Array. I assume they choose FPGAs instead of ASICs because they intend to re-program in the field. Then this baby can sit on your network and squish the new problems along with the old, preventing further infection.

      I think that's the intended mode of operation. Kinda

  • by Bookwyrm ( 3535 ) on Sunday November 16, 2003 @06:17PM (#7489750)
    I am rather surprised at the commentary so far on this device, given the usual tone of responses made on slashdot that I have seen.

    This device appears to be, at heart, a box that is put in along side the routers to filter out content that the owner of the device does not want to be sent over the network. It is capable of looking for specific patterns of data and blocking the transfer of the data based on that in real time.

    Is this not precisely what one would use to filter out, say, unwanted political documents going in/out of China? To, say, spot a specific MP3 file being traded on a P2P network and stop it?

    Other comments seem to suggest people think this might actually be a workable, good idea -- guess folks are finally realizing that the Internet cannot route around all forms of censorship after all, if they think this will work.
    • Good point. I hadn't thought about this.

      However, I'm sure more people would complain if they couldn't download an MP3 than if they fail to receive a SoBig worm. (it's "legal" to download music here in Canada, after all)

    • by bedessen ( 411686 ) on Sunday November 16, 2003 @09:04PM (#7490476) Journal
      Right, this goes above and beyond simple port filtering or firewalling, in that it actively deletes material from the wire. It's kind of like the case with spam. If you reject the mail at delivery-time then at least the sender of a legitimate false-positive knows to resend. But if you silently delete things, no one is ever the wiser.

      I don't really like the notion of my ISP actively grepping every packet I send and selectively deleting some of them that match some rules. Sure, I don't care if it ONLY messes with malware, as that would never affect me since I keep a tight ship. But, what if someone programs a really sloppy or poorly written rule, and there are false positives? What if the ISP decides that it wants to start deleting other things, like p2p traffic that's taking up all that bandwidth? Again, this is different from blocking p2p ports outright, which, while still repulsive, would at least alert you to the fact that something's being blocked since you wouldn't be able to establish a connection on the blocked ports.

      Now, on a corporate/university LAN I can see a lot fewer issues. For one thing, it's a case of "their net, their rules" in that you really have no rights (in the case of the workplace) to complain about what's filtered and what isn't. But workplaces tend to already have some form of firewall or other preventative measures in place. Not that this wouldn't help, but the real case for something like this is a consumer broadband ISP, where a single installation could potentially isolate and neuter thousands of infected home boxes of people running a stock Windows 98 with no updates and no firewall.
      • When I got to work on a fairly big IDS system on a 50,000+ node network, the IDS vendor released an update to their ruleset.

        Someone goofed, and the rule to flag requests for things like /etc/passwd and /etc/shadow was really broadened. Every time the IDS detected a packet with the word "shadow" in it, bang! It flagged it.

        In our case, it was particularly annoying because the entire intranet used a webpage template that had dozens of references to "shadow.gif" (I think it was for bordering and layout). The
    • I bet it does on the fly decryption using keys pulled out of a quantum vortex too, so it doesn't miss anything even if for example, noone wanted to have people/machines spying ot their data and took steps to prevent that.

      Yeah, this won't merely raise the bar and get everyone using trivial fixed key encryption (or of all things, compression!).

      Sarcastic people aren't viciously mocking this.
    • Is this not precisely what one would use to filter out, say, unwanted political documents going in/out of China? To, say, spot a specific MP3 file being traded on a P2P network and stop it?

      I wish I saw this story when it first came out. If you check the PDF [wustl.edu] on page 6 you will see a sample image listing an entry for "Copyrighted movie" and that entry belongs to "Movie Company". On page 10 it says:

      A system has been developed that not only blocks the spread of Internet worms and computer viruses, but also
  • > prevent malware from reaching the network
    As an alternative solution, you can hire a big, fat, bald guy, whose job is to push the Microsoft and Oracle salesmen down the stairs.
  • Fantastic! (Score:3, Funny)

    by B2K3 ( 669124 ) on Sunday November 16, 2003 @06:40PM (#7489845)
    I hate programs that get stuck in infinite loops. Now, with this software, I'll just scan for these pieces of malware, and stop them from being sent over the network.

    Finally, a solution to my Halting Problem!
  • Don't they use something like this in China? I know some people want it here in the USA too. Selective filtering of network content is Carnivore. This new effort is just trying to get around holes in M$ junk. I say, let the shit burn rather than work on the next big thing in censorship.

    -what? is this thing live? I love Big Brother.

    • Conspiricay theories aside, Carnivore doesn't filter internet traffic. It merely records it all. There is a BIG difference between recording and filtering. Carnovire is also needs a search warrant, so even if they do use it w/o a warrant, it's useless in court.
  • by so sue mee ( 660717 ) on Sunday November 16, 2003 @06:45PM (#7489860)
    as malware? Say MS or any other abbreviation that is interested in declining access to competitive data just filter it. Adding a number of these devices to echelon or selling a few to repressive governments. You get the picture
    • I think a lot of people are confused about what this box does, and what it doesn't, do.

      By using FPGAs to scan network traffic (not a new idea, by the way), the device looks for fixed signatures much faster than an equivalent software solution can do so (yes, software may control it, but the actual "decisions" are made by hardware. Think level 3 switch). I'm guessing there's probably some sort of state engine implemented in the FPGAs (I haven't kept up on field-programmable logic), and optimization to lo

  • Let me see if I have this straight: The system is claimed to be much faster than comparable technology because it is running on "hardware", not software.

    Riiiiight.... So what exactly is controlling the hardware? Lemme guess... A few lines of code, some syntax, some commands... You know... Software.

    "Maybe if we put our system in a shiny box with cool LEDs instead of a rackable server like everyone else, we can call it breakthrough technology!"

    Step 1: Reinvent the wheel.
    Step 2: Patent it.......
    etc.

    • Do you use a graphics card on your computer.

      I think you get the point.

      Dedicated hardware is faster and uses less electricity. Yes , it uses software.
    • by morzel ( 62033 ) on Sunday November 16, 2003 @08:42PM (#7490367)
      "Maybe if we put our system in a shiny box with cool LEDs instead of a rackable server like everyone else, we can call it breakthrough technology!"
      This reminds me of an anecdote I heard from one the distributors of Watchguard firewalls over here:
      one of the major selling points of watchguard products when they were initially introduced was the fact that the appliance was bright red, and had a lot of blinky leds on the front plate :). Being a much 'sexier' package, the watchguard products were chosen instead of e.g. cisco PIX firewalls when the technical merits did not point to a clear winner.

  • ...with flexresp2, implemented in hardware? I confess I have not read the pdf, but I have read the article.

    http://cerberus.sourcefire.com/~jeff/archives/s n or t/sp_respond2/

    to quote:


    Active response is not guaranteed to sucessfully terminate connections. Snort is a passive
    system, except when used in 'inline' mode. In a passive configuration, the process of active
    response is a race between Snort and the endpoints in network communication. Depending
    on the CPU and/or bus speed of a system running Snort, av
    • This is similar to what I was thinking.. I never expected to get this far without anyone mentioning snort and Hogwash. Snort, being the open source IDS, and Hogwash, being an add-on that alters traffic as it passes through the IDS, based on customizable rules. It modifies the malware or just removes it before it gets passed onto the main part of the network, thus killing all virus infection attempts as they enter the network (and as any kind of unencrypted traffic -- web, smtp/pop3, etc) long before your us
  • Ok so he build a really fast sort of flashable memory hardward virus scanner. It will be lightning fast but will it not be extremly expensive? I can't see the speed benifit outwaying the cost of the unit. But I'm not an EE so can someone who is tell me if it can be done cheap?
    • i guess the point is that the isp could run it on it's stream of incoming and outgoing data. (to reduce the effects of virus storms&such..) so it would be cheap per user, even if it was hideously expensive as a device.
      • I guess, but considering that companies already sell such things(even if they be software only) that you can attach to your networks. So I still wonder if such a unit can be made cheap enough to be worth it.
  • An IDS on a FPGA (Score:3, Interesting)

    by dmiller ( 581 ) <djm@mindro[ ]rg ['t.o' in gap]> on Sunday November 16, 2003 @07:37PM (#7490082) Homepage
    It sounds like a traditional signature-matching IDS with most of it implemented on a FPGA. This isn't such a big deal - it won't "stop malware before it hits" because signatures still need to be installed on the device. An implementation on a FPGA is great for speed - which would make this device great for mitigating worm attacks, but the FPGA may constrain its utility as an IDS - it would probably lack capacity to perform some of the trickier IDS techniques (e.g. looking inside compressed or encoded content, traffic normalisation, etc.) The linked article was little more than a marketing blurb, so its hard to tell.
    • I'd say it's less like an IDS and more like a hardware accelerated iptables-meets-ngrep. If this is being done entirely in hardware I seriously doubt that it would work at the application level, as that would require a lot of processing, especially for the speeds claimed. I'm guessing that this knows how to reassemble basic sequences of packets and scan for certain patterns, perhaps with some form of wildcarding or regular expression matching. I would imagine that it simply drops the matching packets out
  • yah, right. (Score:1, Insightful)

    by Anonymous Coward
    no matter how much they put into this, someone will figure a way around it.
  • by Anonymous Coward
    This is typical of academia: they don't understand the problem, but they are quick to come up with a solution.

    Software-based products already can handle the 2.4-gbps rate this "hardware" solution claims. So there is nothing new there.

    Moreover, this solution doesn't handle important problems such as fragmentation of packets or polymorphic coding techniques -- both widely used by hackers, but handled by existing network intrusion detection systems.

    Most importantly, it doesn't handle the fact that most troj
  • I wonder if it can filter dupes and leftist banter from /. postings.
  • by mattbee ( 17533 ) <matthew@bytemark.co.uk> on Sunday November 16, 2003 @09:21PM (#7490568) Homepage
    After speaking to one of the chaps behind ddos.com I'm very excited by this kind of emerging technology: essentially ethernet/fibre "filters" which can scan and dump "unwanted" traffic without a noticeable lag on the network. I'm less excited by how much it costs at the moment: $18k list price for one of the 100Mb boxes at DDoS.com, but I suspect as competition opens up, the waffle about exciting and complicated patented technologies will give way to a decent and open discussion about the best algorithms for doing this.

    As an example of the current waffle on this topic, the white paper at ddos.com promises in one of their upcoming *cough* products a wire-speed spam filter which is 100% accurate and needs no training. Sure, sure... it's this ridiculous claim which calls into question the "zero training" aspect of their DDoS prevention-- I'm sure some configuration and known "signature" patterns of abusive traffic will help matters.

    I'm not here to pick on ddos.com, I'm sure they have an excellent and useful product. But since they are one of a very small number of people with such a product, they are prone to making wild claims and charging extortionate fees. I'm convinced a Linux/BSD kernel module could achieve the same effect and I'd be very interested to see the algorithms, training and so on needed to achieve it. But for the moment we're still subject to these pretty wild claims without much in the way of algorithmic detail.
  • FUD? (Score:2, Insightful)

    from article: Computer virus and Internet worm attacks, such as Nimba, Code Red, Slammer, SoBigF, and MSBlast have infected computers globally....Existing firewalls do little to protect against such attacks. Once a few systems are compromised, they proceed to infect other machines, which in turn quickly spread throughout a network.
    Maybe I'm misinformed but I thought that a worm like MSBlast and Co. attacks thru SMB/CIFS protocols by the 13x familily of ports. Any self-respecting netadmin blocks those from
    • As an example:

      Set up an XP laptop that had been offline for a few months, and thus was behind in security updates. Connected to broadband, modem-->switch-->machine, download patch from my own server where I had a cut+paste URL ready to go. Halfway through download, machine reboots, it's been infected. Total time, under 5 minutes.

      Setting up new machine with XP installed, same scenario as above.

      Setting up 2 machines behind linux box, no infections. Not just a linux solution, I believe even a cheap
  • I go to Wash U in St. Louis and actually know one the guys working on the project. I've also met Jon Turner, however I haven't met Lockwood. Him and some other professors sold some ATM technology to cisco back in the dot-com era and got crazy rich.

    Anyway, you can find out all about their project at the applied research labratory FRX website:

    http://www.arl.wustl.edu/arl/projects/fpx/ [wustl.edu]
  • You'll find additional references to the FPX on my blog, in "Stopping Computer Viruses Before They Reach You [weblogs.com]." And because some comments mentioned speed as an advantage of such a solution, here is a quick excerpt: "The FPX can scan each and every byte of every data packet transmitted through a network at a rate of 2.4 billion bits per second. In other words, the FPX could scan every word in the entire works of Shakespeare in about 1/60th of a second." My summary also contains a photograph of an FPX module.
  • This would be a neat way to watch for nasties on the wire. But most ISPs still don't use even the simplest form of filtering on their mail servers that would stop all viruses cold. The goddamn software is free; why can't ISPs use it? For filtering out viruses at mail servers:

In the long run, every program becomes rococco, and then rubble. -- Alan Perlis

Working...