New Breakthrough in Worm Detection…Using Existing Technology???

docNetwork World is reporting that Penn State University researchers have created technology they say can nab computer worms more quickly than traditional signature-based systems. This is done by watching for anomalous traffic patterns such as increased traffic rates to or from individual hosts.

From the article:

The Proactive Worm Containment technology watches for a packet’s rate and diversity of connections to other networks to identify worms, rather than having to wait around for a signature to be generated to spot new malware.

This technique can cut the time from identifying and capturing a worm from minutes to milliseconds, allowing for only a handful of infected packets to spread, the research team claims. That makes a big difference when you consider that notorious worms such as Slammer could issue 4,000 packets a second when attacking Microsoft’s SQL Server.

I had to read this article twice to try and understand how this “new technology” is different from present day Network Behavior Analysis (NBA) technology from vendors like Q1 Labs, Arbor Networks, Mazu Networks, and Lancope. Forcing myself to read it a third time still hasn’t convinced me that their methods are newer than anything out there today.

Also from the article:

The technology, now in beta testing and in the midst of being patented, isn’t just fast. It’s also smart. In the event that a high connection rate turns out not to be the sign of a worm, the security system can do its version of a mea culpa and release the packets upon recognizing the mistake, the researchers say.

I guess I will wait to see description used in the patent as well as a final product before I make final judgment but I fail to see how the methods being used are new.

Scroll to top