Networking To Stop Malware

Pooling and analyzing data properly could help stop malware more effectively. Seems like a no-brainer but so far no one has a released a product to do it.

But maybe that will change soon. Researcher from University of California, Davis (UC Davis) and Intel Corporation have come up with the idea that if computers share information about anomalous activity then that information can be used to make management-level decisions such as shutting down a suspect computer to avoid having it spreading malware around the network.

The basic problem is the same old problem we've faced for decades: New strains of malware that aren't detected by existing software and/or related malware signatures. Those nuisances can enter a network and cause a lot of trouble before security software can be updated. But by detecting certain types of behavior, such as attempts to connect to other computers on the network or irregular network traffic in general, suspicion levels can be raised within monitoring software.

When those levels exceed a threshold then the computer under suspicion can be automatically isolated or completely shutdown. Of course cost is always a factor during a security breach or when a system is taken offline. So a solution like this would use an algorithm to weigh the associated costs in either condition and take whatever action the solution is configured to take based on the result of the algorithm.

"The computer used by a person working with online sales, for example, might be disconnected only when the threat of an attack is virtually certain; the benefit she provides by continuing to work during false alarms far outweighs the cost of infection. On the other hand, a computer used by a copywriter who can complete various tasks offline might disconnect whenever the probability of an attack rises above even a very low level," a spokesperson for UC Davis wrote.

All this thinking is the basis of a study published in the proceedings of "Recent Advances in Intrusion Detection, 2008" (RAID 2008), which was a symposium held in September 2008. The study is the work of John-Mark Agosta (of Intel), Jeff Rowe (research scientist at UC Davis), Karl Levitt and Felix Wu - both of whom are computer science professors at UC Davis.