More than a year after being launched by hackers on a campaign to infect computers running Microsoft Windows, the Conficker worm's effects are still being felt. England's Greater Manchester Police department, for example, has had to cut its computers off from a national criminal database since detecting Conficker on its network last week.
The reemergence of Conficker, which has infected millions of computers worldwide since first surfacing in November 2008, is a reminder of just how difficult it is to eradicate self-replicating worm programs once they penetrate a network.
A team of researchers at The Pennsylvania State University in University Park is developing an approach to finding and confining computer worms that relies on a computer's ability to detect suspicious network activity before it becomes a serious problem. Although there's already a market for this type of software—known as anomaly detection system (ADS)—the researchers think their new algorithm will improve on existing ADS, specifically protecting local networks (those run inside an organization's firewall) from the spread of worms.
The algorithm checks all of the devices (including computers, network routers and printers) connected to a local network to determine which of these are susceptible to a worm infection. (A printer, for example, would not be a target because it does not engage in two-way communications as a computer would). Because worms move from computer to computer by scanning victims for vulnerabilities, the algorithm informs the network's intrusion detection system to monitor for scanning within the network (some of which is legitimate) and initiate a lockdown if it sees more than the usual scanning activity or other suspicious behavior from a particular computer.
From Scientific American
View Full Article
No entries found