[ISN] Mutating software could predict hacker attacks

From: William Knowles (wk@private)
Date: Mon Feb 02 2004 - 02:36:19 PST


    http://www.newscientist.com/news/news.jsp?id=ns99994588 
     
    25 January 04
    
    Novel computer viruses and worms can sweep the world within hours, 
    leaving a trail of devastation, because firewalls and antiviral 
    software work by identifying the telltale signatures of known attacks. 
    They are useless against anything completely new. 
    
    But now software engineers at Icosystem in Cambridge, Massachusetts, 
    have developed a program that can predict what is coming next by 
    "evolving" future hacker and virus attacks based on information from 
    known ones. The company is testing the technique with the help of the 
    US Army's Computer Crimes Investigation Command in Fort Belvoir, 
    Virginia.
    
    The idea would be to generate these novel attack strategies centrally, 
    then remotely update the intrusion-detection software protecting PCs 
    and networks around the world. This would allow them to recognise 
    attack patterns before hackers have even developed them. 
    
    The first version of the system is geared to predict hacking - though 
    the technique is equally applicable to viruses. It works by mutating 
    the short programs or "scripts" that hackers use to invade computers 
    or which they plant on them for later activation.
    
    The result is artificially created hacking routines that security 
    systems could be taught to recognise, allowing them to defend networks 
    against previously unseen attacks.
    
    
    Self destruct 
    
    Most attacks target well-known bugs in commercial web server software. 
    By sending packets of data designed to exploit these flaws, an 
    attacker can gain remote control over a computer or force it to do 
    something self-destructive, like crashing after a certain number of 
    keystrokes.
    
    To defend against such attacks, today's computer networks use software 
    that analyses traffic for signs of malicious activity. For instance, 
    the arrival of data packets at an unusual input port may be a sign 
    that a hacker is trying to flood a section of memory with oversized 
    files in order to overwrite working memory and corrupt data.
    
    But the attack may be modified in some way to confuse such defences - 
    perhaps by combining a number of different attack routines. What is 
    needed is an intrusion detector that can predict hackers' future 
    strategies. And that is what Icosystem claims to have developed.
    
    Its attack prediction system takes known hacking software and 
    systematically mutates it to find the most deadly permutations. The 
    mutations are kept simple so that the code still runs - there is no 
    point in random mutations that render the software useless.
    
    [...]
    
    -
    ISN is currently hosted by Attrition.org
    
    
    This archive was generated by hypermail 2b30 : Mon Feb 02 2004 - 05:48:23 PST