[ISN] Prof aims to improve Internet security

From: InfoSec News (alerts@private)
Date: Mon Jan 28 2008 - 00:16:13 PST


http://www.madison.com/wsj/home/local/269556

By Heather LaRoi
Wisconsin State Journal
JAN 26, 2008 

UW-Madison computer scientist Paul Barford doesn't want to be alarmist,
but he thinks you could be in danger of being attacked -- by a botnet.

Botnets (a term combining "robot" and the "Net") are the biggest and
baddest Internet villains out there these days, he said, combining other 
threats that have been around for years -- worms, viruses, spyware, and 
so on.

What takes the botnet threat to an even higher level is its potential 
for what Barford calls "command and control."

That means someone sitting in an Internet cafe on the other side of the 
world could send commands to groups of compromised systems and send 
spam, gather personal information or use botnets for what's called
denial-of-service attacks.

The threat has the potential to go way beyond identity theft, Barford 
said, and could even have terrorist implications, which might partly 
explain why Barford's research is supported by the National Science
Foundation, the Army Research Office and the Department of Homeland
Security.

"I don't want to sugarcoat this at all," Barford said. "The situation
is bad, and it's going to get way worse before it gets better. And
here's the sad thing: it's likely that all of us at some point are going
to be affected by this."

Barford and his colleagues at UW-Madison have developed a new approach 
to detecting such network intrusions by focusing on a slight 
vulnerability in such malicious traffic, the pattern or "signature"
that it creates. What sets Barford's technology apart from other
security tools is its ability to be specific and general at the same 
time in detecting and identifying these signatures.

In being specific, it doesn't rely on casting a wide net as most other
tools do. That's important because it means benign traffic isn't
misidentified as malicious, thereby generating the false positives that 
can rapidly bog down other security systems.

The technology is also general in that it can use a single signature to 
detect classes of attacks, something other systems don't offer,
according to Barford.

"If an attack is similar to something we've already seen, we're going
to catch it," Barford said. "That's our mechanism for staying ahead."

Jeffrey Savoy, of UW-Madison's Office of Campus Information Security,
said that where Barford's product is probably most different is in
reducing the false positives.

"Sometimes false positives can lead you to better understanding of your
network," Savoy said. "The problem is if you have hundreds of false
positives and you have to weed through every one, the chance of you
missing a real one is greatly increased. That's the challenge that we
have."

The Internet threat landscape has changed dramatically in the past 
several years, according to Barford. Before about 2003, he said, the 
major motivation for malicious activity on the Internet was often just 
the challenge of doing it. Since then, however, economic profit -- huge 
profit -- is now driving what has become a major underground industry.

Countering these botnets is mostly a matter of damage control, Barford
said.

"Make no mistake about it, this is an arms race. You're always behind,
you're always catching up," he said. "The attackers only have to find
one means of attack. The defenders have to defend against all means of
attack."

Last June, Barford and colleagues, with the backing of the Badger Alumni 
Capital Network, opened a spinoff company at University Research Park 
called Nemean Networks. "Nemean" comes from the Herculean myth of the
Nemean lion whose skin can't be penetrated by anything.

Nemean is based on four distinct patents either filed or in process with 
the Wisconsin Alumni Research Foundation.

The technology Nemean will market isn't something that individual
consumers use but is rather something that's installed and used by
network service providers. Barford said there have already been
conversations with several Fortune 100 companies about test deployments
in the coming months.

"We believe what we offer is a paradigm shift that is going to have a
significant impact, but we're not solving the problem. We're just
raising the bar. We think we're raising it a lot -- but the problem
never is going to be solved," Barford said.

"But if we can reduce the amount of overall malicious activity in the
Internet, everybody benefits."


BETTER SECURITY

The discovery: Paul Barford and his team identified a new methodology 
for transforming the "signatures" of Internet actions into a means of
detecting malicious network intrusions.

What it means: Installed by network service providers, the new security 
technology helps to eliminate the false positives that can bog down 
other Internet security systems. It also can use a single signature to 
detect classes of attacks.

Why it's important: Use of malicious botnets poses network risks that
could run the gamut from personal identity theft to illegal control of 
infrastructure systems.

