Free Republic

Viral cure could 'immunise' the internet
New Scientist.com News service | 12/1/2005 | Kurt Kleiner

Posted on 12/03/2005 6:46:01 AM PST by Neville72

(via KurzweilAI.net)

A cure for computer viruses that spreads in a viral fashion could immunise the internet, even against pests that travel at lightning speed, a mathematical study reveals.

Most conventional anti-virus programs use "signatures" to identify and block viruses. But experts must first analyse a virus before sending out the fix. This means that rapidly spreading viruses can cause widespread damage before being stopped.

Some researchers have developed artificial "immune systems" that automatically analyse a virus, meaning a fix can be sent out more rapidly. In practice, however, computer viruses still tend to spread too quickly.

Now Eran Shir and colleagues at Tel-Aviv University in Israel have applied network theory to the problem, and believe they have come up with a more effective solution.

Part of the problem, the researchers say, is that countermeasures sent from a central server over the same network as the virus it is pursuing will always be playing catch-up.

They propose developing a network of "honeypot" computers, distributed across the internet and dedicated to the task of combating viruses. To a virus, these machines would seem like ordinary vulnerable computers. But the honeypots would attract a virus, analyse it automatically, and then distribute a countermeasure.

Healing hubs

But the honeypots would be linked to one another via a dedicated and secure network. This way, once one has captured a virus, all the others will quickly know about the infection immediately. Each honeypot then acts as a hub of healing code which is disseminated to computers connected to it. The countermeasure then spreads out across the broader network.

Simulations show that the larger the network grows, the more efficient this scheme should be. For example, if a network has 50,000 nodes (computers), and just 0.4% of those are honeypots, just 5% of the network will be infected before the immune system halts the virus, assuming the fix works properly. But, a 200-million-node network – with the same proportion of honeypots – should see just 0.001% of machines get infected.

Security measures, such as encryption, would be needed to prevent viruses from exploiting the honeypot network.

"They've shown it is possible to use this epidemically spreading immune agent to good advantage," says Jeff Kephart, a computer scientist at IBM in Hawthorne, New York, US. "The next step would be to look more carefully at the benefits and costs of this approach. I see promise in it."

The paper only discusses the mathematical model, and there is no effective implementation as yet. But Shir plans to release a simple example program soon and hopes that volunteers or a company will eventually implement the real thing across the internet.

Journal reference: Nature Physics (DOI: 10.1038/nphys177).


TOPICS: Miscellaneous

1 posted on 12/03/2005 6:46:02 AM PST by Neville72
[ Post Reply | Private Reply | View Replies]
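
The scheme the article describes (honeypots that share a capture over a dedicated side network and then each seed the countermeasure), as an added toy simulation that is not part of the original post or of the paper. The ring-plus-shortcuts graph, the equal virus and cure speeds, and the names `infected_fraction`, `honeypot_share` and `linked` are assumptions; it does not reproduce the paper's model or its figures.

```python
import random

def build_graph(n, shortcuts, rng):
    """Ring (keeps the graph connected) plus random shortcut links."""
    adj = [{(i - 1) % n, (i + 1) % n} for i in range(n)]
    for _ in range(shortcuts):
        a, b = rng.randrange(n), rng.randrange(n)
        if a != b:
            adj[a].add(b)
            adj[b].add(a)
    return adj

def infected_fraction(n=5000, honeypot_share=0.004, linked=True, seed=7):
    """Fraction of nodes the virus ever infects before the cure overtakes it."""
    rng = random.Random(seed)
    adj = build_graph(n, 2 * n, rng)
    honeypots = set(rng.sample(range(n), round(n * honeypot_share)))
    # S = susceptible, I = infected, R = immunised/cured, H = dormant honeypot
    status = ["H" if v in honeypots else "S" for v in range(n)]
    start = rng.choice([v for v in range(n) if v not in honeypots])
    status[start] = "I"
    virus_front, cure_front, ever_infected = {start}, set(), 1
    while virus_front or cure_front:
        probes = {w for v in virus_front for w in adj[v]}
        # A probed honeypot captures the virus. Over the dedicated side
        # network (linked=True) every other honeypot learns of it at once.
        if any(status[w] == "H" for w in probes):
            woken = honeypots if linked else probes
            for h in woken:
                if status[h] == "H":
                    status[h] = "R"
                    cure_front.add(h)
        # Virus step: every susceptible neighbour of the frontier is infected.
        newly_infected = {w for w in probes if status[w] == "S"}
        for w in newly_infected:
            status[w] = "I"
        ever_infected += len(newly_infected)
        # Cure step: the countermeasure spreads one hop, at the virus's speed.
        cured = {w for v in cure_front for w in adj[v] if status[w] != "R"}
        for w in cured:
            status[w] = "R"
        # Nodes cured in the same step never get to pass the virus on.
        virus_front = {w for w in newly_infected if status[w] == "I"}
        cure_front = cured
    return ever_infected / n
```

With the same seed, `linked=True` never infects more nodes than `linked=False`, where a honeypot starts healing only once the virus or the cure reaches it; `honeypot_share=0.0` lets the virus reach every node.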

To: Neville72

Not this crap again.

Some hacker already tried this a couple of years ago. It wound up causing more headaches than the worm it was trying to eradicate.


2 posted on 12/03/2005 6:50:09 AM PST by Terpfen (Libby should hire Phoenix Wright.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Neville72

Ah the eternal question raises its ugly head again... Who decides (what is and isn't a virus)?


3 posted on 12/03/2005 6:51:49 AM PST by thoughtomator (What'ya mean you formatted the cat!?)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Neville72
Skynet.
4 posted on 12/03/2005 6:52:35 AM PST by ClearCase_guy
[ Post Reply | Private Reply | To 1 | View Replies]

To: Neville72; ShadowAce

.4% of 200mil. is a LOT of machines acting as honeypots: it is still 800,000 machines. That's a bit impractical unless you are talking about using a donated distributed processing model similar to the SETI@home project.


5 posted on 12/03/2005 6:53:35 AM PST by contemplator (Capitalism gets no Rock Concerts)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Terpfen
> Not this crap again.
>
> Some hacker already tried this a couple of years ago. It wound up causing more headaches than the worm it was trying to eradicate.


Because someone tried and failed doesn't mean it's not a valid concept. If that were the case man would still be walking everywhere he wanted to go.
6 posted on 12/03/2005 6:57:14 AM PST by contemplator (Capitalism gets no Rock Concerts)
[ Post Reply | Private Reply | To 2 | View Replies]

To: Terpfen

It's what mathematicians do. They can't all be expected to chase ducks & calculate their waddle.


7 posted on 12/03/2005 6:59:27 AM PST by Cold Heart
[ Post Reply | Private Reply | To 2 | View Replies]

To: Neville72
> But the honeypots would attract a virus, analyse it automatically, and then distribute a countermeasure.

I'd like to see a countermeasure that wreaked instant havoc upon the virus creator's computer and the virus creator personally.

8 posted on 12/03/2005 7:00:05 AM PST by Fester Chugabrew
[ Post Reply | Private Reply | To 1 | View Replies]

To: Neville72

the ACLU will put a stop to it, LOL.


9 posted on 12/03/2005 7:01:18 AM PST by Vn_survivor_67-68
[ Post Reply | Private Reply | To 1 | View Replies]

To: contemplator

Er... yes, it means precisely that this isn't a valid concept.

The idea is to destroy a worm, which causes damage through overwhelming network activity, by... creating another worm to do the same thing!

It's a stupid idea, and practice has already shown that it doesn't work. There's a simpler way to save the internet: you, at home, on your computer, run virus scans once a week. Problem solved.


10 posted on 12/03/2005 7:06:39 AM PST by Terpfen (Libby should hire Phoenix Wright.)
[ Post Reply | Private Reply | To 6 | View Replies]

To: Terpfen

Yup. I have never...not once...had a virus on my system, and it's connected full time to a high speed connection. I've been computing since 1981 when I got my first IBM PC.

Caution is all that's required, along with keeping up with anti-virus technology.

This idea is a bad one.


11 posted on 12/03/2005 7:10:46 AM PST by MineralMan (godless atheist)
[ Post Reply | Private Reply | To 10 | View Replies]

To: MineralMan

"Yup. I have never...not once...had a virus on my system, and it's connected full time to a high speed connection."


Same here. I've been "connected" since about 97.


12 posted on 12/03/2005 7:18:00 AM PST by cripplecreek (Never a minigun handy when you need one.)
[ Post Reply | Private Reply | To 11 | View Replies]

To: thoughtomator
"Who decides (what is and isn't a virus)?"

I've got you covered!

13 posted on 12/03/2005 7:24:24 AM PST by billorites (freepo ergo sum)
[ Post Reply | Private Reply | To 3 | View Replies]

To: Terpfen

> There's a simpler way to save the internet: you, at home, on your computer, run virus scans once a week. Problem solved.

Sigh. Tell that to the wife and kids ("But I ran Norton last year!") Even as I type, I've got Spybot S&D running upstairs.


14 posted on 12/03/2005 7:28:05 AM PST by cloud8
[ Post Reply | Private Reply | To 10 | View Replies]

To: Terpfen
You are certainly entitled to your opinion. However, your definition of a worm is nowhere near complete and is mischaracterizing. What you are describing is a type of a denial of service attack which is only one small type of attack and is not unique to worms.

Calling something a name like 'stupid' isn't exactly a well reasoned argument.

As I pointed out in my earlier post and you saw fit to ignore and then restate your point again, "practice" does not disprove a concept it only proves that that particular approach was flawed. If that were the case, then after the botched attempt to launch a plane off the end of a pier by someone else, the Wright Brothers should never have tried to fly at all.

The concept itself is perfectly valid and has been proven to work quite well in the human body.

As a hands-off push method where the internet itself is reacting to viruses as opposed to a pull method where users pull in the fix themselves this is a great idea and should be used in conjunction with other available methods of protection and cures. No one is saying that users should not protect themselves with their own antivirus methods, just that an additional approach is helpful. I'm sure you are thankful that you don't have to rely solely on the medications the pharmaceutical companies are able to provide and that you have an internal system working for you as well.
15 posted on 12/03/2005 7:29:46 AM PST by contemplator (Capitalism gets no Rock Concerts)
[ Post Reply | Private Reply | To 10 | View Replies]

To: cloud8

I'd rather tell it to the AV program's auto-scan function, or Windows' task scheduler.

Some computers just need regular attention from Kaspersky or NOD32, not Norton's system slowdown solutions...


16 posted on 12/03/2005 7:30:17 AM PST by Terpfen (Libby should hire Phoenix Wright.)
[ Post Reply | Private Reply | To 14 | View Replies]

To: contemplator
> You are certainly entitled to your opinion. However, your definition of a worm is nowhere near complete and is mischaracterizing. What you are describing is a type of a denial of service attack which is only one small type of attack and is not unique to worms.

I'm describing the most well-understood and most detrimental effect of worms. The solution to a problem of a program type whose primary effect is to slow to the point of rendering inoperative every computer and network it can infect is not more of the same.

I'm calling it a stupid idea because it IS a stupid idea.
17 posted on 12/03/2005 7:32:50 AM PST by Terpfen (Libby should hire Phoenix Wright.)
[ Post Reply | Private Reply | To 15 | View Replies]

To: Terpfen
"There's a simpler way to save the internet: you, at home, on your computer, run virus scans once a week. Problem solved."

Any solution that requires the user to do anything but click on every link presented will not work. The vast majority of computer users will never be virus savvy. I work with college professors, generally smart people. When it comes to computers, they are Neanderthals.
18 posted on 12/03/2005 7:37:43 AM PST by Poser (Willing to fight for oil)
[ Post Reply | Private Reply | To 10 | View Replies]

To: Terpfen
> I'm calling it a stupid idea because it IS a stupid idea.

Your logic is overwhelming. It's good that you didn't have to resort to characterizing to make your point. The detrimental effects of worms make up quite a large list, most of which are destructive in nature, the least of your worries is that your machine may slow down.
19 posted on 12/03/2005 7:52:02 AM PST by contemplator (Capitalism gets no Rock Concerts)
[ Post Reply | Private Reply | To 17 | View Replies]

To: Terpfen

> There's a simpler way to save the internet: you, at home,
> on your computer, run virus scans once a week. Problem solved.

Anyone sentient enough to do that is already at very low
risk of infection, particularly if they use a mail client
with a restricted or disabled preview pane. This does not
describe the average PC user, who will not be saved by
weekly scans.

Furthermore, once a week is not often enough. By the time
you discover and remove the latest keylogger, it's already
phoned-home with a week's worth of bank passwords. Even
live-updating and scanning daily won't protect the
otherwise careless from last night's new cracks.

Now, running Linux might provide a dramatic boost in
general immunity for the computationally inept, but that's
another thread fork.


20 posted on 12/03/2005 7:53:31 AM PST by Boundless
[ Post Reply | Private Reply | To 10 | View Replies]

