> High bandwidth outgoing traffic indicating a worm
> attempting to spread or conduct a DDoS attack would be
> a good met
Hmmm. High outgoing traffic could also mean that you're trying to upload content, so that wouldn't be a good idea.
IMO, I don't think it could work if it were done by simply analysing the usage. After all, the Linux OOM killer tries to do something like this and has a lot more information to work with, but it still doesn't always get it right (http://lwn.net/Articles/104179/). So it's not uncommon to just disable the OOM killer and just prevent the problem (by having enough swap space to begin with).
I really think this is mostly aimed at corporate customers where the management of the hundreds or thousands of office-worker machines is a big overhead. In those environments you generally won't (or at least shouldn't ;-) be uploading stuff.
For a home machine, or even the workplace machine of a highly technical user, I don't really see it doing anything but annoying people - it doesn't help the user, just the machines around him. When those machines are under common management, this could be very helpful to that management even though that user loses his 'net connection.
Well, the article was rather light on specifics.
Here's one guess:
* The system works on traffic profiling, since it doesn't require virus signatures. What might signal a worm outbreak? High bandwidth outgoing traffic indicating a worm attempting to spread or conduct a DDoS attack would be a good metric. This would also not detect normal downloads. Statistic metrics can be devised to filter out "abnormal" patterns for a specific environment.
Here's a bit of technical speculation as to how I'd like to see it done:
* If Intel are into it, it sounds like it sits outside the operating system. You *could* implement this in hardware but this has a number of issues in the flexibility, cost and management aspects.
* A better place to put this would be in a virtual machine monitor: put the OS in a high performance virtual machine (probably using Intel's VT extensions) and have the VMM take care of this sort of maintenance.
* You could even use a separate "locked down" virtual machine to perform the "circuit breaking" for the user's virtual machine. The "circuit breaker" could be accessed remotely by IT staff to assess what's happened.
* Running the Intrusion Detection in a separate virtual machine also means you can use standard IDS systems such as Snort, potentially running several at once.
My 2 Euro cents ;-)
Mark
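The traffic-profiling guess above, worked through as an added example. This is not code from the thread, from the article, or from anything Intel described: it takes the one metric Mark names (high outbound bandwidth against a per-environment statistical baseline), keeps normal downloads from firing as he wants, and then has to face the upload objection raised earlier in the thread. To do that it assumes the monitor also keeps a count of distinct destination addresses per host per minute, which the article never mentions; a bulk upload goes to one or a few servers, while a scanning worm fans out to many. A DDoS against a single target looks like an upload on every counter here, so that case is reported as ambiguous rather than tripped. All counters and host names are constructed.

```python
"""Traffic-profiling circuit breaker (added example, not the thread's code).

Per-host, per-minute counters of the sort an out-of-OS monitor (a VMM or a
NIC) could keep without any virus signatures. The distinct-destination count
is an assumption beyond what the article describes.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class MinuteSummary:
    host: str
    minute: int
    bytes_out: int
    bytes_in: int
    distinct_dst: int  # assumed extra counter: distinct destination IPs this minute


def build_baseline(summaries, training_minutes):
    """Per-host mean/stddev of bytes_out over the first training_minutes minutes.
    This is the 'statistic metric devised for a specific environment'."""
    per_host = defaultdict(list)
    for s in summaries:
        if s.minute < training_minutes:
            per_host[s.host].append(s.bytes_out)
    return {h: (mean(v), pstdev(v)) for h, v in per_host.items()}


def classify(s, baseline, z_threshold=4.0, min_bytes=1_000_000, fanout_threshold=50):
    """Label one minute of one host's traffic:
      'normal'         outbound within the host's usual band (or below min_bytes)
      'download'       outbound is up but inbound dominates: not a worm pattern
      'fan_out'        outbound spike to many distinct peers: scanning/spreading
      'outbound_spike' outbound spike to few peers: bulk upload or single-target
                       DDoS, indistinguishable on these counters, so report, don't trip
    """
    mu, sigma = baseline.get(s.host, (0.0, 0.0))
    sigma = max(sigma, 1.0)  # a perfectly flat baseline must not divide by zero
    z = (s.bytes_out - mu) / sigma
    if s.bytes_out < min_bytes or z < z_threshold:
        return "normal"
    if s.bytes_in > s.bytes_out:
        return "download"
    if s.distinct_dst >= fanout_threshold:
        return "fan_out"
    return "outbound_spike"


def classify_window(summaries, training_minutes):
    """Labels for every (host, minute) after the training window."""
    baseline = build_baseline(summaries, training_minutes)
    return {(s.host, s.minute): classify(s, baseline)
            for s in summaries if s.minute >= training_minutes}


def circuit_breaker(summaries, training_minutes, trip_on=("fan_out",)):
    """Return {host: first minute the breaker tripped}. Only fan_out trips by
    default; ambiguous spikes are left for IT staff to assess."""
    baseline = build_baseline(summaries, training_minutes)
    tripped = {}
    for s in sorted(summaries, key=lambda x: (x.minute, x.host)):
        if s.host not in tripped and classify(s, baseline) in trip_on:
            tripped[s.host] = s.minute
    return tripped


def make_sample():
    """Constructed data, not a capture: ten quiet training minutes for three
    workstations, then one minute in which each does something different."""
    rows = []
    for host in ("ws-01", "ws-02", "ws-03"):
        for m in range(10):
            rows.append(MinuteSummary(host, m, 50_000 + 1_000 * (m % 5), 400_000, 6))
    rows += [
        # ws-01: 20 MB out to 400 different peers, little back: worm spreading
        MinuteSummary("ws-01", 10, 20_000_000, 300_000, 400),
        # ws-02: 30 MB out to two peers: a bulk upload, or a single-target DDoS
        MinuteSummary("ws-02", 10, 30_000_000, 500_000, 2),
        # ws-03: 2 MB out (mostly ACKs) against 80 MB in: an ordinary download
        MinuteSummary("ws-03", 10, 2_000_000, 80_000_000, 3),
    ]
    return rows


SAMPLE = make_sample()

if __name__ == "__main__":
    for key, label in sorted(classify_window(SAMPLE, 10).items()):
        print(key, label)
    print("tripped:", circuit_breaker(SAMPLE, 10))
```

Run as a script it prints one label per host for minute 10 and trips only ws-01. The thresholds (z of 4, 1 MB floor, 50 distinct peers) are placeholders to be tuned per environment, which is exactly the per-site statistical work the comment anticipates; on a single heavily used developer box the baseline will be noisy enough that the breaker is mostly an annoyance, which is the point the first reply makes.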