In the future, PCs infected with worms or viruses may try to contain the plague by putting themselves in quarantine. Automatic Network Outbreak Containment was one of a number of future technologies shown off on the final day of the Intel Developer Conference in San Francisco.
Intel Parades Self-Defending Hardware
About The Author
Follow me on Twitter @thomholwerda
2005-08-26 6:06 pmAnonymous
yes I know how it works but I’m not granted to tell it. (indeed I really know how it works because I developped myself the code and theory for them).
2005-08-26 6:09 pmAnonymous
Sorry, but I don’t get the point.
Is this some sort of secret handshake and I am supposed to meet you at the back alley so that we can all discuss the details?
2005-08-26 6:47 pmg2devi
The key thing is, in order to quarantine the computer, you need to detect the problem and if you could detect the problem, you can prevent it. Given that spyware and viruses still get by antivirus programs that are regularly updated, I really don’t see how can be any better.
Sounds interesting. I am sure the people who write the viruses and the worms will try to create a false alarm and make the system get kicked out to create some chaos, but neverthless it should be fun to see which group gets outsmarted!
I am not too thrilled about Hardware thinking it knows how to manage a given network. Expensive solution that will be obsolete in the time it takes to install it.
Well the article was rather light on specifics.
Here’s one guess:
* The system works on traffic profiling, since it doesn’t require virus signatures. What might signal a worm outbreak? High bandwidth outgoing traffic indicating a worm attempting to spread or conduct a DDoS attack would be a good metric. This would also not detect normal downloads. Statistic metrics can be devised to filter out “abnormal” patterns for a specific environment.
Here’s a bit of technical speculation as to how I’d like to see it done:
* If Intel are into it, it sounds like it sits outside the operating system. You *could* implement this in hardware but this has a number of issues in the flexibility, cost and management aspects.
* A better place to put this would be in a virtual machine monitor: put the OS in a high performance virtual machine (probably using Intel’s VT extensions) and have the VMM take care of this sort of maintenance.
* You could even use a separate “locked down” virtual machine to perform the “circuit breaking” for the user’s virtual machine. The “circuit breaker” could be accessed remotely by IT staff to assess what’s happened.
* Running the Intrusion Detection in a separate virtual machine also means you can use standard IDS systems such as Snort, potentially running several at once.
My 2 Euro cents 😉
2005-08-26 8:04 pmg2devi
> High bandwidth outgoing traffic indicating a worm
> attempting to spread or conduct a DDoS attack would be
> a good met
Hmmm. High outgoing traffic could also mean that you’re trying to upload content, so that wouldn’t be a good idea.
IMO, I don’t think it could work if it were done by simply analysing the usage. After all, the Linux OOM killer tries to do something like this and has a lot more information to work with, but it still doesn’t alway get it right ( http://lwn.net/Articles/104179/ ). So it’s not uncommon to just disable the OOM killer and just prevent the problem (by having enough swap space to begin with).
2005-08-26 8:11 pmMark Williamson
I really think this is mostly aimed at corporate customers where the management of the hundreds or thousands of office-worker machines is a big overhead. In those environments you generally won’t (or at least shouldn’t 😉 be uploading stuff.
For a home machine, or even the workplace machine of a highly technical user I don’t really see it doing anything but annoying people – it doesn’t help the user, just the machines around him. When those machines are under common management, this could be very helpful to that management even though that user loses his ‘net connection.
A nice-sounding idea, but I don’t see how this could ever be implemented in a functional manner that stays out of your way. I expect that if it is ever deployed, it will end up requiring more administration and hand-holding than systems without it.
2005-08-26 8:13 pmSphinx
here here, this should not be the job of hardware.
Actually I wouldn’t like it a bit if my hardware decided that I am infected or not. My ISP runs (and has more or less invented)
. It requires managable switches and a honeypot, and it just works. At the moment an infected a computer tries to infect the honeypot, it is thrown into a very limited network, that consists of the university homepage, windows update, and the virusscan definition update page. The client gets one chance to desinfect his PC and declare himself sane on a simple page (that is the default page the infected computer gets redirected to). Only if he gets reinfected after that, he will have to explain to a helpdesk what he has done to clean himself and only than they will reconnect him. No more easy buttons, but pure patience. This has helped to reduce the workload on the helpdesk significantly and has made it a lot easier for me to remain virus-free.
The conclusion: A smart, well-managed network works, don’t know how much PC hardware would help.
2005-08-26 8:31 pmJrezIN
That’s pretty interesting actually. Thanks for sharing!
About how hardware will perform a similar job… Maybe the system will just be monitoring computer and trying to relate a degraded performance with a system’s port traffic (probably not very good idea for popular webservers due processing usage…), execution code… and similar things… But some *real* information about it would help a lot to understand if it can actually work (or if it depends somehow of software cooperation) or it’s just another forgotten “feature” in the future…
Just thinking its not that hard to code a virus to use normal traffic patterns. I think the only reason they are not coded that way now is because Virus writers are lazy and or they don’t have too. I would bet there are quite a few Trojans/Virii out there now that does just that.
2005-08-27 12:06 amAnonymous
That’s precisely my train of thought. This is just going to cause a revolution in the way worms and virii are written. There is very little probability of success when your defense is a system running fixed analysis and the worm/virii can evolve in so many different directions.
Normal applications don’t create hundreds of outgoing connections per second.
Forcing worm authors to slow down their worms is good, because it gives people more time to react.
/me r3quir3 m0r3 ][nf0 to f1gh7 3v1l //1t|-| m0r3 l33t p0w3r!
…ju5t a l4me j0k3 dood! ;]
and seriouly, anyone knows how this actually work? because these articles always make these things look like “amazing-buy-it-now-and-even-does-our-laundry”… =]