Researchers examine worm throttling plan

Researchers at Hewlett Packard laboratories in Bristol, England, have been working on a new technology designed to choke off Internet worms and viruses in an attempt to slow them down and control their spread.

Matt Williamson, the researcher spearheading the research, has released a paper on "virus throttling". It details the logic behind the new concept, and outlines some of the techniques that HP is currently researching and implementing.

The core logic of virus throttling hinges on the idea that a computer infected by a worm will often try to connect to as many different machines as possible within the shortest time-frame, whereas a computer under the control of a human will behave quite differently.

Human web browsing will result in a connection rate of less than two out-going Internet connection attempts per second. The Nimda and Code Red worms, on the other hand, would pump out up to 500 connection attempts per second.

No human interaction with a computer could cause such a high connection rate, so Williamson and his team are working out how best to choke off these rapid-fire connection attempts, hence dramatically slowing down the spread of a given worm. Slowing down a worm can dramatically impair its ability to propagate.

"Since a machine that is infected, but throttled, isn't spreading the virus any more, the overall speed of infection is reduced. Also, since there will be fewer machines actively spreading the virus, the load on network infrastructure - routers for instance - will be reduced," Williamson said.
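The throttling idea described above, as an added Python sketch (not HP's code and not the algorithm from Williamson's paper). The limit of two new destinations per second comes from the article's human browsing figure; the recent-host list, delay queue, alert threshold and both traffic samples are constructed assumptions.

```python
from collections import deque

def throttle(traffic, rate=2, recent_size=5):
    """Simulate one machine's outbound connections, one list of destinations per second.

    Destinations contacted recently pass at once; all others wait in a delay
    queue that releases at most `rate` new destinations per second.
    Returns (connections_sent_per_second, queue_length_per_second).
    """
    recent = deque(maxlen=recent_size)   # assumption: short memory of recent hosts
    queue = deque()                      # delayed connection attempts
    sent, backlog = [], []
    for attempts in traffic:
        out = 0
        for host in attempts:
            if host in recent:
                out += 1                 # familiar destination: not throttled
            elif host not in queue:
                queue.append(host)       # new destination: delayed
        for _ in range(min(rate, len(queue))):
            recent.append(queue.popleft())
            out += 1
        sent.append(out)
        backlog.append(len(queue))
    return sent, backlog

def first_alert(backlog, threshold=100):
    """Return the first second at which the delay queue exceeds `threshold`, else None."""
    return next((t for t, n in enumerate(backlog) if n > threshold), None)

# Constructed sample traffic: a person revisiting a few sites, and a scanner
# trying 500 distinct (made-up) destinations per second for ten seconds.
HUMAN = [["a"], ["a", "b"], [], ["b"], ["c"], ["a", "c"], [], ["d"], ["d"], ["a"]]
WORM = [[f"host-{s}-{i}" for i in range(500)] for s in range(10)]

if __name__ == "__main__":
    for name, traffic in (("human", HUMAN), ("worm", WORM)):
        sent, backlog = throttle(traffic)
        print(name, "sent", sum(sent), "of", sum(map(len, traffic)),
              "| final backlog", backlog[-1], "| alert at second", first_alert(backlog))
```

The human sample is never delayed, while the scanning sample is held to two connections per second and its growing queue doubles as a detection signal.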

Although tests have already been conducted, the research is still at an early stage.

"We have a number of ideas and new approaches to take it further," he said.

Williamson and the rest of his team have actually tested the early stage system on live viruses. They have used worms such as Nimda in a controlled environment at the Bristol laboratories.

They have found that although the system won't completely stop worms and viruses from spreading, it slows the rate at which they spread down to a controllable level.

The research group say the next step is to create custom worms designed for test operations, such as varying propagation speed. Jonathon Griffin, a member of Williamson's research team, says they are seeking to create a "test virus" that they can deploy in a controlled environment.

"It will be like a cross between a virtual wind tunnel and an electronic test track for us," he said.

Eventually the system may prove to be very effective at detecting and possibly acting on worm infections.


Talkback 3 comments

    Anonymous -- 11/12/02

    Look, this will not work; it will just mean that future worms will act more like humans, making them even harder to detect.

    Anonymous -- 11/12/02

    It will at least have the effect of throttling the outbreak so that instead of a single server or machine infecting 30,000 every hour (or attempting to), if the virus writer has coded the virus to act like a human operator, then the potential for outbreak is reduced to something like 200/300 an hour. That significantly reduces the speed at which a worm can infect hundreds or thousands of machines in a short period of time, which was the case with codered, sadmind, nimda etc...

    MrDamage -- 12/12/02

    How about this for a plan?

    1. Remove Outbreak and Outbreak Express from all systems.
    2. Use a non MS browser.
    3. Kill html email.

    Just steps 1 and 2 will do a lot to curb the spread of virii and worms.
    Step 3 will put a large lid on it.
