By Heather LaRoi
Wisconsin State Journal
JAN 26, 2008
UW-Madison computer scientist Paul Barford doesn't want to be alarmist,
but he thinks you could be in danger of being attacked -- by a botnet.
Botnets (a term combining "robot" and the "Net") are the biggest and
baddest Internet villains out there these days, he said, combining other
threats that have been around for years -- worms, viruses, spyware, and
What takes the botnet threat to an even higher level is its potential
for what Barford calls "command and control."
That means someone sitting in an Internet cafe on the other side of the
world could send commands to groups of compromised systems and send
spam, gather personal information or use botnets for what's called
The threat has the potential to go way beyond identity theft, Barford
said, and could even have terrorist implications, which might partly
explain why Barford's research is supported by the National Science
Foundation, the Army Research Office and the Department of Homeland
"I don't want to sugarcoat this at all," Barford said. "The situation
is bad, and it's going to get way worse before it gets better. And
here's the sad thing: it's likely that all of us at some point are going
to be affected by this."
Barford and his colleagues at UW-Madison have developed a new approach
to detecting such network intrusions by focusing on a slight
vulnerability in such malicious traffic, the pattern or "signature"
that it creates. What sets Barford's technology apart from other
security tools is its ability to be specific and general at the same
time in detecting and identifying these signatures.
In being specific, it doesn't rely on casting a wide net as most other
tools do. That's important because it means benign traffic isn't
misidentified as malicious, thereby generating the false positives that
can rapidly bog down other security systems.
The technology is also general in that it can use a single signature to
detect classes of attacks, something other systems don't offer,
according to Barford.
"If an attack is similar to something we've already seen, we're going
to catch it," Barford said. "That's our mechanism for staying ahead."
Jeffrey Savoy, of UW-Madison's Office of Campus Information Security,
said that where Barford's product is probably most different is in
reducing the false positives.
"Sometimes false positives can lead you to better understanding of your
network," Savoy said. "The problem is if you have hundreds of false
positives and you have to weed through every one, the chance of you
missing a real one is greatly increased. That's the challenge that we
The Internet threat landscape has changed dramatically in the past
several years, according to Barford. Before about 2003, he said, the
major motivation for malicious activity on the Internet was often just
the challenge of doing it. Since then, however, economic profit -- huge
profit -- is now driving what has become a major underground industry.
Countering these botnets is mostly a matter of damage control, Barford
"Make no mistake about it, this is an arms race. You're always behind,
you're always catching up," he said. "The attackers only have to find
one means of attack. The defenders have to defend against all means of
Last June, Barford and colleagues, with the backing of the Badger Alumni
Capital Network, opened a spinoff company at University Research Park
called Nemean Networks. "Nemean" comes from the Herculean myth of the
Nemean lion whose skin can't be penetrated by anything.
Nemean is based on four distinct patents either filed or in process with
the Wisconsin Alumni Research Foundation.
The technology Nemean will market isn't something that individual
consumers use but is rather something that's installed and used by
network service providers. Barford said there have already been
conversations with several Fortune 100 companies about test deployments
in the coming months.
"We believe what we offer is a paradigm shift that is going to have a
significant impact, but we're not solving the problem. We're just
raising the bar. We think we're raising it a lot -- but the problem
never is going to be solved," Barford said.
"But if we can reduce the amount of overall malicious activity in the
Internet, everybody benefits."
The discovery: Paul Barford and his team identified a new methodology
for transforming the "signatures" of Internet actions into a means of
detecting malicious network intrusions.
What it means: Installed by network service providers, the new security
technology helps to eliminate the false positives that can bog down
other Internet security systems. It also can use a single signature to
detect classes of attacks.
Why it's important: Use of malicious botnets poses network risks that
could run the gamut from personal identity theft to illegal control of