By Tom Simonite
NewScientist.com news service
14 February 2008
Microsoft researchers are hoping to use "information epidemics" to
distribute software patches more efficiently.
Milan Vojnovic and colleagues from Microsoft Research in Cambridge, UK,
want to make useful pieces of information such as software updates
behave more like computer worms: spreading between computers instead of
being downloaded from central servers.
The research may also help defend against malicious types of worm, the
Software worms spread by self-replicating. After infecting one computer
they probe others to find new hosts. Most existing worms randomly probe
computers when looking for new hosts to infect, but that is inefficient,
says Vojnovic, because they waste time exploring groups or "subnets" of
computers that contain few uninfected hosts.
Vojnovic's team have designed smarter strategies that can exploit the
way some subnets provide richer pickings than others.
The ideal approach uses prior knowledge of the way uninfected computers
are spread across different subnets. A worm with that information can
focus its attention on the most fruitful subnets, infecting a given
proportion of a network using the smallest possible number of probes.
But although prior knowledge could be available in some cases (a company
distributing a patch after a previous worm attack, for example), usually
such perfect information will not be available. So the researchers have
also developed strategies that mean the worms can learn from experience.
In the best of these, a worm starts by randomly contacting potential new
hosts. After finding one, it uses a more targeted approach, contacting
only other computers in the same subnet. If the worm finds plenty of
uninfected hosts there, it keeps spreading in that subnet, but if not,
it changes tack.
Spreading the load
"After it fails to reach new uninfected hosts a fixed number of times in
a row, say 10, it moves on to find new groups using random sampling,"
explains Vojnovic. This approach performs almost as efficiently as the
strategies using prior knowledge.
Software patches that spread like worms could be faster and easier to
distribute, because no central server needs to provide and coordinate
all the downloads or bear all the load.
"These strategies can minimise the amount of global traffic across the
network," Vojnovic says.
The research has a second potential benefit. "If we understand how
future worms might be capable of spreading, we can design better
countermeasures," says Vojnovic. For example, some of the new strategies
would flatten the usual spike in overall network activity that can give
away software worm attacks, but instead they would be revealed by spikes
in local traffic.
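
The learn-from-experience strategy and the traffic shift described above can be compared in a small in-memory simulation. This is an added example, not code from the article or the Microsoft paper: the population sizes, the 70% target and the single-sampler simplification are assumptions, and no network traffic is generated.

```python
import random

N_SUBNETS, SIZE, N_DENSE = 200, 50, 20   # constructed sizes, not from the paper

def make_population():
    """True = host still needs the patch. Constructed layout: 20 dense
    subnets (40 of 50 hosts) and 180 sparse subnets (1 of 50 hosts)."""
    return [[h < (40 if s < N_DENSE else 1) for h in range(SIZE)]
            for s in range(N_SUBNETS)]

def disseminate(strategy, target=0.7, fail_limit=10, seed=1):
    """Count probes needed to reach `target` of the hosts that need the patch.
    Returns (global_probes, local_probes)."""
    rng = random.Random(seed)
    pending = make_population()
    goal = int(target * sum(map(sum, pending)))
    reached = global_probes = local_probes = 0
    current, fails = None, 0          # subnet being worked, consecutive misses
    while reached < goal:
        if strategy == "adaptive" and current is not None:
            subnet = current          # targeted: stay inside the fruitful subnet
            local_probes += 1
        else:
            subnet = rng.randrange(N_SUBNETS)   # random sampling across subnets
            global_probes += 1
        host = rng.randrange(SIZE)
        if pending[subnet][host]:
            pending[subnet][host] = False       # host reached, no longer pending
            reached += 1
            current, fails = subnet, 0
        else:
            fails += 1
            if fails >= fail_limit:   # "say 10" misses in a row: change tack
                current, fails = None, 0
    return global_probes, local_probes

if __name__ == "__main__":
    for name in ("random", "adaptive"):
        g, l = disseminate(name)
        print(f"{name:8s} global={g:6d} local={l:6d} total={g + l:6d}")
```

In this model the adaptive run needs fewer probes overall and far fewer cross-subnet probes, while its activity shows up as bursts of local probes, which is where monitoring would have to look.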
Chuanyi Ji at Georgia Tech University, US, is also interested in
designing a "perfect worm". As well as revealing weaknesses of networks,
such a worm could rush out defensive software patches faster than an
attacking worm can spread, she says.
Ji has examined records of previous worm attacks, and says there is
evidence that some already use similar, if less refined, tricks to those
developed by the Microsoft team.
For example, the Blaster worm preferentially tries to infect local
computers, like one of Vojnovic's worms. "We may see improvements to
these kinds of strategies appearing in future, so it is good to
investigate the worst they could do," says Ji.
A paper on the Microsoft research will be presented at the 27th
Conference on Computer Communications (INFOCOM) in Arizona, US, in April