RealTime IT News

IBM Readies 'Virtual' Worm-Detection

IBM is planning to launch a new worm-detection solution on Monday that takes the "honeypot" technique of fighting worms to a new level, internetnews.com has learned.

The project, code-named "Billy Goat," assigns a server a large number of unused and unadvertised addresses, according to a document seen by internetnews.com.

Most traditional virus-fighting tools depend on signature-based technology. The problem now, according to Amrit Williams, research director for information security at Gartner, is that threats are becoming more difficult to detect.

"Traditional signature-based anti-viruses don't protect anyone anymore," Williams told internetnews.com.

The purpose of honeypot-type solutions is to lure new forms of malware so they can be identified and then disabled.

"A honeypot doesn't protect anything," said Williams. "It's like having a safe that's easily cracked and putting fake jewels to see how someone might crack the safe."

The system responds to requests sent to those unused IP addresses, presenting what looks like a network full of machines and services to the worm or virus. By feigning a whole network environment and recording every connection attempt, Billy Goat tricks worms into revealing themselves: legitimate hosts have no reason to contact addresses that are never advertised, so traffic arriving there is suspect by construction.

But the project is expected to go beyond a conventional honeypot, the term for an Internet-attached server that acts as a decoy, luring in attackers and monitoring their activity.

Details are sketchy, but the system is expected to deliver its worm-fighting capabilities "on demand": it entices a worm to attack a virtual environment and then isolates the offending worm or virus.

According to the IBM document, the most important property of any intrusion-detection system is the ability to avoid raising false alarms.

According to the document, Billy Goat minimizes false alarms through the use of a novel architecture that combines an extensive view of the network and spoofed service interaction with potential attackers. The system focuses on detecting automated attacks.
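The two ideas described above, a sensor that answers for every unused address with spoofed services, and a detector that only alarms on automated, many-target behaviour, can be sketched in a few dozen lines. The following is an added illustration written for this article, not IBM's Billy Goat code: the monitored range, the advertised hosts, the spoofed ports, the thresholds and the log lines are all constructed assumptions.

```python
"""Darknet-style worm detection, in the spirit of the Billy Goat approach.

Added example for this article; not IBM's code. Everything below is an
assumption made for illustration: 10.0.0.0/24 is the monitored network,
three hosts in it are real ("advertised"), every other address is unused
and answered by the sensor, and the log format is "ts src dst port".
"""
import ipaddress
from collections import defaultdict

MONITORED = ipaddress.ip_network("10.0.0.0/24")          # assumed range
ADVERTISED = {ipaddress.ip_address(a)                     # assumed real hosts
              for a in ("10.0.0.10", "10.0.0.20", "10.0.0.30")}
# Ports the sensor pretends to serve on every unused address, so that a
# worm completes its handshake and sends its payload (assumed list).
SPOOFED_PORTS = {135, 139, 445, 1433}


def is_dark(dst: str) -> bool:
    """True if dst is inside the monitored range but not a real host."""
    ip = ipaddress.ip_address(dst)
    return ip in MONITORED and ip not in ADVERTISED


def handle_connection(dst: str, port: int) -> str:
    """What the sensor does with a SYN to dst:port.

    'forward' - a real host, the sensor stays out of the way
    'spoof'   - unused address, faked service: accept and record the payload
    'drop'    - unused address, no fake service: record the attempt only
    'ignore'  - outside the monitored range
    """
    ip = ipaddress.ip_address(dst)
    if ip not in MONITORED:
        return "ignore"
    if ip in ADVERTISED:
        return "forward"
    return "spoof" if port in SPOOFED_PORTS else "drop"


# Constructed sample log: one fast SMB worm, one slow scanner, one user
# who mistyped an address once. Columns: ts(seconds) src dst dst_port.
SAMPLE_LOG = """
# ts    src           dst        port
0.0     192.0.2.7     10.0.0.1   445
0.5     192.0.2.7     10.0.0.2   445
1.0     192.0.2.7     10.0.0.3   445
1.5     192.0.2.7     10.0.0.4   445
2.0     192.0.2.7     10.0.0.5   445
2.5     192.0.2.7     10.0.0.6   445
3.0     192.0.2.7     10.0.0.7   445
3.5     192.0.2.7     10.0.0.8   445
4.0     192.0.2.7     10.0.0.10  445
5.0     192.0.2.50    10.0.0.10  80
6.0     192.0.2.50    10.0.0.11  80
0.0     198.51.100.3  10.0.0.40  1433
200.0   198.51.100.3  10.0.0.41  1433
400.0   198.51.100.3  10.0.0.42  1433
600.0   198.51.100.3  10.0.0.43  1433
800.0   198.51.100.3  10.0.0.44  1433
"""


def parse(log: str):
    """Turn the text log into (ts, src, dst, port) tuples, skipping comments."""
    events = []
    for line in log.strip().splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ts, src, dst, port = line.split()
        events.append((float(ts), src, dst, int(port)))
    return events


def detect(events, min_dark_targets: int = 5, window: float = 60.0):
    """Flag sources that touched >= min_dark_targets distinct unused
    addresses within any `window` seconds (thresholds are assumptions).

    Contacts to real hosts are not counted at all, and a single stray hit
    on one dark address never alarms: that is the false-alarm control.
    Returns {src: sorted list of every dark address that source touched}.
    """
    per_src = defaultdict(list)                      # src -> [(ts, dst)]
    for ts, src, dst, _port in events:
        if is_dark(dst):
            per_src[src].append((ts, dst))

    alerts = {}
    for src, touches in per_src.items():
        touches.sort()
        start = 0
        for end in range(len(touches)):              # sliding time window
            while touches[end][0] - touches[start][0] > window:
                start += 1
            if len({d for _, d in touches[start:end + 1]}) >= min_dark_targets:
                alerts[src] = sorted({d for _, d in touches},
                                     key=ipaddress.ip_address)
                break
    return alerts


if __name__ == "__main__":
    for src, targets in detect(parse(SAMPLE_LOG)).items():
        print(f"automated scan from {src}: {len(targets)} unused addresses hit")
```

With the default 60-second window only the fast worm at 192.0.2.7 is reported; the host that probes one unused address every 200 seconds stays below the threshold until the window is widened, which is the usual trade-off between catching slow scanners and keeping the alarm rate low.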

The technology was developed by IBM's On Demand Innovation Services (ODIS), a partnership between IBM Research and Business Consulting Services (BCS).