Hardware stops viruses and worms; System halts their spreading before they reach end-user stage

A University computer scientist has developed technology to stop malicious software — malware — such as viruses and worms long before it has a chance to reach computers in the home and office.

John Lockwood, Ph.D., assistant professor of computer science and engineering, and graduate students in his research laboratory have developed a hardware platform called the “Field-programmable Port Extender” (FPX), which scans for malware transmitted over a network and filters unwanted data.

John Lockwood, Ph.D., assistant professor of computer science and engineering, displays the “Field-programmable Port Extender,” which scans for viruses and worms transmitted over a network and filters unwanted data. Lockwood and his graduate students have approached the problem of stopping worms and viruses via hardware instead of software.

“The FPX uses several patented technologies in order to scan for the signatures of malware quickly,” Lockwood said. “Unlike existing network intrusion systems, the FPX uses hardware, not software, to scan data quickly.”

How quickly?

“The FPX can scan each and every byte of every data packet transmitted through a network at a rate of 2.4 billion bits per second,” he said. “In other words, the FPX could scan every word in the entire works of Shakespeare in about one-sixtieth of a second.”

Lockwood recently published his results in the journal Military and Aerospace Programmable Logic Device.

Computer-virus and Internet-worm attacks are aggravating, costly and a threat to our homeland security. Recent attacks by Nimda, Code Red, Slammer, SoBigF and MSBlast have infected computers globally, clogged large computer networks and degraded corporate productivity.

It can take weeks to months for information technology staff to clean up all of the computers throughout a network after an outbreak. The direct cost to recover from just the Code Red Version Two worm was $2.6 billion.

The United States has come to depend on computers to support its critical infrastructure. The nation’s power system, financial networks and military all rely on computers to operate.

As a form of terrorism, a foreign agent could introduce a malignant worm or virus disguised as benign data to attack computers throughout a network. Once deployed, terrorists could use this malware to bring down crucial components of our corporate infrastructure and military.

In much the same way that a human virus spreads among people who come into contact with each other, computer viruses and worms spread when computers come into contact with each other over the Internet.

Viruses spread when a computer user downloads unsafe software, opens a malicious attachment or exchanges infected computer programs over a network.

A worm spreads over the network automatically when malicious software exploits one or more vulnerabilities in an operating system, a Web server, a database application or an e-mail exchange system.

Existing firewalls do little to protect against such attacks. Once a few systems are compromised, other machines become infected and the problem quickly spreads throughout a network.

“As is the case with the spread of a contagious disease like SARS, the number of infected computers will grow exponentially unless contained,” Lockwood said. “The speed of today’s computers and vast reach of the Internet, however, make a computer virus or Internet worm spread much faster than human diseases.

“In the case of SoBigF, over 1 million computers were infected within the first 24 hours, and over 200 million computers were infected within a week.”

Today, most worms and viruses are not detected until after they reach an end-user’s personal computer. It is difficult for companies, universities and government agencies to maintain network-wide security.

“Placing the burden of detection on the end-user isn’t efficient or trustworthy because individuals tend to ignore warnings about installing new protection software and the latest security updates,” Lockwood said. “New vulnerabilities are discovered daily, but not all users take the time to download new patches the moment they are posted. It can take weeks for an IT department to eradicate old versions of vulnerable software running on end-system computers.”

The high speed of the FPX is possible because the logic on it is implemented as Field Programmable Gate Array (FPGA) circuits, Lockwood said. These circuits operate in parallel to scan and filter Internet traffic for worms and viruses.

Lockwood’s group has developed and implemented circuits that process the Internet protocol packets directly in hardware. It has also developed several circuits that rapidly scan streams of data for strings or regular expressions in order to find the signatures of malware carried within the payload of Internet packets.

“On the FPX, the reconfigurable hardware can be dynamically reconfigured over the network to search for new attack patterns,” Lockwood said. “Should a new Internet worm or virus be detected, multiple FPX devices can be immediately programmed to search for their signatures. Each FPX device then filters traffic passing over the network, so that it can immediately quarantine a virus or Internet worm within sub-networks (subnets).

“By just installing a few such devices between subnets, a single device can protect thousands of users. By installing multiple devices at key locations throughout a network, large networks can be protected.”
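The stream scanning and signature reloading described above can be modeled in software. The following is an added example, not the FPX circuit design or any code from Lockwood's group: it substitutes an Aho-Corasick automaton that advances one state per payload byte and carries that state across the packets of a flow, so a signature split over two packets is still caught. The class name, flow identifiers, signature names and byte strings are all constructed for illustration.

```python
from collections import deque

class StreamScanner:
    """Aho-Corasick automaton: one state transition per payload byte."""
    def __init__(self, signatures):
        self.load(signatures)

    def load(self, signatures):
        """(Re)build the automaton; call again to deploy new signatures."""
        self.goto, self.fail, self.out = [{}], [0], [set()]
        for name, pattern in signatures.items():
            s = 0
            for b in pattern:                 # insert pattern into the trie
                if b not in self.goto[s]:
                    self.goto[s][b] = len(self.goto)
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append(set())
                s = self.goto[s][b]
            self.out[s].add(name)
        queue = deque(self.goto[0].values())
        while queue:                          # breadth-first failure links
            s = queue.popleft()
            for b, t in self.goto[s].items():
                f = self.fail[s]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[t] = self.goto[f].get(b, 0)
                self.out[t] |= self.out[self.fail[t]]
                queue.append(t)
        self.flows = {}                       # flow id -> saved state (reset on reload)

    def scan(self, flow, payload):
        """Scan one packet payload; return the verdict and signatures matched."""
        s, hits = self.flows.get(flow, 0), set()
        for b in payload:
            while s and b not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(b, 0)
            hits |= self.out[s]
        self.flows[flow] = s                  # carry state into the next packet
        return ("drop" if hits else "forward"), hits

def demo():
    # Constructed signature and payloads; the pattern straddles two packets.
    scanner = StreamScanner({"demo-worm": b"WORMSIG"})
    first = scanner.scan("flow1", b"GET /index WOR")
    second = scanner.scan("flow1", b"MSIG HTTP/1.0")
    return first, second

print(demo())
```

A scanner that matched each packet in isolation would forward both packets in the demo; keeping per-flow state is what lets the second packet be dropped.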

St. Louis company Global Velocity is building commercial systems that use the FPX technology. Global Velocity is working with local companies, international corporations, universities and the government to make plans to install systems in both local-area and wide-area networks.

The device itself integrates easily into existing Gigabit Ethernet or Asynchronous Transfer Mode (ATM) networks.

The FPX itself fits within a rack-mounted chassis that can be installed in any network closet.

When a virus or worm is detected, the system can either silently drop the malicious traffic or generate a pop-up message on an end-user’s computer. An administrator uses a simple, Web-based interface to control and configure the system.
