'Throttle' highly connected users and reduce instant messaging worms

A few users connected to popular instant messaging networks can spread worms - and restricting communications from "highly connected" users with many contacts can slow them down, say computer researchers.

Traditional anti-virus technology is too slow to be effective against worms spread by highly connected users, some with hundreds of instant messaging correspondents, because the worms move with great speed, according to a study of worms that attack instant messaging systems.

Halting communications from such users may be one strategy for slowing or stopping the spread of the worms, according to Matthew Williamson, who conducted the research while working for Hewlett-Packard.

Williamson, who now works for Sana Security, discussed his work at the Virus Bulletin 2004 International Conference in Chicago last week.

Instant messaging networks are examples of a phenomenon known as "scale-free networks", a term used by epidemiologists to describe systems, including communities of animals or people, in which not all members are connected to each other, but that are highly susceptible to virus infections.

In computer systems the behaviour of such networks is dominated by "highly connected" nodes, which have connections to large parts of the network population, he said.

In instant messaging networks, highly connected nodes translate into users with many correspondents, just like highly social people in the real world.

"Instant messaging networks are just virtual manifestations of underlying physical relationships," Williamson said.

Worms infecting the computers of such users spread to their correspondents, and from those correspondents to other instant messaging users, according to Williamson's study of 700 users at HP.

The result is that traditional methods of virus protection, such as using anti-virus software to "immunise" users, become ineffective because most of them have only a few contacts and don't contribute greatly to the spread of viruses, Williamson said.

A better approach would be to immunise only highly connected users, but that can be difficult because of the speed with which instant messaging worms spread across an entire network - between 10 and 20 seconds in HP's tests, Williamson said.

Alternatively, network administrators can try to spot "worm-like" behaviour on instant messaging networks as it occurs - and restrict the rate at which machines can communicate with other machines.

The technique, which HP calls "virus throttling", is almost identical to a method the company has promoted - and is trying to patent - for stopping e-mail virus and worm outbreaks on corporate networks, Williamson said.

After unveiling plans for a virus throttling service in February, the company acknowledged in August that it is not practical for use in mixed networking environments and that it is looking for a way to use the technology in typical network environments.

Virus throttling works by limiting the number of instant messages infected users can send outside their "working set" - the small number of regular correspondents each has.

The technology is effective because even highly connected users with 100 or more "buddies" still have a small working set of people they talk to each day - typically about five, with two messages sent outside the working set each day, Williamson said.

With virus throttling, any messages sent to users outside of the user's working set will be placed in a queue and delayed slightly before they are delivered.

If the delay queue reaches a certain length, indicating a high volume of message traffic to atypical correspondents, instant messaging communications can be blocked or delayed for much longer periods of time, Williamson said.
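
The queue-and-threshold behaviour described above can be sketched as follows. This is an added example, not HP's implementation: the class and function names are hypothetical, the working set size of five follows the figure quoted in the article, and the queue limit of 10 and the release rate of one delayed message per tick are assumptions.

```python
from collections import deque

class IMThrottle:
    """Per-user throttle on messages to contacts outside the working set."""

    def __init__(self, working_set_size=5, queue_limit=10):
        # Size 5 follows the article; queue_limit is an assumed threshold.
        self.working_set = deque(maxlen=working_set_size)  # recent contacts
        self.delay_queue = deque()  # recipients waiting for delayed delivery
        self.queue_limit = queue_limit
        self.blocked = False

    def _touch(self, recipient):
        # Mark recipient as most recent; the oldest contact is evicted.
        if recipient in self.working_set:
            self.working_set.remove(recipient)
        self.working_set.append(recipient)

    def send(self, recipient):
        """Return 'delivered', 'delayed' or 'blocked' for one outgoing message."""
        if self.blocked:
            return "blocked"
        if recipient in self.working_set:
            self._touch(recipient)
            return "delivered"
        self.delay_queue.append(recipient)
        if len(self.delay_queue) > self.queue_limit:
            self.blocked = True  # worm-like fan-out: stop until reviewed
            return "blocked"
        return "delayed"

    def tick(self):
        """Release one delayed message per time step (assumed rate)."""
        if self.blocked or not self.delay_queue:
            return None
        recipient = self.delay_queue.popleft()
        self._touch(recipient)
        return recipient

def run(throttle, schedule):
    """schedule holds one recipient list per tick; returns messages delivered."""
    delivered = 0
    for recipients in schedule:
        delivered += sum(throttle.send(r) == "delivered" for r in recipients)
        delivered += throttle.tick() is not None
    return delivered

# Constructed traffic: a user cycling through 5 regulars plus 2 new contacts,
# and a worm messaging 100 buddies at 5 per tick.
NORMAL = [[f"regular{t % 5}"] + ([f"new{t}"] if t in (10, 20) else []) for t in range(30)]
WORM = [[f"buddy{i}" for i in range(t, t + 5)] for t in range(0, 100, 5)]
```

With these constructed schedules the ordinary user is never blocked, while the worm-like sender reaches two of its 100 buddies before the queue limit trips.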

Using throttling to take out the few, highly connected users can dramatically slow the spread of worms over instant messaging networks. At the same time, it does not affect the majority of users, he said.

Williamson is quick to say that the technology is untested on large networks such as the massive consumer instant messaging networks of America Online or Microsoft's MSN service. The technology, which was tested on HP corporate instant messaging users, is also untested on one important user population - teenagers.

"It may be that the habits of teenagers are quite different - maybe they can sustain more simultaneous conversations," Williamson said.

Still, the same principles that govern instant messaging use on corporate networks like HP's should apply to teenagers, allowing network administrators to detect worm-based, versus legitimate, instant messaging activity regardless of the profile of users on that network, he said.

Paul Roberts writes for IDG News Service
