IBM has launched intrusion detection capabilities to help SMBs detect, prevent and analyse hacker attacks. The company’s researchers have designed a novel intrusion detection tool, codenamed Billy Goat, which provides early detection of worm attacks and also greatly reduces the false alarm rate.
The tool masquerades as a collection of servers on the network. Legitimate hosts have no reason to communicate with Billy Goat, but anything that attacks servers at random is likely to stumble over it. As soon as Billy Goat is attacked it identifies the attacking systems and fences them off, effectively isolating worms and viruses before they can propagate much further.
"Integrity of financial transactions, confidentiality within a virtual enterprise, privacy of customer data and availability of critical infrastructure all depend on strong security mechanisms," says Peggy Kennelly, vice-president of IBM's On Demand Innovation Services.
IBM argues that, given the strain on systems administrators during an attack, the most important property of any intrusion detection system is freedom from the high rate of false alarms produced by many other sensors. The Billy Goat system aims to minimise false alarms through an architecture that combines a view of the network, spoofed service interaction with potential attackers, and a focus on detecting automated attacks.
"Billy Goat uses a unique approach to detect malicious software by responding to requests sent to unused IP addresses, presenting what from a worm's eye view looks like a network full of machines and services," says James Riordan, the lead designer of the system at IBM's Zurich Research Lab.
"In other words, Billy Goat creates a virtual environment for the worms. Such virtualisation, by providing feigned services as well as recording connection attempts, helps Billy Goat trick worms into revealing their identity. This method allows the system to reliably and quickly identify worm-infected machines in a network."
One of the greatest threats to security, says IBM, has come from automatic, self-propagating attacks such as viruses and worms. These attacks scan networked servers at random until they are able to place a harmful program on a server using a maliciously crafted request. The program uses the newly infected server as a base from which to attack other servers. The direct result is rapid exponential growth in the number of attacks leading to load-induced network failure.
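The detection idea described above, as an added illustration that is not IBM's code: a sensor that answers for unused addresses logs every connection attempt, and a source that reaches many distinct decoy addresses within a short window is behaving like a randomly scanning worm, while a single stray connection (a misconfigured client) is not flagged. The log format, addresses and thresholds are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sensor log: "<ISO timestamp> <src> -> <decoy dst>:<port> <proto>".
# Every destination here is an unused address the sensor answers for.
SAMPLE_LOG = """\
2004-03-01T10:00:01 10.0.5.23 -> 10.0.9.17:445 tcp
2004-03-01T10:00:01 10.0.5.23 -> 10.0.9.201:445 tcp
2004-03-01T10:00:02 10.0.5.23 -> 10.0.9.88:445 tcp
2004-03-01T10:00:02 10.0.5.23 -> 10.0.9.140:445 tcp
2004-03-01T10:00:03 10.0.5.23 -> 10.0.9.3:445 tcp
2004-03-01T10:00:10 10.0.7.4 -> 10.0.9.50:80 tcp
2004-03-01T10:30:00 10.0.7.4 -> 10.0.9.50:80 tcp
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+)$")


def parse_line(line):
    """Parse one log line into (timestamp, src, dst, port, proto)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts, src, dst, port, proto = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(port), proto


def find_scanners(log_text, window=timedelta(seconds=60), min_targets=5):
    """Return {src: distinct decoy addresses} for sources that hit at least
    min_targets distinct decoys within any single time window. Requiring
    several distinct targets is what keeps a one-off misconfigured client
    from raising an alarm."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, _port, _proto = parse_line(line)
            events[src].append((ts, dst))
    flagged = {}
    for src, evs in events.items():
        evs.sort()  # chronological, so a window is a contiguous slice
        best = 0
        for i, (start, _) in enumerate(evs):
            targets = {dst for ts, dst in evs[i:] if ts - start <= window}
            best = max(best, len(targets))
        if best >= min_targets:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))  # {'10.0.5.23': 5}
```

In a deployment the flagged sources would feed whatever isolation step the network already uses; the example stops at identification.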