Immune System for Computers
Throttles Viruses

Researchers Tested Technology Against "SQL Slammer" Bug That This Week Wreaked Havoc on the Internet

February 2003


When we humans get ill, our defenses swing into action to fight off the invading microbes and the infections they cause.

But computer systems have nothing like the human immune response. If a malicious virus or worm -- such as this week's "SQL Slammer" -- infects them, there is nothing to stop it from doing serious damage.

By the time it was brought under control on Monday, the SQL worm had snarled Internet traffic worldwide, caused some cash machines to stop issuing money and knocked most of South Korea offline.

immune system for computers

Researchers at Hewlett-Packard Laboratories in Bristol, UK, have developed a benign response to attacks that radically slows down the spread of malicious viruses -- in effect, an immune system for computers. This week, they tested it against the SQL Slammer worm, and found it reduced the bug's spread to a crawl in just two-tenths of a second.

"We were excited to find that the throttle worked even against a worm like Slammer, which it had not encountered before," said researcher Matt Williamson. "We hope this means the technique will be effective against other unknown threats in the future."

Called virus throttling because it chokes off attacks, the system was invented by Williamson, Jonathan Griffin, Andy Norman and Jamie Twycross.

how worms work

Worms attempt to spread by connecting to many different machines as fast as they possibly can. Slammer, for instance, attempts to connect to up to 850 new machines each second, while Nimda attempts to make 400 new connections a second.

In normal, uninfected use, computers do not behave like this. They tend to connect to only a few different machines at a time, and those are usually machines the computer has contacted before.

The researchers realized that they could slow down the spread of a virus from an infected machine by strictly limiting the number of connections it attempts to make. The result was the virus throttle, which restricts connections to just one new computer a second.

Normal usage is unaffected by this rate limiter, because an ordinary machine rarely contacts more than one new computer a second. When a virus attacks, it attempts many connections to new machines at a high rate, and the rate limiter holds these back. The backlog of connections waiting to be released grows quickly, which makes the infection easy to detect and further propagation easy to stop.
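The mechanism described above, as an added simulation that is not HP's code: connections to recently contacted hosts pass at once, connections to new hosts wait in a delay queue drained at one host per second, and the length of that queue is the alarm signal. The working-set size (5 hosts), release rate (1/s) and alarm threshold (100 queued hosts) are assumed parameters, not figures from the article, and both traffic patterns are constructed for the example: a user's steady mail and proxy traffic with an occasional new web server, and a Slammer-like scanner trying 850 never-seen hosts a second.

```python
"""Toy simulation of a per-host connection throttle in the spirit of the
HP Labs virus throttle.  Added example, not HP's code; working-set size,
release rate and alarm threshold are assumed parameters."""
import ipaddress
from collections import OrderedDict, deque


class VirusThrottle:
    """A connection to a recently contacted host passes at once; a connection
    to a *new* host waits in a delay queue drained at `rate` hosts per second.
    A long delay queue is the alarm: users never touch that many new hosts."""

    def __init__(self, rate=1, working_set_size=5, alarm_backlog=100):
        self.rate = rate
        self.working_set_size = working_set_size
        self.working_set = OrderedDict()  # recent hosts, least recently used first
        self.delay_queue = deque()        # new hosts waiting for a release slot
        self.queued = set()               # same hosts, for O(1) membership
        self.alarm_backlog = alarm_backlog
        self.alarm = False
        self.released = 0                 # new-host connections actually let out

    def _admit(self, dst):
        """Put dst in the working set, evicting the least recently used host."""
        self.working_set[dst] = None
        self.working_set.move_to_end(dst)
        if len(self.working_set) > self.working_set_size:
            self.working_set.popitem(last=False)

    def request(self, dst):
        """Outbound connection attempt to dst.  Returns 'pass' or 'queued'."""
        if dst in self.working_set:
            self.working_set.move_to_end(dst)  # refresh recency
            return "pass"
        if dst not in self.queued:             # one queue entry per new host
            self.delay_queue.append(dst)
            self.queued.add(dst)
        if len(self.delay_queue) > self.alarm_backlog:
            self.alarm = True
        return "queued"

    def tick(self):
        """One second elapses: release up to `rate` queued new hosts."""
        out = []
        for _ in range(self.rate):
            if not self.delay_queue:
                break
            dst = self.delay_queue.popleft()
            self.queued.discard(dst)
            self._admit(dst)
            out.append(dst)
        self.released += len(out)
        return out


def simulate(traffic, seconds, **throttle_args):
    """Feed `traffic(second) -> list of destinations` through a throttle.
    Returns (throttle, time of first alarm in seconds or None, max backlog)."""
    t = VirusThrottle(**throttle_args)
    alarm_at, max_backlog = None, 0
    for s in range(seconds):
        attempts = traffic(s)
        for i, dst in enumerate(attempts, start=1):
            t.request(dst)
            max_backlog = max(max_backlog, len(t.delay_queue))
            if t.alarm and alarm_at is None:
                alarm_at = s + i / len(attempts)  # fraction of the second elapsed
        t.tick()
    return t, alarm_at, max_backlog


def user_traffic(second):
    """Constructed normal use: mail server and proxy every second,
    plus one new web server every 10 seconds."""
    hosts = ["10.0.0.25", "10.0.0.8"]
    if second % 10 == 0:
        hosts.append(f"198.51.100.{second // 10 + 1}")
    return hosts


def worm_traffic(second, per_second=850):
    """Constructed Slammer-like scanning: 850 never-seen hosts every second
    (addresses drawn sequentially from 100.64.0.0/10 for determinism)."""
    base = int(ipaddress.IPv4Address("100.64.0.0")) + second * per_second
    return [str(ipaddress.IPv4Address(base + i)) for i in range(per_second)]


if __name__ == "__main__":
    t, alarm, backlog = simulate(user_traffic, 60)
    print(f"user: alarm={alarm} max backlog={backlog} released={t.released}")
    t, alarm, backlog = simulate(worm_traffic, 10)
    print(f"worm: alarm at {alarm:.2f}s max backlog={backlog} "
          f"released={t.released} of {10 * 850} attempts")
```

Over a minute of user traffic the queue never holds more than three hosts and no alarm fires; the worm trips the alarm about a tenth of a second into its first second of scanning (the 101st new host), and over ten seconds only ten of its 8,500 attempts leave the machine. The dedup of queued hosts matters: a user re-trying a slow server should not inflate the backlog, while a scanner's addresses are all distinct anyway.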

virus spread slowed

"The technology does not prevent an individual machine becoming infected, but it can keep the virus from spreading to many others," says Williamson. "Since a machine that is infected, but throttled, isn't spreading the virus any more, the overall speed of infection is reduced. Also, since there are fewer machines actively spreading the virus, the load on network infrastructure -- routers for instance -- is reduced."

So far there is no indication that the system slows down a computer that is acting normally. The researchers have run the throttle on their own computers for three months with no obvious effect on performance.

This is an altruistic approach to cyber disease control. Just as with the mass vaccination of children against common diseases, the aim is to protect the larger community from illness as much as the individual.

Griffin explained that another important benefit is that throttling does not raise an alarm when there is actually no problem at all, so-called false positives. Continuous false positives can lead system administrators to ignore alarms, even when an attack may in fact be in progress.

test ground for virus throttling

To test the technology, the research team has to use 'live' viruses and worms to see how they spread between computers, first without a throttle and then with one in place. To make sure that a worm -- Nimda is being used at the moment -- cannot escape onto HP's network, the researchers use a secure cyber disease control lab.

Only five people on HP's Bristol site have access to the lab, which is constantly scanned by security cameras, and none of the test computers are connected to external networks.

The group, Twycross explained, "is involved in running tests on the throttle using a specially developed test worm that is able to emulate different types of malicious attack."

The research is promising even though it's at an early stage. "We have a number of ideas and new approaches to take it further," Williamson says.

by Julian Richards

News and Events

» Resilient Infrastructure for Network Security (technical report)
» Throttling Viruses: Restricting Propagation to Defeat Malicious Mobile Code (technical report)