Putting a "Korset" on the Spread of Computer Viruses Tuesday, September 9, 2008
A TAU invention stays one step ahead of anti-virus software
Prof. Avishai Wool
Anti-virus companies play a losing game. Casting their nets wide, they catch common, malicious viruses and worms (known to the industry as “malware”), but it may take days before their software updates can prepare your computer for the next attack. By then it could be too late. And some insidious programs prove immune to anti-virus software, residing inside your computer for months or even years, collecting personal information and business secrets.
But Prof. Avishai Wool and his graduate student Ohad Ben-Cohen of Tel Aviv University’s Faculty of Engineering are taking a different approach. They recently unveiled a unique new program called the “Korset” to stop malware on Linux, the operating system used by the majority of web and email servers worldwide. Prof. Wool’s technology puts a new spin on Internet security, and once it reaches its full potential it could put anti-virus software companies out of business. The research was presented at the Black Hat Internet security conference in Las Vegas this summer.
Stopping the Virus Before It Starts
Prof. Wool and Ben-Cohen have built an open-source software solution for servers that run on Linux. “We modified the kernel in the system’s operating system so that it monitors and tracks the behavior of the programs installed on it,” says Prof. Wool. Essentially, he says, they have built a model that predicts how software running on a server should work.
If the kernel senses abnormal activity, it stops the program from working before malicious actions occur. “When we see a deviation, we know for sure there’s something bad going on,” Prof. Wool explains.
Prof. Wool also cites the problems with costly anti-virus protection. “Our methods are much more efficient and don’t chew up the computer’s resources,” he says. He adds that his motive is to make the Internet a safer place, not to open a new company to compete with current anti-virus software manufacturers.
Generally speaking, says Prof. Wool, anti-virus companies catch viruses “in the wild” and then send them to isolated computer labs for study. The companies then determine the unique patterns or “signatures” the malware creates. It is this signature that is sent as an anti-virus update to anti-virus subscribers. The problem is that updates take too much time to perfect and then distribute, leaving a wide window of opportunity for computer villains to attack.
“There is an ongoing battle between computer security experts and the phenomenal growth of viruses and network worms flooding the Internet,” he continues. “The fundamental problem with viruses remains unsolved and is getting worse every day.”
The Expert’s Tips on Secure Habits
Even if end-users do everything they can to protect their computers by using anti-virus programs and firewalls, there will always be a period when your computer is vulnerable to attack, says Prof. Wool.
How to stay protected? Never click on links purporting to be from PayPal, your bank or credit card company, he warns. “Most legitimate companies like banks never ask their clients to click on links in an email,” he says. “Be suspicious if a company asks you to do this -- access your account through bookmarks you’ve set up, or directly through the company’s homepage.”
Securing New Frontiers
Prof. Wool has built a number of useful technologies applicable to both today’s and tomorrow’s networked world. With his graduate student Danny Nebenzahl, he created a “vaccine” that can protect specific software programs like Microsoft’s Outlook against unseen attacks. The basic research published in 2006 is now making its way into mainstream products.
Prof. Wool is also collaborating with Prof. Jacob Scheuer, investigating the use of fiber optics and lasers to strengthen cryptographic tools used in banking and Internet security.