Intel Corp. is moving on multiple fronts to help keep businesses one step ahead of worms and viruses.
The chipmaker's research arm has stepped up its security focus of late. Earlier this week, Intel researchers released to open source an early version of software called Autograph that helps to quickly identify Internet worms and curb their ability to spread.
Its Intel Capital arm, meanwhile, has invested in Grisoft, a security software maker based in Prague, Czech Republic.
Although on the surface the two moves appear separate—and Autograph as a technology is still in its early stages—they're part of a broader focus on security at Intel, which has been renewed by the chipmaker's recent shift to designing platforms around devices such as servers or desktop PCs.
Unlike when it sold chips individually, the platform design strategy has Intel creating add-ons, which include features such as virtualization and its Active Management Technology, which bolster server usability by allowing companies to divide them up to run different jobs or increase their manageability.
Building greater security into its platforms, by adding worm defeaters for example, is likely to be the next step, as the increased efforts in research and investment could filter their way into Intel products or those of its close partners, including operating system and application vendors, or foster ideas from newcomers.
“This is important to Intel because when we went out and talked to people who use these platforms, the common problem we heard were viruses and worms were a huge challenge in productivity and cost to clean up,” said Dylan Larson, network security initiatives manager at Intel's Communications Technology Lab, a part of the chipmaker's Corporate Technology Group.
“So we said, ‘What kind of things can we do to address these challenges?’ That has driven a lot of the platform thinking, whether it's VT (Intel Virtualization Technology) or active management, and how all those things work together,” Larson said. “We've had security expertise and lots of competency in this space for a long time. Now we're looking at this even more from a platform level on how we can bring these things together to drive new value to customers.”
Intel's security focus will bring direct returns—the Corporate Technology Group is now working to help add more security to Intel's various platforms, Larson said—but it can also work in other ways. It could, in another example, bolster the ecosystem, inside which Intel, computer makers, software makers and businesses all operate.
Intel's Grisoft investment, in which it put up $16 million for a minority equity stake in the firm, has more of an indirect effect of ensuring greater availability of anti-virus software in Eastern Europe, for example.
“We're continuing to look for key technologies and areas that Intel can help accelerate the security ecosystem,” said Chris Lawless, a senior investment manager at Intel Capital.
The chipmaker, which invested about $130 million worldwide over 110 deals in 2004, continues to look at other security companies, both inside and outside the U.S.—about 40 percent of its 2004 investments were international—that align with its interests.
“We're looking at Central Europe and Eastern Europe and looking at companies that can help us accelerate critical infrastructure there,” Lawless said. “Certainly there are much more opportunities for us to sell our chips” in less saturated markets than the U.S.
Worm Detection Gets More
Meanwhile, given its intentions to add security to its platforms, Internet worm prevention has become a major focus for Intel researchers, due to worms' abilities to spread quickly and cause large amounts of damage to businesses.
Some more near-term research projects, which Intel demonstrated at its Fall Intel Developer Forum in August and could show up in its products in the relatively near future, can cut off worm-infected machines from computer networks.
Meanwhile, other projects are exploring ways to prevent large-scale worm infections altogether.
Autograph, worm detection software created at Intel Research Pittsburgh, was released to open source earlier this week, said Brad Karp, a research manager at the lab, which is located on the campus of Carnegie Mellon University.
The worm detector, whose technology could some day be used in corporate networks, employs a combination of heuristics and good old sleuthing to track down worms and locate their signatures—or the unique pattern of data a worm requires for its particular exploit—and then notify other systems so that they can block the worm.
It watches for tell-tale signs such as multiple attempts by a system to connect to random Internet addresses as worms attempt to infect other systems, then it eyes the specific data being transmitted. It keeps a log of both, from which it can build worm signatures.
Because it does the work automatically, it can eliminate lags, which often last days, between when a worm is detected and its signature manually mapped and then disseminated.
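The two stages described above, sketched as an added example that is not Autograph's own code: flag sources whose connection attempts to many distinct addresses fail, then extract the byte runs shared by payloads from those sources. The thresholds, the fixed-length substring counting and all sample data are assumptions made for illustration.

```python
from collections import defaultdict

SCAN_THRESHOLD = 3  # assumed: failed connects to distinct addresses before a source is flagged
NGRAM = 8           # assumed: substring length used when counting shared content
MIN_SOURCES = 2     # assumed: flagged sources that must share content before it is a signature

def suspicious_sources(conn_log):
    """Stage 1: flag sources whose connection attempts to many distinct addresses fail."""
    failed = defaultdict(set)
    for src, dst, succeeded in conn_log:
        if not succeeded:
            failed[src].add(dst)
    return {src for src, dsts in failed.items() if len(dsts) >= SCAN_THRESHOLD}

def build_signatures(flows, suspects):
    """Stage 2: extract byte runs shared by payloads from flagged sources."""
    seen_by = defaultdict(set)
    sus_flows = [(s, p) for s, p in flows if s in suspects]
    for src, payload in sus_flows:
        for i in range(len(payload) - NGRAM + 1):
            seen_by[payload[i:i + NGRAM]].add(src)
    common = {g for g, srcs in seen_by.items() if len(srcs) >= MIN_SOURCES}
    signatures = set()
    for _, payload in sus_flows:
        last, start = len(payload) - NGRAM, None
        for i in range(last + 2):  # one step past the end flushes an open run
            hit = i <= last and payload[i:i + NGRAM] in common
            if hit and start is None:
                start = i
            elif not hit and start is not None:
                signatures.add(payload[start:i - 1 + NGRAM])
                start = None
    return signatures

# Constructed sample data (documentation address ranges, placeholder payload bytes).
INVARIANT = b"<constructed-exploit-bytes>"
CONN_LOG = (
    [("192.0.2.10", f"198.51.100.{n}", False) for n in range(1, 5)]
    + [("192.0.2.11", f"203.0.113.{n}", False) for n in range(1, 4)]
    + [("192.0.2.20", "198.51.100.80", True), ("192.0.2.20", "198.51.100.81", False)]
)
FLOWS = [
    ("192.0.2.10", b"AAAA" + INVARIANT + b"XXXX"),
    ("192.0.2.11", b"BBBB" + INVARIANT + b"YYYY"),
    ("192.0.2.20", b"GET /index.html HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    suspects = suspicious_sources(CONN_LOG)
    print(sorted(suspects), build_signatures(FLOWS, suspects))
```

Traffic from the unflagged host never enters the signature stage, and content seen from only one flagged source is not published, which is why the first few copies of a worm pass before a signature exists.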
“It's well known that there are worms that can affect the entire Internet within minutes,” Karp said. “Compare that with how long it takes to generate a signature ‘now.’ If your goal is to stop worms before they spread, which is the real way to win this, the human approach is too cumbersome.”
Although the first few copies of a worm will get by Autograph, the vast majority of the Internet can be protected by the proactive sharing of signatures, Karp said. Autograph machines, which filter data at a network gateway, can communicate with each other, but are capable of sharing signatures with others.
When measured by its ability to prevent broad worm infections, Karp said his tests showed Autograph would have published a signature for the Code-Red worm before two percent of the total number of machines vulnerable to the worm had become infected.
Thus, assuming there were enough Autograph monitors in place, it could have prevented 98 percent of infections, he said, saving huge amounts of money.
“Right now, if just one percent of edge networks on the Internet ran Autograph, the speed claims I've made would be true” about Code Red, Karp said.
Code Red, which exploited a vulnerability in Microsoft's IIS Web server, spread quickly in 2001 and is estimated to have done about $2.6 billion worth of damage, most of which was the cost of cleaning affected computers.
While Autograph is now available, Karp and his team are also working on Polygraph, a similar program which can sniff out so-called polymorphic worms, which change each time they replicate in an effort to cover up their signatures and thwart the defense used in Autograph.
Even polymorphic worms still have certain parts, related to their particular exploit, that can't change, he said. Thus the parts that don't change can be mapped and those maps shared.
Despite sounding promising, Autograph and Polygraph are a ways from prime time, Karp said.
“I don't claim it's a product. It's a first important step toward building this kind of system,” he said. “We've shown that it can be done. We believe that the research community and, increasingly, corporations will take up Autograph and begin to build more product-like systems” that draw on it.
Ultimately, the technology could be used in concert with the circuit breaker-like tools that detect worms and shut down PCs or servers.
“Intel is committed to making computer components and computing more secure,” Karp said. “It's self-evident how important that is.”