Microsoft Research is showing off prototypes for two security projects aimed at containing zero-day Internet worms and thwarting malicious code execution attacks.
At the companys annual TechFest event in Redmond, Wash., Microsoft Corp. engineers presented the first glimpse of a new technology code-named Vigilante that proposes a brand-new approach to automate worm containment.
The Vigilante project is specifically geared toward containing fast-spreading worms that exploit unknown software vulnerabilities.
Vigilante uses a “honey pot” architecture to trap malicious attacks and, once a network worm is detected, self-certifying alerts are generated with details on how to thwart the threat. The alerts, researchers say, eliminate the need for hosts to trust each other and enable hosts to run diverse detection engines and to spread detection load.
A network host can also generate filters or patches that block worm infection. “Our preliminary experimental results show that Vigilante can contain very fast spreading worms such as Slammer,” researchers wrote in a paper.
The Slammer worm, one of the fiercest cyber-attacks in recent memory, infected more than 90 percent of vulnerable hosts in just 10 minutes and Microsofts researchers believe the network-centric approach ultimately failed during that attack.
“The network centric approach has fundamental limitations because it is limited to heuristics that attempt to distinguish normal traffic from worm traffic. Since there is no information about the software vulnerabilities exploited by worms at the network level, these heuristics are prone to both false positives and false negatives,” the researchers wrote.
By contrast, Vigilante introduces collaborative worm detection at end hosts in the Internet but does not require hosts to trust each other. The hosts analyze attempts to infect applications and gather detailed information about the vulnerabilities exploited by worms to eliminate false positives.
Another project, dubbed Control-Flow Integrity, promises a new approach to dealing with arbitrary code execution attacks.