News Release

Protecting a world online

Business Announcement

University of California - Davis

The Internet and computer networks are now an essential part of most people's lives, yet they remain exposed to attack. Researchers at the University of California, Davis, Computer Security Laboratory are working to protect these vulnerable networks and the functions they provide, from government services and corporate records to e-mail and e-commerce.

Sooner or later, someone will unleash a disabling attack on the Internet, said Karl Levitt, professor of computer science at UC Davis and one of the lab's principal investigators.

"It's a matter of when, not if," Levitt said.

Anticipating that threat, Richard Clarke, President Bush's special adviser on cyberspace security, will launch a national plan Sept. 18 to protect the Internet from malicious attacks. The plan is expected to include recommended steps that home and business users can take to prevent their computers from being attacked, or from being taken over and used by hackers.

Researchers at the UC Davis laboratory, which is recognized as a Center of Excellence by the National Security Agency, study areas including stopping Internet worms and computer viruses; detecting intruders in networks; and keeping information on the Internet safe and reliable.

Levitt's group recently began a new project, funded by the Defense Advanced Research Projects Agency, to find ways to detect and catch "worms," malicious programs that spread themselves across the Internet. In recent years, worms such as ILOVEYOU, Nimda and Code Red have spread around the world in hours, causing damage estimated at billions of dollars in lost productivity.

A worm is a program that uses networked computers to make copies of itself and spread to other machines. In contrast, a computer virus is a small program that hides itself inside another, legitimate program and is spread when those files are copied. Most so-called computer viruses are actually worms.

Worms mostly crash networks by creating more traffic than systems can cope with, like flooding the freeways with thousands of extra cars during rush hour. Computer scientists call this a "denial of service" attack. Attempts have already been made to launch denial of service attacks against computers run by U.S. companies and government agencies. In August 2002, the FBI issued a warning about such an attack, which eventually caused little damage.

However, computer scientists believe that much more dangerous attacks are on the horizon, such as a "flash worm" or "Warhol worm," which could infect a million computers within fifteen minutes.

Potentially, worms can also deliver a "payload" that damages a computer that receives it.

Levitt's research group is looking for ways to automatically detect worms, find out how they work and send warnings and protective software across the Internet.

Worms that spread fast are easy to detect, but hard to stop, Levitt said. In contrast, worms that are designed to spread slowly might be very hard to detect, but should be easy to stop once identified, he said.

To detect worms, you need to look for unusual behavior on the Internet. Typically a worm on one computer probes other reachable computers for a vulnerability, copies itself to those it can exploit, and each new copy then probes further computers in turn. That creates a tree-like pattern, spreading outward from the point of infection. But some other programs, for example file-sharing programs such as Napster, can create a similar pattern as they search users' computers for files. Any surveillance system needs to distinguish between traffic patterns caused by malicious programs and those caused by harmless ones.
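The passage above describes the detection problem but not a method. The following is an added example, not code from the original release or from the UC Davis laboratory, showing one way to recover the tree-like spread pattern from a connection log and to separate it from file-sharing fan-out. The connection log is constructed for this example, and the discriminating heuristic is an assumption of the example: a worm probing addresses for a vulnerability mostly hits hosts that do not answer on the targeted port, whereas a file-sharing client contacts peers it already knows exist, so a high failure ratio marks a scanner. A host that was successfully reached by a scanner and then starts scanning the same port is treated as that scanner's child in the infection tree.

```python
from collections import defaultdict

# Constructed connection log, not from the original page:
# (seconds, source, destination, destination port, connection succeeded).
SAMPLE_LOG = [
    # 10.0.0.1 probes port 80; most targets do not answer.
    (0, "10.0.0.1", "10.0.0.2", 80, True),
    (1, "10.0.0.1", "10.0.0.3", 80, False),
    (1, "10.0.0.1", "10.0.0.4", 80, False),
    (2, "10.0.0.1", "10.0.0.5", 80, True),
    (2, "10.0.0.1", "10.0.0.6", 80, False),
    (3, "10.0.0.1", "10.0.0.7", 80, False),
    (3, "10.0.0.1", "10.0.0.8", 80, False),
    (4, "10.0.0.1", "10.0.0.9", 80, False),
    # 10.0.0.2 was reached at t=0 and begins probing itself at t=6.
    (6, "10.0.0.2", "10.0.0.10", 80, False),
    (6, "10.0.0.2", "10.0.0.11", 80, True),
    (7, "10.0.0.2", "10.0.0.12", 80, False),
    (7, "10.0.0.2", "10.0.0.13", 80, False),
    (8, "10.0.0.2", "10.0.0.14", 80, False),
    (8, "10.0.0.2", "10.0.0.15", 80, False),
    # 10.0.0.11 in turn probes from t=12.
    (12, "10.0.0.11", "10.0.0.20", 80, False),
    (12, "10.0.0.11", "10.0.0.21", 80, False),
    (13, "10.0.0.11", "10.0.0.22", 80, False),
    (13, "10.0.0.11", "10.0.0.23", 80, False),
    (14, "10.0.0.11", "10.0.0.24", 80, False),
    # A file-sharing client on 10.0.1.1 fans out to known peers on port 6699
    # (assumed peer port); the peers exist, so the connections succeed.
    (0, "10.0.1.1", "10.0.1.2", 6699, True),
    (1, "10.0.1.1", "10.0.1.3", 6699, True),
    (1, "10.0.1.1", "10.0.1.4", 6699, True),
    (2, "10.0.1.1", "10.0.1.5", 6699, True),
    (2, "10.0.1.1", "10.0.1.6", 6699, True),
    (5, "10.0.1.2", "10.0.1.7", 6699, True),
    (5, "10.0.1.2", "10.0.1.8", 6699, True),
]


def fan_out_profiles(log):
    """Per (source, port): distinct targets, failed and total attempts, first attempt time."""
    prof = {}
    for t, src, dst, port, ok in log:
        p = prof.setdefault((src, port), {"targets": set(), "failed": 0, "total": 0, "first": t})
        p["targets"].add(dst)
        p["total"] += 1
        p["failed"] += 0 if ok else 1
        p["first"] = min(p["first"], t)
    return prof


def flag_scanners(log, min_targets=5, min_fail_ratio=0.5):
    """(source, port) pairs that probe many hosts and mostly fail to connect.

    Thresholds are assumptions for this example; tune them to the network."""
    flagged = set()
    for key, p in fan_out_profiles(log).items():
        if len(p["targets"]) >= min_targets and p["failed"] / p["total"] >= min_fail_ratio:
            flagged.add(key)
    return flagged


def infection_edges(log, scanners):
    """parent -> children: parent, a scanner on some port, reached child on that port
    before child itself started scanning the same port.  Because the parent's
    attempt precedes the child's first attempt, the edges can never form a cycle."""
    prof = fan_out_profiles(log)
    edges = defaultdict(set)
    for t, src, dst, port, ok in log:
        if ok and (src, port) in scanners and (dst, port) in scanners:
            if t < prof[(dst, port)]["first"]:
                edges[src].add(dst)
    return edges


def chain_length(edges, root):
    """Number of hosts on the longest parent -> child chain starting at root."""
    best = 1
    for child in edges.get(root, ()):
        best = max(best, 1 + chain_length(edges, child))
    return best


if __name__ == "__main__":
    scanners = flag_scanners(SAMPLE_LOG)
    edges = infection_edges(SAMPLE_LOG, scanners)
    for src, port in sorted(scanners):
        print(f"scanner {src}:{port}, infection chain from here: {chain_length(edges, src)} hosts")
```

Run against the constructed log, the three worm hosts on port 80 are flagged and linked into a chain three hosts deep, while the file-sharing client, which fans out to just as many peers but with no failures, is not flagged. On a real network the failure-ratio heuristic needs care: a legitimate client behind a misconfigured firewall also fails often, so the chain structure (a flagged host that was reached by another flagged host shortly before it began probing) is the stronger signal, and a single fan-out alone should only raise a low-priority alert.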

Once you've spotted a worm, you need to study it. That means grabbing a snapshot of it in the few fractions of a second it takes to run on the infected computer. The worm may mutate -- change its characteristics -- as it spreads, in which case you would need to put together snapshots from different parts of the Web to find common characteristics, Levitt said.
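The passage above says that snapshots captured at different places must be compared to find what the worm's copies have in common. The following is an added example, not code from the original release or from Levitt's group, of that comparison: it extracts the longest byte string shared by every captured sample, and the shorter byte fragments that all samples share, and then checks the candidate against known-good traffic before it is used as a signature. The samples and the benign requests are constructed for this example, and treating a shared byte string as a signature is a general technique assumed here, not a description of the laboratory's own method.

```python
# Constructed captured samples, not real worm traffic: each copy differs in its
# leading junk, its filler bytes and its length, but all carry the same request.
SAMPLES = [
    b"JUNK-A1 " + b"\x90" * 4 + b"GET /probe.cgi?x=" + b"A" * 12 + b"\r\n",
    b"zz" + b"\x90" * 6 + b"GET /probe.cgi?x=" + b"B" * 12 + b"\r\n" + b"tail",
    b"\x90" * 4 + b"GET /probe.cgi?x=" + b"A" * 3 + b"C" * 9 + b"\r\n",
]

# Constructed known-good traffic used to reject signatures that would false-alarm.
BENIGN = [
    b"GET /index.html HTTP/1.0\r\n",
    b"GET /probe.cgi?x=1 HTTP/1.0\r\n",
]


def longest_common_substring(samples):
    """Longest byte string present in every sample, or b'' if there is none.

    Enumerates substrings of the shortest sample from longest to shortest and
    returns the first one found in all the others; fine for a handful of
    captures, quadratic in the shortest sample's length."""
    if not samples:
        return b""
    shortest = min(samples, key=len)
    others = [s for s in samples if s is not shortest]
    for length in range(len(shortest), 0, -1):
        for start in range(0, len(shortest) - length + 1):
            cand = shortest[start:start + length]
            if all(cand in s for s in others):
                return cand
    return b""


def shared_ngrams(samples, n):
    """Byte n-grams that occur in every sample.

    When a worm mutates between hops, no long string may survive intact, but
    short fragments (an exploit trigger, a command) often do; the set of
    fragments common to all copies is then a better characteristic than one
    long match."""
    grams = None
    for s in samples:
        g = {s[i:i + n] for i in range(len(s) - n + 1)}
        grams = g if grams is None else grams & g
    return grams or set()


def usable_signature(signature, benign, min_len=8):
    """A signature is usable only if it is long enough to be specific and does
    not appear in any known-good sample."""
    return len(signature) >= min_len and not any(signature in b for b in benign)


if __name__ == "__main__":
    sig = longest_common_substring(SAMPLES)
    print("longest shared string:", sig)
    print("usable against benign traffic:", usable_signature(sig, BENIGN))
    print("shared 4-byte fragments:", sorted(shared_ngrams(SAMPLES, 4)))
```

On the constructed samples the longest shared string is the padding bytes followed by the request line, which does not occur in the benign requests and so passes the check; the bare request path on its own would fail it, because the same path appears in legitimate traffic. That check is the caveat the page's point about trust implies: a signature pushed out across the Internet that matches normal traffic would itself do damage.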

Having found a worm and worked out how to stop it, you need to get that information out across the Internet. A centralized surveillance and warning system, on the lines of the Centers for Disease Control in the real world, probably wouldn't work because it would be a prime target for hackers, Levitt said. Furthermore, the source would have to be trusted by users around the world not to issue false alerts or damaging software.

Matt Bishop, associate professor of computer science, studies how networks can be protected from intruders and how unauthorized intrusions can be detected. Turning themselves into bad guys, his group uses a small network of computers, isolated from the rest of the Internet, to launch hacking attacks and probe systems for security weaknesses.

Bishop's group has written software for a vulnerability detector, which can be used to check other programs for security loopholes. Both commercially available software programs and custom-written software can contain unsuspected weaknesses that hackers can exploit. Sometimes, the patches issued by software manufacturers to repair security holes cannot be used without extensive testing in case they cause problems with custom-written software, Bishop said.

Bishop's group is also working on methods and tools to test programs for security problems and is maintaining a vulnerabilities database. The work is funded by NASA and the Jet Propulsion Laboratory.

Setting uniform standards for computer security may not be useful, because different users have different needs for openness versus privacy and protection, Bishop said. For example, a university network sets a much higher value on open access than that of a private corporation. It's more appropriate to set a policy on security and allow flexibility in how that is achieved, he said.

###

More information: http://seclab.cs.ucdavis.edu

Media contacts:
-- Karl Levitt, Computer Science, (530) 752-0832, levitt@cs.ucdavis.edu
-- Matt Bishop, Computer Science, (530) 752-8060, bishop@cs.ucdavis.edu
-- Andy Fell, News Service, (530) 752-4533, ahfell@ucdavis.edu


Disclaimer: AAAS and EurekAlert! are not responsible for the accuracy of news releases posted to EurekAlert! by contributing institutions or for the use of any information through the EurekAlert system.