Conventional antivirus software can detect known viruses, but is ineffective against new malware, or so-called zero-day attacks.
The new technique involves logging suspicious activity in individual computers on a network, and matching it against other connected systems.
"The question is whether I should shut down the network and risk losing business for a couple of hours for what could be a false alarm, or keep it running and risk getting infected," said Senthil Cheetancheri, a UC Davis graduate student who led efforts to develop the strategy.
"One suspicious activity in a network with 100 computers can't tell you much. But when you see half a dozen activities and counting, you know that something's happening."
The second part of the system is an algorithm that rates the cost of shutting down a computer against the cost of letting malware run loose on the network. The software can either allow the IT manager to make a decision, or be configured to take action automatically.
The system can also evaluate the importance of individual machines. For example, the cost of taking down a network server is much higher than for a seldom used computer, so the algorithm would shut down the latter, less valuable, system first.
The team has developed an experimental detection engine and is now trying to make sure that it runs without hogging server time and bandwidth and interfering with other applications.
Software developed to stop zero-day attacks
By Iain Thomson on Jan 16, 2009 6:47AM