IEEE Spectrum December, 2007 - 34


Illustrations: Harry Campbell; Graph: Bryan Christie Design

Storm methodically infiltrates computers with dormant code that could be used to take down the entire network of a corporation, creating opportunities for blackmail or for profiting by selling the company's stock short. And Storm's creators, whoever they are, continue to modify and refine their malevolent progeny even as it already stands as a dark cloud poised over the Internet.

Network security software products on the market today offer only limited defense. They use firewalls, which simply block access to unauthorized users, and software patches, which can be created only after a worm or virus's unique bit pattern is discerned. By the time this laborious process of hand coding is complete, the infestation has had hours and hours to spread, mutate, or be modified by its creators.

A new kind of answer is needed. Network security researchers, including ones at our company, Narus, in Mountain View, Calif., are developing software that can rapidly detect a wide variety of intrusions from worms, viruses, and other attacks without the high rate of false alarms that plagues many conventional Internet security products. These new programs can detect anomalous network behavior in seconds, as opposed to hours or days, even on so-called backbone networks running at 10 billion bits per second. That means the software is fast enough to block threats that can span the globe in minutes, a rate that far outpaces what a firewall can monitor.

This new generation of algorithms is based on concepts related to the thermodynamic concept of entropy. Often defined briefly as a measure of the disorder of a system, entropy as a cornerstone of thermodynamic theory goes back more than a century and a half. But as a construct of information theory it is only 60 years old, and its application to data communications began only in the last decade or so.

In essence, an entropy-based defense works because a worm's malicious activity changes, in subtle but unavoidable ways, the character of the flow of data on a network. Those data flow changes alter, in clearly measurable ways, the entropy of the network, a measure of the endlessly shifting ebb and flow between the predictability and randomness of the movement of data on the network.

Researchers at Intel, Microsoft, Boston University, and the University of Massachusetts are among those plumbing the mysteries of randomness and order in data flows to get a leg up on network attackers. Although ours is the only company we know of whose commercial products apply entropy to network security, we are confident that the approach will find much wider favor in the next few years.

We'll have lots more to say about entropy and how algorithms that measure changes to the order and disorder of a network can detect a worm outbreak long before traditional methods can. But to get a grip on those algorithms, first consider how viruses and worms attack.

Virus or Worm?

Security experts distinguish between them, but their differences are less important than their similarities. Either can render computers on a network unstable, and in many cases unusable. A virus is a program that can copy itself and infect a computer without the knowledge of the user. It can, and often does, damage a computer's files or the hardware itself. A worm is, similarly, a self-replicating computer program that uses a network to send copies of itself from one computer, which we will call a "host" of the infection, to other computers on the network. Worms usually harm the network, if only by consuming bandwidth.

An e-mail worm, the most common kind, spreads slowly, because users have to click on an attachment to become infected or to propagate the worm. Storm is one example; it uses a variety of means to get installed on a host, but the most common one is the e-mail attachment. Not all worms spread by e-mail; in 2004, an infamous worm called Sasser instead exploited a Microsoft Windows network vulnerability, instructing infected systems to download a viral code and then execute it. Such an infestation can spread very quickly indeed. Although there has not been a catastrophic worm since Sasser, network security systems still have to be on guard against this sort of attack, because we never know when the next one will swoop down on us.

Faced with attacks that could occur too quickly for their firewalls to cope with, companies and governments are now depending on Internet and other service providers from which they buy their communications bandwidth to "clean the traffic" before it ever reaches their front doors. The world's largest carriers, such as AT&T, BT, Korea Telecom, NTT, and Verizon, strive mightily to do that. They are the backbone of the Internet; they carry most of the world's traffic every day. Yet their unique position, that of owning the largest, most complex networks in the world, also makes screening this traffic no easy feat, for two reasons.

First, these global networks have hundreds of entrances and exits. BT Global Services, for example, operates in 170 different countries around the world, connecting to hundreds or thousands of large corporations and service providers in each one. Yet firewalls and other security technologies are designed to protect a single "link" or connection to the Internet, the point at which an organization's wide area network exchanges its data with the carrier. Second, firewall devices are designed to operate at the speeds of corporate networks, not backbone networks of the sort operated by AT&T, NTT, and so on. Corporate networks generally operate at speeds below 1 gigabit per second. Commercial firewall products designed for them simply cannot protect networks containing thousands of links that operate at core speeds 10 to hundreds of times that fast.

Using principles of entropy to protect a network begins with knowing a great deal about how traffic moves around that network, from hour to hour and minute to minute. Network security systems, including ours, operate inside the data center of a large Internet service provider or carrier. They run on standard off-the-shelf servers from, say, Dell or IBM, and collect data about traffic from a variety of key locations, called nodes, on the network. To collect these data, the carrier has to properly
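The entropy-based defense described above can be made concrete with a small worked example. This is an added illustration, not code from the article and not Narus's product: it applies the Shannon entropy formula from information theory to the distribution of source and destination addresses seen in a time window of flow records, compares each window against a baseline, and raises an alert when a feature's entropy shifts by more than a threshold. The flow records, the address values and the 1-bit threshold are all constructed for the example; a scanning host that contacts many addresses it has never talked to spreads the destination distribution out (entropy rises) while concentrating the source distribution on itself (entropy falls).

```python
"""Shannon entropy of traffic-feature distributions as a worm indicator.

Added example (not the article's or Narus's code): per-window histograms of
source and destination addresses are reduced to one entropy value each, and
a window is flagged when a feature's entropy moves far from a baseline.
"""
import math
from collections import Counter

# Constructed flow records (window_id, src_addr, dst_addr). Window 0 is
# ordinary traffic; window 1 repeats it and adds one host, 10.0.0.9, that
# contacts eight addresses nobody else talks to, the footprint of a
# scanning worm. Addresses come from documentation/private ranges.
BASELINE = [
    (0, "10.0.0.1", "192.0.2.10"), (0, "10.0.0.2", "192.0.2.10"),
    (0, "10.0.0.3", "192.0.2.10"), (0, "10.0.0.4", "192.0.2.10"),
    (0, "10.0.0.5", "192.0.2.20"), (0, "10.0.0.6", "192.0.2.20"),
    (0, "10.0.0.7", "192.0.2.30"), (0, "10.0.0.8", "192.0.2.40"),
]
WORM_WINDOW = [(1, s, d) for _, s, d in BASELINE] + [
    (1, "10.0.0.9", f"198.51.100.{i}") for i in range(1, 9)
]
FLOWS = BASELINE + WORM_WINDOW


def shannon_entropy(counts):
    """Shannon entropy in bits, H = -sum p_i log2 p_i, of an empirical
    distribution given as a sequence of counts."""
    total = sum(counts)
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts if c)


def feature_entropies(flows, window):
    """Entropy of the source- and destination-address distributions
    observed in one window of flow records."""
    src = Counter(s for w, s, _ in flows if w == window)
    dst = Counter(d for w, _, d in flows if w == window)
    return {"src": shannon_entropy(src.values()),
            "dst": shannon_entropy(dst.values())}


def detect(flows, baseline_window, window, threshold_bits=1.0):
    """Compare a window's feature entropies against a baseline window.

    Returns (alert, deltas) where deltas maps feature -> H_window - H_base.
    The fixed 1-bit threshold is a simplification for this example; a
    deployed system would derive it from how much the baseline itself
    varies from hour to hour and minute to minute.
    """
    base = feature_entropies(flows, baseline_window)
    cur = feature_entropies(flows, window)
    deltas = {k: cur[k] - base[k] for k in base}
    alert = any(abs(v) > threshold_bits for v in deltas.values())
    return alert, deltas


if __name__ == "__main__":
    for w in (0, 1):
        print(f"window {w}: {feature_entropies(FLOWS, w)}")
    print("window 1 vs baseline:", detect(FLOWS, 0, 1))
```

Run stand-alone, the script shows destination entropy climbing from 1.75 bits in the baseline to 3.375 bits in the scanning window while source entropy drops from 3.0 to 2.5 bits; only the destination shift exceeds the 1-bit threshold, so the window is flagged on that feature. Real systems track several such features (ports as well as addresses) over sliding windows and learn the threshold from the observed baseline, which is what keeps the false-alarm rate low.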

