Scientists find way of protecting computers against virus

Code Red, a virulent computer virus, wreaked havoc, infecting more than 350,000 machines in 14 hours in 2001, besides causing a worldwide loss of $2.6 billion.

Now techies at Ohio State University have discovered a way to contain worms like Code Red, which blocked network traffic to subway stations and 911 call centres in the US, and also sought to target the White House website.

"We wanted to find a way to catch infections in their earliest stages, before they get that far,' said Ness Shroff, who led the team that worked on the project.

'These worms spread very quickly. They flood the net with junk traffic, and at their most benign, they overload computer networks and shut them down,' said Shroff.

The key, Shroff and his colleagues found, is software to monitor the number of scans that machines on a network send out. When a machine starts sending out too many scans - a sign that it has been infected - administrators should take it off line and check it for viruses.

This would help network administrators to isolate infected units and sequester them for repairs.

In the simulations pitted against the Code Red worm, they were able to prevent the spread of the infection to less than 150 hosts on the whole Internet, 95 percent of the time.

The strategy sounds straightforward enough. A scan is just a search for Internet addresses like we do on Google.

The difference is that a virus sends out many scans to many different destinations in a very short period of time, as it searches for machines to infect. 'The difficulty was figuring out how many scans were too many,' Shroff said.

Shroff was working at Purdue University in 2006 when doctoral student Sarah Sellke suggested making a mathematical model of the early stages of worm growth.

With Saurabh Bagchi at Purdue they developed a model that calculated the probability of the virus spread, depending on the maximum number of scans allowed before a machine was taken off line.

In simulations, they pitted their model against the Code Red worm, as well as the SQL Slammer worm of 2003, limiting the number to 10,000 because it is well above the number of scans that a typical computer network would send out in a month.

'An infected machine would reach this value very quickly, while a regular machine would not,' Shroff explained. 'A worm has to hit so many IP addresses so quickly in order to survive.'

These findings have been described in current issue of IEEE Transactions on Dependable and Secure Computing.