IN THE MATRIX, the famous "bullet time" effect
showed how Keanu Reeves's character Neo was able to sway out of the path
of incoming bullets, as time appeared to slow. Now the film has
inspired engineers to develop a way to cope with cyber attacks on
crucial infrastructure, such as electricity grids, water utilities and
banking networks.
The idea, from security engineers at
the University of Tulsa in Oklahoma, is to slow down internet traffic,
including malicious data, to give networks time to deal with attacks. To
do this, when a cyber attack has been sensed, an algorithm sends
hyper-speed signals accelerating ahead of the malicious data packets to
mobilise defences.
"Slowing the malicious traffic by just
a few milliseconds will let the hyper-speed commands activate
sophisticated network-defence mechanisms," says Sujeet Shenoi at Tulsa (International Journal of Critical Infrastructure Protection, DOI: 10.1016/j.ijcip.2012.02.001).
Such measures are needed because
cybercriminals increasingly seem to target crucial industrial
infrastructure. In 2010, for example, the Stuxnet worm infected Iran's
nuclear programme. It was shown to be not so much a typical computer
virus as a multifunctional weapon that can be reprogrammed to target any
crucial industry. As industrial systems generally go for many years
without software upgrades or password changes, they can often be
vulnerable to such attacks.
Hyper-solution
Hyper-speed signalling could help, says Shenoi,
although it would not be cheap to convert an existing network into one
that can run the Tulsa team's algorithm.
The reason? First, a data pathway has
to be reserved for the use of hyper-speed command-and-control signals
during an attack – and that could be seen as an expensive waste of
capacity. And, when an attack is sensed by a scanning firewall-like
sensor and the tainted data traffic is slowed down, more buffers and
storage will be needed to cache the slowed data packets now swilling
around on the network, otherwise crucial data could be lost.
Finally, new defence mechanisms need
to be programmed into the network's routers, including the ability to
inspect, tag and track suspicious packets, quarantine the risky ones and
protect targeted devices on the network (like power grid relays, pump
controllers or even hole-in-the-wall cash machines).
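The race the Tulsa team describes comes down to timing: the command on the reserved lane, plus the router's activation time, must beat the earliest suspicious packet to the protected device, and the imposed slowdown is what buys that margin. The following is an added toy model, not the Tulsa team's algorithm or code; every latency, the packet schedule and the set of packets the sensor flags are constructed for the example.

```python
"""Toy timing model of hyper-speed signalling (added example, not the Tulsa
team's algorithm). A sensor raises an alarm, an activation command travels on
a reserved control lane, and data sent after the alarm is delayed by a few
milliseconds. We check which flagged packets meet an active defence and which
slip through before the router is ready. All figures are constructed."""
from dataclasses import dataclass, field


@dataclass
class Outcome:
    defence_ready_ms: float                 # when quarantine is actually on
    quarantined: list = field(default_factory=list)  # flagged, met defence
    leaked: list = field(default_factory=list)       # flagged, arrived early
    passed: list = field(default_factory=list)       # not flagged by sensor


def defence_ready_ms(sensor_detect_ms, control_lane_ms, activation_ms):
    """Alarm time + one-way latency of the reserved lane + router set-up time."""
    return sensor_detect_ms + control_lane_ms + activation_ms


def simulate(send_times_ms, suspicious, sensor_detect_ms, control_lane_ms,
             activation_ms, data_lane_ms, slowdown_ms):
    """Deliver each packet over the data lane; packets sent at or after the
    alarm carry the extra slowdown. Flagged packets are quarantined only if
    they arrive once the defence is ready."""
    ready = defence_ready_ms(sensor_detect_ms, control_lane_ms, activation_ms)
    out = Outcome(ready)
    for i, sent in enumerate(send_times_ms):
        delay = slowdown_ms if sent >= sensor_detect_ms else 0.0
        arrival = sent + data_lane_ms + delay
        if i not in suspicious:
            out.passed.append(i)
        elif arrival >= ready:
            out.quarantined.append(i)
        else:
            out.leaked.append(i)
    return out


def minimum_slowdown_ms(send_times_ms, suspicious, sensor_detect_ms,
                        control_lane_ms, activation_ms, data_lane_ms):
    """Smallest delay that lets the command win the race against every
    flagged packet sent after the alarm (earlier ones cannot be slowed)."""
    ready = defence_ready_ms(sensor_detect_ms, control_lane_ms, activation_ms)
    candidates = [send_times_ms[i] for i in suspicious
                  if send_times_ms[i] >= sensor_detect_ms]
    if not candidates:
        return 0.0
    earliest_arrival = min(candidates) + data_lane_ms
    return max(0.0, ready - earliest_arrival)


# Constructed scenario: one packet per millisecond, packets 3..9 flagged,
# alarm raised when packet 3 is seen, 0.5 ms control lane, 2 ms activation.
SCENARIO = dict(
    send_times_ms=[float(i) for i in range(10)],
    suspicious=set(range(3, 10)),
    sensor_detect_ms=3.0,
    control_lane_ms=0.5,
    activation_ms=2.0,
    data_lane_ms=2.0,
)


def demo():
    """Compare no slowdown with a 3 ms slowdown on the constructed scenario."""
    unslowed = simulate(slowdown_ms=0.0, **SCENARIO)
    slowed = simulate(slowdown_ms=3.0, **SCENARIO)
    return unslowed, slowed, minimum_slowdown_ms(**SCENARIO)


if __name__ == "__main__":
    unslowed, slowed, needed = demo()
    print("no slowdown  -> leaked:", unslowed.leaked)
    print("3 ms slowdown -> leaked:", slowed.leaked)
    print("minimum slowdown needed: %.1f ms" % needed)
```

In the constructed scenario the first flagged packet reaches the device 0.5 ms before the router has finished activating, so without a slowdown it leaks; a delay of half a millisecond closes the gap, which is the "just a few milliseconds" effect the article quotes, and why the model also reports the extra buffering implied by holding every later packet for that long.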
But hyper-speed signalling is only as
good as its threat sensors. The system might sense malware program code
disguised as text files, say, but only if it has prior knowledge of the
virus or worm signatures. That opens the door to variants it has never
seen before – potentially allowing a Stuxnet-style attack to be
initiated.
One way around this, says Shenoi, is
to keep the network in hyper-speed mode at all times during, say, a
period of international tension when cyber attacks could be launched in an initial bout of sabre-rattling at
any moment. But slowing network speeds is not a great idea for telecoms
networks that sell their services on the back of their speed
capabilities, he says.
Another sensing option has been
developed, however – with funding from the US Department of Energy and
Department of Homeland Security – by computer scientists at Dartmouth
College in New Hampshire and the University of Calgary in Alberta,
Canada. Led by Dartmouth's Jason Reeves, they have developed a way for
infrastructure to effectively monitor itself (International Journal of Critical Infrastructure Protection, DOI: 10.1016/j.ijcip.2012.02.002).
The system is designed to raise a flag when out-of-the-ordinary
processor behaviour occurs – such as running a motor too fast, just as
Stuxnet did in 2010.
The team's software monitors the
kernel – a chunk of code that mediates between the software on one side
and the processor and memory on the other. "We detect changes in the
sequence of code the program runs, ones often introduced by malicious
programs," Reeves says. "We can also verify the operating system code to
see if it has been modified by malware."
Their system, currently set up for
power-grid-embedded computers running the Linux operating system, could
feasibly trigger the Tulsa team's hyper-speed algorithm. "Our system
detects the presence of untrustworthy behaviour and leaves the response
up to the administrator," Reeves says.
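The two checks Reeves describes, spotting changes in the sequence of code a program runs and verifying that operating system code has not been modified, can be sketched with a hash-based integrity check plus a learned set of allowed control-flow transitions. The code below is an added illustration, not the Dartmouth/Calgary team's monitor; the "kernel regions", the motor-controller call traces and the tampered copy are all constructed, and a real monitor would measure live memory rather than byte strings.

```python
"""Added illustration of two kernel-monitoring checks (not the Dartmouth
team's code): (1) verify that measured code regions still match a trusted
baseline, (2) flag control-flow transitions never seen in a trusted run.
Regions, traces and the tampered copy below are constructed for the example."""
import hashlib


def baseline_hashes(regions):
    """SHA-256 of each named code region; taken once from a trusted image."""
    return {name: hashlib.sha256(data).hexdigest()
            for name, data in regions.items()}


def verify_code(regions, baseline):
    """Names of regions that changed, vanished, or appeared since baseline."""
    measured = baseline_hashes(regions)
    changed = sorted(n for n in baseline if measured.get(n) != baseline[n])
    added = sorted(n for n in measured if n not in baseline)
    return changed + added


def learn_transitions(traces):
    """Allowed (caller -> callee) pairs observed during trusted runs."""
    allowed = set()
    for trace in traces:
        allowed.update(zip(trace, trace[1:]))
    return allowed


def check_trace(trace, allowed):
    """(position, from, to) for every transition outside the learned set."""
    return [(i, a, b) for i, (a, b) in enumerate(zip(trace, trace[1:]))
            if (a, b) not in allowed]


# --- constructed data -------------------------------------------------------
# Stand-ins for kernel text/data regions on an embedded controller.
KERNEL_IMAGE = {
    "sys_call_table": b"\x00\x10\x00\x00\x40\x10\x00\x00\x80\x10\x00\x00",
    "text.sched":     b"\x55\x48\x89\xe5\x48\x83\xec\x10\x5d\xc3",
    "text.motor_drv": b"\x55\x48\x89\xe5\x8b\x07\x5d\xc3",
}
BASELINE = baseline_hashes(KERNEL_IMAGE)

# Copy with one syscall-table entry overwritten, simulating a modified kernel.
TAMPERED = dict(KERNEL_IMAGE)
TAMPERED["sys_call_table"] = (TAMPERED["sys_call_table"][:4]
                              + b"\xde\xad\xbe\xef"
                              + TAMPERED["sys_call_table"][8:])

# Trusted control loop: speed is only set after the limit check runs.
TRUSTED_TRACES = [
    ["read_sensor", "check_limits", "set_motor_speed", "log"],
    ["read_sensor", "check_limits", "log"],
]
ALLOWED = learn_transitions(TRUSTED_TRACES)

GOOD_TRACE = ["read_sensor", "check_limits", "set_motor_speed", "log"]
# The limit check has been skipped, so the motor could be driven too fast.
BAD_TRACE = ["read_sensor", "set_motor_speed", "log"]


def demo():
    """Run both checks; the response is left to the administrator."""
    return {
        "clean_image": verify_code(KERNEL_IMAGE, BASELINE),
        "tampered_image": verify_code(TAMPERED, BASELINE),
        "good_trace": check_trace(GOOD_TRACE, ALLOWED),
        "bad_trace": check_trace(BAD_TRACE, ALLOWED),
    }


if __name__ == "__main__":
    for name, finding in demo().items():
        print(f"{name}: {'OK' if not finding else finding}")
```

Both checks report findings rather than acting on them, matching the article's point that the monitor leaves the response to the administrator; a deployment would feed the findings to whatever response mechanism, such as the Tulsa team's hyper-speed trigger, the operator chooses.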
Source: New Scientist