Cyberattacks

Slowing time as a way to counter cyberattacks

Published 3 May 2012

Researchers offer a new way to deal with cyberattacks on critical infrastructure like power and water utilities and banking networks: slow down Internet traffic, including the malicious code, when an attack is suspected; this would allow networks time to deal with the attacks.

One of the striking special effects in the film The Matrix occurs during the scene in which Keanu Reeves’ character, Neo, sways and bends to dodge bullets as time appears to slow to a crawl. Now, that scene has inspired researchers to develop a way to deal with cyberattacks on critical infrastructure, like power and water utilities and banking networks.

The idea, developed by University of Tulsa engineers, is to slow down Internet traffic, including the malicious code, when an attack is suspected. This would allow networks time to deal with the attacks.

This is accomplished by having an algorithm send hyper-speed signals ahead of the malicious data packets in order to mobilize defenses. “Slowing the malicious traffic by just a few milliseconds will let the hyper-speed commands activate sophisticated network-defence mechanisms,” according to Sujeet Shenoi of the Center for Information Security at U Tulsa.

The core defensive capabilities offered by hyper-speed signaling include distributed filtering, teleporting packets, quarantining network devices, tagging and tracking suspicious packets, projecting holographic network topologies, and transfiguring networks.

Hyper-speed signaling would help thwart cyberattacks, but it is likely to be expensive to implement. The reason for the expense, and anticipated resistance to the countermeasure, is that hyper-speed signaling would require a reserved, exclusive data path for the command and control signals, something that could be seen as an expensive waste of capacity.

Added to this is the need for more buffers and storage. When an attack is sensed, and tainted traffic is slowed down, that data needs to be held somewhere or crucial data may be lost.

Lastly, the core defensive measures offered by hyper-speed signaling would require additional programming to install the countermeasures into the routers, and to protect targeted devices on the network, such as pump controllers, power grid relays, and cash machines.

Hyper-speed signaling is only as good as the threat sensors on which it depends. The sensors might detect malware disguised as legitimate traffic if the virus signature is known, much the way typical anti-virus programs work now. They will fail, however, to identify variants or new malicious code they have never seen before.

This presents a problem in itself. For the hyper-speed signaling paradigm to be effective, it may mean slowing Internet traffic permanently. This is not likely to be a well-received option.

Another detection option, funded by the U.S. Department of Energy and DHS, has been developed by researchers at Dartmouth College in New Hampshire in conjunction with the University of Calgary, in Alberta, Canada. Led by Jason Reeves of Dartmouth, the team has developed a way for infrastructure to monitor itself.

Dubbed Autoscopy, the monitor is an experimental host-based intrusion detection mechanism that operates from within the kernel and leverages its built-in tracing framework to identify control-flow anomalies, which are most often caused by rootkits that hijack kernel hooks.

Autoscopy monitors the kernel, which is the core code of a computer operating system. “We detect changes in the sequence of code the program runs, ones often introduced by malicious programs,” Reeves says. Autoscopy can also run verification on the operating system code to determine whether it has been altered by malware.

Autoscopy could also trigger the hyper-speed signaling countermeasures.

— Read more in Daniel Guernsey et al., “Implementing novel reactive defense functionality in MPLS networks using hyperspeed signaling,” International Journal of Critical Infrastructure Protection 5, no. 1 (1 March 2012): 40–52 (DOI: 10.1016/j.ijcip.2012.02.001); and Jason Reeves et al., “Intrusion detection for resource-constrained embedded control systems in the power grid,” International Journal of Critical Infrastructure Protection (in proofs; available online 10 February 2012) (DOI: 10.1016/j.ijcip.2012.02.002)