THE VIRUS GUY
Researcher gains notoriety for approach to computer security
By Alana Mikkelsen
Catching spam and computer viruses has always been a cat-and-mouse game. Tricksters come up with a new method of assault, then software manufacturers scramble to create patches for the newly discovered holes in our defences. In a matter of hours or days, new software updates are released that protect us from the latest threat. But meanwhile, hundreds, thousands, or even millions of computer users experience anything from nuisance slow-downs in their computers’ operating speed to a full-fledged wipeout of their most important data.
John Aycock hopes to change that scenario by conducting research that anticipates, rather than follows, the tricksters’ next moves.
In a research program begun in 2003, Aycock and his students test computer programs that mimic or anticipate potential computer threats in the hope of better understanding their inner workings and mounting a defence.
It’s an approach that attracted backlash when Aycock’s first course on computer viruses was introduced. Detractors, mostly from the antivirus software industry, were horrified that Aycock would dare to actually teach students how to create computer viruses.
“Like anything in computer science, in order to know how to undo it, you have to know how to do it,” says computer science department head Ken Barker, who tapped Aycock to jump-start a U of C concentration in computer security.
The goal of the research is to eventually automate responses to known and potential computer threats. Such an approach would remove the “human element” from today’s virus versus antivirus war, a factor that creates large windows of opportunity for damage. Antivirus companies, for example, generally take at least four hours to develop defences against newly detected attacks. Inexperienced computer users may fail to install newly updated antivirus software as soon as it is released. And at some companies, due diligence policies mandate that IT professionals wait 48 hours before implementing any new defence.

“Some of these threats spread in a matter of five minutes,” Barker says. “We’d like to know how we can create systems that detect suspicious activity and respond immediately.”
Aycock has expanded the program to create a spam and spyware course, and his approach to hands-on learning is still the same.
“The analogy I use is this: I can tell you how to play a violin and you can watch someone play the violin. But it’s not until you actually pick up that violin and try to play it that you start to really understand it,” he says.
His latest research finding anticipates a threat that, by Aycock’s own admission, experts haven’t yet observed in the wild. But Aycock isn’t worried about crying wolf. Nor are he and Barker worried that a graduate of the program might one day use their knowledge for harm rather than for good.
“That’s true of any discipline,” Barker says. “Most of this information is available over the Internet. And the truth is, most 10th grade students could figure out this stuff if they wanted to. What our program does is formalize the treatment of this material so that students gain a thorough understanding of it. We’re training them to fight the viruses.”
The first graduates of the program are just beginning to enter the workplace, and early indications are that potential employers are impressed with the training. “Our graduates are moving into industry and research and even into defence,” Aycock says.
Tight restrictions for entry into the class require that students be fourth-year or graduate computer science students, so that their foundations in the discipline are solid. A subcommittee reviews the academic record of each applicant, and entry to and exit from the computer lab are tightly controlled. Students must also meet certain ethical requirements.

New class of weapons needed for war on spam
Next generation of junk email could be camouflaged as email from your friends
Today’s spam filters are highly effective, but they may be no match for spammers seeking new ways to fool people into visiting commercial websites or downloading rogue software carrying viruses, worms, spyware, or other dangerous applications, says John Aycock, an assistant professor of computer science at the University of Calgary.
Aycock and his student Nathan Friess conducted new research that shows it is possible to create a new type of spam, or bulk email, that would likely bypass even the best spam filters and trick experienced computer users who would normally delete suspicious email messages.

“Two things typically distinguish today’s spam,” says Aycock, who monitors potential computer hazards in an effort to block harmful effects. “It comes from an unknown source and contains content that is easily recognizable as spam because of obvious advertising, outrageous wording or gibberish.”
The next generation of spam, however, could be sent from your friends’ and colleagues’ email addresses, and could even mimic the patterns that mark their messages as their own (such as common abbreviations, misspellings, capitalization and personal signatures), making you more likely to click on a web link or open an attachment that could harm your computer, spy into your hard drive, or steal your personal information.
Aycock and Friess are to present these findings, along with some new solutions, on April 30 at the 15th annual conference of the European Institute for Computer Anti-Virus Research (EICAR), being held in Hamburg, Germany. The aim of the research is to raise awareness of the potential threat so that anti-spam software can be written that anticipates spammers’ next moves and protects business and personal computers.
“We want to look at potential threats and see what we can do about them right now, as opposed to getting to the point where we’re forced to react,” says Aycock.
In the past, spammers have tried to increase their effectiveness by sending huge volumes of email, in the hope that a few messages would inevitably sneak past automated spam filters. Spammers’ ultimate success, however, depends upon their ability to trick people into clicking on links or downloading attachments.
Most spam is now sent from so-called zombie computers: vast networks of remote computers that have been infected by rogue software, called “malware,” which can be used to send bulk email automatically or to spy into the infected computer. Based on the new research, Aycock thinks that spammers could soon use zombie computers in a totally new way, creating more believable, and therefore more dangerous, spam.
Instead of housing only spam-generating software, infected zombie computers could also house programs that spy into a person’s email, mine it for information, and send realistic-looking reply messages to trusted colleagues and friends. The rogue software could also reconstruct the person’s social relationships and use their own email settings to create fake messages that meet a recipient’s expectations.
Such a specific, targeted approach has previously been viewed as too complex to be worth spammers’ efforts. But Aycock and Friess tested one part of this hypothetical new approach, showing that it is not only possible but relatively easy to automatically generate this new type of spam.
They used two pools of email: one which they generated manually, and another drawn from the publicly available Enron email databases released after the company’s collapse. A computer program mined the data in both pools, finding statistically significant patterns of abbreviation, capitalization and signatures. A second program used these patterns to automatically transform a standard, one-line spam message into convincing, individualized replies.
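A minimal version of that two-program pipeline, written in Python as an added example for this page. It is not Aycock and Friess’s code: the two sample mailboxes, the inbound message, the spam line, the list of abbreviation pairs the miner scores and the count/ratio thresholds that stand in for a significance test are all constructed assumptions of the example.

```python
import re
from collections import Counter

# Constructed corpora: mail previously sent by two fictional mailbox owners,
# standing in for a victim's Sent folder on a compromised machine. Not real data.
SENT_MAIL_DAVE = [
    "hey, can u send me the q3 numbers before the mtg tmrw?\nthx\n-- dave",
    "ok sounds good. i'll ping u when i'm back.\nthx\n-- dave",
    "did u see the deck? pls review b4 friday.\n-- dave",
    "thx for the update, i'll forward it to legal.\n-- dave",
    "can u resend? the attachment didn't come through.\nthx\n-- dave",
]
SENT_MAIL_ANITA = [
    "Hello Mark,\n\nThank you for the draft. I will review it before Thursday.\n\nRegards,\nAnita Shah",
    "Hi Mark,\n\nPlease find the revised figures attached.\n\nRegards,\nAnita Shah",
    "Hello all,\n\nThe meeting is moved to 3 pm tomorrow. Please confirm.\n\nRegards,\nAnita Shah",
]

# Constructed inbound mail the zombie would "reply" to, and the one-line spam
# payload to be rewritten. example.invalid is a reserved, non-resolving name.
INBOUND_MESSAGE = "Hi,\nCould you send me the Q3 numbers when you get a chance?\nThanks, Priya"
SPAM_LINE = "Thanks for your note! I put the figures you asked for here: http://example.invalid/q3"

# Long-form/short-form pairs the miner scores. This list is an assumption of
# the example, not the authors' pattern set.
ABBREVIATION_PAIRS = [
    ("you", "u"), ("thanks", "thx"), ("before", "b4"), ("please", "pls"),
    ("tomorrow", "tmrw"), ("meeting", "mtg"),
]

SENTENCE_START = re.compile(r"(^|[.?!]\s+|\n)([A-Za-z])")


def mine_profile(messages, min_count=2, min_ratio=0.6):
    """First program: derive a style profile from one sender's mail.

    "Statistically significant" is approximated by a minimum count plus a
    dominance ratio; the paper's actual test is not reproduced here.
    """
    tokens = Counter()
    lower_starts = upper_starts = lower_i = upper_i = 0
    last_lines = Counter()
    for msg in messages:
        tokens.update(re.findall(r"[a-z0-9']+", msg.lower()))
        for m in SENTENCE_START.finditer(msg):  # how sentences are capitalized
            if m.group(2).islower():
                lower_starts += 1
            else:
                upper_starts += 1
        lower_i += len(re.findall(r"\bi\b", msg))  # standalone pronoun "i" vs "I"
        upper_i += len(re.findall(r"\bI\b", msg))
        lines = [ln for ln in msg.splitlines() if ln.strip()]
        if lines:
            last_lines[lines[-1]] += 1  # candidate signature line

    abbreviations = {}
    for long_form, short_form in ABBREVIATION_PAIRS:
        n_short, n_long = tokens[short_form], tokens[long_form]
        if n_short >= min_count and n_short / (n_short + n_long) >= min_ratio:
            abbreviations[long_form] = short_form

    signature, sig_count = (last_lines.most_common(1) or [(None, 0)])[0]
    return {
        "abbreviations": abbreviations,
        "lowercase_sentences": lower_starts > upper_starts,
        "lowercase_i": lower_i > upper_i,
        "signature": signature if sig_count * 2 >= len(messages) else None,
    }


def individualize(spam_line, profile, original_message):
    """Second program: rewrite the spam line in the sender's mined style and
    wrap it as a reply to mail the victim really received."""
    text = spam_line
    for long_form, short_form in profile["abbreviations"].items():
        text = re.sub(rf"\b{re.escape(long_form)}\b", short_form, text,
                      flags=re.IGNORECASE)
    if profile["lowercase_i"]:
        text = re.sub(r"\bI\b", "i", text)
    if profile["lowercase_sentences"]:
        text = SENTENCE_START.sub(lambda m: m.group(1) + m.group(2).lower(), text)
    parts = [text, ""]
    if profile["signature"]:
        parts += [profile["signature"], ""]
    parts += ["> " + line for line in original_message.splitlines()]
    return "\n".join(parts)


if __name__ == "__main__":
    for mailbox in (SENT_MAIL_DAVE, SENT_MAIL_ANITA):
        profile = mine_profile(mailbox)
        print(profile)
        print(individualize(SPAM_LINE, profile, INBOUND_MESSAGE))
        print("-" * 40)
```

Run against the two mailboxes, the same one-line payload comes out as "thx for your note! i put the figures u asked for here: ..." signed "-- dave" for the first sender and as an unabbreviated, capitalized reply signed "Anita Shah" for the second, each quoting a message the victim actually received. Nothing in either output carries the cues the article lists for today’s spam (unknown sender, advertising vocabulary, gibberish), which is why a content filter keyed on those cues has little to work with.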
The new approach hasn’t been used by spammers yet, but Aycock says it’s only a matter of time before they begin to exploit resources already at their fingertips.

“All the pieces are in place right now,” he says. “And what we’re talking about is very simple data mining. At some point, the other shoe has to drop.”
If the weapons are within reach, so are some solutions. “They’re all within technical reach right now,” says Aycock.