Friday, March 21, 2008

Defending Laptops from Zombie Attacks

Researchers at Intel have developed laptop-based security software that adjusts to the way an individual uses the Internet, providing a more dynamic and personalized approach to detecting malicious activity. The software is aimed at corporations that pass out laptops and mobile devices to employees, since IT departments usually install the same one-size-fits-all security software on all their hardware. The homogenous security approach is quick and easy, says Nina Taft, a researcher at Intel Research Berkeley, but because standard software doesn't take into account different people's patterns of computer use, it can produce false positives and entirely miss some attacks.

"One reason security breaches are so rampant is that most of our machines look the same," says Taft. They have the same operating systems, same applications, same protocols, and same Internet traffic thresholds in the security settings, she says. "When a hacker breaks into one machine, he can break into all of them . . . We're trying to inject diversity into computers."

The type of security software deployed by most IT departments has a component that looks at Internet traffic coming in and out of a computer. When traffic exceeds a preset threshold, the software suggests that the computer is infected. It might, for instance, have been recruited as part of a "botnet," in which it is remotely controlled by a malicious computer that instructs it to communicate with other infected machines. (Much spam is sent from botnets.) Some people, however, habitually send out large amounts of information, which can trigger the security alarm, while others who stay well below the threshold can unknowingly harbor malicious activity.

As part of a project called Proteus, Intel researchers have developed several algorithms that can make more nuanced judgments. One algorithm uses standard statistical and machine-learning techniques to monitor a person's Internet use and create individualized traffic thresholds. A second algorithm gauges how people's Internet use changes throughout the day. Taft has found that people's habits are significantly different when they use company laptops to log in to networks other than the company's. "Ninety percent of people have quite a different behavior when they're at work than when they're at home," she says. Tying different traffic thresholds to different location profiles could improve security software's ability to detect compromised machines.
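The difference between a single preset threshold and per-user, per-location thresholds can be shown with a short added example; it is not Proteus code. The mean-plus-three-standard-deviations rule, the user names and all traffic counts are assumptions constructed for illustration.

```python
import statistics
from collections import defaultdict

GLOBAL_THRESHOLD = 500  # constructed one-size-fits-all limit, connections per hour

# Constructed history: (user, location, outbound connections in one hour)
HISTORY = (
    [("alice", "work", c) for c in (520, 580, 610, 550, 590, 605, 560, 575)]
    + [("alice", "home", c) for c in (40, 55, 35, 60, 45, 50)]
    + [("bob", "work", c) for c in (18, 22, 25, 20, 15, 21, 19, 24)]
)

def build_profiles(history, k=3.0, min_samples=5):
    """Learn one threshold per (user, location) as mean + k * stdev.
    This rule is an assumption; the article only says 'standard
    statistical and machine-learning techniques'."""
    samples = defaultdict(list)
    for user, location, count in history:
        samples[(user, location)].append(count)
    profiles = {}
    for key, values in samples.items():
        if len(values) < min_samples:
            continue  # too little data to trust a personal threshold
        profiles[key] = statistics.mean(values) + k * statistics.pstdev(values)
    return profiles

def classify(profiles, user, location, count):
    """Return (global_alert, personal_alert) for one hour of traffic.
    With no learned profile, the personal check falls back to the
    global threshold instead of staying silent."""
    threshold = profiles.get((user, location), GLOBAL_THRESHOLD)
    return count > GLOBAL_THRESHOLD, count > threshold

if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    observations = [
        ("alice", "work", 600),  # heavy user on a normal day
        ("alice", "home", 300),  # same user, far above her home profile
        ("bob", "work", 200),    # light user, ten times his usual volume
    ]
    for user, location, count in observations:
        print(user, location, count, classify(profiles, user, location, count))
```

The heavy user trips only the global alarm (a false positive), while the two anomalous hours stay under the global limit and are caught only by the personal profiles.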

"I think the basic takeaway is, if you can be really precise in capturing user behavior, you can make the work of the attackers much harder," Taft says. In order to successfully infect a machine that maintained a number of different usage profiles, a malicious hacker would need to know when each applied and what its traffic threshold was. "You limit the range of possibilities they have for succeeding," Taft says.
A third set of Proteus algorithms uses the same behavioral principles to examine communication between laptops and other machines on the Internet. Botnets are coordinated by a central host with which each infected machine communicates. One way to detect botnets is to eavesdrop on these communications. "We developed algorithms that check for this calling-home activity with some regularity," Taft says. Infected machines usually call home at 6-, 12-, or 24-hour intervals. Taft's team has shown that by listening for periodic calls to the same location, the software can determine whether a machine has been recruited by any of three different botnets, including Storm, a pervasive network that controls hundreds of thousands, and possibly millions, of machines worldwide.
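Checking for periodic calls to the same location can be sketched as follows. This is an added example, not the Proteus algorithm: the regularity test (median gap and median absolute deviation), the tolerances, the destination names and the log entries are all assumptions constructed for illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

CALL_HOME_HOURS = (6, 12, 24)  # intervals named in the article

def find_periodic_destinations(events, min_contacts=5, max_jitter=0.1):
    """events: iterable of (datetime, destination).
    Returns {destination: period_hours} for destinations contacted at a
    near-constant interval close to one of CALL_HOME_HOURS."""
    by_dest = defaultdict(list)
    for ts, dest in events:
        by_dest[dest].append(ts)
    flagged = {}
    for dest, stamps in by_dest.items():
        if len(stamps) < min_contacts:
            continue  # not enough contacts to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() / 3600
                for a, b in zip(stamps, stamps[1:])]
        median = statistics.median(gaps)
        if median <= 0:
            continue
        # Median absolute deviation, relative to the median gap. It stays
        # small when one check-in is missed, unlike the standard deviation.
        spread = statistics.median([abs(g - median) for g in gaps]) / median
        if spread > max_jitter:
            continue  # gaps vary too much: human-driven traffic
        for period in CALL_HOME_HOURS:
            if abs(median - period) <= max_jitter * period:
                flagged[dest] = period
    return flagged

def sample_events():
    """Constructed log: a 6-hour beacon with a few minutes of jitter and
    one missed check-in, plus irregular mail traffic."""
    start = datetime(2008, 3, 1)
    beacon_hours = [0, 6, 12, 18, 30, 36, 42, 48, 54]  # hour 24 missed
    jitter_min = [0, 3, -2, 4, 1, -3, 2, 0, -1]
    events = [(start + timedelta(hours=h, minutes=j), "203.0.113.7")
              for h, j in zip(beacon_hours, jitter_min)]
    human_hours = [1, 1.5, 9, 9.2, 14, 26, 33.5, 34, 50]
    events += [(start + timedelta(hours=h), "mail.example.com")
               for h in human_hours]
    return events

if __name__ == "__main__":
    print(find_periodic_destinations(sample_events()))
```

The mail traffic in the sample has a median gap of about six hours as well, so the spread check is what separates it from the beacon. Legitimate software that polls on a fixed schedule would also match and needs to be excluded separately.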

Taft says that the idea of using behavioral data to make security software more accurate is not new, but that for the most part its application has been limited to routers that monitor network activity. Proteus is the first such system designed for laptops.

Taft isn't yet sure how the final version of Proteus will affect the performance of the device it runs on. Initially, when the software is just monitoring behavior, it will run constantly in the background, she says. After that, it has a much lower level of activity. One possibility might be to hardwire Proteus into a computer's circuitry. "Intel is interested in getting as much [security] into hardware as possible," Taft says. "It's a good use of [processing] cores, and when things are in hardware, they're harder to tamper with."

Nick Feamster, a professor of computer science at the Georgia Institute of Technology, says that the behavioral approach to security hasn't been applied to laptops in the past because there wasn't an automated way of developing personalized rules. But behavioral botnet protection is "very well suited for machine learning," he says.

So far, the researchers have tested the system with 350 people and are in the middle of discussions with Intel's IT department to do a wider deployment. In the end, however, Proteus won't be enough to keep all computers safe all the time, according to Taft. "There are so many different ways to break in," she says. "One will need many security checks on a computer."

Friday, December 28, 2007

IBM Atlas

The social graph--an image of a person's connections to friends, family, and colleagues--has been in the news since Facebook founder Mark Zuckerberg suggested earlier this year that this information could be invaluable to businesses looking to spread their products to a large audience. (See "Building onto Facebook's Platform.") Now IBM is exploring how different visualizations of the social graph could be useful within businesses, as a way of helping people work more efficiently and make better connections. Last week the company, which launched its social-software platform, Lotus Connections, earlier this year, released a tool called Atlas that uses the data in Connections to help users analyze their relationships with business contacts.

"As people start using social software and expanding their professional networks, there's actually a lot of value in the relationships that you can determine from statistical analysis of that data," says Chris Lamb, senior product manager for Connections.

Atlas and other Connections tools are based on IBM research into social computing that began in 2002, says product manager Suzanne Minassian. Aimed at helping workers organize around common goals, the research focused on adapting popular social tools such as bookmarking and blogging for business purposes, and integrating them with each other. The larger Connections suite allows workers to create profiles, blog, form communities around common interests, share bookmarks, and plan and track projects as a group. Each component of Connections is integrated with the others, so a user can move seamlessly between tools. IBM has been using features included in Connections for several years internally, and Minassian says that there are more than 400,000 profiles in the system.

Atlas's most powerful features rely on the data available through Connections, Lamb explains. It collects information about professional relationships based not only on job descriptions and information readily available through the corporate directory, but also through blog tags, bookmarks, and group membership. Atlas can be configured to look at e-mail and instant-message patterns, and to weigh different types of information more or less heavily. The result, Lamb says, is a set of tools that go beyond the simple networks that are clear from a corporation's structure.

Atlas's four features are Find, Reach, Net, and My Net. Find and Reach are both focused on finding experts in particular fields. Through Find, a user enters search terms and receives a list of experts, ranked based on information gleaned from social data, the level of the expert's activity in the community, and any connections he may have to trusted associates of the user. Reach then helps the user plot the shortest path to make the connection, suggesting people the user already knows who could put him in touch with an expert. Net and My Net are primarily meant to help people analyze their existing networks. Net shows patterns of relationships within particular topic areas at a company-wide level. For example, it might analyze data on people interested in social computing and produce a map of how those people connect with each other through blog readership and community involvement. My Net allows individuals to analyze their own networks, showing them who they are connected to and how frequently they stay in touch with those people.

Lamb says that executives might want to use Atlas's Net component to see, for example, how well two companies are integrating after a merger. Alternatively, he says, a salesperson might want to use My Net to make sure that she has good connections across the company to people familiar with the products it sells.

Rob Koplowitz, an analyst with Forrester Research, says that employing social-computing features within a business is as important as using these tools for informal relationships. One key feature of social software designed particularly for businesses is its ability to protect sensitive data, he says: "I'm able to generate relationships and content that might not be appropriate outside of my enterprise. In the consumer space, you assume that the information is public, and that's what you have access to." But with software designed for large corporations, he says companies can assume that access is more secure, and they have the option to make more information available. While Koplowitz thinks that companies will have to be careful about how they choose to configure Atlas and what information they choose to use to build the social graphs, he also says that Connections' integration of social tools is potentially very useful, and something that might eventually become part of more casual networking tools.

Atlas is now being sold through IBM Software Services for Lotus, in part because it requires configuration based on how a business wants to access and analyze information.

Thursday, December 20, 2007

Intel introduced one of the smallest flash-memory-based hard drives on the market. The chip, also known as a solid-state hard drive, competes with similar chips from Samsung, which store data in gadgets such as Apple's iPod nano and iPhone. But the Intel chip comes with a standard electronics controller built in, which makes it easy and inexpensive to combine multiple chips into a single, higher-capacity hard drive.

The move highlights Intel's effort to establish itself as a leader in flash-memory chips and to make them a replacement for the bulky and conventional magnetic hard drives that store data on most of the world's computers. Smart phones and so-called ultramobile computers will require some kind of dense, durable storage system in order to bring the power of desktop computers to handheld devices.

Saturday, December 8, 2007
A new wireless cardiac "patch" could allow doctors to continuously monitor patients' hearts and record electrocardiograms (EKGs) while they are on the go. Such highly portable continuous monitors could help doctors treat cardiac patients, and they may soon become crucial tools in diagnosing conditions in otherwise healthy people, say the device's developers.

Developed by researchers at the Interuniversity Micro-Electronic Centre (IMEC), an independent nanotechnology research institute in Eindhoven, the Netherlands, the flexible stick-on device is a variation of a Holter monitor, a portable EKG tool currently used by cardiologists to help assess and diagnose their patients. But Holter monitors require a number of electrodes to be stuck to the body and connected, via a tangle of wires, to a bulky recording device worn at the hip.

In contrast, the new device just sticks onto the patient's chest and wirelessly sends electrical signals detected from the heart to a credit-card-like receiver. These signals can be analyzed and used to sound an alarm as an early warning when dangerous heart rhythms, or arrhythmias, are detected, says Bert Gyselinckx, the director of IMEC's Wireless Autonomous Transducer Solutions program. For example, the device could be used to alert emergency services to problems suffered by elderly cardiac patients who live alone.

The new device consists of a flexible circuit board just 60 millimeters long and 20 millimeters wide that contains all the circuitry to detect and transmit the EKG signal up to 10 meters. The flexible board slips into a Lycra patch with three sticky points of contact that act as the EKG electrodes. Short wires within the pouch connect the contact points to the circuit board via snap-on sockets. "This makes it easier to attach the electrodes," says Gyselinckx.

The signal is sent to the receiver using an off-the-shelf wireless transmitter, which uses technology similar to Bluetooth but at much lower power, says Gyselinckx. The receiver is a smart card--a pocket-sized card with an integrated circuit embedded in it--that also incorporates a thin battery. "It looks and feels like a credit card," Gyselinckx says. The card can store the EKG data on an embedded two-gigabyte flash-memory device, or it can be hooked up to a handheld computer or cell phone to relay the data to a clinic.

There is a general trend to make heart-monitoring devices wireless because they are so much easier to use, says Mike Kingsley, director of exercise-physiology laboratories at Swansea University, in Wales.

Already, consumer products are available that monitor the heart and send the signal wirelessly to a watch. But these products only detect heart rate, in terms of beats per minute, says Kingsley. "An EKG gives you a lot more information about the way the electrical current is traveling through the heart," he says. A cardiologist can use this data to determine the morphology and behavior of the heart, both of which are vital to making a diagnosis.

Many hospitals have started installing wireless EKG patient-tracking systems, says Gyselinckx, as a way of keeping tabs on their patients and locating them if they get into trouble. But such systems amount to little more than Holter monitors hooked up to a central hospital tracking system that monitors the patients' whereabouts and EKGs.

The IMEC device does have limitations: in its current form, it can't record as much of the heart's electrical activity as a clinical EKG can. "It doesn't give you an overall picture of the heart--only a snapshot," Kingsley says.

Even so, it is still very useful because it allows all arrhythmic events to be detected, says Hans Stromeyer, chief medical officer of Monebo, in Austin, TX, which has developed a wireless EKG device that is worn like a belt. "And continuous monitoring can pick up events that the patient will not be aware of," he says. This has huge potential in preventative medicine because it can help doctors detect and treat serious heart conditions before they progress and cause irreparable damage.

Indeed, the IMEC team is developing the heart patch as part of a larger project, called Human++, aimed at designing telemedicine technologies for preventative health. Continuously monitoring the vital signs of otherwise healthy people in the general population could make it possible for doctors to preempt a variety of serious illnesses through early detection, Gyselinckx says.

Wireless home-based monitoring and diagnosis is already beginning to happen, says Stromeyer. It has demonstrated its usefulness in long-term recovery and is much cheaper than hospital rehabilitation.

There is also a lot of interest in using portable heart monitors to assist in drug trials. This is because one section of the EKG trace, known as the QT segment, has been shown to be a good indicator of changes in heart activity caused by drug toxicity, says Stromeyer. Highly portable monitors such as the IMEC device could be particularly useful in such an application.

But for now the IMEC team is working to enable the device to record as much data as a clinical EKG can. The team is also working to make the patch more pliable with a combination of flexible organic electronics and thin-film silicon electronics, with the aim of licensing the technology.