At its recent TechFest event, Microsoft described how its Vigilante project is using “honeypots” to automatically spot and remove worms as they enter networks. Microsoft added that this is a research project, and it has not decided if or when such tools should be built into Windows.
A computer honeypot is a server with an unpublished IP address. Honeypots are usually connected to the internet rather than a LAN, and the use of otherwise redundant IP addresses virtually guarantees that any attempt to access the server comes from a worm or other unauthorised activity. Worms often select random IP addresses to attack, so they are just as likely to attack a honeypot server as a genuine one. Monitoring tools running on the honeypot inspect the incoming TCP/IP connections and can automatically produce signature files that would allow a suitable firewall to filter out any such packets before they reach production servers.
Honeypots are popular with security experts, but Microsoft would be the first major software vendor to build such tools into mainstream computer software. It is well placed to do so because honeypot systems are best deployed using server virtualisation tools.
Microsoft detailed the Vigilante project in a paper written by two Microsoft researchers with Manuel Costa and Jon Crowcroft from the University of Cambridge. In a section examining the scale of the problem, the authors note, “Worms can spread too fast for people to respond. For example, the Slammer worm infected 90 percent of vulnerable hosts in 10 minutes.”
The report concludes that honeypots can deal with the problem. “Our preliminary results show that Vigilante can effectively contain fast-spreading worms that exploit unknown vulnerabilities.”
Lab data from the Vigilante project indicates that a small number of honeypot systems could protect a large network of servers. “[Our data] shows that a very small fraction of detectors, 0.001, is enough to contain [infection from a worm like Slammer] to less than 10 percent of the vulnerable population.” The researchers noted, “Dynamic dataflow analysis is able to detect an attack even when it does not overwrite program data structures. Dynamic dataflow analysis can also be used with self-modifying code and dynamically generated code. Furthermore, access to the source code is not required.”
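The dynamic dataflow analysis quoted above can be illustrated with a toy taint-tracking interpreter. This is an added example, not code from the Vigilante project: the instruction set, the two sample programs, the memory layout and the (offset, byte) filter format are all constructed for illustration. Every byte received from the network carries a taint mark that follows the value through loads and arithmetic; the detector fires when an input-derived value is used as an indirect jump target, regardless of whether any program data structure was overwritten, and the bytes that decided the target become a simplified filter.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cell:
    value: int
    taint: frozenset = frozenset()  # offsets of the input bytes this value depends on

class TaintVM:
    def __init__(self, message: bytes, mem_size: int = 64):
        self.input = message
        self.mem = [Cell(0) for _ in range(mem_size)]
        self.regs = {r: Cell(0) for r in ("a", "b")}
        self.alert = None  # set when tainted data reaches the control-flow sink

    def run(self, program):
        pc = 0
        while pc < len(program) and self.alert is None:
            op, *args = program[pc]
            pc += 1
            if op == "recv":        # copy the message into memory; byte i carries taint {i}
                for i, b in enumerate(self.input):
                    self.mem[args[0] + i] = Cell(b, frozenset({i}))
            elif op == "movi":      # reg <- constant; constants are never tainted
                self.regs[args[0]] = Cell(args[1])
            elif op == "load":      # reg <- mem[addr]; taint travels with the value
                self.regs[args[0]] = self.mem[args[1]]
            elif op == "add":       # reg <- reg + reg2; taint is the union of both operands
                x, y = self.regs[args[0]], self.regs[args[1]]
                self.regs[args[0]] = Cell(x.value + y.value, x.taint | y.taint)
            elif op == "jz":        # branch on a value: a control dependence only, not flagged
                if self.regs[args[0]].value == 0:
                    pc = args[1]
            elif op == "jmpreg":    # indirect jump through a register: the sink we police
                target = self.regs[args[0]]
                if target.taint:    # simplified filter: the input bytes that chose the target
                    self.alert = tuple(sorted((i, self.input[i]) for i in target.taint))
                else:
                    pc = target.value
        return self.alert

# Constructed benign dispatcher: branches on the command byte, then jumps through an untainted register.
SAFE_DISPATCH = [("recv", 16), ("load", "a", 16), ("jz", "a", 5), ("movi", "b", 5), ("jmpreg", "b")]
# Constructed flawed handler: adds a network-supplied byte straight into the jump target.
UNCHECKED_HANDLER = [("recv", 16), ("load", "a", 17), ("movi", "b", 5), ("add", "b", "a"), ("jmpreg", "b")]

def detect(program, message: bytes):
    # None for a clean run, otherwise the filter generated at the moment of detection
    return TaintVM(message).run(program)
```

Note that the benign program also reads the network byte, but only as a branch condition; the policy tracks data dependence, so a compare-and-branch on input is allowed while an input-derived jump address is not.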
In addition to the honeypot project, Microsoft is developing a protective architecture that can rewrite software as it runs, adding new checks to prevent hackers from hijacking servers by exploiting buffer overflows.
http://www.vnunet.com/news/1161845