For the last few months, a PC loaded with the new software, code-named Billy Goat, has kept watch over IBM's corporate network from the company's large research lab outside Zurich. The system uses a unique approach to detecting malicious software by looking at traffic flowing to Internet addresses that aren't assigned to specific computers, trying to isolate computers on a network that attempt to infect others. IBM is also testing the system at Bluewin, the Internet service provider unit of Swisscom AG, the Swiss national telephone company.
The software could cut down on the number of false alarms generated by commercial intrusion-detection software that tries to analyze the behavior of traffic on computer networks, says Andreas Wespi, a manager in IBM's Global Security Analysis Lab in Zurich. "Worms are spreading so quickly in the first place that only a behavior-based approach has a chance to detect them," he says. The Slammer worm that wreaked havoc on the Internet in January spread around the world within 15 minutes of release. The Sobig worm released this month also spread rapidly.
To be sure, several companies have developed software products that analyze networks' behavior to ward off new attacks, in addition to dectecting the "signatures" of documented viruses and worms. Cisco Systems in January bought Okena Inc., a maker of behavior-based intrusion-detection tools. Network Associates has acquired technology in the area as well.
IBM says its prototype combines the strength of analyzing traffic directed at IP addresses assigned to computers on a network with the ability to look at the unassigned addresses worms also target. It also can sniff out the signatures of known attacks. By testing the software at a large ISP, IBM can collect more data on worm traffic and help decide how to bring Billy Goat to market, says Adrian Schlund, a manager at IBM Global Services. "We have quite a big business potential for Billy Goat," he says. The company is considering bringing the technology to market in its Tivoli software products, or as part of a security service sold to companies by IBM.
Every little bit could help at a company that's had difficulty commercializing technology from its security labs, says John Pescatore, an analyst at market research company Gartner. "There's definitely room for improvement in intrusion detection," he says. Companies need systems with faster response times, and fewer false alarms. "If IBM is doing stuff that can run at the [ISP] level, that's where we need the help."