Intel researchers have demonstrated a new hardware system designed to rapidly and automatically quarantine PCs infected with worms or viruses.
Announced at this week’s Intel Developer Forum (IDF), the Manageability Engine technology — internally referred to as “Circuit Breaker” — is designed to monitor the number of connections being made by a PC, and assess the integrity of the machine’s security software.
If it detects a higher than normal number of external connections being made, and this can be related to other software anomalies, the PC is then automatically disconnected to stop it becoming a platform from which to infect further machines.
“Worms and viruses propagate so quickly that if you are not able to respond in a matter of minutes, the situation is completely out of control,” said Justin Rattner, director of Intel corporate technology, who directed the on-stage demonstration of the system.
Rattner used the example of the Witty worm of 2004 to highlight the reactive limitations of current security methods. The worm spread around the world in only ten minutes and “there was not enough time for human intervention and not enough time for machine intervention,” he said.
The Manageability Engine would have been able to stop such a rapidly-spreading worm before it got out of hand because protection was in the same place as the initial infection, rather than monitoring it from a distance as it spread.
“It is looking at changes in traffic pattern behaviour. It doesn’t have anything to do with how the virus was coded. It also does a good job avoiding false positives. If your system was disconnected from the network because of a suspected virus on a regular basis, you would be very unhappy,” Rattner was reported as saying.
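As an added illustration of the behaviour described above (a connection-rate anomaly that is only acted on when it can be tied to a host-side integrity problem, which is also what keeps the false-positive rate down), here is a small Python model of such a circuit breaker. It is not Intel's code: the window length, baseline, trip multiplier, the integrity checks and the sample traffic are all constructed assumptions, and counting only new destinations rather than every connection is this example's own design choice.

```python
"""Added example: a software model of a "circuit breaker" for worm containment.

Constructed for illustration, not Intel's implementation. It counts new
outbound destinations in a sliding window, compares the count with a learned
baseline, and cuts the host off only when the burst coincides with a
host-side integrity anomaly (e.g. the security software has been stopped).
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class HostIntegrity:
    """Hypothetical result of the integrity check on the machine's security software."""
    av_running: bool = True
    av_signature_intact: bool = True

    @property
    def anomalous(self) -> bool:
        return not (self.av_running and self.av_signature_intact)


@dataclass
class CircuitBreaker:
    window_seconds: float = 10.0        # assumed sliding window
    baseline_per_window: float = 5.0    # assumed "normal" new destinations per window
    multiplier: float = 4.0             # assumed trip factor: > 20 new destinations trips
    require_host_anomaly: bool = True   # false-positive guard: need a second signal
    tripped: bool = False
    _recent: deque = field(default_factory=deque, repr=False)
    _known_destinations: set = field(default_factory=set, repr=False)

    def observe(self, ts: float, dest_ip: str, integrity: HostIntegrity) -> str:
        """Record one outbound connection and return the decision for it."""
        if self.tripped:
            return "quarantined"
        # Only *new* destinations are counted: a scanning worm fans out to
        # hosts it has never talked to, while ordinary traffic keeps returning
        # to the same few servers, so a busy web session does not look like a scan.
        if dest_ip not in self._known_destinations:
            self._known_destinations.add(dest_ip)
            self._recent.append(ts)
        # Drop timestamps that have fallen out of the window.
        while self._recent and ts - self._recent[0] > self.window_seconds:
            self._recent.popleft()
        rate_anomaly = len(self._recent) > self.baseline_per_window * self.multiplier
        if rate_anomaly and (integrity.anomalous or not self.require_host_anomaly):
            self.tripped = True          # disconnect the host from the network
            return "quarantined"
        if rate_anomaly:
            return "suspicious"          # log and raise an alert, but stay connected
        return "allowed"


def normal_browsing_events():
    """Constructed sample: 30 connections over a minute to four servers (RFC 5737 addresses)."""
    servers = ["192.0.2.10", "192.0.2.11", "198.51.100.5", "203.0.113.7"]
    return [(t * 2.0, servers[t % 4]) for t in range(30)]


def worm_scan_events(count=200, start=100.0):
    """Constructed sample: one never-seen destination every 50 ms, the fan-out of a scanning worm."""
    return [(start + i * 0.05, f"10.0.{i // 256}.{i % 256}") for i in range(count)]


def run_scenario(events, integrity, require_host_anomaly=True):
    """Feed a list of (timestamp, dest_ip) through a fresh breaker.

    Returns (per-event decisions, whether it tripped, index of the tripping event or None).
    """
    cb = CircuitBreaker(require_host_anomaly=require_host_anomaly)
    decisions = [cb.observe(ts, ip, integrity) for ts, ip in events]
    trip_index = decisions.index("quarantined") if cb.tripped else None
    return decisions, cb.tripped, trip_index


if __name__ == "__main__":
    for name, events, integrity in [
        ("normal browsing, AV stopped", normal_browsing_events(), HostIntegrity(av_running=False)),
        ("worm scan, AV healthy", worm_scan_events(), HostIntegrity()),
        ("worm scan, AV stopped", worm_scan_events(), HostIntegrity(av_running=False)),
    ]:
        _, tripped, idx = run_scenario(events, integrity)
        print(f"{name}: tripped={tripped} at event {idx}")
```

With the assumed thresholds the scan is cut off at its 21st new destination, about a second into the outbreak, while the same scan on a host whose security software still checks out is only flagged as suspicious, and ordinary browsing never comes close to the threshold even when the integrity check fails. Requiring both signals is exactly the trade-off the quote above describes: it costs coverage of a worm that leaves the security software intact, but it avoids disconnecting users on traffic spikes alone.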
The demonstration used a hardware-based add-in card that the company claimed was also able to detect previously unknown types of infection using pattern analysis. On commercial systems, the implication is that it would be added to a network interface card, most likely as a single chip.
Rattner indicated that the technology was not meant to replace security software, but rather to complement it, limiting the damage in the event that the security software itself had been compromised.