"I think the Mydoom worm once again focused everyone's attention on the problem of invasive critters," observed Greg Brown, director of network security products at accelerator vendor Tarari Inc. (San Diego). Yet, Mydoom proved relatively easy to detect. "It had about seven or nine keywords, one of which always appeared as the name of an executable attachment," Brown said. It was simple to write a scanning routine to detect it.
But simple scans for a single fixed pattern aren't the problem. These can be done today, often in software, at only moderate cost in throughput if they are performed close to the network termination. The problem comes from a number of factors: compounding, uncertainty and concealment.
Evil fragments
Compounding is easy to explain. Mydoom, for instance, isn't the only thing for which anti-virus screens must scan. There are myriad evil fragments, each with its own characteristic pattern or patterns. When the scanning is done in software, it is extremely difficult to keep the scanning time from growing at least linearly with the number of patterns to be matched. But by stating the patterns as regular expressions, it is possible to compile a set of regular expressions into a single-pass scan algorithm that reduces the rate of growth.
Uncertainty is less easy to deal with. Some objects of detection don't contain a single unambiguous pattern, but must be detected by a sequence of inferences based on partial patterns. Here again the power of regular expressions comes into play, but with less ease. As anyone who wrestled with grep in a Unix class can attest, finding a regular expression to cover a range of disjoint possible patterns is not trivial. And again, with many scanning solutions, even if it's possible to handle something more than a simple match, the search time rises rapidly with the complexity of the pattern.
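The two preceding paragraphs describe compiling many patterns into one single-pass scanner so that scan time stops growing with the number of signatures. The following is an added example, not Tarari's code: it compiles a set of literal keyword patterns (constructed placeholders, not real malware signatures) into an Aho-Corasick automaton, the classic construction behind multi-pattern scanners, and contrasts its per-byte work with a naive one-scan-per-pattern loop. The `MultiPatternScanner` and `naive_scan` names, the `work` counters and the sample message are all assumptions made for this illustration.

```python
"""Single-pass multi-pattern scanning with an Aho-Corasick automaton.

Added example; not code from the article or from Tarari. Pattern strings
and the sample message are constructed for illustration.
"""
from collections import deque


class MultiPatternScanner:
    """Compile literal patterns into one automaton scanned in a single pass.

    Each input byte is examined once, and the number of state transitions is
    bounded by 2 * len(data) no matter how many patterns were compiled in.
    """

    def __init__(self, patterns):
        self.patterns = [bytes(p) for p in patterns]
        self.goto = [{}]      # goto[state][byte] -> next state (trie edges)
        self.out = [[]]       # out[state] -> ids of patterns ending here
        self.fail = [0]       # fail[state] -> longest proper suffix state
        self.work = 0         # transitions taken during the last scan()
        for pid, pat in enumerate(self.patterns):
            self._add(pat, pid)
        self._build_failure_links()

    def _add(self, pat, pid):
        state = 0
        for b in pat:
            nxt = self.goto[state].get(b)
            if nxt is None:
                nxt = len(self.goto)
                self.goto.append({})
                self.out.append([])
                self.fail.append(0)
                self.goto[state][b] = nxt
            state = nxt
        self.out[state].append(pid)

    def _build_failure_links(self):
        # Breadth-first over the trie; depth-1 states fall back to the root.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                # A match ending at the fallback state also ends here.
                self.out[s].extend(self.out[self.fail[s]])

    def scan(self, data):
        """Return (end_offset, pattern) for every hit, in one pass over data."""
        hits, state, self.work = [], 0, 0
        for i, b in enumerate(data):
            while state and b not in self.goto[state]:
                state = self.fail[state]   # follow suffix link, no re-reading
                self.work += 1
            state = self.goto[state].get(b, 0)
            self.work += 1
            for pid in self.out[state]:
                hits.append((i, self.patterns[pid]))
        return hits


def naive_scan(patterns, data):
    """One full scan of the data per pattern: work grows with pattern count."""
    hits, work = [], 0
    for pat in patterns:
        work += len(data)
        start = 0
        while True:
            i = data.find(pat, start)
            if i < 0:
                break
            hits.append((i + len(pat) - 1, pat))
            start = i + 1
    return hits, work


# Constructed attachment-name keywords standing in for a signature set.
SIGNATURES = [b"invoice.exe", b"photo.scr", b"update.pif", b"notes.zip"]
SAMPLE = b"Subject: hi\r\n\r\nplease see attached photo.scr and invoice.exe"

if __name__ == "__main__":
    scanner = MultiPatternScanner(SIGNATURES)
    print(scanner.scan(SAMPLE), "transitions:", scanner.work)
    print(naive_scan(SIGNATURES, SAMPLE))
```

Both scanners report the same hits; the difference is in `work`. The naive loop examines every byte once per pattern, so doubling the signature count doubles the scan cost, while the automaton's transition count stays bounded by twice the message length regardless of how many signatures were compiled in. Hardware scanners of the kind the article discusses apply the same idea to regular expressions by compiling them into a single finite automaton.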
And the patterns can be exceedingly subtle. "One of the big markets right now is in the servers of European cellular service providers," said Tarari vice president of marketing John Bromhead. "Now that they have deployed handsets with graphics capability, spammers are sending pornographic images to people's cell phones. There's a rather urgent project to figure out how to scan packet data for flesh tones."