From Spam Daily News

"You've Got a Goat!"
Posted on March 27, 2006

IBM researchers have designed a novel intrusion detection tool, code-named "Billy Goat," which masquerades as a collection of computers on the network. Actual computers do not communicate with Billy Goat, but criminals who randomly attack servers are likely to stumble over it.

One of the greatest threats to security has come from automatic, self-propagating attacks such as viruses and worms. These attacks scan networked servers at random until they are able to place a harmful program on a server using a maliciously crafted request. The program uses the now-infected server as a base from which to attack other servers.

Billy Goat creates a virtual environment of hundreds or thousands of computers, depending on your IP space, and compiles information on what kinds of messages are sent to these fictional computers. Traffic that goes to these non-existent computers is likely to be from sources that are either misconfigured or malicious. As soon as Billy Goat is attacked, it quickly identifies the attacking systems and fences them off.

"Billy Goat uses a unique approach to detect malicious software by responding to requests sent to unused IP addresses, presenting what from a worm's-eye view looks like a network full of machines and services," says Dr. James Riordan, the lead designer of the system at IBM's Zurich Research Lab.

"In other words, Billy Goat creates a virtual environment for the worms. Such virtualization, by providing feigned services as well as recording connection attempts, helps Billy Goat trick worms into revealing their identity. This method allows the system to reliably and quickly identify worm-infected machines in a network," Riordan says.
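The idea described above, watching connection attempts to unused addresses and separating misconfigured sources from scanning ones, can be sketched as follows. This is an added illustration, not IBM's code: the log format, the unused ranges, the threshold and the function names are all assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumption: unused ranges the sensor answers for (documentation prefixes).
DARK_NETS = [ipaddress.ip_network("192.0.2.0/24"),
             ipaddress.ip_network("198.51.100.0/25")]
SCAN_THRESHOLD = 3  # assumed: distinct unused addresses that mark a scanner

# Constructed connection records: "time source destination dest_port"
SAMPLE_LOG = """\
09:00:01 10.0.5.23 192.0.2.10 445
09:00:01 10.0.5.23 192.0.2.11 445
09:00:02 10.0.5.23 192.0.2.12 445
09:00:02 10.0.5.23 198.51.100.5 445
09:00:03 10.0.7.8 192.0.2.53 53
09:00:33 10.0.7.8 192.0.2.53 53
09:01:03 10.0.7.8 192.0.2.53 53
09:01:10 10.0.1.4 10.0.1.1 443
09:01:11 10.0.9.9 198.51.100.200 22
09:01:12 truncated-record
"""

def classify_sources(log_text, threshold=SCAN_THRESHOLD):
    """Map each source that touched unused space to a verdict and evidence."""
    hosts, ports = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed records rather than guess
        try:
            src = ipaddress.ip_address(fields[1])
            dst = ipaddress.ip_address(fields[2])
            port = int(fields[3])
        except ValueError:
            continue
        if any(dst in net for net in DARK_NETS):
            hosts[str(src)].add(dst)
            ports[str(src)].add(port)
    report = {}
    for src, seen in hosts.items():
        # One unused address hit repeatedly looks like a stale config;
        # many distinct unused addresses looks like random scanning.
        verdict = "scanner" if len(seen) >= threshold else "misconfigured"
        report[src] = {"verdict": verdict, "dark_hosts": len(seen),
                       "ports": sorted(ports[src])}
    return report

def sources_to_fence(report):
    """Sources whose behaviour warrants isolation."""
    return sorted(s for s, r in report.items() if r["verdict"] == "scanner")
```

Traffic to live hosts and to addresses outside the monitored unused ranges never enters the report, so only sources that touched the feigned network are judged.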

The technology is being made available through IBM's On Demand Innovation Services.
SOURCE: IBM