Posted June 17th, 2009
Nasir Memon, Polytechnic Institute of NYU professor of computer science and engineering, has developed a network-based infection detection system (referred to as “INFER”) that lets CIOs deal with what he thinks is a missing piece of enterprise network security: infected computers.
“Intrusion prevention is not enough,” said Professor Memon at the Cyber Infrastructure Protection Conference held at City College of New York on June 4. “You have to be watching inside your network very carefully and looking for infections.”
NetworkWorld reported on Professor Memon’s conference remarks and his commercialization of INFER through Vivic, a company located in NYU-Poly’s BEST business incubator. Professor Memon created Vivic with his students. Its first client is the U.S. Army Research Laboratory.
Below are excerpts from “CIOs: Your networks have already been compromised,” reprinted in Macworld and InfoWorld.
INFER doesn't look for known malware or attacks, nor does it seek the signatures or behavior patterns associated with them. Instead, INFER looks for hosts displaying symptoms that an infected machine would exhibit, regardless of the infection. INFER checks PCs for a dozen symptoms such as slowdowns, frequent reboots, DNS reconnections and hosts acting like relays or proxies.
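As an added illustration of symptom-based detection (not INFER's own code, whose checks are not published here), the script below scores internal hosts on two of the symptoms the article names: a host relaying externally initiated connections back out to the internet, and a burst of DNS lookups. The flow records, the 10.0.0.0/8 internal range, the window and the thresholds are all constructed assumptions for the demo.

```python
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

@dataclass
class Flow:
    ts: int     # seconds since start of capture
    src: str
    dst: str
    dport: int

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

def symptoms(flows, window=60, dns_threshold=20, relay_threshold=3):
    """Map each internal host to the set of symptoms it displays.
    Heuristics are illustrative approximations, not INFER's checks."""
    dns, inbound, outbound = defaultdict(list), defaultdict(list), defaultdict(list)
    for f in flows:
        if is_internal(f.src) and f.dport == 53:
            dns[f.src].append(f.ts)
        if is_internal(f.dst) and not is_internal(f.src):
            inbound[f.dst].append(f.ts)          # external host initiated this
        if is_internal(f.src) and not is_internal(f.dst) and f.dport != 53:
            outbound[f.src].append(f.ts)
    found = defaultdict(set)
    for host, times in dns.items():
        times.sort()
        # DNS churn: too many lookups inside any single window
        if any(sum(1 for u in times[i:] if u < t + window) >= dns_threshold
               for i, t in enumerate(times)):
            found[host].add("dns_churn")
    for host, ins in inbound.items():
        outs = outbound.get(host, [])
        # Relay: inbound-from-external followed shortly by outbound-to-external
        relayed = sum(1 for ti in ins if any(0 <= to - ti <= window for to in outs))
        if relayed >= relay_threshold:
            found[host].add("relay")
    return dict(found)

def suspicious_hosts(flows, min_symptoms=1):
    return sorted(h for h, s in symptoms(flows).items() if len(s) >= min_symptoms)

# Constructed sample: 10.0.0.5 relays, 10.0.0.7 hammers DNS, 10.0.0.9 is normal
SAMPLE = (
    [Flow(t, "203.0.113.7", "10.0.0.5", 4444) for t in (0, 10, 20)]
    + [Flow(t + 2, "10.0.0.5", "198.51.100.%d" % t, 443) for t in (0, 10, 20)]
    + [Flow(t, "10.0.0.7", "10.0.0.2", 53) for t in range(25)]
    + [Flow(t, "10.0.0.9", "10.0.0.2", 53) for t in (0, 30, 90)]
    + [Flow(5, "10.0.0.9", "93.184.216.34", 443)]
)
```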
"The moment the attacker starts doing things with a compromised machine, it will start showing footprints on the network. That's what we want to focus on," Memon said. "It's like a surveillance camera recording everything that's going on in the network."
INFER represents a "difference in mindset," Memon says. "Network managers wake up and think how do I keep the bad guys out, but they ignore the bad guys that are already inside."