How to second guess hack attacks

New Scientist

NOVEL computer viruses and worms can sweep the world within hours, leaving a trail of devastation, because firewalls and antiviral software work by identifying the telltale signatures of known attacks. They are useless against anything completely new. But now software engineers at Icosystem in Cambridge, Massachusetts, have developed a program that can predict what's coming next by "evolving" future hacker and virus attacks based on information from known ones.

The company is testing the technique with the help of the US Army's Computer Crimes Investigation Command in Fort Belvoir, Virginia. The idea would be to generate these novel attack strategies centrally, then remotely update the intrusion-detection software protecting PCs and networks around the world. This would allow them to recognise attack patterns before hackers have even developed them.

The first version of the system is geared to predict hacking, though the technique is equally applicable to viruses. It works by mutating the short programs or "scripts" that hackers use to invade computers or which they plant on them for later activation. The result is artificially created hacking routines that security systems could be taught to recognise, allowing them to defend networks against previously unseen attacks.

Most attacks target well-known bugs in commercial web server software. By sending packets of data designed to exploit these flaws, an attacker can gain remote control over a computer or force it to do something self-destructive, like crashing after a certain number of keystrokes.

To defend against such attacks, today's computer networks use software that analyses traffic for signs of malicious activity. For instance, the arrival of data packets at an unusual input port may be a sign that a hacker is trying to overflow a section of memory with oversized input in order to overwrite working memory and corrupt data. But the attack may be modified in some way to confuse such defences, perhaps by combining a number of different attack routines.

What's needed is an intrusion detector that can predict hackers' future strategies. And that's what Icosystem claims to have developed. Its attack prediction system takes known hacking software and systematically mutates it to find the most deadly permutations.

The mutations are kept simple so that the code still runs; there's no point in random mutations that render the software useless. Mutations might involve renaming a file or folder created by hacker code. A small change like this could be enough to foil today's intrusion detection systems.

Icosystem's software could also combine portions of different hacker programs to see what more complex attacks evolve. "It tries a lot of different mutations and recombinations, but they are all grammatically and syntactically correct," says Eric Bonabeau, chief information officer at Icosystem. "The idea is to continue to evolve scripts and new forms of attacks will undoubtedly emerge."

Chris Wysopal, a consultant with Boston-based computer security firm @stake, says the approach may lead to a new, smarter generation of intrusion-detection systems. But he predicts significant performance problems if networks routinely have to search for thousands of modified scripts. "That many signatures would probably slow a detection system down considerably," he warns.
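As an added illustration, not Icosystem's code or method, the toy below applies the rename mutation described above to a harmless constructed script and compares an exact-hash signature with an assumed structural signature that ignores path literals; it also shows why a per-variant signature database grows in the way Wysopal warns about.

```python
import hashlib
import re
import shlex
from itertools import product


def make_script(folder: str, filename: str) -> str:
    """Constructed, harmless stand-in for a short 'script': it only
    creates a folder and an empty marker file, then prints a word."""
    return f"mkdir /tmp/{folder} && touch /tmp/{folder}/{filename} && echo done"


ORIGINAL = make_script("work", "marker")


def exact_signature(script: str) -> str:
    """Classic signature: a hash of the exact script text."""
    return hashlib.sha256(script.encode()).hexdigest()


def structural_signature(script: str) -> str:
    """Assumed normalisation (not the article's method): every path literal
    becomes <PATH>, so renaming a file or folder leaves the signature alone."""
    return hashlib.sha256(re.sub(r"/\S+", "<PATH>", script).encode()).hexdigest()


def evolve_variants(folders, filenames):
    """Enumerate rename mutations, the simple kind that keeps the code runnable."""
    return [make_script(f, n) for f, n in product(folders, filenames)]


def still_parses(script: str) -> bool:
    """Cheap syntactic check: the mutated text still tokenises as shell words."""
    try:
        shlex.split(script)
        return True
    except ValueError:
        return False


def compare() -> dict:
    """Detection counts and database sizes for the two signature styles."""
    variants = evolve_variants(["work", "cache", "logs"], ["marker", "a.tmp", "x"])
    exact_db = {exact_signature(ORIGINAL)}        # one signature for the known script
    struct_db = {structural_signature(ORIGINAL)}  # one structural signature for it
    return {
        "variants": len(variants),
        "exact_hits": sum(exact_signature(v) in exact_db for v in variants),
        "structural_hits": sum(structural_signature(v) in struct_db for v in variants),
        # covering every evolved variant with exact signatures needs one entry each
        "exact_db_size_to_cover_all": len({exact_signature(v) for v in variants}),
        "structural_db_size_to_cover_all": len({structural_signature(v) for v in variants}),
    }
```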


New Scientist issue: 24th January 2004
