The Economist reports on a clever new anti-virus technique. Developed by HP Labs researcher Matthew Williamson, it exploits the behavior of a virus to make it reveal its presence: it monitors the rate of network connection attempts to previously unknown distant computers. If a flurry of that kind of activity is being attempted, odds are very high that it’s being done by a virus.
Throttling viruses in this way is such a simple idea that it raises the question of why it has not been thought of before. According to Dr Williamson, part of the reason is that most people think of computer security in a binary—ie, “on” or “off”—fashion. Throttling merely slows things down, making a system resilient rather than completely resistant. People also, not unnaturally, think mainly about protecting themselves from attack. Yet, like vaccinating children, much of the benefit of throttling accrues to others—ie, those to whom the virus is not transmitted, even if those others have not taken the trouble to protect themselves. In fact, it is in some ways worse than vaccination, since at least a vaccinated individual is also protected (albeit at the small risk of an adverse reaction to the vaccine). With throttling, all the benefit accrues to others.
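One way to implement the throttle described above, as an added sketch that is not code from HP Labs or the article: connections to recently contacted hosts pass immediately, connections to unfamiliar hosts wait in a queue that drains at a fixed rate, and a long queue is the sign of infection. The class and function names, the working-set size of 5, the release rate of one host per tick and the alarm threshold of 10 are all assumptions chosen for illustration.

```python
from collections import OrderedDict, deque

class ConnectionThrottle:
    """Delays connections to hosts outside a small set of recent destinations."""
    def __init__(self, working_set=5, per_tick=1, alarm_len=10):  # assumed values
        self.working_set, self.per_tick, self.alarm_len = working_set, per_tick, alarm_len
        self.recent = OrderedDict()   # recently contacted hosts, oldest first
        self.delayed = deque()        # pending connections to unfamiliar hosts
    def _remember(self, host):
        self.recent[host] = True
        self.recent.move_to_end(host)
        while len(self.recent) > self.working_set:
            self.recent.popitem(last=False)   # evict least recently used
    def request(self, host):
        """True: connect now (familiar host). False: queued behind the throttle."""
        if host in self.recent:
            self.recent.move_to_end(host)
            return True
        self.delayed.append(host)
        return False
    def tick(self):
        """Once per time unit: release at most per_tick unfamiliar hosts."""
        released, budget = [], self.per_tick
        while self.delayed and (budget > 0 or self.delayed[0] in self.recent):
            host = self.delayed.popleft()
            if host not in self.recent:
                budget -= 1               # only unfamiliar hosts spend the budget
            self._remember(host)
            released.append(host)
        return released
    def suspicious(self):
        return len(self.delayed) >= self.alarm_len

def simulate(trace, **params):
    """trace: list of per-tick host lists. Returns (peak queue, first alarm tick)."""
    throttle, peak, alarm_tick = ConnectionThrottle(**params), 0, None
    for i, hosts in enumerate(trace):
        for host in hosts:
            throttle.request(host)
        peak = max(peak, len(throttle.delayed))
        if alarm_tick is None and throttle.suspicious():
            alarm_tick = i
        throttle.tick()
    return peak, alarm_tick

# Constructed traces: ordinary use revisits a few hosts; a worm tries 8 new ones per tick.
NORMAL = [["mail.example"], ["mail.example", "web.example"], ["web.example"],
          ["news.example"], ["mail.example"], ["web.example"]]
WORM = [[f"198.51.100.{t * 8 + i}" for i in range(8)] for t in range(5)]
```

On the ordinary trace the queue never holds more than one entry, while the worm trace trips the alarm on its second tick and only one of its connections per tick ever leaves the machine.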