A network of 'honeypot' computers could one day keep an eye out for viruses. Credit: © Getty

Malicious computer viruses could be stopped in their tracks by immunity software that spreads faster than the virus itself, says a team of computer experts from Israel.

Their proposal relies on setting up a network of shortcuts through the Internet that only antiviral programs can use, allowing them to immunize computers before a virus arrives.

Eran Shir of Tel Aviv University began thinking about the problem when the infamous Blaster worm spread across the Internet in 2003. "It really got me annoyed," he recalls. "Conventional antivirus software just couldn't keep up with its spread."

Antivirus software aims to stop attacks on healthy computers, and to clean up those already infected. Teams work around the clock to look for new viruses and build software 'patches'. These patches are distributed to computer users to install on their machines, hopefully before the virus arrives. But the strategy means that some viruses stay one step ahead for days, wreaking havoc as they spread.

"The software companies just regard the Internet as a sophisticated FedEx service," Shir says. "Our focus is to immunize the whole network, not to clean individual computers or fix what is already broken." This means using the malicious code's own techniques to distribute immunity.

Honeypots and wormholes

Shir and his colleagues propose a system in which a few 'honeypot' computers lie in wait for viruses. These computers run automated software that first identifies the virus, and then sends out its 'signature' across the Internet. This enables a sentinel program on all the other computers in the network to identify the virus and bar it before it can attack them.

The real trick is to make sure that the antiviral signature travels faster through the Internet than the virus itself, so that whenever a malicious program arrives it finds a sentinel blocking the way. "You need to build extra links into the network that only the immune agent can use," says Shir. "They're like wormholes through cyberspace."

These wormholes would form a parallel network connecting the honeypot computers. Assuming that the shortcuts can be set up and made secure, the antiviral signature should be able to stay one step ahead.
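A toy simulation of the race described above, added here as an illustration; it is not the team's model or code. The ring-plus-random-links topology, the one-hop-per-step spreading and every name in it are assumptions, and it does not reproduce the figures quoted in this article.

```python
import random

def build_network(n, extra_links, rng):
    """Ring of n hosts plus random chords: a constructed, always-connected topology."""
    adj = {i: {(i - 1) % n, (i + 1) % n} for i in range(n)}
    for _ in range(extra_links):
        a, b = rng.sample(range(n), 2)
        adj[a].add(b)
        adj[b].add(a)
    return adj

def simulate(n=2000, honeypot_fraction=0.004, wormholes=True, seed=1):
    """Return how many hosts the worm infects before it runs out of targets."""
    rng = random.Random(seed)
    adj = build_network(n, extra_links=n, rng=rng)
    # Host 0 is the first infected machine; honeypots are drawn from the rest.
    honeypots = set(rng.sample(range(1, n), round(n * honeypot_fraction)))
    infected, worm_front = {0}, {0}
    immune, signature_front = set(), set()
    while worm_front:
        # Worm step: every newly infected host probes all of its neighbours.
        probed = {u for v in worm_front for u in adj[v]}
        alerted = (probed & honeypots) - immune   # honeypots that caught a sample
        worm_front = probed - infected - immune - honeypots
        infected |= worm_front
        if alerted:
            # With wormholes, one capture arms every honeypot in the same step;
            # without them, only the honeypot that was probed has the signature.
            armed = (honeypots if wormholes else alerted) - immune
            immune |= armed
            signature_front |= armed
        # Signature step: sentinels pass the signature one hop over ordinary links.
        signature_front = {u for v in signature_front for u in adj[v]} - infected - immune
        immune |= signature_front
    return len(infected)

if __name__ == "__main__":
    for label, kwargs in [("no honeypots", {"honeypot_fraction": 0}),
                          ("honeypots, no wormholes", {"wormholes": False}),
                          ("honeypots + wormholes", {"wormholes": True})]:
        print(f"{label:26s} infected hosts: {simulate(**kwargs)}")
```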

The team's simulations show that surprisingly few honeypots are needed to protect large networks. There are roughly 200 million computers in the United States; just 800,000 of them acting as honeypots would restrict a viral outbreak to 2,000 machines.

"And as the network grows, the same proportion of honeypots, around 0.4%, gives you even better protection," says Shir. He and his team present their proposal in this month's edition of Nature Physics1.

Building the matrix

It's an intriguing plan, but would it work? "That's the million-dollar question," says Alessandro Vespignani, an informatics expert from Indiana University in Bloomington.

"All the ingredients are already there, or could be worked out in a short time," Vespigiani says. He says that some company intranets already run programs that automatically detect the arrival of a new virus, and the architecture of the Internet is sufficiently well understood to position the honeypot computers strategically.

However, he points out that someone would still need to run the honeypot computers, and it is not clear how to secure the wormholes so that only antiviral agents can use them. "These virus writers are smart guys, and they could find a way to attack the parallel network itself," he cautions.

Shir does not have any plans to commercialize the idea. He hopes that people will realize the scheme in an open-source project, freely available to all computer users who want to get involved. "But even if a company takes the idea and makes it happen, we'd all have a better defence against viruses," he says.