The software would interact with existing personal firewalls and intrusion detection systems to gather data about anomalous behavior, says Senthil Cheetancheri, the lead researcher on the project he undertook as a grad student at UC Davis from 2004 to 2007. He now works for SonicWall. (.)
The software would share this data with randomly selected peer machines to determine how prevalent the suspicious activity was, he says. If many machines experience the identical traffic, that increases the likelihood that it represents a new attack for which the machines have no signature.
The specific goal would be to detect self-propagating worms that conventional security products have not seen before.
"It depends on the number of events and the number of computers polled, but if there is a sufficient number of such samples, you can say with some degree of certainty that it is a worm," Cheetancheri says. For that decision, the software uses a well-established statistical technique called sequential hypothesis testing, he says
The detection system is decentralized to avoid a single point of failure that an attacker might target, he says.