AT&T developing early warning tool

AT&T Labs is developing a new kind of traffic analysis tool - dubbed Internet Protect - that is designed to provide corporate customers with earlier indications of network attacks.

Although Internet Protect is being kept under wraps, AT&T confirmed that it is conducting an early test of this tool with several large corporations. With Internet Protect, AT&T has set up a special Web portal to provide a steady stream of information about anything out of the ordinary that AT&T's network operators see, particularly on the Internet.

"Worms don't always fire off and work perfectly. We see all the test attempts. We see the fizzled versions of stuff in advance,'' says Ed Amoroso, chief information security officer at AT&T. "We're trying to change the nature of our relationship with customers so when we see . . . indicators of something that fizzled, we tell everybody.''

AT&T officials would not say when Internet Protect will be commercially available or whether it would be offered under the Internet Protect brand. But they did say it would be complementary to intrusion-detection systems.

"We're trying to take this internal technology and extend it to CIOs in the enterprise . . . . It's a technology that's very promising," Amoroso says.

Internet Protect is part of a larger initiative across AT&T Labs to improve the security and reliability of AT&T's increasingly IP-based network infrastructure.

"Network attacks are clearly on the rise,'' says Hossein Eslambolchi, AT&T CTO, CIO and president of AT&T Labs in a recent conference call with the media. "We have seen more attacks in the last six months than we've seen in the last 10 years.''

Eslambolchi says security is one of six strategic areas of research for AT&T Labs.

"We are looking at innovations'' related to network-based security, Eslambolchi says. "We need a lot better ways to do forensic analysis of viruses and worms.''

As an example, Eslambolchi points to the MS-SQL Slammer worm, which was reported on the Internet in January. AT&T saw anomalies in its network three to four weeks before that worm hit and was able to take certain precautions. "When the worm actually happened, AT&T's network did not take a hit,'' Eslambolchi said.

Amoroso says the rise in network attacks AT&T is seeing can be attributed to the growing number of vulnerabilities in commercial operating systems and applications that can be exploited easily by writing worms.

"Network security has become a process of hunting down the latest and greatest information on vulnerabilities and trying to patch like crazy to beat the worms,'' Amoroso says.

With Internet Protect, AT&T will use internally developed traffic analysis tools to look for anomalies such as traffic spikes, traffic drop-offs and unusual protocols in use.

"We do [traffic analysis] better than anybody,'' Amoroso says. "By traffic analysis, I mean pulling information from the network such as statistics and routing information. . . . It turns out that building security tools around traffic analysis is as good a theme as any.''

Amoroso uses the analogy of highways and truck bombs to explain Internet Protect.

"As highway people, we say [focus on] delivering all the traffic. . . . But that's a bittersweet victory if what we're delivering is the equivalent of truck bombs,'' he says. "Maybe there's something we could do on the highway to filter out the truck bombs."