Shape-Shifting Software ‘Defends Against Botnet Hacks
The Silicon Valley firm has several high-profile backers including Google.
But one expert said hackers might still be able to work round the defence.
However, Ron Austin – a senior lecturer on computer security at Birmingham City University – said that it would probably take them longer than previously.
Shape says the “look and feel” of the sites that use its tech remains unchanged to legitimate visitors.
It adds that several companies have already trialled its product, including Citigroup bank and the ticket seller StubHub.
Shape describes its product as a being a “botwall” – a reference to it being a barrier against automated software tools known as bots that recognise and exploit vulnerabilities in a site’s code.
These can be used for malicious purposes, such as carrying out DDoS (distributed denial of service) attacks – forcing a website server to crash by flooding it with traffic – or to hijack a site, allowing the hacker to modify its contents, steal private details and spread malware.
Many products try to prevent such breaches by identifying bots by their signatures – the name they use when registering themselves – and the internet and email addresses they send data to.
Hackers have tried to counter detection by using a technique called “real-time polymorphism” – making their bots rewrite their own code every time they infect a new machine to make them harder to recognise.
Shape says its product reverses this advantage.
“The website looks and feels exactly the same to legitimate users, but the underlying site code is different on every page view,” wrote the firm’s founder, Sumit Agarwal, on its blog.
“Ultimately, the ShapeShifter aims to stop non-human visitors from executing large-scale automated attacks. This may help break the economics of breaches like the one Target experienced in late 2013, by eliminating the monetisation path.
“Without automated scripts, many of today’s attacks cease to be economically viable.”
Shape had raised $26m (£15.7m) from investors ahead of its product’s launch.
- Google Ventures, the search firm’s venture capital fund
- Google chairman Eric Schmidt’s personal investment company TomorrowVentures
- Kleiner Perkins Caufield & Byers, an early investor in Amazon and Facebook
- Enrique Salem, the former chief executive of security firm Symantec
One security expert from the University of Oxford’s Internet Institute said the innovation sounded promising.
“It’s an interesting additional tool for making it harder for attackers to break into systems, and one that can’t be trivially circumvented by attackers changing their behaviour,” Dr Ian Brown told the BBC.
But Ron Austin added that given enough time, a dedicated hacker should still be able to achieve their goal.
“The caveat to this approach would be looking for parts of the polymorphic code within the software that does not change,” he explained.
“This would then give the attacker a point of reference into the system and possibly allow a new attack to be created. This is difficult and would take time as the attacker would have to monitor the software.”