Communications Research Centre Canada

Eye on Technology

Cyber crime fighters to converge on Ottawa

Posters promoting RAID and VizSec conferences.
The Communications Research Centre (CRC) and Defence Research and Development Canada (DRDC-Ottawa) will co-host the 7th International Symposium on Visualization for Cyber Security (VizSec) on September 14, followed by the 13th International Symposium on Recent Advances in Intrusion Detection (RAID) from September 15 to 17, 2010.

On January 26, 2006, at approximately 8:00 a.m. EST, several U.S. security specialists sighted a new computer worm attached to e-mails coming from Russia. In what would turn out to be a prescient act, they dubbed the worm "MyDoom." By noon, the propagating MyDoom worm accounted for one-tenth of the e-mail traffic on the global Internet, eating up bandwidth and causing significant delays in data exchange. Two days later, 1 in 5 circulating e-mails were progeny of MyDoom. It wasn't until February 1, with an estimated 1 million computers infected, that MyDoom unleashed the second phase of its assault - an orchestrated denial-of-service attack against a specific high-tech firm.

Since MyDoom, there have been successive waves of highly contagious, pernicious malware designed to wrest control of residential and corporate computers and recruit them into botnets. The botnets - extensive, distributed networks of as many as 3,500,000 "zombie" computers - are then used by criminals to capture personal information, send e-mail spam, and steal digital records and passwords, among other illegal activity.

The cost of cyber crime to businesses is enormous. A 2009 survey of 800 chief information officers carried out by the computer security firm McAfee estimated a $4.6-billion price tag attributable to data lost through malware infections, with an additional $600 million required to clean up after the security breaches. It is for precisely this reason, says Dr. Mathieu Couture, a network security researcher with CRC's Broadband Network Technologies group, that landing two prestigious cyber security conferences here in Canada is a major coup for the Canadian business and IT security communities.

This autumn, the Communications Research Centre (CRC) and Defence Research and Development Canada-Ottawa (DRDC-Ottawa) will co-host the 7th International Symposium on Visualization for Cyber Security (VizSec) on September 14, followed by the 13th International Symposium on Recent Advances in Intrusion Detection (RAID) from September 15 to 17, 2010. The conferences will be held in downtown Ottawa, and will bring together leading researchers along with security personnel in charge of computer and network security, and technical staff looking for the latest in security solutions. A planned technology-showcase will also give Canadian and international companies an unprecedented opportunity to display the newest developments in cyber security.

"RAID alone usually draws over 150 academic, industrial and governmental participants from around the world," says Frédéric Massicotte, CRC network security researcher and general chair of RAID 2010. This size, combined with the academic/industry mix, gives all participants the opportunity to make connections and seek out collaborations and partnerships with leaders in the cyber security field.

Traditionally, the location of RAID alternates between Europe and the U.S. This year's RAID 2010 will be the first time that the conference has been held in Canada.

"We were truly honoured," says Massicotte, "to have been chosen to host the conference." Research laboratories, he says, compete to play host, and past hosts include MIT, Carnegie Mellon University, and IBM. Putting CRC and DRDC in such illustrious company, however, doesn't come as a complete surprise.

CRC, explains Massicotte, became widely known for intrusion detection research when the lab developed a tool called the Automatic Experimentation System (AES). CRC researchers used the tool to generate a data set of computer-attack "traffic traces." These traffic traces record the network activity that occurs when an "exploit" is in the process of assaulting a computer. Exploits are essentially hacker tools, small pieces of open-source computer code designed to take advantage of some vulnerability in the computer or network software. Like a hammer used by a burglar to break a basement window, exploits are tools used to gain access through a vulnerable route. They then allow the virus or malicious code to enter the system and carry out its intended goal.

CRC's traffic traces, says Massicotte, have been used worldwide by research teams studying intrusion detection, providing them with invaluable information on how software products react when under attack, and therefore what can be done to detect these attacks. And the traces developed in the initial AES work are still in use today.

The laboratory's current work, says Couture, builds upon the initial traffic-trace work, but now focuses on the more complex and rampant problem of malicious software, also known as malware.

"The difference between working with exploits and malware is that with exploits, you know what you're downloading. You know what they're designed to do. With malware, you have no idea. You just know that it's probably going to be really nasty."

One of the challenges in working with malware, he says, is to provide it with a network environment rich enough to let it "show its stuff" while at the same time, ensuring the infected machines and network are fully isolated from any external computers or external network access that could allow the malware to spread.

"To carry out its attack a piece of malware may need, for example, an IRC [Internet Relay Chat] server, or it may need access to Twitter or Facebook. It's hard to mimic that on an enclosed, isolated system, but because of the destruction malware can cause, we have to protect other computers and the network from being infected by this code."

To get around the problem, the laboratory is using the AES tool to simulate a real network made up of virtual computers and virtual connections. With over one-million malware programs to study, the virtual network will provide researchers with invaluable information on malware attacks. It will also, says Massicotte, help industry security specialists deal with malware infections.

"If we can use AES to rapidly analyze malware samples, this will help network security companies reduce their reaction time when a new piece of malware makes its appearance," says Massicotte.
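The two ideas the article describes, traffic traces that show how a system behaves under attack and an isolated lab network that must not leak, can be illustrated with a small script. The following is an added example written for this page; it is not CRC's AES tool and not code from the article. It parses a constructed trace of connection records (the format, the 10.0.5.0/24 lab subnet and the sample addresses are all assumptions) and runs two defender-side checks over it: a fan-out detector for the mass-mailing pattern the article attributes to MyDoom (one host opening SMTP connections to many distinct targets in a short window), and a containment check that flags any record touching an address outside the lab network, which is exactly the leak an isolated malware environment has to prevent.

```python
"""Toy analysis of a constructed network traffic trace.

Added example, not CRC's AES tool and not code from the article. The trace
format, the lab subnet and all addresses below are constructed assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed trace: one connection record per line,
# "timestamp src_ip dst_ip dst_port proto".
# Host 10.0.5.10 fans out to six SMTP servers in three seconds (worm-like);
# host 10.0.5.13 first talks to a lab IRC server, then to an outside address.
SAMPLE_TRACE = """\
1264510800 10.0.5.10 10.0.5.200 25 tcp
1264510801 10.0.5.10 10.0.5.201 25 tcp
1264510801 10.0.5.10 10.0.5.202 25 tcp
1264510802 10.0.5.10 10.0.5.203 25 tcp
1264510802 10.0.5.10 10.0.5.204 25 tcp
1264510803 10.0.5.10 10.0.5.205 25 tcp
1264510805 10.0.5.11 10.0.5.50 80 tcp
1264510806 10.0.5.12 10.0.5.50 80 tcp
1264510807 10.0.5.13 10.0.5.60 6667 tcp
1264510900 10.0.5.13 198.51.100.7 6667 tcp
"""

# Assumed isolated lab subnet: every endpoint in the trace must lie inside it.
LAB_NET = ip_network("10.0.5.0/24")


def parse_trace(text):
    """Turn the text trace into a list of record dicts with typed fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = line.split()
        records.append({
            "ts": int(ts),
            "src": ip_address(src),
            "dst": ip_address(dst),
            "port": int(port),
            "proto": proto,
        })
    return records


def find_smtp_fanout(records, threshold=5, window=10):
    """Return source hosts that contacted at least `threshold` distinct SMTP
    destinations within any `window`-second span (mass-mailing worm pattern)."""
    by_src = defaultdict(list)
    for r in records:
        if r["port"] == 25 and r["proto"] == "tcp":
            by_src[r["src"]].append((r["ts"], r["dst"]))
    flagged = set()
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # Distinct destinations reached within `window` seconds of t0.
            targets = {d for t, d in events[i:] if t - t0 <= window}
            if len(targets) >= threshold:
                flagged.add(str(src))
                break
    return sorted(flagged)


def find_containment_leaks(records, lab_net=LAB_NET):
    """Return records where either endpoint lies outside the isolated lab
    network; any such record means the sandbox is not fully isolated."""
    return [r for r in records
            if r["src"] not in lab_net or r["dst"] not in lab_net]


if __name__ == "__main__":
    recs = parse_trace(SAMPLE_TRACE)
    print("SMTP fan-out sources:", find_smtp_fanout(recs))
    for leak in find_containment_leaks(recs):
        print("containment leak:", leak["src"], "->", leak["dst"], leak["port"])
```

On the constructed trace the fan-out check names 10.0.5.10 and the containment check reports the single record to 198.51.100.7. In a real lab the containment check would run on the traffic captured at the lab's edge, where a non-empty result means the isolation the article describes has failed.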

More information on RAID can be found at www.raid2010.org.

For VizSec see www.vizsec.org/vizsec-2010.

Frédéric Massicotte can be contacted at frederic.massicotte@crc.gc.ca or (613) 998-2843.