
There is a growing army of hackers out there just dying to get their hands on your data. So how do you protect your server from attack? Digital signatures may seem like the obvious answer but, as Felicity Ussher finds out, there are new options appearing on the horizon...
Published: 12 November 1998 12:56 GMT
Digital signatures may have hit the headlines for securing ecommerce transactions, but in more traditional security fields, they are already passé.
Take hacker detection, which has become a crucial business issue as more money is made online and corporate Web sites become targets for political activism. Here, the signature does not refer to the electronic equivalent of a hand-written signature, but to the typical trace a hacker leaves behind.
Until now, the only way to spot when a hacker had attacked your system was to build up a database of known attacks, or 'signatures', and use them to spot when a similar hack was taking place. This method is still used in Network Associates' CyberCop range, whose latest version includes 520 signatures of known hacks. CyberCop scans user activity on a network by comparing it to the database of attacks. If it finds a signature that matches, it sounds a hacker alert.
There are around eighteen other hacker detection products on the market, and they are all based on signatures. But IBM's Zurich research labs are developing a new model which ignores digital signatures altogether - despite the general public's growing respect for them.
Marc Dacier, manager of IBM's Global Security Analysis Laboratory in Zurich, explained: "We have developed a prototype called Daemon-Watcher, using IBM's Teiresias algorithm. It compares user behaviour to normal software usage, rather than to a list of known attacks."
By turning the model on its head and looking at the norm, not the exceptions, IBM avoids the need to update its databases with profiles of every new attack. "It's extremely difficult to update signature-based software quickly enough with the latest attacks," added Dacier.
Security Product Specialist at Network Associates UK, Martin Brown, disagreed: "We don't regard the upgrade angle as being an issue for our signatures. CyberCop Scanner 2.5 delivers its updates online, so you don't need to keep buying new software." But Brown could not say how long it takes for a new attack to be added to the update.
It certainly takes longer to detect a hack than a virus, because viruses are spread between machines and they usually crash them. Sooner or later someone will report the fault - sometimes just a few hours after its invention. But hacks can steal information from a single system and remain undetected.
IBM's Daemon-Watcher learns patterns of normal behaviour by monitoring processing activity, until it has extracted every possible combination of normal use. These strings are stored in a database. When in detection mode, any behaviour that is not in the table triggers a security alert.
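The contrast between the two models can be shown in a short sketch. This is an added example, not IBM's Daemon-Watcher code and not the Teiresias algorithm: fixed-length sliding windows stand in for Teiresias's pattern discovery, and the event names, traces and the signature `sig-001` are constructed for illustration.

```python
WINDOW = 3  # assumed window length; not a value from the article


def windows(trace, n=WINDOW):
    """Return every contiguous run of n events in a trace, as tuples."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def learn_normal(training_traces, n=WINDOW):
    """Learning mode: build the table of every window seen in normal runs."""
    table = set()
    for trace in training_traces:
        table.update(windows(trace, n))
    return table


def detect_anomalies(trace, table, n=WINDOW):
    """Detection mode: (position, window) for each window absent from the table."""
    return [(i, w) for i, w in enumerate(windows(trace, n)) if w not in table]


def match_signatures(trace, signatures):
    """Signature mode: names of known-attack sequences that occur in the trace."""
    return [name for name, sig in signatures.items()
            if tuple(sig) in windows(trace, len(sig))]


# Constructed sample data: events emitted by one monitored program.
NORMAL_RUNS = [
    ["open", "read", "close", "accept", "read", "write", "close"],
    ["open", "read", "close", "accept", "read", "read", "write", "close"],
]
SIGNATURES = {"sig-001": ["read", "exec", "socket"]}  # one known attack
KNOWN_ATTACK = ["open", "read", "close", "accept", "read", "exec", "socket", "write"]
NOVEL_ATTACK = ["open", "read", "close", "accept", "read", "chmod", "write", "close"]
# Legitimate behaviour that never appeared during learning (false-alert case).
LEGIT_UNSEEN = ["open", "read", "close", "accept", "read", "read", "read", "write", "close"]

if __name__ == "__main__":
    table = learn_normal(NORMAL_RUNS)
    for label, trace in [("known", KNOWN_ATTACK), ("novel", NOVEL_ATTACK),
                         ("legit-unseen", LEGIT_UNSEEN)]:
        print(label, match_signatures(trace, SIGNATURES),
              detect_anomalies(trace, table))
```

The novel trace matches no signature but produces three windows missing from the table, while the legitimate-but-unseen trace also raises an alert, which is why the learning phase has to cover every combination of normal use.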
The field of behavioural research has been around for fifteen years, despite its novelty as a commercial product. In particular, it has been assessed for military use by scientists at Stanford Research Institute, with their Nides prototype.
But Dacier stressed that even within behavioural research, Daemon-Watcher forges new ground. "Military applications have focussed on the behaviour of users, but in a war situation, people's behaviour changes and you get false alerts. Daemon-Watcher gets around this by looking at software behaviour, not human behaviour."
Dacier is convinced that using the combined properties of the Teiresias algorithm is a unique approach to the problem.
But despite IBM's efforts, digital signatures will remain the norm for the time being, as they are the only technology for detecting intruders currently on the market. US start-up, FutureVision, which boldly asserted earlier this year that network attacks of the future would be based on quantum theory, has gone underground. Its idea was largely ridiculed by the IT industry and, six months later, FutureVision is no longer contactable. Even Daemon-Watcher will not launch for a year or two.
"We haven't yet decided on our ideal market," said Dacier. "It could be packaged in a number of ways."
So for the moment, compiling signatures from previous attacks looks like being the only way to stop your systems being hacked. But even though governments have embraced digital signatures as the answer to all their ecommerce dilemmas, don't be blinded into thinking that they are an ideal form of security.
Digital signatures are merely the best we can do at the moment - both as an encryption tool for ecommerce and for detecting hackers.
Keep your eyes open, as a model for greater efficiency is already appearing on the horizon.