methods may spot intruders
Technology Research News
The key to detecting uninvited visitors
is recognizing them.
This gets difficult in crowded situations, like large networks,
because there is a lot of normal traffic, or noise, that can cover an
intruder's comparatively quieter signal. What's even more difficult, however,
is detecting a new type of intrusion the first time it happens. Essentially
what's needed is a way to detect what you don't know you're looking for.
Researchers from the University of South Carolina have tapped the methods
of nuclear experiments to map network traffic and extract patterns of
typical network behavior. When scientists looking into the makeup of matter
cause nuclear particles to collide, hundreds of detectors monitor every
facet of the complicated reaction to capture any slight deviation that
may point to an unknown phenomenon.
Analyzing network traffic data this way makes it easier to tease out deviations
that point to known network intruders, said Vladimir Gudkov, a physics
research professor at the University of South Carolina. "If... almost
complete monitoring and data collection [of nuclear events] is possible
in physics, why not try to find a way to do similar things in network
monitoring?" he said.
The research could also eventually be adapted to the really difficult
problem of detecting new methods of intrusion as they are happening, said
Gudkov. "We have an opportunity to detect even unknown intrusions in the
reconnaissance stage of an attack," he said.
When a file is transmitted over a network it is first broken up into many
small packets, which traverse the network using whatever route is available
and are reassembled when they arrive at their destination.
To closely monitor a network, the researchers track all the properties
of these packets, including how they change over time. Routers, the specialized
computers that control traffic around the Internet, put time stamps and
other marks on the packets. The advantage of using this time-dependent
information is it provides a complete description of the process. "This
is exactly what we need for reliable numerical analysis," Gudkov said.
The researchers translate this information into mathematical functions
in order to use the complex systems theory that physicists use to extract
information from large, changing sets of data, said Gudkov.
The method captures raw data from a network node, then on a separate system
plots the mathematical functions in two- or three-dimensional imaginary
space, and uses pattern recognition to find deviant signals. The result
is an "ability to optimize signal-to-noise ratio and to analyze signals
in real-time," Gudkov said.
This makes the faint tracks of an intruder more apparent. "The basic idea
is to define the normal network behavior using the complete network monitoring.
The deviation from the normal traffic behavior will give an alert for
possible... intrusions," he said.
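The monitor-then-flag-deviations idea described above, as an added illustration that is not code from the researchers: constructed time-stamped packets from one node are mapped to points in a three-dimensional parameter space (packet rate, mean packet size, spread of inter-arrival times), a baseline of normal behavior is fitted from quiet windows, and windows that sit far from that baseline in standardized distance are flagged. The synthetic traffic, the window width and the three chosen features are assumptions.

```python
import math
from statistics import mean, pstdev

def synthetic_traffic():
    """Constructed sample: (timestamp_seconds, packet_bytes) from one node.
    Ten minutes of jittered ~1 pkt/s traffic, then a burst of tiny packets
    arriving every 50 ms (a scan-like deviation). Hypothetical data only."""
    pkts, t = [], 0.0
    for i in range(600):
        t += 1.0 + 0.3 * math.sin(i)            # jittered inter-arrival time
        pkts.append((t, 500.0 + 50.0 * math.cos(i / 7)))
    for _ in range(400):
        t += 0.05
        pkts.append((t, 60.0))
    return pkts

def _features(bucket, width):
    """One point in parameter space: (pkts/s, mean size, std of gaps)."""
    gaps = [b[0] - a[0] for a, b in zip(bucket, bucket[1:])]
    return (len(bucket) / width,
            mean(size for _, size in bucket),
            pstdev(gaps) if gaps else 0.0)

def window_features(pkts, width=30.0):
    """Slice the time-stamped stream into fixed windows and map each window
    onto a point, i.e. the time-dependent 'function' the text refers to."""
    points, start, bucket = [], pkts[0][0], []
    for ts, size in pkts:
        if ts - start >= width:
            points.append(_features(bucket, width))
            start, bucket = ts, []
        bucket.append((ts, size))
    if len(bucket) > 1:
        points.append(_features(bucket, width))
    return points

def fit_baseline(points):
    """Normal behavior: per-dimension mean and std of known-quiet windows."""
    return [(mean(d), pstdev(d) or 1e-9) for d in zip(*points)]

def deviation(point, baseline):
    """Euclidean distance in z-score coordinates from the normal region."""
    return math.sqrt(sum(((x - m) / s) ** 2
                         for x, (m, s) in zip(point, baseline)))

def flag_anomalies(points, baseline, threshold=10.0):
    """Indices of windows whose deviation exceeds the alert threshold."""
    return [i for i, p in enumerate(points) if deviation(p, baseline) > threshold]

if __name__ == "__main__":
    pts = window_features(synthetic_traffic())
    base = fit_baseline(pts[:15])                # first 15 windows are quiet
    print("anomalous windows:", flag_anomalies(pts, base))
```

The baseline is fitted only on windows known to be quiet; in practice that training set has to be chosen with care, since any intruder activity mixed into it becomes part of "normal".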
In plotting the signals the researchers also found something surprising:
some of the ways information flows in these imaginary spaces are independent
of how a network is laid out and what system software the computers are
running. "This looks natural [to] me now, but some months ago we did not
even suspect that... characteristics like the dimension of information
flow in the parameter space are... not sensitive to network topology [or]
operating systems," Gudkov said.
The researchers are working on a test model of a system that will detect
known intrusions as they are happening, said Gudkov. If the research goes
as expected, a model for detecting unfamiliar types of intrusions could
be available within a year, and a practical working system a couple years
after that, Gudkov said.
The researchers are also working on finding a way to detect unfamiliar
intrusions by analyzing all the data rather than just looking for known
intrusion patterns. The challenge is finding a method of pattern recognition
that will work in real-time data plotted in imaginary spaces that have
more than three dimensions, according to Gudkov. "The next step for this
is the study of multidimensional pattern recognition methods based on
wavelet analysis," he said. Wavelets are a form of compressed data.
The researchers' idea of modeling network traffic characteristics as functions
is an interesting one, but "the question of whether such a view is meaningful,
or if it would lead to useful results," cannot be answered without testing
the method on real networks, said R. Sekar, an assistant professor of
computer science at the State University of New York at Stony Brook.
It is also difficult to predict whether it will be possible to find unfamiliar
intrusions this way, according to Anita Jones, a professor of engineering
and applied science at the University of Virginia. "Any mathematical approach
depends upon detecting some properties that distinguish the intrusive
traffic from normal traffic. Just as in real life, what is harmful can
often be masked to appear benign. Such traffic can sometimes be very hard
to distinguish from normal traffic," she said.
Gudkov's research colleague is Joseph E. Johnson of the University of
South Carolina. The research was funded by the Defense Advanced Research
Projects Agency (DARPA) and the Air Force Research Laboratory.
Timeline: 3 years
TRN Categories: Networking; Internet
Story Type: News
Related Elements: Technical paper, "New Approach for Network
Monitoring and Intrusion Detection," posted on the arXiv physics archive