PNNL-13501 - Pacific Northwest National Laboratory
Study Control Number: PN00060/1467<br />
Interactive Network Traffic Modeling<br />
Newton Brown<br />
The Department of Energy has an urgent requirement for technology to protect its computer networks and information<br />
systems. Neither current technology nor the computer security industry offers adequate capabilities for the level of cyber<br />
protection expected of DOE.<br />
Project Description<br />
The computer and network intrusion detection research field is in its infancy. It is driven by emerging electronic commerce, the Internet, and highly publicized, ever-increasing attacks by computer hackers. A total intrusion protection capability does not exist and is unlikely in the near future. Most, if not all, commercial and shareware intrusion detection solutions report on only a small percentage of total network transactions, and chiefly those from external sources. These systems require highly skilled system administrators to configure and operate them and to analyze the massive logs they can generate. They are labor-intensive, expensive, rigid, and slow. Network traffic is dynamic, and the rate at which its volume increases is accelerating. Today's intrusion detection technology, built on static, signature-based configurations, cannot adapt to change in an automated way: to respond to changing conditions, the system administrator must study massive logs and then reconfigure the tools manually.<br />
The interactive network traffic modeling hypothesis seeks to enhance the infrastructure for the next generation of intrusion detection capabilities, which will include real-time display of sniffer data in the form of interactive visual and textual models. These models will be able to adjust sniffer collection parameters dynamically, based on network conditions and on decisions made by analysis tools running on top of the models. Altering collection parameters in response to model changes will allow finer detection granularity, a larger number of detected incidents, and more efficient use of skilled system administrators, who are costly and in short supply.<br />
The most important aspect of intrusion detection is the ability to capture compromising activity at the time it occurs. In today's environment, organizations assume significant risk by letting any single intrusion event go undetected. Security breaches can have a profound effect on a company's bottom line and reputation. In the case of DOE, the event could be a compromise of national security information associated with nuclear weapons.<br />
160 FY 2000 <strong>Laboratory</strong> Directed Research and Development Annual Report<br />
Introduction<br />
Within the domain of intrusion detection sensors, this research focuses on new technologies to improve data collection in both quality and quantity. First, automated control of dynamic sensors provides the capability to alter collection parameters on the fly in reaction to events. Second, for the information display component, the research focuses on displaying more data, more rapidly, in a form the analyst can readily comprehend. Third, for the real-time capture component, the research investigates detection methods suited to real-time processing. Integrating these three components will form a tightly coupled system that operates during the data collection process. Thus, this project is creating interactive, intelligent models that control the collection and dissemination of data for intrusion detection sensor systems and other analysis tools.<br />
For intrusion detection sensors, the goal was to encapsulate standard network sniffers with the intelligent agent technology created in the Internet Technology Library for the Internet characterization tool, presentation server, and flash ROM projects. Advances in software agent technology specific to intrusion detection sensors were used to interface with network sniffers and create sniffers that can be modified, moved, and controlled at run time. This allows the small window of data that can be seen and processed to be moved dynamically and adjusted directly in response to defined events and thresholds. The agent event engine can focus collection automatically on specific events, based on actions or stimuli that it detects or that the analyst defines. Agent technology will also allow more complex filters that weed out noise and permit more targeted data collection.
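The following is an added illustration of the control loop the three components above describe (a model built from sniffer data, a decision made on top of it, and the sniffer's collection parameters adjusted in response); it is not code from the PNNL project or the Internet Technology Library. The sensor class, the port-count threshold, the cooldown, and all packet records are constructed for the example. The agent starts in broad, sampled header collection; when one source touches more distinct ports than the analyst-set threshold within a window, it narrows the filter to that source and switches to full-payload capture, and it relaxes back to broad collection once the source goes quiet.<br />

```python
"""Adaptive sniffer agent: a constructed illustration, not the PNNL project's code.

Broad 1-in-N sampled header collection by default; a per-source model of distinct
destination ports drives a threshold decision that narrows the capture filter and
raises granularity, then relaxes it after a quiet period. Traffic is constructed.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    ts: float            # seconds since capture start
    src: str
    dst: str
    dport: int
    payload: bytes = b""


@dataclass
class CollectionParams:
    """Run-time sniffer parameters the agent is allowed to change."""
    focus_src: Optional[str] = None   # None: collect from all sources
    sample_every: int = 10            # keep 1 in N packets when unfocused
    full_payload: bool = False        # headers only unless focused


def headers_only(pkt: Packet) -> Packet:
    return Packet(pkt.ts, pkt.src, pkt.dst, pkt.dport, b"")


@dataclass
class AdaptiveSensor:
    port_threshold: int = 5     # distinct dports from one source within window (assumed)
    window: float = 10.0        # seconds the per-source model remembers
    cooldown: float = 30.0      # quiet seconds before focus is released
    params: CollectionParams = field(default_factory=CollectionParams)
    captured: list = field(default_factory=list)   # packets the sniffer kept
    events: list = field(default_factory=list)     # (action, ts, src) decisions
    _ports: dict = field(default_factory=lambda: defaultdict(set))
    _first_seen: dict = field(default_factory=dict)
    _last_focus_hit: float = 0.0
    _counter: int = 0

    def _update_model(self, pkt: Packet) -> None:
        # Sliding-window textual model the decision logic runs on top of.
        start = self._first_seen.setdefault(pkt.src, pkt.ts)
        if pkt.ts - start > self.window:
            self._ports[pkt.src].clear()
            self._first_seen[pkt.src] = pkt.ts
        self._ports[pkt.src].add(pkt.dport)

    def _maybe_refocus(self, pkt: Packet) -> None:
        p = self.params
        if p.focus_src is None:
            if len(self._ports[pkt.src]) >= self.port_threshold:
                # Threshold crossed: narrow the filter and collect everything.
                self.params = CollectionParams(pkt.src, 1, True)
                self._last_focus_hit = pkt.ts
                self.events.append(("focus", pkt.ts, pkt.src))
        elif pkt.ts - self._last_focus_hit > self.cooldown:
            # Focused source went quiet: back to broad, sampled collection.
            self.events.append(("relax", pkt.ts, p.focus_src))
            self.params = CollectionParams()

    def observe(self, pkt: Packet) -> bool:
        """Feed one packet to the agent; return True if the sniffer kept it."""
        self._update_model(pkt)
        self._maybe_refocus(pkt)
        p = self.params
        if p.focus_src is not None:
            if pkt.src != p.focus_src:
                return False          # noise outside the focus is filtered out
            self._last_focus_hit = pkt.ts
            self.captured.append(pkt if p.full_payload else headers_only(pkt))
            return True
        self._counter += 1
        if self._counter % p.sample_every == 0:
            self.captured.append(headers_only(pkt))
            return True
        return False


def constructed_traffic() -> list[Packet]:
    """Constructed sample: ordinary web traffic plus one host sweeping 7 ports."""
    pkts = [Packet(i * 0.5, f"10.0.1.{10 + i % 4}", "10.0.2.5",
                   443 if i % 2 else 80, b"GET /") for i in range(40)]
    pkts += [Packet(5.0 + j * 0.5, "10.0.0.99", "10.0.2.5", port, b"SYN")
             for j, port in enumerate([21, 22, 23, 25, 80, 110, 143])]
    pkts += [Packet(40.0 + i, f"10.0.1.{10 + i % 4}", "10.0.2.5", 80, b"GET /")
             for i in range(20)]
    return sorted(pkts, key=lambda p: p.ts)   # stable sort: background first on ties


def run_demo() -> AdaptiveSensor:
    sensor = AdaptiveSensor()
    for pkt in constructed_traffic():
        sensor.observe(pkt)
    return sensor
```

Running run_demo() on the constructed traffic produces a "focus" decision at the scanner's fifth port (t = 7.0 s) and a "relax" decision at t = 40.0 s, once the scanner has been silent for longer than the cooldown; of 67 packets the sniffer keeps 6, and the only full-payload records are the three scanner packets seen while focused, while ordinary web traffic during the focus window is dropped as noise. The point a practitioner should take from it is the control structure, not the toy threshold: the decision logic never touches the raw packet stream directly, only the model and the CollectionParams, which is what lets an analyst's rule or an analysis tool drive the sniffer in the same way.<br />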