Dartmouth News

Two Dartmouth engineering students work to increase computer security

Posted 10/15/01

Two Ph.D. candidates at Dartmouth's Thayer School of Engineering are working with the Institute for Security Technology Studies at Dartmouth to help computer network administrators better assess risks to the security of their networks, and defend against those risks. While Daniel Bilar tries to create a computer program that will determine a computer network's weaknesses, Daniel Burroughs is concentrating on detecting simultaneous attacks on multiple networks, and responding to the attacks.

The new tool Daniel Bilar is working on will assess a computer network's risk of falling prey to security leaks, internet service attacks and other exploitations.

"When engineers design a nuclear power plant, they have formulas to calculate the probability that a certain type of accident, like a core meltdown, will happen, given the design of the reactor. They adjust their contingency plans and resources accordingly. This does not exist in computer networks," said Bilar. Corporate executives and city managers deploy networks without realizing the risks they incur by running different machines with various software programs. With Bilar's proposed software, which is still being designed, risk will be expressed in quantifiable terms, such as the expected loss, in dollars and in down time, and in other values of interest to the network manager.

Most computer network research is reactive: it concerns tackling problems after an intrusion has taken place or files have been deleted. Bilar's program, called a Delphic Tool after the Oracle of Delphi, is predictive. "It provides a status report on the network, and it's in place before an attack occurs. Ideally, this should help you prevent going to the reactive state."

For his research, Bilar brings together the principles of risk analysis, network security and software reliability. The fusion creates a concept he calls QRSA, Quantitative Security Risk Analysis. It evaluates vulnerability and risk, and then proposes a strategy to minimize that risk with its associated costs.

"My work consists mainly of implementing mathematical, probability and statistical algorithms and of building a comfortable user interface through software."

Bilar thinks that the risk management component might be the most valuable, because it provides risk-reducing options. "You can say 'I have this amount of money to spend, how should I invest it in order to optimally reduce the risk?' If you have 20 networks to take care of - and you're in charge of allocating resources - up till now, you had to do it by the seat of your pants. With this tool, you can go to your boss and say 'here's how we should spend our money and this is why.'"

In December, Bilar will present his groundbreaking work at the annual meeting of the Society of Risk Analysis in Seattle, Wash. The society previously concerned itself with risks to human health and the environment. According to Bilar, his presentation at the conference will mark the first time computer network risk analysis will be on the program. He hopes to have a preliminary version of his program ready for testing by mid-December, and he will defend his dissertation next spring to earn his Ph.D.

Bilar's research is supported by the U.S. National Institute of Justice and the Defense Advanced Research Projects Agency, the central research and development organization for the U.S. Department of Defense. Originally from Switzerland, he received his undergraduate degree in computer science from Brown University. He earned a master's in Operations Research at Cornell University.

Daniel Burroughs is working to create a program that will monitor intrusion attempts in a group of computer networks, collect and analyze the reports generated, and detect the activities of trespassers.

"On networks, there are intrusion detection systems that look at what's happening on your network, and try to figure out either if someone is trying to break in or has already broken in," said Burroughs. "I'm taking the reports generated from these intrusion sensors and comparing the data across many different networks to find patterns of activity." From this, he will be able to find evidence of attacks before problems escalate.

Why is this coordinated strategy useful? The Internet has been prone to "distributed denial of service" attacks, where a person gains control of hundreds or thousands of computers. Then these "zombie" computers are triggered to clog an Internet site at a pre-determined time or with a pre-programmed command. It's difficult to notice this mischievous or malicious activity in advance because it's spread out over time and over many computers on many networks.

"One of the goals of my work is to detect the zombie collecting phase when the person is initially going in to get control of the computers, long before they launch the distributed denial of service," said Burroughs.

Burroughs thinks that the most significant aspect of his research is the general shift from a network-centered view of security to an attacker-centered view across many networks. This provides a broader picture of the activities of an attacker moving across many networks.

"It's all about pattern recognition. We design a model of what we think an attacker's behavior would look like depending on their motivation - what they're going after - and then look for the pattern in the reports." Burroughs' program will be most effective with large groups of related networks, like those used by international corporations, government or municipal infrastructure.

Two related methods of information gathering and interpreting, both with roots in the military, are instrumental in Burroughs' research. The first is the Information Warfare Theory where individual battlefield reports contribute to the overall picture, and this information then circles back to adjust the initial information gathering strategy. The second is called Bayesian Multiple Hypothesis Tracking, which is based on radar systems. Because radar sweeps only provide periodic, patchy information over time, predictions about what's happening are continually refined as information comes in.

"So, when interpreting the reports from your sensors in the networks, you can apply the two concepts in order to develop better situational awareness of your computer security, and you will be able to quickly detect when there is an anomaly."
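The mechanics described above, collecting intrusion-sensor reports from many networks, scoring each source against a model of attacker behaviour, and refining that score as further reports arrive in the style of multiple hypothesis tracking, can be illustrated in a few dozen lines. The Python below is an added example for this page, not Burroughs' system or any code from the Institute. It keeps two hypotheses per source address, "recruiting" (the zombie-collecting phase discussed earlier) and "benign", and updates the odds between them with each report; the prior, the likelihood tables and the sample reports are all constructed, and the source addresses come from the documentation ranges. It also contrasts the attacker-centred view across networks with the network-centred view that scores each network's reports in isolation, which is the point made about the shift in perspective.

```python
"""Cross-network correlation of IDS reports with a sequential Bayesian score
(added example, not Burroughs' system).

For each source address we track the odds of two hypotheses,
  H1: the source is recruiting hosts across networks
  H0: the source is benign or ordinary background noise,
and multiply the odds by a likelihood ratio for every report.  Appearing on a
network the source has not touched before is treated as extra evidence, which
is exactly what a single-network sensor cannot see.  All values constructed.
"""
from collections import defaultdict

PRIOR_RECRUIT = 0.05        # constructed prior P(H1) for an unseen source
ALERT_THRESHOLD = 0.90      # posterior at which a source is reported
WATCH_THRESHOLD = 0.50      # posterior at which sensors should pay closer attention

# (P(event | recruiting), P(event | benign)) -- constructed likelihoods
EVENT_LIKELIHOOD = {
    "port_scan":       (0.50, 0.10),
    "exploit_attempt": (0.30, 0.02),
    "login_failure":   (0.20, 0.30),
}
# Likelihood that a source shows up on a network it has not been seen on yet.
NEW_NETWORK_LIKELIHOOD = (0.80, 0.20)

# Constructed sensor reports: (timestamp, network, source address, event type).
REPORTS = [
    (1, "netA", "203.0.113.7", "port_scan"),
    (2, "netA", "198.51.100.22", "login_failure"),
    (3, "netB", "203.0.113.7", "port_scan"),
    (4, "netB", "198.51.100.22", "login_failure"),
    (5, "netC", "203.0.113.7", "exploit_attempt"),
    (6, "netA", "198.51.100.22", "login_failure"),
]


def posterior_from_odds(odds: float) -> float:
    return odds / (1.0 + odds)


def track_sources(reports, prior: float = PRIOR_RECRUIT):
    """Process reports in time order; return {source: (P(recruiting), networks seen)}."""
    odds = defaultdict(lambda: prior / (1.0 - prior))
    seen = defaultdict(set)
    for _, net, src, event in sorted(reports):
        p_r, p_b = EVENT_LIKELIHOOD.get(event, (1.0, 1.0))   # unknown event: uninformative
        lr = p_r / p_b
        # A source's first network carries no spread information; later new ones do.
        if seen[src] and net not in seen[src]:
            n_r, n_b = NEW_NETWORK_LIKELIHOOD
            lr *= n_r / n_b
        seen[src].add(net)
        odds[src] *= lr
    return {src: (posterior_from_odds(o), frozenset(seen[src])) for src, o in odds.items()}


def flagged_sources(reports, threshold: float = ALERT_THRESHOLD):
    """Sources whose posterior crosses the alert threshold (attacker-centred view)."""
    return sorted(src for src, (p, _) in track_sources(reports).items() if p >= threshold)


def watchlist(reports, threshold: float = WATCH_THRESHOLD):
    """Feedback to the sensors: sources worth closer monitoring and where they were seen."""
    return {src: sorted(nets) for src, (p, nets) in track_sources(reports).items()
            if p >= threshold}


def per_network_view(reports):
    """Network-centred view: each network scores only its own reports."""
    by_net = defaultdict(list)
    for r in reports:
        by_net[r[1]].append(r)
    return {net: {src: p for src, (p, _) in track_sources(rs).items()}
            for net, rs in by_net.items()}


if __name__ == "__main__":
    for src, (p, nets) in track_sources(REPORTS).items():
        print(f"{src:15} P(recruiting)={p:.3f} networks={sorted(nets)}")
    print("flagged:", flagged_sources(REPORTS))
    print("per-network maxima:",
          {net: round(max(scores.values()), 3) for net, scores in per_network_view(REPORTS).items()})
```

On the constructed reports the scanning source reaches a posterior of about 0.997 after its third report and is flagged, while the source with a few login failures stays near 0.06. Scored one network at a time, no source on any network gets above 0.5, so the same evidence produces no alert in the network-centred view. The threshold values and likelihood tables would in practice be fitted from observed sensor data rather than chosen by hand as here.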

Burroughs hopes to have a preliminary version of his program ready for testing when he defends his dissertation next spring to earn his Ph.D. He is supported by the National Science Foundation and the U.S. National Institute of Justice.


Last updated: 08/20/03