A computer system designed by UCSB researchers may make computer network intrusion as easy to detect as computer viruses – once it is implemented in the next five to 10 years.
Giovanni Vigna, Richard Kemmerer and Kevin Almeroth have developed an intrusion detection system for computers and networks at the Department of Defense. The product remains unpolished for now, but a commercial version of the program may be available in the near future.
The system – based on research done by Kemmerer in 1990 on State Transition Analysis Technique (STAT) – models computer attacks as a series of steps, Vigna said
“By modeling an attack, you can also recognize them. It’s like a recipe, only, instead of following the recipe, you’re watching somebody doing something,” he said. “If it matches your recipe, ‘Oh, this guy is doing a chocolate cake,’ and instead of doing that you say ‘Oh, this guy’s breaking into my system,’ because they’re following the classic steps one would follow to break into a system.”
Built around this concept is a system of “sniffers,” that watch activity in the network or computer and gather data.
“All of these little pieces of evidence are put together,” Vigna said. “And the system tries to recognize ‘Oh, look, the fact that she opened the e-mail message, the e-mail message started a Java program that actually went to the address book and started sending e-mail to the weirdest people, that’s probably a virus.”
The program itself, however, is not anti-virus and catches different types of attacks, Kemmerer said.
Network attacks, Almeroth said, are somewhat like viral infections or warfare.
“The offensive side develops new techniques for which our current defenses don’t work so well. We react and improve the defenses. They react and improve the offensive techniques or develop new ones,” he said. This cycle is repeated forever.”
The project has been funded for the past six years by the Department of Defense through a program known as the Advanced Research Projects Agency (ARPA), Kemmerer said. Although the military is funding the research, the program is available for free on the Web.
“If someone is using it, we don’t know, because they can download it from the network and use it. I have no idea how many downloads there have been,” Vigna said.
The team released several pieces of software last September that could be used for an intrusion detection system, Kemmerer said, but they are not ready.
“They’re still not products, in the sense that they’re packaged and people can go out and buy them,” he said.
Almeroth said the two main stages to create a viable piece of software are getting it to work, and then developing a piece of software that can work broadly and meet a variety of conditions.
Those conditions have been changing rapidly, Vigna said.
“One big problem that wasn’t a problem even a year ago is people with DSL and cable connections,” he said. “When you connect through the phone, no one would care about your system and try and break in, because the advantage would be almost nothing.”
The faster connection also makes it more difficult to monitor, Kemmerer said.
“Once you start sending [data] much faster, the problem becomes hard,” he said. “One of these research problems is how we can deal with a pipe that’s this big when before it was a pipe that’s that big.”
The program may be standard relatively soon, Kemmerer said.
“I think a reasonable guess would be probably five, 10 years,” he said. “Five years ago, it wasn’t standard to have virus software, but now everybody has it. Intrusion detection software will be the same. It will come packed with your system, just like anti-virus software is now.”
