Enhancing Bro for Operational Network Security Monitoring in Scientific Environments

Principal Investigator(s): 
Robin Sommer, Vern Paxson, Adam Slagell

Bro logoIn collaboration with the National Center for Supercomputing Applications at the University of Illinois at Urbana-Champaign, researchers are improving the Bro Intrusion Detection System, an open-source network monitoring framework originally developed by Networking Group researcher and UC Berkeley Professor Vern Paxson. Development of the system is led jointly by Paxson and Robin Sommer. It monitors networks at major universities, large research labs, supercomputing centers, and open–science communities around the country. Many of these networks have tens of thousands of systems each, and some have up to 100,000. In this project, researchers are working to unify and modernize the Bro code base, to improve its performance capabilities to deal with large-scale networks, and to improve its integration into operational deployments.

Bro provides users with a custom domain-specific scripting language to express their local monitoring policy. It differs from other systems in that it performs deep, semantic analysis and examines the development of a network over time — for example, tracking the Web sites a host has contacted. Bro is not restricted to any particular analysis approach, as most other systems are. Traditionally, signature-based systems compare observed activity against a set of low-level patterns known to indicate malicious activity; and anomaly detection systems compare new activity against an automatically learned profile of benign traffic, flagging what does not match as potentially malicious. Such systems have difficulty protecting large networks, in which traffic is diverse and the characteristics of both attacks and normal activity are constantly changing. Bro addresses this challenge by enabling users to tailor its analysis to the specifics of the local environment.

Bro has been in use at the Lawrence Berkeley National Laboratory since the late 1990s, and is now used in a growing number of networks, particularly in scientific environments.

Funding provided by NSF grant 1032889, SDCI Sec Improvement: Enhancing Bro for Operational Network Security Monitoring in Scientific Environments.