Featured Research: Tailoring Internet Security

With relentlessly growing Internet traffic, it has never been more difficult to detect and stop malicious network incursions. Networking Group researcher Robin Sommer works to secure networks from attacks — a concern that President Obama recently described as among "the most serious economic and national security challenges we face as a nation."

Sommer's work spans the gap between academic research and the protection of real computer networks through programs like Bro, an open-source network monitoring framework that helps defend networks against attacks.

BRO

Bro was originally developed by Networking Group researcher Vern Paxson, and the project is now led jointly by Paxson and Sommer. Bro provides users with a custom domain-specific scripting language to express their local monitoring policy. It differs from other systems in that it performs deep, semantic analysis and examines the development of a network over time — for example, tracking the Web sites a particular host has contacted. Bro is not restricted to any particular analysis approach, as most other systems are. Traditionally, signature-based systems compare observed activity against a set of low-level patterns known to indicate malicious activity; and anomaly detection systems compare new activity against an automatically learned profile of benign traffic, flagging what does not match as potentially malicious. Such systems have difficulty protecting large networks, in which traffic is diverse and the characteristics of both attacks and normal activity are constantly changing. Bro addresses this challenge by enabling users to tailor its analysis to the specifics of the local environment.

Bro has been in use at the Lawrence Berkeley National Laboratory since the late 1990s, and is now used in a growing number of networks, particularly in scientific environments. Last year, it was downloaded by about 5,000 unique IP addresses, and it now monitors networks at major universities, large research labs, supercomputing centers, and open-science communities. Many of these networks have tens of thousands of systems each — and some have as many as 100,000.

PUBLICATION AND PRACTICE

But, Sommer points out, often there is a gap between the systems that are effective in large, practical settings and the findings that are published in academic papers. Sommer believes this may be because many research groups lack ties to practical operations — at universities, network administration "is usually a totally different part of the university, and it can be challenging to build a fruitful relationship." Collaborations between researchers and operations take time to develop, and researchers sometimes underestimate the impact of operational reality on their work.

"Generally, I'm always trying to bridge that gap between laboratory research and real-world operations," he says.

As an undergraduate at the University of Paderborn in Germany, Sommer worked as a systems administrator in the computer science department. He then worked in Professor Anja Feldmann's networking research group, initially at the University of Saarbrücken and later at the Technical University of Munich, where Sommer and his colleagues collaborated closely with network administrators, who provided context about the network's traffic and crucial feedback on their research. In exchange, the group helped improve security.

"There is a give and take that is important," Sommer said. "That usually works well for both sides."

Sommer has continued to work with operations departments while at ICSI, where Networking Group researchers led by Paxson work closely with systems administrators to monitor the Institute's network. In addition, Paxson's long-standing ties to operations at the Lawrence Berkeley National Laboratory have been an asset for the group — Sommer works with the Lab's cyber-security group on a daily basis. Bro monitors the Lab's network, allowing the group to use the data gathered from monitoring for research and to try out improvements to the system.

IMPROVING PERFORMANCE

For example, the lab was the first to use Bro on a cluster of computers to monitor its network traffic. A custom high-performance frontend system looks at all network traffic and then divides it across several standard PCs so that a large volume of traffic can be analyzed simultaneously. The process allows networks with tens of thousands of systems to be monitored by inexpensive machines.

In order to divide traffic without sacrificing performance, the researchers had to find a way to flag attacks that span more than one machine. In other words, each machine in the cluster has to share not just alerts of attacks, but also the underlying analysis leading to the alert.

The cluster approach was first proposed in 2007 by Sommer and several colleagues from ICSI, LBNL, and the Technical University of Munich. It has since become a standard method for network intrusion detection systems, like Bro, in research environments.

The next step for Sommer is to make Bro more user-friendly. "[Bro] is turning into a product in that it's becoming much more widely used," he said.

But Bro is decidedly not a commodity product; it was designed as a research platform. Users need to have a high level of technical expertise in order to define their policies in Bro's scripting language — and widespread use can become problematic to support for a small group from a non-profit research institute. "We had trouble keeping up with users' demands," said Sommer.

He recently began working with the National Center for Supercomputing Applications at the University of Illinois at Urbana-Champaign to increase Bro's capacity and make it more user-friendly. NCSA plans to use Bro to monitor its Blue Waters supercomputer, a machine that will be able to perform 10 quadrillion calculations every second and that will be housed in an 80,000 square foot building in Champaign, Illinois.

The three-year, $3 million NSF project will work to provide Bro users with easier access to the system's capabilities and detailed documentation. The work with NCSA is a major step forward, Sommer says: "For the first time, we have resources for engineering that go beyond our core research projects."

HILTI

Sommer is also leading an effort to simplify the implementation of network security programs, such as firewalls or intrusion detection systems. To build such a program, one often ends up writing a lot of low-level code that is difficult to get right — code that has already been written many times for other applications. "We keep reinventing the wheel," Sommer says. His new work is "an attempt at bundling low-level functionality that is needed over and over again into a high-level platform others can build on."

HILTI — a "high-level intermediary language for traffic analysis" — and the accompanying process provide high-level abstractions specific to the network monitoring field, such as tailored support for managing the memory that a program uses to remember observed activity. It also aims to provide a suitable concurrency model for running an analysis simultaneously on many processors. For an application like Bro, this has the potential to replace today's cluster installations with a single-machine setup. Multicore processing will allow the different security analyses to "communicate faster and more directly" than they do in the distributed system.

GEO-TAGS AND GLOBAL INFERENCE

For the past year, Sommer has worked with Speech Group researcher Gerald Friedland to examine how much people unintentionally reveal about themselves through their online activity. In a technical report published last May, the two explained how a criminal might use geo-tags — geographical information embedded in photos by certain cameras and smartphones — to easily locate where the photos were taken with startling accuracy, as close as a few feet. Sommer and Friedland looked at how a criminal might use information from multiple online sources — say, a photo of someone's bike posted to a classified ads site like Craigslist, along with the information that the seller is home only after 6 p.m. — to mount an attack in real life.

Sommer will continue to work with Friedland on understanding the risk of potential inference chains that correlate personal information across independent Web sites. Work is planned to incorporate speech and image recognition to link, for example, YouTube videos and online photos.

Sommer is also involved in monitoring the traffic of residential networks in Europe and rural India. He looks at broad trends like how many homes are infected and how many lines are browsing at any one time.

Monitoring networks in India has been particularly demanding because not only is the infrastructure so different from that in the U.S., but other unforeseen challenges have arisen. Internet service providers supply some customers with Internet service; these customers, in turn, supply other customers. In one area examined by Sommer and his colleagues, Internet service is occasionally interrupted by a group of monkeys that take down the line.