Hasta la vista, attacks
- By William Jackson
- Mar 17, 2004
Therminator program managers John McEachen, left, and David Ford say StealthWatch+Therminator visualization makes it easier to understand network traffic.
Government-bred Therminator melds physics and network monitoring
'We've been doing intrusion detection basically the same way for the last 20 years.'
A traffic analysis tool conceived by the National Security Agency and born at the Naval Postgraduate School has come of age in a commercial application.
Lancope Inc. of Alpharetta, Ga., has incorporated the government's Therminator tool into its flagship StealthWatch intrusion detection product.
Therminator applies thermodynamics principles to network traffic flow to identify anomalous behavior that might indicate an attack.
The Naval Postgraduate School in Monterey, Calif., licensed the technology to Lancope.
'They wanted to see it commercialized,' Lancope chairman John A. Copeland said. 'We're just going into evaluations' of the StealthWatch+Therminator product with government and commercial testers. 'We have had it since last spring on a number of government networks.'
Therminator applies the thermodynamic rules governing energy and equilibrium to the state of network traffic, as a physicist might analyze the state of a volume of gas.
'We're looking at communications on a network, and communications involves a source and a sink' much like energy in a gas, said John McEachen, director of the school's Reconfigurable Intrusion Detection and Deception Laboratory. 'Once you map it into that paradigm, it ports pretty directly.'
The new technique is necessary to keep up with more sophisticated attacks against networks, McEachen said. 'We've been doing intrusion detection basically the same way for the last 20 years,' looking for known signatures or anomalous traffic patterns.
Modern attacks, however, can change their spots and blend into acceptable traffic patterns, which makes them difficult to identify.
'We just can't use the same approaches today,' McEachen said.
Former NSA mathematician Dave Ford conceived the new approach and has since been assigned to the Naval Postgraduate School.
'I saw Dave's idea and thought it was ingenious,' McEachen said. 'I wanted to get some of my students involved.'
Ford had been working on the idea since 1998 and met McEachen in September 2000.
By that December three students, Navy lieutenants Stephen Donald and Daniel Ettlich and Marine Capt. Robert MacMillan, were developing the software at the school's Cebrowski Institute for Information Innovation and Superiority.
'In a matter of three months, they took Dave's idea from theory to application,' McEachen said.
In thermodynamics, the relationship of entropy (or unavailable energy) to temperature defines the state of a closed system. When that system is a network, entropy can be seen as an equilibrium of traffic between classes of senders and receivers. The volume of traffic replaces temperature. Using those principles, Therminator analyzes changes in the network's state.
'In a way, we're doing thermodynamics backward,' McEachen said, by absorbing large amounts of detail into a macro-level view. 'We're doing intelligent data reduction.'
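To make the mapping concrete, here is an added illustrative example; it is not Therminator or StealthWatch code, which the article does not show. Traffic in each time window is reduced to two numbers: a volume, standing in for temperature, and a Shannon entropy over sender-class/receiver-class pairs, standing in for entropy. A window whose entropy or volume departs sharply from the running baseline of earlier windows is reported as a change of state. The class labels, the sample windows, the thresholds and the flagging rule are all assumptions of this example, chosen to show the idea rather than to reproduce the product.

```python
"""Toy "thermodynamic" view of network traffic in the spirit of the
Therminator description above. Illustrative only: not the NPS or
Lancope implementation, whose classing rules are not described here."""
import math
from collections import defaultdict

# Constructed sample input: each window is a list of
# (src_class, dst_class, packets). Classes are coarse host groups:
# "int" = internal hosts, "ext" = external hosts, "dmz" = DMZ servers.
# Windows 1-3 and 5 are a balanced exchange; window 4 is a one-sided
# burst from outside to inside (the kind of shape a scan or flood has).
SAMPLE_WINDOWS = {
    1: [("int", "ext", 40), ("ext", "int", 40), ("int", "dmz", 10), ("dmz", "int", 10)],
    2: [("int", "ext", 42), ("ext", "int", 38), ("int", "dmz", 10), ("dmz", "int", 10)],
    3: [("int", "ext", 39), ("ext", "int", 41), ("int", "dmz", 11), ("dmz", "int", 9)],
    4: [("ext", "int", 290), ("int", "ext", 5), ("int", "dmz", 3), ("dmz", "int", 2)],
    5: [("int", "ext", 40), ("ext", "int", 40), ("int", "dmz", 10), ("dmz", "int", 10)],
}


def window_state(flows):
    """Reduce one window of flows to (volume, entropy).

    volume  : total packets in the window, playing the role of temperature.
    entropy : Shannon entropy in bits of how traffic is spread over
              (src_class, dst_class) pairs; high when exchange between
              classes is spread and balanced, low when one pair dominates.
    """
    counts = defaultdict(int)
    for src, dst, n in flows:
        counts[(src, dst)] += n
    volume = sum(counts.values())
    if volume == 0:
        return 0, 0.0
    entropy = 0.0
    for n in counts.values():
        p = n / volume
        entropy -= p * math.log2(p)
    return volume, entropy


def detect_state_changes(windows, entropy_delta=0.5, volume_factor=2.0):
    """Flag windows whose (volume, entropy) departs from the running
    baseline of earlier, unflagged windows. Thresholds are assumptions.

    Returns a list of (window_id, reason) in window order.
    """
    flagged = []
    base_vol, base_ent, n_base = 0.0, 0.0, 0
    for wid in sorted(windows):
        vol, ent = window_state(windows[wid])
        if n_base == 0:
            # first window seeds the baseline
            base_vol, base_ent, n_base = float(vol), ent, 1
            continue
        reasons = []
        if abs(ent - base_ent) > entropy_delta:
            reasons.append("entropy")
        if vol > volume_factor * base_vol:
            reasons.append("volume")
        if reasons:
            flagged.append((wid, "+".join(reasons)))
        else:
            # quiet window: fold it into the running mean baseline
            base_vol = (base_vol * n_base + vol) / (n_base + 1)
            base_ent = (base_ent * n_base + ent) / (n_base + 1)
            n_base += 1
    return flagged


if __name__ == "__main__":
    for wid in sorted(SAMPLE_WINDOWS):
        vol, ent = window_state(SAMPLE_WINDOWS[wid])
        print(f"window {wid}: volume={vol:4d} entropy={ent:.3f} bits")
    print("flagged:", detect_state_changes(SAMPLE_WINDOWS))
```

Note how much detail the reduction throws away: every window collapses to two numbers regardless of how many hosts and flows it contained, which is the "intelligent data reduction" McEachen describes. In the sample, window 4 trips both tests, because almost all traffic sits in one class pair (low entropy) and the volume triples (high "temperature"), while window 5 returns to baseline and is not flagged.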
It took another year of refinement before the school approached Lancope in early 2002 about commercializing Therminator.
'We spent the next year recoding and integrating it into StealthWatch,' Copeland said.
Therminator adds visualization of state changes to the traditional StealthWatch elements, which log network activity and perform flow and packet analysis, so administrators can see exactly what is happening when a suspicious change of state occurs.
StealthWatch+Therminator costs $35,000 for copper Ethernets with speeds up to 100 Mbps, and $50,000 for fiber Ethernets.
Hunt goes on
Work on Therminator continues at the Cebrowski Institute.
'It's not necessarily restricted to IP networks,' McEachen said. Any communication medium has underlying exchange mechanisms that could be analyzed the same way.
'One of the things we're looking at is networks of intelligence resources,' he said. 'What would the effect be on the remaining resources if one was removed?'