Navy researcher has novel security visualization technique

A researcher at the Naval Postgraduate School in Monterey, Calif., has published a paper describing a visualization technique that can simplify detection of security breaches. The technique borrows ideas from the field of thermodynamics.

'We need to do a better job of using basic engineering to understand computer attacks, to push things to a more mature scientific foundation,' said David Ford, a senior research coordinator for the Defense Information Systems Agency.

Last month, Ford posted his findings, entitled 'Application of Thermodynamics to the Reduction of Data Generated by a Non-Standard System', in Cornell University's electronic repository for scientific papers. Ford said he hopes the ideas will be picked up by both agencies and vendors of security appliances.

The paper itself describes a method of visualizing activity on a network. Part of the problem with intrusion detection systems is that they overwhelm security administrators with information.

Although some companies have released security software that visually portrays the state of a network at any given time, what makes this approach novel is that it borrows from a formal scientific field to characterize data traffic.

'There are a lot of ways to look at traffic, to cluster things. We're trying to apply established science to the data sets,' Ford said.

Thermodynamics has a long history of making mathematical sense of complex environments.

'The basic idea is that a computer network is a complex system, and people know how to deal with complexity from a mathematical point of view,' Ford said. A computer network, with its packets of data moving back and forth, exhibits similar behavior to the molecules in a cup of coffee or the electromagnetic charge of a magnet, Ford said.

Ford said the paper formally explains a number of concepts that he and a Defense Department team used to build prototype software that visualizes the state of a network. The software, called Therminator, characterizes the normal activity, highlighting any unusual occurrences.

'When a packet does something that is not within the intended flow, then it stands out like a sore thumb,' Ford said.

Security appliance vendor Lancope Inc. of Atlanta offers a commercial version of Therminator as an add-on to its StealthWatch intrusion detection system.

About the Author

Joab Jackson is the senior technology editor for Government Computer News.
