Navy researcher has novel security visualization technique
- By Joab Jackson
- Mar 04, 2004
A researcher at the Naval Postgraduate School in Monterey, Calif., has published a paper describing a visualization technique that can simplify detection of security breaches. The technique borrows ideas from the field of thermodynamics.
'We need to do a better job of using basic engineering to understand computer attacks, to push things to a more mature scientific foundation,' said David Ford, a senior research coordinator for the Defense Information Systems Agency.
Last month, Ford posted his findings, entitled 'Application of Thermodynamics to the Reduction of Data Generated by a Non-Standard System', in Cornell University's electronic repository for scientific papers. Ford said he hopes the ideas will be picked up by both agencies and vendors of security appliances.
The paper itself describes a method of visualizing activity on a network. Part of the problem with intrusion detection systems is that they overwhelm security administrators with information.
Although some companies have released security software that visually portrays the state of a network at any given time, what makes this approach novel is that it borrows from a formal scientific field to characterize data traffic.
'There are a lot of ways to look at traffic, to cluster things. We're trying to apply established science to the data sets,' Ford said.
Thermodynamics has a long history of making mathematical sense of complex environments.
'The basic idea is that a computer network is a complex system, and people know how to deal with complexity from a mathematical point of view,' Ford said. A computer network, with its packets of data moving back and forth, exhibits behavior similar to the molecules in a cup of coffee or the electromagnetic charge of a magnet, Ford said.
Ford said the paper formally explains a number of concepts that he and a Defense Department team used to build prototype software that visualizes the state of a network. The software, called Therminator, characterizes the normal activity, highlighting any unusual occurrences.
'When a packet does something that is not within the intended flow, then it stands out like a sore thumb,' Ford said.
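To make the idea of "characterize the normal activity, then highlight what deviates" concrete, here is an added illustration. It is not Therminator's method and not code from Ford's paper; the article does not describe the paper's actual mathematics. It borrows one thermodynamics-flavoured quantity, Shannon entropy, to summarise the distribution of destination ports in each time window as a single "state" value, learns the range of that value over windows an analyst has marked as normal, and flags later windows whose entropy leaves that range. The packet records, window ids, port numbers and the 0.25-bit tolerance are all constructed for the example.

```python
"""Entropy-based window anomaly check over constructed packet records.

Added example, not the Therminator method: each window's destination-port
distribution is reduced to one number (Shannon entropy, in bits), a normal
range is learned from known-good windows, and out-of-range windows are flagged.
"""
from collections import Counter, defaultdict
from math import log2

# Constructed sample records: (window_id, src_ip, dst_port). Not captured traffic.
SAMPLE_PACKETS = [
    # Windows 1-4: an ordinary mix of web, DNS and SSH traffic.
    (1, "10.0.0.5", 80), (1, "10.0.0.6", 443), (1, "10.0.0.7", 53), (1, "10.0.0.8", 22),
    (1, "10.0.0.5", 80), (1, "10.0.0.6", 443), (1, "10.0.0.7", 53), (1, "10.0.0.8", 22),
    (2, "10.0.0.5", 80), (2, "10.0.0.5", 80), (2, "10.0.0.6", 443), (2, "10.0.0.7", 53),
    (2, "10.0.0.8", 22), (2, "10.0.0.5", 80), (2, "10.0.0.6", 443), (2, "10.0.0.7", 53),
    (3, "10.0.0.5", 80), (3, "10.0.0.6", 443), (3, "10.0.0.6", 443), (3, "10.0.0.7", 53),
    (3, "10.0.0.8", 22), (3, "10.0.0.5", 80), (3, "10.0.0.6", 443), (3, "10.0.0.7", 53),
    (4, "10.0.0.5", 80), (4, "10.0.0.6", 443), (4, "10.0.0.7", 53), (4, "10.0.0.8", 22),
    (4, "10.0.0.5", 80), (4, "10.0.0.6", 443), (4, "10.0.0.7", 53), (4, "10.0.0.8", 22),
    # Window 5: one host touches many distinct ports, so entropy jumps upward.
    (5, "10.0.0.9", 21), (5, "10.0.0.9", 22), (5, "10.0.0.9", 23), (5, "10.0.0.9", 25),
    (5, "10.0.0.9", 80), (5, "10.0.0.9", 110), (5, "10.0.0.9", 143), (5, "10.0.0.9", 443),
    # Window 6: every packet goes to a single port, so entropy collapses to zero.
    (6, "10.0.0.5", 445), (6, "10.0.0.6", 445), (6, "10.0.0.7", 445), (6, "10.0.0.8", 445),
    (6, "10.0.0.5", 445), (6, "10.0.0.6", 445), (6, "10.0.0.7", 445), (6, "10.0.0.8", 445),
]


def shannon_entropy(counts):
    """Entropy in bits of a histogram given as {symbol: count}."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * log2(c / total) for c in counts.values() if c)


def window_entropies(packets):
    """Map each window id to the entropy of its destination-port distribution."""
    ports_by_window = defaultdict(Counter)
    for window_id, _src_ip, dst_port in packets:
        ports_by_window[window_id][dst_port] += 1
    return {w: shannon_entropy(c) for w, c in sorted(ports_by_window.items())}


def learn_baseline(entropies, baseline_windows):
    """Normal range = [min, max] entropy over windows marked as known-good."""
    values = [entropies[w] for w in baseline_windows]
    return min(values), max(values)


def flag_anomalous_windows(packets, baseline_windows, tolerance=0.25):
    """Return [(window_id, 'low'|'high', entropy)] for windows outside the
    learned range widened by `tolerance` bits on each side."""
    entropies = window_entropies(packets)
    low, high = learn_baseline(entropies, baseline_windows)
    flagged = []
    for window_id, h in entropies.items():
        if h < low - tolerance:
            flagged.append((window_id, "low", round(h, 3)))
        elif h > high + tolerance:
            flagged.append((window_id, "high", round(h, 3)))
    return flagged


if __name__ == "__main__":
    for window_id, h in window_entropies(SAMPLE_PACKETS).items():
        print(f"window {window_id}: {h:.3f} bits")
    print("flagged:", flag_anomalous_windows(SAMPLE_PACKETS, baseline_windows={1, 2, 3, 4}))
```

The two flagged windows fail in opposite directions, which is the point of reducing a window to a state variable rather than matching signatures: a spread across many ports and a collapse onto one port both leave the learned range, and the analyst only has to look at those windows instead of every packet. In practice the baseline would be re-learned per network segment and time of day, and entropy is only one of several summary statistics one could take from the traffic.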
Security appliance vendor Lancope Inc. of Atlanta offers a commercial version of Therminator as an add-on to its StealthWatch intrusion detection system.
Joab Jackson is the senior technology editor for Government Computer News.