Publication


Featured research published by Bruce Gordon Barnett.


military communications conference | 2009

Network attack visualization and response through intelligent icons

Scott Charles Evans; T. Stephen Markham; Richard Bejtlich; Bruce Gordon Barnett; Bernhard Joseph Scholz; Robert James Mitchell; Weizhong Yan; Eric Steinbrecher; Jeremy Impson

Determination of appropriate response to information system attack is jointly determined by confidence of classification, nature (type) of attack, and confidence in effectiveness of response. In this paper we present a technique to rapidly assess similarity of observed behavior to attack or normal models: displaying the similarity of observed data to learned Minimum Description Length Models for normal and attack behaviors using “intelligent icons”. These icons provide a visual indication of similarity to normal and attack signatures and can alert human operators to the key motifs and signatures that affect confidence in classification and indicated response.


military communications conference | 2009

Data Provenance architecture to support Information Assurance in a Multi-Level Secure Environment

Abha Moitra; Bruce Gordon Barnett; Andrew Crapo; Stephen J. Dill

We describe a framework for capturing Data Provenance information to support Information Assurance attributes like Availability, Authentication, Confidentiality, Integrity and Non-Repudiation. Our approach is applicable to Multi-Level Secure systems where it is not always possible to directly provide data source and data transformation information. We achieve this by combining the subjective and objective trust in data as a “Figure of Merit” value that can cross security boundaries.


local computer networks | 1992

High level traffic analysis of a LAN segment

Bruce Gordon Barnett; Emilie Thorbjorg Saulnier

A data collection and analysis study of packet traffic over a local area network is reported. The objectives of this study are to develop analysis tools to isolate the effect of each protocol, and eventually each application. The measurements of the LAN are made using a raw Ethernet packet capture program (tcpdump) running on a Sun workstation. The analysis was accomplished using a PERL script and the ACE/gr data analysis program. The contribution of each protocol and host is isolated, and the higher-level application mix is examined. The characteristics of the protocol traffic are examined, and it is shown that the lower-rate traffic protocol characteristics, while not Poisson, are similar to a proposed two-state Markov chain model, while the higher-rate protocol/application traffic exhibits correlation and periodicity that are more difficult to model analytically.


military communications conference | 2008

Network Intrusion Detection: Using MDLcompress for deep packet inspection

E.E. Eiland; Scott Charles Evans; T.S. Markham; Bruce Gordon Barnett; Jeremy Impson; Eric Steinbrecher

We apply MDLcompress, a grammar inference engine, to network intrusion detection (NID). We specifically target HTTP payload analysis of deep packet inspection (DPI) utilizing the DARPA 1999 data sets for our normal network traffic base and create modern attack traffic using Nessus. Our approach accurately detected over 98% of the attacks compared with literature reports of approximately 95% accuracy rate on HTTP attacks.


military communications conference | 2009

Towards modeling and detection of polymorphic network attacks using grammar based learning with Support Vector Machines

Scott Charles Evans; Weizhong Yan; Bernhard Joseph Scholz; Bruce Gordon Barnett; T. Stephen Markham; Jeremy Impson; Eric Steinbrecher

Polymorphic attacks threaten to make many intrusion detection schemes ineffective [15]. In order to address the threat of advanced attacks, model based techniques are required. In this paper we improve our Grammar Based Modeling techniques [1]–[5] to be more resilient to attacks that change in form by using advanced classification techniques. Similarity distances from known models are input as features input to Support Vector Machines and other advanced classification techniques to provide improved classification performance. Results indicate promise for intrusion detection and response against polymorphic attack with minimal false alarms.


local computer networks | 1995

An expert fault manager using an object meta-model

Bruce Gordon Barnett; Andrew Crapo

This paper describes the design and implementation of an expert fault management (EFM) system, based on an object-oriented meta-model, which can isolate causes of performance problems in a distributed environment. Error diagnosis can integrate application, system, and network related causes and identify the root cause, as well as affected applications. Diagnosis can be proactive or reactive. The implementation is based on the GEN-X expert system, and intelligent agents written in PERL. It is self-configuring, and has demonstrated its ability to detect problems earlier and more accurately than humans.


Medical Imaging 1993: PACS Design and Evaluation | 1993

High Level Analysis of Medical Imaging Traffic

Emilie Thorbjorg Saulnier; Bruce Gordon Barnett

Medical network traffic is characterized by the mix of modalities and applications on the network. Since different modalities or applications have different characteristics on the network, understanding the mix of traffic loads is important in analyzing network activity. Although many commercial products can analyze network traffic at the packet level, they do not capture higher level modality load characteristics or isolate the impact of large image transfers. More insight can be obtained through a high-level analysis of this packet data in which network traffic is examined at an application level. In this paper we report on data collection and analysis of medical network traffic over a local area network. The measurements of the LAN are made using a raw ethernet packet capture program (tcpdump) running on a Sun workstation, and the analysis was accomplished using a PERL script and the ACE/gr data analysis program. The contribution of each modality is isolated and the network protocol performance is examined in detail.


military communications conference | 2010

Addressing uncertainty and conflicts in cross-domain data provenance

Abha Moitra; Bruce Gordon Barnett; Andrew Crapo; Stephen J. Dill

Data Provenance is multi-dimensional metadata that can be used to determine Information Assurance attributes like Confidentiality, Authenticity, Integrity, and Non-Repudiation. Traditionally, these Information Assurance attributes have been specified probabilistically as a belief value (or corresponding disbelief value). In this paper, we introduce a framework based on Subjective Logic that directly incorporates uncertainty by representing values as a triple of <belief, disbelief, uncertainty>. This framework allows us to work with uncertainty as well as conflicting pieces of information that may arise from multiple views of an object. We also develop a formal semantic model for specifying and reasoning over Information Assurance properties in a workflow. This model uses a controlled English representation which facilitates the dialogue with domain experts to capture and vet domain knowledge. Since Data Provenance information can grow substantially as the amount of information kept for each object increases and/or as the complexity of a workflow increases, we show how this information can be summarized. This summarization can also generate a trust value in the data so that it can cross security boundaries with user-controllable covert channel implications. Finally, we discuss a range of visualizations ranging from attention-directing high-level visualization to finer-level contextual visualization.


international provenance and annotation workshop | 2010

Using Data Provenance to Measure Information Assurance Attributes

Abha Moitra; Bruce Gordon Barnett; Andrew Crapo; Stephen J. Dill

Data Provenance is multi-dimensional metadata that specifies Information Assurance attributes like Confidentiality, Authenticity, Integrity, Non-Repudiation etc. It may also include ownership, processing details and other attributes. Further, each Information Assurance attribute may itself have sub-components like objective and subjective values or application security versus transport security. Traditionally, the Information Assurance attributes have been specified probabilistically as a belief value (or corresponding disbelief value) in that Information Assurance attribute. In this paper we introduce a framework based on Subjective Logic that incorporates uncertainty by representing values as a triple of <belief, disbelief, uncertainty>. This framework also allows us to work with conflicting Information Assurance attribute values that may arise from multiple views of an object. We also introduce a formal semantic model for specifying and reasoning over Information Assurance properties in a workflow. Data Provenance information can grow substantially as the amount of information kept for each object increases as well as the complexity of a workflow increases. In such situations, it may be necessary to summarize the Data Provenance information. Further, the summarization may depend on the Information Assurance attributes as well as the type of analysis used for Data Provenance. We show how such summarization can be done and how it can be used to generate trust value in the data. We also discuss how the Information Assurance values can be visualized.


Medical Imaging 1996: PACS Design and Evaluation: Engineering and Clinical Issues | 1996

Satellite teleradiology test bed for digital mammography

Bruce Gordon Barnett; Kathryn Eike Dudding; Aiman Albert Abdel-Malek; Robert James Mitchell

Teleradiology offers significant improvement in efficiency and patient compliance over current practices in traditional film/screen-based diagnosis. The increasing number of women who need to be screened for breast cancer, including those in remote rural regions, makes the advantages of teleradiology especially attractive for digital mammography. At the same time, the size and resolution of digital mammograms are among the most challenging to support in a cost effective teleradiology system. This paper will describe a teleradiology architecture developed for use with digital mammography by GE Corporate Research and Development in collaboration with Massachusetts General Hospital under National Cancer Institute (NCI/NIH) grant number R01 CA60246-01. The testbed architecture is based on the Digital Imaging and Communications in Medicine (DICOM) standard, created by the American College of Radiology and National Electrical Manufacturers Association. The testbed uses several Sun workstations running SunOS, which emulate a rural examination facility connected to a central diagnostic facility, and uses a TCP-based DICOM application to transfer images over a satellite link. Network performance depends on the product of the bandwidth times the round-trip time. A satellite link has a round trip of 513 milliseconds, making the bandwidth-delay a significant problem. This type of high bandwidth, high delay network is called a Long Fat Network, or LFN. The goal of this project was to quantify the performance of the satellite link, and evaluate the effectiveness of TCP over an LFN. Four workstations have Sun's HSI/S (High Speed Interface) option. Two are connected by a cable, and two are connected through a satellite link. Both interfaces have the same T1 bandwidth (1.544 Megabits per second). The only difference was the round trip time. Even with large window buffers, the time to transfer a file over the satellite link was significantly longer, due to the bandwidth-delay. To compensate for this, TCP extensions for LFNs such as the Window Scaling Option (described in RFC1323) were necessary to optimize the use of the link. A high level analysis of throughput, with and without these TCP extensions, will be discussed. Recommendations will be made as to the critical areas for future work.
