
Publication


Featured research published by Vincent H. Berk.


Sensors, and command, control, communications, and intelligence technologies for homeland defense and law enforcement. Conference | 2003

Using sensor networks and data fusion for early detection of active worms

Vincent H. Berk; Robert S. Gray; George Bakos

Identification of an Internet worm is a manual process where security analysts must observe and analyze unusual activity on multiple firewalls, intrusion-detection systems or hosts. A worm might not be positively identified until it already has spread to most of the Internet, eliminating many defensive options. In this paper, we present an automated system that can identify active worms seconds or minutes after they first begin to spread, a necessary precursor to halting the spread of a worm, rather than simply cleaning up afterward. Our implemented system collects ICMP Unreachable messages from instrumented network routers, identifies those patterns of unreachable messages that indicate malicious scanning activity, and then searches for patterns of scanning activity that indicate a propagating worm. In this paper, we examine the problem of active worms, describe our ICMP-based detection system, and present simulation results that illustrate the speed with which it can detect a worm.


International Conference on Autonomic Computing | 2005

Implementing Large-Scale Autonomic Server Monitoring Using Process Query Systems

Christopher Roblee; Vincent H. Berk; George Cybenko

In this paper we present a new server monitoring method based on a new and powerful approach to dynamic data analysis: process query systems (PQS). PQS enables user-space monitoring of servers and, by using advanced behavioral models, makes accurate and fast decisions regarding server and service state. Data to support state estimation come from multiple sensor feeds located within a server network. By post-processing a system's state estimates, it becomes possible to identify, isolate and/or restart anomalous systems, thus avoiding cross-infection or prolonging performance degradation. The PQS system we use is a generic process detection software platform. It builds on the wide variety of system-level information that past autonomic computing research has studied by implementing a highly flexible, scalable and efficient process-based analytic engine for turning raw system information into actionable system and service state estimates.


IEEE Computer | 2007

Process query systems

George Cybenko; Vincent H. Berk

Sensors produce large streams of raw events while instrumenting environments such as computer systems, communications networks, physical spaces, and human organizations. Extracting meaningful and actionable information from these events, however, remains a challenge. Process query systems, a new algorithmic and software paradigm, offer a powerful and generic way to address event-processing challenges.


Sensors, and Command, Control, Communications, and Intelligence (C3I) Technologies for Homeland Security and Homeland Defense V | 2006

Data exfiltration and covert channels

Annarita Giani; Vincent H. Berk; George Cybenko

Within an organization, the possibility of a confidential information leak ranks among the highest fears of any executive. Detecting information leaks is a challenging problem, since most organizations depend on a broad and diverse communications network. It is not always straightforward to conclude which information is leaving the organization legitimately, and which communications are malicious data exfiltrations. Sometimes it is not even possible to tell that a communication is occurring at all. The set of all possible exfiltration methods contains, at a minimum, the set of all possible information communication methods, and possibly more. This article cannot possibly cover all such methods; however, several notable examples are given, and a taxonomy of data exfiltration is developed. Such a taxonomy cannot ever be exhaustive, but at the very least can offer a framework for organizing methods and developing defenses.


Computer Software and Applications Conference | 2006

Practical Autonomic Computing

George Cybenko; Vincent H. Berk; I.D. Gregorio-De Souza; C. Behre

Autonomic computing generally refers to future information processing and networking technologies that are capable of self-awareness for the purposes of self-optimization, self-healing and self-protection. This paper is an overview of the goals, motivations and current status of this technical area, with specific focus on the technical and deployment challenges. Our conclusion is that, while the imperative to develop autonomic computing capabilities is indisputable, the technical and business obstacles are extremely significant. Those obstacles are not being coherently or adequately addressed by the R&D and business communities.


Sensors, and Command, Control, Communications, and Intelligence (C3I) Technologies for Homeland Security and Homeland Defense III | 2004

Rapid detection of worms using ICMP-T3 analysis

Robert S. Gray; Vincent H. Berk

Identification of an active Internet worm is a manual process where security analysts must observe and analyze unusual activity on multiple firewalls, intrusion-detection systems or hosts. A worm might not be positively identified until it already has spread to most of the Internet, eliminating many defensive options. In previous work, we developed an automated system that can identify active worms seconds or minutes after they first begin to spread, a necessary precursor to halting the spread of the worm rather than simply cleaning up afterward. The system collects ICMP Destination Unreachable messages from instrumented network routers, identifies those patterns of unreachable messages that indicate malicious scanning activity, and then searches for patterns of scanning activity that indicate a propagating worm. In this paper, we compare the performance of two different detection strategies, our previous threshold approach and a new line-fit approach, for different worm-propagation techniques, noise environments, and system parameters. These techniques work for worms that generate at least some of their target addresses through a random process, a feature of most recent worms. Although both are powerful methods for fast worm identification, the new line-fit approach proves to be significantly more noise resistant.


Archive | 2008

Online Behavioral Analysis and Modeling Methodology (OBAMM)

David J. Robinson; Vincent H. Berk; George Cybenko

This paper introduces a novel method of tracking user computer behavior to create highly granular profiles of usage patterns. These profiles, then, are used to detect deviations in a user's online behavior, detecting intrusions, malicious insiders, misallocation of resources, and out-of-band business processes. Successful detection of these behaviors significantly reduces the risk of leaking sensitive data, or inadvertently exposing critical assets.


Unattended Ground, Sea, and Air Sensor Technologies and Applications VIII | 2006

Target tracking and localization using infrared video imagery

Alex Barsamian; Vincent H. Berk; George Cybenko

One of the significant problems in visual tracking of objects is the requirement for a human analyst to post-process and interpret the data. For instance, consider the task of tracking a target, in this case a moving person, using video imagery. When this person hides behind an obstruction, and is therefore no longer visible by the camera, conventional tracking systems quickly lose track of the target and are no longer able to indicate where the target is or where it was headed. A human interpreter is then needed to conclude that the person is hiding, and probably (with certain probability) is still there. A Process Query System (PQS) is able to track and predict the path of arbitrary objects, based only on a description of their dynamic behavior, thus eliminating the need for precise identification of each object in every frame. The PQS is therefore able to draw human-like conclusions, allowing the system to track the person even when he/she is out of view. Additionally, using dynamic descriptions of tracked objects allows for low-quality video signals, or even infrared video, to be used for tracking. In this paper we introduce a novel way of implementing a video-based tracking system using a Process Query System to predict the position of objects in the environment, even after they have disappeared from view. Although the image processing pipeline is trivial, tracking accuracy is remarkably high, suggesting that overall performance can be improved even further with the use of more sophisticated video processing and image recognition technology.


Sensors, and Command, Control, Communications, and Intelligence (C3I) Technologies for Homeland Security and Homeland Defense V | 2006

Process detection in homeland security and defense applications

George Cybenko; Vincent H. Berk

Process detection is a fundamental problem arising in a variety of homeland security, national defense and commercial applications, including network security, sensor network data fusion, dynamic social network analysis and video tracking of kinematic objects. Our approach to process detection is based on a generic algorithmic approach called Process Query Systems which has been developed at Dartmouth over the past 3 years. This paper surveys the general area of process detection, its applications and recent progress made in various implementations.


Proceedings of SPIE | 2012

Generating realistic environments for cyber operations development, testing, and training

Vincent H. Berk; Ian Gregorio-de Souza; John P. Murphy

Training effective cyber operatives requires realistic network environments that incorporate the structural and social complexities representative of the real world. Network traffic generators facilitate repeatable experiments for the development, training and testing of cyber operations. However, current network traffic generators, ranging from simple load testers to complex frameworks, fail to capture the realism inherent in actual environments. In order to improve the realism of network traffic generated by these systems, it is necessary to quantitatively measure the level of realism in generated traffic with respect to the environment being mimicked. We categorize realism measures into statistical, content, and behavioral measurements, and propose various metrics that can be applied at each level to indicate how effectively the generated traffic mimics the real world.
