New Net Monitoring Technology Detects Computer Hackers

March 6, 1998

By Jon Bashor and Monica Friedlander

Thanks to Vern Paxson of the Network Research Group, Big Brother is watching at Berkeley Lab. Not to worry, however: Only computer hackers monkeying with Internet security have anything to fear from "Bro" -- the new system developed by Paxson to monitor traffic into the Lab and unveil security breaches.

For its development, Paxson was recognized with the best paper award at the recent Usenix Security Symposium in San Antonio, Texas. Entitled "Bro: A System for Detecting Network Intruders in Real-Time," Paxson's paper describes the stand-alone system he developed, which has already been credited with detecting 85 cases of security breaches at the Lab. The award further validates the importance of Paxson's contribution to the cutting-edge field of network security.

"This recognition of Vern's outstanding work by others in the computer security field again demonstrates the valuable contributions of the Network Research Group," said Stu Loken, director of the Information and Computing Sciences Division. "Working behind the scenes in a field that truly benefits all users of the Internet, this group has helped make scientific networking the successful tool that it is today."

Because of the sensitive nature of Internet security and the desire of security system providers to protect their products, Paxson said there is little public information available on this subject. Flaws in security systems, he said, are an especially sensitive subject. As Paxson designed the Lab's security monitor, he sought out flaws and attempted to correct them. "If you know the flaws, you can evade the system," he said. "It takes an extra level of deviousness to look for these flaws, and I enjoy trying to be devious."

Bro is a layered system that seeks out certain types of network traffic. The first layer is a general packet filter, which decides which data packets should be examined. The second layer is an "event engine," which takes the first level packets and pieces them together into "events," such as the beginning or end of a connection, or -- for some applications, such as FTP -- high-level events, such as identifying user names. Above that is the policy layer, which interprets scripts, written in a specialized language, that define how to respond to different events. Should the policy layer detect information amounting to an attempted security breach, the system notifies computer security people in real time. It also archives summaries of the network traffic into and out of the Lab in a permanent record.

The system has been monitoring network traffic at the Lab continuously since April 1996. Some of the formal security incidents Bro detected during this time have resulted in law enforcement action. When security breaches are discovered, the Lab alerts the Department of Energy's Computer Incident Advisory Center at Lawrence Livermore Lab and the Computer Emergency Response Team at Carnegie Mellon University, which in turn follow up with appropriate action.

Vern Paxson's paper can be found on the web at

Search | Home | Questions