Thanks to Vern Paxson of the Network
Research Group, Big Brother is watching at Berkeley Lab. Not to
worry, however: Only computer hackers monkeying with Internet
security have anything to fear from "Bro" -- the new
system developed by Paxson to monitor traffic into the Lab and
unveil security breaches.
For its development, Paxson was recognized with the best paper
award at the recent Usenix Security Symposium in San Antonio,
Texas. Entitled "Bro: A System for Detecting Network
Intruders in Real-Time," Paxson's paper describes the
stand-alone system he developed, which has already been credited
with detecting 85 cases of security breaches at the Lab. The award
further validates the importance of Paxson's contribution to the
cutting-edge field of network security.
"This recognition of Vern's outstanding work by others in
the computer security field again demonstrates the valuable
contributions of the Network Research Group," said Stu Loken,
director of the Information and Computing Sciences Division.
"Working behind the scenes in a field that truly benefits all
users of the Internet, this group has helped make scientific
networking the successful tool that it is today."
Because of the sensitive nature of Internet security and the
desire of security system providers to protect their products,
Paxson said there is little public information available on this
subject. Flaws in security systems, he said, are an especially
sensitive subject. As Paxson designed the Lab's security monitor,
he sought out flaws and attempted to correct them. "If you
know the flaws, you can evade the system," he said. "It
takes an extra level of deviousness to look for these flaws, and I
enjoy trying to be devious."
Bro is a layered system that seeks out certain types of network
traffic. The first layer is a general packet filter, which decides
which data packets should be examined. The second layer is an
"event engine," which takes the first level packets and
pieces them together into "events," such as the
beginning or end of a connection, or -- for some applications,
such as FTP -- high-level events, such as identifying user names.
Above that is the policy layer, which interprets scripts, written
in a specialized language, that define how to respond to different
events. Should the policy layer detect information amounting to an
attempted security breach, the system notifies computer security
people in real time. It also archives summaries of the network
traffic into and out of the Lab in a permanent record.
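The three layers described above, as an added example that is not code from the original article or from the Bro project: a small Python model in which a packet filter selects the services of interest, an event engine stitches packets into connection-level and FTP-level events, and a policy layer runs handlers over those events, raising notices and keeping a summary record. The packet records, the monitored ports (FTP and telnet), and the policy rules (flagging FTP logins as "root" or "anonymous" and any telnet connection) are constructed assumptions for illustration, not Bro's own filter, event names, or policy scripts.

```python
"""Toy three-layer monitor modelled on Bro's design (added example, not Bro code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Conn = Tuple[str, str, int]  # (source host, destination host, destination port)


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: str = ""      # "S" = SYN (connection start), "F" = FIN (connection end)
    payload: str = ""    # application data, if any


@dataclass
class Event:
    name: str
    conn: Conn
    detail: str = ""


# Layer 1: general packet filter. Assumption: only FTP (21) and telnet (23) matter here.
MONITORED_PORTS = {21, 23}


def packet_filter(packets: List[Packet]) -> List[Packet]:
    """Pass only packets destined for the services the policy cares about."""
    return [p for p in packets if p.dport in MONITORED_PORTS]


# Layer 2: event engine. Turns filtered packets into connection and application events.
class EventEngine:
    def __init__(self) -> None:
        self.open: set = set()  # connections currently in progress

    def feed(self, packets: List[Packet]) -> List[Event]:
        events: List[Event] = []
        for p in packets:
            conn: Conn = (p.src, p.dst, p.dport)
            if "S" in p.flags and conn not in self.open:
                self.open.add(conn)
                events.append(Event("connection_established", conn))
            elif "F" in p.flags and conn in self.open:
                self.open.discard(conn)
                events.append(Event("connection_finished", conn))
            elif p.payload and conn in self.open and p.dport == 21:
                # FTP-specific parsing: a "USER <name>" command yields a higher-level event
                if p.payload.upper().startswith("USER "):
                    events.append(Event("ftp_username", conn, p.payload[5:].strip()))
        return events


# Layer 3: policy. Handlers are registered per event name and produce notices.
class Policy:
    def __init__(self) -> None:
        self.handlers: Dict[str, List[Callable[[Event], None]]] = {}
        self.notices: List[str] = []   # real-time alerts for security staff
        self.summary: List[str] = []   # archived record of everything seen

    def on(self, name: str) -> Callable:
        def register(fn: Callable[[Event], None]) -> Callable[[Event], None]:
            self.handlers.setdefault(name, []).append(fn)
            return fn
        return register

    def dispatch(self, events: List[Event]) -> List[str]:
        for ev in events:
            self.summary.append(f"{ev.name} {ev.conn} {ev.detail}".rstrip())
            for fn in self.handlers.get(ev.name, []):
                fn(ev)
        return self.notices


FLAGGED_FTP_USERS = {"root", "anonymous"}  # assumption: logins the policy should report


def build_policy() -> Policy:
    policy = Policy()

    @policy.on("ftp_username")
    def flag_ftp_user(ev: Event) -> None:
        if ev.detail.lower() in FLAGGED_FTP_USERS:
            policy.notices.append(f"FTP login attempt as '{ev.detail}' from {ev.conn[0]}")

    @policy.on("connection_established")
    def flag_telnet(ev: Event) -> None:
        if ev.conn[2] == 23:
            policy.notices.append(f"telnet connection from {ev.conn[0]} to {ev.conn[1]}")

    return policy


def run(packets: List[Packet]) -> Tuple[List[Event], List[str], List[str]]:
    """Run all three layers; return (events, notices, archived summary)."""
    events = EventEngine().feed(packet_filter(packets))
    policy = build_policy()
    notices = policy.dispatch(events)
    return events, notices, policy.summary


# Constructed sample traffic (not captured data): an FTP session logging in as root,
# an HTTP packet the filter drops, and a telnet connection start.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "192.0.2.10", 21, flags="S"),
    Packet("10.0.0.5", "192.0.2.10", 21, payload="USER root\r\n"),
    Packet("10.0.0.5", "192.0.2.10", 21, flags="F"),
    Packet("10.0.0.7", "192.0.2.10", 80, flags="S"),
    Packet("10.0.0.9", "192.0.2.11", 23, flags="S"),
]

if __name__ == "__main__":
    evs, notes, archive = run(SAMPLE_PACKETS)
    for line in archive:
        print("summary:", line)
    for n in notes:
        print("NOTICE:", n)
```

The separation is the point: the filter keeps the volume down, the event engine knows protocol details but nothing about what is suspicious, and only the policy layer decides what warrants a notice, so changing site policy means editing handlers rather than the packet-parsing code.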
The system has been monitoring network traffic at the Lab
continuously since April 1996. Some of the formal security
incidents Bro detected during this time have resulted in law
enforcement action. When security breaches are discovered, the Lab
alerts the Department of Energy's Computer Incident Advisory
Center at Lawrence Livermore Lab and the Computer Emergency
Response Team at Carnegie Mellon University, which in turn follow
up with appropriate action.
Vern Paxson's paper can be found on the web at http://www-nrg.ee.lbl.gov/nrg-papers.html.