This effort pursues research in network intrusion detection that is unusually tightly tied to large-scale operational settings. The central component the work builds upon is the "Bro" network intrusion detection system previously developed by the PIs. The PIs participate in Bro's deployment for 24x7 operational cybersecurity monitoring at the Lawrence Berkeley National Laboratory (LBNL), the Berkeley campus of the University of California, and the Technical University of Munich.
The theme of the research is to advance the technology for security monitoring of network traffic with approaches directly grounded in the pragmatics of network security at large institutions. The advances under investigation span a range of themes: (1) developing new ways of detecting attacks (detecting network "triggers" used by automated exploit software and by worms; drawing upon LBNL's immense archive of logs of past network traffic to devise robust anomaly detection algorithms; identifying possibly unknown malware by re-executing suspicious flows against a fully instrumented honeypot system); (2) new approaches to protocol analysis (dynamic analysis to identify protocols that evade identification by standard port numbers; extending an abstract protocol description language for specifying analyzers that are then compiled into C++ classes); (3) integrating new sources of information into analyses (distributed monitors; flow records; honeynets; historic behavior; host-based context); and (4) addressing the challenges of monitoring very high-speed, high-volume links (transparent load-balancing and cluster operation; hardware support for filtering, state management, normalization, and enabling intrusion prevention).