Roland Piquepaille's Technology Trends
How new technologies are modifying our way of life

dimanche 28 novembre 2004

In this article, Computerworld describes several of the projects currently under way at Carnegie Mellon University's CyLab. For instance, CyLab just received "a $6.4 million grant from the National Science Foundation for an initiative called Security Through Interaction Modeling (STIM), which studies complex interactions between people, the computers they use and attacks from the outside." CyLab is also looking at self-healing, or autonomic, computer systems. And in its Coral project, CyLab is developing network defense mechanisms against virus and worm attacks. But here I just want to focus on the Seurat project, named after the French painter Georges Seurat, who developed the technique of pointillism. The goal of this project is to detect compromised or misconfigured hosts by correlating file-system changes, such as those a worm leaves behind after exploiting a buffer overflow, across many machines at once. The project was called Seurat because, like his paintings, a computer system has many layers or points where a possible attack might leave a trace.

Please read the article mentioned above, or this page, to learn more about the research projects at CyLab.

And now, here are some specific details about the Seurat project as provided by Computerworld.

Another CyLab project takes the name of the French impressionist painter Georges Seurat, who painted vast canvasses with many tiny dabs, or "points," of paint, a process dubbed pointillism. The Seurat team at CyLab is developing methods to monitor anomalous behavior that may be induced by buffer overloads and other glitches.
The Seurat technique compares a precomputed profile of how a system should be performing to the combination of all the application interactions with the operating system. "So it looks at a profile of what this system should be doing and says maybe this thing has been corrupted," explains Mike Reiter, technical director of CyLab and a professor of computer engineering and science. "It can track accesses and changes across many machines all at once or in a short time period."
Pointillist approach to anomaly detection

The diagram above describes the pointillist approach to anomaly detection. Normal points are clustered by the dashed circle. The appearance of a new cluster consisting of three points suggests anomalous events on hosts A, B, and D. (Credit: Seurat team at CMU's CyLab).

The Seurat project is so named because there are many layers, points or places where one might measure what is going on in a system in order to see evidence of an attack, much the same way the 19th century painter discovered that what we see comprises many points of color and light.
The Seurat technique is a broad-brush approach to security, and indeed, the overall scope of CyLab's $10 million annual research mission is broad, says Pradeep Khosla, dean of the Carnegie Mellon College of Engineering and co-director of CyLab.

Here is a more detailed description of the Seurat project, coming directly from CyLab.

The goal of the project is to detect compromised or misconfigured hosts by correlating file system changes across different machines. Most of the current intrusion techniques result in modification, insertion, or deletion of system configuration files, binary files, libraries, log files, or system kernel.
However, as the operating system and application software become more and more complex, users, and even system administrators, usually lose track of the up-to-date machine configuration status and file system updates.
We propose a new approach to detect aggregated anomalous events automatically based on host file system updates. Our approach is based on a key observation that many host state transitions of interest have both temporal and spatial locality. Abnormal state changes, which may be hard to detect in isolation, become apparent when they are correlated with similar changes on other hosts.
Based on this intuition, we have developed a prototype system, called Seurat, to detect similar, coincident changes to the patterns of file updates that are shared across multiple hosts. Our evaluation shows that Seurat can successfully detect worm attacks with a low false positive rate.
For each alarm, Seurat identifies the suspicious hosts and files for further investigation, greatly facilitating root cause diagnosis and false alarm suppression.
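To make the idea in the two descriptions above concrete (a per-host profile of expected updates, and a new cluster of similar, coincident changes on several hosts at once), here is a small detector written for this post. It is an added example, not the Seurat team's code: the hosts, the benign daily churn, the three-file "worm footprint", the Jaccard distance and every threshold are constructed for illustration, and the real system's feature selection and clustering are more elaborate than this.

```python
"""Simplified pointillist detector over per-host file-update sets.

Added example, not the Seurat team's code. The per-host daily update sets,
the benign churn pattern and the three-file "worm footprint" are constructed
here so the detector can be run offline.
"""

HOSTS = ["A", "B", "C", "D", "E"]
BASE_LOGS = {"/var/log/messages", "/var/log/wtmp", "/var/run/utmp"}
# Constructed footprint of a hypothetical worm: the same files touched on every victim.
WORM_FILES = {"/usr/sbin/sshd", "/etc/ld.so.preload", "/var/tmp/.x/run.sh"}


def normal_updates(host, day):
    """Benign daily churn (constructed): logs every day, cron log on even days,
    shell history on the one interactive host C."""
    files = set(BASE_LOGS)
    if day % 2 == 0:
        files.add("/var/log/cron")
    if host == "C":
        files.add("/home/user/.bash_history")
    return files


def build_observations(days=8, infected=("A", "B", "D"), infection_day=8):
    """Map (host, day) -> frozenset of files that host updated that day."""
    obs = {}
    for day in range(1, days + 1):
        for host in HOSTS:
            files = normal_updates(host, day)
            if day == infection_day and host in infected:
                files |= WORM_FILES
            obs[(host, day)] = frozenset(files)
    return obs


def jaccard_distance(a, b):
    """1 - |a & b| / |a | b|: 0 for identical sets, 1 for disjoint ones."""
    union = a | b
    return 0.0 if not union else 1.0 - len(a & b) / len(union)


def detect_new_cluster(obs, day, outlier_threshold=0.25, cluster_threshold=0.2,
                       min_cluster=2, common_fraction=0.25):
    """Flag a new cluster of coincident, similar update sets on `day`.

    Training points are all host-days before `day`. A point on `day` is an
    outlier if it is farther than `outlier_threshold` from every training
    point; outliers within `cluster_threshold` of each other are grouped.
    A group of at least `min_cluster` hosts raises an alarm listing the
    hosts and the files they share that were not common in training.
    Returns a list of (hosts, files) tuples, empty when nothing is flagged.
    """
    training = [v for (_, d), v in obs.items() if d < day]
    if not training:
        raise ValueError("need at least one earlier day as a baseline")
    today = {h: v for (h, d), v in obs.items() if d == day}

    # Historical frequency of each file over all training host-days.
    counts = {}
    for v in training:
        for f in v:
            counts[f] = counts.get(f, 0) + 1
    common = {f for f, c in counts.items() if c / len(training) >= common_fraction}

    # Step 1: points far from every historical point are candidate anomalies.
    outliers = {h: v for h, v in today.items()
                if min(jaccard_distance(v, t) for t in training) > outlier_threshold}

    # Step 2: greedy single-linkage grouping of the outliers into new clusters.
    clusters = []
    for h in sorted(outliers):
        for c in clusters:
            if any(jaccard_distance(outliers[h], outliers[m]) <= cluster_threshold for m in c):
                c.append(h)
                break
        else:
            clusters.append([h])

    # Step 3: report clusters big enough to count as a coincident event.
    alarms = []
    for c in clusters:
        if len(c) >= min_cluster:
            shared = frozenset.intersection(*(outliers[h] for h in c)) - common
            alarms.append((sorted(c), sorted(shared)))
    return alarms


if __name__ == "__main__":
    for alarm_hosts, alarm_files in detect_new_cluster(build_observations(), day=8):
        print("suspicious hosts:", alarm_hosts)
        print("shared uncommon files:", alarm_files)
```

Run as is, it reports hosts A, B and D together with the three worm files, and nothing for hosts C and E, whose day-8 updates match their own history. Two caveats follow from the design rather than from the constructed data. First, `min_cluster` is what keeps a one-off upgrade on a single host from raising an alarm, but the same setting means a compromise of a single host is not flagged either; this matches the quoted goal of detecting aggregated events, and a per-host integrity checker is still needed for the isolated case. Second, the detector is only as trustworthy as the update records it is fed: a host that has already been compromised can also falsify what it reports, so the file-update feed should be collected from a vantage point the host itself cannot rewrite.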

For even more information, you can visit the Seurat Project home page.

The researchers have published their work which appears in the Proceedings of the 7th International Symposium on Recent Advances in Intrusion Detection (RAID2004), held in September 2004 in Sophia Antipolis, France, under the title "Seurat: A Pointillist Approach to Anomaly Detection."

Here is a direct link to the full paper (PDF format, 20 pages, 717 KB). The above diagram was extracted from this paper.

And for those of you who are also interested in Georges Seurat's works, here is what Wikipedia says about him, and a link to a picture of his "Grey weather, Grande Jatte" painting from 1888.

Sources: Matt Hamblen, Computerworld, November 22, 2004; and various websites

Posted at 6:29:54 PM
© Copyright 2007 Roland Piquepaille.