In this article, Computerworld describes several of the projects currently under way at Carnegie Mellon University's CyLab. For instance, CyLab just received "a $6.4 million grant from the National Science Foundation for an initiative called Security Through Interaction Modeling (STIM), which studies complex interactions between people, the computers they use and attacks from the outside." CyLab is also looking at self-healing or autonomic computer systems. And in its Coral project, CyLab is developing network defense mechanisms for virus and worm attacks. But here I just want to focus on the Seurat project, named after the French painter Georges Seurat, who invented the technique of pointillism. The goal of this project is to detect compromised or misconfigured hosts by spotting anomalous changes, such as those left behind by a worm or a corrupted system, that show up on several machines at about the same time. The project was called Seurat because, as in his paintings, a system has so many layers or points where the traces of a possible attack might appear.
Please read the article mentioned above, or CyLab's own pages, to learn more about the research projects at CyLab.
And now, here are some specific details about the Seurat project as provided by Computerworld.
Another CyLab project takes the name of the French impressionist painter Georges Seurat, who painted vast canvasses with many tiny dabs, or "points," of paint, a process dubbed pointillism. The Seurat team at CyLab is developing methods to monitor anomalous behavior that may be induced by buffer overloads and other glitches.
The Seurat technique compares a precomputed profile of how a system should be performing to the combination of all the application interactions with the operating system. "So it looks at a profile of what this system should be doing and says maybe this thing has been corrupted," explains Mike Reiter, technical director of CyLab and a professor of computer engineering and science. "It can track accesses and changes across many machines all at once or in a short time period."
The diagram above describes the pointillist approach to anomaly detection. Normal points are clustered inside the dashed circle. The appearance of a new cluster consisting of three points suggests anomalous events on hosts A, B, and D. (Credit: Seurat team at CMU's CyLab).
The Seurat project is so named because there are many layers, points or places where one might measure what is going on in a system in order to see evidence of an attack, much the same way the 19th century painter discovered that what we see comprises many points of color and light.
The Seurat technique is a broad-brush approach to security, and indeed, the overall scope of CyLab's $10 million annual research mission is broad, says Pradeep Khosla, dean of the Carnegie Mellon College of Engineering and co-director of CyLab.
Here is a more detailed description of the Seurat project, coming directly from CyLab.
The goal of the project is to detect compromised or misconfigured hosts by correlating file system changes across different machines. Most of the current intrusion techniques result in modification, insertion, or deletion of system configuration files, binary files, libraries, log files, or system kernel.
However, as the operating system and application software become more and more complex, users, and even system administrators, usually lose track of the up-to-date machine configuration status and file system updates.
We propose a new approach to detect aggregated anomalous events automatically based on host file system updates. Our approach is based on a key observation that many host state transitions of interest have both temporal and spatial locality. Abnormal state changes, which may be hard to detect in isolation, become apparent when they are correlated with similar changes on other hosts.
Based on this intuition, we have developed a prototype system, called Seurat, to detect similar, coincident changes to the patterns of file updates that are shared across multiple hosts. Our evaluation shows that Seurat can successfully detect worm attacks with a low false positive rate.
For each alarm, Seurat identifies the suspicious hosts and files for further investigation, greatly facilitating root cause diagnosis and false alarm suppression.
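To make the idea in the preceding paragraphs concrete, here is a small Python illustration of the pointillist approach, written for this post. It is not the Seurat code: the hosts, the file names, the three-day training window and the 0.5 Jaccard threshold are constructed assumptions, and the published system uses a richer feature space and clustering procedure than this. Each host contributes one "point" per day (the set of files it modified). Points from the training window define normal behaviour; on the detection day, points far from every training point are collected and clustered among themselves. A cluster shared by several hosts is the alarm, and for it the code names the hosts and the files they all touched that never appeared in training, which is the "suspicious hosts and files" hand-off described above. A single host with an unusual change is reported separately and not alarmed on, which is the point of correlating across machines.

```python
"""Simplified pointillist anomaly detection in the spirit of CyLab's Seurat.

Constructed example (not the Seurat code): each host contributes one "point"
per day, the set of files it modified. Points from the training window define
normal behaviour; on the detection day, points that are far from every training
point are collected and clustered among themselves. A new cluster shared by
several hosts is the alarm; its members and the files they have in common that
were never seen in training are reported for investigation.
"""
from itertools import combinations

# Constructed sample telemetry: (host, day, set of files updated that day).
# Days 1-3 form the training window. Hosts A, B, D are workstations; C, E run
# a web server. None of this is real data.
TRAINING = [
    ("A", 1, {"/var/log/syslog", "/var/log/auth.log", "/var/lib/apt/lists/pkgcache"}),
    ("B", 1, {"/var/log/syslog", "/var/log/auth.log"}),
    ("C", 1, {"/var/log/syslog", "/var/log/httpd/access_log"}),
    ("D", 1, {"/var/log/syslog", "/var/log/auth.log"}),
    ("E", 1, {"/var/log/syslog", "/var/log/httpd/access_log"}),
    ("A", 2, {"/var/log/syslog", "/var/log/auth.log"}),
    ("B", 2, {"/var/log/syslog", "/var/log/auth.log", "/var/lib/apt/lists/pkgcache"}),
    ("C", 2, {"/var/log/syslog", "/var/log/httpd/access_log", "/var/log/httpd/error_log"}),
    ("D", 2, {"/var/log/syslog", "/var/log/auth.log"}),
    ("E", 2, {"/var/log/syslog", "/var/log/httpd/access_log"}),
    ("A", 3, {"/var/log/syslog", "/var/log/auth.log"}),
    ("B", 3, {"/var/log/syslog", "/var/log/auth.log"}),
    ("C", 3, {"/var/log/syslog", "/var/log/httpd/access_log"}),
    ("D", 3, {"/var/log/syslog", "/var/log/auth.log", "/var/lib/apt/lists/pkgcache"}),
    ("E", 3, {"/var/log/syslog", "/var/log/httpd/access_log", "/var/log/httpd/error_log"}),
]

# Detection day (day 4): A, B and D show the same worm-like change (a replaced
# daemon, a preload hook, a dropper); E shows an unrelated single-host change
# (an administrator editing login banners). Constructed, not real.
WORM = {"/usr/sbin/sshd", "/etc/ld.so.preload", "/tmp/.x/worm"}
DETECTION = [
    ("A", 4, {"/var/log/syslog", "/var/log/auth.log"} | WORM),
    ("B", 4, {"/var/log/syslog", "/var/log/auth.log"} | WORM),
    ("C", 4, {"/var/log/syslog", "/var/log/httpd/access_log"}),
    ("D", 4, {"/var/log/syslog", "/var/log/auth.log"} | WORM),
    ("E", 4, {"/var/log/syslog", "/var/log/httpd/access_log",
              "/etc/motd", "/etc/issue", "/root/.bashrc"}),
]


def jaccard_distance(a, b):
    """Distance between two file-update sets: 0 = identical, 1 = disjoint."""
    if not a and not b:
        return 0.0
    return 1.0 - len(a & b) / len(a | b)


def single_linkage(points, threshold):
    """Group points whose pairwise distance is below threshold (union-find)."""
    parent = {i: i for i in range(len(points))}

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i, j in combinations(range(len(points)), 2):
        if jaccard_distance(points[i][2], points[j][2]) < threshold:
            parent[find(i)] = find(j)
    groups = {}
    for i in range(len(points)):
        groups.setdefault(find(i), []).append(points[i])
    return list(groups.values())


def detect(training, detection, threshold=0.5, min_hosts=2):
    """Return (alarms, isolated) for one detection day.

    A point is abnormal if no training point lies within `threshold` of it.
    Abnormal points are clustered among themselves; a cluster covering at least
    `min_hosts` distinct hosts is an alarm. Each alarm names the hosts and the
    files they all touched that never appeared in the training window. Hosts
    whose abnormal point stays alone are returned as low-priority outliers.
    """
    seen_in_training = set().union(*(files for _, _, files in training))
    abnormal = [
        p for p in detection
        if min(jaccard_distance(p[2], t[2]) for t in training) >= threshold
    ]
    alarms, isolated = [], []
    for group in single_linkage(abnormal, threshold):
        hosts = sorted({host for host, _, _ in group})
        if len(hosts) >= min_hosts:
            common = set.intersection(*(files for _, _, files in group))
            alarms.append({"hosts": hosts,
                           "files": sorted(common - seen_in_training)})
        else:
            isolated.extend(hosts)
    return alarms, sorted(isolated)


if __name__ == "__main__":
    found, outliers = detect(TRAINING, DETECTION)
    for alarm in found:
        print("ALARM hosts=%s new files=%s" % (alarm["hosts"], alarm["files"]))
    print("isolated outliers (low priority):", outliers)
```

Running it flags hosts A, B and D together with the three files they share that the training window never saw, while E's banner edits are listed only as an isolated outlier: the same size of change on one machine is not treated as an attack, but on three machines at once it is. The threshold and the "at least two hosts" rule are the knobs that trade false alarms against missed small outbreaks, and are the first thing to tune on real file-update telemetry.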
For even more information, you can visit the Seurat Project home page.
The researchers have published their work which appears in the Proceedings of the 7th International Symposium on Recent Advances in Intrusion Detection (RAID2004), held in September 2004 in Sophia Antipolis, France, under the title "Seurat: A Pointillist Approach to Anomaly Detection."
Here is a direct link to the full paper (PDF format, 20 pages, 717 KB). The above diagram was extracted from this paper.
And for those of you who are also interested in Georges Seurat's works, here is what Wikipedia says about him, and a link to a picture of his "Grey weather, Grande Jatte" painting from 1888.
Sources: Matt Hamblen, Computerworld, November 22, 2004; and various websites
Related stories can be found in the following categories.
Arts
Networking
Security
Software