Smart Software Sniffs Out Trouble

July 2001
By Henry S. Kenyon

Intelligent agents ease user’s job, speed responses to cyberattacks.

A security management system allows administrators to track computer network threats by providing near-real-time alerts from remote sensors on the network. Software agents, tailored to be expert monitors of specific programs and devices, use rules sets to sift through data before sending reports to a central management engine that tracks and correlates the information. Thousands of potential alerts then are analyzed and reduced to one or two dozen incidents that require immediate attention.

Network defense is an imperfect science. Much of the effort to detect and respond to intrusions and attacks is often done manually by system administrators searching through hundreds of incident report pages. Multiple intrusion detection products compound this confusion because they cannot interact, resulting in high numbers of false alerts. Few currently available systems can sift through large amounts of information from disparate sources to create an accurate, real-time security picture, system security specialists say.

While attempts to create a framework that allows network defense devices to communicate are underway, they are still in the development phase (SIGNAL, November 1999, page 63). Recent research, however, has resulted in software that is poised for wide-scale deployment.

The CyberWolf enterprise security management system, developed by Mountain Wave Incorporated, Falls Church, Virginia, collects intrusion reports from sensors, software and computers and condenses them to several meaningful instances that warrant an administrator’s attention. These alerts are generated in plain English sentences that can be understood by personnel without specific network training.

According to Jack Beavers, Mountain Wave’s vice president of engineering, CyberWolf evolved from a Defense Advanced Research Projects Agency (DARPA) program that began in 1997. The project’s goal is to create a distributed intelligent system comprising specialized software agents residing in host machines across a network. Each device is programmed to analyze and resolve issues concerning a specific type of intrusion detection system (IDS) or firewall. For example, software assigned to Gauntlet or Raptor firewalls would analyze and report only data pertaining to those programs. The device agents can operate anywhere in a network or they can be managed from a central computer.

These expert devices monitor their local data stream and report only important incidents to the central management program. This function is key to system scalability because the agents otherwise remain silent, Beavers says. A measured response also allows a single management program to monitor many more data sources in real time without affecting system resources, he explains. Pilot programs currently are underway with the Federal Emergency Management Agency (FEMA), the U.S. Air Force and the U.S. Navy.

CyberWolf is written in Java, and its knowledge bases are represented in proprietary rule formats developed by Mountain Wave. The rule engines use only a small amount of code, freeing the host machine’s processors. This economy is important for the software agents because they reside remotely on PCs, servers or laptops, Beavers explains.

However, reduced processor time is not a necessity for the management software, as it is usually located in a dedicated host server. Additional computational power is necessary because the software manager must be able to access an Oracle database to record and track incidents. “When you are talking about protecting a military installation, dedicating a single Windows 2000 1-gigahertz machine is nothing,” he observes.

The service is designed to work hand-in-hand with an IDS. CyberWolf can quickly interface with existing software and equipment while remaining flexible enough to adapt to new technologies. “From the beginning of the DARPA research, our basic thought was that we wanted this service to leverage all the clever, brilliant things people are doing out there as quickly as possible,” he says.

The intelligent agent’s architecture is designed to interface with other sensors—usually without any code. This is accomplished by writing a translation table to interpret external material into an internal format and rules or into data representing knowledge. In this way information is represented in both rules and data, Beavers explains. Because it is written in Java, CyberWolf is also operating system-independent and can run in WINTEL, Linux, Solaris and AIX environments.

Beavers notes that many Internet security companies field products that produce and escalate alarms depending on the urgency of the perceived attack. However, a major problem with contemporary IDS technologies is that they produce numerous false alarms. The sheer number of these false positives can overwhelm staff at large facilities. “All too often, the information is not correlated into a form that can be quickly assembled into a coherent picture of an incident. How many incidents do we have? What’s happened with each of these, and how do I develop a plan to deal with them?” he asks.

System administrators often have to manually sift through thousands of alerts to find a significant incident. The effort is time-consuming and takes place after an attack has occurred, Beavers says. CyberWolf automates this process by recording all of the incoming incident data, sifting through them for relevant information then presenting only the most important alerts to network operators.

The CyberWolf manager oversees all of the data coming in from the software agents and often runs on a central server, Beavers says. It can also operate from a PC or a laptop computer, but it usually resides on a server to use the Oracle database designed to record intrusion data. The manager also utilizes a rules engine to prioritize information, with the attached Oracle database serving as a long-term memory. This function is significant to address issues such as low-intensity attacks and probes that may take place over several weeks. To detect and counter such intrusions, the system must be able to remember events occurring over a long period of time, he points out.
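To make the division of labour in the preceding paragraphs concrete, here is an added illustration, written for this page and not CyberWolf's own code (Mountain Wave's rule formats are proprietary and the article does not show them): per-sensor translation tables turn raw log lines into one internal alert form, a host-side agent applies a small rule set and stays silent about noise, and a central manager keeps a long per-source memory so a probe spread over weeks still surfaces as a single plain-English ticket. The log formats, signature names, thresholds and addresses are constructed for the example.

```python
"""Added sketch of the agent/manager pipeline: translation tables ->
agent rule set -> central manager with long-term memory -> tickets.
All sensor formats, thresholds and addresses below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Alert:
    """Internal, sensor-independent alert form."""
    sensor: str
    src: str
    dst: str
    kind: str     # "deny" (firewall) or "signature" (IDS)
    detail: str   # destination port or signature name
    day: int      # day number standing in for a timestamp


# Translation tables: one pattern per sensor type, mapped onto Alert fields.
TRANSLATION = {
    "firewall": re.compile(
        r"day=(?P<day>\d+) DENY src=(?P<src>\S+) dst=(?P<dst>\S+) port=(?P<detail>\d+)"),
    "ids": re.compile(
        r"day=(?P<day>\d+) ALERT sig=(?P<detail>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)"),
}


def translate(sensor, line):
    """Interpret one external log line into the internal format (None if unparseable)."""
    m = TRANSLATION[sensor].match(line)
    if not m:
        return None
    kind = "deny" if sensor == "firewall" else "signature"
    return Alert(sensor, m["src"], m["dst"], kind, m["detail"], int(m["day"]))


NOISE_SIGNATURES = {"ICMP_ECHO"}   # constructed: plain pings are local noise


def agent_filter(alerts):
    """Local expert: suppress known noise, drop exact duplicates, forward the rest."""
    seen = set()
    for a in alerts:
        if a.kind == "signature" and a.detail in NOISE_SIGNATURES:
            continue
        key = (a.src, a.dst, a.kind, a.detail, a.day)
        if key in seen:
            continue
        seen.add(key)
        yield a


class Manager:
    """Central correlator; history[src] stands in for the long-term database."""
    MEMORY_DAYS = 30   # how far back a source's activity is remembered
    SCAN_PORTS = 5     # distinct denied ports within memory => probe

    def __init__(self):
        self.history = defaultdict(list)

    def ingest(self, alert):
        hist = self.history[alert.src]
        hist.append(alert)
        # Forget activity older than the memory window, relative to the newest alert.
        self.history[alert.src] = [a for a in hist if alert.day - a.day <= self.MEMORY_DAYS]

    def tickets(self):
        """Reduce the remembered alerts to a few plain-English incident lines."""
        out = []
        for src, hist in self.history.items():
            ports = {a.detail for a in hist if a.kind == "deny"}
            sigs = {a.detail for a in hist if a.kind == "signature"}
            days = sorted({a.day for a in hist})
            if len(ports) >= self.SCAN_PORTS:
                hosts = len({a.dst for a in hist})
                span = days[-1] - days[0] + 1
                out.append(f"Incident: {src} probed {len(ports)} ports on {hosts} host(s) "
                           f"over {span} days (slow scan).")
            elif sigs:
                out.append(f"Incident: {src} triggered IDS signatures {sorted(sigs)}.")
        return out


def run_demo():
    """Constructed feed: 300 ping alerts, a port probe spread over 25 days and a
    triplicated IDS hit. Returns (raw line count, ticket list)."""
    raw = [("ids", f"day={d % 30 + 1} ALERT sig=ICMP_ECHO src=10.0.0.9 dst=192.0.2.10")
           for d in range(300)]
    raw += [("firewall", f"day={d} DENY src=10.0.0.5 dst=192.0.2.20 port={p}")
            for d, p in zip((1, 7, 13, 19, 25), (21, 22, 23, 25, 80))]
    raw += [("ids", "day=12 ALERT sig=CGI_PROBE src=10.0.0.7 dst=192.0.2.30")] * 3
    alerts = (translate(s, line) for s, line in raw)
    mgr = Manager()
    for a in agent_filter(a for a in alerts if a is not None):
        mgr.ingest(a)
    return len(raw), mgr.tickets()


if __name__ == "__main__":
    count, tickets = run_demo()
    print(f"{count} raw alerts -> {len(tickets)} tickets")
    for t in tickets:
        print(t)
```

The agent never forwards the 300 ping alerts, so the manager only ever spends memory on the two sources that matter; the memory window is what lets five denied connections, one every six days, be recognised as a single probe instead of five unrelated firewall entries.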

System administrators monitor the network through a thin-client, World Wide Web-based graphical user interface (GUI). Notices of security incidents appear on what Beavers calls “trouble tickets” on the GUI. He notes that the firm’s experience at FEMA over the past two years has proven to be invaluable in this area because alpha and beta versions of CyberWolf have been deployed at the agency. The resulting data and feedback greatly improved the current version of the technology, he says.

The incident tickets are constantly updated, allowing administrators to track and react to an incident as it is taking place. The software manager interprets the data from the agents and logs its conclusions about the nature and the extent of the attack on the tickets. “If we’ve done our job right and put in the proper knowledge bases, a security administrator has to look at only a page or two of the incident ticket to get a pretty good picture of what’s going on without having to manually paw through a bunch of different alarms that may not be related to the trouble,” Beavers says.

Another important feature of the software is that it can record and maintain a system administrator’s choices for alert settings and system requirements. For example, in certain military applications it would be inappropriate to shut down a field commander’s computer if an irregularity is detected. Instead of deactivating the computer, the response may be set to only deny Internet access, he explains.

Once these parameters are set, they remain in the system, even when the administrator leaves. This allows for greater flexibility with replacement personnel because they do not have to be as skilled as the original administrator was; they only have to be trained to deal with the system’s conclusions about an incident, Beavers states.

The system is also scalable. CyberWolf managers can report to other software managers across a large network. In theory, this would allow separate network reports to be sent to a central CyberWolf manager in a computer emergency response center, he says.

Beavers believes that Mountain Wave had an advantage while it was developing the software because its programmers had previously developed air traffic control systems. The developers knew how to create fault-tolerant systems such as those successfully deployed by the Federal Aviation Administration. This big-system view was valuable. It allowed engineers to handle issues such as creating reliable communication between the software experts and the manager, he says. Robust design methodology also meant that if an expert malfunctions or is disabled, the system is alerted and will attempt to restart the software.

At FEMA, CyberWolf protects the agency’s network perimeter by monitoring seven firewalls, more than 200 routers, identification and authentication servers, more than 100 modems, three IDS systems, and more than 24 file transfer protocol (FTP), domain name system (DNS) and Web servers. CyberWolf can scan through 1.3 gigabytes of data per day in real time, which allows one person to administer the entire agency, Beavers says.

Mountain Wave is also working with the Air Force Research Laboratories. The firm is primarily contracted to develop methods to automatically correlate network management with security label information. For example, the system would be able to identify false alarms coming from a malfunctioning IDS or other security device. Instead of reporting a potential incident, it would classify it as a failure in the device. Beavers explains that eliminating these software- and equipment-related false alarms reduces the number of actual alerts a system must consider.
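Two of the behaviours above lend themselves to a single worked example: the Air Force Research Laboratories work of correlating alarms with network-management status so that a malfunctioning sensor is reported as a device fault rather than as a stream of intrusions, and the stored per-asset response policy described earlier, under which a field commander’s computer loses Internet access rather than being shut down. The code below is added for this page and is not Mountain Wave’s; the sensor names, status feed, health thresholds, signature names and asset roles are all constructed.

```python
"""Added example: classify alarms from an unhealthy sensor as a device
failure, then pick the response from a stored per-asset policy.
Sensor names, status values, thresholds and roles are constructed."""
from collections import defaultdict

# Network-management view of each sensor (constructed status feed).
SENSOR_STATUS = {
    "ids-east": {"reachable": True,  "clock_skew_s": 2,    "signature_db_ok": True},
    "ids-west": {"reachable": False, "clock_skew_s": 5400, "signature_db_ok": False},
}

BASELINE_ALERTS_PER_HOUR = 50   # constructed normal rate for one sensor
RATE_MULTIPLIER = 20            # this many times baseline looks like a fault, not an attack


def sensor_health(name, alerts_last_hour):
    """Return the reasons a sensor looks broken; an empty list means healthy."""
    st = SENSOR_STATUS.get(name, {})
    reasons = []
    if not st.get("reachable", True):
        reasons.append("management plane unreachable")
    if st.get("clock_skew_s", 0) > 300:
        reasons.append("clock skew over 5 minutes")
    if not st.get("signature_db_ok", True):
        reasons.append("signature database failed its integrity check")
    if alerts_last_hour > RATE_MULTIPLIER * BASELINE_ALERTS_PER_HOUR:
        reasons.append(f"alert rate {alerts_last_hour}/h exceeds {RATE_MULTIPLIER}x baseline")
    return reasons


def classify(alerts):
    """alerts: iterable of (sensor, src, signature). A sensor that fails its
    health checks yields one device-failure ticket in place of per-alarm
    incidents; a healthy sensor yields one incident per distinct (src, sig)."""
    per_sensor = defaultdict(list)
    for sensor, src, sig in alerts:
        per_sensor[sensor].append((src, sig))
    tickets = []
    for sensor, items in per_sensor.items():
        reasons = sensor_health(sensor, len(items))
        if reasons:
            tickets.append({"type": "device_failure", "sensor": sensor,
                            "text": f"{sensor}: {len(items)} alarms set aside; "
                                    f"device fault ({'; '.join(reasons)})"})
            continue
        for src, sig in sorted(set(items)):
            tickets.append({"type": "incident", "sensor": sensor, "src": src,
                            "text": f"{sensor}: {sig} from {src}"})
    return tickets


# Administrator's stored choices, keyed by the role of the affected asset.
# They persist in the system, so a replacement operator inherits them.
RESPONSE_POLICY = {
    "field_commander_workstation": "deny_internet_access",
    "file_server": "isolate_host",
    "default": "shut_down_host",
}


def choose_response(ticket, asset_role):
    """Map a ticket to the configured response for the asset it concerns."""
    if ticket["type"] == "device_failure":
        return "open_maintenance_ticket"
    return RESPONSE_POLICY.get(asset_role, RESPONSE_POLICY["default"])


def run_demo():
    """Constructed feed: three repeats of one real-looking IDS hit from a healthy
    sensor, and 2,000 alarms from a sensor the management plane cannot reach."""
    alerts = [("ids-east", "203.0.113.7", "CGI_PROBE")] * 3
    alerts += [("ids-west", f"198.51.100.{i % 250}", "SYN_FLOOD") for i in range(2000)]
    tickets = classify(alerts)
    responses = [(t["text"], choose_response(t, "field_commander_workstation")) for t in tickets]
    return tickets, responses


if __name__ == "__main__":
    for text, response in run_demo()[1]:
        print(f"{text} -> {response}")
```

Two thousand alarms from ids-west collapse into one maintenance ticket because the network-management feed, not the alarm content, says the device is broken; the single genuine incident from ids-east is then answered according to the role of the affected host rather than with a blanket shutdown.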

The Navy is working on a pilot project to use CyberWolf to monitor systems aboard its ships. Currently, researchers are exploring ways to monitor a ship’s computer network to detect configuration changes. One goal is to automatically undo such changes almost as quickly as they are made and to discern other security problems. “They want to know if somebody is using a modem or changing the hardware,” Beavers explains.

The CyberWolf service also has applications beyond government areas. Beavers notes that commercial organizations face the same sort of security challenges as the federal sector, and he is hopeful that the near future will see a large-scale deployment in the business world. However, he predicts the first large applications will be in government and military markets.
