Intrusion Detection Technology Closes in on Hackers

August 2000
By Christian B. Sheehy

Federal agency, company team up to detect, track and negate network system attacks across multiple boundaries.

Protecting the average business computer from a barrage of malicious network intrusions is high on the priority list of many of today’s World Wide Web-based organizations. In a move to step up research in network security technology, the U.S. Navy is contracting out a three-year effort to pursue security systems development.

The framework for the research is the Defense Advanced Research Projects Agency’s (DARPA’s) active networks program, which since 1996 has focused on transforming existing networks into more dynamic and programmable entities. Now, the program has expanded its scope to include research on new types of intrusion detection.

The objective of the $6.5 million contract between the Navy and Network Associates Incorporated (NAI), Santa Clara, California, is to develop a new networking platform that can accommodate rapid evolution and deployment of networking technologies. These ultimately will help the military and many commercial organizations combat service attacks before they can compromise network confidentiality.

“What we are trying to achieve is a marriage between active networks technology and the new intrusion detection and response technology that Network Associates has been working on,” Dr. Douglas Maughan, program manager for DARPA’s information technology office, states. “In doing so, we hope to move the intrusion detection capability out into the networks where it can stop systems attacks before they reach their hosts,” he explains.

“By exploiting the power of known solutions to create more adaptive forms of intrusion detection and response capabilities, we can increase network self-sufficiency,” Daniel Sterne, manager of adaptive network defense research for NAI Labs, reports. “Using the existing framework of intrusion detection coordination technology called intrusion detection interactive protocol (IDIP), we can add or replace previously used components with the latest in active networks research.”

Modifying existing infrastructures to make them compatible with the latest software designs is more cost-effective for both manufacturers and consumers, because it builds on equipment that already works rather than producing new hardware first. Once installed, IDIP technology will increase network robustness in the area of protection systems, improving the defenses of old networks without necessarily having to build new ones.

“One idea we are currently pursuing is called rate limiting, which reduces problems associated with information flooding or denial-of-service attacks,” Sterne explains. “Using a piece of mobile code as a rate limiter, we can send it through a network from the intended target toward the source of the intrusion, and it will not only mitigate a flooding attack there but also at any nearby networks as well.”

The recent outbreak of network service interruptions has pushed administrators of active networks to develop a response that can be deployed quickly and efficiently. Using IDIP technology, a series of routers and detectors working cooperatively can trace an attack that spans multiple networks back to its source. A querying protocol lets designated components recognize potentially malicious traffic as it passes through the network’s pathways.

“Up until now, our ability to locate the source of a system attack has been limited by a network’s boundaries,” Sterne continues. “When introduced, trace-back technology will allow us to determine the origin of system attacks even when they’ve hopped from one network to another.” Once the source of an attack is pinpointed, a firewall is set up to prevent further damage to the targeted components. With IDIP, such firewalls will be installed ahead of an attack, effectively cutting it off.

In the past, network response capabilities have relied, to a great degree, on manual intervention. Advances in automation have not come easily in the area of threat prevention. Adapting network defenses so that they can move independently to protect vulnerable programs has been one of the industry’s biggest challenges. “As advanced designs are developed, they require equally advanced methods of keeping them out of harm’s way,” Sterne emphasizes. “New systems are only effective if they are not rendered useless by the lack of protective monitoring.”

Early intrusion detection is only the first step in determining the source of an attack and subsequently blocking further assaults. After an offender has been located and stopped by a firewall, the key becomes tracing the attack path back to its starting point. The problem is that many attacks do not originate in the network where they ultimately do their damage. This tendency to hop from network to network is the main weakness of antiviral programs, which are simply unable to trace the attack source back farther than the boundary of the affected network.

“We are currently working on the trace-back area of IDR [intrusion detection response] technology to try to develop methods by which an attack path can be followed all the way back to its source, even when the point of attack origination is in another network,” Sterne explains. “The idea is to bridge the gap between networks using the attack path as a link back to the source so that a multiple network attack becomes as easy to rout as a single network one.”
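The cooperative trace-back and mobile rate limiter described in the preceding paragraphs, reduced to a runnable model. This is an added example and not NAI’s IDIP code or protocol: the topology, the flood threshold, the per-node “which neighbour delivered this flow” table and the way the limiter is installed at every hop of the traced path are all constructed assumptions made here to illustrate the idea. The victim detects a flood, walks the recorded upstream pointers across three network domains to the ingress node nearest the source, and the limiter is then applied at that node and at each network the flood would have crossed.

```python
"""Simplified model of cooperative trace-back and rate limiting across network boundaries."""
import math
from collections import defaultdict
from dataclasses import dataclass, field

FLOOD_THRESHOLD = 1000  # packets per interval that a detector treats as flooding (constructed value)


@dataclass
class Node:
    """A router or detector taking part in the cooperative trace-back."""
    name: str
    domain: str
    upstream: dict = field(default_factory=dict)                          # flow id -> Node that delivered it
    seen: defaultdict = field(default_factory=lambda: defaultdict(int))   # flow id -> packets observed
    limit: dict = field(default_factory=dict)                             # flow id -> max packets passed on

    def forward(self, flow, packets, came_from):
        """Record which neighbour delivered the flow, then apply any installed rate limit."""
        self.upstream[flow] = came_from
        self.seen[flow] += packets
        return min(packets, self.limit.get(flow, math.inf))


def send(path, flow, packets):
    """Push `packets` of `flow` hop by hop along `path`; return how many reach the last node."""
    prev = None
    for node in path:
        packets = node.forward(flow, packets, prev)
        prev = node
    return packets


def detect_flood(victim, flow):
    """The target's detector raises an alert once the observed volume exceeds the threshold."""
    return victim.seen[flow] > FLOOD_THRESHOLD


def trace_back(victim, flow):
    """Follow the upstream pointers from the victim until a node has none: the ingress nearest the source."""
    trace = [victim]
    while trace[-1].upstream.get(flow) is not None:
        trace.append(trace[-1].upstream[flow])
    return trace


def domains_crossed(trace):
    """Distinct network domains along the trace, listed from the victim outward."""
    domains = []
    for node in trace:
        if node.domain not in domains:
            domains.append(node.domain)
    return domains


def deploy_rate_limiter(trace, flow, rate):
    """Install the limiter at every hop of the traced path, so the flood is throttled nearest its
    source and again at each downstream network it would otherwise cross."""
    for node in trace:
        node.limit[flow] = rate
    return [node.name for node in trace]


def build_topology():
    # Constructed five-hop path: source network -> transit network -> victim network.
    return [
        Node("E1", "source-net"),
        Node("R1", "transit-net"),
        Node("R2", "transit-net"),
        Node("R3", "victim-net"),
        Node("V", "victim-net"),
    ]


def run_scenario(flood_size=10_000, limit_rate=100):
    """Flood the victim, detect it, trace it back, deploy the limiter, flood again."""
    path = build_topology()
    victim = path[-1]
    flow = "flow-1"
    before = send(path, flow, flood_size)
    alert = detect_flood(victim, flow)
    trace = trace_back(victim, flow)
    limited_at = deploy_rate_limiter(trace, flow, limit_rate)
    after = send(path, flow, flood_size)
    return {
        "delivered_before": before,
        "alert": alert,
        "trace": [node.name for node in trace],
        "domains": domains_crossed(trace),
        "limited_at": limited_at,
        "delivered_after": after,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The important property of the model is that nothing more than a per-flow "came from" pointer has to be shared between domains: each node answers the single question "which neighbour handed you this flow", and chaining those answers is what carries the trace past a network boundary.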

Aside from the benefits that increased programmability can afford a network, greater system versatility also can open the door to more threats from foreign networks. Although most network security systems rely on code authentication, each new program option makes it easier for outside code to execute successfully within a receiving network. Rather than limiting the growth of new system capabilities, accompanying protective programs are designed to meet the security needs of the latest software while keeping pace with the new technology.

As networks become more complex, the proper management of these technologically advanced systems is one of the biggest challenges facing the active networks program. “Today, you’re getting many more instances of multiple-code execution on the same network,” Maughan remarks. “Being able to manage each variation of downloaded code, often within multiple network domains, is important if you want to keep tabs on the code entering and exiting the system.”

Code authentication is a commonly used means of managing code traveling throughout a network. Ensuring that the individuals or processes issuing code on a given network have the proper authorization to do so is fundamental to the security architecture of active networks. Since networks are connected by necessity, the integrity of many is often compromised by the lax security of one. In the future, any code violations will be communicated using IDIP. Along with responding and tracing back to the site of an attack, IDIP will notify network personnel of an intrusion so that they can take action.
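An added example of the code authentication and notification that the paragraph above describes, written here and not taken from the active networks program or from NAI. It assumes a small model in which a capsule of mobile code carries the issuer’s name, an instruction and an authentication tag; an HMAC under a per-issuer shared key stands in for a real digital signature, the issuer table and the “authorized issuers” set are constructed, and the instruction language is a single `set-limit <flow> <rate>` command. A node applies the instruction only after the capsule authenticates, and every rejection is recorded as an alert a coordination protocol such as IDIP could carry to network personnel.

```python
"""Authenticating mobile code before an active node acts on it."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Capsule:
    """A unit of mobile code: who issued it, the instruction, and a tag over both."""
    issuer: str
    code: bytes
    tag: bytes


# Constructed key table: one shared secret per known issuer (an HMAC stand-in for signing keys).
ISSUER_KEYS = {
    "ops-team": secrets.token_bytes(32),
    "partner-net": secrets.token_bytes(32),
}
# Only these issuers may inject code into this network domain (constructed policy).
AUTHORIZED_ISSUERS = {"ops-team"}


def _tag(key, issuer, code):
    # The issuer name is bound into the tag, so a capsule cannot be re-attributed to another issuer.
    return hmac.new(key, issuer.encode() + b"\x00" + code, hashlib.sha256).digest()


def issue(issuer, code):
    """Produce an authenticated capsule on the issuer's side."""
    return Capsule(issuer, code, _tag(ISSUER_KEYS[issuer], issuer, code))


def verify(capsule, alerts):
    """Accept only capsules from an authorized issuer whose tag matches; record every rejection."""
    key = ISSUER_KEYS.get(capsule.issuer)
    if key is None or capsule.issuer not in AUTHORIZED_ISSUERS:
        alerts.append(("unauthorized-issuer", capsule.issuer))
        return False
    if not hmac.compare_digest(capsule.tag, _tag(key, capsule.issuer, capsule.code)):
        alerts.append(("bad-tag", capsule.issuer))
        return False
    return True


def apply_capsule(capsule, limits, alerts):
    """Interpret a 'set-limit <flow> <rate>' instruction, but only after the capsule authenticates."""
    if not verify(capsule, alerts):
        return False
    parts = capsule.code.decode(errors="replace").split()
    if len(parts) != 3 or parts[0] != "set-limit" or not parts[2].isdigit():
        alerts.append(("malformed-instruction", capsule.issuer))
        return False
    limits[parts[1]] = int(parts[2])
    return True


def run_demo():
    """Four constructed capsules: genuine, tampered, authenticated-but-unauthorized, unknown issuer."""
    limits, alerts = {}, []
    genuine = issue("ops-team", b"set-limit flow-1 100")
    # Same tag as the genuine capsule, but the instruction body was altered in transit.
    tampered = Capsule("ops-team", b"set-limit flow-1 1000000", genuine.tag)
    # Correctly tagged by a known issuer that this domain has not authorized.
    foreign = issue("partner-net", b"set-limit flow-1 0")
    unknown = Capsule("nobody", b"set-limit flow-1 0", b"")
    results = {
        "genuine": apply_capsule(genuine, limits, alerts),
        "tampered": apply_capsule(tampered, limits, alerts),
        "foreign": apply_capsule(foreign, limits, alerts),
        "unknown": apply_capsule(unknown, limits, alerts),
    }
    return results, limits, [reason for reason, _ in alerts]


if __name__ == "__main__":
    accepted, limits, reasons = run_demo()
    print(accepted, limits, reasons)
```

The two checks are deliberately separate: a tag that verifies proves who issued the code, and the authorization set decides whether that issuer may act in this domain. The partner network’s capsule is rejected even though it is genuine, which is the "lax security of one" case in the text: a compromised or careless neighbour cannot push code into a domain that has not listed it.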

In researching ways to make network systems programming more dynamic, the active networks program is also taking overall performance into account. “Bandwidth requirements may be high for the new application, leaving little for other programs,” Maughan relates. “Rather than getting rid of older but still useful programs, we can increase bandwidth availability by drawing on the resource needs of certain programs dynamically across numerous networks.” Active networks research is exploring ways to maximize the efficiency of existing bandwidth while tapping other network resources.

As a growing number of network users execute code at specific locations throughout shared networks, ensuring that resources are equally available to all who need them is an essential part of good network management. Resource allocation is one way that the active networks program is helping to maintain order in the chaotic world of networking. “You have to make sure that everybody is getting a fair share of the resources at a given information node,” Maughan remarks. “We are studying ways of guaranteeing equal share resource allocation on everything from central processing unit time, to disk space, to communications bandwidth.”
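A worked example of the fair-share allocation that Maughan describes, added here as an illustration rather than taken from the active networks program. The article does not say which allocation rule the program studied; the max-min fair share algorithm below is an assumption, chosen because it gives every requester an equal share of the resource up to what it actually asked for, and hands any surplus from small requests to the larger ones. The same routine serves CPU time, disk space or bandwidth; only the unit of `capacity` changes.

```python
"""Max-min fair share allocation of one shared resource among several requesters."""


def max_min_fair_share(capacity, demands):
    """Return {user: allocation} such that no user receives more than it demanded, every
    unsatisfied user receives the same amount, and no allocation can grow without shrinking a
    smaller one. `demands` maps user -> requested amount in the same unit as `capacity`."""
    allocation = {}
    remaining = float(capacity)
    pending = sorted(demands.items(), key=lambda item: item[1])  # smallest request first
    while pending:
        share = remaining / len(pending)
        user, demand = pending[0]
        if demand <= share:
            # Small request fits inside an equal share: grant it fully, surplus flows to the rest.
            allocation[user] = demand
            remaining -= demand
            pending.pop(0)
        else:
            # The smallest remaining request already exceeds an equal share, so everyone left
            # gets exactly that share, regardless of how much more they asked for.
            for user, _ in pending:
                allocation[user] = share
            break
    return allocation


def run_demo():
    """Two constructed cases: mixed demands on a 10-unit link, and one requester trying to take all."""
    mixed = max_min_fair_share(10, {"a": 2, "b": 2.6, "c": 4, "d": 5})
    # One node demanding far more than the link cannot starve a modest neighbour.
    greedy = max_min_fair_share(100, {"normal": 10, "greedy": 1000})
    return mixed, greedy


if __name__ == "__main__":
    for case in run_demo():
        print(case)
```

The security reading of the second case is the point the text makes about keeping order at a shared node: a single flow that asks for everything is capped at whatever is left after the other requesters have been served, so exhausting the resource by demand alone is not possible.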

Along with enhanced resource management, the active networks program involves improving existing techniques for routing information to and from network destinations. Data transfer is fundamental to active networking and is at the core of active networks technology. Determining the best route for the movement of information through a network is an ongoing part of active networks research, Maughan notes.

Some projected capabilities that could make active networking more recognizable to the public in the near future are in the areas of video application and server propagation. Before active networks technology, if the recipient of a video application was not satisfied with the picture resolution, the individual would have to return a network-routed request back to the sender asking for the parts of the visual that were lost in transmission. If the sender was more than one network removed from the receiver, the request would have to go through multiple networks before it reached the sender. This process would take time to complete, delaying the full execution of the application. “With active networking, the receiver’s request would only have to travel back to the previous network before a connection could be re-established with the sender, decreasing the period of latency between a partial video picture and a completed one,” Maughan adds.

Active networks technology research is developing ways for independently constructed server sites to be accepted automatically by networks that would otherwise not link to the server. “Rather than relying on manual formatting by other users, active networking will allow someone to propagate a server instantly throughout any network,” Maughan explains. “In the same way, active networking will also enable the deployment of network defense measures across multiple boundaries without the need for individual intervention at each network.” In both of these situations, the active networks principle is a future ability to bypass today’s Internet constraints in the interest of bringing more services to people in less time and for less money.

Aside from detection and trace-back capabilities, active networking researchers are studying methods to repair and recover infected files or programs damaged by virus-related attacks. “The idea will be to send in programs that can locate infected or malicious files and delete or isolate them depending on needs at the time,” Sterne indicates. “The final task would be resetting the necessary controls so that the system could be brought back online and put back into normal operating mode.”

Although DARPA has not had a large military requirement for active networking to date, commercial interest has grown steadily. “This is a technology that more and more businesses are seeing as an absolute necessity,” Maughan declares. “As applications get bigger, requiring larger amounts of bandwidth to operate, we see a greater implementation of active networking by the military on the basis of its need for commercial products.” Finding more applications for active networking in the military services, he adds, will likely come as commercial demand grows.