05:06 PM
Dark Reading
Dark Reading
Products and Releases
Connect Directly

Pacific Northwest National Laboratory Creates New Sensor To Stop Attackers In Their Tracks

Tool determines which applications are communicating with external network

RICHLAND, Wash. - The good guys have a new, innovative tool to help them identify and understand cyber attacks.

Developed by a researcher at the Department of Energy’s Pacific Northwest National Laboratory, the new Hone cyber sensor determines how network activity on a computer is related to an application such as Internet Explorer or any running process. Finding these relationships enables cyber security experts to more quickly identify a potential problem and dissect how it works.

Currently, system and security administrators spend a lot of their time looking for unusual communication patterns between their computer systems and the external network. When they find suspicious communication, it isn’t immediately obvious which program is doing the communicating. So the administrators closely watch the computer in the hopes of seeing the program work again. But there’s no guarantee they’ll find it, as many dangerous programs only show up for a few seconds at a time and can be silent for days or months. Hone eliminates these time-consuming investigations by keeping a record of all communications that applications make. If an administrator later finds a program, the administer of the computer system will be able to immediately understand how the two are connected with Hone’s help.

Hone is unique because it doesn’t just observe communications between computers on a network. It also determines from which specific programs – such as web browsers, system updates or even malicious program – those communications are coming.

“Hone makes monitoring and understanding web-based attacks faster and easier,” said its inventor, PNNL computer scientist Glenn Fink. “The sensor isn’t a firewall or antivirus program that protects the host computer. Instead, it identifies the relationship between programs and their network activities, allowing system and security administrators to more quickly identify – and hopefully solve – problems such as cyber attacks.”

The sensor isn’t limited to investigating cyber attacks. Computer programmers could also use Hone to debug new networked applications they’re developing and firewall administrators could adapt Hone data to verify that only certain processes on their system can communicate to the network. And security researchers could use it to monitor what their machines are doing and identify threats such as computer viruses, spyware and stealthy rootkits, which are programs that attackers use to maintain covert access to a computer system.

Fink initially developed Hone’s rough framework as a postdoctoral researcher at Virginia Tech. PNNL researchers are currently using Hone to analyze computer traffic in a project that is examining how attackers use a scheme called “pass the hash” to break into computer systems.

Hone is available to for the Linux operating system in kernels 2.6.32 and later. Other versions are also being developed for Windows 7 and Windows XP. And a MacOS X version is planned. The data that Hone collects is provided in the PCAP-NG (Packet Capture-Next Generation) format, which can be viewed in the Wireshark network analysis program. In addition, PNNL is developing a way to visualize Hone’s date, which the lab hopes to license in the future.

Hone is essentially in the beta-testing stage, and has some room for minor tweaks and improvements. Fink and his collaborators are asking computer industry professionals to help them improve it by cloning the tool’s Linux version, which is available as an open source code online at Technical questions can also be directed to Fink at glenn.fink @ pnnl .gov.

# # #

Pacific Northwest National Laboratory is a Department of Energy Office of Science national laboratory where interdisciplinary teams advance science and technology and deliver solutions to America's most intractable problems in energy, the environment and national security. PNNL employs 4,800 staff, has an annual budget of nearly $1.1 billion, and has been managed by Ohio-based Battelle since the lab's inception in 1965. Follow PNNL on Facebook, LinkedIn and Twitter.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-07-11
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.