Dark Reading
Products and Releases
4/11/2012 05:06 PM

Pacific Northwest National Laboratory Creates New Sensor To Stop Attackers In Their Tracks

Tool determines which applications are communicating with external network

RICHLAND, Wash. - The good guys have a new, innovative tool to help them identify and understand cyber attacks.

Developed by a researcher at the Department of Energy’s Pacific Northwest National Laboratory, the new Hone cyber sensor determines how network activity on a computer is related to an application such as Internet Explorer or any running process. Finding these relationships enables cyber security experts to more quickly identify a potential problem and dissect how it works.

Currently, system and security administrators spend a lot of their time looking for unusual communication patterns between their computer systems and the external network. When they find suspicious communication, it isn’t immediately obvious which program is doing the communicating, so the administrators closely watch the computer in the hope of seeing the program act again. But there’s no guarantee they’ll catch it, as many dangerous programs only show up for a few seconds at a time and can be silent for days or months. Hone eliminates these time-consuming investigations by keeping a record of every communication that applications make. If an administrator later finds a suspicious program, Hone’s record lets the administrator of the computer system immediately understand how the program and the communication are connected.

Hone is unique because it doesn’t just observe communications between computers on a network. It also determines from which specific programs – such as web browsers, system updates or even malicious programs – those communications are coming.
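The relationship Hone records, which process owns which network connection, can be reconstructed on Linux from userland by joining the socket inode listed in /proc/net/tcp against the socket:[inode] symlinks under each /proc/&lt;pid&gt;/fd. The script below is an added example written for this page, not Hone’s code: it parses a constructed /proc/net/tcp snapshot and a constructed list of fd symlink targets, attributes each socket to a process, and flags sockets that no longer have an owner (the TIME_WAIT socket with inode 0). That unattributed row is exactly the gap the article describes, since a point-in-time snapshot like this one cannot name a process that exited before the snapshot was taken, whereas Hone keeps a continuous record. The endpoint decoder assumes a little-endian host, which is how the kernel prints the address on x86.

```python
"""Attribute TCP sockets to their owning processes from /proc (Linux).

Added example; the sample /proc/net/tcp text and fd links below are constructed.
"""
import os
import re
import socket
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Socket state codes as printed in the 'st' column of /proc/net/tcp.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}
SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")


@dataclass
class SocketRecord:
    local: str
    remote: str
    state: str
    inode: int
    pid: Optional[int] = None
    comm: Optional[str] = None


def decode_endpoint(hexaddr: str) -> str:
    """'0100007F:0CEA' -> '127.0.0.1:3306'. The kernel prints the IPv4 address as a
    native-order 32-bit integer, so on little-endian hosts (assumed here) the octets
    appear reversed; the port is big-endian hex."""
    addr_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return f"{ip}:{int(port_hex, 16)}"


def parse_proc_net_tcp(text: str) -> List[SocketRecord]:
    """Parse the text of /proc/net/tcp into SocketRecords (header line is skipped)."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10 or not fields[0].endswith(":"):
            continue  # header or malformed line
        records.append(SocketRecord(
            local=decode_endpoint(fields[1]),
            remote=decode_endpoint(fields[2]),
            state=TCP_STATES.get(fields[3], fields[3]),
            inode=int(fields[9]),
        ))
    return records


def socket_owners_from_links(links: Iterable[Tuple[int, str, str]]) -> Dict[int, Tuple[int, str]]:
    """Map socket inode -> (pid, comm) from (pid, comm, readlink target) triples."""
    owners: Dict[int, Tuple[int, str]] = {}
    for pid, comm, target in links:
        m = SOCKET_LINK.match(target)
        if m:
            owners[int(m.group(1))] = (pid, comm)
    return owners


def scan_proc_fds(proc_root: str = "/proc") -> List[Tuple[int, str, str]]:
    """Collect (pid, comm, link target) for every fd of every process we may read."""
    links = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"{proc_root}/{pid}/comm") as f:
                comm = f.read().strip()
            for fd in os.listdir(f"{proc_root}/{pid}/fd"):
                try:
                    links.append((pid, comm, os.readlink(f"{proc_root}/{pid}/fd/{fd}")))
                except OSError:
                    continue  # fd closed between listdir and readlink
        except OSError:
            continue  # process exited, or not ours to inspect
    return links


def correlate(records: List[SocketRecord], owners: Dict[int, Tuple[int, str]]) -> List[SocketRecord]:
    """Attach pid/comm to each record; inode 0 or an unknown inode stays unattributed."""
    for r in records:
        if r.inode and r.inode in owners:
            r.pid, r.comm = owners[r.inode]
    return records


def unattributed(records: List[SocketRecord]) -> List[SocketRecord]:
    """Sockets whose owning process is gone or unreadable: the snapshot's blind spot."""
    return [r for r in records if r.pid is None]


# Constructed snapshot: sshd listening, curl talking to a web server, one TIME_WAIT orphan.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18231 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B4E2 2B01A8C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 40117 1 0000000000000000 20 4 30 10 -1
   2: 0F02000A:B4F0 2B01A8C0:01BB 06 00000000:00000000 03:00001234 00000000     0        0 0 3 0000000000000000
"""
SAMPLE_FD_LINKS = [
    (812, "sshd", "socket:[18231]"), (812, "sshd", "/dev/null"),
    (2310, "curl", "socket:[40117]"), (2310, "curl", "pipe:[55555]"),
]

if __name__ == "__main__":
    try:  # live snapshot of this host when run on Linux
        recs = correlate(parse_proc_net_tcp(open("/proc/net/tcp").read()),
                         socket_owners_from_links(scan_proc_fds()))
    except OSError:  # not Linux: fall back to the constructed sample
        recs = correlate(parse_proc_net_tcp(SAMPLE_PROC_NET_TCP),
                         socket_owners_from_links(SAMPLE_FD_LINKS))
    for r in recs:
        who = f"{r.comm}[{r.pid}]" if r.pid else "<no owning process>"
        print(f"{r.state:<12} {r.local:<22} {r.remote:<22} {who}")
```

Run it as root on a Linux host to see every socket with its owner; as an unprivileged user, sockets belonging to other users show up unattributed because their /proc/&lt;pid&gt;/fd directories are not readable, which is a second reason a kernel-side sensor like Hone sees more than a userland poll.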

“Hone makes monitoring and understanding web-based attacks faster and easier,” said its inventor, PNNL computer scientist Glenn Fink. “The sensor isn’t a firewall or antivirus program that protects the host computer. Instead, it identifies the relationship between programs and their network activities, allowing system and security administrators to more quickly identify – and hopefully solve – problems such as cyber attacks.”

The sensor isn’t limited to investigating cyber attacks. Computer programmers could also use Hone to debug new networked applications they’re developing, and firewall administrators could adapt Hone data to verify that only certain processes on their system can communicate with the network. And security researchers could use it to monitor what their machines are doing and identify threats such as computer viruses, spyware and stealthy rootkits, which are programs that attackers use to maintain covert access to a computer system.

Fink initially developed Hone’s rough framework as a postdoctoral researcher at Virginia Tech. PNNL researchers are currently using Hone to analyze computer traffic in a project that is examining how attackers use a scheme called “pass the hash” to break into computer systems.

Hone is available for the Linux operating system in kernels 2.6.32 and later. Other versions are also being developed for Windows 7 and Windows XP, and a MacOS X version is planned. The data that Hone collects is provided in the PCAP-NG (Packet Capture-Next Generation) format, which can be viewed in the Wireshark network analysis program. In addition, PNNL is developing a way to visualize Hone’s data, which the lab hopes to license in the future.

Hone is essentially in the beta-testing stage, and has some room for minor tweaks and improvements. Fink and his collaborators are asking computer industry professionals to help them improve it by cloning the tool’s Linux version, which is available as open source code online at https://github.com/HoneProject. Technical questions can also be directed to Fink at glenn.fink @ pnnl .gov.

# # #

Pacific Northwest National Laboratory is a Department of Energy Office of Science national laboratory where interdisciplinary teams advance science and technology and deliver solutions to America's most intractable problems in energy, the environment and national security. PNNL employs 4,800 staff, has an annual budget of nearly $1.1 billion, and has been managed by Ohio-based Battelle since the lab's inception in 1965. Follow PNNL on Facebook, LinkedIn and Twitter.
