Developed by a researcher at the Department of Energy’s Pacific Northwest National Laboratory, the new Hone cyber sensor determines how network activity on a computer is related to an application such as Internet Explorer or any running process. Finding these relationships enables cyber security experts to more quickly identify a potential problem and dissect how it works.
Currently, system and security administrators spend a lot of their time looking for unusual communication patterns between their computer systems and the external network. When they find suspicious communication, it isn’t immediately obvious which program is doing the communicating. So the administrators closely watch the computer in the hope of seeing the program act again. But there’s no guarantee they’ll catch it, as many dangerous programs only show up for a few seconds at a time and can be silent for days or months. Hone eliminates these time-consuming investigations by keeping a record of all communications that applications make. If an administrator later finds a suspicious program, Hone’s record makes it immediately clear how the program and the communication are connected.
Hone is unique because it doesn’t just observe communications between computers on a network. It also determines from which specific programs – such as web browsers, system updates or even malicious programs – those communications are coming.
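The process-to-network correlation described above, as a small added Python example (written for this page, not Hone’s own code): connection records are joined to process-lifetime records by pid and time so that a connection from a program that ran for only a few seconds can still be attributed after the fact. The record layout and all sample events are constructed.

```python
"""Attribute observed network connections to the process that made them,
the process-to-network correlation the release describes Hone recording.
Example code for this page, not Hone's implementation; records are constructed."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ProcLife:
    pid: int
    exe: str
    start: float          # process start time, seconds
    end: Optional[float]  # None if still running

@dataclass(frozen=True)
class Conn:
    ts: float   # time the connection was observed
    pid: int    # owning pid as seen by the sensor
    src: str
    dst: str

def attribute(conns, procs):
    """Map each connection to the executable whose lifetime covers it.

    Matching on pid alone is wrong once the kernel recycles a pid, so the
    connection timestamp must also fall inside the process's lifetime.
    Connections with no matching process record map to None.
    """
    out = {}
    for c in conns:
        hits = [p.exe for p in procs
                if p.pid == c.pid and p.start <= c.ts <= (p.end if p.end is not None else float("inf"))]
        out[(c.ts, c.src, c.dst)] = hits[0] if len(hits) == 1 else None
    return out

def owners_of(conns, procs, dst):
    """Which executables talked to dst? The question an admin asks later."""
    return sorted({exe for (_, _, d), exe in attribute(conns, procs).items()
                   if d == dst and exe is not None})

# Constructed sample: pid 4242 belongs first to a process that lives three
# seconds, then is recycled by a long-running browser. Without lifetimes, the
# early connection would be blamed on the browser.
PROCS = [ProcLife(4242, "/tmp/updater", 100.0, 103.0),
         ProcLife(4242, "/usr/bin/firefox", 500.0, None),
         ProcLife(1200, "/usr/bin/apt-get", 50.0, None)]
CONNS = [Conn(101.5, 4242, "10.0.0.5:51000", "203.0.113.9:443"),
         Conn(600.0, 4242, "10.0.0.5:51002", "198.51.100.20:443"),
         Conn(55.0, 1200, "10.0.0.5:51004", "192.0.2.7:80"),
         Conn(300.0, 9999, "10.0.0.5:51006", "192.0.2.8:80")]  # no record
```

Running `attribute(CONNS, PROCS)` attributes the early pid-4242 connection to `/tmp/updater` and the later one to `/usr/bin/firefox`, while the connection from a pid with no lifecycle record stays unattributed.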
“Hone makes monitoring and understanding web-based attacks faster and easier,” said its inventor, PNNL computer scientist Glenn Fink. “The sensor isn’t a firewall or antivirus program that protects the host computer. Instead, it identifies the relationship between programs and their network activities, allowing system and security administrators to more quickly identify – and hopefully solve – problems such as cyber attacks.”
The sensor isn’t limited to investigating cyber attacks. Computer programmers could also use Hone to debug new networked applications they’re developing, and firewall administrators could adapt Hone data to verify that only certain processes on their system can communicate with the network. And security researchers could use it to monitor what their machines are doing and identify threats such as computer viruses, spyware and stealthy rootkits, which are programs that attackers use to maintain covert access to a computer system.
Fink initially developed Hone’s rough framework as a postdoctoral researcher at Virginia Tech. PNNL researchers are currently using Hone to analyze computer traffic in a project that is examining how attackers use a scheme called “pass the hash” to break into computer systems.
Hone is available for the Linux operating system in kernels 2.6.32 and later. Versions for Windows 7 and Windows XP are also being developed, and a Mac OS X version is planned. The data that Hone collects is provided in the PCAP-NG (Packet Capture-Next Generation) format, which can be viewed in the Wireshark network analysis program. In addition, PNNL is developing a way to visualize Hone’s data, which the lab hopes to license in the future.
Hone is essentially in the beta-testing stage, and has some room for minor tweaks and improvements. Fink and his collaborators are asking computer industry professionals to help them improve it by cloning the tool’s Linux version, which is available as open source code online at https://github.com/HoneProject. Technical questions can also be directed to Fink at glenn.fink@pnnl.gov.
# # #
Pacific Northwest National Laboratory is a Department of Energy Office of Science national laboratory where interdisciplinary teams advance science and technology and deliver solutions to America's most intractable problems in energy, the environment and national security. PNNL employs 4,800 staff, has an annual budget of nearly $1.1 billion, and has been managed by Ohio-based Battelle since the lab's inception in 1965. Follow PNNL on Facebook, LinkedIn and Twitter.