Security Sensor Visualises Network Attacks

A new security tool called Hone, developed by engineers at the US government’s Department of Energy, is designed to give security and IT administrators the ability to more quickly identify and respond to an issue on the network.

Hone is the brainchild of Glenn Fink, a senior research scientist with the Secure Cyber Systems Group at the DOE’s Pacific Northwest National Laboratory (PNNL) in Richland, Washington. Hone is what Fink calls a “cyber-sensor” that essentially discovers and monitors the relationship between network activity on a computer and the applications – such as Microsoft’s Internet Explorer – and processes running on it.

Visibility

By putting greater visibility into those relationships, IT professionals will be able to more quickly understand and deal with cyber-attacks. In addition, IT administrators can use the tool for a host of network- and security-related tasks, according to Fink.

In developing Hone, he said he “wanted to help people see what’s on their networks”.

“I want people to understand what’s really happening on these very complex machines,” Fink said in an interview with eWEEK.

He initially created the framework of what would become Hone as a postdoctoral researcher at Virginia Tech. Fink said he saw what visualisation technology was doing elsewhere, and asked why people didn’t use it in security. Such deep visualisation into the system and the network would be hugely beneficial to security administrators, he said.

Fink took his ideas with him when he went to work for PNNL, where he was able to secure the internal funding and collaboration needed to get going on work on what eventually turned out to be Hone.

“It’s really easy to get people to say, ‘Yeah, that’s cool,'” he said. “It’s another thing to get people to say, ‘And here’s the money.'”

Security inefficiency

The problem is what he sees as an inefficient way of dealing with security issues. Right now, security and system administrators spend much of their time searching for unusual patterns in communications between computer systems and the network, Fink said.

The problem is that once such a pattern is found, there’s nothing to say which program is doing the communicating, so the administrators closely watch the system hoping to see the program work again and allowing them to get a better read on the situation.

They may never see the dangerous program again. However, Hone creates an ongoing record of the communication, not only showing the communications between systems on a network, but also which specific programs – including web browsers, system updates and malicious programs – are involved in the communication.

If a systems administrator sees a problem with a system or on the network – unusual communications patterns or systems running slowly – they can immediately determine how the system and any programs are connected. That is the kind of information that will give administrators the ability to better monitor, understand and respond to attacks, and information they can’t get from firewalls.

Hone gives users a “‘glanceable’ type of view of what’s happening on the network and what’s happening on the machine”, he said.

Hone also is a tool that has uses beyond understanding and responding to attacks, Fink said. It can be used to help programmers debug new networked applications being developed. In addition, security administrators can use data from Hone to ensure that only certain processes on their systems can communicate with the network, and to monitor what their systems are doing, which would help them identify such threats as viruses, spyware and rootkits.

Development plans

Hone currently is in the beta stage, Fink said. It’s available for Linux operating systems in kernels 2.6.32 and later, and he is hoping that tech professionals will clone the Linux version and give it a good run. Hone is available as an open-source code.

At PNNL, researchers are using Hone to analyse computer traffic as part of a project looking at how attackers use a scheme called “pass the hash” to break into systems.

Information collected by Hone is provided in the Packet Capture-Next Generation (PCAG-NG) format, which can be viewed in the Wireshark network analysis program.

PNNL engineers also are developing a way to visualise the information collected by Hone, with hopes of licensing it in the future. Fink said it was too early to talk about spinning off a product from the Hone project, though he could envision licensing the visualisation technology.

While Hone currently works with Linux, versions for Windows XP and Windows 7 are both being developed, and a version for Apple’s Mac OS X also is being planned, Fink said.

Are you an expert on social networks? Take our quiz.