OSTI.GOV, U.S. Department of Energy
Office of Scientific and Technical Information

Title: LINEBACKER: LINE-speed Bio-inspired Analysis and Characterization for Event Recognition

Abstract

The cyber world is a complex domain, with digital systems mediating a wide spectrum of human and machine behaviors. While this is enabling a revolution in the way humans interact with each other and data, it also is exposing previously unreachable infrastructure to a worldwide set of actors. Existing solutions for intrusion detection and prevention that are signature-focused typically seek to detect anomalous and/or malicious activity for the sake of preventing or mitigating negative impacts. But a growing interest in behavior-based detection is driving new forms of analysis that move the emphasis from static indicators (e.g. rule-based alarms or tripwires) to behavioral indicators that accommodate a wider contextual perspective. Similar to cyber systems, biosystems have always existed in resource-constrained hostile environments where behaviors are tuned by context. So we look to biosystems as an inspiration for addressing behavior-based cyber challenges. In this paper, we introduce LINEBACKER, a behavior-model based approach to recognizing anomalous events in network traffic and present the design of this approach of bio-inspired and statistical models working in tandem to produce individualized alerting for a collection of systems. Preliminary results of these models operating on historic data are presented along with a plugin to support real-world cyber operations.

Authors:
Oehmen, Christopher S.; Bruillard, Paul J.; Matzke, Brett D.; Phillips, Aaron R.; Star, Keith T.; Jensen, Jeffrey L.; Nordwall, Douglas J.; Thompson, Seth R.; Peterson, Elena S.
Publication Date:
2016
Research Org.:
Pacific Northwest National Lab. (PNNL), Richland, WA (United States)
Sponsoring Org.:
USDOE
OSTI Identifier:
1334880
Report Number(s):
PNNL-SA-115629
400904120
DOE Contract Number:
AC05-76RL01830
Resource Type:
Conference
Resource Relation:
Conference: IEEE Symposium on Security and Privacy Workshops, May 23-25, 2016, San Jose, California, 88-95
Country of Publication:
United States
Language:
English
Subject:
biosequence model; cybersecurity; leaky buckets

Citation Formats

Oehmen, Christopher S., Bruillard, Paul J., Matzke, Brett D., Phillips, Aaron R., Star, Keith T., Jensen, Jeffrey L., Nordwall, Douglas J., Thompson, Seth R., and Peterson, Elena S. LINEBACKER: LINE-speed Bio-inspired Analysis and Characterization for Event Recognition. United States: N. p., 2016. Web. doi:10.1109/SPW.2016.44.
Oehmen, Christopher S., Bruillard, Paul J., Matzke, Brett D., Phillips, Aaron R., Star, Keith T., Jensen, Jeffrey L., Nordwall, Douglas J., Thompson, Seth R., & Peterson, Elena S. LINEBACKER: LINE-speed Bio-inspired Analysis and Characterization for Event Recognition. United States. doi:10.1109/SPW.2016.44.
Oehmen, Christopher S., Bruillard, Paul J., Matzke, Brett D., Phillips, Aaron R., Star, Keith T., Jensen, Jeffrey L., Nordwall, Douglas J., Thompson, Seth R., and Peterson, Elena S. 2016. "LINEBACKER: LINE-speed Bio-inspired Analysis and Characterization for Event Recognition". United States. doi:10.1109/SPW.2016.44.
@inproceedings{osti_1334880,
title = {LINEBACKER: LINE-speed Bio-inspired Analysis and Characterization for Event Recognition},
author = {Oehmen, Christopher S. and Bruillard, Paul J. and Matzke, Brett D. and Phillips, Aaron R. and Star, Keith T. and Jensen, Jeffrey L. and Nordwall, Douglas J. and Thompson, Seth R. and Peterson, Elena S.},
abstractNote = {The cyber world is a complex domain, with digital systems mediating a wide spectrum of human and machine behaviors. While this is enabling a revolution in the way humans interact with each other and data, it also is exposing previously unreachable infrastructure to a worldwide set of actors. Existing solutions for intrusion detection and prevention that are signature-focused typically seek to detect anomalous and/or malicious activity for the sake of preventing or mitigating negative impacts. But a growing interest in behavior-based detection is driving new forms of analysis that move the emphasis from static indicators (e.g. rule-based alarms or tripwires) to behavioral indicators that accommodate a wider contextual perspective. Similar to cyber systems, biosystems have always existed in resource-constrained hostile environments where behaviors are tuned by context. So we look to biosystems as an inspiration for addressing behavior-based cyber challenges. In this paper, we introduce LINEBACKER, a behavior-model based approach to recognizing anomalous events in network traffic and present the design of this approach of bio-inspired and statistical models working in tandem to produce individualized alerting for a collection of systems. Preliminary results of these models operating on historic data are presented along with a plugin to support real-world cyber operations.},
booktitle = {IEEE Symposium on Security and Privacy Workshops},
address = {San Jose, California},
pages = {88--95},
doi = {10.1109/SPW.2016.44},
place = {United States},
year = {2016},
month = aug
}

Other availability
Please see Document Availability for additional information on obtaining the full-text document. Library patrons may search WorldCat to identify libraries that hold this conference proceeding.

  • Abstract—One essential component of resilient cyber applications is the ability to detect adversaries and protect systems with the same flexibility adversaries will use to achieve their goals. Current detection techniques do not enable this degree of flexibility because most existing applications are built using exact or regular-expression matching to libraries of rule sets. Further, network traffic defies traditional cyber security approaches that focus on limiting access based on the use of passwords and examination of lists of installed or downloaded programs. These approaches do not readily apply to network traffic occurring beyond the access control point, and when the data in question are combined control and payload data of ever increasing speed and volume. Manual analysis of network traffic is not normally possible because of the magnitude of the data that is being exchanged and the length of time that this analysis takes. At the same time, using an exact matching scheme to identify malicious traffic in real time often fails because the lists against which such searches must operate grow too large. In this work, we introduce an alternative method for cyber network detection based on similarity-measuring algorithms for gene sequence analysis. These methods are ideal because they were designed to identify similar but nonidentical sequences. We demonstrate that our method is generally applicable to the problem of network traffic analysis by illustrating its use in two different areas both based on different attributes of network traffic. Our approach provides a logical framework for organizing large collections of network data, prioritizing traffic of interest to human analysts, and makes it possible to discover traffic signatures without the bias introduced by expert-directed signature generation. Pattern recognition on reduced representations of network traffic offers a fast, efficient, and more robust way to detect anomalies.
  • A multiparameter data-acquisition program is described that is highly flexible and yet provides optimum machine code for each individual set of sorting conditions. An Event Analysis Language (EVAL) compiler allows the user full control over the handling of events and produces code which runs 4 to 6 times faster than a generalized program. This technique has been integrated into the Los Alamos Physics Division data acquisition system for high-speed sorting of a wide variety of input data from CAMAC or magnetic tape. The EVAL compiler is written in FORTRAN for MODCOMP computers, but can be easily modified for other systems.