
Vern Paxson Honored for Best Paper at USENIX Security Symposium

February 6, 1998


NOTE: This archived news story is made available as-is. It may contain references to programs, people, and research activities that are no longer active at Berkeley Lab. It may include links to web pages that no longer exist or refer to documents no longer available.

Vern Paxson of the Network Research Group was honored for presenting the best paper at the 7th USENIX Security Symposium, held January 26-29, 1998, in San Antonio, Texas. In his paper entitled “Bro: A System for Detecting Network Intruders in Real-Time,” Vern described the stand-alone system he set up to monitor network traffic into the Lab as a means of stopping security breaches. Because of the sensitive nature of Internet security and the desire of security system providers to protect their products, Vern said there is little information in the open literature about such monitoring systems. Especially sensitive is any discussion of flaws in the security systems. As Vern designed the Lab’s security monitor, he sought out the flaws and corrected for them. “If you know the flaws, you can evade the system,” he said. “It takes an extra level of deviousness to look for these flaws, and I was pretty devious in my thinking as I put our system together.”

The Lab’s system, called “Bro” in a reference to George Orwell’s ever-watching Big Brother, is a layered system that seeks out certain types of network traffic. The first layer is a general packet filter, which decides which data packets should be examined. The second layer is an “event engine,” which takes the first-level packets and pieces them together into “events,” such as the beginning or end of a connection. The next layer looks for application-level events, such as FTP (file transfer protocol) traffic or a search for a user name. Above that is a policy layer, which has special scripts that are invoked for certain events. Should the various layers detect information amounting to an attempted security breach, the system notifies computer security people in real time.
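To make the layering concrete, here is a toy monitor in the same shape: a packet filter, an event engine that turns packets into connection and application-level events, and policy handlers invoked per event. It is an added illustration written for this page, not Bro’s code; the packet fields, the watched port, the account list and the sample traffic are all constructed.

```python
from dataclasses import dataclass
# Toy layered monitor in the shape the article describes; added illustration, not Bro's code.
@dataclass
class Packet:
    """Constructed packet record with only the fields the toy layers need (not a real capture)."""
    src: str
    dst: str
    dport: int
    flags: str            # "S" = SYN, "F" = FIN, "" = data segment
    payload: bytes = b""

WATCHED_PORTS = {21}      # layer 1: only traffic to these ports reaches the event engine

def packet_filter(pkts):
    return [p for p in pkts if p.dport in WATCHED_PORTS]

def event_engine(pkts):
    """Layer 2: piece filtered packets into connection and application-level events."""
    events = []
    for p in pkts:
        conn = (p.src, p.dst, p.dport)
        if "S" in p.flags:
            events.append(("connection_begin", conn, None))
        elif "F" in p.flags:
            events.append(("connection_end", conn, None))
        elif p.dport == 21 and p.payload.upper().startswith(b"USER "):
            user = p.payload[5:].strip().decode(errors="replace")
            events.append(("ftp_user", conn, user))
    return events

SENSITIVE_ACCOUNTS = {"root", "admin"}   # constructed policy data

def flag_sensitive_ftp_login(conn, user):
    """Layer 3 policy script: notice when a watched account name is used for an FTP login."""
    if user.lower() in SENSITIVE_ACCOUNTS:
        return f"ftp login attempt as {user!r} from {conn[0]} to {conn[1]}"

POLICY = {"ftp_user": [flag_sensitive_ftp_login]}   # event name -> handlers to invoke

def run_monitor(pkts):
    """Drive packets through all three layers and return the notices the policy raised."""
    notices = []
    for name, conn, data in event_engine(packet_filter(pkts)):
        for handler in POLICY.get(name, []):
            msg = handler(conn, data)
            if msg:
                notices.append(msg)
    return notices

# Constructed traffic: an FTP session trying the root account, plus a web packet the filter drops.
SAMPLE = [
    Packet("10.0.0.5", "192.168.1.20", 21, "S"),
    Packet("10.0.0.5", "192.168.1.20", 21, "", b"USER root\r\n"),
    Packet("10.0.0.5", "192.168.1.20", 21, "F"),
    Packet("10.0.0.9", "192.168.1.30", 80, "", b"GET / HTTP/1.0\r\n"),
]
```

Running `run_monitor(SAMPLE)` yields one notice for the root login attempt; the web packet never reaches the event engine, and the connection begin/end events pass through because no policy handler is registered for them.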

Bro has been running continuously, monitoring network traffic at the Lab since April 1996. In that time, it has detected 85 formal security incidents, some of which have resulted in law enforcement action. When such incidents are found, the Lab also notifies DOE’s Computer Incident Advisory Center (CIAC) at Lawrence Livermore and the Computer Emergency Response Team at WHERE for follow-up as appropriate.

Stu Loken, director of the Information and Computing Sciences Division, said “This recognition of Vern’s outstanding work by others in the computer security field again demonstrates the valuable contributions of the Network Research Group. Working behind the scenes in a field that truly benefits all users of the Internet, this group has helped make scientific networking the successful tool that it is today.”


About Computing Sciences at Berkeley Lab

High performance computing plays a critical role in scientific discovery. Researchers increasingly rely on advances in computer science, mathematics, computational science, data science, and large-scale computing and networking to increase our understanding of ourselves, our planet, and our universe. Berkeley Lab’s Computing Sciences Area researches, develops, and deploys new foundations, tools, and technologies to meet these needs and to advance research across a broad range of scientific disciplines.