Vern Paxson Honored for Best Paper at USENIX Security Symposium
February 6, 1998
Vern Paxson of the Network Research Group was honored for presenting the best paper at the 7th USENIX Security Symposium held January 26-29, 1998, in San Antonio, Texas. In his paper entitled “Bro: A System for Detecting Network Intruders in Real-Time,” Vern described the stand-alone system he set up to monitor network traffic into the Lab as a means of stopping security breaches. Because of the sensitive nature of Internet security and the desire of security system providers to protect their products, Vern said there is little information in the open literature about such monitoring systems. Especially sensitive is any discussion of flaws in the security systems. As Vern designed the Lab’s security monitor, he sought out the flaws and corrected for them. “If you know the flaws, you can evade the system,” he said. “It takes an extra level of deviousness to look for these flaws, and I was pretty devious in my thinking as I put our system together.”
The Lab’s system, called “Bro” in a reference to George Orwell’s ever-watching Big Brother, is a layered system that seeks out certain types of network traffic. The first layer is a general packet filter, which decides which data packets should be examined. The second layer is an “event engine,” which takes the first-level packets and pieces them together into “events,” such as the beginning or end of a connection. The next layer looks for application-level events, such as an FTP (file transfer protocol) session or a search for a user name. Above that is a policy layer, which has special scripts that are invoked for certain events. Should the various layers detect information amounting to an attempted security breach, the system notifies computer security people in real time.
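The following toy model of that layered design is an added illustration, not Bro’s own code: the watched ports, the list of flagged FTP user names, the event names and the sample packets are all constructed for the example, chosen to mirror the packet-filter, event-engine and policy-script layers described above.

```python
WATCHED_PORTS = {21, 23}          # ftp, telnet: constructed layer-1 filter
HOT_FTP_USERS = {"root", "uucp"}  # constructed policy list, not Bro's
HANDLERS = {}                     # event name -> policy-script handlers

def packet_filter(pkt):           # layer 1: pkt = (src, dst, dport, flags, payload)
    return pkt[2] in WATCHED_PORTS
def event_engine(packets):        # layer 2: packets -> connection/application events
    conns = {}                    # per-connection state keyed by (src, dst, dport)
    for src, dst, dport, flags, payload in packets:
        key = (src, dst, dport)
        if "S" in flags and key not in conns:
            conns[key] = {"user": None}
            yield {"name": "connection_established", "conn": key, "arg": None}
        if key not in conns:
            continue              # mid-stream packet with no observed start
        if dport == 21 and payload.upper().startswith("USER "):
            conns[key]["user"] = payload[5:].strip()
            yield {"name": "ftp_user", "conn": key, "arg": conns[key]["user"]}
        if "F" in flags:
            yield {"name": "connection_finished", "conn": key, "arg": conns.pop(key)["user"]}

def on(event_name):               # layer 3: a policy script attaches a handler to an event
    def register(fn):
        HANDLERS.setdefault(event_name, []).append(fn)
        return fn
    return register
@on("ftp_user")
def flag_hot_user(ev, notices):
    if ev["arg"] in HOT_FTP_USERS:
        notices.append(f"hot ftp user {ev['arg']!r} from {ev['conn'][0]}")
@on("connection_finished")
def flag_ftp_without_login(ev, notices):
    if ev["conn"][2] == 21 and ev["arg"] is None:
        notices.append(f"ftp connection from {ev['conn'][0]} closed before USER")

def monitor(packets):             # run all three layers; return real-time notices
    notices = []
    for ev in event_engine(filter(packet_filter, packets)):
        for handler in HANDLERS.get(ev["name"], []):
            handler(ev, notices)
    return notices

SAMPLE_PACKETS = [                # constructed sample traffic, not a capture
    ("192.0.2.5", "198.51.100.1", 21, "S", ""),
    ("192.0.2.5", "198.51.100.1", 21, "", "USER root\r\n"),
    ("192.0.2.5", "198.51.100.1", 21, "F", ""),
    ("192.0.2.6", "198.51.100.1", 80, "S", ""),   # dropped by layer 1
    ("192.0.2.7", "198.51.100.2", 21, "S", ""),
    ("192.0.2.7", "198.51.100.2", 21, "F", ""),   # closed without USER
]
```

Calling `monitor(SAMPLE_PACKETS)` returns two notices, one per policy handler that fired; the port 80 packet never reaches the event engine, and a packet for a connection whose start was never seen produces no event at all.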
Bro has been running continuously, monitoring network traffic at the Lab since April 1996. In that time, it has detected 85 formal security incidents, some of which have resulted in law enforcement action. When such incidents are found, the Lab also notifies DOE’s Computer Incident Advisory Center (CIAC) at Lawrence Livermore and the Computer Emergency Response Team at WHERE for follow-up as appropriate.
Stu Loken, director of the Information and Computing Sciences Division, said “This recognition of Vern’s outstanding work by others in the computer security field again demonstrates the valuable contributions of the Network Research Group. Working behind the scenes in a field that truly benefits all users of the Internet, this group has helped make scientific networking the successful tool that it is today.”
Vern’s paper is on the Web and a link to it can be found at: http://www-nrg.ee.lbl.gov/nrg-papers.html
About Computing Sciences at Berkeley Lab
The Computing Sciences Area at Lawrence Berkeley National Laboratory provides the computing and networking resources and expertise critical to advancing Department of Energy Office of Science research missions: developing new energy sources, improving energy efficiency, developing new materials, and increasing our understanding of ourselves, our world, and our universe.
Founded in 1931 on the belief that the biggest scientific challenges are best addressed by teams, Lawrence Berkeley National Laboratory and its scientists have been recognized with 13 Nobel Prizes. Today, Berkeley Lab researchers develop sustainable energy and environmental solutions, create useful new materials, advance the frontiers of computing, and probe the mysteries of life, matter, and the universe. Scientists from around the world rely on the Lab’s facilities for their own discovery science. Berkeley Lab is a multiprogram national laboratory, managed by the University of California for the U.S. Department of Energy’s Office of Science.
DOE’s Office of Science is the single largest supporter of basic research in the physical sciences in the United States, and is working to address some of the most pressing challenges of our time. For more information, please visit energy.gov/science.