
Profiling software provides new security against hackers

by Nikola Strahija on January 20th, 2003

A suspected crooked insider at a New York software company sells consumer-credit reports to identity thieves at roughly $30 a pop in a high-tech scam that victimizes at least 30,000 people.

An unemployed British computer administrator fights extradition to face federal charges in Virginia and New Jersey that he hacked into 92 separate U.S. military and government networks, often getting past easy-to-guess passwords to download sensitive data.

These and other recent computer-network intrusions, perpetrated by hackers, moles or tricksters intent on theft, sabotage or cyber-terrorism, have given rise to a promising profiling-and-reasoning strategy aimed at preventing online break-ins as they happen.

Just as police use profiling to guard against criminals at ports and borders, researchers in upstate New York are developing software that can generate highly personalized profiles of network users by analyzing the sequences of commands entered at each computer terminal.

The system — a prototype is likely to be ready for intensive testing this summer — could provide a high-grade layer of protection for military installations and government agencies as well as banking or other commercial networks that require especially tight monitoring.

The "user-level anomaly detection" software draws up regularly updated profiles by closely tracking over time how each person performs an array of routine tasks, such as opening files, sending e-mail or searching archives.

Designed to tell if someone has strayed into an unauthorized zone or is masquerading as an employee using a stolen password, the program keeps watch for even subtle deviations in behavior. Alerted to anomalies, network administrators then begin monitoring more aggressively to assess whether pilferage is in progress.

"The ultimate goal is to detect intrusions or violations occurring on the fly," said chief researcher Shambhu Upadhyaya, who directs the Center of Excellence in Information Systems Assurance Research and Education at the State University of New York at Buffalo.

"There are systems that try to do this in real time, but the problem is it results in too many false alarms. The system tries to make a quick decision and it may not be an intrusion at all."

Keeping false alarms to a manageable minimum is key, but extremely difficult to achieve, said Bruce Schneier, cryptography expert and author of Secrets & Lies: Digital Security in a Networked World.

"These systems live and die on false alarms," he said. "You see this problem in facial recognition, trying to catch terrorists by recognizing faces in airports. All those trials failed miserably."

The Buffalo school is one of 36 research and teaching centers designated by the National Security Agency since 1998 to help safeguard America's information technology systems.

Aided by doctoral student Ramkumar Chinchani and Kevin Kwiat of the Air Force Research Laboratory in Rome, N.Y., Upadhyaya began examining in 1999 whether monitoring simple user commands instead of network traffic might produce faster, more effective monitoring.

Some computer-security products that feature user-profiling seek out deviations on the basis of huge amounts of data flowing through entire networks. They're typically 60% to 80% reliable whereas simulation tests indicated the new software would be up to 94% reliable, he said.

Borrowing from risk-analysis economic models, the researchers draw on dynamic reasoning and engineering methodologies to assess security threats based on the sequence of operations performed and the rate at which the cost of operations is building.

"When these costs fall in that window of uncertainty, the user will be placed under higher scrutiny to determine whether it is an intrusion or a benign act," he said.
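The approach the article describes, as an added illustration rather than the Buffalo team's software: a per-user profile built from the sequence of commands typed, a per-step cost that rises as a transition departs from that user's habit, and a window of uncertainty between a scrutiny threshold and an alarm threshold. The sessions, commands and threshold values are constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed sample: command sequences recorded for one user in earlier sessions.
BASELINE_SESSIONS = [
    ["ls", "cd", "cat", "mail", "ls", "grep", "cat"],
    ["cd", "ls", "cat", "grep", "mail", "ls"],
    ["ls", "grep", "cat", "cat", "mail", "cd", "ls"],
]


def build_profile(sessions):
    """Per-user profile: how often each command follows the previous one."""
    follows = defaultdict(Counter)
    for session in sessions:
        for prev, cur in zip(session, session[1:]):
            follows[prev][cur] += 1
    return follows


def step_cost(profile, prev, cur):
    """Cost of one transition: 0 when it is pure habit, 1 when never seen before."""
    seen = profile.get(prev)
    if not seen:
        return 1.0
    return 1.0 - seen[cur] / sum(seen.values())


def assess_session(profile, session, suspect=2.5, alarm=4.0):
    """Accumulate transition cost along a session and return (cost, verdict).

    Below `suspect` the activity is treated as benign; between `suspect` and
    `alarm` is the window of uncertainty, where the user is flagged for closer
    monitoring; reaching `alarm` stops and raises an alert. Thresholds are
    constructed values, not the researchers' parameters.
    """
    cost, verdict = 0.0, "benign"
    for prev, cur in zip(session, session[1:]):
        cost += step_cost(profile, prev, cur)
        if cost >= alarm:
            return cost, "alarm"
        if cost >= suspect:
            verdict = "scrutinize"
    return cost, verdict


if __name__ == "__main__":
    profile = build_profile(BASELINE_SESSIONS)
    for s in (["ls", "grep", "cat", "mail", "ls"],             # habitual
              ["ls", "cat", "mail", "cd", "ls", "find"],       # drifting
              ["ls", "find", "tar", "mail", "cat", "tar"]):    # unfamiliar
        print(s, assess_session(profile, s))
```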

Even if it proves successful, the software would be just one tool in a computer-security arena that requires multilayered defenses, Upadhyaya said.

"Hackers are a step ahead of you always," he said, noting that the military "is especially worried about the insider who's been there a long time and learned all the loopholes."

Mike Kurdziel, an information security specialist at Harris, which makes tactical military radios, thinks Upadhyaya has "constrained the problem" by installing various thresholds to curtail false alarms.

"Other intrusion techniques require something like looking at audit logs after the damage has already occurred," Kurdziel said. "The advantage offered by this approach is that an intruder with malicious intent can be identified very early and a system operator can contain the damage, repair it in real time and shut out the intruder.

"This really is an advance," he said. "This means that systems that have been attacked by an intruder maliciously might not necessarily be brought down."

