A Canadian researcher employed by CA and working out of Dalhousie University in Halifax has been commissioned by the U.S. Department of Homeland Security to develop a framework for visualizing security threats in computer networks.
The framework will focus on ways of visualizing traffic flows in order to identify potential threats and, when completed, will be offered to the Eclipse open source community so that other organizations can develop products based on it. The Department of Homeland Security (DHS) gave CA Labs US$815,000 to collaborate with Dalhousie University on the project through its Science and Technology Directorate program.
Dr. Carrie Gates is a Dalhousie alumna who works for CA in New York and will be the principal investigator on the project. She said the research will not make extensive use of any particular CA products but will instead tap into the System for Internet-Level Knowledge, or SiLK, a flow collection and analysis suite developed by the CERT program at Carnegie Mellon University.
“It’s like Cisco NetFlow, but a bit more specialized,” she said. “It offers tools to filter or sort on any of the flow form fields. That will be the back end.” The actual visualization software will likely be developed from scratch, Gates said.
The idea is to create a way of illustrating network traffic flows so that those monitoring for security risks can easily pinpoint specific pieces of information, Gates said. Although such visualization would be a powerful feature for many organizations, she said the DHS represents a unique kind of user.
“One (issue) is scalability – you’re dealing with U.S. government data, so it’s huge,” she said. “Among the benefits of visualization is the ability to take all that traffic information and break it down by sub-organizations.” At CA, for example, Gates was once responsible for monitoring all network traffic and was able to carve that up by geography, focusing on the North American or EMEA offices.
DHS spokesperson Amy Cudwa said the Science and Technology Directorate funds specific projects as well as broad research initiatives and the creation of centres of excellence. Its “customers” include both the operational components of various government departments and first responders, she said.
“Sometimes it may be the case that we want to have research in this area, but don’t dictate what research is conducted,” she said. “We recognize that we don’t have a monopoly on all the good ideas in the department. We’re looking to capitalize on all the research that has potential value.”
Gates said her goal is to offer a framework that will make it easy for other organizations to write the code they need to create their own security visualization tool.
“In some cases it will depend on who is deploying it and in what environment it’s in,” she said. “If it’s a large enterprise, even if they drop a few percentage points of those flows, you’re probably getting enough information to be able to recognize different events.”
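The two ideas Gates describes, carving flow data up by sub-organization and tolerating a small fraction of dropped flows, are easy to see on a handful of records. The following is an added example, not code from the article, from CA Labs, or from SiLK: it parses constructed flow records in a simple pipe-delimited format (an assumption; SiLK has its own binary record format and tools), filters on flow fields the way a back end like SiLK would, attributes each flow to a sub-organization by longest-prefix match against a hypothetical address-space table, and randomly drops flows to emulate a lossy collector so the effect on the per-organization breakdown can be inspected.

```python
import ipaddress
import random
from collections import defaultdict

# Constructed sample flow records (not real traffic):
# sIP|dIP|sPort|dPort|proto|bytes|packets
SAMPLE_FLOWS = """\
10.1.4.20|198.51.100.7|51234|443|6|48210|60
10.1.9.11|198.51.100.7|51235|443|6|9100|12
10.2.17.5|203.0.113.9|40001|22|6|220000|300
10.2.3.8|203.0.113.9|40002|22|6|1500|10
10.3.0.2|192.0.2.1|53000|53|17|120|1
10.1.4.20|192.0.2.1|53001|53|17|110|1
"""

# Hypothetical mapping from internal address space to sub-organization.
# This table is an assumption for the example, not something from the article.
SUB_ORGS = {
    "10.1.0.0/16": "NorthAmerica",
    "10.2.0.0/16": "EMEA",
    "10.3.0.0/16": "APAC",
}


def parse_flows(text):
    """Turn pipe-delimited flow lines into dicts with typed fields."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        sip, dip, sport, dport, proto, nbytes, pkts = line.split("|")
        records.append({
            "sip": ipaddress.ip_address(sip),
            "dip": ipaddress.ip_address(dip),
            "sport": int(sport),
            "dport": int(dport),
            "proto": int(proto),
            "bytes": int(nbytes),
            "packets": int(pkts),
        })
    return records


def filter_flows(records, **criteria):
    """Keep records whose fields equal every given criterion, e.g. dport=443, proto=6."""
    return [r for r in records if all(r[k] == v for k, v in criteria.items())]


def sub_org_of(addr, table=SUB_ORGS):
    """Longest-prefix match of an address against the sub-organization table."""
    best = None
    for cidr, name in table.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, name)
    return best[1] if best else "unassigned"


def bytes_by_sub_org(records):
    """Aggregate bytes sent per sub-organization of the source address."""
    totals = defaultdict(int)
    for r in records:
        totals[sub_org_of(r["sip"])] += r["bytes"]
    return dict(totals)


def sample_flows(records, keep_fraction, seed=0):
    """Randomly drop flows with a fixed seed, emulating a collector that loses a few percent."""
    rng = random.Random(seed)
    return [r for r in records if rng.random() < keep_fraction]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("SSH flows:", len(filter_flows(flows, dport=22, proto=6)))
    print("bytes by sub-org:", bytes_by_sub_org(flows))
    print("after dropping ~3% of flows:", bytes_by_sub_org(sample_flows(flows, 0.97)))
```

On a real data set the last two lines would be compared per sub-organization; with a few percent of flows dropped the large shifts (such as an EMEA host suddenly dominating outbound SSH bytes) remain visible even though individual small flows may vanish, which is the tolerance Gates is describing.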
The money from DHS, which will mostly go towards finding research staff with the right mix of skills, is to cover a 30-month period ending in September 2010.
“It sounds so far away right now,” she laughed.
Dalhousie and CA are not alone in pursuing an open source security visualization framework. Greg Conti, a professor at the U.S. Military Academy in West Point, N.Y., has developed RUMINT, which can handle up to 30,000 packets in a high speed RAM buffer and offers 20 different views of the network data.