Navy's Therminator Fights Computer Attacks

By Roland Piquepaille

David Ford, a researcher at the Naval Postgraduate School in Monterey, California, is using ideas coming from the field of thermodynamics to visualize computer networks and detect security breaches, says Government Computer News (GCN) in "Navy researcher has novel security visualization technique." Thermodynamics equations have long been used to describe complex environments, so Ford applied them to computer networks. The result is the Therminator software, which helps Navy system administrators to detect and react to network attacks.

Below are screenshots of the Therminator software. Both images and legends are extracted from this article from CHIPS, a magazine of the Navy, "Therminator... A transformational enabler for FORCEnet."

	Here is a generic snapshot of the primary Therminator display. The top portion of the graph is a display of average bucket sizes associated with conversation groups. The lower portion of the graph illustrates the "thermal canyon" -- the relationship of various network states -- over time (indicated from left to right). (Credit: DISA).
	And this is a snapshot of the Code Red attack in progress. The display highlighted by the red circles is associated with the Code Red worm entering the NPS campus. The area highlighted by the yellow circles is associated with the firewall administrator shutting down the firewall in response to notification of the arrival of the worm. Compare the display associated with the intrusion of the Code Red worm with that of the actions taken by the firewall administrator shortly thereafter. (Credit: DISA).

Let's go back to the GCN article.

"We need to do a better job of using basic engineering to understand computer attacks, to push things to a more mature scientific foundation," said David Ford, a senior research coordinator for the Defense Information Systems Agency (DISA).

Last month, Ford posted his findings, entitled "Application of Thermodynamics to the Reduction of Data Generated by a Non-Standard System," in Cornell University's electronic repository for scientific papers. Ford said he hopes the ideas will be picked up by both agencies and vendors of security appliances.

If you like mathematical equations, you can read this paper here (PDF format, 18 pages, 600 KB).

In plain English, here is what he did.

"The basic idea is that a computer network is a complex system, and people know how to deal with complexity from a mathematical point of view," Ford said, A computer network, with its packets of data moving back and forth, exhibits similar behavior to the molecules in a cup of coffee or the electromagnetic charge of a magnet, Ford said.

Ford said the paper formally explains a number of concepts that he and a Defense Department team used to build prototype software that visualizes the state of a network. The software, called Therminator, characterizes the normal activity, highlighting any unusual occurrences.

"When a packet does something that is not within the intended flow, then it stands out like a sore thumb," Ford said.

It is worth noting that the Therminator software is now incorporated in a commercial solution from Lancope, based in Atlanta, Georgia. You'll find more details about this software, including screenshots, on this page.

Sources: Joab Jackson, Government Computer News, March 4, 2004; and various websites