Physics methods may spot intruders

By Kimberly Patch, Technology Research News

The key to detecting uninvited visitors is recognizing them.

This gets difficult in crowded situations, like large networks, because there is a lot of normal traffic, or noise, that can cover an intruder's comparatively quieter signal. What's even more difficult, however, is detecting a new type of intrusion the first time it happens. Essentially what's needed is a way to detect what you don't know you're looking for.

Researchers from the University of South Carolina have tapped the methods of nuclear experiments to map network traffic and extract patterns of typical network behavior. When scientists looking into the makeup of matter cause nuclear particles to collide, hundreds of detectors monitor every facet of the complicated reaction to capture any slight deviation that may point to an unknown phenomenon.

Analyzing network traffic data this way makes it easier to tease out deviations that point to known network intruders, said Vladimir Gudkov, a physics research professor at the University of South Carolina. "If... almost complete monitoring and data collection [of nuclear events] is possible in physics, why not try to find a way to do similar things in network monitoring?" he said.

The research could also eventually be adapted to the really difficult problem of detecting new methods of intrusion as they are happening, said Gudkov. "We have an opportunity to detect even unknown intrusions in the reconnaissance stage of an attack," he said.

When a file is transmitted over a network it is first broken up into many small packets, which traverse the network using whatever route is available and are reassembled when they arrive at their destination.

To closely monitor a network, the researchers track all the properties of these packets, including how they change over time. Routers, the specialized computers that control traffic around the Internet, put time stamps and other marks on the packets. The advantage of using this time-dependent information is that it provides a complete description of the process. "This is exactly what we need for reliable numerical analysis," Gudkov said.

The researchers translate this information into mathematical functions in order to use the complex systems theory that physicists use to extract information from large, changing sets of data, said Gudkov.

The method captures raw data from a network node, then on a separate system plots the mathematical functions in two- or three-dimensional imaginary space, and uses pattern recognition to find deviant signals. The result is an "ability to optimize signal-to-noise ratio and to analyze signals in real-time," Gudkov said.

This makes the faint tracks of an intruder more apparent. "The basic idea is to define the normal network behavior using the complete network monitoring. The deviation from the normal traffic behavior will give an alert for possible... intrusions," he said.

In plotting the signals the researchers also found something surprising: some of the ways information flows in these imaginary spaces are independent of how a network is laid out and what system software the computers are running. "This looks natural [to] me now, but some months ago we did not even suspect that... characteristics like the dimension of information flow in the parameter space are... not sensitive to network topology [or] operating systems," Gudkov said.

The researchers are working on a test model of a system that will detect known intrusions as they are happening, said Gudkov. If the research goes as expected, a model for detecting unfamiliar types of intrusions could be available within a year, and a practical working system a couple years after that, Gudkov said.

The researchers are also working on finding a way to detect unfamiliar intrusions by analyzing all the data rather than just looking for known intrusion patterns. The challenge is finding a method of pattern recognition that will work in real-time data plotted in imaginary spaces that have more than three dimensions, according to Gudkov. "The next step for this is the study of multidimensional pattern recognition methods based on wavelet analysis," he said. Wavelets are a form of compressed data.

The researchers' idea of modeling network traffic characteristics as functions is an interesting one, but "the question of whether such a view is meaningful, or if it would lead to useful results," cannot be answered without testing the method on real networks, said R. Sekar, an assistant professor of computer science at the State University of New York at Stony Brook.

It is also difficult to predict whether it will be possible to find unfamiliar intrusions this way, according to Anita Jones, a professor of engineering and applied science at the University of Virginia. "Any mathematical approach depends upon detecting some properties that distinguish the intrusive traffic from normal traffic. Just as in real life, what is harmful can often be masked to appear benign. Such traffic can sometimes be very hard to distinguish from normal traffic," she said.

Gudkov's research colleague is Joseph E. Johnson of the University of South Carolina. The research was funded by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory.

Timeline: 3 years
Funding: Government
TRN Categories: Networking; Internet
Story Type: News
Related Elements:  Technical paper, "New Approach for Network Monitoring and Intrusion Detection," posted on the arXiv physics archive at


December 5, 2001
