Featured Research: Defending the Internet

Internet security is an issue of worldwide concern, as malicious hackers continue to invent new ways to steal personal information, infect computers with viruses, and otherwise use the Internet for nefarious purposes. Scientists at ICSI are fighting back, studying how malware is created and distributed, and developing methods to keep the Internet safe in a rapidly changing environment.

Security work at ICSI includes practical applications to prevent malware from infecting computers, as well as the more theoretical study of malware to better understand how it works, and thus inform the development of future security software.

The ICSI security team is led by Vern Paxson, also Associate Professor in the Electrical Engineering and Computer Science (EECS) Department at UC Berkeley and Staff Scientist at Lawrence Berkeley Laboratory (LBL). Current ICSI scientists are Mark Allman, Nicholas Weaver, Robin Sommer, and Christian Kreibich. Visiting scientists, student research assistants, and summer interns also contribute to ICSI security work. The team's overall goal is to make the Internet safer for all users. Progress toward this goal is made through targeted research projects, each focusing on a specific security problem. Many of these projects at ICSI are interrelated, building on each other's success, while a few look at the problem from completely new angles. This research, both past and ongoing, has been supported by funds and donations from the National Science Foundation (NSF), the Department of Homeland Security (DHS), the Department of Energy (DOE), Cisco, Intel, ESnet, Microsoft Research, VMware, and HP. The following project descriptions summarize several of the current Internet security projects at ICSI.


The ICSI Honeyfarm project was designed as a way to study the spread of malware without contributing to the infection epidemic in the real world. The Honeyfarm lures Internet attackers to its "Honeypots", computers and virtual computers designed to be vulnerable to attacks. This network of Honeypots isolates the malware, allowing researchers to study how it spreads and how it goes about causing damage under laboratory conditions. The Honeyfarm prototype that was created by Weidong Cui, a researcher at Microsoft (and this issue's featured alum), now has an entirely new implementation developed by Christian Kreibich and former intern Steve Hanna that addresses key changes in the threat landscape. One such change is that spam has become a common method of spreading malware. The new implementation exploits spam feeds (sources of substantial spam traffic) by carefully studying the traffic, luring malware, and executing it in a controlled fashion to study its behavior.


While worms and viruses are the kinds of malware most familiar to the public, the spread of "bots" represents a more significant problem today. Bots are stealthier than worms, as they don't inflict any obvious damage when they infect a computer. Running in the background, they use the infected machine for all kinds of malicious activities, including stealing credit card and other personal information, sending out spam email, or overloading a web server by sending multiple requests to the server from many infected machines at once (termed a denial-of-service attack). Some bots simply observe everything happening on a computer - every keystroke made by every user - and are able to stealthily inflict damage by (for example) adding items to an order while a user is logged into an e-commerce site.

Kreibich and the ICSI team are also working with scientists at UCSD led by Professor Stefan Savage to study botnets - networks of machines infected by bots. Spammers look for a topic of interest to get users to read an infected email. Early last year a huge storm in Europe provided them with a perfect subject line; the bot known as "Storm" spread very quickly and quietly without noticeably causing any problems, spreading to many (some experts estimate over a million) machines before anyone realized there was a problem. With such wide distribution, Storm could be quite damaging if it were used maliciously. Its scope and threat have generated a lot of concern, and this concern has produced media attention that is often unverified or even inaccurate. Kreibich and the UCSD team are studying Storm to combat it and make sure that the information regarding it is accurate and useful.


Bro, developed by Vern Paxson, is a network intrusion detection system currently in use at Lawrence Berkeley Laboratory (LBL) and UC Berkeley. It detects and logs hostile activity by filtering network traffic and analyzing relevant events against a set of rules to interpret and describe the network activity. Based on the information Bro detects, it can either create alerts of potentially troublesome activity, or execute programs to terminate malicious connections and block traffic from hostile hosts. A particular advantage of Bro is that its more analytical features allow it to detect network behaviors manifested by novel forms of attacks.
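The pipeline described above (filter traffic, turn it into events, evaluate the events against rules, then alert or block) can be illustrated with a small rule engine over connection events. This is an added example, not Bro's own code or policy language: the event tuple format, the two rules (a port-scan rule that blocks and an SSH login-failure rule that only alerts), the thresholds, and the trusted-scanner exemption are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed connection events: (source, destination, destination port, outcome).
# "rejected" = no service answered, "auth_failed" = SSH login refused, "ok" = normal.
SAMPLE_EVENTS = [
    ("10.0.0.5", "192.0.2.10", 21, "rejected"),
    ("10.0.0.5", "192.0.2.10", 22, "rejected"),
    ("10.0.0.5", "192.0.2.10", 23, "rejected"),
    ("10.0.0.5", "192.0.2.10", 25, "rejected"),
    ("10.0.0.5", "192.0.2.10", 80, "rejected"),
    ("10.0.0.5", "192.0.2.10", 443, "rejected"),
    ("10.0.0.7", "192.0.2.10", 22, "auth_failed"),
    ("10.0.0.7", "192.0.2.10", 22, "auth_failed"),
    ("10.0.0.7", "192.0.2.10", 22, "auth_failed"),
    ("10.0.0.1", "192.0.2.10", 21, "rejected"),  # the site's own scanner; filtered out
    ("10.0.0.1", "192.0.2.10", 22, "rejected"),
    ("10.0.0.1", "192.0.2.10", 23, "rejected"),
    ("10.0.0.1", "192.0.2.10", 25, "rejected"),
    ("10.0.0.1", "192.0.2.10", 80, "rejected"),
    ("10.0.0.9", "192.0.2.10", 443, "ok"),
]

# Hypothetical: hosts the operators run themselves, exempted at the filter stage.
TRUSTED_SOURCES = {"10.0.0.1"}


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


@dataclass
class Verdict:
    alerts: list = field(default_factory=list)   # alerts raised, in order
    blocked: set = field(default_factory=set)    # sources the rules chose to block


def analyze(events, trusted=TRUSTED_SOURCES, scan_threshold=5, fail_threshold=3):
    """Run filter -> event -> rule -> action over a list of connection events.

    Each rule fires exactly once per (source, destination) pair, when its
    threshold is first reached, so a long scan does not flood the operator.
    """
    verdict = Verdict()
    rejected_ports = defaultdict(set)  # (src, dst) -> distinct ports that were rejected
    auth_failures = defaultdict(int)   # (src, dst) -> count of failed SSH logins

    for src, dst, port, outcome in events:
        if src in trusted:             # filter stage: drop traffic we never analyze
            continue
        key = (src, dst)
        if outcome == "rejected":
            rejected_ports[key].add(port)
            if len(rejected_ports[key]) == scan_threshold:
                verdict.alerts.append(Alert(
                    "port_scan", src,
                    f"{scan_threshold} distinct rejected ports on {dst}"))
                verdict.blocked.add(src)   # action: block the scanning host
        elif outcome == "auth_failed" and port == 22:
            auth_failures[key] += 1
            if auth_failures[key] == fail_threshold:
                verdict.alerts.append(Alert(
                    "ssh_bruteforce", src,
                    f"{fail_threshold} failed SSH logins on {dst}"))
                # action: alert only; a lockout here could let a spoofed
                # source deny service to a legitimate user
    return verdict


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for alert in result.alerts:
        print(f"ALERT {alert.rule}: {alert.host} - {alert.detail}")
    print("blocked:", sorted(result.blocked))
```

The point of separating the rule from the action is the one the text makes about Bro: the same event stream can drive an alert, a connection reset, or a block, and which response a rule gets is an operational decision rather than a property of the detection logic.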

Nicholas Weaver and Robin Sommer are both refining Bro. Weaver has been incorporating hardware acceleration and improving the rules by which Bro recognizes and analyzes connections. This polishing of Bro's detection methods along with the hardware acceleration will improve Bro's efficiency in detecting attacks.

To achieve high performance, Bro currently operates on a cluster of machines. Sommer's work with Bro will enable it to run on a multicore parallel processor, which will reduce its communication latency and keep it able to scale its performance with future technology. He also works closely with the cybersecurity operations staff at LBL in their ongoing use of Bro and its associated technology.


The VAST project is improving network activity logs to help determine how and why network attacks succeed. It also seeks to standardize the way logs are recorded so that logs from different networks can be compared to each other when similar problems have occurred. This will improve the ability of a network's operators to detect problems such as intrusions. With improved and standardized logs, network administrators can study past network traffic and flag certain types of events to see if they have occurred on different sites, what happened as a result, and even trigger a response if it happens in the future. Automated analysis of these logs allows problems to be tracked very quickly. VAST can be used in conjunction with a network intrusion detection system such as Bro to analyze and track the data seen by the intrusion detection system. This synthesis of ICSI activities improves Bro's ability to detect intrusions and determine when and how they happened.


While projects such as Bro and VAST depend on detailed logging and analysis to identify and prevent network intrusions, a new project at ICSI seeks to incorporate troubleshooting as an essential element in designing network architecture. The scope of the troubleshooting project is not limited to one particular domain, but aims to be evolvable and applicable across architectures. In order to accomplish this, events found with Bro and VAST will be distilled and used in communication between system components. Even further, distilled repositories of these logs will be made available to parties not involved in a given transaction; this will facilitate cooperative troubleshooting while still protecting user privacy and competitive information. ICSI's work will lay the groundwork for a new graduate-level course in troubleshooting and provide material for undergraduate labs to prepare students for practical issues in networking.

Although the troubleshooting effort is a relatively new direction at ICSI, the team has already had success in this area. In collaboration with scientists at the University of Washington, ICSI's security team developed a method to detect insertions onto web pages by ISPs. They found that some ISPs are inserting ads and other modifications to the web pages seen by their viewers, and that some of these modifications include vulnerabilities. By creating more ways to determine when things like this are happening, and studying which are benign and which are malicious or cause vulnerabilities, scientists can improve overall security for users.


Weaver is also currently in the process of designing a security-related Grand Challenge competition. These competitions, such as robot-driven car races, offer significant prizes for the most successful solution to a problem. These prizes often attract people with wide-ranging skills and approaches to a challenge. Thus, Grand Challenge competitions can be an effective way to get lots of people working on a scientific obstacle and get interesting results quickly. Using NSF funding, Weaver is planning a conference, tentatively scheduled for summer 2008, where competitors would assume control of a server for 24 hours and defend it against attacks from the judges as well as from autonomous teams of hackers. The results of this competition can potentially inform other security efforts at ICSI by illustrating the efficacy of novel attack and defense methods.


Paxson, former ICSI intern Jason Franklin, and scientists at CMU and UCSD are fighting back against the Internet black market. Many illegal items, such as spamming services, toolkits for building phishing sites, and laundered money are available online. Criminal investigators need better tools to combat the spread of these markets. The researchers are looking at the problem of Internet attacks from a completely new perspective. By observing the commercial ecosystem online, the team is measuring and cataloging the activities of users who profit from illegal online activities, and is searching for potential vulnerabilities of the market.

Vendors on the black market can have reputation ratings, not unlike those found on eBay. Potential countermeasures reported by the group could employ these ratings. The first technique involves slandering the users' reputations so that potential buyers are less able to find vendors of illegal goods that appear reliable. The second is to create a large number of false vendor identities, and to use these false identities to legitimize each other. These "verified" vendors get business as if they were genuine and fail to deliver the goods and services. Techniques like these would create a lack of trust among potential buyers of black market services, so that they are less likely to feel comfortable buying products and services from sellers. Countermeasures such as these initial ideas could undercut the reliability of the existing market, turning it into a lemon market. The researchers are still exploring how the black market functions and identifying ways in which it is vulnerable.