Security for the Common Man, 10-R8106
Inclusive Dates: 09/29/09 to 09/28/10
Background - Computer security must provide a balance between protection and usability. This is especially true in home and small office environments where users have neither the time nor the expertise to manage complex security software, yet where the risk of infection is great. This project developed a new approach for detecting infected computers and for interacting with users in terms of human knowledge rather than low-level network data.
Approach - SwRI's detection approach is based on monitoring outbound communication sessions rather than looking for malware in network traffic. This is an entirely new tactic. Instead of looking for malware or for behavior indicative of malware, SwRI is attempting to determine the cause for communication sessions initiated by the local computer. The approach is based on two premises. First, infected computers must communicate with a remote site for command and control purposes and to perform assigned tasks. Second, legitimate outbound sessions are usually associated with a prior event such as visiting a web site, sending a database query or playing an online video game. Malicious software will generate communication that cannot be accounted for by either the monitoring system or the human user. To determine if an initiated session is legitimate, forward references were extracted from incoming traffic such as embedded uniform resource locators (URLs) in Web pages or host lists in peer-to-peer protocols. The forward references are used to build causal reference chains that establish the reason and context for a subsequent outbound connection. In addition to causal information, human-understandable information about each session is provided, such as the geographic location of the remote site, its reputation and the type of data involved.
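The causal reference chain idea above can be made concrete with a small tracker. The following Python is an added example written for this page, not SwRI's SCM code: it extracts forward references (href/src URLs) from an inbound HTML page, records each referenced host as an expected future destination together with the chain of hosts that led to it, and then classifies later outbound sessions as having a known cause or no known cause. The traffic, hostnames, the 300-second validity window and the user_action/learn_page/classify names are all constructed assumptions for the demo.

```python
"""Causal reference chains for outbound sessions (added example, not SCM code).

Forward references (URLs embedded in an inbound page) become expected future
destinations. A later outbound session to one of those hosts is explained by
the chain of references that led to it; a session with no matching reference
is flagged as having no known cause.
"""
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import urlparse


class _RefExtractor(HTMLParser):
    """Collect href/src attribute values: the page's forward references."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.refs.append(value)


@dataclass
class Session:
    ts: float          # seconds since an arbitrary epoch (constructed)
    dst_host: str
    dst_port: int


@dataclass
class CausalTracker:
    window: float = 300.0      # assumed: how long a forward reference stays valid
    # host -> (time the reference was seen, chain of hosts that led to it)
    expected: dict = field(default_factory=dict)

    def user_action(self, ts, host):
        """The user deliberately went somewhere (typed a URL, clicked a bookmark)."""
        self.expected[host] = (ts, [host])

    def learn_page(self, ts, source_host, html):
        """Inbound page from source_host: every embedded URL becomes an expected host."""
        parser = _RefExtractor()
        parser.feed(html)
        parent_chain = self.expected.get(source_host, (ts, [source_host]))[1]
        for ref in parser.refs:
            host = urlparse(ref).hostname
            if host and host not in self.expected:      # first reference wins
                self.expected[host] = (ts, parent_chain + [host])

    def classify(self, session):
        """Return (verdict, chain); verdict is 'known cause' or 'no known cause'."""
        entry = self.expected.get(session.dst_host)
        if entry is None:
            return "no known cause", None
        seen_at, chain = entry
        # The reference must precede the session and still be within the window.
        if seen_at > session.ts or session.ts - seen_at > self.window:
            return "no known cause", None
        return "known cause", chain


def run_demo():
    """Constructed traffic: one user visit, its page, then four outbound sessions."""
    page = """<html><body>
      <img src="https://img.example-news.test/logo.png">
      <a href="https://ads.example-ads.test/click?id=1">ad</a>
      <script src="https://cdn.example-cdn.test/lib.js"></script>
    </body></html>"""
    tracker = CausalTracker()
    tracker.user_action(100.0, "www.example-news.test")
    tracker.learn_page(101.0, "www.example-news.test", page)
    sessions = [
        Session(102.0, "img.example-news.test", 443),
        Session(103.0, "cdn.example-cdn.test", 443),
        Session(104.0, "203.0.113.9", 6667),          # nothing referenced this host
        Session(900.0, "ads.example-ads.test", 443),  # referenced, but outside the window
    ]
    return {s.dst_host: tracker.classify(s) for s in sessions}


if __name__ == "__main__":
    for host, (verdict, chain) in run_demo().items():
        print(f"{host:24} {verdict:15} {' -> '.join(chain) if chain else ''}")
```

The chain returned for a known-cause session (for example `www.example-news.test -> img.example-news.test`) is the human-readable context the page describes; the unexplained session to an unreferenced host on port 6667 is the kind of event that would be highlighted for the user. A real monitor would need extractors for other formats (peer-to-peer host lists, redirects, DNS answers) and a policy for references that arrive inside encrypted sessions, which this demo cannot see.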
The second innovation is a visual interface that leverages human knowledge and pattern recognition abilities. SwRI adapted the nova 2-D radial visualization metaphor to the display of communication sessions. The radial characteristic of the nova makes it easy to simultaneously identify overall patterns and to spot unusual individual points. Highlighted lines allow a human to quickly detect sessions without a known cause, sessions to a foreign location, encrypted sessions, or any combination.
Because this method is based on external network monitoring, it cannot be subverted by a rootkit, has no impact on performance and is independent of the target hardware and software. A second advantage is the data reduction resulting from analyzing in terms of communication sessions rather than data packets or network flows. Compared to packets and flows, sessions reduce the data load by several orders of magnitude. Moreover, sessions are a more intuitive concept for humans and help bridge the gap between human information and network data.
- The project produced a proof-of-concept software tool called Security for the Common Man (SCM). SwRI evaluated SCM experimentally using three personas: worker, shopper and teenager. Results showed strikingly different nova patterns for the three personas, demonstrating how the nova pattern can quickly convey information to users. Experiments did not explicitly include malware tests; however, the SCM visualizations did alert SwRI to a real-world case of hidden software acting in an unexpected and illegitimate manner.