Scalable Cyber Security: Berkeley Lab to Demo Intrusion Detection Cluster

Striking a balance between the openness needed for scientific research and the requirements for strong cyber security is an ongoing challenge, made even more difficult by ever-increasing bandwidth. But Lawrence Berkeley National Laboratory has developed a comprehensive approach to cyber security that allows the open exchange of scientific knowledge while simultaneously protecting critical resources from attacks — the Bro intrusion detection system. And now, Bro is Big Bro in the form of a scalable cluster, which will demonstrate its effectiveness on a 10 gigabit network connection during the SC06 conference to be held Nov. 11-17 in Tampa. The demo will be featured in LBNL's booth, number 1812.

First developed by Vern Paxson at LBNL in 1996, Bro is an open-source, UNIX-based network intrusion detection system that passively monitors network traffic and looks for suspicious activity. Since 2001, Bro has also been deployed at SC conferences, monitoring incoming and outgoing traffic. At SC03, the "Spinning Cube of Potential Doom" debuted, providing attendees with a graphical representation of the scanning attempts on network connections at the conference.

Bro detects intrusions by first parsing network traffic to extract its application-level semantics and then executing event-oriented analyzers that compare the activity with patterns deemed troublesome. Bro's power comes from its semantically high-level, rich contextual analysis engine, which allows it to detect complex patterns of behavior and test for compliance with sophisticated, site-specific policies.

As network bandwidth increases, monitoring all traffic with a single system becomes less feasible in today's high-speed environments. The idea behind the Bro cluster is to partition traffic flows across multiple systems. Each worker node parses the flows assigned to it and performs preliminary application-level analysis. It then submits distillations of the network activity to a single high-level node for global analysis, such as detecting network scans. Higher bandwidth loads can be handled by simply adding worker nodes.

Bro has been successfully used on operational, high-speed networks at LBNL and elsewhere. Bro has detected hundreds of intrusions in complex, real-world environments – intrusions that would have otherwise gone unnoticed. Logs generated by Bro have also been used by law enforcement agencies in tracking and apprehending hackers. Bro was named after the ever-watching Big Brother in George Orwell's novel, "1984."

Learn more about Bro and download the latest version from its Web site.

Berkeley Lab is a U.S. Department of Energy national laboratory located in Berkeley, California. It conducts unclassified scientific research and is managed by the University of California. Learn more at its Web site.
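The cluster design described above (flows partitioned across workers, each worker distilling what it sees, one manager doing global analysis such as scan detection) can be illustrated with a small simulation. This is an added example, not Bro's code: the flow-hash, the distillation format and the sample traffic are all constructed here, and the point it shows is why scan detection belongs at the manager, since a scanner's probes are spread across workers and no single worker sees enough of them to alert.

```python
import ipaddress
from collections import defaultdict

# Constructed sample traffic, not real captures: (src_ip, dst_ip, dst_port).
# 10.0.0.9 touches port 22 on eight hosts (a scan); 10.0.0.5 is ordinary traffic.
FLOWS = [("10.0.0.9", f"192.168.1.{i}", 22) for i in range(1, 9)] + [
    ("10.0.0.5", "192.168.1.1", 443),
    ("10.0.0.5", "192.168.1.2", 80),
    ("10.0.0.5", "192.168.1.1", 443),
]

def assign_worker(src, dst, n_workers):
    """Simplified, symmetric stand-in (assumption) for the flow hash a cluster
    front end uses so both directions of a connection reach the same worker."""
    return (int(ipaddress.ip_address(src)) + int(ipaddress.ip_address(dst))) % n_workers

def worker_distill(flows):
    """Per-worker preliminary analysis: reduce raw flows to a distillation of
    the distinct (destination, port) targets each source contacted, which is
    all the manager needs for scan detection."""
    targets = defaultdict(set)
    for src, dst, dport in flows:
        targets[src].add((dst, dport))
    return targets

def detect_scans(distillations, threshold):
    """Global analysis: merge every worker's distillation and flag sources
    whose distinct-target count reaches the threshold."""
    merged = defaultdict(set)
    for d in distillations:
        for src, t in d.items():
            merged[src] |= t
    return {src for src, t in merged.items() if len(t) >= threshold}

def run_cluster(flows, n_workers, threshold):
    """Returns (sources any lone worker would flag, sources the manager flags)."""
    per_worker = defaultdict(list)
    for src, dst, dport in flows:
        per_worker[assign_worker(src, dst, n_workers)].append((src, dst, dport))
    distillations = [worker_distill(f) for f in per_worker.values()]
    local = set().union(*(detect_scans([d], threshold) for d in distillations))
    return local, detect_scans(distillations, threshold)

if __name__ == "__main__":
    local, global_ = run_cluster(FLOWS, n_workers=4, threshold=5)
    print("worker-local alerts:", local)   # set(): each worker sees only 2 probes
    print("manager alerts:", global_)      # {'10.0.0.9'}
```

With four workers the eight probes land two per worker, so a per-worker threshold of five never fires, while the manager's merged view counts all eight targets and flags the source.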