Zeroing In

The world of computer security can be summed up as an escalating contest of wills between the white hats and the black hats. The black hats, once thought of as meddlesome but manageable hacks, now attack with such frequency and severity that they've become a major drain on business efficiency. And in the aftermath of Sept. 11, they look like a potential national security threat as well.

But the white hats aren't sitting by helplessly. While the occasional successful attack such as this summer's Code Red worm grabs headlines, researchers in labs around the country are quietly building novel approaches to protecting and collecting digital information that will challenge the way we think of security for our computers and ourselves. Some strain the imagination, such as atomic-size computers that float in the air like dust motes, invisibly recording and tracking the movements of suspected criminals, or electronic messages sent in unbreakable code based on quantum physics. While these may be a decade or more away, other innovations are likely to emerge in just a few years, such as a project to use automated data-mining techniques to sniff out com-puter attack and fraud patterns across the entire financial industry.

The effort is fueled by growing collaboration among academic, industry, and government researchers focused on the security of computer networks and digital assets. Their individual goals are varied: to better identify the source of cyberattacks, to develop strategies for repelling intrusions, to contain attacks before they spread and cause widespread damage, and to anticipate future attacks by analyzing past events. Researchers at places ranging from the University of California to the Department of Defense to companies such as IBM and Microsoft are applying the latest advances in physics, applied mathematics, and computer science to security.

New techniques will challenge the approach taken by many companies that treat security as largely an internal issue. Researchers at Columbia University, Georgia Tech, and the Florida Institute of Technology are developing tools that will require industrywide collaboration in return for better protection. Columbia computer-science professor Salvatore Stolfo and his team are developing a distributed data-mining system that can operate over large-scale networks spanning several companies for use in fraud and intrusion detection to guard, for example, financial institutions engaged in E-commerce. While credit-card companies today use custom or proprietary fraud-detection software, Columbia's Intrusion Detectors project seeks to create a global data-mining system that will let organizations share information about attackers as a countermeasure to future breaches. The system, which Stolfo says will be viable within about five years, creates computer models by analyzing vast amounts of data from many companies about past attacks to anticipate security problems. Agent software scans the cooperating companies' networks and servers, looking for problems and relaying data about possibly fraudulent activities by inspecting and classifying financial transactions.

Getting companies interested in these types of leading-edge projects may be easier in the aftermath of the terrorist attacks on the World Trade Center and the Pentagon. While companies often paid lip service to the importance of security before Sept. 11, implementation was inconsistent. Now, companies are reassessing their security policies and hiring third parties to test their network perimeters. Those that don't like what they see may be more willing to invest further.

Still, companies aren't in the habit of collaborating on security; they've primarily emphasized keeping systems closed through limited access, virtual private networks, and firewalls (see story, p. 39). The latest research takes a different approach: accept that the black hats will get in, but limit the damage by boxing them into areas where they can't do much harm--and be able to strike back. "We have this fixation on walls. But walls don't work. We erect them, and the enemy finds a way around them," says Matt Bishop, a computer-science professor at the University of California at Davis. Bishop is creating mathematical models to assess system and network vulnerabilities and using predictive-analysis techniques to anticipate where future attacks will come from. Future systems will be better able to take a hit and recover from attacks by containing them to small areas of a system, he says.

The threat is far from theoretical. This past summer, the Code Red worm spread faster than any bug in Internet history, exploiting a flaw in Microsoft's server software, Internet Information Server, to infect more than 760,000 computers. The worm spread by self-replicating, transmitting itself to other machines, and was used to launch denial-of-service attacks--a barrage of data aimed at one Web site in an effort to overwhelm it.

The effort to improve computer security is driven by two truths that aren't likely to change: Networks need to be open, and software is essentially imperfect--both of which mean hackers will find their way in. What's changing is the ability of software to take on security-monitoring tasks previously performed by people: watching for, analyzing, and reacting to security threats. In the future, expect security systems to anticipate where problems are likely to occur and move resources into place to address the potential threat. "As Wayne Gretzky once said, skate to where the puck is going, not to where it is now," says Christopher Darby, CEO of Boston security consulting firm @Stake Inc. Agents and sensors will become crucial solutions to the manpower problem associated with computer security.

At the Defense Advanced Research Projects Agency, or Darpa, researchers are trying to build security systems that are less like a moat around a castle and more like a nice, safe sandbox. That's one of the ideas behind the Darpa Oasis project (Organically Assured and Survivable Information Systems), which is charged with making computer systems more likely to survive a cyberattack, says Jaynarayan Lala, Oasis' program manager. The technology being developed by Darpa takes two basic approaches to keep applications safe: putting applications inside a wrapper so their actions can be monitored, or keeping them in a contained area where their actions can be observed and only safe behavior is allowed. Lala's goal is to produce a lightweight, open, and cost-effective technology that can be used by the government and licensed to the private sector. The four-year project is nearly at the halfway point, and Lala expects commercial products in a couple of years.

If these techniques had been in place this summer when Code Red struck, Lala says, the software would have detected each of the phases of the worm and stopped it before it could propagate. That could be important for network managers who have difficulty keeping up with every flaw and patch. The flaw that Code Red exploited in Microsoft's software was well-known, and a patch was readily available almost a month before the worm spread across the Internet.

Raytheon Corp. also has been looking at the network side of the security equation. Raytheon researchers created a 3-D visualization tool for inspecting network perimeters under a grant from the Defense Department. SilentRunner, which is commercially available, is forensic software that lets network administrators navigate through a virtual network, looking for unusual usage patterns and intruders. The system's analytic component then lets administrators make sense of what they've seen and detect suspicious activity coming from inside or outside the network.

These concepts could extend beyond computer networks to the real world with sensors that automatically collect information without human data entry. Lucian Hughes, an associate partner in Accenture's Technology Laboratories, says the Smart Dust project being conducted at the University of California at Berkeley is just one of many research initiatives that will lead to what he terms "silent commerce": smart tags, tiny embedded databases, active batteries, and micromotes that can automatically collect data, relay it to other systems, and monitor environmental conditions. Smart Dust are tiny computers the size of dust particles, equipped with various types of sensors, including a camera and voice recorder.

Hughes doubts that privacy concerns will hold back the effort, because people regularly give up personal data in return for discounts and convenience.

Most businesses aren't ready for automated security and surveillance, but not because of privacy concerns--they simply don't trust it. One scenario involves the use of analytic software to make intelligent assumptions about system vulnerabilities and attack patterns. Already, security companies such as Symantec Corp. have basic automation technology built into their security software, but many customers opt not to use it. "They may let the software identify the problem, but they still want an administrator to make the call and implement the fix," says Rob Clyde, Symantec's chief technology officer.

Will networks remain as open as they've been, given the rising level of hacking and growing threat of cyberterrorism? Whitfield Diffie, a distinguished engineer at Sun Microsystems and the inventor of public key encryption, predicts they will. People and businesses demand ever-greater connectivity, and the notion of boundaries--both real and virtual--is fading, leaving nations and networks more open than ever, he says. Just as national boundaries have become less distinct, so, too, will network boundaries, driven by economic globalization, workforce mobility, and the growing complexity of trade relationships.

Yet there's no doubt that cybersecurity threats are increasing. Symantec's Clyde notes there are now so many free tools on the Internet that hackers needn't be experts to cause problems; all they have to do is run readily available scripts. And with 97% of the world's money supply in digital form, hacking as an intellectual exercise will rapidly give way to cybercrime for profit, he predicts. Researchers are pursuing ways to enable frictionless, secure E-commerce while protecting the security and privacy of individuals and institutions.

Researchers at IBM's Zurich, Switzerland, lab have developed prototype network sensors that can detect passive intruders, those that break in and observe what's going on without stealing or doing damage. The Sniffer Detector simulates network traffic using bogus information as bait for the intruder. The intruder can be identified when he or she attempts to use this information to gain access to the system.

Microsoft also has an eye toward providing secure E-commerce with digital watermarking techniques to protect digital content from theft and corruption. Microsoft researchers are working on algorithms to attach watermarks to digital content such as photographs, works of art, or electronic currency.

MIT's Media Lab is working on a project to let organizations conceal information within various forms of media that help prevent theft and misuse of copy-protected material. Two projects focus on preventing counterfeiting on high-quality printers--the Patchtrack technology lets ink-jet printers hide a serial number in a printed image, so a counterfeiter won't know to re-create it; the Tartan Thread initiative embeds digital signatures into documents such as stock certificates that tell a printer not to copy them.

All these initiatives are possible in the short term. Push the horizon out further--say, 10 to 20 years--and businesses can expect radical new approaches to security using quantum mechanics, photons, and micromachines to encrypt and transmit data safely. Scientists at Los Alamos National Laboratory in New Mexico have demonstrated the use of single photons to send cryptographic keys in the open air and over fiber-optic links, says Richard Hughes, quantum information team leader at the lab. Quantum particles are subject to the Heisenberg uncertainty principle, which stipulates that the mere act of observing a quantum particle changes it. This is what renders a quantum key virtually unbreakable--if a hacker looks at it, it's rendered useless.

Researchers still need to figure out how to enable quantum bits to interact with each other in the real world--how to get the bits to survive random interference such as light, yet remain sensitive to corruption by adversaries trying to intercept the communication. Los Alamos has a patent for this technology and an application pending, Hughes says. Several companies have made moves to license the technology, and he says the right resources could make a product commercially viable in a few years.

The lab is also working on the development of quantum computers capable of cracking any type of existing encrypted code. But such a machine--microscopic in size--is a couple of decades away from reality. Most quantum machines today have single quantum bits; a code-breaking device would need tens of thousands of quantum bits to crack large cryptographic sequences of numbers, Hughes adds.

In many ways, these advanced efforts are the exception. Security hasn't been considered one of the sexiest or most exciting research areas, and in recent years, federal, academic, and industry funding for security research has fallen, says UC Davis' Bishop. Even the number of computer-science degrees issued in the security field has declined in recent years.

The attacks of Sept. 11 have focused a spotlight on the need for better computer security for the systems that run our banks, phone companies, power plants, and airports. Greater financial backing will follow the growing interest in security, says Tom Longstaff, a manager at the CERT security center at Carnegie Mellon University. With that added support and renewed emphasis on security, who knows--maybe one day, the white hats won't have to constantly look over their shoulders.