Free Redacted Document - District Court of Delaware - Delaware


File Size: 100.7 kB
Pages: 4
Date: July 17, 2006
File Format: PDF
State: Delaware
Category: District Court of Delaware
Author: unknown
Word Count: 610 Words, 4,217 Characters
Page Size: Letter (8 1/2" x 11")
URL

https://www.findforms.com/pdf_files/ded/8551/425-2.pdf



Case 1:04-cv-01199-SLR Document 425-2 Filed 07/17/2006 Page 1 of 4

Live Traffic Analysis of TCP/IP Gateways
Phillip A. Porras
Computer Science Laboratory
SRI International
333 Ravenswood Avenue
Menlo Park, CA 94025

Alfonso Valdes
Electromagnetic and Remote Sensing Laboratory
SRI International
333 Ravenswood Avenue
Menlo Park, CA 94025
The work presented in this paper is currently funded by
DARPA/ITO under contract number F30602-96-C-0294.
Point of Contact: Phillip A. Porras
Phone: (415) 859-3232
Fax: (415) 859-2844
August 1, 1997
ABSTRACT
We enumerate a variety of ways to extend both statistical and
signature-based intrusion-detection analysis techniques to monitor
network traffic. Specifically, we present techniques to analyze
TCP/IP packet streams that flow through network gateways for
signs of malicious activity, nonmalicious failures, and other
exceptional events. The intent is to justify, by example, the expense
(in computational resources and human oversight) of introducing
network surveillance mechanisms to monitor network traffic. We
present this discussion of gateway surveillance modules as
complementary to the filtering mechanisms of a large enterprise
network, and illustrate their utility in directly enhancing the
security and stability of network operations.

1. Introduction
Significant progress has been made toward the development of mechanisms to parse
and filter hostile external network traffic, and thus prevent it from entering internal
network environments [Firewalls94, Chapman95]. Mechanisms for preventing such
traffic from reaching internal network services have become widely accepted as
prerequisites for limiting the exposure of internal network assets while providing
interconnectivity with external networks. Filtering rules for packet- or
transport-layer communication should be enforced at key entry points between
internal networks and external traffic. Developing filtering rules that strike an
optimal balance between the restrictiveness necessary to suppress the entry of
unwanted traffic and the permissiveness needed to allow the flows demanded for user
functionality can be a nontrivial exercise.
In addition to intelligent filtering, there have also been various developments in
recent years in passive surveillance mechanisms that monitor network traffic for signs
of malicious or anomalous (e.g., potentially erroneous) activity. Such tools attempt
to provide network administrators timely insight into noteworthy exceptional
activity. Real-time monitoring promises an added dimension of control and insight
into the flow of traffic between the internal network and its external environment.
The insight gained through fielded network traffic monitors could also aid sites in
enhancing the effectiveness of their firewall filtering rules.
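The following is an added illustration, not code from the paper or from SRI's EMERALD system: a toy gateway monitor in Python that applies the two kinds of analysis the abstract names, a signature check and a statistical profile, to a constructed stream of TCP packet events. The packet record layout, the two signatures (a segment with SYN and FIN both set, and a segment with no flags set), the ten-second window, the threshold of four times the long-term mean with a floor of five, and the sample addresses are all assumptions chosen for illustration.

```python
"""Added example (not from the paper or SRI's EMERALD code): a toy gateway
traffic monitor combining signature-based and statistical analysis over a
constructed packet stream. Field names, thresholds and sample data are
assumptions made for illustration."""
from collections import defaultdict
from dataclasses import dataclass

# TCP control flag bit values (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Packet:
    ts: float     # seconds since the start of the (constructed) capture
    src: str      # source IPv4 address
    dst: str      # destination IPv4 address
    dport: int    # destination TCP port
    flags: int    # TCP flag bits


# --- signature analysis ----------------------------------------------------
# (name, predicate) pairs. Illustrative patterns, not the paper's signatures.
SIGNATURES = [
    # SYN and FIN together never occur in legitimate TCP; scanners use the
    # combination to slip past filters that only look for bare SYNs.
    ("syn-fin", lambda p: bool(p.flags & SYN and p.flags & FIN)),
    # A segment with no flags at all ("null scan") is likewise illegal.
    ("null-flags", lambda p: p.flags == 0),
]


def match_signatures(packet):
    """Return the names of every signature the packet triggers."""
    return [name for name, pred in SIGNATURES if pred(packet)]


# --- statistical analysis --------------------------------------------------
class SynRateProfile:
    """Compare each source's SYN count in the current window with the mean
    of its earlier windows (a crude long-term profile).

    A source is reported when its count exceeds max(floor, factor * mean).
    The first window a source appears in builds history only; it cannot
    alert on itself. window/factor/floor are assumed tuning values."""

    def __init__(self, window=10.0, factor=4.0, floor=5):
        self.window, self.factor, self.floor = window, factor, floor
        self.long_term = defaultdict(list)   # src -> per-window SYN counts

    def analyze(self, packets):
        """Return a list of (window_index, src, count, prior_mean) alerts."""
        syns = [p for p in packets if (p.flags & SYN) and not (p.flags & ACK)]
        if not syns:
            return []
        n_windows = int(max(p.ts for p in syns) // self.window) + 1
        alerts = []
        for w in range(n_windows):
            lo, hi = w * self.window, (w + 1) * self.window
            counts = defaultdict(int)
            for p in syns:
                if lo <= p.ts < hi:
                    counts[p.src] += 1
            # Sources seen before but silent now get a zero so the mean decays.
            for src in set(counts) | set(self.long_term):
                c = counts.get(src, 0)
                history = self.long_term[src]
                mean = sum(history) / len(history) if history else 0.0
                if history and c > max(self.floor, self.factor * mean):
                    alerts.append((w, src, c, mean))
                history.append(c)
        return alerts


def run_monitor(packets, profile=None):
    """Run both analyses over one packet stream and return the findings."""
    profile = profile or SynRateProfile()
    hits = [(p.ts, p.src, n) for p in packets for n in match_signatures(p)]
    return {"signature_hits": hits, "rate_alerts": profile.analyze(packets)}


def sample_packets():
    """Constructed stream: steady web traffic from 10.0.0.5, a quiet host
    10.0.0.9 that sends a SYN+FIN probe and then a 40-port SYN burst."""
    pk = []
    for i in range(15):                      # one handshake every 2 s
        t = i * 2.0
        pk.append(Packet(t, "10.0.0.5", "192.0.2.10", 80, SYN))
        pk.append(Packet(t + 0.1, "10.0.0.5", "192.0.2.10", 80, ACK))
    pk.append(Packet(3.0, "10.0.0.9", "192.0.2.10", 22, SYN))
    pk.append(Packet(13.0, "10.0.0.9", "192.0.2.10", 22, SYN))
    pk.append(Packet(19.5, "10.0.0.9", "192.0.2.10", 23, SYN | FIN))
    for port in range(1, 41):                # burst between t=20 and t=22
        pk.append(Packet(20.0 + port * 0.05, "10.0.0.9", "192.0.2.10", port, SYN))
    return sorted(pk, key=lambda p: p.ts)


if __name__ == "__main__":
    for kind, findings in run_monitor(sample_packets()).items():
        print(kind, findings)
```

On the constructed stream the signature module reports the single SYN+FIN segment, and the profile reports 10.0.0.9 in the third window (40 SYNs against a prior mean of 1.5) while 10.0.0.5's constant five SYNs per window never exceed its own profile. Both kinds of finding carry the source address, which is the datum a site would need to turn a monitor alert into a tighter firewall rule, as the paragraph above suggests.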
However, traffic monitoring is not a free activity, especially live traffic
monitoring. Our discussion of network analysis techniques is presented fully
realizing the costs they imply with respect to computational resources and human
oversight. For example, obtaining the necessary input for surveillance involves the
deployment of instrumentation to parse, filter, and format event streams derived
from potentially high-volume packet transmissions. Complex event analysis,
response, and management of the units also introduce cost. Clearly, the introduction
of network surveillance components on top of already deployed protective traffic
filters is an expense that requires justification. In this paper, we outline the benefits
of our techniques and seek to persuade the reader that these costs can be
worthwhile.
[This paper will appear in the Proceedings of the
1998 Symposium on Network and Distributed System Security.
A final version will appear on this web page by November 1997.
Please check back then if you would like a copy. Thank you]
http://web.archive.org/web/19980124003236/http://www.csl.sri.com/emerald/traffic-short.html