USC computer scientist helps White House networks thwart computer attacks

By Chris Horn

Therminator, a theoretical model and software program co-developed by a USC computer science faculty member, is being tested in the White House computer network as a tool to thwart computer network attackers.

John Zachary, an assistant professor in the Department of Computer Science and Engineering, is head of the Distributed Systems Security and Cryptography Laboratory. Together with collaborators from the Naval Postgraduate School (NPS) in Monterey, Calif., he recently helped install the system on certain networks of the Executive Office of the President. Therminator creates a three-dimensional visualization of traffic patterns on large computer networks, allowing technicians to spot anomalies often associated with attacks by computer hackers. The Department of the Navy supports Zachary’s research in this area.

“Therminator gives you an intuitive three-dimensional model of network activity, which means that a human analyst has a color-coded representation of how much activity is happening and where it’s occurring,” Zachary said. “Therminator can give you an idea of what looks normal and what’s an anomaly in terms of network traffic. The bottom line for humans is that it’s much easier and faster to interpret a picture than a large set of numbers.”

Therminator was first developed two years ago by mathematicians at the National Security Agency. Zachary and his collaborators at NPS have refined the capabilities of the model and the software, making it even more useful for monitoring large-scale networks such as the one mounted at the White House, whose computer system is a frequent target of hackers.

The need for new network monitoring and anomaly detection software is driven by the immense complexity of networks and by the growing threat of international computer hackers, Zachary said.

“Network hackers have the advantage,” he said. “They need only to find a single point of vulnerability to exploit, whereas defenders must protect all points of access and vulnerability. It is not dissimilar to the asymmetry of the modern terrorist threat.

“The problem with some network security programs has been that they frequently send out many false alarms, spotting problems that don’t really exist. This causes network administrators to waste time and effort chasing ‘ghosts’ in their network. Therminator doesn’t just sound an alarm; it gives a human administrator the ability to visualize what’s happening and to respond appropriately.”

The software can also be used to spot weaknesses in a network’s configuration that frequently are targeted by hackers.

Zachary refers to Therminator’s operational capability as conversational exchange dynamics (CED), an approach that may be applicable to other security-related problems. He is currently developing a similar model for intelligence collection and analysis. Because of the sheer volume of global e-mail traffic and other computer-based communication, finding and tracking communiqués between terrorists is as difficult as “finding a needle with a particular head in a haystack of needles,” Zachary said.

But a model like conversational exchange dynamics can perform intelligent data reduction to give analysts a clearer picture of what is happening over large networks. In effect, CED helps analysts discover the dots they should focus on connecting.

Zachary earned his Ph.D. in computer science at Louisiana State University and joined USC’s College of Engineering and Information Technology last year. In addition to the Therminator project, Zachary has a grant from the National Institute of Standards and Technology (NIST) to study wireless sensor network security and to analyze mobile software code used in remote probes.

Sensors and actuators connected by wireless networks are increasingly used in buildings to monitor energy usage, security, and other utility functions. The standards for them are based on the same standards as the Internet, which makes them susceptible to attacks originating from the Internet. However, because they communicate over wireless channels, they are also vulnerable to new kinds of attacks. Zachary’s work on mobile code systems could have implications for transmission of data by deep space probes that send data to Earth over millions of miles.

03/04

Picture caption
John Zachary