Information Security News mailing list archives

DARPA's EMERALD Proves Worth in Cyberdefense


From: William Knowles <wk () C4I ORG>
Date: Tue, 15 Aug 2000 01:53:56 -0500

http://www.defenselink.mil/news/Aug2000/n08142000_20008144.html

By Jim Garamone

American Forces Press Service

WASHINGTON, Aug. 14, 2000 -- EMERALD is a gem in the world of
cyberdefense.

This EMERALD is not a green jewel, but the Event Monitoring Enabling
Responses to Anomalous Live Disturbances.

Developed by SRI International and the Defense Advanced Research
Projects Agency, EMERALD's ability to detect computer hackers and
other intruders surpasses current technology, said Michael Skroch,
program manager of the DARPA information assurance program.

The new technology is needed. "We're seeing an increase in the number
of attacks and the severity of attacks in the cyberdomain," Skroch
said. The recent "ILoveYou" virus and the denial of service attacks
are just two examples of the threats facing DoD and computer users
worldwide.

DARPA has long been involved in combating cyberattacks. "We're
currently focusing on integrating technologies into systems that can
defend against a broader range of attacks and (provide) a broader set
of capabilities that the warfighter depends upon," Skroch said.

He called EMERALD a quantum leap improvement over "signature-based"
technology. "Signature-based detectors are those that are currently on
most computers," he said. "They are able to detect things they have
seen before, but not things that are new." Because EMERALD is
anomaly-based, it can detect "novel attacks that the computer system
has never seen before," he said.

"EMERALD is not focused on just one computer system," Skroch said. "It
can be deployed among many systems in the network and correlate that
information on one display, so the warfighter can see the effect of an
attack on the entire network."

Skroch compared EMERALD to the security at a military base. A guard at
the "front gate," such as a firewall, can stop intrusions coming in
that way, he said. EMERALD, however, also implements sensors or
detectors around the computer network on different machines -- all can
detect anomalous behavior, misuse or other incoming attacks.

"By having all those sensors come to one central point, you are able
to see a coordinated attack much more easily," he said. Because
system administrators can see the whole scope of a cyberattack in real
time -- as it happens -- they can better defend against it.
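The two ideas in the article, per-host anomaly detection that needs no prior signature and a central point that correlates the sensors' alerts, are sketched below as an added illustration; this is not EMERALD's or SRI's code, and the event names, hosts, baseline figures and thresholds are all constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed event stream: (seconds, host, event). A login_fail burst on
# three hosts models a coordinated attack; rare_syscall is an event no
# signature list knows about, which is exactly what a signature detector misses.
EVENTS = [
    (0, "h1", "login_ok"), (1, "h2", "login_ok"), (2, "h3", "login_ok"),
    (3, "h1", "login_fail"), (4, "h2", "login_fail"), (5, "h3", "login_fail"),
    (6, "h1", "login_fail"), (7, "h2", "login_fail"), (8, "h3", "login_fail"),
    (9, "h1", "rare_syscall"),
]

# What a signature-based detector recognises: only patterns seen before (constructed).
KNOWN_SIGNATURES = {"known_worm_probe"}

# Per-host baseline: expected count of each event in a window of this length,
# learned from earlier "normal" traffic (constructed values).
BASELINE = {"login_ok": 1.0, "login_fail": 0.5}

def signature_alerts(events):
    """Signature sensor: alert only on events that match a known pattern."""
    return [(t, h, e) for t, h, e in events if e in KNOWN_SIGNATURES]

def anomaly_alerts(events, threshold=2.0):
    """Per-host anomaly sensor: alert when an event's count exceeds the
    baseline by the given ratio, or when the event has no baseline at all
    (never seen before). Returns sorted (host, event, count) tuples."""
    counts = Counter((h, e) for _, h, e in events)
    alerts = []
    for (h, e), n in counts.items():
        expected = BASELINE.get(e)
        if expected is None or n / expected >= threshold:
            alerts.append((h, e, n))
    return sorted(alerts)

def correlate(alerts, min_hosts=2):
    """Central console: group the sensors' alerts by event and report those
    anomalous on at least min_hosts hosts, i.e. a network-wide pattern that
    no single host's view would show."""
    hosts_by_event = defaultdict(set)
    for h, e, _ in alerts:
        hosts_by_event[e].add(h)
    return {e: sorted(hs) for e, hs in hosts_by_event.items() if len(hs) >= min_hosts}

if __name__ == "__main__":
    print("signature:", signature_alerts(EVENTS))
    print("anomaly:  ", anomaly_alerts(EVENTS))
    print("correlated:", correlate(anomaly_alerts(EVENTS)))
```

On this input the signature sensor reports nothing, each host's anomaly sensor flags the login_fail burst (and h1 flags rare_syscall), and the console shows login_fail as coordinated across h1, h2 and h3.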

Skroch said network administrators or security personnel alerted by
EMERALD could, for instance, block a specific attack or turn off the
targeted service rather than pull the plug completely.

EMERALD allows a more flexible response, but doesn't respond itself.
It would share information with responders. "In the future, we'll be
able to use EMERALD to detect and another system to provide automated
response," he said.

Tested with an operational command, EMERALD performed 10 times better
than similar technologies being evaluated, Skroch said. "It was able
to perform about 20 times better than commercial products available
today," he said.

For more information, visit the DARPA Web site at www.darpa.mil and
search on EMERALD. SRI International offers a free, downloadable
evaluation edition of EMERALD, called eXpert-BSM at its Web site; use
a search engine for the company address.


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".