Behavior-Based Network Security Goes Mainstream

David Geer

Computer, published by the IEEE Computer Society. Industry Trends.

Traditional network-based security examines traffic for code patterns or signatures that have been part of past intrusions or virus attacks. If known malicious code is found, security systems stop the suspect transmission. Although this approach can be effective, it also has limitations.

For example, signature-based security frequently has trouble recognizing new types of attacks or older kinds in which known code strings have been altered somewhat, an approach many hackers use.

Behavior-based security, on the other hand, learns the normal behavior of traffic and systems and then continually examines them for potentially harmful anomalies and for behavior that frequently accompanies incidents. This approach recognizes attacks based on what they do, rather than whether their code matches strings used in a specific past incident.

"It stops traffic that is not malicious on its face but that will do malicious things," said Allan Paller, director of research for the SANS Institute, an information-security research and training organization.

In the past, behavior-based security has been too expensive and too unfamiliar to most IT workers to be widely adopted. Instead, only large organizations or those with special security needs employed it.

But now, behavior-based security costs have dropped, IT staffs have begun to work with and accept the technology, and networks and their security have become complex enough to require the approach's use, said Edward Moyle, manager of information-security services at Computer Task Group Inc., an information-technology services firm.

Several vendors are thus beginning to make behavior-based security widely available to organizations via services, appliances, and software products. And some ISPs are protecting their entire networks via behavior-based services.

However, widespread adoption of behavior-based security faces numerous obstacles, including complexity and a higher number of false positives than signature-based systems.

ON GOOD BEHAVIOR

Signature-based security has been widely used in antivirus and intrusion-prevention and -detection systems (IPSs and IDSs) since the early 1990s, said associate professor Doug Jacobson, director of Iowa State University's Information Assurance Center.

These systems have become popular largely because they are rules based and thus can be automated, although they need human intervention to deal with the occasional false positives. Also, said Jacobson, signature-based products require little or no configuration.

If configured properly, they will recognize specific machines' vulnerabilities. However, without proper configuration, a system could yield false positives for attacks to which a machine is not susceptible. In addition, users can become vulnerable as they wait for security providers to update their attack signatures.

Behavior-based network-security research began in earnest in the mid-1980s at research organizations such as SRI International. Early work was done by Dorothy Denning, now a professor at the US's Naval Postgraduate School. The US military was one of the first users of behavior-based security.

Behavior-based security

Behavior-based products start by studying behavior and traffic patterns for a given system and determining which are normal. Some products adapt over time to learn new normal behaviors.

Generally, the products' two-pronged approach compares system behavior and actual traffic to normal patterns to detect anomalies. For example, they'll look for traffic flowing from one IP address to many others, indicating a worm might be sending itself from one e-mail client to people listed in a victim's address book.

Upon identifying potential problems, the systems further analyze traffic to verify whether an attack is occurring, such as by comparing anomalies with entries in a dictionary of harmful behaviors.

Vendors can update systems when, for example, they identify behaviors that new types of attacks cause. Additionally, many behavior-based security systems expand their capabilities by also using signature-based approaches.

Arbor Networks, Lancope, Mirage Networks, and Q1 Labs are among
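The two-pronged approach described above (learn a normal fan-out baseline, flag deviations, then verify the anomaly against a dictionary of harmful behaviors) as an added illustration in Python; this is example code written for this article, not any vendor's product. The flow records, the baseline threshold factor, and the two dictionary entries are all constructed assumptions; the third host shows an anomaly the dictionary cannot verify, which is the kind of result that becomes a false positive for an analyst to triage.

```python
from collections import defaultdict

# Constructed sample flows (src, dst, dst_port) representing normal traffic.
BASELINE_FLOWS = [
    ("10.0.0.5", "10.0.0.1", 53), ("10.0.0.5", "10.0.0.9", 445),
    ("10.0.0.5", "10.0.0.10", 25), ("10.0.0.7", "10.0.0.1", 53),
    ("10.0.0.7", "10.0.0.20", 443), ("10.0.0.8", "10.0.0.1", 53),
]

# Constructed dictionary of harmful behaviors for the verification stage.
# name -> predicate over the set of destination ports the source contacted.
HARMFUL_BEHAVIORS = {
    "mass-mailing worm (fan-out on SMTP)": lambda ports: ports == {25},
    "lateral worm spread (fan-out on SMB)": lambda ports: ports == {445},
}

def learn_baseline(flows):
    """Normal fan-out: the most distinct destinations any one source reached."""
    dests = defaultdict(set)
    for src, dst, _ in flows:
        dests[src].add(dst)
    return max((len(d) for d in dests.values()), default=0)

def detect(flows, baseline, factor=3):
    """Stage 1: flag sources whose fan-out exceeds factor * baseline.
    Stage 2: verify each flagged source against HARMFUL_BEHAVIORS.
    Returns a list of (src, fan_out, matched_behavior_or_None)."""
    dests, ports = defaultdict(set), defaultdict(set)
    for src, dst, dport in flows:
        dests[src].add(dst)
        ports[src].add(dport)
    findings = []
    for src, d in dests.items():
        if len(d) > factor * baseline:  # anomaly relative to learned normal
            match = next((name for name, pred in HARMFUL_BEHAVIORS.items()
                          if pred(ports[src])), None)
            findings.append((src, len(d), match))
    return findings

# Constructed live traffic: 10.0.0.5 suddenly mails 12 hosts (worm-like),
# 10.0.0.7 is unchanged, 10.0.0.8 fans out over HTTPS (anomalous, unverified).
LIVE_FLOWS = (
    [("10.0.0.5", f"10.0.1.{i}", 25) for i in range(12)]
    + [("10.0.0.7", "10.0.0.1", 53), ("10.0.0.7", "10.0.0.20", 443)]
    + [("10.0.0.8", f"10.0.2.{i}", 443) for i in range(10)]
)

if __name__ == "__main__":
    print(detect(LIVE_FLOWS, learn_baseline(BASELINE_FLOWS)))
```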