NET NEWS: Policing the Computer Underworld

Science  13 Nov 1998:
Vol. 282, Issue 5392, pp. 1223b
DOI: 10.1126/science.282.5392.1223b

A computer algorithm first employed to decipher the code of life—DNA and protein sequences—is now finding an unforeseen use in the digital world: as a promising tool for detecting Internet hackers.

The algorithm is called Teiresias, after the blind seer of Greek mythology. Developed in 1996 at IBM's T. J. Watson Research Center in Yorktown Heights, New York, it finds and analyzes patterns in streams of data without resorting to a brute-force search that would tax even the fastest computers. So far, Teiresias has been used mainly in bioinformatics: for example, to correlate common sequences of nucleotides with the function of genes. But on a visit to the Yorktown Heights lab in late 1996, Marc Dacier, manager of IBM's Global Security Analysis Lab in Zurich, learned that he could use Teiresias to comb data from a network server for signs of hackers. His group described their new intrusion detection system at the First International Workshop on Recent Advances in Intrusion Detection (RAID '98) in Belgium in September.

The new system first sifts through data logs for the patterns in a server's normal behavior. This primes the program to watch over the computer's future activities and to spot new patterns caused by attempted hacks. That's a departure from commercial detection products, which rely on recognizing already-known patterns of attack—such as causing part of the computer's memory to overflow with data. With Teiresias's behavior-based analysis, “you don't have to keep learning about new attacks and programming them in,” Dacier says. Teiresias successfully detected eight types of attack in a lab test and is on trial on a real-world network. Computer scientist Roy Maxion of Carnegie Mellon University in Pittsburgh says the system “may be a tremendous boon,” but a final verdict awaits rigorous performance data.
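The two-phase approach the article describes (learn the patterns present in a server's normal logs, then flag activity whose patterns were never seen) can be illustrated with a much simpler pattern model than Teiresias. The following is an added example, not IBM's code and not the system presented at RAID '98: it treats each log line as a sequence of event tokens, learns the fixed-length windows (k-grams, with k = 3 assumed here) that occur in constructed "normal" logs, and scores a new line by the fraction of its windows that are unknown. The log lines, token names and the alert threshold are all constructed for the example.

```python
"""Behaviour-based anomaly detection over event sequences.

Added example, not IBM's Teiresias and not the intrusion detection
system described in the article. It shows the same two-phase idea in a
simplified form: (1) learn the contiguous k-token windows (k-grams) that
occur in a server's normal event logs, then (2) flag a new log line whose
windows were never seen during training. All log lines are constructed.
"""
from collections import Counter

K = 3  # window length; an assumption chosen for this example

# Constructed "normal" training logs: each line is the sequence of event
# tokens a web server might emit while handling a routine request.
NORMAL_LOGS = [
    "accept read parse route handler render write close",
    "accept read parse route static write close",
    "accept read parse route handler db render write close",
    "accept read parse auth route handler render write close",
]

# Constructed test logs: one routine request, and one whose ordering of
# events never occurred in the training data.
TEST_LOGS = {
    "routine": "accept read parse route handler render write close",
    "odd": "accept read parse route handler exec spawn write close",
}


def kgrams(tokens, k=K):
    """Return every contiguous k-token window of a token list as a tuple."""
    return [tuple(tokens[i:i + k]) for i in range(len(tokens) - k + 1)]


def learn_profile(logs, k=K):
    """Phase 1: count the k-grams present in normal behaviour."""
    profile = Counter()
    for line in logs:
        profile.update(kgrams(line.split(), k))
    return profile


def score(line, profile, k=K):
    """Phase 2: fraction of the line's k-grams absent from the profile.

    0.0 means every window was seen during training; 1.0 means none was.
    """
    grams = kgrams(line.split(), k)
    if not grams:
        return 0.0
    unseen = sum(1 for g in grams if g not in profile)
    return unseen / len(grams)


def detect(logs, profile, threshold=0.2, k=K):
    """Return {name: (rounded score, flagged)} for each test log line."""
    result = {}
    for name, line in logs.items():
        s = score(line, profile, k)
        result[name] = (round(s, 3), s > threshold)
    return result


if __name__ == "__main__":
    prof = learn_profile(NORMAL_LOGS)
    for name, (s, flagged) in detect(TEST_LOGS, prof).items():
        print(f"{name:8s} unseen-fraction={s:.3f} {'ALERT' if flagged else 'ok'}")
```

Running it flags the "odd" line (four of its seven windows are unknown) and passes the routine one. The design choice worth noticing is the one Maxion's caveat points at: nothing in this model distinguishes a new attack from new but legitimate behaviour, so the false-positive rate depends entirely on how complete the training logs were, and the threshold has to be tuned against measured performance data rather than assumed.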
