Visual Correlation of Network Traffic and Host Processes for Computer Security
|dc.contributor.author||Fink, Glenn Allen||en_US|
Much computer communications activity is invisible to the user, happening without explicit permission. When system administrators investigate network communications activities, they have difficulty tracing them back to the processes that cause them. The strictly layered TCP/IP networking model that underlies all widely used, general-purpose operating systems makes it impossible to trace a packet seen on the network back to the processes that are responsible for generating and receiving it. The TCP/IP model separates the concerns of network routing and process ownership so that the layers cannot share the information needed to correlate packets to processes. But knowing what processes are responsible for communications activities can be a great help in determining whether that activity is benign or malicious.
My solution combines a visualization tool, a kernel-level correlation engine, and middleware that ties the two together. My research enables security personnel to visually correlate packets to the processes they belong to helping users determine whether communications are benign or malicious. I present my discoveries about the system administrator community and relate how I created a new correlation technology. I conducted a series of initial interviews with system administrators to clarify the problem, researched available solutions in the literature, identified what was missing, and worked with users to build it. The users were my co-designers as I built a series of prototypes of increasing fidelity and conducted usability evaluations on them. I hope that my work will demonstrate how well the participatory design approach works.
My work has implications for the kernel structure of all operating system kernels with a TCP/IP protocol stack and network model. In light of my research, I hope security personnel will more clearly see sets of communicating processes on a network as basic computational units rather than the individual host computers. If kernel designers incorporate my findings into their work, it will enable much better security monitoring than is possible today making the Internet safer for all.
|dc.rights||I hereby certify that, if appropriate, I have obtained and attached hereto a written permission statement from the owner(s) of each third party copyrighted matter to be included in my thesis, dissertation, or project report, allowing distribution as specified below. I certify that the version I submitted is the same as that approved by my advisory committee. I hereby grant to Virginia Tech or its agents the non-exclusive license to archive and make accessible, under the conditions specified below, my thesis, dissertation, or project report in whole or in part in all forms of media, now or hereafter known. I retain all other ownership rights to the copyright of the thesis, dissertation or project report. I also retain the right to use in future works (such as articles or books) all or part of this thesis, dissertation, or project report.||en_US|
|dc.title||Visual Correlation of Network Traffic and Host Processes for Computer Security||en_US|
|thesis.degree.grantor||Virginia Polytechnic Institute and State University||en_US|
|dc.contributor.committeechair||North, Christopher L.||en_US|
|dc.contributor.committeemember||Midkiff, Scott F.||en_US|
|dc.contributor.committeemember||Arthur, James D.||en_US|
|dc.contributor.committeemember||Tatar, Deborah Gail||en_US|
|dc.contributor.committeemember||Marchany, Randolph C.||en_US|
Files in this item
This item appears in the following Collection(s)
Doctoral Dissertations