LINEBACkER: bio-inspired data reduction toward real time network traffic analysis

One essential component of resilient cyber applications is the ability to detect adversaries and protect systems with the same flexibility adversaries will use to achieve their goals. Current detection techniques do not enable this degree of flexibility because most existing applications are built using exact or regular-expression matching to libraries of rule sets. Further, network traffic defies traditional cyber security approaches that focus on limiting access based on the use of passwords and examination of lists of installed or downloaded programs. These approaches do not readily apply to network traffic occurring beyond the access control point, and when the data in question are combined control and payload data of ever increasing speed and volume. Manual analysis of network traffic is not normally possible because of the magnitude of the data that is being exchanged and the length of time that this analysis takes. At the same time, using an exact matching scheme to identify malicious traffic in real time often fails because the lists against which such searches must operate grow too large. In this work, we propose an adaptation of biosequence alignment as an alternative method for cyber network detection based on similarity-measuring algorithms for gene sequence analysis. These methods are ideal because they were designed to identify similar but non-identical sequences. We demonstrate that our method is generally applicable to the problem of network traffic analysis by illustrating its use in two different areas based on different attributes of network traffic. Our approach provides a logical framework for organizing large collections of network data, prioritizing traffic of interest to human analysts, and makes it possible to discover traffic signatures without the bias introduced by expert-directed signature generation. Pattern recognition on reduced representations of network traffic offers a fast, efficient, and more robust way to detect anomalies.