We’ve just posted a paper titled “Effective statistical physics of Anosov systems” that details the physical relevance of the techniques we’ve used to characterize network traffic. The idea is that there appears to be a unique well-defined effective temperature (and energy spectrum) for physical systems that are typical under the so-called chaotic hypothesis. We’ve demonstrated how statistical physics can be used to detect malicious or otherwise anomalous network traffic in another whitepaper also available on the arxiv through our downloads page. The current paper completes the circle and presents evidence indicating that the same ideas can be fruitfully applied to nonequilbrium steady states.
“there is now a significant body of work showing how to break conventional quantum cryptography systems based on various practical weaknesses in the way they are set up…while the known loopholes can be papered over, it’s the unknown ones that represent threats in the future…[researchers have shown that it's easy] with a little malicious intent to bend the assumptions behind perfect quantum cryptography.”
“[An IPv4 address space] black market already exists, albeit on a small scale…[currently] IPv4 addresses are still relatively easy to get…[some believe] that regional registries such as ARIN should head off a potentially deleterious black market by creating a “white market” with established rules for trading IPv4 addresses at market-established costs…But the opportunity to cleanly switch from IPv4 to IPv6 passed many years ago. The current transition strategy, called “dual stack,” requires businesses to remain connected to both IPv4 and IPv6 networks until most of the Internet gets to “the other side” — a process expected to take at least five years.”
“The 605-page [NSA IAD] PDF document reads like a listing of the pros and cons for a huge array of defensive and counterintelligence approaches and technologies that an entity might adopt in defending its networks…[one] section delves into the challenges of attributing the true origin(s) of a computer network attack”
“A low-complexity approach for reconstructing average packet arrival rates and instantaneous packet counts at a router in a communication network, where the arrivals of packets in each flow follow a Poisson process”
“[A researcher] gave a talk on his then current project to prove a certain OS kernel was secure…they hoped in two years to have a proof of the OS’s correctness. What struck me during his talk was he could write down on the board, a [formula that] captured the notion of data security: if a certain function f had this property, then he would be able to assert his OS could not leak any information…At the end of his talk I asked him if he wanted a proof now that his function f satisfied the formula. He looked at me puzzled, as did everyone else. He pointed out his f was defined by his OS, so how could I possibly prove it satisfied his formula—the f was thousands of lines of code. He added they were working hard on proving this formula, and hoped to have a full proof in the next 24 months…I walked to the board and wrote out a short set theory proof to back up my claim—any f had his property…I thought he would be shocked. I thought he might be upset, or even embarrassed his formula was meaningless. He was not at all. [He] just said they would have to find another formula to prove.”
Ryan Singel’s cri de coeur about cyberwar hype is too juicy to merely provide a link. A few choice excerpts:
The Washington Post gave [former DIRNSA and DNI] McConnell free space to declare that we are losing some sort of cyberwar…But that’s not warfare. That’s espionage…Those enamored with the idea of “cyberwar” aren’t dissuaded by fact-checking…[if the DoS attack on Estonia] was cyberwar, it’s pretty clear the net will be just fine. In fact, none of [the commonly cited examples] demonstrate the existence of a cyberwar, let alone that we are losing it. But this battle isn’t about truth. It’s about power…
the problem with developing cyberweapons…is that you need to know where to point them…The military needs targets…Never shy of extending its power, the military industrial complex wants to turn the internet into yet another venue for an arms race. And it’s waging a psychological warfare campaign on the American people to make that so. The military industrial complex is backed by sensationalism, and a gullible and pageview-hungry media…There is no cyberwar and we are not losing it. The only war going on is one for the soul of the internet. But if…self-interested exaggerators dominate our nation’s discourse about online security, we will lose that war — and the open internet will be its biggest casualty.
On the opposite end of the nuance spectrum: more than 41% of the zeros of the zeta function are on the critical line.
“Understanding what normalcy looks like on your network so you can pinpoint abnormality is what is really important in the current threat environment,” he says. “Don’t trust only your existing security controls, and get eyes on your network.”
“IT security has evolved into a classic broken windows business. It exists to repair things that shouldn’t break in the first place. Furthermore, every dollar that a business spends on Security subtracts a dollar from expenditure on more worthwhile alternatives—product innovation, improved public services, higher salaries, dividends to investors, etc.”
“US analysts believe they have identified the Chinese author of the critical programming code used in the alleged state-sponsored hacking attacks on Google and other western companies, making it far harder for the Chinese government to deny involvement.”
“[Researchers have designed] a true random number generator that uses an extra layer of randomness by making a computer memory element, a flip-flop, twitch randomly between its two states 1 or 0. Immediately prior to the switch, the flip-flop is in a “metastable state” where its behaviour cannot be predicted. At the end of the metastable state, the contents of the memory are purely random.”
“Cyber ShockWave…featured a number of former US government officials who played the part of senior members of the NSC. The exercise sought to examine how the NSC would react to a major cyber attack in real time…the source of the attack remained unclear during the event…The mock NSC even discussed potentially nationalizing power companies and service providers if they failed to act in the national interest. Ultimately, in the several hours that the war game lasted, the US was increasingly beset by attack with little knowledge of who perpetrated it.” More reaction from Richard Bejtlich.
In an earlier series of posts the emerging inhomogeneous Poissonian nature of network traffic was detailed. One implication of this trend is that not only network flows but also individual packets will be increasingly well described by Markov processes of various sorts. At EQ, we use some ideas from the edifice of information theory and the renormalization group to provide a mathematical infrastructure for viewing network traffic as (e.g.) realizations of inhomogeneous finite Markov processes (or countable Markov processes with something akin to a finite universal cover). An essentially equation-free (but idea-heavy) overview of this is given in our whitepaper “Scalable visual traffic analysis”, and more details and examples will be presented over time.
The question for now is, once you’ve got a finite Markov process, what do you do with it? There are some obvious things. For example, you could apply a Chebyshev-type inequality to detect when the traffic parameters change or the underlying assumptions break down (which, if the model is halfway decent, by definition indicates something interesting is going on–even if it’s not malicious). This idea has been around in network security at least since Denning’s 1986-7 intrusion detection article, though, so it’s not likely to bear any more fruit (assuming it ever did). A better idea is to construct and exploit martingales. One way to do this to advantage starting with an inhomogeneous Poisson process (or in principle, at least, more general one-dimensional point processes) was outlined here and here.
Probably the most well-known general technique for constructing martingales from Markov processes is the Dynkin formula. Although we don’t use this formula at present (after having done a lot of tinkering and evaluation), a more general result similar to it will help us introduce the Girsanov theorem for finite Markov processes and thereby one of the tools we’ve developed for detecting changes in network traffic patterns.
and indicates the formal adjoint or reverse time-ordering operator. Thus, e.g., an initial distribution is propagated as (NB. Kleinrock‘s queueing theory book omits the time-ordering, which is a no-no.)
Let be bounded and such that the map is Write and Now
and the Markov property gives that
The notation just indicates the history of the process (i.e., its natural filtration) at time The transition kernel satisfies a generalization of the time-homogeneous formula
so the RHS of the previous equation is times
plus a term that vanishes in the limit of vanishing mesh. The fact that the row sums of a generator are identically zero has been used to simplify the result.
Summing over and taking the limit as the mesh of the the partition goes to zero shows that
is a local martingale, or if is well behaved, a martingale.
This can be generalized (see Rogers and Williams IV.21 and note that the extension to inhomogeneous processes is trivial): if is an inhomogeneous Markov process on a finite state space and is such that is locally bounded and previsible and for all then given by
is a local martingale. Conversely, any local martingale null at 0 can be represented in this form for some satisfying the conditions above (except possibly local boundedness).
To reiterate, this result will be used to help introduce the Girsanov theorem for finite Markov processes in a future post, and later on we’ll also show how Girsanov can be used to arrive at a genuinely simple, scalable likelihood ratio test for identifying changes in network traffic patterns.
Snowstorm round-up edition…