To overcome this, we designed a fuser that lets you run Snort instances in parallel. This is an experimental capability only though.

Frankly I am surprised that more people outside Sourcefire haven’t built Snort preprocessors (there are only very few, and fewer serious tools). It provides a good substrate.

We had participated in feasibility studies for sensors operating with full storage and maximum throughput at 10 to 40/100 Gbps. Some promising prototypes were built by another firm but unfortunately the code is not available.

Anyway, Anosov systems aren’t used at all. The idea of studying them was to bolster the physical legitimacy of and elaborate the theory of the effective temperature more generally. Equilibrium Networks owes a lot to theoretical work done with the practical problem of network defense in mind. And it is the topic of my dissertation work in physics, so there’s that.

When we were characterizing (not modeling) networks using temperature etc, the Bose gas framework was always used. However a couple of months ago we terminated a NSA license to use effective temperatures and energies to characterize network traffic. The reason is simple: as promising as the idea appears (and it did work quite well on the tests we were able to perform), there are much simpler ways to close the loop with actionable information, and it didn’t make sense for us to keep developing or marketing the capability.

In more detail: having (e.g.) a work rate or power component spike doesn’t give you anything more than a general alert. For practical purposes, it’s totally infeasible to have a continuous buffer of packet information (too many flops, too much storage space for numerical data structures, etc), and instead it’s necessary to collect information in cycles (say at a nominal 1 Hz). That kills the time resolution of any time series and when all you have is a “something happened last second” it’s not much help. If we could keep perfect time resolution, we could use the timestamp as a hash to pull up the packet triggering the alert and get to flows or sessions without too much more effort…but we can’t.

This sort of “alert to information” problem was addressed in a general context by [Filho, F. J. S. Unsupervised Diagnosis of Network Traffic Anomalies. PhD thesis, Université Paris VI (2010)].

That said, one could in principle try something that is more manifestly physically interesting as follows. Let transmission or reception on a network correspond to creation/annihilation operators on a Fock space of directed edges. In a continuum limit, we’d expect to get a field theory. Its parameters are the energies of single- particle eigenstates, which could be specified through partial observation of network activity (e.g., with Bayesian methods) and the effective temperature framework. This would suggest a stochastic analogue of the renormalization group and probably require considerable work.

BTW, have you actually tried out our system? I’m always interested to hear about it.

Thanks again and sincerely

Steve Huntsman