A firewall protects a computer by filtering out suspicious content.
"So the state of the art," says Celeste Matarazzo, "would be 'I know this computer with this name is bad. It's doing bad things. So I'll block that.'"
Likewise, anti-virus software searches a computer for suspicious content. Now researchers at Lawrence Livermore Lab have devised a different approach: instead of monitoring content, they monitor behavior. If a computer starts to behave suspiciously, they disconnect it from the network.
The heart of the technology is an agent on every desktop -- a tiny, almost invisible app that takes up almost no memory and acts as a digital psychiatrist. It uses techniques developed by Matarazzo and fellow scientists, on a Livermore supercomputer, to do something impossible a few years ago: build a software model of the activity of all the Lab's 40,000 unclassified computers.
Here's an example of how it works. They know that computers in the travel department talk to airlines, to employees, and to finance. "But," Matarazzo interjects, "they don't talk to the supercomputers. So, if we start seeing the computers in the travel department start communicating with the supercomputers in this room, we would say, 'that's unusual.'"
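The travel-department case above can be sketched as a baseline of which groups of machines normally talk to which, with anything outside it flagged. This is an added example, not the Lab's software: the host names, the group inventory, the flow format and both thresholds are assumptions made for illustration.

```python
from collections import Counter

# Constructed host-to-group inventory (hypothetical names, not from the article).
GROUP_OF = {
    "travel-01": "travel", "travel-02": "travel",
    "fin-01": "finance",
    "hpc-01": "supercomputer",
    "sim-ws-01": "simulation",
    "airline.example": "airline",
}

def group_pair(flow):
    """Map a (src_host, dst_host) flow to a (src_group, dst_group) pair."""
    src, dst = flow
    return GROUP_OF.get(src, "unknown"), GROUP_OF.get(dst, "unknown")

def learn_baseline(flows, min_count=2):
    """Keep group pairs seen at least min_count times in the learning window."""
    counts = Counter(group_pair(f) for f in flows)
    return {pair for pair, n in counts.items() if n >= min_count}

def unusual_flows(flows, baseline):
    """Return flows whose group pair is absent from the baseline."""
    return [f for f in flows if group_pair(f) not in baseline]

def hosts_to_isolate(flows, baseline, threshold=2):
    """Source hosts with at least `threshold` unusual flows (assumed cutoff)."""
    hits = Counter(src for src, _ in unusual_flows(flows, baseline))
    return sorted(h for h, n in hits.items() if n >= threshold)

# Constructed learning window of past traffic.
HISTORY = [
    ("travel-01", "airline.example"), ("travel-02", "airline.example"),
    ("travel-01", "fin-01"), ("travel-02", "fin-01"),
    ("sim-ws-01", "hpc-01"), ("sim-ws-01", "hpc-01"),
    ("fin-01", "hpc-01"),  # seen only once: too rare to count as normal
]
# Constructed live traffic to score against the baseline.
LIVE = [
    ("travel-01", "airline.example"),
    ("travel-02", "hpc-01"), ("travel-02", "hpc-01"),
    ("sim-ws-01", "hpc-01"),
    ("travel-01", "hpc-01"),
]

if __name__ == "__main__":
    baseline = learn_baseline(HISTORY)
    for flow in unusual_flows(LIVE, baseline):
        print("unusual:", flow, group_pair(flow))
    print("isolate:", hosts_to_isolate(LIVE, baseline))
```

Requiring repeated sightings before a pair counts as normal keeps a single stray connection in the learning window from whitelisting that path, and the separate isolation threshold keeps one odd flow from disconnecting a machine.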
The same supercomputers simulate nuclear weapons for defense. They simulate weather. For cyber security, the next step is to simulate the Internet.
"I think it may need supercomputing to do that. So, I think we have to start somewhere, and I think we can at least do simple operations modeling the Internet," said Matarazzo.
If unusual behavior is detected, nobody can pull the plug on the web, but this will make it possible to detect suspicious behavior that doesn't show up on anyone's radar yet. The lab is sharing its app with the private sector for use by the public.