DARPA's EMERALD Proves Worth in Cyberdefense
By Jim Garamone
American Forces Press Service
WASHINGTON, Aug. 14, 2000 -- EMERALD is a gem in the world of cyberdefense.
This EMERALD is not a green jewel, but the Event Monitoring Enabling Responses to Anomalous Live Disturbances.
Developed by SRI International and the Defense Advanced Research Projects Agency, EMERALD's ability to detect computer hackers and other intruders surpasses current technology, said Michael Skroch, program manager of the DARPA information assurance program.
The new technology is needed. "We're seeing an increase in the number of attacks and the severity of attacks in the cyberdomain," Skroch said. The recent "ILoveYou" virus and the denial of service attacks are just two examples of the threats facing DoD and computer users worldwide.
DARPA has long been involved in combating cyberattacks. "We're currently focusing on integrating technologies into systems that can defend against a broader range of attacks and (provide) a broader set of capabilities that the warfighter depends upon," Skroch said.
He called EMERALD a quantum leap improvement over "signature-based" technology. "Signature-based detectors are those that are currently on most computers," he said. "They are able to detect things they have seen before, but not things that are new." Because EMERALD is anomaly-based, it can detect "novel attacks that the computer system has never seen before," he said.
"EMERALD is not focused on just one computer system," Skroch said. "It can be deployed among many systems in the network and correlate that information on one display, so the warfighter can see the effect of an attack on the entire network."
Skroch compared EMERALD to the security at a military base. A guard at the "front gate," such as a firewall, can stop intrusions coming in that way, he said. EMERALD, however, also implements sensors or detectors around the computer network on different machines -- all can detect anomalous behavior, misuse or other incoming attacks.
"By having all those sensors come to one central point, you are able to see a coordinated attack much more easily," he said. Because system administrators can see the whole scope of a cyberattack in real time -- as it happens -- they can better defend against it.
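The two ideas Skroch describes, anomaly-based detection that needs no prior signature and a central point that correlates sensors across machines, can be sketched in a few dozen lines. The following is an added illustration written for this article, not EMERALD's or SRI's code; the hosts, event types, the one-hour windows and the "known-bad" action name are all constructed placeholders.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    minute: int   # minutes into a one-hour observation window (constructed)
    host: str
    action: str


# Constructed baseline: one quiet hour per host, used to learn what "normal" looks like.
BASELINE = (
    [Event(m, "hostA", "login_ok") for m in range(0, 60, 10)]
    + [Event(5, "hostA", "login_fail"), Event(35, "hostA", "login_fail")]
    + [Event(m, "hostB", "login_ok") for m in range(0, 60, 15)]
    + [Event(20, "hostB", "login_fail")]
    + [Event(m, "hostC", "login_ok") for m in range(0, 60, 20)]
)

# Constructed live hour: failed logins trickling in on several hosts at once (none of
# them alarming on its own), plus one action that matches a placeholder signature.
LIVE = (
    [Event(m, "hostA", "login_fail") for m in range(0, 60, 8)]    # 8 failures vs. baseline 2
    + [Event(m, "hostB", "login_fail") for m in range(2, 60, 9)]  # 7 failures vs. baseline 1
    + [Event(30, "hostB", "login_ok")]
    + [Event(m, "hostC", "login_ok") for m in range(0, 60, 20)]
    + [Event(41, "hostC", "exec_known_backdoor")]                 # placeholder signature hit
)

# Placeholder signature library: the only thing a signature-based sensor can recognise.
KNOWN_SIGNATURES = {"exec_known_backdoor"}


def signature_alerts(events, signatures=KNOWN_SIGNATURES):
    """Signature-based sensor: flags only actions already on the known-bad list."""
    return [(ev.host, ev.action, "matches known signature")
            for ev in events if ev.action in signatures]


def build_profile(events):
    """Per-host count of each action over a window; the baseline profile is the learned normal."""
    profile = defaultdict(Counter)
    for ev in events:
        profile[ev.host][ev.action] += 1
    return profile


def anomaly_alerts(events, profile, factor=3):
    """Anomaly-based sensor: flags an action never seen on that host, or seen more than
    `factor` times its baseline count in a window of the same length."""
    live = build_profile(events)
    alerts = []
    for host, counts in live.items():
        for action, n in counts.items():
            base = profile[host][action]
            if base == 0:
                alerts.append((host, action, f"novel action (x{n}, never seen in baseline)"))
            elif n > factor * base:
                alerts.append((host, action, f"rate x{n} vs. baseline x{base}"))
    return alerts


def correlate(alerts, min_hosts=2):
    """Central console: the same anomaly on several hosts in the same window is reported
    as one candidate coordinated attack rather than a handful of unrelated local incidents."""
    hosts_by_action = defaultdict(set)
    for host, action, _reason in alerts:
        hosts_by_action[action].add(host)
    return {action: sorted(hosts)
            for action, hosts in hosts_by_action.items() if len(hosts) >= min_hosts}


def run():
    """Run both sensor types over the live window and correlate everything centrally."""
    profile = build_profile(BASELINE)
    sig = signature_alerts(LIVE)
    anom = anomaly_alerts(LIVE, profile)
    return {"signature": sig, "anomaly": anom, "coordinated": correlate(sig + anom)}


if __name__ == "__main__":
    for kind, items in run().items():
        print(kind)
        for item in (items.items() if isinstance(items, dict) else items):
            print("   ", item)
```

The signature sensor sees exactly one event, the backdoor execution it already knows about, and nothing of the failed-login pattern. The anomaly sensor flags the elevated failure rate on hostA and hostB without having seen such an attack before, and the console, receiving all sensors' alerts, reports "login_fail" on two hosts as a single coordinated event. Real anomaly detection needs far richer profiles and careful thresholds to keep false positives down; the trade-off between catching novel behaviour and tolerating noise is the central design problem in this approach.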
Skroch said network administrators or security personnel alerted by EMERALD could, for instance, block a specific attack or turn off the targeted service rather than pull the plug completely.
EMERALD allows a more flexible response, but doesn't respond itself. It would share information with responders. "In the future, we'll be able to use EMERALD to detect and another system to provide automated response," he said.
Tested with an operational command, EMERALD performed 10 times better than similar technologies being evaluated, Skroch said. "It was able to perform about 20 times better than commercial products available today," he said.
For more information, visit the DARPA Web site at www.darpa.mil and search on EMERALD. SRI International offers a free, downloadable evaluation edition of EMERALD, called eXpert-BSM, at its Web site; use a search engine for the company address.