NSA Patent on Network Tampering Detection

The NSA has patented a technique to detect network tampering:

The NSA's software does this by measuring the amount of time the network takes to send different types of data from one computer to another and raising a red flag if something takes too long, according to the patent filing.

Other researchers have looked into this problem in the past and proposed a technique called distance bounding, but the NSA patent takes a different tack, comparing different types of data travelling across the network. "The neat thing about this particular patent is that they look at the differences between the network layers," said Tadayoshi Kohno, an assistant professor of computer science at the University of Washington.

The technique could be used for purposes such as detecting a fake phishing Web site that was intercepting data between users and their legitimate banking sites, he said. "This whole problem space has a lot of potential, [although] I don't know if this is going to be the final solution that people end up using."

Posted on December 30, 2008 at 12:07 PM • 28 Comments

Comments

Franky B.December 30, 2008 12:36 PM

There's a lot of talk that the purpose of patenting it is to stop anyone from using the technique to detect NSA's own wiretapping...

TomDecember 30, 2008 1:30 PM

@Franky But it's a technique, an algorithm. It's like the LZW Patent - it'll stop corporations like MSFT and Cisco from using it because they're big targets; but some open source software that spreads through bittorrent can't be stopped. I don't think them patenting it will protect them from being detected (if that were the objective/was possible).

I'm pretty meh towards the idea of patenting algorithms and techniques anyway.

EricDecember 30, 2008 1:55 PM

So..... its a packet sniffer that throws up a red flag based on delta time?

Dont we already have this technology?

RowanDecember 30, 2008 1:58 PM

@mike:

There are no restrictions on Patents. You may be thinking of copyright thought - the gov't cannot hold copyright in materials it generates.

ChrisDecember 30, 2008 2:06 PM

I wonder how the NSA plans to deal with false positives due to poorly written apps or broken database queries.

Franky B.December 30, 2008 2:09 PM

@Tom,

I'm not all that convinced that this is the intended purpose myself, but if it was, I think it would be more of a legal tool to use in the aftermath that an all-out preventative tactic.

@shftleft, it wouldn't AFAICT, but very few taps in use today are all that passive...

RandallDecember 30, 2008 2:29 PM

In a world with unicorns and faeries where NSA actually did what we wanted, unclassified security research is a big service they could provide.

Team AmericaDecember 30, 2008 2:37 PM

Your Tax-dollars at work!

Take a network with an eavesdropper and compare to a network without an eavesdropper. If the same differences appear in your network compared to a clean network, there could be an eavesdropper!

Wow! Genius! An algorithm even Winograd missed!

What does it cost to patent trivialities like this?

GlennDecember 30, 2008 2:45 PM

The government holding patents at all is ridiculous. We're the ones paying for the research.

Of course, if they couldn't, they'd just contract a private company to patent it for them...

shftleftDecember 30, 2008 3:17 PM

@Frankie B

Do you have an example of an "active" network tap in use? It would defeat the purpose of eavesdropping if latency was readily detectable.

If you read the patent the thresholds in which the sensor detects a MitM or anomaly are user defined. So it's really up to the implementer of the device to know what constitutes a minimal route change or latency issue on a network between the peers.

It would seem to me that this technology really doesn't have a place in a world where administrators, engineers, and management are putting emphasis on securing endpoints vs. the network itself, which may be the right way to go anyway.

David WDecember 30, 2008 3:18 PM

Hate to burst the bubble, but this doesn't sound new at all. I remember talk of detecting network adapters running in promiscuous mode using latency from my late teens, which is 6 or 7 years ago now.

I'm pretty sure a thorough scouring of the archives of http://www.packetstormsecurity.org/ will show up something, either as a text file or even a perl script.

vaderDecember 30, 2008 6:23 PM

"a fake phising website"? That would mean as opposed to "real phising website"?

What's the use of detecting a site that is only pretending "to phish"?

;-)

Clive RobinsonDecember 30, 2008 7:25 PM

Err what is new in this idea?

It has been used in the past to amongst other things enumerate a statefull firewall rule set.

Further it is a transfer of an anologe methodology into the digital relm.

Around 30 years ago a journolist investigating various UK comms networks felt they where under survalence and developed a method of Time Domain Reflection (TDR) measuring which very reliably showed the presence of taps on the line (by their time/frequency charecteristics or more correctly impulse response).

The UK security forces raided his office and found the device and took it away for investigation. They then developed their own version which they then marketed through a favourd UK company.

In essence TDR sends a narrow pulse down the line and any tap has a different impulse (time/frequency) response to the transmission line and therefore a little of the pulses energy gets bounced back to the generator. This returned energy can be displayed on a storage display and any odd returns can be investigated and any changes in the display indicate the line has been changed in some way.

This patent works in a similar way, in that packets going through an active device that ignores packet content should be treated uniformaly (constant transmission line). Any packets that have differing time delays are probably being inspected in some way (dependant load on transmission line).

Using timing differences to detect packet related activity is not new, firewall rules and the network behind can be enumerated, and as has been demonstrated the CPU cache of a PC can be examined in this way and crypto keys revealed.

Finally it is a method that has been considered as a way to detect trafic flows in low latency anonymous networks such as TOR.

As such it is just a method of traffic analysis which is often way more powerfull than cryptoanalysis when determaning the activities of an adversery. And as such it is something you would expect the likes of the UK GCHQ and NSA to be well versed in...

But new it is not and the prior art is fairly well established...

RichardDecember 30, 2008 8:25 PM

TDR has been very common in fiber communications from ten years ago. However, it's a little more difficult to do the same way in ethernet. Because the trip time has much more fluctuations than the laser signal in fiber.

J CDecember 31, 2008 1:22 AM

I can't believe that the federal government can patent things. How is this justified? What purpose does this serve? As noted by another commenter, basically everything the federal government does is financed by taking wealth from the American people.

BF SkinnerDecember 31, 2008 7:51 AM

Well if the Government didn't patent a method/procedure or invention that was developed using tax dollars, once known there's nothing to prevent a private entity from patenting it. You don't have to be the first to invent it ... only the first to file the paper.

So here we pay the government to do basic research on our behalf, but prevent them from controlling the product through patent. So along comes a private firm patents the research - based - on - our - tax - funded - research. Profiting from it. Profiting from our tax investment. and Paying us back nothing.

With a patent in hand the Gov't can license the technology to private firms and recover the research costs maybe a profit.

(hmmm I'm begining to think the whole cant "government doesn't create anything" is religious bunk)

rvdhDecember 31, 2008 8:47 AM

Clever idea, but there is one problem. data is always corrupted and latency measurements would not solve that, what if you can increase or decrease latency as attacker and raise false positives/negatives while blending in a corrupted data stream with the correct latency? And what's wrong with TCP/IP datagram checksums? that is what they are for.

NostromoDecember 31, 2008 10:09 AM

@BF Skinner: No, you're wrong. In the US, a patent is awarded to the first to invent, not the first to file. Many other countries have a "first to file" patent rule, but not the US.

PeterDecember 31, 2008 11:51 AM

@David W:"Hate to burst the bubble, but this doesn't sound new at all. I remember talk of detecting network adapters running in promiscuous mode using latency from my late teens, which is 6 or 7 years ago now.

I'm pretty sure a thorough scouring of the archives of http://www.packetstormsecurity.org/ will show up something, either as a text file or even a perl script."


I remember seeing this as well, I think it was L0pht that had developed it as a commercial product.

AnuragDecember 31, 2008 3:04 PM

Note that the NSA has the ability to file patents that are not publically visible and do not expire - they convert to ordinary patents once some one else files for a patent that largely overlaps.

wkwillisDecember 31, 2008 8:00 PM

"I read somewhere" that half the few hundred patent applications that were 'submarine patents' being delayed to let them become valuable as a small market developed into a big market were actually government patents.
There was controversy over whether patents should expire seventeen years after they were granted or after they were applied for.
It's a mixed problem. There were submarine patents that took a long time to be granted and gave people large financial gains.
The Ron Ziolo patent that Xerox owned for core and shell nanoparticle generation was granted in two parts, one seventeen years after the other. But some patents had spent six months being worked on and rewritten by the inventors and twenty years sitting in a pile in the government patent examiner's office.
Or consider the laser patent. That guy lived most of his life and raised a family without millions of dollars. Then he got the patent and suddenly was rich. He would have preferred millions of dollars in the sixties over hundreds of millions in the eighties.
So would I. I'm fifty two. I would cheerfully trade a billion dollars now for a million dollars when I was young enough to get into lots of trouble, instead of old enough to be endowing chairs at universities.

J CJanuary 1, 2009 8:12 PM

@BF Skinner:

As another commenter pointed out, the patent system in the US is first-to-invent, not first-to-file. Also, we have the notion of "prior art." If the government made information about a non-classified government invention publicly available (as it should do), it would become part of the prior art, rendering it unpatentable. This is what I believe should happen.

As for the idea that government does not create anything, it depends on what you mean. The argument is based on opportunity cost (in this case, what the private sector would have done with the wealth if not taken by the government) and/or how economically the government spends the money compared to the private sector. It seems to me that the argument is that the government does not create anything on net, which seems at least plausible to me.

Clive RobinsonJanuary 2, 2009 2:37 AM

@ wkwillis,

"So would I. I'm fifty two. I would cheerfully trade a billion dollars now for a million dollars when I was young enough to get into lots of trouble, instead of old enough to be endowing chairs at universities."

But for which would you prefer to be remembered, raising hell and being dead of liver failier having not achived your potential, or being a (socialy) responsable man of stature providing oportunities for others to advance them selves and setting up a fine legacy for your heirs?

The reason to ask is Patent Trolls...

They buy up Patents from those who have failed (for whatever reason) to capitalise on their Patents. The Troll then uses those to extort royalties out of companies on the basis that it will be cheeper than to be bankrupted by legal action.

Then having amassed large amounts of (questionably derived) money, they then buy themselves the veneir of social acceptability by endowing chairs etc at universities...

I guess life is full of choices/regrets but either way you will end up with both 8)

Having been responsable for a number of inventions that others (my employers) chose not to Patent (or not to patent properly) I could say I have been cheated of both wealth and fame.

But I'm now old enough to realise that Patents are not the way IP should be held as it alows monopolistic activity which other laws say is wrong.

A better way would be a licence market, where anybody is can use the ideas but pay a small licence fee on each use, these are collected by one or more agencies...

Sound familier (think entertainment rights, and RIAA etc).

So that's no good either.

It looks like at the end of the day the minute you get a legal protection you end up with a racket and the ones realy getting rich are those in the legal proffession....

John WatersJanuary 3, 2009 6:58 AM

I seem to remember one of the L0pht or CDC guys writing code that did this over 10 years ago. Or was it route? I think that the details were lost in the midst of the "mid-90's con thing", can someone refresh my memory?

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..