Therminator 2: a thermodynamics-based method for real-time patternless intrusion detection

A novel system for conducting nonsignature based, or patternless, intrusion detection of computer networks is presented. The initial prototype has been installed at USA Pacific Command and Army Signal Command. This system uses principles of thermodynamics to model network conversation characteristics. Observing the properties of entropy, energy and temperature within the system develops a notion of baseline operating conditions. Perturbations in these properties are considered potential intrusions for further investigation. System functions are decomposed into a network sensing device, a real-time processing component and a forensics component. State definitions for a variety of conditions are discussed. Finally, examples of valid intrusions and other network perturbations in real traffic collected in network operation center backbones are presented. Preliminary results indicate this system has significant potential for revealing anomalies in large network systems.