December 2005 (Vol. 6, No. 12)
1541-4922/05/$25.00 © 2005 IEEE

Published by the IEEE Computer Society
News: Higher-Ed Networks Begin Circling the Wagons
Greg Goth
Ever since peer-to-peer file-sharing programs became popular in the late 1990s, college campuses have been perceived as a Wild West of profligate bandwidth use and lax security—a perfect digital incubator for viruses, spyware, and illegal downloads of copyright-protected material. Although many elements contributing to this perception remain ingrained in the culture of higher education, university-based networking experts say the reality behind the perception is changing. One reason is that some of these elements, such as high-performance networks and a philosophical dedication to the open exchange of information and ideas, are also being touted as critical foundations of a new research-driven economy with regional, national, and global bases.
Yet little hard data is available to help campus officials or their prospective government and enterprise partners pinpoint the scope and origins of possible attacks on college networks. To address this lack, a team of networking researchers is undertaking the first distributed intrusion-detection project to compile network traffic data specific to the higher-education sector.
ISAI pilot project
The Information Security in Academic Institutions (http://www.infosecurityresearch.org/index.html) research project, funded by a $200,000 grant from the US National Institute of Justice, is analyzing the unique vulnerabilities of higher education's networks and their impact on public safety. Besides collecting survey and interview data, ISAI has partnered with DShield.org (http://www.dshield.org) to create a sector-specific intrusion-detection system. The pilot program launches with three universities, aggregating anonymized firewall and intrusion-detection data to correlate attacks and identify commonalities. Participants get a login to a dashboard that displays the threat data across participating institutions and provides an in-depth view of their own network.
Steffani Burd, ISAI executive director, says the project is actually a three-pronged effort to ascertain the scope of campus network vulnerabilities. First, approximately 100 IT directors will complete an online survey exploring the issues, challenges, and approaches involved in securing academic institutional systems and information. Second, researchers will interview 15 IT directors via a semistructured protocol to obtain textured data and real-life scenarios. Finally, the three universities will provide firewall and intrusion-detection logs, and one will provide granular-level network activity data.
The research team will publish its results early in 2006. The researchers hope the project will establish the groundwork for quantifying academia's security risks, challenges, objectives, and approaches.
"The idea was to compare and contrast survey data, which is self-reported, with the actual objective data, which nobody's done," Burd says. An additional step will assess the objective data's relevance to vulnerabilities that might affect critical infrastructure beyond university campuses.
Scott Cherkin, ISAI's director of strategic development, says the project not only will help give visibility to the ISAI initiative itself but also might diffuse some strongly held opinions.
"There are a lot of hypotheses from people who firmly believe higher education is disproportionately vulnerable to IT security threats," Cherkin says, "and a good amount of people have also pushed back on that idea. But there's not a ton of data available."
Cherkin says the most quantifiable information goes back to the Code Red worm, which slowed much Internet traffic to a crawl with distributed denial-of-service attacks in July 2001. Code Red's origin was traced to a server at Foshan University in China, although the trace never confirmed that the responsible hacker came from there.
Even though ISAI is collecting and analyzing the pilot data anonymously, one institution—Arizona State University—agreed to go public with its choice to participate. Lois Lehman, information assurance coordinator for ASU's College of Liberal Arts and Sciences, says her motivation to take part in the ISAI project was both philosophical and practical.
"I've always thought anything on the network required cooperation," Lehman says. "I've always wanted to be able to notify others of anomalous network activity. When I saw the research project, I thought it looked like a good resource for a university."
Specifically, Lehman says the pilot will give network administrators real-time information about possible attacks that might be scanning several campuses simultaneously.
"I was only seeing what was happening here in three buildings on campus from our Snort log," she says. "When I would see something suspicious, I wasn't sure if it was some new attack happening. I could send email to other administrators, but I couldn't always be sure of when I'd get any information back."
The ISAI study results will let her see what's happening at several universities all at once.
DShield intrusion detection
DShield is a free attack-correlation engine that lets firewall users share intrusion information. The customized ISAI DShield installations will let participants monitor both incoming and outgoing network traffic for anomalous activity by revealing the top 10 internal target addresses and ports being probed by external entities, as well as the top 10 targets being probed by computers on the participants' networks. The global DShield database provides the information.
Johannes Ullrich launched DShield.org in November 2000 under the banner of Euclidian Consulting, which still owns the code base behind DShield. DShield received substantial support from the SANS Institute (www.sans.org) beginning in 2001, and it has become the data collection engine behind the SANS Internet Storm Center, which serves as an early warning center for suspected attacks. SANS currently provides all of DShield's hardware and bandwidth. Ullrich is a full-time SANS employee.
Ullrich hopes the new ISAI pilot will broaden the reach of the DShield reporting network. While he estimates DShield installations worldwide at between 10,000 and 20,000, only about 2,000 users submit daily data. He has begun to rewrite some of the original DShield code in hopes that it will be less complex to install. Ullrich says the current version requires fairly sophisticated development skills, including Unix knowledge, which might be hindering more widespread use of the technology. He says Burd did quite a bit of work in tailoring DShield for her project.
"I hope with collaborations like Steffani's, we'll get more eyeballs looking at our code, working on it. We have, for the past couple years, worked with the University of Wisconsin-Madison to help us find new ways to look at our data, and now this project with Steffani will help to look at the code and perhaps find ways to improve it."
When Ullrich developed DShield, he envisioned firewall log data culled worldwide to help users of small networks aggregate and determine the most dangerous source IP addresses and target ports. He also included a notification function to inform network administrators when attacking addresses originated from their servers.
Ullrich called DShield an Information Sharing and Analysis Center "for the little guy," referring to the ISAC model mandated for sector-specific critical infrastructure protection in Presidential Decision Directive 63, issued by President Clinton in 1998. Ullrich's characterization of DShield as an ISAC ironically highlights the absence of real-time academic-sector security information in the national infrastructure model.
ISAI's Cherkin says the focus of the Research and Education Networking ISAC (http://www.ren-isac.net/), higher education's sector within the national ISAC infrastructure, has been oriented more toward future than present threats.
"We've had some conversations with people involved with REN-ISAC at Indiana University," Cherkin says. "Right now its purpose, as I understand it, is to look at next-generation networking and monitor its behavior. A lot of what it's doing is working with Internet2. We can learn a lot [from that] and get ahead of next-generation networking standards, but there are a lot of schools that are not of that next generation, that have vulnerabilities that pertain to the networking environment at this point in time. We can learn something from that, too."
REN-ISAC directors did not respond to a request for comment.
The state of campus security
Ullrich says network administrators could use DShield for higher-level information gathering in concert with Snort, a popular open source network intrusion-detection application, for more granular network traffic analysis. The combination could save time for university IT staffs with few spare resources.
"In a particularly large network like an .edu, you can only focus on certain areas or certain attacks," he says. "Basically, DShield tells you what these areas are. It will tell you traffic might be spiking on a certain port, and then you can use Snort to examine traffic through this port in more detail."
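The workflow Ullrich describes, and the DShield views mentioned earlier (top internal targets and ports probed from outside, top targets probed by a campus's own machines, and a notification when an attacking address is one of your own), can be sketched in a few functions over firewall log records. The following is an added example written for this page, not DShield's or ISAI's code: it assumes a simplified, DShield-like tab-separated record layout (time, source, source port, target, target port, protocol), a constructed campus address block of 10.1.0.0/16, and constructed sample records. The spike check compares one hour of inbound hits per port against a baseline hour, which is the kind of signal that tells an administrator which port to examine in Snort.

```python
"""Added example: DShield-style correlation of firewall log records.

Assumptions (not from the article): a simplified tab-separated record layout
of time, src, sport, dst, dport, proto; an internal campus block of
10.1.0.0/16; and constructed sample records below.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.1.0.0/16")]  # constructed campus address space

FIELDS = ("time", "src", "sport", "dst", "dport", "proto")

# Constructed sample records: four inbound probes in the 09:00 hour, five in the
# 10:00 hour (four of them against port 1433), then four outbound connections
# from two campus hosts.
SAMPLE_LOG = "\n".join("\t".join(f) for f in [
    ("2005-11-30 09:00:01", "203.0.113.7", "40001", "10.1.2.3", "445", "TCP"),
    ("2005-11-30 09:00:02", "203.0.113.7", "40002", "10.1.2.4", "445", "TCP"),
    ("2005-11-30 09:00:03", "198.51.100.9", "51000", "10.1.2.3", "22", "TCP"),
    ("2005-11-30 09:00:04", "198.51.100.9", "51001", "10.1.2.3", "445", "TCP"),
    ("2005-11-30 10:00:01", "203.0.113.7", "40003", "10.1.2.5", "1433", "TCP"),
    ("2005-11-30 10:00:02", "203.0.113.8", "40004", "10.1.2.6", "1433", "TCP"),
    ("2005-11-30 10:00:03", "203.0.113.9", "40005", "10.1.2.7", "1433", "TCP"),
    ("2005-11-30 10:00:04", "198.51.100.9", "51002", "10.1.2.3", "1433", "TCP"),
    ("2005-11-30 10:00:05", "203.0.113.7", "40006", "10.1.2.3", "445", "TCP"),
    ("2005-11-30 10:01:00", "10.1.9.20", "3000", "192.0.2.10", "135", "TCP"),
    ("2005-11-30 10:01:01", "10.1.9.20", "3001", "192.0.2.11", "135", "TCP"),
    ("2005-11-30 10:01:02", "10.1.9.20", "3002", "192.0.2.12", "135", "TCP"),
    ("2005-11-30 10:01:03", "10.1.9.21", "3003", "192.0.2.13", "6667", "TCP"),
])


def parse_records(text):
    """Parse tab-separated lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        try:
            rec["src_ip"] = ip_address(rec["src"])
            rec["dst_ip"] = ip_address(rec["dst"])
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
        except ValueError:
            continue
        records.append(rec)
    return records


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def inbound(records):
    """External source probing an internal target."""
    return [r for r in records if not is_internal(r["src_ip"]) and is_internal(r["dst_ip"])]


def outbound(records):
    """Internal source contacting an external target."""
    return [r for r in records if is_internal(r["src_ip"]) and not is_internal(r["dst_ip"])]


def top_inbound_targets(records, n=10):
    """Top internal (host, port) pairs probed from outside: the 'top targets' view."""
    return Counter((r["dst"], r["dport"]) for r in inbound(records)).most_common(n)


def top_inbound_ports(records, n=10):
    """Top target ports probed from outside, regardless of host."""
    return Counter(r["dport"] for r in inbound(records)).most_common(n)


def outbound_probers(records, min_targets=3):
    """Internal hosts that touched at least min_targets distinct external hosts.

    This is the case the notification function exists for: an attacking
    address that turns out to be one of your own machines.
    """
    targets = {}
    for r in outbound(records):
        targets.setdefault(r["src"], set()).add(r["dst"])
    return sorted(src for src, t in targets.items() if len(t) >= min_targets)


def port_spikes(records, baseline_hour, current_hour, factor=2.0, min_hits=3):
    """Ports whose inbound hits in current_hour reach both min_hits and
    factor times the baseline_hour count. Hours are 'YYYY-MM-DD HH' prefixes."""
    def hits(hour):
        return Counter(r["dport"] for r in inbound(records) if r["time"].startswith(hour))
    base, cur = hits(baseline_hour), hits(current_hour)
    return {p: c for p, c in cur.items() if c >= max(min_hits, factor * base.get(p, 0))}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("top inbound targets:", top_inbound_targets(recs))
    print("top inbound ports:", top_inbound_ports(recs))
    print("internal hosts probing outward:", outbound_probers(recs))
    print("port spikes:", port_spikes(recs, "2005-11-30 09", "2005-11-30 10"))
```

On the constructed records, port 1433 shows up as a spike in the 10:00 hour (four hits against a baseline of none), which is the cue to capture traffic on that port with Snort, and 10.1.9.20 is reported as a campus host scanning three outside addresses on port 135, the situation in which an administrator would want to be notified rather than learn of it from someone else's abuse report.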
Even without the resources available via the DShield project, university IT administrators have, for the most part, taken steps to secure their networks against the threats that lax attention to security on campus invites. For example, Lehman says ASU separated its students' residential network from the university's other networks some time ago. Many campuses have done the same, using a firewall. This configuration can contain attacks such as distributed denial-of-service attacks emanating from a student computer that malware has turned into a zombie.
Many universities have also instituted formal network access policies that forbid students from using unauthorized P2P networks, which not only open up potential intellectual-property issues but also load down networks with spyware, adware, and other bandwidth-draining applications that can also carry worms, viruses, or Trojan horses. The 2005 National Survey of Information Technology in US Higher Education, conducted by the Campus Computing Project (http://www.campuscomputing.net/), reported that 81 percent of 501 two- and four-year colleges and universities had defined formal appropriate-use policies. The CCP's founding director, Kenneth Green, says the entertainment companies have vastly overhyped much of the popular perception of colleges as hotbeds of illegal activity.
"The Recording Industry Association of America has gone out of its way to portray college students as digital pirates," Green says. "In fact, aggregating numbers from their own monthly releases, college students represent less than 4 percent of the more than 8,400 John Does targeted as part of the lawsuit they filed over illegal downloading."
Botnet attacks
Such statistics might suggest it's time for university administrators to insist on more attention to the next generation of threats to campus networks: malware that runs beneath whatever applications an infected computer is running, communicating with and infecting multitudes of other unprotected network nodes through botnets. Botnet operators commonly use compromised machines to forward spam, to participate in a denial-of-service attack against a particular IP address or block of addresses, or to log the keystrokes of anyone using a compromised computer. Campus networks are believed to be more susceptible to botnet attacks because so many computers attached to them belong not to the institution but to students, faculty, or staff, and might not have the latest anti-virus protection.
In November 2004, a Multistate ISAC (MS-ISAC) presentation (http://security.utah.gov/prodserv/documents/Botnets.pdf) showed that automated botnets had successfully infiltrated at least three university networks. In one case, an infected computer had 7,200 connections to other compromised computers worldwide. The student who owned the infected machine, which was acting as a botnet controller, had no idea the computer was infected.
"We have botnets all over campus, and I'm not sure anyone wants to know that's really the case," ASU's Lehman says.
Those charged with leveraging university-based networks for greater economic and intellectual reach say distributed technology like the ISAI-DShield project could be a critical asset in pinpointing botnet attacks, both those targeting a campus and those using university-based computers to launch attacks.
"Interuniversity collaboration is only going to increase in the future, officially sanctioned or not," says Shiu-Kai Chin, director of the New York State Center for Advanced Technology at Syracuse University, which leverages university computing resources as a regional economic driver. "I think anything in terms of resources that helps universities better secure their systems is welcome."
Conclusion
Chin might be particularly attuned to new security measures. The Information Directorate of the US Air Force's Research Lab is in Rome, New York, approximately 30 miles east of the university's campus. The area surrounding Syracuse is home to a legion of both established companies and startups specializing in security technology. Chin says potential partners are extremely security savvy, and such clusters of academic and industrial expertise might turn up the safest and, paradoxically, most open security solutions.
"The academy has a major role to play, not only in terms of our expertise but also in network assurance," Chin says. "We're not the primary targets, but we can be an intermediate target to get to somebody else. We have to contribute to public safety."