Vincent Berk
Contact Information
45 Lyme Road, Suite 308
Hanover, NH 03755
USA
Email: Firstname.Lastname@dartmouth.edu
Phone: +1 603 646 0746
Fax: +1 603 646 0666
Web: www.pqsnet.net/~vince
Projects: www.pqsnet.net/projects.php
Research
Since August 2000 I've been working as a lecturer and research scientist at the Thayer
School of Engineering at Dartmouth College in Hanover, New Hampshire.
There I work on Process Query Systems, a new data processing paradigm
where user queries are expressed as process descriptions.
This allows a PQS to solve large and complex information retrieval problems
in dynamic, continually changing environments where sensor input is often
unreliable. The system can take input from arbitrary sensors and then forms
hypotheses regarding the observed environment, based on the process queries
given by the user. Over the past two years this concept has been developed
and tested in various application fields at Dartmouth and elsewhere. For
example, the same underlying system that is able to track network security
events, and correlate multi-stage attacks, is also used to track fish
swimming through an aquarium. The only difference between the applications
of PQS to different domains is the model that is used for each application
(these models are only a few lines in size) and the sensors that provide
the PQS engine with real-time data. This means that a PQS can be quickly
applied to an application area, with very little tweaking and tuning,
allowing the programmer more time to refine the model(s).
Recently we started development of a combined heuristic and probabilistic
system that correlates network flows into activities and groups related
activities together. This vastly reduces the amount of traffic an
administrator has to inspect for network auditing tasks. For instance, IDS
security alerts are quickly linked to other related activity, such as the
download of rootkits or remote administration traffic, so that all relevant
security data is presented together to the user. The same techniques are
equally useful for identifying the leaking of sensitive information from an
organisation, such as customer data or intellectual property.
Additionally, I do a lot of work in Internet epidemiology, worms, viruses,
multistage network attacks, and computer forensics.
The main focus of my work is on autonomous active worms, which propagate
without any user interaction. The single major factor that governs the
severity of an Internet worm event is the availability of vulnerable targets:
it determines both the speed at which an epidemic spreads and the number of
hosts that will eventually be infected. By building mathematical models of
Internet epidemics we aim to improve our real-time worm detection system,
DIB:S. These models apply biological epidemiology to past Internet worm
events. By drawing this parallel, we gain a better understanding of how new
worm events can be slowed down, or even prevented. We fit traditional
epidemiological models (such as the Kermack-McKendrick system of equations)
to the Internet of today and tomorrow by formulating new ways to calculate
the infection and removal parameters.
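As an added worked example (not the page's own models and not DIB:S code), the following Python integrates the Kermack-McKendrick SIR system for a random-scanning worm. Beyond what the text states, it assumes that targets are drawn uniformly from the IPv4 address space, that the infection parameter is derived from a per-host scan rate, and that removal (patching, filtering, clean-up) happens at a constant per-host rate. Running it for two vulnerable-population sizes shows the point made above: the size of the vulnerable population sets both how fast the epidemic takes off and how many hosts it reaches in a given time, and a removal rate above the effective infection rate keeps the worm from taking off at all.

```python
"""Kermack-McKendrick (SIR) model of a random-scanning Internet worm.

Added illustration; not the models or the DIB:S code described on the page.
Assumptions the page does not state:
  * the worm picks targets uniformly at random from an address space of
    ADDRESS_SPACE addresses (2**32 for IPv4), probing scan_rate addresses
    per second per infected host;
  * the infection parameter is therefore scan_rate / ADDRESS_SPACE per
    (infected, susceptible) pair, i.e. new infections per second are
    scan_rate * I * S / ADDRESS_SPACE;
  * removal (patching, filtering, clean-up) occurs at a constant per-host
    rate removal_rate.
The system integrated is
    dS/dt = -scan_rate * S * I / ADDRESS_SPACE
    dI/dt =  scan_rate * S * I / ADDRESS_SPACE - removal_rate * I
    dR/dt =  removal_rate * I
"""
from dataclasses import dataclass, field
from typing import List, Optional

ADDRESS_SPACE = 2 ** 32  # IPv4


@dataclass
class Epidemic:
    vulnerable: int
    t: List[float] = field(default_factory=list)
    s: List[float] = field(default_factory=list)  # susceptible (vulnerable, not yet hit)
    i: List[float] = field(default_factory=list)  # infected and scanning
    r: List[float] = field(default_factory=list)  # removed (patched, filtered, cleaned)

    def cumulative_infected(self, k: int) -> float:
        """Hosts that have been infected by step k: still infected plus removed."""
        return self.i[k] + self.r[k]


def simulate_worm(vulnerable: int, initial_infected: int, scan_rate: float,
                  removal_rate: float, duration: float = 86400.0,
                  dt: float = 1.0, address_space: int = ADDRESS_SPACE) -> Epidemic:
    """Forward-Euler integration of the SIR system in the module docstring."""
    s = float(vulnerable - initial_infected)
    i = float(initial_infected)
    r = 0.0
    ep = Epidemic(vulnerable, [0.0], [s], [i], [r])
    for step in range(1, int(duration / dt) + 1):
        # each infected host's scans land on a still-susceptible host with
        # probability s / address_space; never infect more than are left
        new_infections = min(scan_rate * i * s / address_space, s / dt)
        removals = removal_rate * i
        s -= new_infections * dt
        i += (new_infections - removals) * dt
        r += removals * dt
        ep.t.append(step * dt)
        ep.s.append(s)
        ep.i.append(i)
        ep.r.append(r)
    return ep


def time_to_fraction(ep: Epidemic, fraction: float) -> Optional[float]:
    """First time at which `fraction` of the vulnerable population has been
    infected (still infected or already removed); None if never reached."""
    target = fraction * ep.vulnerable
    for k, t in enumerate(ep.t):
        if ep.cumulative_infected(k) >= target:
            return t
    return None


def peak_infected(ep: Epidemic) -> float:
    """Largest number of simultaneously infected hosts over the run."""
    return max(ep.i)


if __name__ == "__main__":
    for n in (360_000, 36_000):
        ep = simulate_worm(vulnerable=n, initial_infected=1,
                           scan_rate=10.0, removal_rate=0.0)
        print(f"{n:>7} vulnerable hosts: 50% infected after "
              f"{time_to_fraction(ep, 0.5)} s")
```

With 360,000 vulnerable hosts and ten probes per second per infected host, the model passes 50% infected after roughly four hours; with a tenth of that population the same worm has not reached 50% after a full day. The parameters are illustrative and not fitted to any real worm event.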
Finally, at Dartmouth I teach Computer Architecture (ENGS116 and COSC107)
to graduate students.
My Ph.D. degree is in Computer Science from Leiden University, on
Process Query Systems and their applications.
I obtained my M.Sc. degree in Computer Science at Leiden University in 2001,
in the field of high-performance computing (hardware design,
compiler optimization, parallel computing, 3D computer graphics).
Files
-
NTee
TGZ
This is a small program that will sniff traffic from one network
wire and copy it to another. Handy if you want to monitor multiple
networks with just one IDS.
Publications
NOTE: my most recent publications are also available through our project
website: http://www.pqsnet.net/publications.php
-
Annarita Giani, Ian Gregorio De Souza, Vincent Berk, and George Cybenko
Network Flow Evaluator for Security Analysis
PS
PDF
Proceedings of FloCon, Vancouver, Washington, October 2006
In this paper we
apply the Process Query System (PQS) infrastructure to build a
complex network flow analyzer capable of attribution and
aggregation of different flows into single activity events for the
purpose of identifying illegitimate "activities".
-
George Cybenko and Vincent Berk
Process Detection in Defense and Homeland Security
PS
PDF
Proceedings of the SPIE Defense and Security Symposium Vol. 6201, Orlando Florida, April 2006
This paper discusses the fundamental problem arising in a variety
of homeland security, national defense and commercial applications,
including network security, sensor network data fusion, dynamic
social network analysis and video tracking of kinematic objects.
-
Alex Barsamian and Vincent H. Berk and George V. Cybenko
Target tracking and localization using infrared video imagery
PS
PDF
Proceedings of the SPIE Defense and Security Symposium Vol. 6231, Orlando Florida, April 2006
In this paper we introduce a novel way of implementing a
video-based tracking system using a Process Query System to
predict the position of objects in the environment, even after
they have disappeared from view. Although the image processing
pipeline is trivial, tracking accuracy is remarkably high,
suggesting that overall performance can be improved even further
with the use of more sophisticated video processing and image
recognition technology.
-
Ian Gregorio-De Souza and Vincent H. Berk and Annarita Giani and George Bakos and Marion Bates and George Cybenko and Doug Madory
Detection of Complex Cyber Attacks
PS
PDF
Proceedings of the SPIE Defense and Security Symposium Vol. 6201, Orlando Florida, April 2006
In this paper, we discuss the benefits of implementing a multistage cyber attack detection system using PQS. We
focus on how data from multiple sources can be combined and used to detect and track comprehensive network security
events that go unnoticed using conventional tools.
-
Annarita Giani and Vincent H. Berk and George V. Cybenko
Data Exfiltration and Covert Channels
PS
PDF
Proceedings of the SPIE Defense and Security Symposium, Orlando Florida, April 2006
This article introduces a taxonomy of the majority of
all possible exfiltration methods. Such a taxonomy can never be
exhaustive, but at the very least it gives a framework for organizing
methods and developing defenses.
-
Vincent Berk and George Cybenko and Annarita Giani
Detection of Covert Channel Encoding in Network Packet Delays
PDF
Proceedings of FloCon, Pittsburgh, Pennsylvania, September 2005
In this paper we use traffic analysis to investigate a stealthy form of
data exfiltration. We present an approach to detect covert
channels based on a Process Query System (PQS), a new type of
information retrieval technology in which queries are expressed as
process descriptions.
-
Vincent H. Berk and George Cybenko and Robert S. Gray
Early Detection of Active Internet Worms
PS
PDF
in Managing Cyber Threats, pages 146-180, Springer 2005
This book chapter gives a taxonomy of Internet worms and worm epidemics,
and presents DIB:S and its detection results. This is our most
complete work on this topic.
-
Vincent Berk and Naomi Fox
Process Query Systems for Network Security Monitoring
PS
PDF
Proceedings of the SPIE Defense and Security Symposium, Orlando Florida, April 2005
In this paper we present the architecture of our network security monitoring inf
descriptions that are submitted as queries. In this case the data streams
are familiar network sensors, such as Snort, Netfilter, and Tripwire.
The process queries describe the dynamics of network attacks and failures,
such as worms, multistage attacks, and router failures.
-
Christopher Roblee and Vincent Berk and George Cybenko
Implementing Self-Awareness in Large-Scale Server Farms
PS
PDF
Proceedings of the 2005 IEEE International Conference on Autonomic Computing
In this paper we present a new server monitoring method based on a
new and powerful approach to dynamic data analysis: Process Query
Systems (PQS). PQS enables user-space monitoring of servers and,
by using advanced behavioral models, makes accurate and fast
decisions regarding server and service state.
-
George Cybenko and Vincent H. Berk and Valentino Crespi and Robert S. Gray and Guofei Jiang
An Overview of Process Query Systems
PS
PDF
Proceedings of the SPIE Defense and Security Symposium, Orlando Florida, April 2004
This paper gives a technical background of the PQS approach.
-
Robert S. Gray and Vincent H. Berk
Rapid Detection of Worms using ICMP-T3 Analysis
PS
PDF
Proceedings of the SPIE Defense and Security Symposium, Orlando Florida, April 2004
Performance analysis of the DIB:S system, speed and accuracy of detection.
-
Michael Liljenstam and David M. Nicol and Vincent H. Berk and Robert S. Gray
Simulating Realistic Network Worm Traffic for Worm Warning System Design and Testing
PS
PDF
ACM Workshop on Rapid Malcode, Washington DC, October 2003
-
Vincent Berk and Wayne Chung and Valentino Crespi and George Cybenko and Robert Gray and Diego Hernando and Guofei Jiang and Han Li and Yong Sheng
Process Query Systems for Surveillance and Awareness
PS
PDF
Proceedings of the Systemics, Cybernetics and Informatics (SCI2003) conference, Orlando Florida, July 2003
This paper discusses the use of Process Query Systems for use in
detection and tracking of arbitrary events. Focus is on the
easy development of tracking algorithms based on the properties
of the process.
-
Vincent H. Berk and Robert S. Gray and George Bakos
Using Sensor Networks and Data Fusion for Early Detection of Active Worms
PS
PDF
Proceedings of the SPIE Aerosense conference, Orlando Florida, April 2003
Description of the TRAFEN system used for processing the alerts generated
by DIB:S. Estimates for router coverage are based on our mathematical worm
model, used in a network simulation environment.
-
Vincent Berk and George Bakos and Robert Morris
Designing a Framework for Active Worm Detection on Global Networks
PS
PDF
Proceedings of the IEEE International Workshop on Information Assurance,
Darmstadt Germany, March 2003
This paper describes the processing framework as well as some initial
results obtained from the correlation system.
-
George Bakos and Vincent Berk
Early Detection of Internet Worm Activity by Metering ICMP Destination
Unreachable Messages
PS
PDF
Proceedings of SPIE Aerosense 2002
The initial proof of concept of our DIB:S active worm tracking system.
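The DIB:S papers listed above meter ICMP destination-unreachable (type 3) messages to detect worm activity. As an added example that is not DIB:S code and does not describe its internals, the Python below implements the basic idea the titles suggest: a random-scanning host probes addresses that are unallocated or unreachable, so routers answer it with ICMP type 3 messages, and those replies can be metered per probing host. The record format and the log lines are constructed for this example, and the window and threshold are arbitrary; the probing host and its original target are the fields a real collector would take from the IP header quoted inside the ICMP payload.

```python
"""Metering ICMP type 3 (destination unreachable) replies per probing host.

Added example; not the DIB:S code and not a description of its internals.
Assumed mechanism (not stated on the page): a random-scanning worm hits
unallocated or unreachable addresses, so routers send ICMP type 3 back to
the scanning host.  Counting, per host, how many distinct unreachable
targets drew such replies inside a sliding window separates a scanner from
a host that merely keeps retrying one dead destination.

Record format, constructed for this example, one line per ICMP T3 message:
    "<timestamp> <router> <probing_host> <original_destination>"
where the last two fields are the source and destination of the IP header
quoted inside the ICMP payload.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

Record = Tuple[float, str, str, str]
Alarm = Tuple[float, str, int]

# Constructed sample: 10.0.0.5 probes random addresses and collects
# unreachables from three routers; 10.0.0.9 retries one dead address
# (a misconfigured client, not a scanner).
SAMPLE_LOG = """\
1000.0 192.0.2.1 10.0.0.5 203.0.113.17
1000.2 192.0.2.1 10.0.0.9 198.51.100.7
1000.5 192.0.2.7 10.0.0.5 198.51.100.200
1001.0 192.0.2.1 10.0.0.5 203.0.113.44
1001.1 192.0.2.1 10.0.0.9 198.51.100.7
1001.7 192.0.2.3 10.0.0.5 192.0.2.250
1002.3 192.0.2.7 10.0.0.5 198.51.100.201
1002.9 192.0.2.1 10.0.0.9 198.51.100.7
1003.1 192.0.2.1 10.0.0.5 203.0.113.45
1003.8 192.0.2.3 10.0.0.5 192.0.2.251
1004.2 192.0.2.1 10.0.0.5 203.0.113.46
1004.9 192.0.2.7 10.0.0.5 198.51.100.202
1060.0 192.0.2.1 10.0.0.9 198.51.100.7
"""


def parse_records(text: str) -> List[Record]:
    """Parse the constructed record format into (ts, router, host, target)."""
    records: List[Record] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, router, host, target = line.split()
        records.append((float(ts), router, host, target))
    return records


def meter_icmp_t3(records: List[Record], window: float = 30.0,
                  threshold: int = 5) -> List[Alarm]:
    """Return (timestamp, host, distinct_targets) once per host each time the
    number of distinct unreachable targets within `window` seconds reaches
    `threshold`; the host re-arms after it drops below the threshold."""
    recent: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)
    alarmed = set()
    alarms: List[Alarm] = []
    for ts, _router, host, target in sorted(records):
        q = recent[host]
        q.append((ts, target))
        # drop replies older than the window
        while q and ts - q[0][0] > window:
            q.popleft()
        # distinct targets, not raw replies: repeated retries to one dead
        # address are not a scan
        distinct = len({t for _, t in q})
        if distinct >= threshold:
            if host not in alarmed:
                alarmed.add(host)
                alarms.append((ts, host, distinct))
        else:
            alarmed.discard(host)
    return alarms


if __name__ == "__main__":
    for ts, host, n in meter_icmp_t3(parse_records(SAMPLE_LOG)):
        print(f"t={ts}: {host} drew ICMP T3 for {n} distinct targets, "
              f"about {n / 30.0:.2f} failed probes/s")
```

On the sample, 10.0.0.5 trips the meter at its fifth distinct unreachable target, while 10.0.0.9 never does, because all of its replies concern the same destination. The distinct-target count divided by the window also gives a crude lower bound on the host's scan rate, which is the parameter the epidemic models above need.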
NOTE: Not all my work is currently available through this site. If there is
a publication that you are looking for and cannot find, please email me at:
Firstname.Lastname@dartmouth.edu
Technical Whitepapers
-
Vincent Berk and George Cybenko
File Sharing Protocols: A Tutorial on Gnutella
PS
PDF
Inventory of file sharing protocols and an in-depth description of the
Gnutella architecture.
-
Vincent Berk
Improving Security, Accessibility and Maintainability of Websites
using Modified Reverse Proxy Servers: A Design and Implementation
PS
PDF
Technical overview of the webserver tool that stopped both Code Red v2
and NIMDA during their initial propagations.
-
Vincent Berk
Improved Network Security through a Combined Ethernet Bridge, Firewall and
IDS: A Design and Implementation
PS
PDF
The network "Melting Fuse". Traffic traverses this system transparently
until the IDS flags an IP address as malicious. The firewall then
disallows any communication to and from that IP address.
NOTE: This is my private website and thus NOT part of the Institute for
Security Technology Studies website.