Saturday, August 19, 2006

Airport Security: Meatspace Intrusion Detection

I flew last week for the first time since the "Hair-gel Bombers" news broke and greatly enjoyed the new additions to the security theater that TSA has so lovingly rolled out for the fall season. BWI had new signs up all over declaring that the threat of a terrorist attack was currently high. HIGH!! You had a good chance of having to fight terrorists to the death by getting on a plane last week, according to TSA. Enjoy your flight!

Imagine my surprise when I got home yesterday and found my 1/6th oz bottle of contact lens rewetting drops in one of the pockets on my laptop bag. I sailed through 2 security checkpoints with this highly dangerous contraband, too; this wasn't a one-time event. Imagine the damage I could have done if that was filled with binary explosive liquids; I probably could have blown off a few fingers with it and suffered some temporary hearing loss.

Let's face facts, people: airport security screening lines are the physical-world equivalent of a classic intrusion detection system. We have traffic (people and luggage) and analyzers (x-ray machines, metal detectors, explosive residue detectors) which use deterministic sets of signatures (bad things: guns, knives, gel bras) to continuously produce information about things that may or may not be bad, which then must be contextualized by humans. Humans are notoriously lousy at doing this unless you can constrain the data set heavily or can somehow automate the contextualization process (like we do at Sourcefire). Guess what? The dedicated individual manning the x-ray machine has a limited span of attentiveness when they're looking at bag after bag going by on the screen. Has anyone else noticed the ergonomic purgatory that x-ray screeners have to endure? Sit on an armless, backless stool and look up at a 20-45 degree angle at item after item sailing through the machine. How long before neck, back or shoulder pain affects the screener's attentiveness?

What are we to suppose is the duty cycle of a baggage screener in a typical American airport with a data flow rate of 172 passengers per hour and two shoes and two carry-ons per passenger? The screener gets a whopping 5.2 seconds to pattern-match the entire set of bad things against each item. I'm not taking into account time spent in spool-up/spool-down periods for starting and stopping the belt either, so we're probably talking about half that effectively: 2.6 seconds. My laptop bag currently contains a PowerBook, Airport Express, digital camera, airplane power adapter, iPod, EVDO PCMCIA card, cell phone, two laptop batteries, 80GB portable firewire hard drive, laptop power adapter and a bag filled with various wires and other widgetry to make it all plug together. Not to mention books, pens and other business stuff. 2.6 seconds to positively identify all of that as non-dangerous. Let's be generous and call it 3 seconds. If the set of things that need to be detected (the signatures) is constrained to guns, knives and bomb materials, I'd say grudgingly that a motivated screener could maintain alertness through their entire period manning the machine and have a reasonable probability of detecting the things in the set of threats. Once you extend that signature set to, well, pretty much everything that's not paper or cloth, you're going to have an analyst's nightmare, because you just did the equivalent of "alert ip any any -> any any (msg: "Something bad may have happened!!";)" in Snort.

In an environment like this, with no automated analysis tools, the analyst is quickly overwhelmed by the level of noise (false positives) they have to deal with. Once the analyst is saturated, their ability to differentiate an iPod from a brick of C4 rapidly goes to zero; the brain gives up or goes on to think about other things. If the TSA wants screeners spending time looking for every tweezer, nail clipper and bottle of contact lens cleaner, they're asking for overload of their staff and reducing its ability to be effective. In the intrusion detection world we would call what they're doing "de-tuning the sensor": making it fire much more frequently by increasing the number of things that will set it off, with no regard for the effect that has on the human analysts and with no tools to help them cope with the increased information flooding them.
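The sensor analogy in the two paragraphs above, as an added example that is not part of the original post: a toy Python model of the screening line as a signature-based sensor. It runs a "tuned" ruleset (only the threat classes the post names) and a "de-tuned" one (also everything electronic, metal or liquid) over a constructed stream of items modelled on the laptop bag above, and scores each the way an IDS analyst would: alerts raised, false positives, precision, and how many items per hour a human would have to contextualize. The item list, the tags, and the single constructed pocket-knife threat are assumptions made for illustration; only the throughput figures (172 passengers per hour, two shoes and two carry-ons each) come from the post.

```python
from dataclasses import dataclass

# Throughput figures from the post: 172 passengers/hour, each putting
# two shoes and two carry-ons on the belt.
PASSENGERS_PER_HOUR = 172
ITEMS_PER_PASSENGER = 4


def seconds_per_item(passengers_per_hour=PASSENGERS_PER_HOUR,
                     items_per_passenger=ITEMS_PER_PASSENGER):
    """Screener time budget per item if the belt never stops (about 5.2 s)."""
    return 3600.0 / (passengers_per_hour * items_per_passenger)


def alerts_per_hour(alert_rate, passengers_per_hour=PASSENGERS_PER_HOUR,
                    items_per_passenger=ITEMS_PER_PASSENGER):
    """Items per hour a human must contextualize under a given ruleset."""
    return alert_rate * passengers_per_hour * items_per_passenger


@dataclass(frozen=True)
class Item:
    name: str
    tags: frozenset   # properties the x-ray "sensor" can see
    threat: bool      # ground truth, used only to score the sensor


def item(name, *tags, threat=False):
    return Item(name, frozenset(tags), threat)


# Constructed stream modelled on the laptop bag described in the post,
# plus one constructed threat (not in the post) so both rulesets have
# something real to find.
ITEMS = [
    item("PowerBook", "electronic", "metal"),
    item("Airport Express", "electronic", "metal"),
    item("digital camera", "electronic", "metal"),
    item("iPod", "electronic", "metal"),
    item("cell phone", "electronic", "metal"),
    item("EVDO PCMCIA card", "electronic", "metal"),
    item("laptop battery", "electronic", "metal"),
    item("laptop battery", "electronic", "metal"),
    item("80GB firewire drive", "electronic", "metal"),
    item("bag of wires and adapters", "electronic", "metal"),
    item("contact lens drops", "liquid"),
    item("paperback book", "paper"),
    item("pens", "metal"),
    item("shoe", "cloth"),
    item("shoe", "cloth"),
    item("pocket knife", "knife", "metal", threat=True),   # constructed threat
]

# A ruleset is the set of tags that raise an alert: the meatspace
# equivalent of a Snort signature set.  TUNED matches only the threat
# classes named in the post; DETUNED also fires on everything electronic,
# metal or liquid, the post's "alert ip any any -> any any".
TUNED = frozenset({"gun", "knife", "explosive"})
DETUNED = TUNED | {"electronic", "metal", "liquid"}


def run_sensor(items, signatures):
    """Run one ruleset over the stream and score it like an IDS."""
    alerts = [it for it in items if it.tags & signatures]
    tp = sum(1 for it in alerts if it.threat)
    fp = len(alerts) - tp
    missed = sum(1 for it in items if it.threat) - tp
    return {
        "alerts": len(alerts),
        "true_positives": tp,
        "false_positives": fp,
        "missed_threats": missed,
        "precision": tp / len(alerts) if alerts else 0.0,
        "alert_rate": len(alerts) / len(items),
    }


if __name__ == "__main__":
    print(f"budget per item: {seconds_per_item():.1f} s")
    for label, rules in (("tuned", TUNED), ("de-tuned", DETUNED)):
        score = run_sensor(ITEMS, rules)
        print(f"{label:9s} alerts={score['alerts']:2d} "
              f"fp={score['false_positives']:2d} "
              f"precision={score['precision']:.2f} "
              f"to contextualize/hour={alerts_per_hour(score['alert_rate']):.0f}")
```

Both rulesets catch the one constructed threat; the difference is the noise around it. The tuned set hands the screener roughly one item in sixteen to think about, while the de-tuned set hands them thirteen in sixteen, which at the post's throughput is hundreds of "alerts" an hour with a precision below one in ten. That is the saturation the paragraph describes, expressed as numbers a detection engineer would recognise.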

This problem is well known in the network security world as the "boy who cried wolf" syndrome, and it's the problem that led to network intrusion detection as a technology being discredited back in 2002-2003. The root cause of this problem was insufficiently sophisticated sensing technology that relied completely on (bored/untrained/distractable) humans to deal with staggering amounts of data to make the technology useful. We've wised up since then and built technology to address this root cause by automating the contextualization of data sets and giving the intrusion detection engines the capability to be self-tuning without the need for human intervention (well, I'm still working on that part).

If we're going to increase the "number of signatures" in meatspace to include everything electronic, metal or liquid, we'd better find a way to have smart, automated contextualization of the data, otherwise we're doomed to failure and someday we'll see a report out of a newspaper or GAO office declaring "Airport Security Screening is Dead".



At 9:00 PM, Anonymous Adam Shostack said...

PS: Wooo! First comment!

At 11:11 PM, Anonymous Roland Dobbins said...

Please enable full-text feeds on your weblog - makes it much easier to follow for those of us who have a lot of subscriptions.

Many thanks!

At 4:53 PM, Blogger Dr Anton Chuvakin said...

It is indeed a scary thought that is obvious when you hear it the first time: the MORE they look for nail clippers and shampoo, the MORE likely they are to miss a bomb!

At 10:03 PM, Blogger Joel Esler said...

That link seems appropriate.

At 10:45 PM, Anonymous Anonymous said...

Hey Marty! Long time no see!!!

I made it roundtrip on a flight last week and got home and realized HORROR OF HORRORS - a .5 oz tube of Purell AND a 1.0 oz bottle of Lubriderm hand lotion were safely ensconced in my carry-on. I could have killed any left-over germs and moisturized your remaining digits with my "contraband".... ;-)

Becky P.

At 9:52 AM, Blogger Joel Esler said...


