
Page 1: An Overview of Intrusion Detection & Countermeasure Systems – Research Directions

PEDS II - 10072002 1

An Overview of Intrusion Detection & Countermeasure Systems – Research Directions

Fernando C. Colon Osorio
Computer Science Department
Worcester, MA 01609

Page 2

Outline
• Motivations
• A Model of an Intrusion
• Basic Approaches
• The Measurement Problem
• Research Directions
• Conclusions

Page 3

Historical Perspective
• Circa 1972
  – John T. Draper discovered that he could make free long-distance telephone calls using a whistle from a Cap'n Crunch cereal box. The whistle emitted a 2,600-hertz tone that got him into the internal authorization system of the phone company.

  With a tone-generating device known as the "blue box", Draper – soon to be known as Cap'n Crunch – made free long-distance calls possible for many.

  And so was born the modern practice of hacking ("cracking"): maneuvering through security walls, rigging something to avoid conventional protocols, …

Page 4

Motivations

• In the last five (5) years, the frequency and nature of attacks by "crackers" (inside and outside threats) has grown exponentially, see Figure 1.

Page 5

Exponential Growth of Intrusions (Figure 1, chart)

Page 6

Motivations
• In the last five (5) years, the frequency and nature of attacks by "crackers" (inside and outside threats) has grown exponentially, see Figure 1.

• It has been reported that at a major eCommerce site, 40 to 60% of IT resources during a six-month period were devoted to thwarting attacks.

• Avivah Litan, a financial analyst for the research firm Gartner, estimates that fraud cost e-tailers $700 million in lost merchandise last year alone. A Gartner study also shows that 5.2 percent of online shoppers have been victimized by credit card fraud and 1.9 percent by identity theft.

• Further, in a twelve-month period, see Table 1 below, at least six major break-ins have occurred, and the perpetrators have not been caught.

Page 7

Motivations, contn…

Table 1 – Unsolved Hacks. The people who stole credit card numbers from these major online merchants are still at large.

Company          Date       What they stole; additional crimes
Playboy.com      Nov 2001   Undisclosed number of credit card numbers; extortion
Ecount           Aug 2001   Personal customer information; extortion
Western Union    Sep 2000   15,000 card numbers
Creditcards.com  Dec 2000   55,000 card numbers exposed on the Web; extortion
Egghead.com      Dec 2000   3.7 million credit cards threatened*
CD Universe      Jan 2000   350,000 card numbers posted online; extortion

* Egghead announced that a hacker had accessed its computer system, "potentially including (its) customer databases." Source: CNET News.com research

Page 8

Motivations, contn…

Needless to say, this is a real BIG!!! problem for industry and government.

Page 9

Why the exponential increase?

• Obviously, low-cost powerful workstations and PCs for under $2K.

• The exponential growth of the web – the number of computers connected via a network!!!

• eCommerce companies during the dot-com boom, circa 1997-2001, rushed to deploy their sites on-line, giving little or no consideration to the problem of security.

• In spite of the significant increase in the identification and elimination of software flaws, the corresponding increase in the complexity of software systems (e.g., Windows XP today is roughly 40 million lines of code) has actually made the problem worse. Furthermore, a recent study by CERT/CC and SecurityFocus.com [9] has shown that the rate at which new vulnerabilities, easily exploitable by hackers, appear is growing exponentially.

Page 10

Why?, contn

In a single phrase:

Software/systems functionality increase vs. size/complexity crisis!!!

Page 11

Intrusion Detection System – Definition

Formal Definition [10], [11]

"Intrusion Detection (ID) is the problem of identifying individuals who are using, or attempting to use, a computer system without authorization (i.e., crackers) and those who have legitimate access to the system but are abusing their privileges (i.e., the insider threat)."

Page 12

Intrusion Timeline (figure)

Sequence of events along the timeline: System is Secure/Dependable → 1st Intrusion Attempt → 2nd Intrusion Attempt → … → Nth Intrusion Attempt (Success) → Intrusion Detected by IDS and/or IDCS → Intrusion Countermeasures Launched → System is Secure/Dependable → … → Mth Intrusion Attempt (Success)

Intervals marked on the figure: MTBASI (spanning attempts 1 through N), MTTID, MTTCI and MTBSI. Annotation on this build of the slide: "Attacks Begin".

Page 13

Intrusion Timeline (same figure as Page 12), with the annotation "Attack Is Successful" at the Nth intrusion attempt.

Page 14

Intrusion Timeline (same figure as Page 12), with the annotation "Diagnosis Region".

Page 15

Intrusion Timeline (same figure as Page 12), with the annotation "Repair/Re-Integration Region".

Page 16

Intrusion Timeline (same figure as Page 12), with the annotation "System Operational".

Page 17

Anomaly vs. Misuse IDS Systems

In past years, multiple Intrusion Detection systems have been proposed and implemented. All of the proposed systems are based on one or the other of two basic approaches:

• anomaly detection
• misuse detection

Note: Kumar [13] presents a fairly complete categorization of the most important systems proposed or built thus far.

Page 18

Anomaly Detection Systems

Anomaly detection:

• Detection of an intrusion, or attempted intrusion, is performed by detecting changes in the statistical behavior of the system, or in the behavior of the users of the system.

• In this approach a statistical model, containing parameterized metrics of the system's operation, is constructed.

  For example, a statistical model that contains metrics on CPU utilization, I/O requests per second, and so forth, is constructed using historical operational data.

• Once the model is constructed, the current behavior of the system is compared against the model, and "significant" statistical deviations from the model are flagged as potential intrusions.

Page 19

Problem

• For anomaly-based intrusion detection:

  $P(\text{Intrusion} \mid \text{Anomaly Pattern}) = \dfrac{P(\text{Anomaly Pattern} \mid \text{Intrusion}) \cdot P(\text{Intrusion})}{P(\text{Anomaly Pattern})}$

  Because the base rate $P(\text{Intrusion})$ is small, the posterior stays low even for a sensitive detector unless the false-alarm rate $P(\text{Anomaly Pattern} \mid \neg\text{Intrusion})$ is driven very close to zero.

Page 20

Anomaly Detection Systems – A Model

Let $A_1, A_2, \ldots, A_n$ be $n$ measures used to determine whether an intrusion is occurring on a system at any given moment. Each $A_i$ measures a different aspect of the system, such as the amount of I/O, etc.

Let each measure $A_i$ take one of two values, 0 or 1.

Let $I$ be the hypothesis that the system is under an intrusive attack. Then the reliability and sensitivity of each measure are given by

$P(A_i = 1 \mid I)$ and $P(A_i = 1 \mid \neg I)$

Then the combined belief in $I$ is given by:

$P(I \mid A_1, A_2, \ldots, A_n)$
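Added worked example (not part of the slides): a small Python anomaly detector that builds the statistical profile of Page 18 from constructed historical data, turns each current metric into a binary measure A_i as on this slide, and combines the measures with Bayes' rule as on Page 19. The baseline numbers, the sample readings, the z-score threshold, the prior P(I) and the per-measure probabilities P(A_i = 1 | I) and P(A_i = 1 | not I) are all assumed values, and the combination treats the A_i as conditionally independent given I, an assumption the slides do not state.

```python
import math
from statistics import mean, pstdev

# Constructed historical operating data (assumed values, not real measurements):
# CPU utilisation in percent and I/O requests per second sampled during normal
# operation. This is the "historical operational data" the profile is built from.
HISTORY = {
    "cpu_util": [31, 28, 35, 30, 33, 29, 32, 34, 30, 31],
    "io_rps":   [120, 110, 130, 125, 115, 118, 122, 128, 119, 121],
}

# Reliability/sensitivity of each binary measure A_i (assumed values):
# P(A_i = 1 | I) and P(A_i = 1 | not I).
MEASURES = {
    "cpu_util": {"p_a1_given_i": 0.70, "p_a1_given_not_i": 0.05},
    "io_rps":   {"p_a1_given_i": 0.80, "p_a1_given_not_i": 0.10},
}

PRIOR_INTRUSION = 0.01   # P(I): assumed base rate of an intrusion at any moment


def build_profile(history):
    """Statistical model of normal behaviour: (mean, std. dev.) per metric."""
    return {name: (mean(values), pstdev(values)) for name, values in history.items()}


def anomaly_indicators(profile, sample, z_threshold=3.0):
    """Map the current readings to A_i in {0, 1}.

    A_i = 1 when the reading deviates from the profile mean by more than
    z_threshold standard deviations (a "significant" statistical deviation).
    """
    indicators = {}
    for name, (mu, sigma) in profile.items():
        deviation = abs(sample[name] - mu)
        if sigma == 0:
            indicators[name] = 1 if deviation > 0 else 0
        else:
            indicators[name] = 1 if deviation / sigma > z_threshold else 0
    return indicators


def posterior_intrusion(indicators, measures=MEASURES, prior=PRIOR_INTRUSION):
    """P(I | A_1, ..., A_n) by Bayes' rule.

    The likelihood of the observed vector is the product of the per-measure
    likelihoods, i.e. the A_i are treated as conditionally independent given I
    (naive-Bayes assumption). Computed in log space to avoid underflow.
    """
    log_lik_i = math.log(prior)
    log_lik_not_i = math.log(1.0 - prior)
    for name, a in indicators.items():
        p1 = measures[name]["p_a1_given_i"]
        p0 = measures[name]["p_a1_given_not_i"]
        log_lik_i += math.log(p1 if a else 1.0 - p1)
        log_lik_not_i += math.log(p0 if a else 1.0 - p0)
    # P(I | A) = P(A | I) P(I) / [P(A | I) P(I) + P(A | not I) P(not I)]
    scale = max(log_lik_i, log_lik_not_i)
    num = math.exp(log_lik_i - scale)
    den = num + math.exp(log_lik_not_i - scale)
    return num / den


def score_sample(sample, history=HISTORY, **kwargs):
    """Full pipeline: profile -> indicators A_i -> combined belief in I."""
    profile = build_profile(history)
    indicators = anomaly_indicators(profile, sample)
    return indicators, posterior_intrusion(indicators, **kwargs)


if __name__ == "__main__":
    # Constructed current readings: one normal, one with both metrics off-profile.
    for label, sample in [("normal", {"cpu_util": 32, "io_rps": 120}),
                          ("suspicious", {"cpu_util": 95, "io_rps": 400})]:
        ind, belief = score_sample(sample)
        print(f"{label:10s} A={ind} P(I|A)={belief:.4f}")
```

Even with both measures flagging, P(I | A) only reaches about 0.53 under these assumed numbers, because the prior is 1%: the low base rate of intrusions, not the quality of the measures, bounds how much a flagged anomaly can be trusted, which is the point of the formula on Page 19.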

Page 21

Misuse Detection Systems

Misuse Detection:

• The fundamental premise behind the misuse model is:

  Attacks follow a pattern.

  The pattern of the attack is usually designed to exploit "known" weaknesses in the system. A classical example of such attacks is those that exploit the well-known "Buffer Overflow" problem.

Page 22

Misuse Detection Systems

Misuse Detection:

• In the Misuse Model of Intrusion Detection, it is assumed that attacks can be precisely encoded in a manner that captures the variations and different forms of activities perpetrated by the cracker to exploit the known vulnerabilities or weaknesses of the system.

• These patterns or sequences of events are known as the "signature" of the intrusion. Hence, by matching new "suspected" behavior against all known signatures, the attack can be thwarted.
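Added worked example (not part of the slides): a minimal misuse detector in Python. Each signature is encoded as an ordered sequence of regular-expression steps, and a named group that appears in several steps must bind to the same value across them, so one signature covers the variations of an attack (any account, any source address) while still demanding that the steps belong together. The audit-trail lines, the two signatures and the 256-byte length that stands in for a suspiciously long CGI argument (a crude buffer-overflow probe signature) are all constructed for this illustration.

```python
import re

# Constructed audit trail (invented syslog-style lines for this example).
# Lines 1-4: three failed root logins followed by a success from the same
# source. Line 5: a CGI request whose argument is far longer than any
# legitimate value. Lines 6-9: failed logins for bob, then a success for a
# different account, which must NOT complete the brute-force signature.
SAMPLE_LINES = [
    "10:00:01 host1 sshd: Failed password for root from 10.0.0.7",
    "10:00:03 host1 sshd: Failed password for root from 10.0.0.7",
    "10:00:05 host1 sshd: Failed password for root from 10.0.0.7",
    "10:00:09 host1 sshd: Accepted password for root from 10.0.0.7",
    "10:00:12 host1 httpd: GET /cgi-bin/form?name=" + "A" * 300 + " from 10.0.0.7",
    "10:00:20 host1 sshd: Failed password for bob from 10.0.0.9",
    "10:00:21 host1 sshd: Failed password for bob from 10.0.0.9",
    "10:00:22 host1 sshd: Failed password for bob from 10.0.0.9",
    "10:00:30 host1 sshd: Accepted password for alice from 10.0.0.9",
    "10:00:33 host1 httpd: GET /cgi-bin/form?name=alice from 10.0.0.5",
]

# Signatures: ordered regex steps. A named group that appears in several
# steps must carry the same value through the whole sequence.
FAILED = r"sshd: Failed password for (?P<user>\S+) from (?P<src>\S+)"
ACCEPTED = r"sshd: Accepted password for (?P<user>\S+) from (?P<src>\S+)"
SIGNATURES = {
    "ssh-bruteforce-then-success": [FAILED, FAILED, FAILED, ACCEPTED],
    # Crude buffer-overflow probe: a CGI parameter value of 256+ bytes
    # (assumed threshold for this example).
    "oversized-cgi-argument": [
        r"httpd: GET /cgi-bin/\S+\?\S*=(?P<arg>[^\s&]{256,}) from (?P<src>\S+)",
    ],
}


def match_signatures(lines, signatures=SIGNATURES):
    """Feed each line to every signature's state machine; return the alerts.

    A partial match is (index of the next step, bindings so far). Every line
    may also start a fresh match at step 0. Partial matches that do not
    advance are kept waiting; a production engine would expire them after a
    time window, which this toy omits.
    """
    compiled = {name: [re.compile(p) for p in steps] for name, steps in signatures.items()}
    partial = {name: [] for name in compiled}
    alerts = []
    for lineno, line in enumerate(lines, 1):
        for name, steps in compiled.items():
            still_open = []
            for idx, bindings in partial[name] + [(0, {})]:
                m = steps[idx].search(line)
                consistent = m and all(bindings.get(k, v) == v for k, v in m.groupdict().items())
                if not consistent:
                    if idx > 0:
                        still_open.append((idx, bindings))   # keep waiting for this step
                    continue
                merged = {**bindings, **m.groupdict()}
                if idx + 1 == len(steps):
                    alerts.append({"signature": name, "line": lineno, **merged})
                else:
                    still_open.append((idx + 1, merged))
            partial[name] = still_open
    return alerts


if __name__ == "__main__":
    for alert in match_signatures(SAMPLE_LINES):
        print(alert)
```

Run against the sample trail this raises exactly two alerts, at lines 4 and 5; the bob/alice sequence at lines 6-9 stays a partial match because the `user` binding does not carry through to the final step.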

Page 23

Intrusion Timeline (same figure as Page 12), annotated with the "Realm of Misuse Detection Techniques" and the "Realm of Anomalous Detection Techniques".

Page 24

Figure 1 – Generic Intrusion Detection Model [Denning] (figure)

Components: Environment; Clock; Event Generator fed by Audit Trails / Network Packets / Application Trails, producing the event stream S = { s1, s2, …, sn }; Activity Profile (Update Profile, Generate New Profile Dynamically, Generate Anomaly Records); Rule Set (Assert New Rules, Modify Existing Rules).

Page 25

Problems with Current Approaches

• Amongst the most important considerations and limitations present in the design of all such systems are the following problems.

• Problem # 1: Feature selection and pattern categorization.

  – Simply stated, in Denning's Model, Figure 1, it is assumed that the event generator can effectively select, a priori, the set of features or measures to monitor which will render an optimal set for Intrusion Detection.

• Problem # 2: the problem of adaptation.

  – Systems have been built and deployed that deal very effectively with threats or intrusions previously reported or categorized.

  – When previously unseen threats appear, the systems perform poorly.

  • In the 1999 DARPA Off-Line Intrusion Detection Evaluation [14], it was reported that the systems under test failed to detect an attack in 17.2 %

Page 26

Problems, contn..

• Problem # 3: Fault Tolerance

  – Resistance to subversion: systems do fail due to accidental or malicious activities.

  • The system being designed must be able to recover from the traditional forms of failure such as crashes, software failures, and so forth.

  • The system must be able to protect itself from deliberate attempts to compromise it.

• Problem # 4: Performance

  – The system must impose minimal overhead on the system it is protecting while running.

  – The system must be able to sustain its performance characteristics under increasing loads and changes in the pattern of usage.

Page 27

Problems & Well Known Solutions Present in the IDCS Field

• Problem # 1: Feature selection and pattern categorization.

  – Simply stated, in Denning's Model, Figure 1, it is assumed that the event generator can effectively select, a priori, the set of features or measures to monitor which will render an optimal set for Intrusion Detection.

Page 28

Problems & Well Known Solutions Present in the IDCS Field

Honeypot:

• A honeypot is a fake or false system to lure the hacker into. It provides another obstacle for the hacker.

• Honeypot systems are decoy servers or systems set up to gather information regarding an attacker or intruder into your system.

• Honeypot traps tempt intruders into areas which appear attractive, worth investigating and easy to access, taking them away from the really sensitive areas of your systems. They do not replace other traditional Internet security systems but act as an additional safeguard with alarms.

• A honeypot is a resource which pretends to be a real target. A honeypot is expected to be attacked or compromised. The main goals are the distraction of an attacker and the gain of information about an attack and the attacker.

Page 29

Honeypots

Honeypots will help you:

• notice when you are penetrated
• learn how attacks are formed
• identify who is attacking you

Page 30

Honeypot Examples

• Honeypot Project
  – http://www.landfield.com/isn/mail-archive/2000/Nov/0124.html

• Deception Tool Kit Project
  – http://www.all.net/dtk/index.html

• Specter
  – http://www.specter.com/default50.htm

Page 31

"Specter" – Basic Idea
• Virtual Machine (VM) environment
  – Early traps
  – Early detection

Page 32

Honeypot Tools – "Specter" (screenshot)

Page 33

Honeypots Limitations

• Hard to maintain
• Human resource intensive – specialized knowledge required in:
  – Operating systems
  – Network security
  – Current deficiencies (holes) in both O/S and applications

Page 34

Honeynet

Honeynet / Honeypots (diagram labels)

Honeynet (Defn)
• A network system
• All systems are standard production systems
• All usage is ~ production

Page 35

Honeynet (diagram)

Page 36

Problems & Well Known Solutions Present in the IDCS Field

• Problem # 2: the problem of adaptation.

  – Systems have been built and deployed that deal very effectively with threats or intrusions previously reported or categorized.

  – When previously unseen threats appear, the systems perform poorly.

  • In the 1999 DARPA Off-Line Intrusion Detection Evaluation [14], it was reported that the systems under test failed to detect an attack in 17.2 %

Page 37

Figure 1 – Generic Intrusion Detection Model [Denning] (same figure as Page 24)

Page 38

Figure 2 – A simplified Intrusion Detection Engine (figure)

Components: Environment; Clock; Memory of IDS (Rule Set / Activity Profile); Decision Engine evaluating f_g( , S, M, P(n), T, G) (the first argument is illegible in the extracted slide) over the event stream S = { s1, s2, …, sn } and an index set { 1, 2, …, n }; outputs: Create New Rules/Profiles, Modify Existing Rules/Profiles.

Page 39

Intrusion Detection Models
Figure 3 – Model of An Intrusion/ Attack (figure)

Nodes: a, b, c, d, e, f, g, h. Source of Attack: Node a. Node Under Attack: Node h.

Trust relationships labelled on the figure: Tab; Tae, Tea; Tce, Tec; Teb; Tbd; Tdg; Teg; Tef; Thg; Tfh.

Page 40

A Network Model

• A trust function $T_{ij}(t)$, for $i \neq j$, exists between two nodes; it is not necessarily symmetric.

• The trust function $T_{ij}(t)$ changes over time.

• In addition, the lack of trust between two nodes is denoted by a trust relationship of zero value, $T_{ij}(t) = 0$.

• In the above example, Node a is the source of the intruder's attack, while Node h is the target of the attack. Note that the paths available to the intruder are
  – Path 1: a → e → g → h
  – Path 2: a → b → e → g → h
  – Path 3: a → d → g → h

• This topological constraint amongst the nodes of a network has a significant advantage over other approaches: it allows the designer of the IDC System to create multiple logical layers of defense against intruders, in effect creating time to detect potential intrusions and thwart them.

• Example

  – Suppose that nodes b and e suspect an intrusion, using traditional audit methods. Then nodes b and e can invoke a state change on their trust relationships with other nodes in such a way that (Equation 1):

    $T_{aj}(t) = 0$ for all $j \neq a$ and $t > t_{\text{intrusion}}$; and

    $T_{ej}(t) = 0$ for all $j \neq e$ and $t > t_{\text{intrusion}}$.
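Added worked example (not part of the slides): the network model of Figure 3 in Python, with T_ij(t) as a function of time and Equation 1 applied as a state change that takes effect for t > t_intrusion. It reproduces the slide's point that cutting trust at a few nodes removes the intruder's routes from node a to node h. The node names and trust lines come from Figure 3; the figure labels each line once, so the example assumes a listed T_ij allows traversal from i to j and from j to i at the start, and it uses the value 1 for every non-zero trust, since the slides only distinguish zero from non-zero trust. The intrusion time is assumed.

```python
# Trust lines labelled in Figure 3 (T_ab, T_ae, T_ea, ...), written as "ij".
FIGURE3_EDGES = ["ab", "ae", "ea", "ce", "ec", "eb", "bd", "dg", "eg", "ef", "hg", "fh"]


class TrustNetwork:
    """Nodes with a time-dependent, not necessarily symmetric trust T_ij(t)."""

    def __init__(self, edges, initial_trust=1.0):
        # Assumption: each labelled line grants trust in both directions at the
        # start; the slides only distinguish T_ij(t) = 0 from T_ij(t) > 0.
        self.trust = {}
        for i, j in ((e[0], e[1]) for e in edges):
            self.trust[(i, j)] = initial_trust
            self.trust[(j, i)] = initial_trust
        # State changes (t_change, i, j, new_value), effective for t > t_change.
        self.changes = []

    def nodes(self):
        return sorted({n for pair in self.trust for n in pair})

    def T(self, i, j, t):
        """Trust function T_ij(t); absent relationships have the value 0."""
        value = self.trust.get((i, j), 0.0)
        for t_change, ci, cj, new_value in self.changes:
            if (ci, cj) == (i, j) and t > t_change:
                value = new_value
        return value

    def isolate(self, node, t_intrusion):
        """Equation 1: T_node,j(t) = 0 for all j != node and t > t_intrusion."""
        for j in self.nodes():
            if j != node:
                self.changes.append((t_intrusion, node, j, 0.0))

    def paths(self, src, dst, t):
        """All simple paths src -> dst over edges with T_ij(t) > 0, as strings."""
        found = []

        def walk(node, path):
            if node == dst:
                found.append("->".join(path))
                return
            for j in self.nodes():
                if j not in path and self.T(node, j, t) > 0:
                    walk(j, path + [j])

        walk(src, [src])
        return sorted(found)


def layered_defense_demo(t_intrusion=5.0):
    """Routes from the attack source (node a) to the target (node h) before
    isolation, after node e applies Equation 1, and after node a does too."""
    net = TrustNetwork(FIGURE3_EDGES)
    before = net.paths("a", "h", t_intrusion)
    net.isolate("e", t_intrusion)
    after_e = net.paths("a", "h", t_intrusion + 1)   # t > t_intrusion: change in force
    net.isolate("a", t_intrusion)
    after_a_and_e = net.paths("a", "h", t_intrusion + 1)
    return before, after_e, after_a_and_e


if __name__ == "__main__":
    before, after_e, after_both = layered_defense_demo()
    print("before isolation:       ", before)
    print("after isolating e:      ", after_e)
    print("after isolating a and e:", after_both)
```

Over the recovered Figure 3 lines the intruder has seven simple routes to h before any state change; zeroing node e's trust (the second line of Equation 1) leaves one route, a → b → d → g → h, which still has to pass nodes b, d and g, and zeroing node a's trust as well leaves none. Path 3 of the slide needs a direct a–d trust line, which the recovered figure labels do not include, so it does not appear in the enumeration.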

Page 41

Conclusions

• A new model based on the Byzantine Generals' problem will be investigated.

• The research area is ripe for discovery.