EINSTEIN 1.0

EINSTEIN 1.0 is a semi-automated process for detecting &mdash; albeit after the fact &mdash; inappropriate or unauthorized inbound and outbound network traffic between participating departments and agencies and the Internet. The United States Computer Emergency Readiness Team (“US-CERT”), an organizational component of DHS, administers EINSTEIN 1.0. EINSTEIN 1.0 analyzes only “packet header” information—and not packet “payload” (content) information—for inbound and outbound Internet traffic of participating agencies.2 The header information collected by EINSTEIN 1.0 technology includes: the source and destination IP addresses for the packet, the size of the data packet, the specific Internet protocol used (for e-mail, the Simple Mail Transfer Protocol and, for use of the World Wide Web, the Hypertext Transport Protocol), and the date and time of transmission of the packet (known as “the date/time stamp”).

EINSTEIN 1.0 collects this information only after packets already have been sent or received by a user, and, thus, does not provide real-time information regarding network intrusions and exploitations against Federal Systems. US-CERT analysts examine the header information to identify suspicious inbound and outbound Internet traffic, particularly network backdoors and intrusions, network scanning activities, and computer network exploitations using viruses, worms, spyware, bots, Trojan horses, and other “malware.”

EINSTEIN 1.0 contains several limitations. First, it does not provide real-time reporting regarding intrusions and exploitations against Federal Systems. Second, it does not cover all Federal Systems, and, therefore, does not provide complete awareness regarding malicious network activity directed against those systems. Third, because EINSTEIN 1.0 does not scan packet content, it does not offer complete intrusion and exploitation detection functionality.