RAIDM: Router-based Anomaly/Intrusion Detection and Mitigation. Zhichun Li, EECS Department, Northwestern University. 2008-04-29, Thesis Proposal.


RAIDM: Router-based Anomaly/Intrusion Detection and Mitigation. Zhichun Li, EECS Department, Northwestern University. Thesis Proposal.

2 Outline
– Motivation
– RAIDM System Design
– Finished Work
– Proposed Work
– Research Plan

3 Motivation
– Botnets
– Worms
– Attackers

4 Motivation
– Network security has been recognized as the single most important attribute of their networks, according to a survey of 395 senior executives conducted by AT&T.
– Many newly emerging threats make the situation even worse.
– RAIDM: a network-based attack defense system

5 Network Level Defense
– Network gateways/routers are the vantage points for detecting large-scale attacks.
– Host-based detection/prevention alone is not enough for modern enterprise networks.
  – Enterprises might not want to rely only on their end users for security protection.
  – Users might not want to stop their work to reboot machines or applications in order to apply patches.

6 Outline
– Motivation
– RAIDM System Design
– Finished Work
– Proposed Work
– Research Plan

7 Research Questions
– How can we achieve online anomaly detection for high-speed networks?
– How can we respond to zero-day polymorphic worms in their early stage?
– Given the vulnerabilities, how can we protect high-speed networks from exploits, accurately and efficiently?
– How can we provide quality information for network situational awareness?

8 System Framework

9 Current Status
– Part I: Sketch based monitoring & detection
  – Results in [Infocom06, ToN, ICDCS06]
– Part II: Polymorphic worm signature generation
  – Results in [Oakland06, ICNP07]
– Part III: Signature matching engines
  – Work in progress; will be the focus of this talk
– Part IV: Network Situational Awareness
  – Work in progress

10 Outline
– Motivation
– RAIDM System Design
– Finished Work
– Proposed Work
– Research Plan

11 Part I: Sketch based monitoring & detection
Reversible Sketches (included for completeness)
– Use intelligent hash function design to recover the aggregated value of a series of (key, value) updates for the popular keys.
– Publications:
  – Robert Schweller, Zhichun Li, Yan Chen, Yan Gao, Ashish Gupta, Elliot Parsons, Yin Zhang, Peter Dinda, Ming-Yang Kao, and Gokhan Memik, Reversible Sketches: Enabling Monitoring and Analysis over High Speed Data Streams, in IEEE/ACM Transactions on Networking, Volume 15, Issue 5, Oct 2007
  – Robert Schweller, Zhichun Li, Yan Chen, Yan Gao, Ashish Gupta, Elliot Parsons, Yin Zhang, Peter Dinda, Ming-Yang Kao, and Gokhan Memik, Reverse Hashing for High-speed Network Monitoring: Algorithms, Evaluations, and Applications, in Proc. of IEEE INFOCOM 2006 (252/1400 = 18%)

12 Part I: Sketch based monitoring & detection
Sketch-based Anomaly Detection
– Build anomaly detection engines based on reversible sketches to detect horizontal scans, vertical scans, and TCP SYN flooding attacks.
– Further proposed 2D sketches to differentiate the different types of attacks.
– Publications:
  – Yan Gao, Zhichun Li and Yan Chen, A DoS Resilient Flow-level Intrusion Detection Approach for High-speed Networks, in Proc. of IEEE International Conference on Distributed Computing Systems (ICDCS) 2006 (75/536 = 14%) (alphabetical order)

13 Part II: Polymorphic worm signature generation
TOSG (Token-Based Signature Generation)
– Use a token (substring) conjunction as the signature for polymorphic worms.
– Advantages:
  – Does not require protocol knowledge or information about the vulnerable program
  – Fast and noise tolerant
  – Has an analytical attack resilience bound under certain assumptions
– Limitation:
  – Does not have good attack resilience to the deliberate noise injection attack [Perdisci 2006]
– Publication:
  – Zhichun Li, Manan Sanghi, Brian Chavez, Yan Chen and Ming-Yang Kao, Hamsa: Fast Signature Generation for Zero-day Polymorphic Worms with Provable Attack Resilience, in Proc. of IEEE Symposium on Security and Privacy, 2006 (23/251 = 9%)
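An added illustration of token-conjunction signature generation in the spirit of slide 13 (not Hamsa's code, and simpler than its model-based algorithm): candidate tokens are the substrings of one suspicious flow that recur in at least 90% of the suspicious pool, and a greedy loop adds at each step the token that maximizes suspicious-pool coverage subject to a false-positive bound on the normal pool that tightens from step to step (the bounds tuple is an assumed setting). The two pools in make_pools are constructed: the "worm" variants share only their request framing and an invariant parameter name, and the normal pool is benign HTTP.

```python
import random


def make_pools(seed=3):
    """Constructed suspicious and normal flows (not the paper's evaluation data)."""
    rng = random.Random(seed)
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    junk = lambda n: "".join(rng.choice(alphabet) for _ in range(n))
    suspicious = [f"GET /vuln.cgi?id={junk(24)} HTTP/1.1\r\nHost: {junk(6)}.example\r\n\r\n"
                  for _ in range(20)]
    paths = ["index.html", "img/logo.png", "cgi-bin/search.cgi?q="]
    normal = [f"GET /{rng.choice(paths)}{junk(5)} HTTP/1.1\r\nHost: {junk(6)}.example\r\n\r\n"
              for _ in range(200)]
    return suspicious, normal


def hit_rate(sig, pool):
    """Fraction of flows in pool that contain every token of the conjunction sig."""
    return sum(all(t in f for t in sig) for f in pool) / len(pool)


def candidate_tokens(suspicious, min_len=3, min_cov=0.9):
    """Substrings of the first suspicious flow that recur in >= min_cov of the pool."""
    base = suspicious[0]
    subs = {base[i:j] for i in range(len(base)) for j in range(i + min_len, len(base) + 1)}
    return sorted(t for t in subs if hit_rate([t], suspicious) >= min_cov)


def greedy_token_signature(suspicious, normal,
                           bounds=(0.5, 0.25, 0.1, 0.05, 0.01), target_fp=0.0):
    """Greedy conjunction: step i may only add a token keeping FP rate <= bounds[i]."""
    tokens = candidate_tokens(suspicious)
    sig = []
    for u in bounds:
        best = None
        for t in tokens:
            if t in sig:
                continue
            trial = sig + [t]
            if hit_rate(trial, normal) > u:
                continue
            # prefer coverage, then the longer (more specific) token, then lexical order
            key = (-hit_rate(trial, suspicious), -len(t), t)
            if best is None or key < best[0]:
                best = (key, t)
        if best is None:
            break
        sig.append(best[1])
        if hit_rate(sig, normal) <= target_fp:
            break
    return sig


if __name__ == "__main__":
    s, n = make_pools()
    sig = greedy_token_signature(s, n)
    print(sig, hit_rate(sig, s), hit_rate(sig, n))
```

The decreasing bounds are what make the greedy choice meaningful: an early token may be loose (high false positives) as long as later tokens tighten the conjunction, which is also the step a deliberate noise-injection attack targets, as the slide's limitation notes.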

14 Part II: Polymorphic worm signature generation
LESG (Length-Based Signature Generation)
– Proposes using a set of field lengths of the vulnerable program's protocol as signatures.
– Mainly works for buffer overflow worms
– Advantages:
  – Fast and noise tolerant
  – Has an analytical attack resilience bound under certain assumptions
  – The bound holds under all the recently proposed attacks.
– Publication:
  – Zhichun Li, Lanjia Wang, Yan Chen and Zhi (Judy) Fu, Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms, in Proc. of IEEE International Conference on Network Protocols (ICNP) 2007 (32/220 = 14%)
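An added illustration of the length-signature idea on slide 14 (not LESG's code; LESG's real selection and its resilience bound are more involved): each flow is reduced to the per-field lengths a protocol parser would produce, and for every field the candidate thresholds are the lengths observed in the suspicious pool; a (field, length) pair is accepted if at least 90% of suspicious flows have a field at least that long while no more than 1% of normal flows do. The pools in make_length_pools are constructed so that an oversized "filename" field is the overflow trigger.

```python
import random


def make_length_pools(seed=5):
    """Constructed per-field lengths for suspicious and normal flows."""
    rng = random.Random(seed)
    suspicious = [{"method": 3, "filename": rng.randint(400, 2000), "host": rng.randint(8, 30)}
                  for _ in range(30)]
    normal = [{"method": rng.choice([3, 4]), "filename": rng.randint(5, 120),
               "host": rng.randint(8, 40)} for _ in range(500)]
    return suspicious, normal


def length_signature(suspicious, normal, fp_bound=0.01, min_cov=0.9):
    """Pick the (field, threshold) with best coverage under the false-positive bound.

    Returns (field, threshold, coverage, fp_rate) or None if nothing qualifies."""
    best = None
    fields = set().union(*(flow.keys() for flow in suspicious))
    for f in sorted(fields):
        for l in sorted({flow[f] for flow in suspicious}):
            cov = sum(flow[f] >= l for flow in suspicious) / len(suspicious)
            fp = sum(flow.get(f, 0) >= l for flow in normal) / len(normal)
            if cov < min_cov or fp > fp_bound:
                continue
            # prefer coverage, then fewer false positives, then the larger threshold
            key = (-cov, fp, -l)
            if best is None or key < best[0]:
                best = (key, (f, l, cov, fp))
    return None if best is None else best[1]


def matches_length_signature(sig, flow):
    """Apply a signature to one parsed flow: the field must be at least threshold long."""
    field, threshold = sig[0], sig[1]
    return flow.get(field, 0) >= threshold


if __name__ == "__main__":
    s, n = make_length_pools()
    sig = length_signature(s, n)
    print(sig, matches_length_signature(sig, {"method": 3, "filename": 5000, "host": 10}))
```

Because a length threshold ignores byte content entirely, the generator is unaffected by the encoder a polymorphic worm uses, which is the property the slide credits for LESG's noise tolerance.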

15 Outline
– Motivation
– RAIDM System Design
– Finished Work
– Proposed Work
– Research Plan

16 Proposed Work
Part III: Signature Matching Engine
– NetShield, a protocol-semantic vulnerability signature matching engine (the focus of this talk)
– Report: Zhichun Li, Gao Xia, Yi Tang, Ying He, Yan Chen and Bin Liu, NetShield: Towards High Performance Network-based Semantic Signature Matching

17 Proposed Work
Part IV: Network Situational Awareness
– Botnet Inference:
  – Infer scan properties based on honeynet traffic: trend, uniform, hitlist, and collaboration
  – Extrapolate the global scan scope and global number of bots from limited local observation.
  – Can be used to detect targeted attacks.
  – Report: Zhichun Li, Anup Goyal, Yan Chen and Vern Paxson, Towards Situational Awareness of Large-Scale Botnet Events using Honeynets
– P2P Misconfiguration Diagnosis:
  – Found that P2P misconfiguration traffic is one of the major sources of Internet background radiation
  – eMule P2P misconfiguration is due to byte ordering
  – For BitTorrent, we found that anti-P2P companies deliberately inject bogus peers
  – Report: Zhichun Li, Anup Goyal, Yan Chen and Aleksandar Kuzmanovic, P2P Doctor: Measurement and Diagnosis of Misconfigured Peer-to-Peer Traffic

18 NetShield Overview
– Goal
– Feasibility Study: a Measurement Approach
– High Speed Parsing
– High Speed Matching for Large Rulesets
– Preliminary Evaluation
– Discussion

19 Signature Matching Engine
– Accuracy (especially for IPS)
  – False positives
  – False negatives
– Speed
– Coverage: large ruleset

            Regular Expression   Vulnerability
Accuracy    Poor                 Much Better
Speed       Good
Coverage    Good

20 Reason
– Regular expressions are not powerful enough to capture the exact vulnerability condition!
– (Figure: a regular expression cannot express the exact condition; Shield can express the exact condition.)

21 Feasibility Study
– Protocol semantics can help (Shield project [SIGCOMM04])
– How much can they help a NIDS/IPS?
  – Given that a NIDS/NIPS has a large ruleset
  – What percentage of the rules can be improved by using protocol-semantic vulnerability signatures?

22 Measure Snort rules
– Semi-manually classify the rules.
  – First by CVE ID
  – Then manually look at each vulnerability
– Results:
  – 86.7% of the rules can be improved by protocol-semantic vulnerability signatures.
  – 9.9% of the rules are related to web DHTML and scripts, which are not suitable for a signature-based approach.
  – On average, 4.5 Snort rules reduce to one vulnerability signature.
  – Binary protocols have a larger reduction ratio than text-based protocols.

23 Towards high speed parsing
– Protocol parsing problem formulation:
  – Given a PDU and the state carried over from the previous PDU, output the set of fields required by matching.
– Observation
– Parsing State Machine

24 Observation
(Figure: PDU → parse tree, with array and nested PDU nodes)
– Leaf nodes (basic fields) are integers or strings.
– Vulnerability signatures are mostly based on basic fields.
– Only the fields related to signatures need to be parsed out.

25 Parsing State Machine
– Studied eight popular protocols (HTTP, FTP, SMTP, eMule, BitTorrent, WINRPC, SNMP and DNS) and their vulnerability signatures.
– Protocol semantics are context sensitive.
– There are common relationships among basic fields.

26 Example for WINRPC
(Figure: parsing state machine with nodes and states S_1 .. S_n)
– 0.61 instructions/byte for the BIND PDU

27 High speed matching
– Problem formulation
– Observation
– Candidate Selection Algorithm
– Algorithm Refinement

28 Matching Problem Formulation
– Data representation
  – For all the vulnerability signatures we studied, we need integers and strings
  – Integer operators: ==, >, <
  – String operators: ==, match_re(., .), len(.)
– Buffer constraint
  – The string fields could be too long to buffer.
  – This influences whether we can change the matching order.
– Field dependency
  – Arrays (e.g., DNS questions or RR records)
  – Associative arrays (e.g., HTTP headers)
  – Mutually exclusive fields

29 Matching Problem Formulation (2)
– PDU-level protocol state machine
  – Needed for complex stateful protocols
  – For most stateful protocols the state machine is quite simple
– WINRPC example

30 Matching problems (cont.)
– Example signature for the Blaster worm
– Single PDU matching problem (SPM)
– Multiple PDU matching problem (MPM)

31 Single PDU Matching
– Suppose we have n signatures, each defined on k matching dimensions (matchers).
  – A matcher is a two-tuple (field, operation), or a four-tuple for associative array elements.
  – For example: (Filename, RE), (Version, Range_check)
    – Version > 3
    – Version == 1
– k is the number of all possible matchers for the n signatures.

32 Table Representation
– We use an n×k table to represent the rules: n rows (signatures Sig_i) by k columns (matchers matcher_j); an entry holds the signature's constraint on that matcher, or * for "don't care".

33 Requirements for SPM
– Large number of signatures n
– Large number of matchers k
– Large number of "don't cares"
– Cannot reorder the matchers arbitrarily (buffer constraint)
– Field dependency
  – Arrays
  – Associative arrays
  – Mutually exclusive fields

34 Comparison to packet classification
– Similarity: both problems are defined on k matching dimensions and allow wildcards
– Differences:
  – Large k and a large number of "don't cares"
  – Buffer constraint
  – Regular expression matchers
  – Field dependency
– Related work on packet classification:
  – Exhaustive search
  – Decision tree
  – Tuple space
  – Divide and conquer (decomposition)

35 Difficulty
– A more complex problem than packet classification
– Packet classification theoretical worst-case bound:
  – Based on computational geometry
  – O((log N)^(k-1)) worst-case time or O(N^k) worst-case memory
– Solution: use the characteristics of real traces

36 Observation
– Observation 1: most matchers are good.
  – After matching against them, only a small number of signatures can pass (the candidates).
  – String matchers are all good; most integer matchers are good.
  – We can buffer the bad matchers to change the matching order.
– Observation 2: real-world traffic mostly does not match any signature. In fact it is even stronger: in most cases no matcher will match any rule.
– Observation 3: the NIDS/IPS reports all the matched rules regardless of their ordering. This differs from firewall rules.

37 Basic idea
– Decide the matcher order at pre-computation; buffer the bad ones to the end if possible.
– When a PDU arrives, match each matcher (column) against all the signatures simultaneously and get the possible candidates for the next step.
– Combine the candidate sets to get the final matched signatures.

38 Matching a single matcher
– Integer range checking: binary search tree
– String exact matching: trie
– String regular expression matching: DFA
– String length checking: binary search tree

39 Candidate Selection for SPM Basic algorithm: pre-computation

40 Matching Illustration
(Figure: candidate sets A_2 and B_2)

41 Matching Illustration
Computing the operations
– Explicit calculation
  – Based on an n×k bitmap, decide whether an element of S_i requires the next matcher.
  – For those that require the next matcher, check whether it is also in A_(i+1).
– Implicit calculation (for bad matchers)
  – Do not calculate A_(i+1), since it could be large.
  – Instead check sequentially whether each candidate in S_i matches matcher (i+1).
– When the bad matchers are buffered to the end, B will be small.

42 Refinement
– SPM improvements
  – Allow negative conditions
  – Handle the array case
  – Handle the associative array case
  – Handle the mutually exclusive case
  – Report the matched rules as early as possible
– Extension to MPM
  – Allow checkpoints

43 Results
– Traces from Tsinghua Univ. (TH) and Northwestern Univ. (NU)
– After TCP reassembly, the PDUs are preloaded in memory
– For DNS we only evaluate parsing.
– For WINRPC we have 45 vulnerability signatures, which cover 3,519 Snort rules.
– For HTTP we have 791 vulnerability signatures, which cover 941 Snort rules.

44 Discussion
– So far we have found that the candidate selection algorithm works well in practice.
– Further thoughts:
  – How can we rely more on hardware assistance? TCAM? Bitmaps to express set operations?
  – Can we use traffic statistics to further improve efficiency?

45 Outline
– Motivation
– RAIDM System Design
– Finished Work
– Proposed Work
– Research Plan

46 Publications
– Zhichun Li, Lanjia Wang, Yan Chen and Zhi (Judy) Fu, Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms, in Proc. of IEEE ICNP
– Robert Schweller, Zhichun Li, Yan Chen, Yan Gao, Ashish Gupta, Elliot Parsons, Yin Zhang, Peter Dinda, Ming-Yang Kao, and Gokhan Memik, Reversible Sketches: Enabling Monitoring and Analysis over High Speed Data Streams, in IEEE/ACM Transactions on Networking, Volume 15, Issue 5, Oct 2007
– Zhichun Li, Manan Sanghi, Brian Chavez, Yan Chen and Ming-Yang Kao, Hamsa: Fast Signature Generation for Zero-day Polymorphic Worms with Provable Attack Resilience, in Proc. of IEEE Symposium on Security and Privacy, 2006
– Zhichun Li, Yan Chen and Aaron Beach, Towards Scalable and Robust Distributed Intrusion Alert Fusion with Good Load Balancing, in Proc. of ACM SIGCOMM LSAD 2006
– Yan Gao, Zhichun Li and Yan Chen, A DoS Resilient Flow-level Intrusion Detection Approach for High-speed Networks, in Proc. of IEEE ICDCS 2006
– Robert Schweller, Zhichun Li, Yan Chen, Yan Gao, Ashish Gupta, Elliot Parsons, Yin Zhang, Peter Dinda, Ming-Yang Kao, and Gokhan Memik, Reverse Hashing for High-speed Network Monitoring: Algorithms, Evaluations, and Applications, in Proc. of IEEE INFOCOM 2006

47 Research Time Plan
– Apr 2008 – Jun 2008:
  – Finish the remaining experiments on network situational awareness
– Sep 2008 – Mar 2008:
  – Refine the vulnerability signature matching algorithm
  – Fully implement, deploy and evaluate the NetShield prototype
  – Prepare job applications and interviews
– Apr 2009 – Jun 2009:
  – PhD dissertation writing
  – Thesis defense

48 Q & A Thanks!

49 Backup

50 Outline
– Motivation
– Feasibility Study: a measurement approach
– Problem Statement
– High Speed Parsing
– High Speed Matching for massive vulnerability signatures
– Evaluation
– Conclusions


53 Outline
– Motivation
– Feasibility Study: a measurement approach
– Problem Statement
– High Speed Parsing
– High Speed Matching for a large number of vulnerability signatures
– Evaluation
– Conclusions


55 Limitations of Regular Expression Signatures
(Figure: traffic filtering at the boundary between our network and the Internet with signature 10.*01; two flows are marked X)
– A polymorphic attack (worm/botnet) might not have an exact regular-expression-based signature.
– Polymorphism!

56 What do we do?
– Build a NIDS/NIPS with much better accuracy and similar speed compared with regular-expression-based approaches
  – Feasibility: of the Snort ruleset (6,735 signatures), 86.7% can be improved by vulnerability signatures.
  – High speed parsing: 2.7~12 Gbps
  – High speed matching: an efficient algorithm for matching massive vulnerability rulesets; HTTP, 791 vulnerability signatures at ~1 Gbps

57 Problem Formulation
– Parsing problem formulation:
  – Given a PDU and the protocol specification as input, output the set of fields required by matching.


59 Current Status
– Part I: Sketch based monitoring & detection
  – Robert Schweller, Zhichun Li, Yan Chen, Yan Gao, Ashish Gupta, Elliot Parsons, Yin Zhang, Peter Dinda, Ming-Yang Kao, and Gokhan Memik, Reversible Sketches: Enabling Monitoring and Analysis over High Speed Data Streams, in IEEE/ACM Transactions on Networking, Volume 15, Issue 5, Oct 2007
  – Robert Schweller, Zhichun Li, Yan Chen, Yan Gao, Ashish Gupta, Elliot Parsons, Yin Zhang, Peter Dinda, Ming-Yang Kao, and Gokhan Memik, Reverse Hashing for High-speed Network Monitoring: Algorithms, Evaluations, and Applications, in Proc. of IEEE INFOCOM 2006 (252/1400 = 18%)
  – Yan Gao, Zhichun Li and Yan Chen, A DoS Resilient Flow-level Intrusion Detection Approach for High-speed Networks, in Proc. of IEEE International Conference on Distributed Computing Systems (ICDCS) 2006 (75/536 = 14%) (alphabetical order)
– Part II: Polymorphic worm signature generation
  – TOSG: Zhichun Li, Manan Sanghi, Brian Chavez, Yan Chen and Ming-Yang Kao, Hamsa: Fast Signature Generation for Zero-day Polymorphic Worms with Provable Attack Resilience, in Proc. of IEEE Symposium on Security and Privacy, 2006 (23/251 = 9%)
  – LESG: Zhichun Li, Lanjia Wang, Yan Chen and Zhi (Judy) Fu, Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms, in Proc. of IEEE International Conference on Network Protocols (ICNP) 2007 (32/220 = 14%)

60 Current Status
– Part III: Signature matching engines
  – Work in progress; will be the focus of this talk
  – Zhichun Li, Gao Xia, Yi Tang, Jian Chen, Ying He, Yan Chen and Bin Liu, NetShield: Towards High Performance Network-based Semantic Signature Matching, in submission
– Part IV: Network Situational Awareness
  – Work in progress
  – Zhichun Li, Anup Goyal, Yan Chen and Vern Paxson, Towards Situational Awareness of Large-Scale Botnet Events using Honeynets, in preparation
  – Zhichun Li, Anup Goyal, Yan Chen and Aleksandar Kuzmanovic, P2P Doctor: Measurement and Diagnosis of Misconfigured Peer-to-Peer Traffic, in submission