Computer intrusions are an ever-present reality on the Internet, and there is a pressing need to protect applications from their harmful effects. This project will develop a new network filtering mechanism to detect and prevent intrusions using fast and precise vulnerability signatures. Such signatures focus on the essence of the software defect leading to a vulnerability and the steps necessary to exploit it; as such, they can classify malicious and benign traffic with great accuracy and detect exploits that have not previously been seen. Vulnerability signatures filter network traffic before it arrives at the application and can be deployed without performing software upgrades. This project will study the deployment of vulnerability signatures in the network, either at a firewall or embedded on network interface cards, but still logically and physically separated from the end hosts. Such separation is necessary for widespread deployment of vulnerability signatures, but introduces new resource constraints and performance requirements. This project will analyze the resulting trade-offs by following a methodical plan, informed by a detailed study of vulnerabilities and using models of attack and benign traffic to guide us at every step of the way. A prototype implementation will be developed and its effectiveness and efficiency will be quantitatively evaluated. The techniques developed in this project will offer an effective countermeasure to computer intrusions that can easily be deployed on a large number of machines. The research will also offer a foundation for other work on vulnerability signatures, including automated worm defense. In addition, the results of the detailed vulnerability study, including a testing infrastructure, will be available for other researchers studying computer intrusions.

Agency
National Science Foundation (NSF)
Institute
Division of Computer and Network Systems (CNS)
Application #
0627671
Program Officer
Carl Landwehr
Project Start
Project End
Budget Start
2006-09-01
Budget End
2010-08-31
Support Year
Fiscal Year
2006
Total Cost
$412,000
Indirect Cost
Name
University of Illinois Urbana-Champaign
Department
Type
DUNS #
City
Champaign
State
IL
Country
United States
Zip Code
61820