Attacks are commonplace in today's networks, and identifying them rapidly and accurately is critical for large network/service operators. Most existing intrusion detection systems (IDSes) are signature-based. But such signatures are usually generated manually or semi-manually, a process too slow for defending against self-propagating malicious code, or worms. To evade detection by signatures, attackers may also employ polymorphic worms, which change their byte sequence at every successive infection.
In order to thwart a zero-day worm attack, it is essential to design an automatic signature generation system against polymorphic worms which may be deployed at the network gateways/routers and satisfy the following requirements: network-based, noise-tolerant, attack-resilient, and having efficient signature matching.
None of the existing work satisfies all the requirements above. Thus the PIs design NAPOLEON (Network-based Attack-resilient POLymorphic-worm signaturE generatiON), a network-based automatic signature generation system with all the aforementioned properties. NAPOLEON has two components which complement each other: the TOken-based Signature Generator (called TOSG) and the LEngth-based Signature Generator (called LESG).
This project combines theoretical computer science with practical network security research. The PI has extensive experience in network anomaly/intrusion detection. The co-PI's expertise is in theoretical computer science and algorithms, with a track record of applying them to various applications including security.
This interdisciplinary research will have a strong impact. For example, during the PIs' collaboration, they have found that certain algorithmic techniques in bioinformatics are directly or indirectly applicable to worm detection problems.