Monitoring and Intrusion Detection and Forensics on High-speed Networks

Goal

Existing intrusion detection systems (IDS) have four shortcomings: 1) are mostly host-based and not scalable to high-speed networks thus they cannot prevent the rapid propagation of the latest viruses/worms which can infect most vulnerable machines in the Internet in only ten minutes; 2) are mostly signature-based and unable to recognize unknown anomalies; 3) cannot generation signatures for polymorphic worm automatcially; 4) are isolated or centralized systems. To this end we propose to minotor and detect intrusion on high-speed networks.

People

• Yan Chen
• Zhichun Li

Collaborators

• Yan Gao
• Judy Fu (Motorola)
• Ming-Yang Kao (EECS Northwestern Univ)
• Lanjia Wang (Tsinghua University)

Past Collaborators

• Brian Chavez (UCSC)
• Peter Dinda (EECS Northwestern Univ.)
• Ashish Gupta (EECS Northwestern Univ.)
• Gokhan Memik (EECS Northwestern Univ.)
• Robert Schweller (The University of Texas - Pan American)
• Manan Sanghi (Microsoft)
• Yin Zhang (University of Texas at Austin)

Projects

• IDgraph
  • Detect intrusion through intelligent visualization.
• CDDHT
  • Distributed IDS alert fusion through DHT.
• Reversible Sketch
  • An efficient data streaming data structure which can record millions of packet information and recover the heavy changes.
• Sketch based IDS
  • An IDS build upon the k-ary sketches, reversible sketch and 2D sketches.
• Token Base Signature Generation
  • An automated content based signature generation system for polymorphic worms.
• Length Base Signature Generation
  • An automated vulnerability signature generation system for polymorphic buffer overflow worms.

Publications

• Pin Ren, Yan Gao, Zhichun Li, Yan Chen and Ben Watson, IDGraphs: Intrusion Detection and Analysis Using Histographs, in proceedings of the IEEE Workshop on Visualizaiton for Computer Security (VizSEC) 2005.
• Pin Ren, Yan Gao, Zhichun Li, Yan Chen and Ben Watson, IDGraphs: Intrusion Detection and Analysis Using Stream Compositing, in IEEE Computer Graphics & Applications 2006
• Robert Schweller, Zhichun Li, Yan Chen, Yan Gao, Ashish Gupta, Elliot Parsons, Yin Zhang, Peter Dinda, Ming-Yang Kao, and Gokhan Memik,  Reverse Hashing for High-speed Network Monitoring: Algorithms, Evaluation, and Applications, in proceedings of INFOCOM 2006.
• Yan Gao, Zhichun Li, and Yan Chen, A DoS Resilient Flow-level Intrusion Detection Approach for High-speed Networks, in proceedings of ICDCS 2006.
• Zhichun Li, Yan Chen, and Aaron Beach, Towards Scalable and Robust Distributed Intrusion Alert Fusion with Good Load Balancing, in proceedings of ACM SIGCOMM Workshop on Large-Scale Attack Defense 2006.
• Zhichun Li, Manan Sanghi, Brian Chavez, Yan Chen, and Ming-Yang Kao, Hamsa: Fast Signature Generation for Zero-day Polymorphic Worms with Provable Attack Resilience, in proceedings of IEEE Symposium on Security and Privacy 2006.
• Robert Schweller, Zhichun Li, Yan Chen, Yan Gao, Ashish Gupta, Elliot Parsons, Yin Zhang, Peter Dinda, Ming-Yang Kao, and Gokhan Memik, Reversible sketches: Enabling monitoring and analysis over high-speed data streams, in IEEE/ACM Transactions on Networking, Volume 15, Issue 5, Oct 2007
• Zhichun Li, Lanjia Wang, Yan Chen and Zhi (Judy) Fu, Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms, in proceedings of IEEE ICNP 2007

Tools

• Hamsa polymorphic worm signature generator
• Reversible Sketch Code