Hamsa: Fast Signature Generation for Zero-day Polymorphic Worms with Provable Attack Resilience
Yan Chen - Northwestern University
Feb 22, 2006
Due to recording problems, video of this seminar will NOT be made available.
In this talk, we will first briefly introduce the High-Performance Network Anomaly/Intrusion Detection and Mitigation (HPNAIDM) system that is currently being developed in the Northwestern Lab of Internet and Security Technology (LIST) (http://list.cs.northwestern.edu), and then focus on one of its components, Hamsa, as described below. The paper on Hamsa will appear in the IEEE Symposium on Security and Privacy this year.
Zero-day polymorphic worms pose a serious potential threat to the security of Internet infrastructure. Given their exponentially increased propagation speed, it is crucial to detect them at routers/gateways in the early stages of infection. Most existing approaches for automatic signature generation are host-based and are not applicable for deployment on high-speed routers. In this talk, we propose Hamsa, a network-based automated signature generation system for polymorphic worms which is fast, noise-tolerant, attack-resilient, and capable of detecting multiple worms in a single application protocol. Essentially, we propose a realistic model to analyze the invariant content of polymorphic worms, which allows us to make analytical attack-resilience guarantees for the signature generation algorithm. Evaluation based on a range of polymorphic worms and polymorphic engines demonstrates that Hamsa significantly outperforms recent work in terms of efficiency, accuracy, and attack resilience.
About the Speaker
Dr. Yan Chen is an Assistant Professor in the Department of Electrical Engineering & Computer Science at Northwestern University, Evanston, IL. He received his Ph.D. in Computer Science from the University of California at Berkeley in 2003. His research interests include network security, network measurement, P2P systems, and wireless and ad hoc networks. He won the DOE Early CAREER award in 2005 and the Microsoft Trustworthy Computing Awards in 2004 and 2005.
The views, opinions and assumptions expressed in these videos are those of the presenter and do not necessarily reflect the official policy or position of CERIAS or Purdue University. All content included in these videos is the property of Purdue University, the presenter and/or the presenter's organization, and is protected by U.S. and international copyright laws. The collection, arrangement and assembly of all content in these videos and on the hosting website is the exclusive property of Purdue University. You may not copy, reproduce, distribute, publish, display, perform, modify, create derivative works, transmit, or in any other way exploit any part of copyrighted material without permission from CERIAS, Purdue University.