Research Projects

The modus operandi Project (2006-present)

This project is concerned with computing the similarity between two pieces of software. The major application is identification of metamorphic and polymorphic malware.

The FootFall Project (2003-2007)

Attackers use a variety of techniques to conceal their identity when they launch attacks through the Internet. In this project, we are investigating practical methods for "attributing" attacks (determining their source) in the face of a variety of concealment (anonymizing) techniques, particularly the use of stepping stones.

Intrusion Alert Correlation Using Prerequisites of Intrusions (2002-2006)

Current intrusion detection systems (IDSs) usually generate a large number of false alerts and cannot fully detect novel attacks or variations of known attacks. In addition, existing IDSs focus on low-level attacks or anomalies; none of them can capture the logical steps or strategies behind these attacks. Consequently, the IDSs produce a flood of isolated alerts. In situations where there are intensive intrusive actions, not only will actual alerts be mixed with false alerts, but the volume of alerts will also become unmanageable.

In this project, we seek a novel approach to address these issues. The proposed technique is based on the observation that most intrusions are not isolated but related as different stages of attack sequences, with the early stages preparing for the later ones. In other words, there are often logical steps or strategies behind series of attacks. The proposed approach correlates alerts using prerequisites of intrusions.
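The prerequisite-based correlation described above, as an added Python example that is not part of the project's own software: each alert type declares prerequisite and consequence predicates, an earlier alert "prepares for" a later one when one of its instantiated consequences matches a prerequisite of the later alert, and connected alerts form a candidate attack scenario. The alert types, hosts and timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from itertools import product

# Constructed hyper-alert types: kind -> (prerequisites, consequences).
# Templates such as {DstIP} are filled from the alert's attributes, so a
# consequence only matches a prerequisite on the same host.
TYPES = {
    "RpcServicePing":      ({"ExistHost({DstIP})"}, {"VulnerableRpc({DstIP})"}),
    "RpcBufferOverflow":   ({"ExistHost({DstIP})", "VulnerableRpc({DstIP})"},
                            {"GainAccess({DstIP})"}),
    "DDoSDaemonInstall":   ({"GainAccess({DstIP})"}, {"ReadyForDDoS({DstIP})"}),
    "FtpLoginFailed":      (set(), set()),   # noise alert with no modelled effect
}

@dataclass
class Alert:
    id: int
    kind: str
    ts: int       # constructed timestamp (seconds)
    attrs: dict

def instantiate(templates, attrs):
    return {t.format(**attrs) for t in templates}

def prepares_for(a, b):
    """True if a consequence of a matches a prerequisite of b and a came first."""
    cons = instantiate(TYPES[a.kind][1], a.attrs)
    pre = instantiate(TYPES[b.kind][0], b.attrs)
    return a.ts < b.ts and bool(cons & pre)

def correlate(alerts):
    """Edges (earlier_id, later_id) of the alert correlation graph."""
    return sorted((a.id, b.id) for a, b in product(alerts, repeat=2)
                  if a is not b and prepares_for(a, b))

def scenarios(alerts):
    """Connected components of the graph; singletons are uncorrelated alerts."""
    parent = {a.id: a.id for a in alerts}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    for u, v in correlate(alerts):
        parent[find(u)] = find(v)
    groups = {}
    for a in alerts:
        groups.setdefault(find(a.id), []).append(a.id)
    return sorted(sorted(g) for g in groups.values())

SAMPLE = [  # constructed alert stream; alert 4 has no preparing step on its host
    Alert(1, "RpcServicePing", 100, {"SrcIP": "10.0.0.5", "DstIP": "172.16.1.10"}),
    Alert(2, "FtpLoginFailed", 110, {"SrcIP": "10.0.0.9", "DstIP": "172.16.1.20"}),
    Alert(3, "RpcBufferOverflow", 130, {"SrcIP": "10.0.0.5", "DstIP": "172.16.1.10"}),
    Alert(4, "RpcBufferOverflow", 140, {"SrcIP": "10.0.0.7", "DstIP": "172.16.1.30"}),
    Alert(5, "DDoSDaemonInstall", 200, {"SrcIP": "10.0.0.5", "DstIP": "172.16.1.10"}),
]
```

Running `correlate(SAMPLE)` yields the chain 1 -> 3 -> 5, and `scenarios(SAMPLE)` groups those three alerts while leaving the noise alert and the overflow on the unprepared host as singletons.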

The ARQoS Project (1999-2003)

The TCP/IP protocol family is being extended to provide quality of service (QoS) guarantees to applications. These new capabilities represent both a tempting target for hackers and a tempting weapon to turn against other users. In this project we investigated a variety of topics, including:

  1. Pricing as a way to control network resource allocation
  2. Protection of QoS signaling protocols
  3. Intrusion detection for QoS degradation
  4. Automatic VPN configuration to meet user security specifications
  5. Protection of reliable multicast
  6. Capacity planning for DiffServ networks
  7. Tracing of attacks through stepping stones

The Real-Time Communication Project (1994-1999)

This project investigated methods of providing QoS in ATM and TCP/IP networks. Topics included unicast and multicast routing, dynamic resource allocation, packet scheduling at switches, admission control, and statistical modeling of compressed video.

Research Funding

I have been fortunate to receive substantial funding from several research sponsors. I gratefully acknowledge the support listed below.