This project is concerned with computing the similarity between
two pieces of software. The major application is identification of
metamorphic and polymorphic malware.
Attackers use a variety of techniques to conceal their identity when they
launch attacks through the Internet. In this project, we are investigating
practical methods for "attributing" attacks (determining their source) in
the face of a variety of concealment (anonymizing) techniques, particularly
the use of stepping stones.
Current intrusion detection systems (IDSs) usually generate a large amount
of false alerts and cannot fully detect novel attacks or variations of known
attacks. In addition, existing IDSs focus on low-level attacks or anomalies
and do not capture the logical steps or strategies behind them. The result
is a large volume of alerts: under intensive intrusive activity, true alerts
are mixed with false ones, and the total quickly becomes unmanageable for an
analyst.
In this project, we seek a novel approach to address these issues. The
proposed technique is based on the observation that most intrusions are not
isolated but are related as different stages of an attack sequence, with the
early stages preparing for the later ones. In other words, there are often
logical steps or strategies behind a series of attacks. The proposed approach
correlates alerts using the prerequisites of intrusions: an earlier alert is
linked to a later one when the earlier intrusion establishes a condition that
the later one requires, so related alerts form attack scenarios while alerts
that belong to no scenario stand out as candidates for false alerts.
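The correlation idea above, as an added illustration written for this page (it is not the project's own correlation engine or its predicate vocabulary): each alert type carries prerequisite and consequence predicates templated on the alert's attributes, and an earlier alert is linked to a later one when an instantiated consequence equals an instantiated prerequisite within a time window. The alert type names, predicate names, IP addresses and timestamps are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed hyper-alert types (illustrative names, not a real IDS signature set).
# Each lists the predicates an attack needs (prerequisites) and the predicates it
# establishes (consequences), templated on the alert's attributes {dst}, {port}.
HYPER_ALERT_TYPES: Dict[str, Dict[str, Set[str]]] = {
    "PORT_SCAN":        {"prereq": set(),
                         "conseq": {"ExistService({dst},{port})"}},
    "SERVICE_PROBE":    {"prereq": {"ExistService({dst},{port})"},
                         "conseq": {"VulnerableService({dst},{port})"}},
    "REMOTE_EXPLOIT":   {"prereq": {"VulnerableService({dst},{port})"},
                         "conseq": {"RootAccess({dst})"}},
    "BACKDOOR_INSTALL": {"prereq": {"RootAccess({dst})"},
                         "conseq": {"Backdoor({dst})"}},
}


@dataclass(frozen=True)
class Alert:
    id: int
    atype: str
    ts: float                            # seconds on any monotonic clock
    attrs: Tuple[Tuple[str, str], ...]   # e.g. (("dst", "10.0.0.5"), ("port", "111"))


class _Attrs(dict):
    """Leave unknown template fields as '?' instead of raising KeyError."""
    def __missing__(self, key: str) -> str:
        return "?"


def instantiate(templates: Set[str], alert: Alert) -> Set[str]:
    """Fill predicate templates with the alert's attribute values."""
    values = _Attrs(alert.attrs)
    return {t.format_map(values) for t in templates}


def correlate(alerts: List[Alert], window: float = 3600.0) -> List[Tuple[int, int]]:
    """Return (earlier_id, later_id) pairs where a consequence of the earlier alert
    matches a prerequisite of the later one and the later alert falls within
    `window` seconds. Matching is on the fully instantiated predicate, so alerts
    against different hosts or ports do not correlate."""
    by_time = sorted(alerts, key=lambda a: a.ts)
    edges: List[Tuple[int, int]] = []
    for i, a in enumerate(by_time):
        conseq = instantiate(HYPER_ALERT_TYPES[a.atype]["conseq"], a)
        for b in by_time[i + 1:]:
            if b.ts - a.ts > window:
                break                    # later alerts are even further away
            prereq = instantiate(HYPER_ALERT_TYPES[b.atype]["prereq"], b)
            if conseq & prereq:
                edges.append((a.id, b.id))
    return edges


def scenarios(alerts: List[Alert], edges: List[Tuple[int, int]]) -> Tuple[List[List[int]], List[int]]:
    """Group alerts into connected components of the correlation graph.
    Returns (multi-alert scenarios, ids of isolated alerts). Isolated alerts are
    the ones an analyst would triage last: nothing prepared for them and they
    prepared for nothing."""
    parent = {a.id: a.id for a in alerts}

    def find(x: int) -> int:
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for u, v in edges:
        parent[find(u)] = find(v)
    groups: Dict[int, List[int]] = {}
    for a in alerts:
        groups.setdefault(find(a.id), []).append(a.id)
    multi = sorted(sorted(g) for g in groups.values() if len(g) > 1)
    isolated = sorted(g[0] for g in groups.values() if len(g) == 1)
    return multi, isolated


# Constructed alert stream: a four-step intrusion against 10.0.0.5 (ids 1-4)
# interleaved with two unrelated alerts: 5, whose consequence nothing builds on,
# and 6, whose prerequisite no earlier alert established.
SAMPLE_ALERTS = [
    Alert(1, "PORT_SCAN",        100.0, (("dst", "10.0.0.5"), ("port", "111"))),
    Alert(5, "PORT_SCAN",        120.0, (("dst", "10.0.0.9"), ("port", "80"))),
    Alert(2, "SERVICE_PROBE",    160.0, (("dst", "10.0.0.5"), ("port", "111"))),
    Alert(3, "REMOTE_EXPLOIT",   240.0, (("dst", "10.0.0.5"), ("port", "111"))),
    Alert(4, "BACKDOOR_INSTALL", 300.0, (("dst", "10.0.0.5"),)),
    Alert(6, "REMOTE_EXPLOIT",   500.0, (("dst", "10.0.0.7"), ("port", "111"))),
]

if __name__ == "__main__":
    e = correlate(SAMPLE_ALERTS)
    print("edges:", e)
    print("scenarios, isolated:", scenarios(SAMPLE_ALERTS, e))
```

Connected components give the attack scenarios, and alerts that join none are the candidates for discard or low priority; the reduction in false alerts comes from that triage, not from suppressing anything. The weak point is an undetected intermediate step: if the IDS misses the probe, the scan and the exploit stay unlinked, so a deployment needs either a way to hypothesize missed steps or coarser predicates that still link the two. The time window is a tuning knob: too small and slow attacks fall apart into isolated alerts, as the shorter-window case in the test shows.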
The TCP/IP protocol family is being extended to provide quality of service
(QoS) guarantees to applications. These new capabilities are both a tempting
target for attackers and a tempting weapon to turn against other users. In
this project we investigated a variety of topics, including:
- Pricing as a way to control network resource allocation
- Protection of QoS signaling protocols
- Intrusion detection for QoS degradation
- Automatic VPN configuration to meet user security specifications
- Protection of reliable multicast
- Capacity planning for DiffServ networks
- Tracing of attacks through stepping stones
This project investigated methods of providing QoS in ATM and TCP/IP
networks. Topics included unicast and multicast routing, dynamic resource
allocation, packet scheduling at switches, admission control, and
statistical modeling of compressed video.
I have been fortunate to receive substantial funding from several
research sponsors. I gratefully acknowledge the support listed below.
- "The Origin of the Code: Automated Identification of Common
Characteristics in Malware", National Science Foundation,
- "Edge Reconfigurable Optical Networks (ERONs) for High-Performance
Applications", DARPA, 05/01/2008-11/30/2008.
- "CT-ER: Metamorphic Worm Detection", National Science Foundation,
- "Supplement to 43709-CI: Integrating Alerts from Multiple Sources Using Bayesian Networks", Army Research Office, 06/01/2004-05/31/2005, $60,600, co-PI (PI is Peng Ning).
- "Tracking Attack Traffic Through Stepping Stones Using Timing-Based
Watermarks", ARDA, 10/01/2003-03/31/2007,
$1,100,100. PI (co-PI is Peng Ning).
- "Correlating Alerts Using Prerequisites of Intrusions: Towards Reducing False Alerts and Uncovering High-Level Attack Strategies", Army Research Office, 07/01/2002-06/30/2004, $198,000, co-PI (PI is Peng Ning).
- "Reduce False Alerts, Uncover High-Level Attack Strategies and Predict Attacks in Progress Using Prerequisites of Intrusions", National Science Foundation Trusted Computing Program, 07/01/2002-06/30/2005, $330,000, co-PI (PI is Peng Ning).
- "US Marine Corps Communications Network Modeling", CTC, 02/01/2002-06/01/2003, $550,000, co-PI (along with Dennis Kekas, John Bass, James Robinson, and David Thuente).
- "Protecting Network QoS Against Denial of Service Attacks", DARPA Fault Tolerant Networks Program, 9/15/1999-2/15/2003, $232,000. PI (co-PI was Peter Wurman).
- "Protecting Network QoS Against Denial of Service Attacks", DARPA Fault Tolerant Networking Program, 07/01/99-06/30/2002, $1.2M. PI (co-PI was S. Felix Wu).
- "A Competitive-Market Approach to Distributed Resource Allocation with QoS and Priorities", AFOSR, 4/1/99-9/30/2001, $141,000.
- "Network Resource Pricing: Balancing Guarantees and Costs", sponsored by NEC C&C Research Labs, 7/1/98-6/30/99, $12,000.
- "Dynamic Resource Allocation and RSVP", sponsored by CACC, 8/15/97-8/14/98, $17,000.
- "Real-Time Communication: Multicast Routing and Dynamic Resource Allocation", sponsored by AFOSR, 6/1/97-5/31/2000, $87,000.
- "Multicast Routing Algorithms", sponsored by CCSP/CACC, 10/1/95-4/30/97, $75,000. co-PI (PI was Prof. Yannis Viniotis).
- "Dynamic Bandwidth and Buffer Management in Wide-Area Networks", sponsored by AFOSR, 4/1/96-3/30/99, $150,000.
- "An Experimental Testbed for High-Performance Multi-Dimensional Signal Processing", sponsored by ONR, 1/1/93-12/31/93, $95,000. co-PI (PI was Prof. Winser Alexander).
- "Real-Time Communications for Distributed Computing", sponsored by AFOSR, 10/1/92-9/30/95, $134,000.
- "High-Performance Architectures for N-D Signal Processing", sponsored by ONR, 1/1/92-12/31/94, $290,000. co-PI (PI was Prof. Winser Alexander).
- "Design and Analysis of Multiprocessor Computers for Robotics", sponsored by NSF, 6/1/90-6/1/92, $52,000.
- "Logic Synthesis Using Boolean Pattern Matching", sponsored by IBM, 6/1/90-12/31/91, $30,000.
- "Switch-Level Verification and Testing of Digital MOS Circuits", sponsored by MCNC Center for Microelectronics, 1/1/89-6/30/90, $25,000.