Douglas Reeves

Research Projects



The modus operandi Project (2006-present)

This project is concerned with computing the similarity between two pieces of software. The major application is identification of metamorphic and polymorphic malware.

The FootFall Project (2003-2007)

Attackers use a variety of techniques to conceal their identity when they launch attacks through the Internet. In this project, we are investigating practical methods for "attributing" attacks (determining their source) in the face of a variety of concealment (anonymizing) techniques, particularly the use of stepping stones.

Intrusion Alert Correlation Using Prerequisites of Intrusions (2002-2006)

Current intrusion detection systems (IDSs) usually generate a large number of false alerts and cannot fully detect novel attacks or variations of known attacks. In addition, all existing IDSs focus on low-level attacks or anomalies; none of them can capture the logical steps or strategies behind these attacks. Consequently, the IDSs usually generate a large volume of alerts. In situations where there are intensive intrusive actions, not only will actual alerts be mixed with false alerts, but the amount of alerts will also become unmanageable.

In this project, we seek a novel approach to address these issues. The proposed technique is based on the observation that most intrusions are not isolated but related as different stages of attack sequences, with the early stages preparing for the later ones. In other words, there are often logical steps or strategies behind series of attacks. The proposed approach correlates alerts using prerequisites of intrusions.
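As an added illustration of the prerequisite-based correlation described above (example code written for this page, not the project's own implementation): each alert type is given the predicates an attack requires and the predicates it establishes, and an earlier alert is linked to a later one when a consequence of the earlier alert instantiates a prerequisite of the later one. The alert types, predicate names and sample alerts below are constructed assumptions.

```python
from collections import namedtuple

# Constructed knowledge base (an assumption for this example, not the project's
# own rules): per alert type, the predicates the attack requires and the ones it
# establishes. Braces name alert attributes, so instantiated predicates only
# match when the bound host/port values agree.
TYPES = {  # kind: (prerequisites, consequences)
    "ProbeHost":       ([],                          ["HostUp({dst})"]),
    "ProbeService":    (["HostUp({dst})"],           ["ServiceUp({dst},{port})"]),
    "ExploitService":  (["ServiceUp({dst},{port})"], ["RootAccess({dst})"]),
    "InstallBackdoor": (["RootAccess({dst})"],       ["Backdoor({dst})"]),
}

# An alert as reported by an IDS: identifier, type, timestamp, attributes.
Alert = namedtuple("Alert", "id kind time attrs")

def instantiate(templates, alert):
    """Bind the predicate templates of an alert type to this alert's attributes."""
    return {t.format(**alert.attrs) for t in templates}

def correlate(alerts):
    """(earlier_id, later_id) pairs where a consequence of the earlier alert
    instantiates a prerequisite of the later one: 'earlier prepares for later'."""
    ordered = sorted(alerts, key=lambda a: a.time)
    edges = []
    for i, later in enumerate(ordered):
        needs = instantiate(TYPES[later.kind][0], later)
        for earlier in ordered[:i]:
            if earlier.time < later.time and needs & instantiate(TYPES[earlier.kind][1], earlier):
                edges.append((earlier.id, later.id))
    return edges

def scenarios(alerts):
    """Connected components of the prepare-for graph; uncorrelated alerts stay singletons."""
    group = {a.id: {a.id} for a in alerts}
    for a, b in correlate(alerts):
        merged = group[a] | group[b]
        for x in merged:
            group[x] = merged
    return sorted({min(g): g for g in group.values()}.values(), key=min)

# Constructed sample: a four-step chain against 10.0.0.5, plus two alerts on
# 10.0.0.9 that nothing prepares for (a lone probe; an exploit with no prior probe).
SAMPLE = [
    Alert(1, "ProbeHost", 10, {"dst": "10.0.0.5"}),
    Alert(2, "ProbeService", 20, {"dst": "10.0.0.5", "port": "111"}),
    Alert(3, "ExploitService", 30, {"dst": "10.0.0.5", "port": "111"}),
    Alert(4, "InstallBackdoor", 40, {"dst": "10.0.0.5"}),
    Alert(5, "ProbeHost", 50, {"dst": "10.0.0.9"}),
    Alert(6, "ExploitService", 60, {"dst": "10.0.0.9", "port": "80"}),
]
```

Running `scenarios(SAMPLE)` groups alerts 1 through 4 into one attack scenario and leaves alerts 5 and 6 isolated, which is what lets an analyst focus on the chain rather than six separate alerts.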

The ARQoS Project (1999-2003)

The TCP/IP protocol family is being extended to provide quality of service (QoS) guarantees to applications. These new capabilities represent both a tempting target for hackers, and a tempting weapon to turn against other users. In this project we investigated a variety of topics, including:

  1. Pricing as a way to control network resource allocation
  2. Protection of QoS signaling protocols
  3. Intrusion detection for QoS degradation
  4. Automatic VPN configuration to meet user security specifications
  5. Protection of reliable multicast
  6. Capacity planning for DiffServ networks
  7. Tracing of attacks through stepping stones

The Real-Time Communication Project (1994-1999)

This project investigated methods of providing QoS in ATM and TCP/IP networks. Topics included unicast and multicast routing, dynamic resource allocation, packet scheduling at switches, admission control, and statistical modeling of compressed video.

Research Funding

I have been fortunate to receive substantial funding from several research sponsors. I gratefully acknowledge the support listed below.

  • "The Origin of the Code: Automated Identification of Common Characteristics in Malware", National Science Foundation, 08/15/2009-01/01/2012.

  • "Edge Reconfigurable Optical Networks (ERONs) for High-Performance Applications", DARPA, 05/01/2008-11/30/2008.

  • "CT-ER: Metamorphic Worm Detection", National Science Foundation, 07/01/2006-06/30/2008.

  • "Supplement to 43709-CI: Integrating Alerts from Multiple Sources Using Bayesian Networks", Army Research Office, 06/01/2004-05/31/2005, $60,600, co-PI (PI is Peng Ning).

  • "Tracking Attack Traffic Through Stepping Stones Using Timing-Based Watermarks", ARDA, 10/01/2003-03/31/2007, $1,100,100, PI (co-PI is Peng Ning).

  • "Correlating Alerts Using Prerequisites of Intrusions: Towards Reducing False Alerts and Uncovering High-Level Attack Strategies", Army Research Office, 07/01/2002-06/30/2004, $198,000, co-PI (PI is Peng Ning).

  • "Reduce False Alerts, Uncover High-Level Attack Strategies and Predict Attacks in Progress Using Prerequisites of Intrusions", National Science Foundation Trusted Computing Program, 07/01/2002-06/30/2005, $330,000, co-PI (PI is Peng Ning).

  • "US Marine Corps Communications Network Modeling", CTC, 02/01/2002-06/01/2003, $550,000, co-PI (along with Dennis Kekas, John Bass, James Robinson, and David Thuente).

  • "Protecting Network QoS Against Denial of Service Attacks", DARPA Fault Tolerant Networks Program, 9/15/1999-2/15/2003, $232,000, PI (co-PI was Peter Wurman).

  • "Protecting Network QoS Against Denial of Service Attacks", DARPA Fault Tolerant Networking Program, 07/01/99-06/30/2002, $1.2M, PI (co-PI was S. Felix Wu).

  • "A Competitive-Market Approach to Distributed Resource Allocation with QoS and Priorities", AFOSR, 4/1/99-9/30/2001, $141,000.

  • "Network Resource Pricing: Balancing Guarantees and Costs", sponsored by NEC C&C Research Labs, 7/1/98-6/30/99, $12,000.

  • "Dynamic Resource Allocation and RSVP", sponsored by CACC, 8/15/97-8/14/98, $17,000.

  • "Real-Time Communication: Multicast Routing and Dynamic Resource Allocation", sponsored by AFOSR, 6/1/97-5/31/2000, $87,000.

  • "Multicast Routing Algorithms", sponsored by CCSP/CACC, 10/1/95-4/30/97, $75,000, co-PI (PI was Prof. Yannis Viniotis).

  • "Dynamic Bandwidth and Buffer Management in Wide-Area Networks", sponsored by AFOSR, 4/1/96-3/30/99, $150,000.

  • "An Experimental Testbed for High-Performance Multi-Dimensional Signal Processing", sponsored by ONR, 1/1/93-12/31/93, $95,000, co-PI (PI was Prof. Winser Alexander).

  • "Real-Time Communications for Distributed Computing", sponsored by AFOSR, 10/1/92-9/30/95, $134,000.

  • "High-Performance Architectures for N-D Signal Processing", sponsored by ONR, 1/1/92-12/31/94, $290,000, co-PI (PI was Prof. Winser Alexander).

  • "Design and Analysis of Multiprocessor Computers for Robotics", sponsored by NSF, 6/1/90-6/1/92, $52,000.

  • "Logic Synthesis Using Boolean Pattern Matching", sponsored by IBM, 6/1/90-12/31/91, $30,000.

  • "Switch-Level Verification and Testing of Digital MOS Circuits", sponsored by MCNC Center for Microelectronics, 1/1/89-6/30/90, $25,000.


Last modified on Wednesday, 17-Sep-2014 07:00:18 EDT