
Project 332 ( 3rd year )

Network Security and Forensics

  In this project, we first studied a collaborative detection system for evolved worms/attacks in which a number of innovative behavior-based network intrusion detectors, called Gestalt, are deployed throughout the target network domain. The key insight behind our approach is that even though the payload contents and traffic patterns of future attacks can easily be modified to outwit current detection techniques, some behavioral aspects of these attacks are invariant, and these invariant behaviors can be used to design a robust worm detection system. The design of Gestalt has three key aspects. First, behavioral detection can detect polymorphic and low scan-rate variants of existing attacks without any additional modifications to the detection system. We argue that attacks share common behaviors, so that an attack can be inferred through a behavioral approach. We describe network activities at different levels (protocol, service, and artificial network incident) to model a complex behavior. Second, anomalous events often manifest themselves only as a combination of events that occur across multiple layers, and cannot be observed at individual layers of the network stack. We provide cross-level correlation for effective detection. Third, we provide meaningful assessments of a sequence of behavioral observations to system administrators by using a probabilistic inference model, and assign a confidence score indicating the belief that the observed sequence did indeed lead to a host being compromised. We also studied methods and systems for effective network forensics. We consider that a sound and secure network will, in the future, depend on both detection and forensic techniques. We propose a data reduction mechanism to assist attack identification and reconstruction by filtering out most of the normal flows, which are regarded as noise/interference during traceback. We show that the proposed data reduction method indeed improves the efficacy of attack traceback in storage, computational complexity, and detection accuracy.

Prototypes & Systems

Publications

Member List

Country   Organization   Full Name         Title       E-mail
Taiwan    TWISC          Sun, Yeali S.     PI
Taiwan    TWISC          Chen, Meng-Chang  Co-PI
US        CMU            Hui Zhang         CPI
Taiwan    TWISC          Chen, Li-Ming     Assistant
Taiwan    TWISC          Lin, Jia-min      Assistant

Project 300 Organization Chart (in Hanzi)

Required Documents (3rd year)

Statement of Work

White Paper

Self-Assessment Presentation File (Internal Review Meeting)

Midterm Report (External Review Meeting)

Final Report (External Review Meeting)

Others

Progress Reports

Travel Reports

Other Documents

Other Private Documents (for project members only)

External Links