CT-ISG: High-Speed Network Defense with Massive and Diverse Vulnerability Signatures

CT-ISG：海量多样漏洞签名的高速网络防御

• 批准号: 0831508
• 负责人: Yan Chen
• 金额: $ 40万
• 依托单位: Northwestern University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2008
• 资助国家: 美国
• 起止时间: 2008-09-01 至 2012-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0831508&HistoricalAwards=false
• 关键词: CT; ISG; Speed; Network; Defense

NSF Proposal 0831508: CT-ISG High-Speed Network Defense with Massive and Diverse Vulnerability SignaturesPI: Yan Chen, Northwestern UniversityGiven the ever-increasing sophisticated Internet attacks, network-based Intrusion Detection/Prevention Systems (IDS/IPS) are of critical importance. Such systems mainly have two important metrics: accuracy and throuput. Accuracy is of particular importance, especially for IPSes which are inline devices that throttle connections when they are identified as malicious via signature-matching. The latest works assume that regular expressions (RE) are the right choice for signature formatting. However, there are polymorphic and metamorphic variations that can evade the RE-based detection. The fundamental problem of RE signatures is that in many cases it cannot capture the vulnerability conditions.In this project, we design a next-generation semantic based network IDS/IPS system (called NetShield) which contains thousands of vulnerability signatures with rich diversity, including protocol, file and web semantic signatures. While offering much better accuracy, NetShield provides high throughput comparable to that of the state-of-the-art regular expression based IDS. We design algorithms for 1) efficient protocol parsing and 2) massive protocol semantic signature matching. Furthermore, we extend the parsing and matching solutions to Web and file semantic signatures.This project has the potential for significant broad impact. The research component will produce fundamental knowledge that will advance the state-of-the-art in the network IDS/IPS systems. Our wide collaboration with industry researchers will facilitate such technology transfer. In addition, we plan to disseminate our work through timely releases of software/hardware, traces, and benchmarks to the open source community for broader usage. This research agenda is complemented by a strong and tightly integrated educational and outreach component.

NSF Proposal 0831508：CT-ISG High-Speed Network Defense with Massive and Diverse Vulnerability SignaturesPI：Yan Chen，Northwestern University鉴于日益复杂的互联网攻击，基于网络的入侵检测/防御系统（IDS/IPS）至关重要。这种系统主要有两个重要的指标：准确性和吞吐量。 准确性特别重要，尤其是对于IPS，它们是内联设备，当通过签名匹配将连接识别为恶意时，它们会限制连接。 最新的作品假设正则表达式（RE）是签名格式的正确选择。然而，存在可以逃避基于RE的检测的多态和变形变化。在本项目中，我们设计了一个新一代的基于语义的网络入侵检测系统（NetShield），该系统包含了数千个具有丰富多样性的漏洞特征，包括协议、文件和Web语义特征。 在提供更好的准确性的同时，NetShield提供了与最先进的基于正则表达式的IDS相媲美的高吞吐量。 我们设计的算法1）有效的协议解析和2）大规模的协议语义签名匹配。 此外，我们将解析和匹配解决方案扩展到Web和文件语义签名。研究部分将产生基础知识，这将促进国家的最先进的网络IDS/IPS系统。 我们与行业研究人员的广泛合作将促进此类技术转让。 此外，我们计划通过及时发布软件/硬件、跟踪和基准来向开源社区传播我们的工作，以便更广泛地使用。这一研究议程是由一个强大的和紧密结合的教育和推广组成部分的补充。