NetShield: Matching with a Large Vulnerability Signature Ruleset

Date: 2008-12-18
Time: 10:30 a.m.-11:30 a.m.
Location: Holmes Hall Room 389
Speaker: Professor Yan Chen, Northwestern University
Abstract: In this talk, I will first briefly introduce the network-based monitoring, diagnosis, and anomaly/intrusion detection and prevention systems currently under research in the Northwestern Lab of Internet and Security Technology (LIST) (http://list.cs.northwestern.edu), and then focus on one of those projects, NetShield, described below.

The accuracy of existing Network Intrusion Detection/Prevention Systems (NIDS/NIPS), which are mostly regex-based, has become a serious problem because in many cases regular expressions (regexes) cannot capture the exact vulnerability conditions. In contrast, NetShield applies vulnerability signatures, which describe the vulnerability condition exactly and therefore achieve better accuracy. We design several algorithms for efficient protocol parsing and for matching thousands of vulnerability signatures in parallel using a small amount of memory. We also show that 87.6% of the signatures in the Snort ruleset (6,735 rules) can have corresponding vulnerability signatures in the protocol semantic format. NetShield was implemented and deployed as a NIDS in a university data center, sniffing all traffic on a link of a major router. We achieved Gbps or even tens of Gbps throughput for both parsing and matching.

Speaker Bio: Dr. Yan Chen joined Northwestern University in January 2004. He received his Ph.D. in Computer Science from the University of California at Berkeley in 2003. His research interests include network security, and network measurement and monitoring for both wired and wireless networks. He won the Department of Energy (DoE) Early CAREER award in 2005, the Department of Defense (DoD) Young Investigator Award in 2007, and the Microsoft Trustworthy Computing Awards in 2004 and 2005 with his colleagues.
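To make the abstract's contrast concrete, the following is an added illustration (not NetShield's code and not any real Snort rule): a constructed toy line protocol is parsed once, and vulnerability signatures are predicates over the parsed fields, while a regex over the raw bytes can only approximate a condition that relates two fields. The protocol, the signatures and the sample messages are all hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed toy line protocol for illustration: "<METHOD> <NAME> <LEN>\r\n<PAYLOAD>".
@dataclass
class Msg:
    method: str
    name: str
    length: int   # declared payload length from the header
    payload: bytes

def parse(raw: bytes) -> Msg:
    """Parse the message once; every signature is then a predicate over these fields."""
    header, _, payload = raw.partition(b"\r\n")
    method, name, length = header.decode("ascii").split(" ")
    return Msg(method, name, int(length), payload)

# Hypothetical vulnerability signatures for the toy protocol, written as predicates
# over parsed fields (illustrative conditions, not NetShield's real ruleset).
VULN_SIGS: Dict[str, Callable[[Msg], bool]] = {
    # assumed 64-byte name buffer in the PUT handler
    "put-name-overflow": lambda m: m.method == "PUT" and len(m.name) > 64,
    # declared length exceeds the bytes actually present: an over-read
    "length-mismatch": lambda m: m.length > len(m.payload),
}

def match_vuln(raw: bytes) -> List[str]:
    """Evaluate all signatures against one parse; return the ids that fire."""
    m = parse(raw)
    return [sid for sid, pred in VULN_SIGS.items() if pred(m)]

# A regex sees only the byte pattern; it cannot compare the declared length with the
# payload actually received, so it must approximate "length-mismatch" as "a large
# declared length", which is both over- and under-inclusive.
REGEX_SIG = re.compile(rb"^[A-Z]+ \S+ \d{4,}\r\n")

def match_regex(raw: bytes) -> bool:
    return REGEX_SIG.search(raw) is not None

# Constructed sample traffic.
BENIGN_BIG = b"PUT file.txt 2048\r\n" + b"A" * 2048     # regex fires, condition not met
MALICIOUS_SMALL = b"PUT file.txt 512\r\n" + b"A" * 10   # regex misses, condition met
LONG_NAME = b"PUT " + b"x" * 70 + b" 5\r\nhello"         # second signature fires

if __name__ == "__main__":
    for sample in (BENIGN_BIG, MALICIOUS_SMALL, LONG_NAME):
        print(match_regex(sample), match_vuln(sample))
```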