Automatic Generation of Robust Network Intrusion Detection Signatures

Award Information
Agency: Department of Defense
Branch: Army
Contract: W911NF-06-C-0169
Agency Tracking Number: O064-NC2-2006
Amount: $99,925.00
Phase: Phase I
Program: STTR
Awards Year: 2006
Solicitation Year: 2006
Solicitation Topic Code: OSD06-NC2
Solicitation Number: N/A
Small Business Information
632 Broadway, Suite 803, New York, NY, 10012
DUNS: 022423854
HUBZone Owned: N
Woman Owned: N
Socially and Economically Disadvantaged: N
Principal Investigator
 Steven Reinhardt
 Managing Engineer
 (212) 780-0527
 stever@reservoir.com
Business Contact
 Melanie Peters
Title: Business Manager
Phone: (212) 780-0527
Email: peters@reservoir.com
Research Institution
 CARNEGIE MELLON UNIV.
 A J Abels
 Collaborative Innovation Cente, 4720 Forbes Avenue, Room 211
Pittsburgh, PA, 15213
 (412) 268-4912
 Nonprofit college or university
Abstract
We propose to develop a system that autonomously and rapidly (1) directly detects exploitation of application software vulnerabilities (including previously unknown vulnerabilities) via dynamic taint analysis, and (2) generates vulnerability signatures identifying all traffic that exploits those vulnerabilities (even traffic with no other similarities to the observed exploit) via semantic analysis of program paths leading to each vulnerability. These signatures will be generated in a format suitable for deployment in a conventional network-based intrusion detection/prevention system. Compared to the current practice of manual signature generation, an automated signature generation system is a necessary step to combat rapidly spreading worms that target previously unknown ("zero-day") vulnerabilities. Compared to other proposed automated signature generation systems which use statistical or heuristic techniques, our approach (1) provides more accurate discrimination between malicious and benign traffic and more precise identification of exploited vulnerabilities at the detection stage, and (2) generates signatures that represent the fundamental characteristics of any exploit targeting a particular vulnerability as completely as possible within the constraints of the signature language. Both aspects contribute directly to reducing the number of false positives and false negatives when the signatures are deployed.

* Information listed above is at the time of submission. *
