CT-ISG: High-Speed Network Defense with Massive and Diverse Vulnerability Signatures

Project Details

Lead PI

Performance Period

Sep 01, 2008 - Aug 31, 2012

Institution(s)

Northwestern University

Award Number


Outcomes Report URL


Given increasingly sophisticated Internet attacks, network-based Intrusion Detection/Prevention Systems (IDS/IPS) are of critical importance. Such systems have two main metrics: accuracy and throughput. Accuracy is of particular importance for IPSes, which are inline devices that throttle connections once signature matching identifies them as malicious. The latest work assumes that regular expressions (REs) are the right choice for signature formatting. However, polymorphic and metamorphic variations can evade RE-based detection. The fundamental problem of RE signatures is that in many cases they cannot capture the vulnerability conditions.

In this project, we design a next-generation semantics-based network IDS/IPS (called NetShield) which contains thousands of vulnerability signatures with rich diversity, including protocol, file and web semantic signatures. While offering much better accuracy, NetShield provides throughput comparable to that of state-of-the-art regular-expression-based IDSes. We design algorithms for 1) efficient protocol parsing and 2) massive protocol semantic signature matching. Furthermore, we extend the parsing and matching solutions to web and file semantic signatures.

This project has the potential for significant broad impact. The research component will produce fundamental knowledge that advances the state of the art in network IDS/IPS systems. Our wide collaboration with industry researchers will facilitate technology transfer. In addition, we plan to disseminate our work through timely releases of software/hardware, traces, and benchmarks to the open source community for broader usage. This research agenda is complemented by a strong and tightly integrated educational and outreach component.
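The contrast the abstract draws between RE signatures and vulnerability signatures can be shown on a toy protocol. The following is an added example, not NetShield code: it assumes a hypothetical `LOGIN <len> <username>` message whose receiver copies the username into a 64-byte buffer (so the vulnerability condition is a username field longer than 64 bytes). An RE signature written for one known payload shape misses a variant with different filler bytes and a message whose declared length disagrees with its body, while the semantic signature, which parses the message and then checks the condition on the parsed fields, flags all three. All sample messages are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical receiver-side limit: the username field is copied into a
# 64-byte buffer, so any field longer than 64 bytes is the vulnerability condition.
MAX_USERNAME = 64


@dataclass
class LoginMessage:
    declared_len: int   # length the sender claims for the username field
    username: bytes     # the field as actually carried on the wire


def parse_login(msg: bytes) -> Optional[LoginMessage]:
    """Parse one toy 'LOGIN <len> <username>' message; None if malformed."""
    parts = msg.split(b" ", 2)
    if len(parts) != 3 or parts[0] != b"LOGIN":
        return None
    try:
        declared = int(parts[1])
    except ValueError:
        return None
    return LoginMessage(declared, parts[2])


# RE signature in the exploit-pattern style: it encodes the one known payload
# (a long run of 'A' bytes), not the vulnerability condition itself.
RE_SIG = re.compile(rb"LOGIN \d+ A{64,}")


def re_signature_alerts(msg: bytes) -> bool:
    return RE_SIG.search(msg) is not None


def vuln_signature_alerts(msg: bytes) -> bool:
    """Semantic signature: parse first, then test the condition on the fields."""
    m = parse_login(msg)
    if m is None:
        return False
    # Either the declared length or the actual field length exceeding the
    # buffer would trigger the hypothetical overflow, so check both.
    return m.declared_len > MAX_USERNAME or len(m.username) > MAX_USERNAME


# Constructed sample traffic (not captured data).
SAMPLES: Dict[str, bytes] = {
    "benign": b"LOGIN 5 alice",
    "known": b"LOGIN 100 " + b"A" * 100,                  # the payload the RE was written for
    "variant": b"LOGIN 100 " + bytes(range(33, 133)),     # same length, different filler bytes
    "lying_len": b"LOGIN 200 bob",                        # declared length disagrees with body
}


def evaluate() -> Dict[str, Tuple[bool, bool]]:
    """Return {sample: (RE signature alerted, vulnerability signature alerted)}."""
    return {name: (re_signature_alerts(m), vuln_signature_alerts(m))
            for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, (re_hit, vuln_hit) in evaluate().items():
        print(f"{name:10s} RE={re_hit!s:5s} vulnerability-signature={vuln_hit}")
```

The point of the example is the ordering inside `vuln_signature_alerts`: the message is parsed into fields before any condition is tested, so the signature is stated in terms of protocol semantics (a field length) rather than byte patterns, and filler-byte changes that defeat the RE do not change the parsed length.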