Network and System Security Research
Faculty Advisor, Wenke Lee, PhD

My recent work focuses on Internet malware detection and defense, especially botnets, which are now considered one of the most severe threats to Internet security. We present a new network perimeter monitoring strategy that focuses on recognizing the infection and coordination dialog that occurs during a successful malware infection. BotHunter is an application designed to track the two-way communication flows between internal assets and external entities, developing an evidence trail of data exchanges that match a state-based infection sequence model.
BotHunter consists of a correlation engine driven by three malware-focused network packet sensors, each charged with detecting specific stages of the malware infection process: inbound scanning, exploit usage, egg downloading, outbound bot coordination dialog, and outbound attack propagation. The BotHunter correlator then ties together the dialog trail of inbound intrusion alarms with those outbound communication patterns that are highly indicative of a successful local host infection. When a sequence of evidence is found to match BotHunter's infection dialog model, a consolidated report is produced that captures all the relevant events and event sources that played a role during the infection process. We refer to this analytical strategy of matching the dialog flows between internal assets and the broader Internet as dialog-based correlation, and contrast it with other intrusion detection and alert correlation methods. BotHunter is made available both for operational use and to help stimulate research in understanding the life cycle of malware infections. We published this work at USENIX Security'07.
On worm detection and defense, I have also proposed two algorithms. First, the Destination Source Correlation (DSC) algorithm focuses on the full behavior of a worm (both its infection pattern and its scanning pattern) and tracks actually infected hosts (not merely scans) to provide an accurate response. Second, the HoneyStat system provides a way to track the short-term infection behavior used by worms; potentially, this provides a basis for statistical inference about worm behavior on a network. For this work, I have published one paper in RAID'04 and another in ACSAC'04.
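The following is an added illustration, not BotHunter's or DSC's own code, of the evidence-trail idea shared by both paragraphs above: per-host alerts from the dialog stages named on the page are collected, stale evidence is pruned, and a consolidated report is produced only when inbound and outbound evidence coincide for the same internal host (the stage labels E1-E5, the one-hour window, and the declaration rule itself are assumptions made for this example, not the tools' real parameters).

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Stage labels are constructed for this example; the stage names follow the page.
INBOUND = {"E1_scan", "E2_exploit"}
OUTBOUND = {"E3_egg_download", "E4_cc_dialog", "E5_propagation"}
WINDOW = 3600  # seconds of evidence retained per host (assumed value)


@dataclass
class Evidence:
    ts: int        # sensor timestamp (epoch seconds)
    host: str      # internal asset the alert concerns
    stage: str     # which infection-dialog stage the sensor reported
    detail: str    # free-text description from the sensor


@dataclass
class DialogCorrelator:
    trail: dict = field(default_factory=lambda: defaultdict(list))

    def observe(self, ev):
        """Append one sensor alert to the host's evidence trail, dropping
        events older than WINDOW, then re-evaluate the host."""
        kept = [e for e in self.trail[ev.host] if ev.ts - e.ts <= WINDOW]
        kept.append(ev)
        self.trail[ev.host] = kept
        return self.report(ev.host)

    def report(self, host):
        """Assumed (simplified) declaration rule: inbound plus outbound
        evidence, or two distinct outbound stages, within the window."""
        stages = {e.stage for e in self.trail[host]}
        inbound, outbound = stages & INBOUND, stages & OUTBOUND
        if (inbound and outbound) or len(outbound) >= 2:
            return {"host": host, "stages": sorted(stages),
                    "events": [(e.ts, e.stage, e.detail) for e in self.trail[host]]}
        return None


# Constructed sample alerts: 10.0.0.5 is scanned, exploited, then fetches a
# binary; 10.0.0.9 is only scanned and must not be reported.
SAMPLE = [
    Evidence(100, "10.0.0.5", "E1_scan", "inbound scan from 203.0.113.7"),
    Evidence(130, "10.0.0.5", "E2_exploit", "exploit signature on tcp/445"),
    Evidence(200, "10.0.0.9", "E1_scan", "inbound scan from 203.0.113.7"),
    Evidence(260, "10.0.0.5", "E3_egg_download", "binary fetched from 198.51.100.4"),
]


def run(alerts=SAMPLE):
    """Feed alerts through the correlator; return the latest report per host."""
    corr, reports = DialogCorrelator(), {}
    for a in alerts:
        r = corr.observe(a)
        if r:
            reports[r["host"]] = r
    return reports
```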
References:
Guofei Gu, Phillip Porras, Vinod Yegneswaran, Martin Fong, Wenke Lee. "BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation." In Proceedings of the 16th USENIX Security Symposium (Security'07), Boston, MA, August 2007.
Guofei Gu, Monirul Sharif, Xinzhou Qin, David Dagon, Wenke Lee, George Riley. "Worm Detection, Early Warning and Response Based on Local Victim Information." In Proceedings of the 20th Annual Computer Security Applications Conference (ACSAC'04), Tucson, Arizona, December 6-10, 2004.
David Dagon, Xinzhou Qin, Guofei Gu, Wenke Lee, Julian Grizzard, John Levine, and Henry Owen. "HoneyStat: Local Worm Detection Using Honeypots." In Proceedings of the 7th International Symposium on Recent

