12:45PM, Thursday, November 10th 2005.
Gates 104


Automated Worm Defense: Signature Generation with Autograph and Polygraph
 

Brad Karp
University College London



About the talk:
 
An aggressively spreading Internet worm may scan the entire Internet in minutes. Yet today, it takes hours or even days after a worm's release for security experts to *manually* generate a content signature usable by intrusion detection systems (IDSes) to filter that worm's traffic. This mismatch bodes ill for the efficacy of signature-based worm defense.
                                                                                
In this talk, I will first describe Autograph, a system that generates signatures for never-before-seen worms *quickly* and *automatically*. A single Autograph monitor identifies suspicious traffic that crosses an edge network's DMZ. It then finds the most prevalent content blocks within that suspicious traffic pool, and proposes these as signatures for the worms in the that traffic pool. We demonstrate that when run on real DMZ traces containing real worm traffic, Autograph generates signatures that exhibit zero false positives and zero false negatives.  We also show how information sharing among distributed Autograph monitors allows Autograph to generate signatures quickly. For example, Autograph would have generated a signature for Code-Red-Iv2 before 2% of the vulnerable Internet hosts had become infected.
                                                                                
The natural response to signature-based worm quarantine is to render worms *polymorphic*, so that they change their payload on every infection attempt, and thus match no single contiguous signature. In the second part of this talk, I will describe Polygraph, a suite of signature generation algorithms that can be used to automatically generate signatures--even for polymorphic worms.
                                                                                
I will conclude with a few musings on the fundamental limitations of automated signature generation based solely on worm payload.

About the speaker:
 
Brad Karp is an Associate Professor (or "Senior Lecturer," in UK academic parlance) at the Department of Computer Science at University College London. He previously was a staff scientist at ICIR (previously named ACIRI) at ICSI in Berkeley, a Senior Staff Researcher at Intel Research Pittsburgh, and Adjunct Assistant Professor at Carnegie Mellon University. His research marries the design of new algorithms and the building of real systems, in the areas of wireless and sensor networks (e.g., GPSR and CLDP for geographic routing), Internet worm quarantine (e.g., Autograph and Polygraph for worm signature generation), and Internet-scale distributed systems (e.g., Open DHT, a public DHT service). Brad holds a Royal Society-Wolfson Reseach Merit Award, given to recruit leading scientists to UK universities.
                                                                                
More information:                                                                  
        http://www.cs.ucl.ac.uk/staff/B.Karp/
        http://autograph.cs.cmu.edu/