Dawn Song,
Assistant Professor, ECE & CS
Carnegie Mellon University,
Pittsburgh, PA
“Towards Automatic
Generation of Vulnerability
Signatures”
Bio:
Dawn Song is an Assistant Professor at Carnegie Mellon University. She obtained her PhD in Computer Science from UC Berkeley. Her research interest lies in security and privacy issues in computer systems and networks. She is the author of more than 35 research papers in areas ranging from software security, networking security, database security, distributed systems security, to applied cryptography.
She is the recipient of various awards and grants including the NSF CAREER Award and the IBM Faculty Award. She has served on numerous program committees of prestigious conferences including Symposium on Operating Systems Design and Implementation (OSDI), ACM Computer and Communication Security (CCS), USENIX Security Symposium, Network and Distributed Systems Security Symposium (NDSS), USENIX Annual Technical Conference, Symposium on Recent Advance in Intrusion Detection (RAID), IEEE Infocom, ACM Sensor Networks and Systems Conference (SenSys).
NOVEMBER 27th, 2006 - 10:00 am cst
Taylor Hall, Room 3.128
Department of Computer Sciences
The University of Texas at Austin
Abstract:
Content-based filtering using attack signatures is a widely-adopted defense mechansim against worm attacks and other malware attacks. However, so far, the core of this defense mechanism, signature generation, has largely been a manual process, which can be slow, tedious, inaccurate, and have fundamental limitations to scalability and complexity. In this talk, I will present our recent works towards automatic generation of worm signatures.
I will first talk about pattern-extraction based signature generation where we use machine learning techniques to extract distinguishing features of attack packets to create signatures. I will then talk about some of the fundamental limitations of such pattern-extraction based approach in defending against polymorphic attacks and other malicious attacks. Finally, I will introduce our new approach, language-based methods for automatic generation of vulnerability signatures. A vulnerability signature matches all exploits of a given vulnerability, even polymorphic or metamorphic variants. We propose new techniques using data-flow analysis and constraint solving for automatically generating vulnerability signatures. Our experiments show that we can automatically generate a vulnerability signature using a single exploit which is of much higher quality than previous approaches, demonstrating our approach is a promising direction towards automatic generation of worm signatures. Finally, our techniques have wide applicability beyond signature generation, and I will give some example applications including application dialogue replay.