Skip to main content

Yinglian Xie

Carnegie Mellon University

Date:  Thursday, April 6, 2006
Time: 10:00am-11:00am
Place: 3105 Engineering

Host: R. Jin 

Abstract: The world of network security is an arms race where attackers constantly change the signatures of their attacks to avoid detection. In addition, all sophisticated attackers use multi-level attacks that begin by compromising innocent hosts and then use these zombies to initiate and propagate the actual attack. This talk will focus on forensics techniques that can identify the true originator of a large scale attack and reconstruct the initial attack propagation paths. We believe such capability can significantly strengthen the hand of administrators in deterring attacks or correcting the weak points in a network perimeter. I will first describe a novel "random moonwalk" algorithm that automatically pinpoints the origin of an epidemic spreading attack such as Internet worms and its initial successful infection events. The algorithm is agnostic to attack specific characteristics such as payload contents, port numbers used, or software vulnerabilities exploited. It is effective in identifying the origins of both today's fast propagating worms and a wide class of stealthy worms that attempt to hide their attack flows among background traffic. I will further describe forensics in federated network environments such as the Internet, where multiple administrative domains jointly perform attack investigation without releasing information that is not available to each other. The federated system not only achieves comparable performance to centralized forensics, but also is incentive compatible: each domain's own forensics capabilities are enhanced by participating, even in partial deployment scenarios.


Biography: Not Available