SIS Research Area - Information Security & Trust

Research Theme
Intrusion Detection Systems

Central Concerns and Questions

A server program (e.g., a web server) with buffer overflow or format string vulnerabilities might permit an attacker to commandeer a process running that program, effectively causing it to run the attacker's code instead. Detecting these intrusions is important to protect the server and the computer network.

Besides that, servers may be under Distributed Denial-of-Service (DDoS) attacks, in which thousands, if not millions, of compromised machines (a.k.a. zombies, daemons, agents, slaves) distributed around the world send requests to the victim server at the same time to bring down the service. Such DDoS attacks need to be differentiated from Flash Events (FE), which are caused by a large number of legitimate requests, so that attack traffic can be filtered out while legitimate requests continue to be served.

Emerging Ideas and Initiatives

We propose a new approach to host-based intrusion detection called "Behavioral Distance", which runs replicated servers on diverse platforms (e.g., Windows and Linux) or with diverse applications (e.g., IIS and Apache). Experiments show that it detects software intrusions with high accuracy and moderate overhead.

We also propose a new algorithm to distinguish between FE and DDoS attacks using a randomness check. To the best of our knowledge, this is the first effective and practical approach that distinguishes FE from DDoS attacks using a very small amount of memory.

Selected Publications

[1] H. Park, P. Li, D. Gao, H. Lee and R. H. Deng. Distinguishing between FE and DDoS using Randomness Check. The 11th Information Security Conference (ISC), 2008. To appear.

[2] D. Gao, M. K. Reiter and Dawn Song. Beyond Output Voting: Detecting Compromised Replicas using Behavioral Distance. Tech Report, CMU-CYLAB-06-019, December 2006.

[3] D. Gao, M. K. Reiter and Dawn Song. Behavioral Distance Measurement Using Hidden Markov Models. The 9th International Symposium on Recent Advances in Intrusion Detection (RAID), Hamburg, Germany, September 2006.

[4] D. Gao, M. K. Reiter and Dawn Song. Behavioral Distance for Intrusion Detection. The 8th International Symposium on Recent Advances in Intrusion Detection (RAID), Seattle, WA, USA, September 2005.

[5] D. Gao, M. K. Reiter and Dawn Song. Gray-Box Extraction of Execution Graphs for Anomaly Detection. The 11th ACM Conference on Computer and Communications Security (CCS), pages 318-329, Washington, DC, USA, October 2004.

[6] D. Gao, M. K. Reiter and Dawn Song. On Gray-Box Program Tracking for Anomaly Detection. The 13th USENIX Security Symposium, pages 103-118, San Diego, CA, USA, August 2004.

Projects, Presentations and Posters

Collaborations and Industry Linkages

  1. University of North Carolina at Chapel Hill, United States
  2. DSO/DSTA
Last updated on 12 August, 2008 by School of Information Systems.