IBM Israel Research Seminars
 
The goal of a network intrusion detection system (NIDS) is to detect, and sometimes prevent, attacks on the organization's network. A long line of research has shown that current NIDS are ineffective; they both raise false alarms and miss attacks. In this talk, I will describe my quest to bring us closer to an effective NIDS: an intrusion detection system that detects real attacks and only those.
First, I will discuss the foundation of my work: a formal model called the attacker’s transformational model. This model describes how attackers transform attacks in order to evade a NIDS. Second, based on the attacker’s model, I will present a NIDS testing technique that systematically generates new unknown attack instances from known instances. I will present vulnerabilities that this testing technique found in two NIDS: Snort, a widely used and freely available NIDS, and TippingPoint, a high-end NIDS used to protect sensitive networks such as the network of the Los Alamos National Lab. Last, I will show how to use the attacker’s model to construct the NIDS signatures that are the basis for NIDS effectiveness. I will show a formal method for signature construction and illustrate how this method can help verify the signature’s accuracy.
About the Speaker
Shai Rubin is a Ph.D. student in the Computer Sciences Department at the University of Wisconsin-Madison. His main research interest is computer security, in particular, network-based intrusion detection, hardware-based pattern matching, and program analysis for security purposes.
Shai received his B.A. and M.A. degrees in Computer Science from the Technion, in 1996 and 1999, respectively. His M.A. work focused on data-layout optimization and was done under the supervision of Michael Rodeh and David Bernstein from IBM Haifa. Shai worked at HRL in the processor verification group, developing test-program generators for DSP and VLIW architectures. Shai is expected to finish his Ph.D. studies in the summer of 2006.
 
- Speaker: Shai Rubin, University of Wisconsin, Madison
- Time: 14/08/2005, 11:00 AM - 12:00 PM
