Rethinking Network Security

George Varghese, Cisco and UCSD

A popular approach to network security is the use of Intrusion Prevention Systems (IPS) that screen out network traffic from known attacks using a database of signatures entered by human analysts. While the IPS market is a thriving billion-dollar market, there are some trends that indicate the need for new approaches. First, fast-moving attacks such as the Slammer worm did much of their damage in the first 10 minutes, far faster than the hours human analysts need to analyze the attack and provide a signature. Second, IPS devices are beginning to be integrated into network switches (e.g., Cisco, Force 10), which may require scaling the IPS to 10 and even 20 Gbps. At these speeds, the use of normalization and TCP reassembly in an IPS (motivated by the need to detect fragmented attacks and other evasions) becomes a bottleneck.

In this talk, I will suggest new approaches for dealing with these two problems. First, just as attackers use automation to launch fast-moving attacks, perhaps IPSs should also use automation to *learn* signatures without human intervention. I will describe our work on the EarlyBird system at UCSD, which ran at high speeds and automatically generated signatures for all the worms that arrived on the UCSD campus within a few minutes of their arrival. Second, I will describe some recent work at Cisco, where we suggest splitting attack signatures into pieces in order to *detect* evasion attacks with minimal reassembly while allowing scaling to 20 Gbps and higher. The talk is based on work presented at OSDI 2004 on signature learning, combined with work that will appear at SIGCOMM 2006 on signature detection.
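The abstract says only that EarlyBird learned worm signatures automatically. The block below is an added illustration, not code from the talk or from the EarlyBird system, of the content-sifting idea that the OSDI 2004 paper is built on: a byte string is a worm signature candidate when it is both prevalent (the same content recurs across many packets) and widely dispersed (it is sent by many distinct sources to many distinct destinations). The packet trace, the thresholds, and the window size are all constructed for the example; the real system hashes windows with Rabin fingerprints and uses sampling and multistage filters to keep memory bounded at line rate, which this straightforward dictionary-based version omits.

```python
from collections import defaultdict
from dataclasses import dataclass, field

WINDOW = 8  # bytes per content window; constructed choice for this example


@dataclass
class WindowStats:
    """Prevalence and address-dispersion counters for one content window."""
    count: int = 0
    srcs: set = field(default_factory=set)
    dsts: set = field(default_factory=set)


def sift(packets, window=WINDOW):
    """Tabulate every fixed-size byte window over (src, dst, payload) tuples."""
    table = defaultdict(WindowStats)
    for src, dst, payload in packets:
        seen = set()  # count a window once per packet, not once per occurrence
        for i in range(len(payload) - window + 1):
            w = payload[i:i + window]
            if w in seen:
                continue
            seen.add(w)
            stats = table[w]
            stats.count += 1
            stats.srcs.add(src)
            stats.dsts.add(dst)
    return table


def learn_signatures(packets, window=WINDOW, min_count=4, min_srcs=3, min_dsts=3):
    """Return the maximal byte strings whose every window passes both tests.

    Prevalence (min_count) alone would flag popular benign content such as a
    busy web server's responses; the dispersion thresholds (min_srcs, min_dsts)
    reject content that many hosts receive but only one host sends.
    """
    table = sift(packets, window)

    def qualifies(w):
        s = table.get(w)
        return (s is not None and s.count >= min_count
                and len(s.srcs) >= min_srcs and len(s.dsts) >= min_dsts)

    signatures = set()
    for _, _, payload in packets:
        n = len(payload) - window + 1
        i = 0
        while i < n:
            if not qualifies(payload[i:i + window]):
                i += 1
                continue
            # Extend over consecutive qualifying windows to recover the whole
            # invariant region rather than emitting 8-byte fragments.
            j = i
            while j + 1 < n and qualifies(payload[j + 1:j + 1 + window]):
                j += 1
            signatures.add(payload[i:j + window])
            i = j + 1
    return sorted(signatures)


# Constructed trace: an invariant "worm" body behind a varying request prefix,
# one server's identical response to six clients, and a few one-off messages.
WORM_BODY = b"CONSTRUCTED-WORM-BODY-SPREADS-ITSELF"
BENIGN_RESPONSE = b"HTTP/1.1 200 OK\r\nHello, world"
SAMPLE_PACKETS = (
    [(f"10.0.{i}.7", f"198.51.100.{i}", b"GET /" + str(i).encode() + WORM_BODY)
     for i in range(1, 6)]
    + [("192.0.2.10", f"203.0.113.{i}", BENIGN_RESPONSE) for i in range(1, 7)]
    + [("10.1.1.1", "10.1.1.2", b"hello from alice to bob, nothing to see"),
       ("10.1.1.3", "10.1.1.4", b"meeting moved to thursday afternoon")]
)

if __name__ == "__main__":
    for sig in learn_signatures(SAMPLE_PACKETS):
        print("candidate signature:", sig)
```

Running the block yields exactly the worm body as the sole candidate: the varying request prefix never reaches the prevalence threshold, and the server response, although more prevalent than the worm, comes from a single source. Lowering `min_srcs` to 1 makes that response a false-positive signature, which is the failure mode the dispersion test exists to prevent.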


George Varghese is a Professor of Computer Science at UCSD, where he does research on network protocol implementation, measurement, and network security. He received his Ph.D. from MIT in 1993 and was elected a Fellow of the ACM in 2004. Several networking inventions that he co-invented (e.g., DRR, IP lookups, timing wheels) are commonly used in commercial products. He is the author of the textbook "Network Algorithmics", published by Morgan Kaufmann in 2004. From June 2004 to June 2005, he was co-founder and CTO of NetSift Inc., which was acquired by Cisco Systems.

25 May (Thursday) at 1630 hrs

Gates 4B (opposite 490)