"From Zero-Day Attack to Zero-Day Response" by Pavel Laskov

Date: May 12, 2010

Venue: DIEE - B Building - Meeting Room

Summary of the talk
The rapid evolution of malicious software poses a major threat to modern information systems, especially since this development is driven by organized cybercrime. Particularly dangerous, as exemplified by recent incidents at Google and other companies, are the so-called "zero-day" attacks, for which exploits are observed in the wild before a security patch is available. There is a growing consensus in the security community that new mechanisms are needed to protect both server and end-user systems against potentially unknown threats. In this talk I will present the main concepts and several applications of ReMIND, a self-learning intrusion detection system that is capable of identifying unknown attacks with high accuracy and low false-alarm rates. The underlying idea of ReMIND is efficient analysis of application payload coupled with unsupervised anomaly detection algorithms. A software implementation of our system has reached a throughput of over 1 Gbps on standard multicore hardware. The system can be coupled with response mechanisms, either in the form of packet filtering or via automatic signature generation. In the last part of the talk I will discuss potential attacks against self-learning systems and present a formal analysis of online anomaly detection in the presence of a poisoning attack.
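The abstract names the two ingredients of ReMIND's approach, payload analysis plus unsupervised anomaly detection, and the attack the last part of the talk analyses, poisoning of the online learning step. The following is an added example written for this page, not ReMIND's own code: a byte 2-gram centroid detector over HTTP request payloads with a threshold derived from the training distances, and an online update that only learns from payloads the current model already accepts and forgets with a finite horizon. Those two guards are what limit how far an attacker can drag the centroid per accepted payload. The class name, the sample requests and the odd-byte request used as the anomaly are all constructed for the example.

```python
"""Byte n-gram centroid anomaly detector with a guarded online update (added example)."""
from collections import Counter
import math


def ngram_vector(payload: bytes, n: int = 2) -> dict:
    """L2-normalised frequency vector of the byte n-grams occurring in a payload."""
    counts = Counter(payload[i:i + n] for i in range(len(payload) - n + 1))
    norm = math.sqrt(sum(c * c for c in counts.values())) or 1.0
    return {g: c / norm for g, c in counts.items()}


def distance(v: dict, w: dict) -> float:
    """Euclidean distance between two sparse vectors stored as dicts."""
    return math.sqrt(sum((v.get(k, 0.0) - w.get(k, 0.0)) ** 2 for k in set(v) | set(w)))


class CentroidDetector:
    """Hypothetical detector: normal traffic is modelled by the mean n-gram vector."""

    def __init__(self, n: int = 2, margin: float = 0.2, horizon: int = 1000):
        self.n = n
        self.margin = margin      # slack above the largest training distance
        self.horizon = horizon    # finite horizon: bounds the weight of old data
        self.centroid = {}
        self.count = 0
        self.threshold = 0.0

    def fit(self, payloads) -> None:
        """Batch training on payloads assumed to be attack-free."""
        vecs = [ngram_vector(p, self.n) for p in payloads]
        self.count = len(vecs)
        self.centroid = {}
        for v in vecs:
            for g, x in v.items():
                self.centroid[g] = self.centroid.get(g, 0.0) + x / len(vecs)
        self.threshold = max(distance(v, self.centroid) for v in vecs) * (1 + self.margin)

    def score(self, payload: bytes) -> float:
        return distance(ngram_vector(payload, self.n), self.centroid)

    def is_anomalous(self, payload: bytes) -> bool:
        return self.score(payload) > self.threshold

    def update(self, payload: bytes) -> bool:
        """Online learning step. Returns True if the payload was accepted into the model.

        A payload the current model flags is never learned from, and the effective
        sample count is capped at `horizon`, so a single accepted payload can move
        the centroid by at most 1/(horizon+1) of its own offset.
        """
        v = ngram_vector(payload, self.n)
        if distance(v, self.centroid) > self.threshold:
            return False
        k = min(self.count, self.horizon) + 1
        for g in set(self.centroid) | set(v):
            c = self.centroid.get(g, 0.0)
            self.centroid[g] = c + (v.get(g, 0.0) - c) / k
        self.count += 1
        return True


# Constructed benign training traffic: plain HTTP requests differing only in the path.
_HEADERS = b" HTTP/1.1\r\nHost: www.example.test\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n"
BENIGN = [b"GET " + path + _HEADERS for path in (
    b"/index.html", b"/news.html", b"/about.html", b"/contact.html",
    b"/images/logo.png", b"/css/style.css", b"/js/app.js", b"/search?q=seminar")]

# Constructed anomaly: a request whose path is made of bytes never seen in training.
ANOMALOUS = b"GET /" + bytes(range(128, 256)) * 3 + b" HTTP/1.1\r\n\r\n"


def demo() -> dict:
    det = CentroidDetector()
    det.fit(BENIGN)
    return {
        "benign_flagged": sum(det.is_anomalous(p) for p in BENIGN),
        "anomalous_flagged": det.is_anomalous(ANOMALOUS),
        "anomaly_learned": det.update(ANOMALOUS),   # rejected: model does not drift
        "benign_learned": det.update(BENIGN[0]),    # accepted: normal online update
    }


if __name__ == "__main__":
    print(demo())
```

The threshold is fixed after `fit`; in a deployment it would be re-estimated periodically from accepted traffic, which is exactly the step a poisoning analysis has to account for, because an attacker who can get near-threshold payloads accepted moves both the centroid and the next threshold.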
The slides used by prof. Laskov during his presentation are available here.

A little photo-gallery of the event is available here.

 
Bio
Pavel Laskov graduated from the Moscow Institute of Radio, Electronics and Automation (Russia) in 1994 with a diploma in computer engineering. He received an M.Sc. and a Ph.D. in computer science from the University of Delaware (Newark, DE, USA) in 1996 and 2001, respectively. In 1997 he spent six months at AT&T Research, where he was involved in the pioneering work on kernel methods in machine learning headed by V. Vapnik, the inventor of Support Vector Machines. Since 2001 he has been a senior researcher at the Fraunhofer Institute FIRST in Berlin. In 2004 he initiated the investigation of machine learning methods for intrusion detection and has led the development of the self-learning intrusion detection system ReMIND. In 2009 he was awarded a Heisenberg Fellowship of the German Science Foundation and moved to the University of Tuebingen to focus on machine learning methods for adversarial environments. He has published over 40 articles in refereed journals and conference proceedings and has served on the program committees of several international conferences.
Contact: giacinto[at]diee[dot]unica[dot]it
Web site: Prof. Laskov Personal Page