SIS Research Area - Information Security & Trust

Research Theme
Intrusion Detection Systems

Central Concerns and Questions

A server program (e.g., a web server) with buffer overflow or format string vulnerabilities might permit an attacker to commandeer a process running that program, effectively causing it to run the attacker's code instead. Detecting these intrusions is important to protect the server and the computer network.

Besides that, servers may be under Distributed Denial-of-Service (DDoS) attacks, in which thousands, if not millions, of compromised machines (a.k.a. zombies, daemons, agents, slaves) distributed around the world send requests to the victim server at the same time to bring down the service. Such DDoS attacks need to be differentiated from Flash Events (FE) caused by a large number of legitimate requests in order to filter out attack traffic and continue to be able to serve legitimate requests.

Emerging Ideas and Initiatives

We propose a new approach to host-based intrusion detection called "Behavioural Distance" which runs replicated servers with diverse platforms (e.g., Windows and Linux) or diverse applications (e.g., IIS and Apache). Experiments show that it detects software intrusions with high accuracy and moderate overhead.

We also propose a new algorithm to distinguish between FE and DDoS attacks using a randomness check. To the best of our knowledge, this is the first effective and practical approach that distinguishes FE from DDoS attacks using a very small amount of memory space.

Selected Publications

[1] Debin Gao, Michael K. Reiter and Dawn Song. Beyond output voting: detecting compromised replicas using HMM-based behavioral distance. IEEE Transactions on Dependable and Secure Computing (TDSC), April 2009.

[2] Peng Li, Hyundo Park, Debin Gao and Jianming Fu. Bridging the gap between data-flow and control-flow analysis for anomaly detection. The 24th Annual Computer Security Applications Conference (ACSAC 2008), Anaheim, California, USA, December 2008.

[3] Hyundo Park, Peng Li, Debin Gao, Heejo Lee and Robert H. Deng. Distinguishing between FE and DDoS using randomness check. The 11th Information Security Conference (ISC), LNCS 5222, pp. 131-145, September 2008.

[4] Debin Gao, Michael K. Reiter and Dawn Song. Behavioral distance measurement using hidden Markov models. The 9th International Symposium on Recent Advances in Intrusion Detection (RAID), Hamburg, Germany, September 2006.

[5] Debin Gao, Michael K. Reiter and Dawn Song. Behavioral distance for intrusion detection. The 8th International Symposium on Recent Advances in Intrusion Detection (RAID), Seattle, WA, USA, September 2005.

[6] Debin Gao, Michael K. Reiter and Dawn Song. Gray-box extraction of execution graphs for anomaly detection. The 11th ACM Conference on Computer and Communications Security (CCS), pages 318-329, Washington, DC, USA, October 2004.

[7] Debin Gao, Michael K. Reiter and Dawn Song. On gray-box program tracking for anomaly detection. The 13th USENIX Security Symposium, pages 103-118, San Diego, CA, USA, August 2004.

Projects, Presentations and Posters

Collaborations and Industry Linkages

  1. University of North Carolina at Chapel Hill, United States

Last updated on 25 September, 2009 by School of Information Systems.